I'm currently working on whitelisting senders (per sender domain and per sender address) for all recipients and I came across a bit of confusion.
The idea is to allow e-mails from whitelisted senders to bypass IronPort - including bypassing SBRS, virus check, spam check, outbreak etc. However, I'm unable to find a reasonably easy solution for that. So far my current idea is to create a new Mail Flow Policy with all checks disabled and action accept, and then create a new sender group with all the whitelist addresses I need. However, this won't allow me to whitelist a single e-mail address...
My question is whether the above-mentioned solution is correct and would allow me to bypass all checks and security issues on IronPort? If not, could you provide some other one?
The usual approach to this is indeed to create a new inbound mail policy, add all the sender addresses, and disable/enable any services in there as you require.
The reason why you cannot do that (add email addresses) on sendergroups is the way the HAT works - right at the beginning of the SMTP conversation, before any data is sent. At this point the system only knows the sender's IP address, and its hostname if the reverse lookup completes successfully. The decision which sendergroup is getting used will be based on this information only, also because it is more reliable. Keep in mind that any email address can be faked, so allowing the whitelist to accept email addresses as well would mean you'd get more spam in your system that does not even get scanned - as the TRUSTED mail flow policy the WHITELIST usually uses has antispam scanning disabled.
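A simplified model of the two decision points described in the answer above, added here as an illustration; it is not code from the thread or from Cisco. The PARTNERS group, the addresses, networks and matching rules are constructed assumptions; only the WHITELIST/TRUSTED pairing and the disabled antispam come from the answer.

```python
from ipaddress import ip_address, ip_network

# Stage 1 (HAT): runs when the connection opens. Only the peer IP and its
# reverse-DNS name exist; no MAIL FROM has been sent yet.
HAT = [  # (sender group, network or None, rDNS suffix or None, mail flow policy)
    ("WHITELIST", ip_network("192.0.2.0/24"), None, "TRUSTED"),
    ("PARTNERS", None, ".partner.example", "TRUSTED"),   # constructed group
    ("ALL", ip_network("0.0.0.0/0"), None, "ACCEPTED"),
]
FLOW_DISABLES = {"TRUSTED": {"antispam"}, "ACCEPTED": set()}

# Stage 2 (incoming mail policy): runs per message on the envelope sender.
MAIL_POLICIES = [  # (policy name, sender patterns, scanners left enabled)
    ("Whitelisted senders", {"alice@partner.example", "@trusted.example"}, set()),
    ("Default", {"*"}, {"antispam", "antivirus", "outbreak"}),
]

def hat_lookup(peer_ip, rdns):
    """First sender group whose IP range or rDNS suffix matches the peer."""
    ip = ip_address(peer_ip)
    for group, net, suffix, flow in HAT:
        if net is not None and ip in net:
            return group, flow
        if suffix and rdns and rdns.lower().endswith(suffix):
            return group, flow
    raise LookupError("no sender group matched")

def mail_policy_lookup(mail_from):
    """First mail policy matching the claimed (unauthenticated) sender."""
    addr = mail_from.lower()
    domain = "@" + addr.rsplit("@", 1)[-1]
    for name, patterns, scanners in MAIL_POLICIES:
        if "*" in patterns or addr in patterns or domain in patterns:
            return name, scanners

def classify(peer_ip, rdns, mail_from):
    group, flow = hat_lookup(peer_ip, rdns)
    policy, scanners = mail_policy_lookup(mail_from)
    effective = sorted(scanners - FLOW_DISABLES[flow])
    # Scanning skipped on the strength of a claimed address alone, with no
    # connection-level trust: the case the answer warns about, worth logging.
    address_only = group == "ALL" and not effective
    return {"sender_group": group, "flow_policy": flow, "mail_policy": policy,
            "scanners": effective, "address_only_bypass": address_only}
```

The `address_only_bypass` flag marks messages that skip every scanner purely because of the sender address they claim, which is the population to review when an address-based whitelist policy is in place.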