On our Postx box, I used to be able to see specifically what caused a message to become encrypted (for example a social security number). It would report what keyword(s) triggered the encryption.
We just replaced the Postx with an IronPort C150 (love it!) and I would like to be able to get the same info. I see that I can go to Monitor -> Content Filters to see which users had encrypted mail, then I can use Message tracking to see details including that the message WAS encrypted, however I would like to see the details of WHAT triggered the content filter.
A way to see what triggered the filter (in your case encryption filter) is to set up one of the actions to your filter to duplicate quarantine; this would send a copy of the message to system quarantine and follow the rest of the path (other actions). This way a copy of the message is sent to the system quarantine, and viewing the message in system quarantine would show what content of the message was matched by the filter.
I have no experience with the IronPort encryption solutions at all, but a possible solution might be to add a second action to your policy that writes the required info into an X- header. If you enable logging for this header, you will see the results in your log files.
I can imagine you do not want the information in the X-header to be public (which is the nature of X- headers). There are two possible solutions for that. 1) Use numeric codes for the data in the X-header. Only you have the matching table to see what code points to what message filter or filter action.
2) Play around with policies and message filters. They are always executed in the same order (which I do not recall at the moment). If you make sure the first of the two does the detection and adds the header, you can use the second to strip the header out of the message.