Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Email Security Quick-links: ESA Product Support | SMA Product Support | Email Submission and Tracking Portal | Cisco SecurityHub
Current General Deployment (GD) Releases:
ESA: 11.0.0-264 WSA: 10.5.1-296 SMA: 11.0.0-115 Email Plug-in (Reporting): 1.0.1-048 Email Plug-in (Encryption): 1.0.0-036

New Member

What happens when no content filters have a final action?

What happens when none of the content filters enabled for a particular policy have final actions? Is the default final action to deliver the message after applying all the relevant non-final actions? This is how it works for message filters, but I'm still learning the ropes for content filters (they didn't exist when I started using AsyncOS, and I ignored them for a long time). Amazingly enough, the documentation doesn't explicitly explain this situation, at least not that I could find. Maybe I just didn't read the right place.

Thanks,

4 REPLIES
New Member

Re: What happens when no content filters have a final action?

It does not look like you can define a content filter without applying a final action, when attempting to Submit with no final action you get the error "Error — Please add at least one action"

This seems to be the same trend for a regular expression filter via the CLI

New Member

Re: What happens when no content filters have a final action?

It does not look like you can define a content filter without applying a final action

Keep in mind what a final action is: bounce(), deliver(), or drop(). I already have several content filters which lack one of these actions, which results in the message cascading into the next matching filter. What you can't create is a filter which lacks any actions at all.

I think I've answered my own question. Without an explicit bounce(), deliver(), or drop(), the message is processed by all matching filters and then delivered.

New Member

Re: What happens when no content filters have a final action?

I think I've answered my own question. Without an explicit bounce(), deliver(), or drop(), the message is processed by all matching filters and then delivered.

Indeed. Content filters are similar to message filters. They aren't as powerful, but can use information such as the Antispam/Antivirus verdict which isn't available in message filters and they are applied after splintering.

Conditions aren't required in content filters, but you need at least one action. Sometimes it can be useful for reporting to include a condition even if it seems redundant. For example if you want a content filter that strips all executables. You could create the filter without condition or add a condition which checks if there really is an executable attachment.
The end result is the same, but with the extra condition you can see in the content filter report how often an exe was stripped (The content filter report shows how often a content filter was matched - not how often the actions did anything useful).

New Member

Re: What happens when no content filters have a final action?

but you need at least one action.

Right. The filter in question had a notify-copy() action and a deliver() action. The deliver() action was keeping subsequent filters from running. There were no subsequent filters when the one in question was originally written, so the deliver() was superfluous but not harmful. I realized it was a problem only when I added another filter. I've removed the deliver() action.

This was basically a case of knowing the answer intellectually (content filters use the same language as message filters, after all), but not having any experience or documentation to back it up.

Thanks,

134
Views
0
Helpful
4
Replies