FortiSOAR Discussions
Swapnil1
New Contributor II

Cisco ESA Block sender action for SAAS based instance

The current Cisco ESA connector has an action named Block Sender. This used to work with the listener and needed an SSH connection. However, with the Cisco ESA SaaS-based instance, an SSH connection is no longer available. Hence this action fails due to the missing SSH connection.
We looked at the API reference guide and observed that there is no API to Block Sender. 
AsyncOS 14.0 API for Cisco Secure Email Gateway - Getting Started Guide - GD (General Deployment) - ...

However, we found the below API for which we already have an action in the current connector: (Update Blocklist Entries)
POST /esa/api/v2.0/quarantine/blocklist
{
  "action": "add",
  "quarantineType": "spam",
  "senderAddresses": ["xyz.com", "space.com"],
  "recipientList": ["user@cronos.com"],
  "viewBy": "sender"
}

We wanted to know whether this action performs the same functionality as the Block Sender action available in the connector.

Also, it looks like recipientList is a mandatory field. Can someone let us know what goes in this field if the only action we want to achieve is to block the sender?

Can someone help on the above queries?
Pranjali
Staff

Hello @Swapnil,

 

The working of the actions 'Block Sender' and 'Update Blocklist Entries' is different.
Block Sender – This action adds the IP/domain to the HAT (Host Access Table) in the listener config, and we can do this only using SSH. No REST API is available for this.
Update Blocklist Entries – This action adds the IP/domain to the End User Blocklist (Spam Quarantine).

 

And to add the sender address in the Blocklist:
senderAddresses: address of the sender that you want to block.

recipientList: addresses of the recipients for whom you want to block the above sender.

In the Blocklist, each entry is saved like below:
{
  "senderAddress": "ace.com",
  "recipientList": [
    "abc@ace.com",
    "def@ace.com"
  ]
}

-------------------------------------------
Original Message:
Sent: Nov 17, 2021 10:02 PM
From: Swapnil Koulgikar
Subject: Cisco ESA Block sender action for SAAS based instance

The current Cisco ESA connector has an action named Block Sender. This used to work with the listener and needed an SSH connection. However, with the Cisco ESA SaaS-based instance, an SSH connection is no longer available. Hence this action fails due to the missing SSH connection.
We looked at the API reference guide and observed that there is no API to Block Sender. 
AsyncOS 14.0 API for Cisco Secure Email Gateway - Getting Started Guide - GD (General Deployment) - ...

However, we found the below API for which we already have an action in the current connector: (Update Blocklist Entries)
POST /esa/api/v2.0/quarantine/blocklist
{
  "action": "add",
  "quarantineType": "spam",
  "senderAddresses": ["xyz.com", "space.com"],
  "recipientList": [""],
  "viewBy": "sender"
}

We wanted to know whether this action performs the same functionality as the Block Sender action available in the connector.

Also, it looks like recipientList is a mandatory field. Can someone let us know what goes in this field if the only action we want to achieve is to block the sender?

Can someone help on the above queries?
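
Added example, not part of the original thread and not the connector's own code: a Python helper that builds the request body for the blocklist call quoted above and shows the per-sender entries the reply describes. The function names are hypothetical, and the checks assume recipientList must be non-empty and hold full mailbox addresses; nothing is sent to the gateway.

```python
# Path and field names are copied from the request quoted in the thread.
BLOCKLIST_PATH = "/esa/api/v2.0/quarantine/blocklist"


def _clean(values, field):
    """Strip and de-duplicate a list of strings; reject empty results."""
    out = []
    for value in values:
        item = str(value).strip()
        if not item or any(ch.isspace() for ch in item):
            raise ValueError(f"{field}: empty or malformed entry {value!r}")
        if item not in out:
            out.append(item)
    # Assumption from the thread: recipientList is mandatory; reject [] and [""].
    if not out:
        raise ValueError(f"{field}: at least one entry is required")
    return out


def build_blocklist_add(senders, recipients):
    """Build the JSON body for an 'add' on the spam quarantine blocklist."""
    sender_list = _clean(senders, "senderAddresses")
    recipient_list = _clean(recipients, "recipientList")
    # Assumption: recipients are full mailbox addresses (local@domain).
    for rcpt in recipient_list:
        local, _, domain = rcpt.partition("@")
        if not local or not domain or "@" in domain:
            raise ValueError(f"recipientList: not a mailbox address: {rcpt!r}")
    return {
        "action": "add",
        "quarantineType": "spam",
        "senderAddresses": sender_list,
        "recipientList": recipient_list,
        "viewBy": "sender",
    }


def expected_entries(body):
    """Per-sender entries, in the shape the reply shows for stored data."""
    return [
        {"senderAddress": sender, "recipientList": list(body["recipientList"])}
        for sender in body["senderAddresses"]
    ]


if __name__ == "__main__":
    # Constructed sample, reusing the addresses quoted in the thread.
    body = build_blocklist_add(["xyz.com", "space.com"], ["user@cronos.com"])
    print("POST", BLOCKLIST_PATH, body, expected_entries(body))
```

Because each stored entry ties a sender to specific recipients, covering a whole organisation this way means supplying every recipient mailbox in recipientList.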