This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ESA processing flow

In what order are the various policies processed on the ESA?  I've been under the impression that it's similar to a firewall ACL; processing starts at the top and flows down until a policy is matched, then all other processing stops (unless "Continue Processing" is one of the selected options), or in the case of the ESA all Threat Protection policies are processed, then Anti-Spam policies, Data Control, etc.  

I ask because I've set up End User Web Quarantine for my users, sending only Medium Spam to the quarantine, which, if my theory is sound, should be processed after all of the Threat Protection policies.  However, in my testing of releasing email from quarantine nothing that should have been marked with Time of Click is getting tagged, nor are the URLs being rewritten.

Can someone please enlighten me on the process?

Thank you.



This thread was automatically locked due to age.
  • Hi Rich,

    Go to http://sea.sophos.com/sea_docs/en/ and search for "policy message flow".

     

    Regards,

    Aiman

  • Aiman;

    Thanks for that info, which is very useful, but I'm not sure it completely answers my question.

    Per Step 5:

    "Threat Protection: The Threat Protection feature tests both content and reputation of a message. If a virus, encrypted attachment, unscannable attachment, or SophosLabs suspected attachments is found, the message will be discarded or quarantined by default. Threat protection also does SPF and DKIM checks to validate the authenticity of a message."

    Nowhere is Time of Click mentioned in this verbiage, although clicking on the Threat Protection hyperlink does reference it.  It is also further stated at the bottom of the page:

    "Within each Policy section, individual rules are processed in the order in which they are listed. Depending on how each policy rule is configured, a message may be placed in the quarantine  , delivered to the appropriate recipient(s), or it may be discarded."

    So it may process ToC prior to "Additional Policy." However, if that's the case then why are URLs not being re-written by ToC on Bulk messages that are released from quarantine?

    Thank you.