Creating an Alert Profile
An alert is triggered whenever an event matching specific criteria is generated. An alert profile lets you define those criteria and, when the corresponding alert is triggered, notify you by e-mail or run a script of your choice.
Creating a New Alert Profile
Click the Add Alert Profile link to create a new alert
profile. You can find this link on the
sub tab or in the Alerts box in the left
navigation pane when the Alerts tab is selected.
- Enter a unique name for the alert profile.
- Select the devices for which the alert needs to be triggered by clicking the Change Selection link and selecting the required devices.
- Select one of the two Alert Profile Types:
- Normal Alert Profile
- Filters:
Define the criteria for which the alert needs to be triggered. You can set criteria based on Severity, Protocol, Date, Received (in Bytes), Sent (in Bytes), Source, Destination, URL, Status, File Name, Rule, VPN, Virus, Attack, Protocol Identifier, Message, Duration (in seconds), or Record Type. Use Add Criteria and Remove Criteria to specify more or fewer criteria for the alert.
- Threshold:
Set the Priority of the alert to High, Medium, or Low according to how urgently you want to be notified.
- Enter the threshold criteria for the alert to be triggered.
For example: Trigger an Alert for every: 5 Events generated within 2 Minutes
Here, Events means log records that match the criteria defined above, so the alert fires only when five matching records arrive within a two-minute window, not on every matching record.
- You can Apply Threshold to:
Either All Devices Selected, in which case the alert is triggered when the selected firewalls cumulatively cross the threshold set above (five matching events spread across any of them),
or Each Device Selected, in which case the threshold is counted per firewall and the alert is triggered for each firewall that crosses it on its own.
- Anomaly Alert Profile
Select this type when you want to be notified of abnormal behaviour or traffic anomalies. Anomaly reports can be used for Network Behavioral Analysis (NBA).
- Select the type of anomaly alert report you would like to receive: Traffic Report, Attack Report, Virus Report, VPN Report, URL Report, Rule Report, or Event Report.
- Filters:
Each report type provides its own set of filters, which you configure according to the nature of the alert you want to receive.
- Threshold:
The threshold criteria for triggering the alert depend on the anomaly report type and the filters you have chosen, and are set here.
Anomaly Sample Scenario :
In a period of 1 hour, if traffic from source 192.168.1.1 exceeds 100 MB, create a High Priority Alert and send an e-mail notification on every 5th occurrence. Also, check once every 15 minutes whether the traffic has exceeded 100 MB.
You can achieve this scenario with the Anomaly Filters and Threshold settings as follows.
Steps:
- Filters section:
Set Source is 192.168.1.1
- Threshold section:
In a period of 1 Hour, If Total Traffic exceeds 100 MB, create an Alert with Priority as High, Check for every 15 Mins
- Select the Send E-Mail notification check box and choose 5th occurrence. Provide valid e-mail IDs in the Mail To box.
Example:
You will get an e-mail when the following example values are met in your Firewall Analyzer.
| Schedule Time | Time Range | Total Bytes (MB) | Alert | Email |
| 10th Aug 10:00 | 9:00 to 10:00 | 104 | YES | NO |
| 10th Aug 10:15 | 9:15 to 10:15 | 106 | YES | NO |
| 10th Aug 10:30 | 9:30 to 10:30 | 200 | YES | NO |
| 10th Aug 10:45 | 9:45 to 10:45 | 167 | YES | NO |
| 10th Aug 11:00 | 10:00 to 11:00 | 154 | YES | YES |
Schedule Time: Time at which Firewall Analyzer checks the database to identify the amount of traffic from Source 192.168.1.1
Time Range: Time period for which the traffic is examined (the hour preceding the check)
Total Bytes (MB): Actual bytes transferred from 192.168.1.1 in that period
Alert: Whether Firewall Analyzer raises an alert for that check
Email: Whether Firewall Analyzer sends an e-mail; with 5th occurrence selected, only the fifth consecutive alert produces mail
Note that because each check looks back over a full hour while checks run every 15 minutes, the time ranges overlap: a single burst of traffic is counted in up to four consecutive checks and can therefore raise up to four alerts on its own.
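The following is an added illustration, not Firewall Analyzer's own code: a small Python model of how the two threshold styles described above are evaluated, the Normal profile's "every N events within W minutes" counter in both All Devices Selected and Each Device Selected modes, and the Anomaly scenario's scheduled one-hour volume check with e-mail on every 5th occurrence. The log records and flow volumes are constructed for the example and the field names (time, device, severity, source, mb) are assumptions; the flow volumes were chosen so that the scheduled checks reproduce the table above.

```python
# Added example (not Firewall Analyzer code): a model of how a Normal profile
# threshold and the Anomaly sample scenario above are evaluated. All records
# below are constructed; field names are assumptions made for the illustration.
from collections import defaultdict
from datetime import date, datetime, timedelta

EXAMPLE_DAY = date(2008, 8, 10)   # "10th Aug" in the table; the year is arbitrary


def ts(clock):
    """Timestamp on the example day from 'HH:MM' or 'HH:MM:SS'."""
    fmt = "%H:%M:%S" if clock.count(":") == 2 else "%H:%M"
    return datetime.combine(EXAMPLE_DAY, datetime.strptime(clock, fmt).time())


# --- Normal alert profile: "Trigger an Alert for every 5 Events within 2 Minutes"

# Constructed records: five Critical (severity 2) events from two firewalls
# within 80 seconds, plus one Warning that the filter must ignore.
EVENTS = [
    {"time": ts("10:00:00"), "device": "fw1", "severity": 2},
    {"time": ts("10:00:20"), "device": "fw2", "severity": 2},
    {"time": ts("10:00:40"), "device": "fw1", "severity": 2},
    {"time": ts("10:01:00"), "device": "fw2", "severity": 2},
    {"time": ts("10:01:10"), "device": "fw1", "severity": 4},  # not Critical
    {"time": ts("10:01:20"), "device": "fw1", "severity": 2},
]


def normal_profile_alerts(records, criteria, n_events, window_min, apply_to="all"):
    """Return [(counter, time)] for every alert the profile would raise.

    criteria  -- the Filters section: each field must equal the given value
    apply_to  -- "all": one cumulative counter across the selected devices
                 "each": an independent counter per device
    A counter is cleared when it fires, so a further alert needs N fresh events.
    """
    window = timedelta(minutes=window_min)
    pending = defaultdict(list)   # counter name -> times of unconsumed events
    alerts = []
    for rec in sorted(records, key=lambda r: r["time"]):
        if any(rec.get(field) != value for field, value in criteria.items()):
            continue
        name = rec["device"] if apply_to == "each" else "all-devices"
        times = pending[name]
        times.append(rec["time"])
        while rec["time"] - times[0] > window:   # slide the window forward
            times.pop(0)
        if len(times) >= n_events:
            alerts.append((name, rec["time"]))
            times.clear()
    return alerts


# --- Anomaly profile: 1 hour period, Total Traffic > 100 MB, checked every 15 min

# Constructed flow volumes (MB) from 192.168.1.1, one per 15-minute slot, chosen
# so the hourly sums match the table above; the 10.0.0.5 flow must be ignored.
FLOWS = [{"time": ts(t), "source": "192.168.1.1", "mb": mb} for t, mb in [
    ("09:10", 20), ("09:25", 24), ("09:40", 40), ("09:55", 20),
    ("10:10", 22), ("10:25", 118), ("10:40", 7), ("10:55", 7)]]
FLOWS.append({"time": ts("09:50"), "source": "10.0.0.5", "mb": 900})


def anomaly_checks(flows, source, period_h, limit_mb, every_min,
                   first_check, last_check, email_on_every=5):
    """Replay the scheduled checks and return one table row per check:
    (check time, window start, total MB, alert raised, e-mail sent)."""
    rows, occurrences, check = [], 0, first_check
    while check <= last_check:
        start = check - timedelta(hours=period_h)
        total = sum(f["mb"] for f in flows
                    if f["source"] == source and start < f["time"] <= check)
        alert = total > limit_mb
        email = False
        if alert:
            occurrences += 1
            email = occurrences % email_on_every == 0   # "every 5th occurrence"
        rows.append((check.strftime("%H:%M"), start.strftime("%H:%M"),
                     total, alert, email))
        check += timedelta(minutes=every_min)
    return rows


if __name__ == "__main__":
    print("all devices:", normal_profile_alerts(EVENTS, {"severity": 2}, 5, 2, "all"))
    print("each device:", normal_profile_alerts(EVENTS, {"severity": 2}, 5, 2, "each"))
    for row in anomaly_checks(FLOWS, "192.168.1.1", 1, 100, 15, ts("10:00"), ts("11:00")):
        print(row)
```

Run as-is, the cumulative counter raises one alert at 10:01:20 while the per-device counters raise none (fw1 has only three matching events and fw2 two), and the anomaly replay yields the five rows of the table above with the e-mail flag set only on the fifth check.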
- To receive an HTML mail containing the alert details every time an alert matching this profile is triggered, select the Send E-mail Notification check box and fill in the recipient address in the Mail To box. You can send the mail to more than one address by separating the addresses with a comma (,).
- To execute a custom script every time an alert matching this profile is triggered, select the Run Script check box. The Enter Script Location section appears below the option; specify the location of the script in the Location field, or use the Browse button to locate it. Parameters of the matching log can be passed as arguments to the script: click the Add link to select the parameters to be added to the Arguments field (a pop-up lists the parameters with check boxes; select the ones you need and close it). You can also specify other arguments as required. If a parameter has no value in the matching log, the '-' character is substituted. Treat these arguments as untrusted input: fields such as URL and Message are taken verbatim from the logged traffic, so a script that splices them into a shell command line, rather than passing them on as discrete arguments, can be made to run commands chosen by whoever generated the traffic, with whatever privileges Firewall Analyzer uses to run the script.
- Click Save Profile button to save the alert profile.
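As an added example (not Firewall Analyzer's own code, nor a script it ships), here is a Python handler for the Run Script option that treats the log fields it receives as untrusted. It assumes the Arguments field passes the selected log parameters positionally in the order given in FIELDS, and that a missing value arrives as '-' as described above; the JSON log path and the logger command are illustrative choices.

```python
#!/usr/bin/env python3
# Added example (not Firewall Analyzer code): a Run Script handler that treats
# the log fields it receives as untrusted. FIELDS is the assumed order of the
# parameters selected in the Arguments field; '-' marks a missing value.
import ipaddress
import json
import shlex
import subprocess
import sys
from datetime import datetime, timezone

FIELDS = ("source", "destination", "severity", "url", "message")   # assumed order
MISSING = "-"


def parse_alert_args(argv, fields=FIELDS):
    """Map positional arguments to field names; '-' becomes None.

    Addresses are validated with ipaddress so that an unexpected value fails
    here instead of being passed on; a non-numeric severity fails the same way.
    """
    padded = list(argv) + [MISSING] * max(0, len(fields) - len(argv))
    rec = {name: (None if val == MISSING else val) for name, val in zip(fields, padded)}
    if rec["severity"] is not None:
        rec["severity"] = int(rec["severity"])
    for key in ("source", "destination"):
        if rec[key] is not None:
            rec[key] = str(ipaddress.ip_address(rec[key]))   # ValueError on anything else
    return rec


def unsafe_command_line(rec):
    """What NOT to do: splice log text into a shell string. A URL such as
    http://x/';id;' closes the quote and the shell runs id (or worse) with the
    privileges Firewall Analyzer gives the script."""
    return "logger -t fw-alert 'alert from %s url=%s'" % (rec["source"], rec["url"])


def shell_tokens(command_line):
    """Tokenize the way a POSIX shell would, keeping ';' '&' '|' as operators,
    to show the injected word becoming a command of its own."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def safe_argv(rec):
    """Build the command as an argv list. No shell parses it, so quotes,
    semicolons and $() in the fields stay inside one argument."""
    return ["logger", "-t", "fw-alert",
            "alert from %s url=%s" % (rec["source"], rec["url"] or MISSING)]


def alert_json(rec):
    """One JSON line per alert, for later correlation in a SIEM or script."""
    entry = dict(rec, received_at=datetime.now(timezone.utc).isoformat())
    return json.dumps(entry, sort_keys=True)


if __name__ == "__main__":
    alert = parse_alert_args(sys.argv[1:])
    with open("/var/log/fw-alerts.jsonl", "a", encoding="utf-8") as fh:  # assumed path
        fh.write(alert_json(alert) + "\n")
    subprocess.run(safe_argv(alert), check=False)
```

Invoked as `handler.py 192.168.1.1 - 2 "http://x/';id;'" blocked`, the handler records the alert and logs it through an argv list in which the hostile URL is a single argument; the unsafe_command_line function is kept only to show what the same URL does to a shell-interpolated string.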
Alert Profile Examples
By combining the Alert Profile Type, Filters, and Threshold parameters you can create alert profiles that address your precise and selective needs. Some example profiles are discussed below:
- To be notified of all Critical events, enter the criteria as Severity is '2'. For the mapping between severity names and severity numbers, refer to the table below.
- Likewise, to be notified of all attack logs, enter the criteria as RecordType is 'attack'.
- To be notified of all virus logs, enter the criteria as RecordType is 'virus'.
The mapping of severity names to severity numbers (these follow the syslog severity levels):
| Severity | Severity Number |
| Emergency | 0 |
| Alert | 1 |
| Critical | 2 |
| Error | 3 |
| Warning | 4 |
| Notification | 5 |
| Information | 6 |
Copyright © 2008, AdventNet Inc. All Rights Reserved.