
Creating an Alert Profile

An alert is triggered whenever an event matching specific criteria is generated. An alert profile lets you define those criteria, and also notifies you by email when the corresponding alert is triggered.

Creating a New Alert Profile

Click the Add Alert Profile link to create a new alert profile. You can find this link on the sub tab or in the Alerts box in the left navigation pane when the Alerts tab is selected.

  1. Enter a unique name for the alert profile in the Profile Name field.
  2. Select the Profile Type:
    1. Normal Alert Profile
      1. Select Device(s) for which the alert needs to be triggered by selecting the Select All check box or selecting the check boxes of required devices.
      2. Specify the criteria for which the alert needs to be triggered. You can combine the selected criteria with a logical AND or OR using the Match all of the following or Match any of the following selections. You can set criteria based on the Severity, Protocol, Date, Received (in Bytes), Sent (in Bytes), Source, User, Destination, URL, Status, File Name, Rule, VPN, Virus, Attack, Protocol Identifies, Message, Duration (in seconds), Record Type, Log ID, Category. Use the Add and Remove links to specify more or fewer criteria for the alert.
      3. Threshold:
        The Priority of the alert can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.
      4. Enter the threshold criteria for the alert to be triggered.
        For example: Alert for every: 5 Events generated within 2 Minutes
        Here, Events refer to the criteria that has been defined above.
      5. Select the owner for the alert from the Assign Owner: combo box. The combo box lists all the available users in the Firewall Analyzer.
      6. You can Apply Threshold to:
        Either All Devices Selected, in which case the alert is triggered when all the selected firewalls cumulatively cross the threshold set in the threshold criteria above,
        or Each Device Selected, in which case the alert is triggered when each firewall individually crosses the threshold set in the threshold criteria above.
      7. Notification:
        Select the check box Send the notifications once and do not send for <This Day, This Week, This Month, Custom Period> to send only one alert notification for the selected period, irrespective of the number of alerts generated during that period. The Custom Period selection displays _ Days, _ Hours, _ Mins fields beside the selection list.
    2. Anomaly Alert Profile: select this type when you would like to be notified of abnormal behaviour or traffic anomalies. Anomaly reports can be used for Network Behavioral Analysis (NBA).
      1. Select Device(s) for which the alert needs to be triggered by selecting the Select All check box or selecting the check boxes of required devices.
      2. Select the type of anomaly alert report (Anomaly Report Type) you would like to receive. The report types could be Traffic Report, Attack Report, Virus Report, VPN Report, URL Report, Rule Report, or Event Report.
      3. Filters:
        Each of the above report types provide a set of filters which can be configured as per the nature of the alert you would like to receive.
      4. Threshold:
        Based on the anomaly report type and corresponding filter you have chosen, the threshold criteria for the alert to be triggered can be set here.
      5. Select the owner for the alert from the Assign Owner: combo box. The combo box lists all the available users in the Firewall Analyzer.
      6. Notification:
        Select the appropriate radio button in the Send the below notifications on every 1st 2nd 3rd 4th 5th occurrence option. Select the check box Send the notifications once and do not send for <This Day, This Week, This Month, Custom Period> to send only one alert notification for the selected period, irrespective of the number of alerts generated during that period. The Custom Period selection displays _ Days, _ Hours, _ Mins fields beside the selection list.

      Anomaly Sample Scenario:

      In a period of 1 hour, if traffic from source 192.168.1.1 exceeds 100 MB, create a High Priority Alert and send me an email notification on every 5th occurrence. Also, once in 15 minutes, check whether the traffic has exceeded 100 MB.

      You can achieve the above scenario using the Anomaly Filters.

      Steps:
      1. Filters section:
        Set Source is 192.168.1.1
      2. Threshold section:
        In a period of 1 Hour, if Total Traffic exceeds 100 MB, create an Alert with Priority as High, and Check for every 15 Mins. Select the owner for the alert <Admin> from the Assign Owner for the Alert: combo box.
      3. Select the Send E-Mail notification check box and select 5th occurrence. Provide valid email IDs in the Mail To box.

      Example:
      The following example values show when Firewall Analyzer raises an alert and when it sends the e-mail.

      Schedule Time    Time Range        Total Bytes (MB)   Alert   Email
      10th Aug 10:00   9:00 to 10:00     104                YES     NO
      10th Aug 10:15   9:15 to 10:15     106                YES     NO
      10th Aug 10:30   9:30 to 10:30     200                YES     NO
      10th Aug 10:45   9:45 to 10:45     167                YES     NO
      10th Aug 11:00   10:00 to 11:00    154                YES     YES

      Schedule Time: Time at which Firewall Analyzer checks the database to identify the amount of traffic from Source 192.168.1.1
      Time Range: Time period for which the traffic is examined
      Total Bytes (MB): Actual bytes transferred from 192.168.1.1
      Alert: Does Firewall Analyzer report Alert or not?
      Email: Does Firewall Analyzer send E-Mail or not?
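      The scenario above as an added worked example (not Firewall Analyzer's own code): a Python model of the 1-hour window re-evaluated every 15 minutes, alerting above 100 MB and e-mailing on every 5th occurrence, run over constructed traffic records whose hourly sums reproduce the table. The MB unit (2**20 bytes), the half-open window boundaries and the record layout are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

MB = 1024 * 1024  # assumption: one "MB" in the page's table is taken as 2**20 bytes

@dataclass(frozen=True)
class TrafficLog:
    """One firewall traffic record (constructed sample data, not a real log)."""
    time: datetime
    source: str
    nbytes: int

@dataclass(frozen=True)
class CheckResult:
    """Outcome of one scheduled check: one row of the page's example table."""
    schedule_time: datetime
    window_start: datetime
    total_mb: int
    alert: bool
    email: bool

def match_filter(value: str, condition: str, operand: str) -> bool:
    """Evaluate one anomaly filter condition, named as on the page."""
    return {
        "Is": value == operand,
        "Is Not": value != operand,
        "Contains": operand in value,
        "Starts With": value.startswith(operand),
        "Ends With": value.endswith(operand),
    }[condition]

def run_checks(logs: List[TrafficLog], source: str, first: datetime, last: datetime,
               period=timedelta(hours=1), check_every=timedelta(minutes=15),
               threshold_mb: int = 100, notify_every: int = 5) -> List[CheckResult]:
    """At each schedule time sum the trailing period; e-mail on every Nth hit."""
    results, hits, t = [], 0, first
    while t <= last:
        start = t - period  # window is [start, t), e.g. 9:00 to 10:00
        total = sum(log.nbytes for log in logs
                    if match_filter(log.source, "Is", source) and start <= log.time < t)
        alert = total > threshold_mb * MB
        hits += int(alert)
        email = alert and hits % notify_every == 0
        results.append(CheckResult(t, start, total // MB, alert, email))
        t += check_every
    return results

def _t(hh: int, mm: int) -> datetime:
    return datetime(2013, 8, 10, hh, mm)

# Constructed quarter-hour totals chosen so the rolling hourly sums reproduce the
# page's table (104, 106, 200, 167, 154 MB); the 10.0.0.5 record must be filtered out.
SAMPLE_LOGS = [TrafficLog(_t(h, m), "192.168.1.1", mb * MB) for h, m, mb in
               [(9, 0, 20), (9, 15, 10), (9, 30, 40), (9, 45, 34),
                (10, 0, 22), (10, 15, 104), (10, 30, 7), (10, 45, 21)]]
SAMPLE_LOGS.append(TrafficLog(_t(10, 20), "10.0.0.5", 500 * MB))

def scenario_rows() -> List[CheckResult]:
    """The page's scenario: Source is 192.168.1.1, 1 h period, 100 MB, check every 15 min."""
    return run_checks(SAMPLE_LOGS, "192.168.1.1", _t(10, 0), _t(11, 0))
```

      Each CheckResult is one row of the table: every check alerts, but only the fifth consecutive hit sets email.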

    3. Bandwidth Alert Profile
      1. Select Device for which the interface bandwidth alert needs to be triggered by selecting the radio button of the live SNMP settings configured devices. Only SNMP Live Settings configured devices will be listed for the Bandwidth Alert selection.
      2. Specify the criteria for which the alert needs to be triggered. You can set criteria based on the inside or outside interface of the device, Inbound traffic, Outbound traffic or Total traffic, the comparison >= or <=, and a value in _ bps or %. Use the + and X buttons to specify more or fewer criteria for the alert. If more than one criterion is selected, no two criteria can have the same interface (inside or outside).
      3. Threshold:
        The Priority of the alert can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.
      4. Enter the threshold criteria for the alert to be triggered.
        For example: Alert for every: 5 Events generated within 2 Minutes
        Here, Events refer to the criteria that has been defined above.
      5. Select the owner for the alert from the Assign Owner: combo box. The combo box lists all the available users in the Firewall Analyzer.
      6. Notification:
        Select the check box Send the notifications once and do not send for <This Day, This Week, This Month, Custom Period> to send only one alert notification for the selected period, irrespective of the number of alerts generated during that period. The Custom Period selection displays _ Days, _ Hours, _ Mins fields beside the selection list.

  3. To receive an HTML mail containing the alert details every time an alert matching this alert profile is triggered, select the Send E-mail Notification checkbox. Fill in the recipient email address in the Mail To box. Emails can be sent to more than one email address by separating the addresses with a comma (,).

    Warning: You need to configure the mail server settings in Firewall Analyzer before setting up an email notification.
  4. To execute a custom script every time an alert matching this alert profile is triggered, select the Run Script checkbox. The Enter Script Location section appears below the option. Specify the location of the script to be executed in the Location field, or use the Browse button to locate the script. The parameters of the matching log can be passed as arguments to the script: click the Add link to select the parameters to be added to the Arguments field. The list of parameters is displayed with check boxes in a pop-up screen; select the required parameters and close the screen. You can also specify other arguments as required. If an argument value is not available in the matching log, the '-' character is substituted.
  5. To receive an SMS message on your mobile phone containing the alert details every time an alert matching this alert profile is triggered, select the Send SMS Notification checkbox. Fill in the recipient mobile phone number with country code. SMS cannot be sent to more than one phone number.

    Warning: You need to configure the SMS settings in Firewall Analyzer before setting up an SMS notification.
  6. Click the Save Profile button to save the alert profile.

Threshold for various Alert Reports

Threshold common to all Report types:

Show Trend

Assign Owner - Select the owner for the alert from the Assign Owner: combo box. The combo box lists all the available users in the Firewall Analyzer.

Check for every - Check the threshold for every 15 Mins, 30 Mins, 1 Hour, 2 Hours, 6 Hours, 12 Hours.

Traffic Report:

  • In a period of <1 Hour, 2 Hours, 6 Hours, 12 Hours, 1 Day, 7 Days, 14 Days, 30 Days, This Week, This Month>, If <Total Traffic, Sent Traffic, Received Traffic, Number of Hits, Duration> of <All, Any Source, Any Destination, Any Protocol> exceeds <amount> KB, MB or GB (traffic), Times (hits), or secs, minutes, hours or days (duration).
  • create an Alert with Priority as - Priority of the alert can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.
  • Assign owner - Select the owner for the alert from the Assign Owner: combo box. The combo box lists all the available users in the Firewall Analyzer.
  • Check for every - Check the threshold for every 15 Mins, 30 Mins, 1 Hour, 2 Hours, 6 Hours, 12 Hours.

Attack Report:

  • In a period of <1 Hour, 2 Hours, 6 Hours, 12 Hours, 1 Day, 7 Days, 14 Days, 30 Days, This Week, This Month>, If Number of Hits of <All, Any Source, Any Destination, Any Protocol> exceeds <number> times.
  • create an Alert with Priority as - Priority of the alert can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.
  • Assign owner - Select the owner for the alert from the Assign Owner: combo box. The combo box lists all the available users in the Firewall Analyzer.
  • Check for every - Check the threshold for every 15 Mins, 30 Mins, 1 Hour, 2 Hours, 6 Hours, 12 Hours.

Virus Report:

  • In a period of <1 Hour, 2 Hours, 6 Hours, 12 Hours, 1 Day, 7 Days, 14 Days, 30 Days, This Week, This Month>, If Number of Hits of <All, Any Source, Any Destination, Any Protocol> exceeds <number> times.
  • create an Alert with Priority as - Priority of the alert can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.
  • Assign owner - Select the owner for the alert from the Assign Owner: combo box. The combo box lists all the available users in the Firewall Analyzer.
  • Check for every - Check the threshold for every 15 Mins, 30 Mins, 1 Hour, 2 Hours, 6 Hours, 12 Hours.

VPN Report:

  • In a period of <1 Hour, 2 Hours, 6 Hours, 12 Hours, 1 Day, 7 Days, 14 Days, 30 Days, This Week, This Month>, If <Total Traffic, Sent Traffic, Received Traffic, Number of Hits, Duration> of <All, Any Source, Any Destination, Any Protocol> exceeds <amount> KB, MB or GB (traffic), Times (hits), or secs, minutes, hours or days (duration).
  • create an Alert with Priority as - Priority of the alert can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.
  • Assign owner - Select the owner for the alert from the Assign Owner: combo box. The combo box lists all the available users in the Firewall Analyzer.
  • Check for every - Check the threshold for every 15 Mins, 30 Mins, 1 Hour, 2 Hours, 6 Hours, 12 Hours.

URL Report:

  • In a period of <1 Hour, 2 Hours, 6 Hours, 12 Hours, 1 Day, 7 Days, 14 Days, 30 Days, This Week, This Month>, If <Total Traffic, Sent Traffic, Received Traffic, Number of Hits, Duration> of <All, Any Source, Any Destination, Any Protocol> exceeds <amount> KB, MB or GB (traffic), Times (hits), or secs, minutes, hours or days (duration).
  • create an Alert with Priority as - Priority of the alert can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.
  • Assign owner - Select the owner for the alert from the Assign Owner: combo box. The combo box lists all the available users in the Firewall Analyzer.
  • Check for every - Check the threshold for every 15 Mins, 30 Mins, 1 Hour, 2 Hours, 6 Hours, 12 Hours.

Rule Report:

  • In a period of <1 Hour, 2 Hours, 6 Hours, 12 Hours, 1 Day, 7 Days, 14 Days, 30 Days, This Week, This Month>, If <Number of Hits, Denied Requests> of <All, Any Source, Any Destination, Any Protocol> exceeds <number> times.
  • create an Alert with Priority as - Priority of the alert can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.
  • Assign owner - Select the owner for the alert from the Assign Owner: combo box. The combo box lists all the available users in the Firewall Analyzer.
  • Check for every - Check the threshold for every 15 Mins, 30 Mins, 1 Hour, 2 Hours, 6 Hours, 12 Hours.

Filters for various Alert Reports of Anomaly Alert Profile

Filters common to all Report types:

  • Time - Time filter values are Working Hours, Non Working Hours, Week Days, Week Ends; the default value is No Criteria. Select the Time value.
  • Source - Source filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the source name. To enter multiple values, use CIDR or CSV format.
  • Protocol - Protocol filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the protocol.
  • Destination - Destination filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the destination name. To enter multiple values, use CIDR or CSV format.
  • User - User filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the user name.

Traffic Report:

  • Time - Time filter values are Working Hours, Non Working Hours, Week Days, Week Ends; the default value is No Criteria. Select the Time value.
  • Source - Source filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the source name. To enter multiple values, use CIDR or CSV format.
  • Protocol - Protocol filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the protocol.
  • Destination - Destination filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the destination name. To enter multiple values, use CIDR or CSV format.
  • User - User filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the user name for which you want the alert to be generated.

Attack Report:

  • Time - Time filter values are Working Hours, Non Working Hours, Week Days, Week Ends; the default value is No Criteria. Select the Time value.
  • Source - Source filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the source name. To enter multiple values, use CIDR or CSV format.
  • Protocol - Protocol filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the protocol.
  • Destination - Destination filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the destination name. To enter multiple values, use CIDR or CSV format.
  • Attack - Attack filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the attack name for which you want the alert to be generated.
  • Message - Message filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the message, in part or in whole, for which you want the alert to be generated.
  • Severity - Severity filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the severity of the attack for which you want the alert to be generated.

Virus Report:

  • Time - Time filter values are Working Hours, Non Working Hours, Week Days, Week Ends; the default value is No Criteria. Select the Time value.
  • Source - Source filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the source name. To enter multiple values, use CIDR or CSV format.
  • Protocol - Protocol filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the protocol.
  • Destination - Destination filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the destination name. To enter multiple values, use CIDR or CSV format.
  • Virus - Virus filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the virus name for which you want the alert to be generated.
  • Message - Message filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the message, in part or in whole, for which you want the alert to be generated.
  • Severity - Severity filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the severity of the virus for which you want the alert to be generated.

VPN Report:

  • Time - Time filter values are Working Hours, Non Working Hours, Week Days, Week Ends; the default value is No Criteria. Select the Time value.
  • Source - Source filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the source name. To enter multiple values, use CIDR or CSV format.
  • Protocol - Protocol filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the protocol.
  • Destination - Destination filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the destination name. To enter multiple values, use CIDR or CSV format.
  • User - User filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the user name for which you want the alert to be generated.
  • VPN - VPN filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the VPN connection for which you want the alert to be generated.

URL Report:

  • Time - Time filter values are Working Hours, Non Working Hours, Week Days, Week Ends; the default value is No Criteria. Select the Time value.
  • Source - Source filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the source name. To enter multiple values, use CIDR or CSV format.
  • Protocol - Protocol filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the protocol.
  • Destination - Destination filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the destination name. To enter multiple values, use CIDR or CSV format.
  • User - User filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the user name for which you want the alert to be generated.
  • URL - URL filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the URL for which you want the alert to be generated.
  • Category - Category filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the URL category for which you want the alert to be generated.

Rule Report:

  • Time - Time filter values are Working Hours, Non Working Hours, Week Days, Week Ends; the default value is No Criteria. Select the Time value.
  • Source - Source filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the source name. To enter multiple values, use CIDR or CSV format.
  • Protocol - Protocol filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the protocol.
  • Destination - Destination filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the destination name. To enter multiple values, use CIDR or CSV format.
  • User - User filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the user name for which you want the alert to be generated.
  • Rule - Rule filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the rule name for which you want the alert to be generated.
  • Message - Message filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the message, in part or in whole, for which you want the alert to be generated.

Alert Profile Examples

By combining the Alert Profile Type, Filters, and Threshold parameters, you can create Alert Profiles that address your precise and selective needs. Some example profiles are discussed below:

  • To get notified of all Critical events, enter the criteria as Severity is '2'. For the mapping of severity to severity number, refer to the table given below.
  • Likewise, to get notified of all attack logs, enter the criteria as RecordType is 'attack'.
  • To get notified of all virus logs, enter the criteria as RecordType is 'virus'.

Mapping of severity to severity number:

Severity       Severity Number
Emergency      0
Alert          1
Critical       2
Error          3
Warning        4
Notification   5
Information    6

Copyright © 2013, ZOHO Corp. All Rights Reserved.
ManageEngine