Create an Alarm Profile


     An alarm is triggered whenever an event matching specific criteria is generated. An alarm profile lets you define those criteria and, optionally, have the corresponding alarm notify you by email when it is triggered.

    Create a New Alarm Profile

     Click the Add link to create a new alarm profile. 

    1. Enter a unique name for the alarm profile in the Profile Name field.
    2. Profile Type: Select the profile type
      • Normal
      • Anomaly
      • Bandwidth
    3. All Devices Selected
      By default, all available devices are selected; to choose specific devices, click Modify Selection.
      Select the devices for which you want alarms to be triggered. All available devices are listed in the Available Device(s) list. Select the devices and click the right arrow; the selected devices move to the Selected Device(s) list. To remove a device from the Selected Device(s) list, select it and click the left arrow; it moves back to the Available Device(s) list.
    1. Normal Alert Profile

    Define Alert Criteria:

    • Predefined
    • Custom
    1. Predefined:

    Predefined criteria for which the alarm will be triggered.

    You can combine the selected criteria with a logical AND or OR by choosing Match all of the following or Match any of the following.

    You can choose the following alert category and in turn choose predefined alert criteria:

    Alert Category:

    1. VPN Event
    2. Severity Event
    3. Attack Event
    4. Security Event
    5. Virus Event
    6. Spam Event
    7. Admin Event

    Alert Criteria:

    1. Successful User Login  -  Successful Admin Login Event
    2. Successful User Logout  -  Successful Admin Logout Event
    3. Failed User Login  -  Failed Admin Login Event
    4. Command Executed  -  Command Executed Event
    5. Admin Events  -  All Admin Event
    6. Portscan Attack  -  PortScan Attack
    7. Attack Event  -  All Attack Event
    8. Virus Event  -  All Virus Event
    9. Spam Event  -  All Spam Event
    10. Failed VPN Login  -  VPN login failed
    11. High Severity Event  -  Event has high Severity
    12. Low Severity Event  -  Event has low Severity
    13. Emergency Event  -  Alarm occurs when an Emergency event happens
    14. Alert Event  -  Alarm occurs when an Alert event happens
    15. Critical Event  -  Alarm occurs when a Critical event happens
    16. Error Event  -  Alarm occurs when an Error event happens
    17. Blocked URL  -  Alarm occurs when a blocked URL is accessed
    18. Denied Event  -  Alarm occurs when a Denied event happens

    The selected Alert Criteria of the selected Alert category will be displayed.

    1. Custom:
    • Custom criteria for which the alarm needs to be triggered. You can combine the selected criteria with a logical AND or OR by choosing Match all of the following or Match any of the following.
    • You can set criteria based on the Severity, Protocol, Date, Received (in Bytes), Sent (in Bytes), Source, User, Destination, URL, Status, File Name, Rule, VPN, Virus, Attack, Protocol Identifies, Message, Duration (in seconds), Record Type, Log ID, Category, Application, Source Country, and Destination Country.
    • Use the Add and Remove links to specify more or fewer criteria for the alarm.
    1. Threshold details:
      1. The Priority of the alarm can be Critical, Trouble, or Attention based on your requirement for notification. Select the appropriate Priority.
      2. Enter the threshold criteria for the alarm to be triggered.
      3. For example: Alert for every: 5 Events generated within 2 Minutes
      4. Here, Events refer to the criteria that has been defined above.
      5. Select the owner for the alarm from the Assign Owner: combo box. The combo box lists all the available users in the Firewall Analyzer.
      6. You can Apply Threshold to:
      7. Either All Devices Selected, in which case the alarm is triggered when all the selected firewalls cumulatively cross the threshold set in the threshold criteria above.
      8. Or Each Device Selected, in which case the alarm is triggered when each individual firewall crosses the threshold set in the threshold criteria above.
      9. Select the 'Generate alert once and do not generate for' check box to generate the alert once and not to generate for This Day, This Week, This Month, Custom Period.
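    The threshold logic of steps 2 to 9 above (N events within M minutes, counted cumulatively for All Devices Selected or per firewall for Each Device Selected, with the "Generate alert once and do not generate for" suppression), as an added worked example. This is illustration code written for this page, not Firewall Analyzer's own implementation; the events, device names and the rolling suppression period (the product offers calendar periods such as This Day) are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical; not real Firewall Analyzer records).
# Each entry is (timestamp, reporting device); every event is assumed to
# already match the profile's alert criteria, so only counting remains.
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:00", "fw-edge-1"),
    ("2024-01-01 10:00:20", "fw-edge-2"),
    ("2024-01-01 10:00:40", "fw-edge-1"),
    ("2024-01-01 10:01:00", "fw-edge-2"),
    ("2024-01-01 10:01:30", "fw-edge-1"),  # 5th event overall within 2 minutes
    ("2024-01-01 10:01:45", "fw-edge-1"),
    ("2024-01-01 10:01:50", "fw-edge-1"),  # 5th fw-edge-1 event within 2 minutes
    ("2024-01-01 10:30:00", "fw-edge-1"),  # long after the window; counts afresh
]


class ThresholdAlarm:
    """Alarm when `count` matching events arrive within `window`.

    apply_to="all"   -> All Devices Selected: one cumulative counter.
    apply_to="each"  -> Each Device Selected: one counter per device.
    suppress_for     -> 'Generate alert once and do not generate for':
                        after an alarm, further crossings inside this
                        (assumed rolling) period are swallowed; None means
                        the check box is not selected.
    """

    def __init__(self, count, window, apply_to="all", suppress_for=None):
        self.count = count
        self.window = window
        self.apply_to = apply_to
        self.suppress_for = suppress_for
        self._buckets = defaultdict(deque)  # key -> event times inside the window
        self._last_alert = {}               # key -> time of the last alarm raised

    def bucket_key(self, device):
        return "ALL" if self.apply_to == "all" else device

    def feed(self, when, device):
        """Record one matching event; return True if it raises an alarm."""
        key = self.bucket_key(device)
        bucket = self._buckets[key]
        bucket.append(when)
        # Slide the window: forget events older than `window` relative to now.
        while when - bucket[0] > self.window:
            bucket.popleft()
        if len(bucket) < self.count:
            return False
        # Threshold crossed. The next "every N events" count starts from zero.
        bucket.clear()
        last = self._last_alert.get(key)
        if (self.suppress_for is not None and last is not None
                and when - last < self.suppress_for):
            return False  # still inside the do-not-generate period
        self._last_alert[key] = when
        return True


def run_profile(events, count=5, window_minutes=2, apply_to="all",
                suppress_minutes=None):
    """Replay events through one profile; return (time, bucket) per alarm."""
    suppress = None if suppress_minutes is None else timedelta(minutes=suppress_minutes)
    alarm = ThresholdAlarm(count, timedelta(minutes=window_minutes), apply_to, suppress)
    raised = []
    for ts, device in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if alarm.feed(when, device):
            raised.append((ts, alarm.bucket_key(device)))
    return raised


if __name__ == "__main__":
    print("All Devices Selected :", run_profile(SAMPLE_EVENTS))
    print("Each Device Selected :", run_profile(SAMPLE_EVENTS, apply_to="each"))
    print("Suppressed for 10 min:", run_profile(SAMPLE_EVENTS, count=2, suppress_minutes=10))
```

    With the same eight events, the cumulative profile fires once (at the fifth event overall), the per-device profile fires once for fw-edge-1 only (fw-edge-2 never reaches five), and a 2-event profile that would otherwise fire three times fires once when the suppression period is on.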
    1. Anomaly Alert Profile

    This profile type can be selected when you would like to be notified of any abnormal behaviors or traffic anomalies. Anomaly reports can be used for Network Behavioral Analysis (NBA).

    1. All Devices Selected

    By default, all available devices are selected; to choose specific devices, click Modify Selection.
    Select the devices for which you want alarms to be triggered. All available devices are listed in the Available Device(s) list. Select the devices and click the right arrow; the selected devices move to the Selected Device(s) list. To remove a device from the Selected Device(s) list, select it and click the left arrow; it moves back to the Available Device(s) list.

    1. Define Alert Criteria:

    Select the type of anomaly alarm report (Anomaly Report Type) you would like to receive. The report types are Traffic Report, Attack Report, Virus Report, VPN Report, URL Report, Rule Report, and Event Report. Each report type provides a set of filters that can be configured according to the nature of the alarm you would like to receive.

    1. Threshold details:

      1. Based on the anomaly report type and corresponding filter you have chosen, the threshold criteria for the alarm to be triggered can be set here.
      2. The Priority of the alarm can be Critical, Trouble, or Attention based on your requirement for notification. Select the appropriate Priority.
      3. Select the owner for the alarm from the Assign Owner: combo box. The combo box lists all the available users in the Firewall Analyzer.
      4. Check for every <15 minutes, 30 minutes>
      5. Select the Generate alert once and do not generate for check box to generate the alert once and not to generate for This Day, This Week, This Month, Custom Period.
    2. Bandwidth Alert Profile

    1. Define Alert Criteria:

      1. The criteria for which the alarm needs to be triggered.
      2. You can set criteria on Inbound Traffic, Outbound Traffic, or Total Traffic, using the comparison >= or <= against a value in Gbps, Mbps, Kbps, bps, or % (of link capacity).
      3. Use the Add and Remove links to specify more or fewer criteria for the alarm.
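    The bandwidth criteria above (Inbound, Outbound or Total Traffic compared with >= or <= against a value in Gbps, Mbps, Kbps, bps or %), as an added worked example. This is illustration code written for this page, not Firewall Analyzer's own code; the interface byte counters, polling interval, link capacities and the reading of % as a percentage of link capacity are assumptions.

```python
# bps multipliers for the absolute units the bandwidth criteria accept;
# "%" is relative to link capacity and handled separately.
UNIT_BPS = {"bps": 1, "Kbps": 1_000, "Mbps": 1_000_000, "Gbps": 1_000_000_000}

# Constructed interface counters (hypothetical): bytes moved during one
# polling interval, plus the link capacity a percentage is relative to.
INTERVAL_SECONDS = 60
SAMPLE_COUNTERS = {
    "fw-edge-1": {"in_bytes": 750_000_000, "out_bytes": 120_000_000,
                  "link_bps": 1_000_000_000},   # 1 Gbps uplink
    "fw-edge-2": {"in_bytes": 30_000_000, "out_bytes": 20_000_000,
                  "link_bps": 10_000_000},      # 10 Mbps branch link
}


def traffic_rates_bps(counters, interval_seconds):
    """Derive the three criteria metrics (in bps) from byte counters."""
    inbound = counters["in_bytes"] * 8 / interval_seconds
    outbound = counters["out_bytes"] * 8 / interval_seconds
    return {"Inbound Traffic": inbound, "Outbound Traffic": outbound,
            "Total Traffic": inbound + outbound}


def criterion_holds(rate_bps, op, value, unit, link_bps):
    """Compare a measured rate with '<op> <value> <unit>' normalised to bps."""
    threshold = link_bps * value / 100 if unit == "%" else value * UNIT_BPS[unit]
    if op == ">=":
        return rate_bps >= threshold
    if op == "<=":
        return rate_bps <= threshold
    raise ValueError(f"unsupported operator {op!r}")


def devices_over_threshold(criteria, counters_by_device, interval_seconds,
                           match="all"):
    """Devices whose rates satisfy the criteria (AND for "all", OR for "any").

    criteria: list of (metric, op, value, unit), e.g.
              ("Inbound Traffic", ">=", 50, "Mbps").
    """
    triggered = []
    for device, counters in counters_by_device.items():
        rates = traffic_rates_bps(counters, interval_seconds)
        results = [criterion_holds(rates[metric], op, value, unit, counters["link_bps"])
                   for metric, op, value, unit in criteria]
        if all(results) if match == "all" else any(results):
            triggered.append(device)
    return triggered


if __name__ == "__main__":
    print(devices_over_threshold([("Inbound Traffic", ">=", 50, "Mbps")],
                                 SAMPLE_COUNTERS, INTERVAL_SECONDS))
    print(devices_over_threshold([("Inbound Traffic", ">=", 25, "%")],
                                 SAMPLE_COUNTERS, INTERVAL_SECONDS))
```

    The two runs show why the unit matters: 100 Mbps of inbound traffic on fw-edge-1 trips an absolute 50 Mbps threshold but is only 10% of its 1 Gbps link, while 4 Mbps on fw-edge-2 stays under 50 Mbps yet is 40% of its 10 Mbps link and trips the 25% threshold.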
    2. Threshold details:

      1. The Priority of the alarm can be Critical, Trouble, or Attention based on your requirement for notification. Select the appropriate Priority.
      2. Enter the threshold criteria for the alarm to be triggered.
      3. For example: Alert for every: 5 Events generated within 2 Minutes
      4. Here, Events refer to the criteria that has been defined above.
      5. Select the owner for the alarm from the Assign Owner: combo box. The combo box lists all the available users in the Firewall Analyzer.
      6. Select the 'Generate alert once and do not generate for' check box to generate the alert once and not to generate for This Day, This Week, This Month, Custom Period.
    3. Enable Notification:

      1. Select the 'Enable Notification' check box to notify users of the alerts and initiate remedial action.
      2. Choose one of the alert notification template types from the drop down list. The template types are:
        1. Email
        2. Email based SMS
        3. SMS
        4. Chat
        5. Run Program
        6. Log a Ticket
        7. Web Alarm
        8. Syslog Profile
        9. Trap Profile
    1. Click the Save button to save the alarm profile.


    Threshold for various Alert Reports

     Threshold common to all Report types:

     Show Trend

    Assign Owner - Select the owner for the alarm from the Assign Owner: combo box. The combo box lists all the available users in the Firewall Analyzer.

    Check for every 15 Mins, 30 Mins, 1 Hour, 2 Hours, 6 Hours, 12 Hours

     Traffic Report:

    • In a period of <1 Hour, 2 Hours, 6 Hours, 12 Hours, 1 Day, 7 Days, 14 Days, 30 Days, This Week, This Month>, if <Total Traffic, Sent Traffic, Received Traffic, Number of Hits, Duration> of <All, Any Source, Any Destination, Any Protocol> exceeds <amount> in MB, GB or KB (for traffic), Times (for hits), or secs, minutes, hours or days (for duration).

    • Create an Alert with Priority as: the Priority of the alarm can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.

    • Assign owner 

    • Check for every 

     Attack Report:

    • In a period of <1 Hour, 2 Hours, 6 Hours, 12 Hours, 1 Day, 7 Days, 14 Days, 30 Days, This Week, This Month>, if Number of Hits of <All, Any Source, Any Destination, Any Protocol, Transaction (SRC,DST), Transaction (SRC,DST,PRO)> exceeds <number> times.

    • Create an Alert with Priority as: the Priority of the alarm can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.

    • Assign owner 

    • Check for every 

    Virus Report:

    • In a period of <1 Hour, 2 Hours, 6 Hours, 12 Hours, 1 Day, 7 Days, 14 Days, 30 Days, This Week, This Month>, if Number of Hits of <All, Any Source, Any Destination, Any Protocol, Transaction (SRC,DST), Transaction (SRC,DST,PRO)> exceeds <number> times.

    • Create an Alert with Priority as: the Priority of the alarm can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.

    • Assign owner 

    • Check for every 

     VPN Report:

    • In a period of <1 Hour, 2 Hours, 6 Hours, 12 Hours, 1 Day, 7 Days, 14 Days, 30 Days, This Week, This Month>, if <Total Traffic, Sent Traffic, Received Traffic, Number of Hits, Duration> of <All, Any Source, Any Destination, Any Protocol> exceeds <amount> in MB, GB or KB (for traffic), Times (for hits), or secs, minutes, hours or days (for duration).

    • Create an Alert with Priority as: the Priority of the alarm can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.

    • Assign owner 

    • Check for every 

     URL Report:

    • In a period of <1 Hour, 2 Hours, 6 Hours, 12 Hours, 1 Day, 7 Days, 14 Days, 30 Days, This Week, This Month>, if <Total Traffic, Sent Traffic, Received Traffic, Number of Hits, Duration> of <All, Any Source, Any Destination, Any Protocol> exceeds <amount> in MB, GB or KB (for traffic), Times (for hits), or secs, minutes, hours or days (for duration).

    • Create an Alert with Priority as: the Priority of the alarm can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.

    • Assign owner 

    • Check for every 

     Rule Report:

    • In a period of <1 Hour, 2 Hours, 6 Hours, 12 Hours, 1 Day, 7 Days, 14 Days, 30 Days, This Week, This Month>, if <Number of Hits, Denied Requests> of <All, Any Source, Any Destination, Any Protocol> exceeds <number> times.

    • Create an Alert with Priority as: the Priority of the alarm can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.

    • Assign owner 

    • Check for every 


    Filters for various Alert Reports of Anomaly Alert Profile

     Filters common to all Report types:

    • Time filter values are Working Hours, Non Working Hours, Week Days, and Week Ends; the default value is No Criteria. Select the Time value.

    • Source filter conditions are Is, Is Not, Contains, Starts With, and Ends With. Enter the source name. To enter multiple values, use CIDR or CSV format.

    • Protocol filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter protocol.

    • Destination filter conditions are Is, Is Not, Contains, Starts With, and Ends With. Enter the destination name. To enter multiple values, use CIDR or CSV format.

    • User filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter user name.

     Traffic Report:

    • Time 

    • Source 

    • Protocol 

    • Destination 

    • User filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter user name for which you want the alarm to be generated.

    • Source Country

    • Destination Country
       

    Attack Report:

    • Time 

    • Source 

    • Protocol 

    • Destination 

    • Attack filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the attack name for which you want the alarm to be generated.

    • Message filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the message part or whole for which you want the alarm to be generated.

    • Severity filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the severity of the attack for which you want the alarm to be generated.

    • Source Country

    • Destination Country

    Virus Report:

    • Time 

    • Source 

    • Protocol 

    • Destination 

    • Virus filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the VIRUS name for which you want the alarm to be generated.

    • Message filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the message part or whole for which you want the alarm to be generated.

    • Severity filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the severity of the Virus for which you want the alarm to be generated.

    • Source Country

    • Destination Country

     VPN Report:

    • Time 

    • Source 

    • Protocol 

    • Destination 

    • User filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter user name for which you want the alarm to be generated.

    • VPN filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the VPN connection for which you want the alarm to be generated.

     URL Report:

    • Time 

    • Source 

    • Protocol 

    • Destination 

    • User filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter user name for which you want the alarm to be generated.

    • URL filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the URL for which you want the alarm to be generated.

    • Category filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the URL category for which you want the alarm to be generated.

     Rule Report:

    • Time 

    • Source 

    • Protocol 

    • Destination 

    • User filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter user name for which you want the alarm to be generated.

    • Rule filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter rule name for which you want the alarm to be generated.

    • Message filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the message part or whole for which you want the alarm to be generated.

    • Source Country

    • Destination Country


    Alert Profile Examples

    By combining the Alert Profile Type, Filters, and Threshold parameters, you can create Alert Profiles that address your precise and selective needs. Some example profiles are discussed below:

    • If you want to be notified of all Critical events, enter the criteria as Severity is '2'. For the mapping between severity and severity number, refer to the table below.

    • In the same way, if you want to be notified of all attack logs, enter the criteria as RecordType is 'attack'.

    • If you want to be notified of all virus logs, enter the criteria as RecordType is 'virus'.

    The mapping table of severity and severity number:

    Severity        Severity Number
    Emergency       0
    Alert           1
    Critical        2
    Error           3
    Warning         4
    Notification    5
    Information     6
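    The custom criteria of a Normal profile (Match all / Match any of a list of field conditions), the filter conditions Is, Is Not, Contains, Starts With and Ends With with CIDR or CSV values for Source and Destination, and the three example profiles above with the severity mapping table, as one added worked example. This is illustration code written for this page, not Firewall Analyzer's own code; the log records and their field values are constructed, and treating a Source or Destination value containing "/" or "," as CIDR/CSV is an assumption.

```python
import ipaddress

# Severity name -> severity number, as in the mapping table above.
SEVERITY_NUMBER = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
                   "Warning": 4, "Notification": 5, "Information": 6}

# Fields whose Is / Is Not values may be given as CIDR blocks or CSV lists.
ADDRESS_FIELDS = {"Source", "Destination"}

# Constructed sample log records (hypothetical values, not real firewall
# output). Severity is stored as its number, the way the examples enter it.
SAMPLE_LOGS = [
    {"RecordType": "attack",  "Severity": 2, "Source": "10.0.5.17",
     "Destination": "203.0.113.9", "User": "alice", "Message": "PortScan detected"},
    {"RecordType": "traffic", "Severity": 6, "Source": "10.0.8.3",
     "Destination": "198.51.100.4", "User": "bob", "Message": "Session closed"},
    {"RecordType": "virus",   "Severity": 1, "Source": "192.168.1.50",
     "Destination": "10.0.5.17", "User": "admin_carol", "Message": "Virus blocked"},
    {"RecordType": "attack",  "Severity": 4, "Source": "10.0.5.200",
     "Destination": "203.0.113.9", "User": "dave", "Message": "Brute force attempt"},
]


def severity_criterion(name):
    """Turn a severity name into the criterion the UI expects, e.g. Severity Is '2'."""
    return ("Severity", "Is", str(SEVERITY_NUMBER[name]))


def _address_in(value, pattern):
    """True if `value` lies in any address or CIDR block of the CSV `pattern`."""
    addr = ipaddress.ip_address(value)
    return any(addr in ipaddress.ip_network(item.strip(), strict=False)
               for item in pattern.split(","))


def condition_holds(field, condition, value, pattern):
    """Evaluate one filter condition: Is, Is Not, Contains, Starts With, Ends With."""
    value, pattern = str(value), str(pattern)
    if condition in ("Is", "Is Not"):
        if field in ADDRESS_FIELDS and ("/" in pattern or "," in pattern):
            hit = _address_in(value, pattern)      # CIDR or CSV form (assumed)
        else:
            hit = value == pattern
        return hit if condition == "Is" else not hit
    if condition == "Contains":
        return pattern in value
    if condition == "Starts With":
        return value.startswith(pattern)
    if condition == "Ends With":
        return value.endswith(pattern)
    raise ValueError(f"unknown filter condition: {condition!r}")


def record_matches(record, criteria, match="all"):
    """criteria: list of (field, condition, pattern).
    match="all" -> Match all of the following (AND); "any" -> Match any (OR)."""
    results = [condition_holds(f, c, record.get(f, ""), p) for f, c, p in criteria]
    return all(results) if match == "all" else any(results)


def select_messages(logs, criteria, match="all"):
    """Messages of the records that would trigger the alarm, in log order."""
    return [r["Message"] for r in logs if record_matches(r, criteria, match)]


if __name__ == "__main__":
    print(select_messages(SAMPLE_LOGS, [severity_criterion("Critical")]))
    print(select_messages(SAMPLE_LOGS, [("RecordType", "Is", "attack")]))
    print(select_messages(SAMPLE_LOGS, [("Source", "Is", "10.0.5.0/24")]))
```

    Severity is compared as a string because the UI takes the number as typed; the severity_criterion helper maps a name such as Critical to that number through the table so profiles do not rely on remembering it.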


    Notification Template Types

     The notification template types are:

    1. Email
    2. Email based SMS
    3. SMS
    4. Chat
    5. Run Program
    6. Log a Ticket
    7. Web Alarm
    8. Syslog Profile
    9. Trap Profile