Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 8

Rule for LEM

I have a rule in place that triggers an email when VPN tunnel goes down. But i am getting flase positives also , as some tunnels go down and are up immediately as the session is renewed.

Is there any way that these kind of alerts are tuned out, and only receive emails when some tunnel goes down other than regular reset of the tunnel?

Example: i am getting following type of information in the email.

-----Original Message-----

From: Log & Event Manager []

Sent: 03 April 2019 09:12

To: Security Team

Subject: LEM Alert - Suspicious Traffic Detected - Tunnel Down

Event Info: ipsec tunnel status changed Detection Date/Time:  2019-04-03 09:12:08.0

Message: tunnel down. policy 4(abc-defghi), src: " -", dst: "xx.xx.0.0 - xx.xx.xx.255", gw: "", inspi: 0xcb801ad3, reason: " remove ipsec sanode."

Detection Machine:

Source IP:

Destination IP:

Source Port:

Destination Port:

Alert Name: Tunnel Down

Labels (3)
0 Kudos
0 Replies