0 Replies Latest reply on Apr 5, 2019 9:14 AM by schozab

    Rule for LEM

    schozab

I have a rule in place that triggers an email when a VPN tunnel goes down. But I am getting false positives also, as some tunnels go down and are up immediately as the session is renewed.

Is there any way that these kinds of alerts can be tuned out, so that I only receive emails when a tunnel goes down for some reason other than the regular reset of the tunnel?


Example: I am getting the following type of information in the email.


      -----Original Message-----

      From: Log & Event Manager [mailto:solarwindslem@xxx.co.uk]

      Sent: 03 April 2019 09:12

      To: Security Team

      Subject: LEM Alert - Suspicious Traffic Detected - Tunnel Down


      Event Info: ipsec tunnel status changed Detection Date/Time:  2019-04-03 09:12:08.0


      Message: tunnel down. policy 4(abc-defghi), src: "xx.xxx.0.0 - xx.xxx.255.255", dst: "xx.xx.0.0 - xx.xx.xx.255", gw: "xx.xx.xxx.xxx", inspi: 0xcb801ad3, reason: " remove ipsec sanode."

      Detection Machine: xx.xx.x.xxx


      Source IP:

      Destination IP:

      Source Port:

      Destination Port:


      Alert Name: Tunnel Down
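The problem described in the post is a stateful correlation problem: a "tunnel down" event only deserves an email if no matching "tunnel up" for the same policy arrives within a short grace window. The LEM rule itself is not shown on the page, so the following is an added example, not the poster's code and not a SolarWinds LEM feature, showing the debounce logic in Python over constructed log lines. The "tunnel up" message wording, the policy identifier format, the RFC 5737 sample addresses, the "dpd timeout" reason text and the 60-second grace window are all assumptions; the "tunnel down" line is modelled on the message quoted in the post.

```python
import re
from datetime import datetime, timedelta

# Matches the status line format seen in the LEM alert, e.g.
#   tunnel down. policy 4(abc-defghi), src: ..., reason: " remove ipsec sanode."
# The "tunnel up" variant is an assumption; the post only shows "tunnel down".
EVENT_RE = re.compile(r"tunnel (?P<state>down|up)\. policy (?P<policy>\d+\([^)]*\))")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_event(timestamp, message):
    """Return (datetime, state, policy) for a tunnel status line, else None."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    return datetime.strptime(timestamp, TS_FORMAT), m.group("state"), m.group("policy")


def find_sustained_outages(raw_events, grace_seconds=60, now=None):
    """Return (policy, down_time) for tunnels that stayed down past the grace window.

    raw_events: iterable of (timestamp string, message string).
    A "down" followed by an "up" for the same policy inside grace_seconds is a
    flap (session renewal) and is suppressed.  If `now` is None every tunnel
    still pending at the end of the batch is reported; otherwise only those
    that have been down for at least grace_seconds as of `now` are reported,
    which is what a periodically run batch job would want.
    """
    grace = timedelta(seconds=grace_seconds)
    pending = {}   # policy -> time the tunnel went down
    alerts = []

    parsed = [e for e in (parse_event(ts, msg) for ts, msg in raw_events) if e]
    parsed.sort(key=lambda e: e[0])   # correlation needs time order

    for when, state, policy in parsed:
        # Anything down for longer than the grace window is a real outage.
        for pol, down_at in list(pending.items()):
            if when - down_at >= grace:
                alerts.append((pol, down_at.strftime(TS_FORMAT)))
                del pending[pol]
        if state == "down":
            pending.setdefault(policy, when)   # keep the earliest down time
        else:
            pending.pop(policy, None)          # recovered within grace: suppress

    cutoff = None if now is None else datetime.strptime(now, TS_FORMAT) - grace
    for pol, down_at in pending.items():
        if cutoff is None or down_at <= cutoff:
            alerts.append((pol, down_at.strftime(TS_FORMAT)))
    return alerts


# Constructed sample batch (not real alert data): one flap that recovers in
# 3 seconds, one tunnel that never comes back, and one late "down" with no
# recovery seen yet, plus an unrelated line the parser must ignore.
SAMPLE_EVENTS = [
    ("2019-04-03 09:12:08",
     'tunnel down. policy 4(abc-defghi), src: "10.0.0.0 - 10.0.255.255", '
     'dst: "10.1.0.0 - 10.1.0.255", gw: "192.0.2.1", inspi: 0xcb801ad3, '
     'reason: " remove ipsec sanode."'),
    ("2019-04-03 09:12:11", 'tunnel up. policy 4(abc-defghi), gw: "192.0.2.1"'),
    ("2019-04-03 09:30:00", 'tunnel down. policy 7(site-b), gw: "192.0.2.2", reason: " dpd timeout."'),
    ("2019-04-03 09:45:00",
     'tunnel down. policy 4(abc-defghi), gw: "192.0.2.1", reason: " remove ipsec sanode."'),
    ("2019-04-03 09:45:30", "some unrelated firewall log line"),
]

if __name__ == "__main__":
    for policy, down_at in find_sustained_outages(SAMPLE_EVENTS):
        print(f"ALERT: tunnel {policy} down since {down_at}")
```

Run as a batch with `now` set to the current time, the 09:12:08 event is swallowed by the 09:12:11 recovery, policy 7 is reported after its grace window elapses, and the 09:45:00 event is reported only once it has been down for a full window. The same idea maps onto any SIEM that supports a "followed by / not followed by" correlation with a time window, with the policy identifier as the correlation key.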