I have a rule in place that triggers an email when VPN tunnel goes down. But i am getting flase positives also , as some tunnels go down and are up immediately as the session is renewed.
Is there any way that these kind of alerts are tuned out, and only receive emails when some tunnel goes down other than regular reset of the tunnel?
Example: i am getting following type of information in the email.
From: Log & Event Manager [mailto:firstname.lastname@example.org]
Sent: 03 April 2019 09:12
To: Security Team
Subject: LEM Alert - Suspicious Traffic Detected - Tunnel Down
Event Info: ipsec tunnel status changed Detection Date/Time: 2019-04-03 09:12:08.0
Message: tunnel down. policy 4(abc-defghi), src: "xx.xxx.0.0 - xx.xxx.255.255", dst: "xx.xx.0.0 - xx.xx.xx.255", gw: "xx.xx.xxx.xxx", inspi: 0xcb801ad3, reason: " remove ipsec sanode."
Detection Machine: xx.xx.x.xxx
Alert Name: Tunnel Down