Creating an Alert Profile
7. Click the Save Profile button to save the alert profile.
Filters for various Alert Reports
Filters common to all Report types:
• Time filter values are Working Hours, Non Working Hours, Week Days, Week Ends and the default value is No Criteria. Select the Time value.
• Source filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter source name. If you want to enter multiple values, use CIDR or CSV formats.
• Protocol filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter protocol.
• Destination filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter destination name. If you want to enter multiple values, use CIDR or CSV formats.
Traffic Report:
• Time
• Source
• Protocol
• Destination
• User filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter user name for which you want the alert to be generated.
Attack Report:
• Time
• Source
• Protocol
132 Zoho Corp.
• Destination
• Attack filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the attack name for which you want the alert to be generated.
• Message filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the message part or whole for which you want the alert to be generated.
• Severity filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the severity of the attack for which you want the alert to be generated.
Virus Report:
• Time
• Source
• Protocol
• Destination
• Virus filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the virus name for which you want the alert to be generated.
• Message filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the message part or whole for which you want the alert to be generated.
• Severity filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the severity of the virus for which you want the alert to be generated.
VPN Report:
• Time
• Source
• Protocol
• Destination
• User filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter user name for which you want the alert to be generated.
• VPN filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the VPN connection for which you want the alert to be generated.
URL Report:
• Time
• Source
• Protocol
• Destination
• User filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter user name for which you want the alert to be generated.
• URL filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the URL for which you want the alert to be generated.
• Category filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the URL category for which you want the alert to be generated.
Rule Report:
• Time
• Source
• Protocol
• Destination
• User filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter user name for which you want the alert to be generated.
• Rule filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter rule name for which you want the alert to be generated.
• Message filter conditions are Is, Is Not, Contains, Starts With and Ends With. Enter the message part or whole for which you want the alert to be generated.
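As an added illustration (not part of the Firewall Analyzer documentation or its product code), the following Python shows how the filter conditions described above can be evaluated against log records: Is, Is Not, Contains, Starts With and Ends With, with CSV lists giving several alternative values and CIDR notation matching a whole address block for Source and Destination. The record field names, the constructed sample records, case-insensitive comparison and the rule that all filter lines of one profile must match (AND) are assumptions made for this example, not documented product behaviour. The severity filter mirrors the "Severity is '2'" criterion shown later under Alert Profile Examples.

```python
import ipaddress

# Constructed sample log records (hypothetical addresses and users), not real data.
# The field names are an assumption for this example.
SAMPLE_LOGS = [
    {"source": "10.0.1.25", "destination": "203.0.113.7", "protocol": "tcp/443",
     "user": "alice", "severity": 2},
    {"source": "10.0.2.9", "destination": "198.51.100.4", "protocol": "udp/53",
     "user": "bob", "severity": 5},
    {"source": "192.168.5.3", "destination": "203.0.113.7", "protocol": "tcp/80",
     "user": "carol", "severity": 2},
]

CONDITIONS = ("Is", "Is Not", "Contains", "Starts With", "Ends With")


def _csv_values(criterion):
    """Split a CSV criterion ('alice, bob') into its individual values."""
    return [v.strip() for v in str(criterion).split(",") if v.strip()]


def _in_cidr(address, cidr):
    """True if address lies inside the CIDR block; False for non-IP inputs."""
    try:
        return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def match_condition(field_value, condition, criterion):
    """Evaluate one filter line against one field value.
    CSV gives several alternatives; a value written in CIDR form matches any
    address in that block. Comparison is case-insensitive (assumption)."""
    if condition not in CONDITIONS:
        raise ValueError(f"unknown condition {condition!r}")
    actual = str(field_value).lower()

    def one(value):
        v = value.lower()
        if condition in ("Is", "Is Not"):
            return actual == v or ("/" in v and _in_cidr(actual, v))
        if condition == "Contains":
            return v in actual
        if condition == "Starts With":
            return actual.startswith(v)
        return actual.endswith(v)  # Ends With

    hit = any(one(v) for v in _csv_values(criterion))
    return (not hit) if condition == "Is Not" else hit


def filter_records(records, filters):
    """Return the records that satisfy every (field, condition, criterion) line.
    Combining a profile's filter lines with AND is an assumption of this example."""
    return [r for r in records
            if all(match_condition(r[f], cond, crit) for f, cond, crit in filters)]


if __name__ == "__main__":
    # Source in a CIDR block AND severity 2 (Critical): only alice's record matches
    for rec in filter_records(SAMPLE_LOGS, [("source", "Is", "10.0.0.0/16"),
                                            ("severity", "Is", "2")]):
        print(rec["user"], rec["source"], rec["destination"])
```

Note that "Is Not" is evaluated as the negation of "Is" over the whole CSV list, so a record is kept only when it matches none of the listed values.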
Threshold for various Alert Reports
Threshold common to all Report types:
• Show Trend
• Assign Owner - Select the owner for the alert from the Assign Owner: combo box. The combo box lists all the available users in the Firewall Analyzer.
• Check for every 15 Mins, 30 Mins, 1 Hour, 2 Hours, 6 Hours, 12 Hours
Traffic Report:
• In a period of 1 Hour, 2 Hours, 6 Hours, 12 Hours, 1 Day, 7 Days, 14 Days, 30 Days, This Week, This Month, If Total Traffic, Sent Traffic, Received Traffic, Number of Hits, Duration of All, Any Source, Any Destination, Any Protocol exceeds <amount>_ MB, GB, KB or Times or secs, minutes, hours, days.
• Create an Alert with Priority as - Priority of the alert can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.
• Assign owner
• Check for every
Attack Report:
• In a period of 1 Hour, 2 Hours, 6 Hours, 12 Hours, 1 Day, 7 Days, 14 Days, 30 Days, This Week, This Month, If Number of Hits of All, Any Source, Any Destination, Any Protocol exceeds <number>_ times.
• Create an Alert with Priority as - Priority of the alert can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.
• Assign owner
• Check for every
Virus Report:
• In a period of 1 Hour, 2 Hours, 6 Hours, 12 Hours, 1 Day, 7 Days, 14 Days, 30 Days, This Week, This Month, If Number of Hits of All, Any Source, Any Destination, Any Protocol exceeds <number>_ times.
• Create an Alert with Priority as - Priority of the alert can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.
• Assign owner
• Check for every
VPN Report:
• In a period of 1 Hour, 2 Hours, 6 Hours, 12 Hours, 1 Day, 7 Days, 14 Days, 30 Days, This Week, This Month, If Total Traffic, Sent Traffic, Received Traffic, Number of Hits, Duration of All, Any Source, Any Destination, Any Protocol exceeds <amount>_ MB, GB, KB or Times or secs, minutes, hours, days.
• Create an Alert with Priority as - Priority of the alert can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.
• Assign owner
• Check for every
URL Report:
• In a period of 1 Hour, 2 Hours, 6 Hours, 12 Hours, 1 Day, 7 Days, 14 Days, 30 Days, This Week, This Month, If Total Traffic, Sent Traffic, Received Traffic, Number of Hits, Duration of All, Any Source, Any Destination, Any Protocol exceeds <amount>_ MB, GB, KB or Times or secs, minutes, hours, days.
• Create an Alert with Priority as - Priority of the alert can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.
• Assign owner
• Check for every
Rule Report:
• In a period of 1 Hour, 2 Hours, 6 Hours, 12 Hours, 1 Day, 7 Days, 14 Days, 30 Days, This Week, This Month, If Number of Hits, Denied Requests of All, Any Source, Any Destination, Any Protocol exceeds <number>_ times.
• Create an Alert with Priority as - Priority of the alert can be High, Medium, or Low based on your requirement for notification. Select the appropriate Priority.
• Assign owner
• Check for every
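As an added example (written for this page, not Firewall Analyzer product code), the Python below shows what a threshold line such as "In a period of 1 Hour, If Total Traffic of Any Source exceeds 500 MB" amounts to when evaluated: records inside the period are grouped by the "of" selection (All, Any Source, Any Destination or Any Protocol), the chosen metric is summed per group, and one alert carrying the configured Priority and owner is raised for every group whose total exceeds the limit. It also models "Check for every N Mins" as a simple interval test. The record layout, the constructed sample records, binary KB/MB/GB, a strict "greater than" comparison and the rolling-window reading of the periods are assumptions for this example; "This Week" and "This Month" are calendar-bound and are left out.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Unit tables (assumption: binary KB/MB/GB; the manual does not state the base)
MB = 1024 * 1024
SIZE_UNITS = {"KB": 1024, "MB": MB, "GB": 1024 * MB}
TIME_UNITS = {"secs": 1, "minutes": 60, "hours": 3600, "days": 86400}
# Rolling periods from the threshold list; "This Week" / "This Month" are
# calendar-bound and not modelled here.
PERIODS = {
    "1 Hour": timedelta(hours=1), "2 Hours": timedelta(hours=2),
    "6 Hours": timedelta(hours=6), "12 Hours": timedelta(hours=12),
    "1 Day": timedelta(days=1), "7 Days": timedelta(days=7),
    "14 Days": timedelta(days=14), "30 Days": timedelta(days=30),
}
# "of All / Any Source / Any Destination / Any Protocol" -> grouping field
GROUP_FIELD = {"All": None, "Any Source": "source",
               "Any Destination": "destination", "Any Protocol": "protocol"}

NOW = datetime(2024, 1, 1, 12, 0, 0)  # constructed evaluation time


def _rec(t, src, dst, proto, sent_mb, recv_mb, dur):
    return {"time": t, "source": src, "destination": dst, "protocol": proto,
            "sent_bytes": sent_mb * MB, "received_bytes": recv_mb * MB,
            "duration_secs": dur}


# Constructed sample records (hypothetical addresses), not real firewall data
SAMPLE_RECORDS = [
    _rec(datetime(2024, 1, 1, 11, 10), "10.0.1.25", "203.0.113.7", "tcp/443", 400, 300, 120),
    _rec(datetime(2024, 1, 1, 11, 30), "10.0.1.25", "198.51.100.4", "udp/53", 50, 20, 5),
    _rec(datetime(2024, 1, 1, 11, 45), "10.0.2.9", "203.0.113.7", "tcp/80", 100, 150, 60),
    _rec(datetime(2024, 1, 1, 9, 0), "10.0.2.9", "203.0.113.9", "tcp/22", 900, 10, 30),  # outside a 1 Hour window
]


def _metric(rec, metric):
    """Value that one record contributes to the selected threshold metric."""
    if metric == "Total Traffic":
        return rec["sent_bytes"] + rec["received_bytes"]
    if metric == "Sent Traffic":
        return rec["sent_bytes"]
    if metric == "Received Traffic":
        return rec["received_bytes"]
    if metric == "Number of Hits":
        return 1
    if metric == "Duration":
        return rec["duration_secs"]
    raise ValueError(f"unknown metric {metric!r}")


def limit_in_base_units(amount, unit):
    """Convert '<amount> MB', 'Times' or 'minutes' into bytes, hits or seconds."""
    if unit in SIZE_UNITS:
        return amount * SIZE_UNITS[unit]
    if unit in TIME_UNITS:
        return amount * TIME_UNITS[unit]
    if unit == "Times":
        return amount
    raise ValueError(f"unknown unit {unit!r}")


def evaluate_threshold(records, threshold, now):
    """Sum the metric per group over the period ending at `now` and return one
    alert per group whose total exceeds the configured limit."""
    window_start = now - PERIODS[threshold["period"]]
    field = GROUP_FIELD[threshold["of"]]
    totals = defaultdict(int)
    for rec in records:
        if not (window_start <= rec["time"] <= now):
            continue  # only records inside the period count
        key = rec[field] if field else "All"
        totals[key] += _metric(rec, threshold["metric"])
    limit = limit_in_base_units(threshold["amount"], threshold["unit"])
    return [
        {"group": key, "value": value, "limit": limit,
         "priority": threshold["priority"], "owner": threshold["owner"],
         "checked_at": now}
        for key, value in totals.items() if value > limit
    ]


def check_is_due(last_checked, now, check_every_minutes):
    """'Check for every N Mins': true once that interval has elapsed since the last check."""
    return now - last_checked >= timedelta(minutes=check_every_minutes)


if __name__ == "__main__":
    profile = {"period": "1 Hour", "metric": "Total Traffic", "of": "Any Source",
               "amount": 500, "unit": "MB", "priority": "High", "owner": "admin"}
    if check_is_due(NOW - timedelta(minutes=15), NOW, 15):
        for alert in evaluate_threshold(SAMPLE_RECORDS, profile, NOW):
            print(f"{alert['priority']} alert for {alert['group']}: "
                  f"{alert['value'] / MB:.0f} MB > {alert['limit'] / MB:.0f} MB, owner {alert['owner']}")
```

With the sample records, the 1 Hour window ending at 12:00 excludes the 09:00 record, so only 10.0.1.25 (770 MB total) crosses the 500 MB limit; widening the period to 6 Hours brings the 09:00 record back into the sum, which is why the choice of period changes which groups alert.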
Alert Profile Examples
With the combinational usage of Alert Profile Type, Filters, and Threshold parameters, you will be able to create Alert Profiles addressing your precise and selective needs. Some example profiles are discussed below:
• Say you want to get notification of all Critical Events: enter the criteria as Severity is '2'. For the severity and severity number mapping, refer to the table given below.
• Same way, if you want to get notification of all attack logs, enter the criteria as RecordType is 'attack'.
• If you want to get notification for all virus logs, enter the criteria as
The mapping table of severity number and severity
Severity        Severity Number
Emergency       0
Alert           1
Critical        2
Error           3
Warning         4
Notification    5
Information     6
Viewing Alerts
After setting up an Alert Profile, select the Alerts tab to see the list of alerts triggered. By default, the Alerts tab lists all the alerts triggered so far. The list shows the
timestamp of the alert, the host which triggered it, the alert priority, and the status of the alert. Clicking on each alert profile would provide the details of the alert like why, when, & for which device the alert was triggered.
Viewing Alerts for an Alert Profile
The Alerts box on the left navigation pane lists all the alert profiles created so far. Click on each alert profile to view the corresponding list of alerts triggered.
The icon against an alert profile indicates that an email notification has been set up. The icon against an alert profile indicates that a Run Script action has been set up. The icon against an alert profile indicates that an SMS notification has been set up. The icon indicates that the alert profile is currently enabled and active. To disable the alert profile, click on this icon. The alert profile is now disabled, and the icon is shown. When an alert profile is disabled, alerts will not be triggered for that alert profile. To start triggering alerts again, click on the icon to enable the alert profile.
To edit an alert profile, click on the icon. To delete an alert profile, click on the icon.
The Alerts tab lets you view alerts for various alert profiles set up. To manage alert profiles, click the Alert Profiles link in the Settings tab.