Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  How to filter alarms sent by ISG2000 FWs to the NMS

    Posted 02-18-2009 00:39

    Hi;

     

    Our FO is receiving lots of alarms from ISG2000 FW for alarms/events like land attack, port scan etc...

    We want to filter specific alarms/events in ISG FW from sending SNMP traps to the NMS,

    I tried to filter the alarms in the ISG GUI -> Configuration -> Report Settings -> Log Settings

    but FO is still receiving alarms/events.

    Any advice on how we can filter specific alarms/events in ISG FW?

     

     



  • 2.  RE: How to filter alarms sent by ISG2000 FWs to the NMS

    Posted 02-20-2009 10:08

    From the CLI, run the command 'get log settings'.  What does it show for SNMP?

    Land Attacks & Port Scans are at the Alert level.

     

    Regards,

    Josine



  • 3.  RE: How to filter alarms sent by ISG2000 FWs to the NMS

    Posted 02-21-2009 06:32

    Hi Josine;

     

    Thanks a lot for your help;

     

    Here is the output of the command you asked to be run :

     

    FWGPRSMUS:FWGPRSMUS01(M)-> get log setting
    Levels: 0=Emergency, 1=Alert, 2=Critical, 3=Error, 4=Warning, 5=Notification,
            6=Information, 7=Debugging, '-' = disabled
    Module     Console    Internal   Email      SNMP       Syslog    
    system     01234567   01234567   012--5--   012-----   01234567  

    Module     WebTrends  NSM        PCMCIA    
    system     012--5--   01234567   01234567

     

    the output shows that the "alerts" are sent by SNMP, 012-----

     

    we can disable the alerts to be advertised to the NMS using "unset log module system level alert destination SNMP", is this the right way to do it?

     

    I just wanna know if there are any other important logs with "alert" level to be sent to the NMS, other than Land attacks & Port scan

    because using the command above will prevent all the logs at alert level to be advertised by SNMP 

     

    Is it possible for us to filter alarms based on the description of alarms and not by log level?

    For example, we would like to filter all Land Attacks, Port Scan, Ping of Death, etc, not to be sent thru SNMP?

    We are afraid that we will not be able to send other significant alarms thru SNMP if we filter by log level.

    Message Edited by lvl1s7a on 02-23-2009 06:48 AM


  • 4.  RE: How to filter alarms sent by ISG2000 FWs to the NMS
    Best Answer

    Posted 02-23-2009 20:10

    Yes, to disable ALERT level logs sent via SNMP, then enter this command:

    unset log module system level alert destination snmp

     

    Additionally, to disable CRITICAL level logs sent via SNMP, then enter this command:

    unset log module system level critical destination snmp



    You have valid concerns. 
    In order to see all the possible ALERT level logs, refer to the ScreenOS System Log Message Guide.

     

    You can run the command, get log event level <level>, to view the alarms you are getting at that level on your firewall.

     

    You can send the ALERT level logs to a SYSLOG server and process them from that angle.

     

    Unfortunately, you can't select the log level by the log description. 

     

    Hope that helps.

    Regards,

    Josine

     


    #SNMP
    #alarms
    #alert
    #filter
    #attacks
    #syslog
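
The syslog route suggested in the answer above, sketched as an added example (not code from this thread or from Juniper): a small Python filter that suppresses selected ALERT-level events by description and keeps everything else for forwarding to the NMS. The line layout matched by the regex, the sample lines and their message numbers are assumptions constructed for illustration.

```python
import re

# Assumed layout of the message part of a ScreenOS syslog line:
#   "... system-<level>-<number>: <description>"
# Adjust the pattern to what your firewall actually sends.
EVENT_RE = re.compile(r"system-(?P<level>[a-z]+)-(?P<num>\d+):\s*(?P<desc>.*)")

# Descriptions the thread wants kept away from the NMS (case-insensitive).
SUPPRESS = ("land attack", "port scan", "ping of death")


def classify(line, suppress=SUPPRESS):
    """Return 'forward', 'suppress' or 'unparsed' for one syslog line."""
    m = EVENT_RE.search(line)
    if m is None:
        # Never silently drop a line we cannot parse; keep it for review.
        return "unparsed"
    desc = m.group("desc").lower()
    # Only ALERT-level events are filtered by description; other levels pass.
    if m.group("level") == "alert" and any(s in desc for s in suppress):
        return "suppress"
    return "forward"


def split_events(lines, suppress=SUPPRESS):
    """Sort syslog lines into forward / suppress / unparsed buckets."""
    buckets = {"forward": [], "suppress": [], "unparsed": []}
    for line in lines:
        buckets[classify(line, suppress)].append(line)
    return buckets


# Constructed sample lines; message numbers are placeholders, not real IDs.
SAMPLE = [
    "fw01: [Root]system-alert-00000: Port scan! From 192.0.2.10 to 198.51.100.5",
    "fw01: [Root]system-alert-00000: Land attack! From 192.0.2.11 to 198.51.100.5",
    "fw01: [Root]system-alert-00000: Constructed alert not on the suppress list",
    "fw01: [Root]system-critical-00000: Constructed critical event",
    "fw01: line in an unexpected format",
]

if __name__ == "__main__":
    for bucket, items in split_events(SAMPLE).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
```

Lines in the "forward" bucket are the ones to relay to the NMS; reviewing the "unparsed" bucket shows whether the assumed layout fits the device's real output.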


  • 5.  RE: How to filter alarms sent by ISG2000 FWs to the NMS

    Posted 02-24-2009 01:31

    Hi Josine;

     

    Many Thanks to you for your precious help;