ScreenOS Firewalls (NOT SRX)
Contributor
lvl1s7a
Posts: 25
Registered: ‎09-11-2008
Accepted Solution

How to filter alarms sent by ISG2000 FWs to the NMS

Hi;

 

Our FO is receiving lots of alarms from ISG2000 FW for alarms/events like land attack, port scan etc...

We want to filter specific alarms/events in ISG FW from sending SNMP traps to the NMS,

I tried to filter the alarms in the ISG GUI -> Configuration -> Report Settings -> Log Settings

but FO is still receiving alarms/events.

Any advice on how we can filter specific alarms/events in ISG FW?

 

 

Best Regards

// lvl1s7a
Recognized Expert
PentinProcessor
Posts: 258
Registered: ‎11-06-2007

Re: How to filter alarms sent by ISG2000 FWs to the NMS

From the CLI, run the command 'get log settings'.  What does it show for SNMP?

Land Attacks & Port Scans are at the Alert level.

 

Regards,

Josine

Contributor
lvl1s7a
Posts: 25
Registered: ‎09-11-2008

Re: How to filter alarms sent by ISG2000 FWs to the NMS


Hi Josine;

 

Thanks a lot for your help;

 

Here is the output of the command you asked to be run :

 

FWGPRSMUS:FWGPRSMUS01(M)-> get log setting
Levels: 0=Emergency, 1=Alert, 2=Critical, 3=Error, 4=Warning, 5=Notification,
        6=Information, 7=Debugging, '-' = disabled
Module     Console    Internal   Email      SNMP       Syslog    
system     01234567   01234567   012--5--   012-----   01234567  

Module     WebTrends  NSM        PCMCIA    
system     012--5--   01234567   01234567

 

The output shows that the "alerts" are sent by SNMP: 012-----

 

We can disable the alerts to be advertised to the NMS using "unset log module system level alert destination SNMP". Is this the right way to do it?

 

I just wanna know if there are any other important logs with "alert" level to be sent to the NMS, other than Land attacks & Port scan

because using the command above will prevent all the logs at alert level to be advertised by SNMP 

 

Is it possible for us to filter alarms based on the description of alarms and not by log level?

For example, we would like to filter all Land Attacks, Port Scan, Ping of Death, etc, not to be sent thru SNMP?

We are afraid that we will not be able to send other significant alarms thru SNMP if we filter by log level.

Message Edited by lvl1s7a on 02-23-2009 06:48 AM
Best Regards

// lvl1s7a
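
As an added example (not part of the thread and not Juniper code), the following Python sketch parses the `get log setting` output posted above and lists which severity levels each destination receives, plus which destinations would still carry Alert-level logs if SNMP stopped receiving them. The function names `parse_log_setting` and `still_covered` are hypothetical.

```python
import re

# Output of `get log setting` exactly as posted in the thread.
SAMPLE = """\
Levels: 0=Emergency, 1=Alert, 2=Critical, 3=Error, 4=Warning, 5=Notification,
        6=Information, 7=Debugging, '-' = disabled
Module     Console    Internal   Email      SNMP       Syslog
system     01234567   01234567   012--5--   012-----   01234567

Module     WebTrends  NSM        PCMCIA
system     012--5--   01234567   01234567
"""


def parse_log_setting(text):
    """Return ({digit: level name}, {module: {destination: [level names]}})."""
    names, table, header = {}, {}, None
    for line in text.splitlines():
        # Legend entries such as "1=Alert" are spread over two lines.
        names.update(re.findall(r"(\d)=(\w+)", line))
        fields = line.split()
        if not fields:
            header = None                      # blank line ends a table
        elif fields[0] == "Module":
            header = fields[1:]                # destination column names
        elif header and len(fields) == len(header) + 1:
            module, masks = fields[0], fields[1:]
            for dest, mask in zip(header, masks):
                # Each mask character is a level digit, or '-' if disabled.
                levels = [names[c] for c in mask if c != "-"]
                table.setdefault(module, {})[dest] = levels
    return names, table


def still_covered(table, module, level, removed_dest):
    """Destinations other than removed_dest that still receive `level`."""
    return [d for d, levels in table[module].items()
            if d != removed_dest and level in levels]


if __name__ == "__main__":
    _, table = parse_log_setting(SAMPLE)
    for dest, levels in table["system"].items():
        print(f"{dest:10} {', '.join(levels)}")
    print("Alert still reaches:",
          still_covered(table, "system", "Alert", "SNMP"))
```
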
Recognized Expert
PentinProcessor
Posts: 258
Registered: ‎11-06-2007

Re: How to filter alarms sent by ISG2000 FWs to the NMS

Yes, to disable ALERT level logs sent via SNMP, enter this command:

unset log module system level alert destination snmp

 

Additionally, to disable CRITICAL level logs sent via SNMP, enter this command:

unset log module system level critical destination snmp



You have valid concerns. 
In order to see all the possible ALERT level logs, refer to the ScreenOS System Log Message Guide.

 

You can run the command, get log event level <level>, to view the alarms you are getting at that level on your firewall.

 

You can send the ALERT level logs to a SYSLOG server and process them from that angle.

 

Unfortunately, you can't select the log level by the log description. 

 

Hope that helps.

Regards,

Josine

 

Contributor
lvl1s7a
Posts: 25
Registered: ‎09-11-2008

Re: How to filter alarms sent by ISG2000 FWs to the NMS

Hi Josine;

 

Many Thanks to you for your precious help;

 

 

Best Regards

// lvl1s7a