07-26-2013 06:47 AM
I am looking for a way to send an email alert when a specific vulnerability threat occurs but I am stumped. I can define the email in the log notification but I cannot figure out how to use it. In a security rule I cannot specify the specific vulnerability I want this log notification applied to and I cannot create a security rule that applies to just one vulnerability without evaluating all the other traffic that matches the traffic criteria as well.
Can anyone suggest a way to send an email alert when a specific threat occurs either using the PS device or Panorama?
Thanks,
Jim
07-26-2013 07:57 AM
Hi jmayne,
If you are looking to email the events for just one vulnerability threat, you can create a new vulnerability profile for that threat ID, as shown in the screenshot below.
Then use this profile under the security rule through which the traffic will flow. Bear in mind that you should have a similar security policy below this rule, with a vulnerability profile that checks for the rest of the vulnerability signatures, so that you do not skip checking the other malicious traffic.
Create a new log forwarding profile and select the email server that we have configured.
Use this log forwarding profile under the first security policy that we created.
Hope this helps,
BR,
Karthik
07-26-2013 12:15 PM
Karthik,
Thanks for the response. I think what I am struggling with is that if I create the new security rule that for instance looks at all traffic inbound from the untrusted to the trusted zone with a vulnerability profile set as you suggest then all the inbound traffic will follow the action of this rule (allow or deny) without regard to whether the traffic did or did not have the vulnerability and because of that the traffic will never fall through to the follow-up rule that checked for the other vulnerabilities.
My understanding is that if the traffic matches (source, destination, application, service, user) then the traffic does not get processed by follow-up rules, no matter what is or is not set in the security profiles. Is this incorrect?
Thanks,
Jim.
07-26-2013 02:21 PM
Hi Jim,
Yes, you were right about the fact that the PANFW wouldn't check for other vulnerabilities. My bad.
We don't have a way of specifying a particular threat event for which the PANFW should forward the email notification. As a workaround, you can create the log forwarding profile with the email server settings and apply it to the policy, and we will email the notifications out to the mail server. You can limit the emails that are sent out by selecting the severity of the threat. That way you are still sending out the email notifications, at the cost of sending extra email notifications for other threats as well (which, by the way, is a good practice).
BR,
Karthik
07-26-2013 02:31 PM
On the other hand,
You can create a custom report and filter it out based on the threat id in question.
You can then apply this custom report on a report group, and then use this report group under an email scheduler.
The only caveat to this solution is that you will not get live emails when the vulnerability is hit (unlike when using the log forwarding profile mentioned above), but at least you can get email notifications every day about the event when the vulnerability was detected on the firewall.
Does this help?
BR,
karthik
07-26-2013 02:47 PM
I would set up log forwarding (syslog), and then have the external syslog server parse the syslog messages looking for that specific threat ID. Then, configure the syslog server to send an e-mail when that threat ID is detected.
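The syslog-side filter described in the reply above, as an added example that is not part of the thread or of any PAN-OS tool: it parses PAN-OS-style THREAT records, keeps only those whose threat ID is on a watch list, and formats the alert text a syslog server would then e-mail. The sample log lines are constructed, and the field positions (type, subtype, source, destination, threat name with ID in parentheses, severity) are an assumption modelled on the PAN-OS threat log layout, so verify them against your firewall version's threat log field list; the actual mail dispatch is left to the syslog server.

```python
import csv
import re

# Constructed PAN-OS-style syslog records (not taken from the thread). Assumed
# layout: type at index 3, subtype at 4, src at 7, dst at 8, action at 30,
# "Name(ID)" at 32, severity at 34. Check these against your PAN-OS version.
SAMPLE_SYSLOG = """\
Jul 26 14:47:01 pa-fw 1,2013/07/26 14:47:01,001234567890,THREAT,vulnerability,1,2013/07/26 14:47:00,203.0.113.10,192.0.2.20,0.0.0.0,0.0.0.0,inbound-web,,,web-browsing,vsys1,untrust,trust,ethernet1/1,ethernet1/2,fwd-email,2013/07/26 14:47:01,12345,1,51234,80,0,0,0x0,tcp,alert,"/index.php",Example Signature A(30000),any,high,client-to-server
Jul 26 14:47:05 pa-fw 1,2013/07/26 14:47:05,001234567890,TRAFFIC,end,1,2013/07/26 14:47:04,203.0.113.10,192.0.2.20,0.0.0.0,0.0.0.0,inbound-web,,,web-browsing,vsys1,untrust,trust,ethernet1/1,ethernet1/2,fwd-email,2013/07/26 14:47:05,12345,1,51234,80,0,0,0x0,tcp,allow,1234,500,734,10
Jul 26 14:47:09 pa-fw 1,2013/07/26 14:47:09,001234567890,THREAT,vulnerability,1,2013/07/26 14:47:08,198.51.100.5,192.0.2.20,0.0.0.0,0.0.0.0,inbound-web,,,ssl,vsys1,untrust,trust,ethernet1/1,ethernet1/2,fwd-email,2013/07/26 14:47:09,12346,1,51235,443,0,0,0x0,tcp,alert,"",Example Signature B(30001),any,medium,client-to-server
Jul 26 14:47:12 pa-fw 1,2013/07/26 14:47:12,001234567890,THREAT,vulnerability,1,2013/07/26 14:47:11,203.0.113.77,192.0.2.21,0.0.0.0,0.0.0.0,inbound-web,,,web-browsing,vsys1,untrust,trust,ethernet1/1,ethernet1/2,fwd-email,2013/07/26 14:47:12,12347,1,51236,80,0,0,0x0,tcp,reset-both,"/a.php",Example Signature A(30000),any,high,client-to-server
"""

# PAN-OS writes the threat name and numeric ID together as "Name(ID)".
THREAT_ID_RE = re.compile(r"^(?P<name>.*)\((?P<id>\d+)\)$")

def parse_threat_record(line):
    """Return a dict for a THREAT/vulnerability record, or None for anything else."""
    try:
        # Syslog header is "Mon DD HH:MM:SS host "; the CSV payload follows it.
        payload = line.split(" ", 4)[4]
    except IndexError:
        return None
    fields = next(csv.reader([payload]))  # csv handles the quoted URL field
    if len(fields) < 35 or fields[3] != "THREAT" or fields[4] != "vulnerability":
        return None
    m = THREAT_ID_RE.match(fields[32])
    if not m:
        return None
    return {"threat_id": int(m.group("id")), "name": m.group("name").strip(),
            "src": fields[7], "dst": fields[8], "action": fields[30],
            "severity": fields[34], "time": fields[1]}

def alerts_for_threat_ids(syslog_text, watch_ids):
    """Select only the records whose threat ID is on the watch list."""
    hits = []
    for line in syslog_text.splitlines():
        rec = parse_threat_record(line)
        if rec and rec["threat_id"] in watch_ids:
            hits.append(rec)
    return hits

def format_alert(rec):
    """Build the one-line alert body the syslog server would e-mail."""
    return (f"Threat {rec['threat_id']} ({rec['name']}) {rec['action']} "
            f"{rec['src']} -> {rec['dst']} severity={rec['severity']} at {rec['time']}")

if __name__ == "__main__":
    for rec in alerts_for_threat_ids(SAMPLE_SYSLOG, {30000}):
        print(format_alert(rec))
```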
07-26-2013 02:50 PM
karthik,
I will try the workaround and I appreciate it. How can I ask for a feature request? Does PA have a page for that on the support site?
Thanks,
Jim
07-26-2013 02:55 PM
Hi Jim,
To file a feature request you will need to get in touch with your local Sales Engineer. He will file it on your behalf.
Hope this helps.
Thanks
Numan
07-26-2013 06:11 PM
Thanks everyone for your help.
Jim