This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Email alert on a specific vulnerability

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Email alert on a specific vulnerability

jmayne
Not applicable

‎07-26-2013 06:47 AM

I am looking for a way to send an email alert when a specific vulnerability threat occurs but I am stumped. I can define the email in the log notification but I cannot figure out how to use it. In a security rule I cannot specify the specific vulnerability I want this log notification applied to and I cannot create a security rule that applies to just one vulnerability without evaluating all the other traffic that matches the traffic criteria as well.

Can anyone suggest a way to send an email alert when a specific threat occurs either using the PS device or Panorama?

Thanks,

Jim

0 Likes Likes
8 REPLIES 8

kprakash
L5 Sessionator

‎07-26-2013 07:57 AM

Hi jmayne,

If you are looking for emailing just one vulnerability threat events, you can create a new vulnerability profile for that threat ID, as shown in the screen shot below

cve-30003.JPG

Then use this profile under the security rule for which the traffic will flow through. Bear in mind that you should have a similar security policy below this rule , having a vulnerability profile that checks for the rest of the vulnerability signatures, so that you do not skip checking the other malicious traffic.

Create a new log forwarding profile and select the email server that we have configured

log forwarding profile.JPG

Use this log forwarding profile under the first security policy that we created

threat-policy.JPG

Hope this helps,

BR,

Karthik

0 Likes Likes

jmayne
Not applicable
In response to kprakash

‎07-26-2013 12:15 PM

Karthik,

  Thanks for the response. I think what I am struggling with is that if I create the new security rule that for instance looks at all traffic inbound from the untrusted to the trusted zone with a vulnerability profile set as you suggest then all the inbound traffic will follow the action of this rule (allow or deny) without regard to whether the traffic did or did not have the vulnerability and because of that the traffic will never fall through to the follow-up rule that checked for the other vulnerabilities.

My understanding is that if the traffic matches (source, destination, application, service, user) then the traffic does not get processed by follow-up rules no matter what is or is not set in the security profiles.Is this incorrect?

Thanks,

Jim.

0 Likes Likes

kprakash
L5 Sessionator
In response to jmayne

‎07-26-2013 02:21 PM

Hi Jim,

Yes, you were right about the fact that the PANFW wouldnt check for other vulnerabilities. My Bad Smiley Happy

We dont have a way of specifying a particular threat event for which the PANFW should forward the email notification for. As a work around, you can create the log forwarding profile with the email server settings and apply it to the policy, and we will email the notifications out to the mail server. You can limit the emails that are sent out, by selecting the severity of the threat. That way you are still sending out the email notifications, at the cost of sending extra email notifications of other threats as well ( which by the way is a good practice Smiley Happy )

BR,

Karthik

kprakash
L5 Sessionator
In response to kprakash

‎07-26-2013 02:31 PM

On the other hand,

You can create a custom report and filter it out based on the threat id in question.

threat 30002.JPG

You can then apply this custom report on a report group, and then use this report group under an email scheduler.

email scheduler.JPG

The only caveat to this solution is that you will not get live emails when the vulnerability is hit (unlike when using the log forwarding profile mentioned above ), but atleast you can get email notifications everyday about the event when the vulnerability was detected on the firewall.

Does this help?

BR,

karthik

jvalentine
L7 Applicator

‎07-26-2013 02:47 PM

I would setup log-forwarding (syslog), and then have the external syslog server parse the syslog messages looking for that specific threat ID.  Then, configure the syslog server to send an e-mail when that threat ID is detected.

jmayne
Not applicable
In response to kprakash

‎07-26-2013 02:50 PM

karthik,

  I will try the workaround and I appreciate it. How can I ask for a feature request? Does PA have a page for that on the support site?

Thanks,

Jim

0 Likes Likes

mbutt
L5 Sessionator
In response to jmayne

‎07-26-2013 02:55 PM

Hi Jim,

For filing feature request you will need to get in touch with your local Sales Engineer. He will file it on your behalf.

Hope this helps.

Thanks

Numan

0 Likes Likes

jmayne
Not applicable
In response to mbutt

‎07-26-2013 06:11 PM

Thanks everyone For your help.

JIm

0 Likes Likes
  • 5266 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks