Email alert on a specific vulnerability

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Email alert on a specific vulnerability

Not applicable

I am looking for a way to send an email alert when a specific vulnerability threat occurs but I am stumped. I can define the email in the log notification but I cannot figure out how to use it. In a security rule I cannot specify the specific vulnerability I want this log notification applied to and I cannot create a security rule that applies to just one vulnerability without evaluating all the other traffic that matches the traffic criteria as well.

Can anyone suggest a way to send an email alert when a specific threat occurs either using the PS device or Panorama?

Thanks,

Jim

8 REPLIES 8

L5 Sessionator

Hi jmayne,

If you are looking for emailing just one vulnerability threat events, you can create a new vulnerability profile for that threat ID, as shown in the screen shot below

cve-30003.JPG

Then use this profile under the security rule for which the traffic will flow through. Bear in mind that you should have a similar security policy below this rule , having a vulnerability profile that checks for the rest of the vulnerability signatures, so that you do not skip checking the other malicious traffic.

Create a new log forwarding profile and select the email server that we have configured

log forwarding profile.JPG

Use this log forwarding profile under the first security policy that we created

threat-policy.JPG

Hope this helps,

BR,

Karthik

Karthik,

  Thanks for the response. I think what I am struggling with is that if I create the new security rule that for instance looks at all traffic inbound from the untrusted to the trusted zone with a vulnerability profile set as you suggest then all the inbound traffic will follow the action of this rule (allow or deny) without regard to whether the traffic did or did not have the vulnerability and because of that the traffic will never fall through to the follow-up rule that checked for the other vulnerabilities.

My understanding is that if the traffic matches (source, destination, application, service, user) then the traffic does not get processed by follow-up rules no matter what is or is not set in the security profiles.Is this incorrect?

Thanks,

Jim.

Hi Jim,

Yes, you were right about the fact that the PANFW wouldnt check for other vulnerabilities. My Bad Smiley Happy

We dont have a way of specifying a particular threat event for which the PANFW should forward the email notification for. As a work around, you can create the log forwarding profile with the email server settings and apply it to the policy, and we will email the notifications out to the mail server. You can limit the emails that are sent out, by selecting the severity of the threat. That way you are still sending out the email notifications, at the cost of sending extra email notifications of other threats as well ( which by the way is a good practice Smiley Happy )

BR,

Karthik

On the other hand,

You can create a custom report and filter it out based on the threat id in question.

threat 30002.JPG

You can then apply this custom report on a report group, and then use this report group under an email scheduler.

email scheduler.JPG

The only caveat to this solution is that you will not get live emails when the vulnerability is hit (unlike when using the log forwarding profile mentioned above ), but atleast you can get email notifications everyday about the event when the vulnerability was detected on the firewall.

Does this help?

BR,

karthik

L7 Applicator

I would setup log-forwarding (syslog), and then have the external syslog server parse the syslog messages looking for that specific threat ID.  Then, configure the syslog server to send an e-mail when that threat ID is detected.

karthik,

  I will try the workaround and I appreciate it. How can I ask for a feature request? Does PA have a page for that on the support site?

Thanks,

Jim

Hi Jim,

For filing feature request you will need to get in touch with your local Sales Engineer. He will file it on your behalf.

Hope this helps.

Thanks

Numan

Thanks everyone For your help.

JIm

  • 6174 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!