System Alert configuration and thresholds

This article applies to our On-Premise Appliance Filter and Firewall product only, not to Cloud.

 

You can find a list of the different System Alerts you can set up below, including the behaviour you can configure.

There are three types of Alerts: System Service Monitoring, configurable alerts and non-configurable alerts.

System Service Monitoring

These alerts are triggered whenever the critical system service you want to be alerted for starts or stops.

Smoothwall checks these services every five minutes and sends you an alert if a service has started or stopped within that time. If a service stops and then starts again within the five minute window, you won’t be sent an alert.

Non-configurable alerts

These alerts are triggered whenever an important action takes place.

  • Actions that are constantly monitored generate alerts instantly.
  • Actions monitored every five minutes will send an alert when the next check runs. This means a few minutes of delay may occur before the alert is sent.
  • Actions monitored every hour will send an alert when the next check runs. This means up to an hour of delay may occur before the alert is sent.
Alert Description Monitoring Availability
UPS, Power Supply status warnings Alerts when server power switches to and from the mains supply. Constant monitoring. Not in Maiden.
System Boot (Restart) Notification Alerts when the Smoothwall system is booted, turned on or restarted. Once every five minutes.  
Administration Login Failures Monitors Secure Shell (SSH) and Web Interface services for failed login attempts. Constant monitoring.  
Administration Login Success Monitors the Web Interface services for successful login attempts. Constant monitoring.  
Update Monitoring Monitors for newly available updates. Once an hour.  
Hardware Failover Notification Alerts when a hardware failover occurs or when failover machines are forced on and offline. Constant monitoring.  
VPN tunnel status Alerts when an IPSEC tunnel is connected or disconnected. Once every five minutes.  
L2TP VPN tunnel status Alerts when an L2TP (Layer 2 Tunnelling Protocol) tunnel is connected or disconnected. Once every five minutes. Not in Maiden.
Connection Monitor Alerts when interface gateways fail and when they are available again. Constant monitoring.  
Output System Test Messages Catches test alerts generated to test the monitoring Output systems. Constant monitoring.  
Web filter upstream proxy status Alerts when connectivity to an upstream proxy fails or returns. Once every 5 minutes.  
Hardware failure alerts, hard disk failure Alerts when hardware problems are detected. Constant monitoring.  
License expiry status warnings Alerts when the Smoothwall license is due for renewal or has expired. Once an hour.  
Reverse proxy violations Alerts when there are Reverse proxy connectivity issues. Constant monitoring.  

 

Configurable alerts

For these alerts, once the alert is sent, Smoothwall will continue monitoring for 15 minutes. After 15 minutes, Smoothwall checks whether what occurred during that time period exceeds the thresholds. If it does, Smoothwall will send another alert.

  • Firewall Notifications
  • Web filter violations
  • Bandwidth Monitor

For these alerts, Smoothwall checks every five minutes. If the thresholds remain exceeded on the next check, Smoothwall will send an alert.

  • System Resource Monitor
  • Web filter URL violations

For these alerts, Smoothwall checks every hour. If the thresholds remain exceeded on the next check, Smoothwall will send an alert.

  • VPN Certificates
  • Mail Queue Monitor

These alerts are triggered whenever an important action takes place:

  • Health Monitor
  • Intrusion System Monitor
  • Global Proxy
  • NTLM Authentication Failures
  • Email Virus Monitor
Alert Description How to use Monitoring Availability
Bandwidth Monitor Alerts you when the traffic flow for the external interface or bridge exceeds a specific threshold. 

You can add multiple alerts to monitor all traffic:

  1. Select Incoming or Outgoing.
  2. Select Traffic for:
    1. Total.
    2. Any IP.
    3. Single application. Also, select the Application.
    4. Single application group. Also, select the Application group.
  3. Choose a Time period from 10 minutes, Hour, Day, Week or Month.
  4. Set a bandwidth in MB or kbps.

To remove an alert, select the box in the Mark column and select Remove.

 Constant monitoring.  
Email Virus Monitor Alerts you when malware is detected when relayed via SMTP or downloaded via POP3. Select the checkboxes for Monitor POP3 proxy for viruses and Monitor SMTP relay for viruses, then select Save. Constant monitoring. Not in Maiden.
Firewall Notifications Alerts you for suspicious activity to or from IP addresses and ports.
  1. Select the boxes next to each item to alert for:
    • Monitor source (remote) IP addresses
    • Monitor source (remote) ports
    • Monitor destination (local) IP addresses
    • Monitor destination (local) ports
  2. Set thresholds:
    • Enter a Warning threshold number and an Incident threshold number.
    • Remove the number from either field to switch off generating that alert.
  3. Add any ports to Ignore.
 Constant monitoring.  
Global Proxy Alerts you to device misconfiguration or potential abuse when clients fail to present the correct certificate or when repeated connections are made from clients with a valid certificate. Select the checkboxes for Monitor for incorrect certificates and Monitor for DoS attempts, then select Save. Constant monitoring.  
Health Monitor Keep an eye on activity for services in your network outside of Smoothwall.

Use Web server (HTTP) to trigger an alert if keywords are missing from a webpage:

  1. Enter the Request URL of the webpage to monitor, excluding http://
  2. Enter the No of tries to retrieve the webpage.
  3. Enter a comma-separated list of Keywords to search for.
  4. Select Add.

Use Other services to see if the specified port is open and offering a service:

  1. Enter the IP Address and Port number.
  2. Select the Protocol of the service to check for a response from, or select Other to check the response to any connection on the associated port.
  3. Enter the No of tries to check before generating an alert.
  4. Select Add.

Use DNS name resolution to check a domain hasn't expired or been taken over:

Enter the domain Name and domain Address (URL), then select Add.

To remove an alert, select the box in the Mark column and select Remove.

 Constant monitoring.  
Intrusion System Monitor Alerts for suspicious network activity from the Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). 

Select the Priority from High, Medium or Low, then select Add.

If Alerts are Enabled, you can’t switch this alert off.

 Constant monitoring.  
Mail Queue Monitor Alerts you when the number of messages in the email queue exceeds the threshold.

Enter a Threshold number of messages, then select Save.

To avoid sending this alert, clear the number, then select Save.

 Once an hour. Not in Maiden.
NTLM Authentication Failures Alerts you when a device can’t provide correct credentials for NTLM authentication.  Select the Monitor for failed NTLM Authentication checkbox, then select Save. Constant monitoring.  
System Resource Monitor Alerts you when resources reach your defined limits, as prolonged periods of high memory usage can adversely affect system performance. 
  1. Select a System load average warning level (per CPU core) between 1 and 10 in 0.5 increments.
  2. Select a Disk usage (%) warning level between 50% and 95%.
  3. Select a System memory (%) warning level between 50% and 95%.
If Alerts are Enabled, you can’t switch this alert off.		 Once every five minutes.  
VPN Certificate Monitor Alerts you before your VPN certificates expire.
  1. Select the Notification of expired certificates checkbox.
  2. Decide when alerts should be sent:
    • Enter a number into the Number of days left (Warning) and Number of days left (Critical) fields.
    • Remove the number from either field to switch off generating that alert.
  3. Select Save.
 Once an hour.  
Web filter URL violations Alerts when specific URLs are accessed a specific number of times.
  1. Enter URLs to monitor.
  2. Enter a Warning threshold (if blank, it will default to 100).
  3. Enter a Caution threshold (if blank, it will default to 20).
  4. Select Save.
To switch off the alert, delete everything from the URLs to monitor field.		 Once every five minutes.  
Web filter violations Alerts for suspicious or blocked web accesses.
  1. Select the boxes next to each item to alert for:
    • Forbidden user accesses
    • Forbidden IP address accesses
  2. For each item, decide whether to Monitor for blocked accesses and Exclude adverts.
  3. Enter a Warning threshold (if blank, it will default to 100).
  4. Enter a Caution threshold (if blank, it will default to 20).
  5. Select Save.
If Alerts are Enabled, you can’t switch this alert off.		 Constant monitoring.