4 Replies Latest reply on Oct 23, 2013 9:07 AM by rth67

    Alarm on Firewall Drops

    feeeds

      Has anyone found a way to make the Alarms more granular? Making a threshold alarm is straightforward, but we would like another alarm triggered when firewall drops exceed a given number in a given time frame.

      Firewall drop is an event subtype, and I don't see a way of aggregating just off of event subtype.

        • 1. Re: Alarm on Firewall Drops
          Scott Taschler

          Yes, the way to accomplish what you're describing is to use the Alarm type "Specified Event Rate". If you select this as your alarm type, you will see there is a filter icon that allows you to specify what events will be included in the alarm. In your use case you'd select "Device Type" = (firewall device) and "Event Subtype" = drop. Then you would enter the number of events and time frame that you'd like to use for a trigger.

          Scott

          • 2. Re: Alarm on Firewall Drops
            feeeds

            I am testing this now, trying to get it to fire on a low event count.  Would I really need to select device type = firewall if I select the actual devices on the condition screen?

            • 3. Re: Alarm on Firewall Drops
              Scott Taschler

              No, there should be no need to set the device type if you select the devices of interest on the condition screen.

              • 4. Re: Alarm on Firewall Drops
                rth67

                If looking for Low Event Count, would you use a Deviation from Baseline below % or a Specified Event Rate? I tried to set a Specified Event Rate Alarm for a Receiver and it triggered immediately saying the Event Rate exceeded 0 by (large number) for the summary.

                Basically we are trying to monitor if a Receiver or ACE stops seeing events (or processing them), which has happened in the past prior to HF8 of 9.2.1.