Alerts Report

I'm not seeing the alerts report for a T30 (12.5.4) Firebox I've got in Dimension. Looking in reports>device>alerts. I have several alerts set up, specifically looking for alerts I created in FSM by right-clicking in traffic monitor. In doing that I selected to be notified for link monitor success/failure. This device is logging normally otherwise. Anything come to mind?

Comments

  • James_Carson Moderator, WatchGuard Representative
    edited August 2020

    Try creating an alert for anything that you can trigger without bringing the device down (like a specific log type, or hitting a policy.)
    You should see an alert log line appear in traffic monitor -- that's what is sent to dimension, and what the alert is generated from. If we're not seeing that, then nothing else will work.

    It's also possible that a link monitor log was missed if that's also the interface the firewall was logging out of to get to dimension/dimension cloud. Depending on how long it took link-mon to detect an issue and flip over, then actually transmit cached log data, it may have never shown up. If this is related to the CenturyLink/L3 issues yesterday, it's possible that the traffic was never because of widespread internet issues.

    *edit: spelling.

    -James Carson
    WatchGuard Customer Support

  • Just tested turning on alert for HTTPS proxy and yep that definitely works. There's only 1 external interface, so yeah it will be logging out of the same interface that may go down. In theory that would still allow an alert to be sent though, right? Doesn't seem to be an issue with other Fireboxes. Also odd, I get VPN alerts from this Firebox's VPN partner, but never from this one, and I've triple checked the configuration.

  • James_Carson Moderator, WatchGuard Representative

    @grahamo
    If the connection is truly down and the firewall doesn't have enough memory to cache that notification before it can be sent, it won't be sent -- it'll be lost.

    For situations like that, having an on-prem dimension server can be helpful (the firewall can log to two log/dimension servers at the same time.) SMTP will queue waiting to be delivered -- so you'll get the message eventually. Big issue with that setup would be that you'll receive duplicate notifications when they're both accessible since the notification is generated from each server.

    A central tool like whatsup that can ping each firewall and report if one suddenly goes down could also be useful for single-wan firewalls like this.

    -James Carson
    WatchGuard Customer Support

  • Sounds good, thanks for the info James
