Menu

Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Sign In Register

Real-Time Monitor /alerting

DisconnectedDisconnected Newbie ✭
edited December 2021 in Firewall Management and Analytics

Are there any specific real-time alerts that would warrant a manual (meaning not automated e.g. IPS) action from a security perspective?


( all the firewalls I use are the TZ series).

Category: Firewall Management and Analytics
Reply

Best Answers

  • CORRECT ANSWER
    TKWITSTKWITS Community Legend ✭✭✭✭✭
    Answer ✓

    Again it really depends on your organization policies... If they don't have a policy, maybe one should be written up.

    And frankly a person on a forum cannot (and really should not) define your requirements. Many things can be handled automatically as you mentioned, and I don't know how much you can get out of real-time alerting from the device itself. I also use an external SNMP monitor to generate other alerts based on things like bandwidth usage (that might require manual response).

  • CORRECT ANSWER
    DisconnectedDisconnected Newbie ✭
    Answer ✓

    Hi TKWITS,

    I appreciate your responses.

    The focus of my question was pinned to regulatory compliance associated w/NIST, so you referencing NIST, was perfect. Your point on organization's policy is certainly not lost on me, (and other readers I'm sure).

    I was trying to determine what alerts (if any) would require an urgent ticket to be created & handled by a tech, instead of leveraging an automated action. The answer, as you've pointed out isn't dependent on just technical controls/capabilities, but usually more so by any regulatory & organizational/administrative controls (policies/procedures).

    Some initial items I had in mind originally were:

    • The firewall becomes unresponsive/doesn't check-in
    • Fails-over to its secondary internet connection
    • Degradation and/or load exceeding a limit for a specified duration as defined by the organization as an acceptable level.

    Etc.

Answers

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    This is a loaded question and would depend on your organizations policies. Read up on on NIST and other cybersecurity frameworks.

  • DisconnectedDisconnected Newbie ✭

    TKWITS, thanks for your reply.

    Re: NIST, the only area I see that would require real-time alerting is regarding login/authentication failures (ref: au-5 (2) Response to audit processing failures).

    Do you see any additional requirements I'm over-looking?

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    Your response was much more elegant than mine.

Sign In or Register to comment.