Network monitor through VPN causing high log entries.

ASIRWA

I have TZ series firewalls setup in a hub and spoke VPN.

The hub lan has a network monitor that pings remote network addresses through the VPNs.

This is causing a high volume of IPS 608 Log entries on the hub firewall. At least one for each ping.

Is there any way to keep from getting these log entries for this activity over the VPN only?

BWC

It's pretty straight forward, you need to head over to the signatures of the IPS Security Service.

Use this for orientation, but you leave Detection enabled and add an Address Object for Excluded IP.

https://www.sonicwall.com/support/knowledge-base/how-to-exclude-a-specific-ips-signature-id/170505412556870/#:~:text=Step%201%20%3A%20Login%20to%20SonicWall%20Management%20Interface%2C%20go%20to%20Manage,window%20set%20Prevention%20to%20Disable.

--Michael@BWC

BWC

@ASIRWA you might disable logging for low prio events all along or you exclude the ip of your nework monitor for the signatures ICMP PING and ICMP Echo Reply.

--Michael@BWC

ASIRWA

The 608 ID is an ALERT level event. Which is generally appropriate for Intrusion Protection System.

Can you point me to the documentation on how to "exclude the ip of your network monitor for the signatures ICMP PING and ICMP Echo Reply"? That sounds much more like what I want to do. Just exclude the known legitimate traffic.

Thanks.

ASIRWA

Found the IPS exclude. Trying it.