Managing Notification Contacts via the IPS LSM!

    • Updated: 2 Jan 2018
    • Product/Version: TippingPoint IPS N-series All; TippingPoint IPS NX-series All; TippingPoint IPS S-series All; TippingPoint SecBlade All
Summary

Configure notification contacts to send messages to a recipient (either human or machine) in response to a traffic-related event that occurs on the device. The traffic-related event can be the result of triggering an IPS filter configured with an action set that specifies a notification contact. A notification contact can be any of the following:

Remote System Log: Sends messages to a syslog server on your network. This is a default contact available in all IPS action sets. Before using this contact, configure the IP address and port for the syslog server (System > Syslog Servers).
Management Console: Sends messages to the LSM or the SMS device management application. This default contact is available in all action sets. If this contact is selected, messages are sent to the Alert or IPS Block Log in the LSM, depending on whether a permit or block action has executed. When the device is under SMS management, messages are also sent to the SMS client application. This notification contact does not require any configuration, although you can change the default name and aggregation period.
Email or SNMP: Sends messages to the specified email address or SNMP host. All email or SNMP contacts must be added from the Notification Contacts page. If the default email server is not configured on the device, you will be prompted to configure it before adding a contact.

Note: Before creating an Email or notification contact, you must configure Email and SMTP server settings on the IPS device from the Email Server page.

Alert Aggregation and the Aggregation Period

The IPS uses Alert Aggregation to prevent system performance problems resulting from an excessive number of notification requests. Because a single packet can trigger an alert, attacks with large numbers of packets could potentially flood the alert mechanism used to send out notifications. Alert aggregation allows you to receive alert notifications at intervals to prevent this flooding. For example, if the aggregation interval is 5 minutes, the system sends an alert at the first IPS filter trigger, then collects subsequent alerts and sends them out every five minutes. On the IPS, alert aggregation is controlled by the aggregation period that you configure when you create a notification contact. This setting is required for all notification contacts.

CAUTION: Short aggregation periods can significantly affect system performance. The shorter the aggregation period, the higher the system load. In the event of a flood attack, a short aggregation period can lead to system performance problems.
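
The aggregation behaviour described above, modelled as an added example (not TippingPoint code): the first trigger is sent at once and later triggers are batched per aggregation period. It assumes the device returns to idle after a period with no triggers; the function names and the flood data are constructed for illustration.

```python
def aggregate(trigger_times, period_s):
    """Return [(send_time, alert_count), ...] for sorted trigger times in seconds."""
    sent = []
    window_end = None  # None means idle: the next trigger is sent immediately
    pending = 0        # alerts collected in the current aggregation period
    for t in trigger_times:
        # Close every aggregation period that ended before this trigger.
        while window_end is not None and t >= window_end:
            if pending:
                sent.append((window_end, pending))
                pending = 0
                window_end += period_s
            else:
                window_end = None  # assumed: a quiet period resets to idle
        if window_end is None:
            sent.append((t, 1))    # first trigger: notify at once
            window_end = t + period_s
        else:
            pending += 1           # collected until the period ends
    if pending:
        sent.append((window_end, pending))
    return sent


# Constructed flood: 10 filter triggers per second for 10 minutes (6000 alerts).
FLOOD = [i // 10 for i in range(6000)]


def notifications_sent(period_minutes, trigger_times=FLOOD):
    """Number of notification messages the contact would receive."""
    return len(aggregate(trigger_times, period_minutes * 60))


if __name__ == "__main__":
    for minutes in (1, 5):
        print(minutes, "min period ->", notifications_sent(minutes), "notifications")
```
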


How To: Configure the Management Console Contact

  1. On the LSM menu, click IPS > Notification Contacts.
  2. On the Notification Contacts page, click Management Console.
  3. Edit the Contact Name. By default, it is Management Console.
  4. Enter the Aggregation Period for notification messages in minutes.
  5. Click Save.

 

How To: Configure the Remote System Log Contact

Designating a remote system log as the notification contact sends messages to a syslog server on your network. This is a default contact available in all IPS action sets. Before using this contact, configure the IP address and port for the syslog server (System > Syslog Servers).

CAUTION: Remote syslog, in adherence to RFC 3164, sends clear text log messages using the UDP protocol with no additional security protections. You should only use remote syslog on a secure, trusted network to prevent syslog messages from being intercepted, altered, or spoofed by a third party.

  1. On the LSM menu, click IPS > Notification Contacts.
  2. On the Notification Contacts page, click Remote System Log.
  3. Enter the remote system log's host IP address and port number.
  4. Select an Alert Facility and a Block Facility: none or select from a range of 0 to 31. The syslog server uses these numbers to identify the message source.
  5. Select a Delimiter for the generated logs: tab, comma, semicolon, or bar.
  6. Enter a Remote system log aggregation period in minutes.
  7. Click Add to add the remote syslog server.
  8. Repeat steps 3-7 to add additional remote system log servers.
  9. Click Save to save the changes.
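
Because the messages arrive unauthenticated over UDP, the receiving side can at least check each datagram against what was configured on the contact. The following is an added example, not vendor code: it assumes the chosen facilities are carried in the RFC 3164 PRI value, and the facility numbers, addresses and message bodies are constructed.

```python
import re

# Assumed values mirroring the Remote System Log contact settings (constructed).
ALERT_FACILITY = 17          # "Alert Facility" selected in step 4
BLOCK_FACILITY = 18          # "Block Facility" selected in step 4
DELIMITER = "\t"             # "Delimiter" selected in step 5 (tab)
SENSOR_IPS = {"192.0.2.10"}  # address the IPS sends from (documentation range)

PRI_RE = re.compile(r"<(\d{1,3})>")


def classify(source_ip, datagram):
    """Return (log_type, severity, fields); raise ValueError if unexpected."""
    # UDP source addresses can be forged, so this is hygiene, not authentication.
    if source_ip not in SENSOR_IPS:
        raise ValueError("source is not a configured sensor")
    text = datagram.decode("utf-8", errors="replace")
    match = PRI_RE.match(text)
    if match is None:
        raise ValueError("missing <PRI> header")
    # RFC 3164: PRI = facility * 8 + severity
    facility, severity = divmod(int(match.group(1)), 8)
    if facility == ALERT_FACILITY:
        log_type = "alert"
    elif facility == BLOCK_FACILITY:
        log_type = "block"
    else:
        raise ValueError(f"facility {facility} is not configured on the contact")
    fields = text[match.end():].rstrip("\r\n").split(DELIMITER)
    return log_type, severity, fields


def triage(datagrams):
    """Split received (source_ip, bytes) pairs into accepted and rejected."""
    accepted, rejected = [], []
    for source_ip, datagram in datagrams:
        try:
            accepted.append(classify(source_ip, datagram))
        except ValueError as err:
            rejected.append((source_ip, str(err)))
    return accepted, rejected


# Constructed datagrams; the field layout is illustrative, not the device's format.
SAMPLES = [
    ("192.0.2.10", b"<140>field-a\tfield-b\tfield-c"),  # facility 17, severity 4
    ("192.0.2.10", b"<148>field-a\tfield-b"),           # facility 18, severity 4
    ("192.0.2.10", b"<34>field-a\tfield-b"),            # facility 4: not configured
    ("198.51.100.7", b"<140>field-a\tfield-b"),         # unknown sender
]
```

Rejected datagrams are worth logging on the collector: a message with the right format from an unexpected address, or with an unexpected facility, is a sign of misconfiguration or of someone else writing to the syslog port.
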

 

How To: Create an Email or SNMP Notification Contact

  1. On the LSM menu, click IPS > Notification Contacts.
  2. Click Add Contact.
  3. On the Create Contact page, select Email or SNMP.
  4. Enter the contact name.
  5. Enter the Aggregation Period. Longer aggregation periods improve system performance.
  6. If the contact is an email contact, enter the address where notifications will be sent in the To Email Address field. If the contact is an SNMP contact, enter the host IP address and port number.
  7. Click Create to save the changes.

Note: SNMP notification contacts require SNMPv2, and will not work when SNMPv2 is disabled.

 

How To: Delete a Notification Contact

You cannot delete the default Remote System Log and Management Console contacts or a Notification Contact if it is currently configured on another Action Set.

  1. On the LSM menu, click IPS > Notification Contacts.
  2. On the Notification Contacts page, click the Delete button.
  3. On the confirmation dialog, click OK.

 

Reference: Local Security Manager User's Guide

Category: Configure; Troubleshoot; Deploy
Solution Id: TP000098976