No Snapshot or Event Trend for IPS Even Though VSM Receives Logs

Publication Date: 2014-09-28
Issue Description
A customer added a Secospace USG5520S firewall to VSM. No snapshot or event trend was displayed for IPS in VSM, even though IPS log details existed.

Alarm Information
None
Handling Process
(1) Check whether the USG5520S received IPS events. The statistics showed that the USG5520S did receive IPS events.

(2) Check whether the USG5520S generated IPS logs. After logging in to the USG5520S as an audit user, it could be seen that the USG5520S did generate IPS logs.

(3) Check whether VSM received IPS logs from the USG5520S. From the following picture, it can be seen that VSM did receive IPS logs.

(4) Check the format of the IPS logs. All the IPS logs received by VSM had the same format, as follows:
<189>2014-09-17 15:10:24 USG5520S_ISB %%01IPS/5/PROIDF(l): type="PROIDF passed" svrip=<x.x.2.1/vpn:Public> svrport=53 proto=DNS eventnum=1
However, IPS logs of this format type are not shown in the Snapshot and Event Trend views. Only IPS logs of the following type are shown in the Snapshot and Event Trend views:
<6>2014-3-4 19:17:56 Eudemon8000E-X3 %%01IPS/4/DETECT(l):proto=DNS action=Alert src=192.168.12.11 dst=10.27.209.21 srcport=3549 dstport=3754 direction=any eventnum=1 msg="DNS Tsig BO (1)" level=warning id=20001 classtype="Reconnaissance" classtype_id="1,1" reliability=high
However, a check of the current IPS logs found none of this type.
(5) After an IPS policy that IPS events can hit was configured on the USG5520S, VSM received IPS logs of the Detect event type, which are shown in the Snapshot and Event Trend views.


Root Cause
IPS logs of the PROIDF type are not shown in the Snapshot and Event Trend views.
Solution
After an IPS policy that IPS events can hit was configured on the USG5520S, VSM received IPS logs of the Detect event type, which are shown in the Snapshot and Event Trend views.
Suggestions
Not all IPS logs are shown in the Snapshot and Event Trend views. The PROIDF type is not shown; the Detect type is.
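The check in step (4) can be automated against a capture of the syslog stream VSM receives. The following is an added example, not code from Huawei or from this case; the function names are hypothetical, and the header pattern is inferred only from the two log lines quoted above, not from a format specification.

```python
import re
from collections import Counter

# Header layout seen in both samples: <PRI>timestamp host %%01MODULE/SEV/MNEMONIC(l):
HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) %%\d{2}(?P<module>\w+)/(?P<sev>\d)/(?P<mnemonic>\w+)\(\w\):"
    r"\s*(?P<body>.*)$"
)
# Values are bare, "double-quoted", or <angle-bracketed>.
FIELD = re.compile(r'(\w+)=("[^"]*"|<[^>]*>|\S+)')
# Per this case: only DETECT records feed Snapshot and Event Trend.
SHOWN_IN_TREND = {"DETECT"}

def parse_ips_log(line):
    """Return a dict for an IPS record, or None for anything else."""
    m = HEADER.match(line.strip())
    if not m or m.group("module") != "IPS":
        return None
    rec = m.groupdict()
    body = rec.pop("body")
    rec["fields"] = {k: v.strip('"<>') for k, v in FIELD.findall(body)}
    rec["in_trend"] = rec["mnemonic"] in SHOWN_IN_TREND
    return rec

def summarize(lines):
    counts = Counter()  # per mnemonic; non-IPS or malformed lines count as "other"
    for line in lines:
        rec = parse_ips_log(line)
        counts[rec["mnemonic"] if rec else "other"] += 1
    return counts

def trend_will_be_empty(lines):
    """True when IPS logs arrive but none is of a type the trend views display."""
    recs = [r for r in map(parse_ips_log, lines) if r]
    return bool(recs) and not any(r["in_trend"] for r in recs)

SAMPLE = [  # first two lines are from this case; the third is constructed
    '<189>2014-09-17 15:10:24 USG5520S_ISB %%01IPS/5/PROIDF(l): type="PROIDF passed" '
    'svrip=<x.x.2.1/vpn:Public> svrport=53 proto=DNS eventnum=1',
    '<6>2014-3-4 19:17:56 Eudemon8000E-X3 %%01IPS/4/DETECT(l):proto=DNS action=Alert '
    'src=192.168.12.11 dst=10.27.209.21 srcport=3549 dstport=3754 direction=any '
    'eventnum=1 msg="DNS Tsig BO (1)" level=warning id=20001 '
    'classtype="Reconnaissance" classtype_id="1,1" reliability=high',
    'constructed line that is not an IPS record',
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)), trend_will_be_empty(SAMPLE[:1]))
```

A capture for which `trend_will_be_empty` returns True reproduces the symptom in this case: IPS logs are arriving, but only of the PROIDF type.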
