Dome9 generates alerts as a result of configuration errors or other events.
While alerts usually do not require immediate user action, it is important to be aware of the alerts that have been generated.
The number of open alerts for an account is indicated in the upper right corner of the screen.
The Alerts mechanism is divided into two main scopes:
- Service related alerts
- Non service related alerts
Service related alerts
Every service (port) can be open to a certain scope of IP addresses. The severity of the alert is set according to the service type and the number of addresses the service is open to.
Public and private scopes:
Whether a scope is public or private is determined according to RFC 6890 (https://tools.ietf.org/html/rfc6890). The size of a scope is counted in addresses:
- Large scope is defined as 10 or more addresses
- Small scope is defined as 5 or more addresses (but fewer than 10, which would make it a large scope)
The service related alerts are:
- Known Internal Port Alert
- Large Port Range
- Admin Port
- Unencrypted Known Port
- Unknown port alert
Known internal port alert:
Triggered when a known internal port is open to a public scope. Severity by scope:
All Internet: High
Large Public Scope: Medium
Small Public Scope: Low
Known internal Port List:
| Protocol | Port | Description |
|---|---|---|
| TCP | 3000 | Commonly used internal port |
| TCP | 61621 | Cassandra OpsCenter agent port |
| TCP | 2383 | SQL Server Analysis Services |
| TCP | 2382 | SQL Server Analysis Services browser |
| TCP | 135 | DCE / MSSQL debugger |
| TCP | 137 | NetBIOS Name Service |
| TCP | 138 | NetBIOS datagram service |
| TCP | 139 | NetBIOS session service |
| TCP | 2484 | Oracle DB SSL |
| TCP | 3020 | CIFS / SMB |
| TCP | 9000 | Hadoop name node |
| TCP | 8000 | Commonly used internal web port |
| TCP | 8080 | Commonly used internal web port |
| TCP | 27018 | MongoDB web portal |
| UDP | 1434 | MSSQL browser service |
| UDP | 137 | NetBIOS Name Service |
| UDP | 138 | NetBIOS datagram service |
| UDP | 139 | NetBIOS session service |
| UDP | 2484 | Oracle DB SSL |
Large Port Range
Triggered when a single rule opens a range of more than 20 ports. Severity by scope:
All Internet or large public scope: High
Regular public or private scope: Medium
Small private scope: Low
Admin Port
Triggered when an RDP or SSH service port is open. Severity by scope:
Large public scope or all Internet: High
All other open scopes: Low (Logic: we recommend keeping all admin ports closed and opening them on demand with dynamic access)
Unencrypted Known Port
Triggered when one of the following known ports, whose protocol is unencrypted, is open:
| Protocol | Port | Description |
|---|---|---|
| TCP | 7000 | Cassandra inter-node communication |
| TCP | 7199 | Cassandra monitoring port |
| TCP | 9042 | Cassandra client port |
| TCP | 9160 | Cassandra Thrift port |
| TCP | 61620 | Cassandra OpsCenter monitoring port |
| TCP | 8888 | Cassandra OpsCenter website |
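The scope and severity rules above can be applied mechanically to a set of security-group ingress rules. The following Python script is an added example, not Dome9's code: it sizes the source scope of each rule by address count, decides public versus private with the RFC 6890 private-use and link-local blocks, and assigns the severities stated on this page for the four service-related alert types. The `Rule` shape, the sample rules, and the treatment of scopes smaller than five addresses ("narrow", graded like a small scope) are this example's own assumptions; the page gives no severity for Unencrypted Known Port, so that alert is reported without one.

```python
"""Dome9-style service alert classification for security-group ingress rules.

Added example, not Dome9's code: it applies the scope and severity rules stated
on this page to a few constructed rules. Assumptions are marked as such.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Private-use and link-local blocks from RFC 6890. Documentation ranges such as
# 203.0.113.0/24 are left out on purpose so they can act as "public" samples.
PRIVATE_BLOCKS = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8", "fc00::/7", "fe80::/10",
)]

LARGE_SCOPE = 10          # "10 or more addresses" (page)
SMALL_SCOPE = 5           # "5 or more addresses" (page)
LARGE_PORT_RANGE = 20     # a range wider than this triggers Large Port Range

# Port lists taken from the tables on this page.
KNOWN_INTERNAL = {
    ("tcp", p) for p in (3000, 61621, 2383, 2382, 135, 137, 138, 139,
                         2484, 3020, 9000, 8000, 8080, 27018)
} | {("udp", p) for p in (1434, 137, 138, 139, 2484)}
UNENCRYPTED_KNOWN = {("tcp", p) for p in (7000, 7199, 9042, 9160, 61620, 8888)}
ADMIN_PORTS = {("tcp", 22), ("tcp", 3389)}   # SSH and RDP


@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp" or "udp"
    from_port: int
    to_port: int
    cidr: str        # source scope the rule opens the ports to


def scope_of(cidr: str) -> str:
    """Map a CIDR to one of: all_internet, {large,small,narrow}_{public,private}.

    "narrow" (fewer than 5 addresses) is this example's name for a scope the
    page does not size explicitly; it is graded like a small scope below.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:                       # 0.0.0.0/0 or ::/0
        return "all_internet"
    private = any(net.version == b.version and net.subnet_of(b)
                  for b in PRIVATE_BLOCKS)
    n = net.num_addresses
    size = "large" if n >= LARGE_SCOPE else "small" if n >= SMALL_SCOPE else "narrow"
    return f"{size}_{'private' if private else 'public'}"


def alerts_for(rule: Rule) -> List[Tuple[str, Optional[str]]]:
    """Return (alert name, severity) pairs for one ingress rule."""
    scope = scope_of(rule.cidr)
    public = scope == "all_internet" or scope.endswith("_public")
    wide = scope in ("all_internet", "large_public")
    ports = range(rule.from_port, rule.to_port + 1)
    found: List[Tuple[str, Optional[str]]] = []

    # Large Port Range: High for all Internet / large public, Low for a small
    # private scope, Medium for everything in between.
    if len(ports) > LARGE_PORT_RANGE:
        if wide:
            sev = "High"
        elif scope in ("small_private", "narrow_private"):
            sev = "Low"
        else:
            sev = "Medium"
        found.append(("Large Port Range", sev))

    for port in ports:
        key = (rule.proto.lower(), port)
        # Admin Port: High when widely exposed, Low for any other open scope.
        if key in ADMIN_PORTS:
            found.append(("Admin Port", "High" if wide else "Low"))
        # Known Internal Port: the page grades public scopes only (assumption:
        # no alert when the source scope is private).
        if key in KNOWN_INTERNAL and public:
            sev = {"all_internet": "High", "large_public": "Medium"}.get(scope, "Low")
            found.append(("Known Internal Port", sev))
        # Unencrypted Known Port: the page lists no severity, so None here.
        if key in UNENCRYPTED_KNOWN:
            found.append(("Unencrypted Known Port", None))
    return found


# Constructed sample rules (not real account data).
SAMPLE_RULES = [
    Rule("tcp", 22, 22, "0.0.0.0/0"),            # SSH open to the world
    Rule("tcp", 8080, 8080, "203.0.113.0/28"),   # internal web port, 16 public IPs
    Rule("tcp", 9042, 9042, "10.0.0.0/8"),       # Cassandra client port, private
    Rule("tcp", 5000, 5100, "192.168.1.0/24"),   # 101-port range, large private
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        for name, sev in alerts_for(r):
            print(f"{r.proto}/{r.from_port}-{r.to_port} from {r.cidr}: {name} [{sev}]")
```

Running the script prints one line per alert for the constructed rules, for example `tcp/22-22 from 0.0.0.0/0: Admin Port [High]`. A rule that opens a wide range to the Internet produces a Large Port Range alert plus one Known Internal Port alert for every listed port the range covers, which is the same fan-out a real account would see.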
Non Service related alerts
All the alert types that are not related to services, but that report a state that needs to be handled.
The non service related alerts are:
- Cloud Push Error
- Agent related alerts
- Credentials alert
Cloud Push Error
Failure to push (save) the Dome9 configuration to a cloud security group.
Agent related alerts
- Agent inaccessible
- Agent not updated
- Agent not approved (not attached to any security group)
- Multiple FIM (file integrity monitoring) policies (this is an invalid state and disables the agent)
Credentials alert
Triggered when the system notices that Dome9 cannot fetch information from the cloud account (invalid credentials).
Each alert has its own cause or causes and a corresponding user action path to clear the alert and return the Dome9 system to optimal operation.
In the procedural example that follows, we explain how to repair a misconfigured SSH service and clear the 'Admin port exposed' alert generated when that port is open to the Internet.
Admin port exposed - Alert example