Alerts and Notifications

    Dome9 generates alerts as a result of configuration errors or other events.
    Alerts usually do not require immediate user action, but it is important to be aware of the alerts that have been generated.

    The number of open alerts for an account is indicated in the upper right corner of the screen:


    The Alerts mechanism is divided into two main scopes:

    • Service related alerts
    • Non service related alerts

    Service related alerts

    Every service (port) can be open to a certain scope of IP addresses. The severity of the alert is set according to the service type and the number of IP addresses the service is open to.

    Public and private scopes:
    Defined according to RFC 6890 (https://tools.ietf.org/html/rfc6890)

    Scope definition:

    • Large scope is defined as 10 or more addresses
    • Small scope is defined as 5 or more addresses


    The service related alerts are:

    • Known Internal Port Alert
    • Large Port Range
    • Admin Port
    • Unencrypted Known Port
    • Unknown port alert

    Known Internal Port Alert

    Triggered for known internal ports that are open.
    Alert Severity:
    All Internet: High
    Large public scope: Medium
    Small public scope: Low

    Known Internal Port List:

    TCP 389 LDAP
    TCP 7001 Encrypted Cassandra
    TCP 3306 MySQL
    TCP 3000 Commonly used internal port
    TCP 61621 Cassandra OpsCenter agent port
    TCP 1433 MSSQL server
    TCP 1434 MSSQL Admin
    TCP 2383 SQL Server Analysis Services
    TCP 2382 SQL Server Analysis Service browser
    TCP 135 DCE / MSSQL debugger
    TCP 137 NetBIOS Name Service
    TCP 138 NetBIOS datagram service
    TCP 139 NetBIOS session service
    TCP 636 LDAP SSL
    TCP 2484 Oracle DB SSL
    TCP 3020 CIFS / SMB
    TCP 4505 SaltStack master
    TCP 4506 SaltStack master
    TCP 5432 PostgreSQL
    TCP 8140 Puppet master
    TCP 9000 Hadoop name node
    TCP 8000 Commonly used internal web port
    TCP 8080 Commonly used internal web port
    TCP 11214 Memcached SSL
    TCP 11215 Memcached SSL
    TCP 27018 MongoDB web portal
    UDP 1434 MSSQL browser service
    UDP 137 NetBIOS Name Service
    UDP 138 NetBIOS datagram service
    UDP 139 NetBIOS session service
    UDP 161 SNMP
    UDP 5432 PostgreSQL
    UDP 2484 Oracle DB SSL
    UDP 11214 Memcached SSL
    UDP 11215 Memcached SSL
    TCP 23 Telnet
    TCP 445 Windows SMB
    TCP 20 FTP-Data

    Large Port Range

    Triggered for a port range of more than 20 IPs.
    Alert Severity:
    All Internet or large public scope: High
    Regular public or private scope: Medium
    Small private scope: Low

    Admin Port

    Triggered for RDP or SSH service ports.
    Alert Severity:

    Large public scope or All Internet: High
    All other open scopes: Low (Logic: we recommend that all admin ports be kept closed and opened only through dynamic access)

    Unencrypted Known Port

    Triggered for any known unencrypted port that is open.
    Alert Severity:
    Always High

    Unencrypted Known Port List:

    TCP 27017 MongoDB
    TCP 7000 Cassandra inter-node communication
    TCP 7199 Cassandra Monitoring port
    TCP 9042 Cassandra client port
    TCP 9160 Cassandra thrift port
    TCP 6379 Redis
    TCP 61620 Cassandra OpsCenter monitoring port
    TCP 8888 Cassandra OpsCenter website
    TCP 2483 Oracle DB
    TCP 1521 Oracle DB
    TCP 9200 Elasticsearch
    TCP 9300 Elasticsearch
    TCP 11211 Memcached
    UDP 389 LDAP
    UDP 2483 Oracle DB
    UDP 11211 Memcached

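    To make the service-related severity rules above concrete, the following is an added example (not Dome9 code) that classifies one inbound security-group rule the way this section describes: the scope is derived from the CIDR (All Internet, then public or private per RFC 6890 with large = 10 or more addresses and small = 5 or more), and the alert type and severity follow the tables above. It assumes a small subset of the port lists, port 22 for SSH and 3389 for RDP, that fewer than 5 addresses count as a small scope, and that the "more than 20" rule for Large Port Range is counted in ports; the sample rules at the bottom are constructed.

```python
import ipaddress

# Constructed subsets of the page's port lists, keyed (protocol, port) -> service.
KNOWN_INTERNAL = {("tcp", 389): "LDAP", ("tcp", 3306): "MySQL",
                  ("tcp", 5432): "PostgreSQL", ("udp", 161): "SNMP"}
UNENCRYPTED = {("tcp", 27017): "MongoDB", ("tcp", 6379): "Redis",
               ("tcp", 9200): "Elasticsearch", ("udp", 389): "LDAP"}
ADMIN = {("tcp", 22): "SSH", ("tcp", 3389): "RDP"}  # assumed port numbers for SSH/RDP

def classify_scope(cidr):
    """Map a CIDR to the page's scope names: all_internet or large/small public/private."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "all_internet"
    kind = "private" if net.is_private else "public"  # RFC 6890 special-purpose ranges
    # Page: large = 10 or more addresses, small = 5 or more. Fewer than 5 is
    # treated as small here; that is an assumption the page does not state.
    size = "large" if net.num_addresses >= 10 else "small"
    return f"{size}_{kind}"

def evaluate_rule(proto, from_port, to_port, cidr):
    """Return [(alert, severity), ...] for one inbound security-group rule."""
    scope = classify_scope(cidr)
    wide = scope in ("all_internet", "large_public")
    if to_port - from_port + 1 > 20:  # page: "more than 20" (counted as ports here)
        sev = "High" if wide else "Low" if scope == "small_private" else "Medium"
        return [("Large Port Range", sev)]
    alerts = []
    for port in range(from_port, to_port + 1):
        key = (proto.lower(), port)
        if key in ADMIN:
            alerts.append((f"Admin Port ({ADMIN[key]})", "High" if wide else "Low"))
        if key in UNENCRYPTED:  # always High, regardless of scope
            alerts.append((f"Unencrypted Known Port ({UNENCRYPTED[key]})", "High"))
        if key in KNOWN_INTERNAL:
            sev = {"all_internet": "High", "large_public": "Medium",
                   "small_public": "Low"}.get(scope)  # page gives none for private scopes
            if sev:
                alerts.append((f"Known Internal Port ({KNOWN_INTERNAL[key]})", sev))
    return alerts

if __name__ == "__main__":
    # Constructed sample rules: SSH to the world, PostgreSQL to a public /28, Redis internally.
    for rule in [("tcp", 22, 22, "0.0.0.0/0"), ("tcp", 5432, 5432, "203.0.114.0/28"),
                 ("tcp", 6379, 6379, "10.0.0.0/24"), ("tcp", 1, 1024, "10.0.0.0/29")]:
        print(rule, evaluate_rule(*rule))
```

    Note that Python's is_private follows the IANA special-purpose registry that RFC 6890 describes, so documentation ranges such as 203.0.113.0/24 are classed as private rather than public.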

    Non service related alerts

    These are all the alert types that are not related to services; they report a state that needs to be handled.

    The non service related alerts are:

    • Cloud Push Error
    • Agent related alerts
    • Credentials alert

    Cloud Push Error

    Failure to push (save) the Dome9 configuration to a cloud security group.

    Agent related alerts

    • Agent inaccessible
    • Agent not updated
    • Agent not approved (not attached to any security group)
    • Multiple FIM policies (this is an invalid state and disables the agent)

    Credentials alert

    Triggered when the system finds that it cannot fetch information from the cloud account (invalid credentials).

    Each alert has its own cause or causes and a corresponding user action path to clear the alert and return the Dome9 system to optimal operation.
    In the procedural example that follows, we explain how to repair a misconfigured SSH service and clear the alert generated by an 'Admin port exposed' to the Internet.

    Admin port exposed - Alert example