Alerts

Dome9 generates alerts as a result of configuration errors or other events.

While alerts usually do not require immediate user action, it is important to be aware of generated alerts.

Alerts are shown in the Alerts page, in the Compliance & Governance menu. This view shows all alerts for all your cloud accounts.

Alerts represent different types of events, and each has an assigned severity (High, Medium, Low). You can filter the view of alerts according to account, region, severity, type, and status (open or closed).

To view your alerts, navigate to the Alerts page in the Compliance & Governance menu.

Filter or search the view in the filter & search pane on the left.

Alert types

These are the different types of alerts that are reported in Dome9.

Type: Admin port exposed
Description: Admin ports on a cloud resource (for example, SSH port 22) are exposed; these ports should be kept closed and only opened when needed.
Assigned severity:
  High - the port is exposed to the entire internet
  Medium -
  Low - the port is exposed, but not to the entire internet

Type: Wide port range
Description: A wide range of ports is exposed; it is preferable to open specific ports in a range, according to need.
Assigned severity:
  High - ports are exposed to the entire internet or a large public scope
  Medium - ports are exposed to a regular private or public scope
  Low - ports are exposed to a small private scope

Type: Known internal service exposed
Description: Ports used by internal (to the VPC) services are exposed; services that do not require outside access should not be exposed.
Assigned severity:
  High - ports are exposed to the entire internet
  Medium - ports have a large exposure
  Low - ports have a small external exposure

Type: Unknown port exposed
Description: A port for an unknown service is exposed to the internet; services that do not require outside access should not be exposed.
Assigned severity:
  High - ports are exposed to the entire internet
  Medium - ports have a large exposure
  Low - ports have a small external exposure

Type: Inaccessible agent
Description: Communication with the Dome9 agent on a host has been lost; port 443 is usually used for this.
Assigned severity:
  Medium

Type: Unencrypted port exposed
Description: An unencrypted port is exposed; exposed ports should always be encrypted.
Assigned severity:
  High - ports are exposed to the entire internet

Close alerts

You can close an alert from the Alerts page.

1. Navigate to the Alerts page, and use the filter settings to filter for the alerts of interest.

2. Check the box at the left of the alert you wish to close.

3. Select Acknowledge (close) in the Review menu at the right of the alert.

Known ports

These are the known ports and services.

Protocol  Port   Usage
TCP       389    LDAP
TCP       7001   Encrypted Cassandra
TCP       3306   MySql
TCP       3000   Commonly used internal port
TCP       61621  Cassandra OpsCenter agent port
TCP       1433   MSSQL server
TCP       1434   MSSQL Admin
TCP       2383   SQL Server Analysis Services
TCP       2382   SQL Server Analysis Service browser
TCP       135    DCE / MSSQL debugger
TCP       137    NetBIOS Name Service
TCP       138    NetBIOS datagram service
TCP       139    NetBIOS session service
TCP       636    LDAP SSL
TCP       2484   Oracle DB SSL
TCP       3020   CIFS / SMB
TCP       4505   SaltStack master
TCP       4506   SaltStack master
TCP       5432   PostgreSQL
TCP       8140   Puppet master
TCP       9000   Hadoop name node
TCP       8000   Commonly used internal web port
TCP       8080   Commonly used internal web port
TCP       11214  Memcached SSL
TCP       11215  Memcached SSL
TCP       27018  MongoDB web portal
UDP       1434   MSSQL browser service
UDP       137    NetBIOS Name Service
UDP       138    NetBIOS datagram service
UDP       139    NetBIOS session service
UDP       161    SNMP
UDP       5432   PostgreSQL
UDP       2484   Oracle DB SSL
UDP       11214  Memcached SSL
UDP       11215  Memcached SSL
TCP       23     Telnet
TCP       445    Windows SMB
TCP       20     FTP-Data

These known ports should be encrypted (and will trigger an Unencrypted Known port alert if not).

Protocol  Port   Usage
TCP       27017  MongoDB
TCP       7000   Cassandra inter-node communication
TCP       7199   Cassandra monitoring port
TCP       9042   Cassandra client port
TCP       9160   Cassandra thrift port
TCP       6379   Redis
TCP       61620  Cassandra OpsCenter monitoring port
TCP       8888   Cassandra OpsCenter website
TCP       2483   Oracle DB
TCP       1521   Oracle DB
TCP       9200   Elasticsearch
TCP       9300   Elasticsearch
TCP       11211  Memcached
UDP       389    LDAP
UDP       2483   Oracle DB
UDP       11211  Memcached
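The alert types above and the two port tables describe one classification model: which alert an inbound rule raises depends on the port(s) it opens and on how wide the source scope is. The following Python is an added illustration of that model, not Dome9 code; the port sets are small subsets of the page's tables, and the thresholds that decide "wide range" and "large scope" (WIDE_RANGE_MIN, LARGE_SCOPE_MAX_PREFIX) are assumptions, since the page does not define them numerically.

```python
import ipaddress

# Subsets of this page's tables (constructed for the example). TCP ports only.
ADMIN_PORTS = {22}                                    # SSH, the admin port the page names
INTERNAL_PORTS = {389, 3306, 5432, 8140, 1433, 9000}  # from the "Known ports" table
UNENCRYPTED_PORTS = {27017, 6379, 9200, 9300, 11211}  # from the "should be encrypted" table
WIDE_RANGE_MIN = 100          # assumption: a rule spanning >= 100 ports is a "wide port range"
LARGE_SCOPE_MAX_PREFIX = 16   # assumption: a prefix of /16 or shorter (but not /0) is a "large" scope


def exposure(source_cidr):
    """Map a rule's source CIDR to the page's vocabulary: ('internet'|'large'|'small', is_private)."""
    net = ipaddress.ip_network(source_cidr, strict=False)
    if net.prefixlen == 0:                       # 0.0.0.0/0: the entire internet
        return "internet", False
    size = "large" if net.prefixlen <= LARGE_SCOPE_MAX_PREFIX else "small"
    return size, net.is_private


def classify_rule(port_from, port_to, source_cidr):
    """Return the (alert type, severity) pairs an inbound rule would raise under the page's model."""
    scope, private = exposure(source_cidr)
    ports = set(range(port_from, port_to + 1))
    graded = {"internet": "High", "large": "Medium", "small": "Low"}  # internal/unknown grading
    alerts = []
    wide = len(ports) >= WIDE_RANGE_MIN
    if wide:
        if scope == "internet" or (scope == "large" and not private):
            sev = "High"           # entire internet or a large public scope
        elif scope == "small" and private:
            sev = "Low"            # a small private scope
        else:
            sev = "Medium"         # a regular private or public scope
        alerts.append(("Wide port range", sev))
    if ports & ADMIN_PORTS:        # the page lists no Medium case for admin ports
        alerts.append(("Admin port exposed", "High" if scope == "internet" else "Low"))
    if ports & INTERNAL_PORTS:
        alerts.append(("Known internal service exposed", graded[scope]))
    if scope == "internet" and ports & UNENCRYPTED_PORTS:
        alerts.append(("Unencrypted port exposed", "High"))
    known = ADMIN_PORTS | INTERNAL_PORTS | UNENCRYPTED_PORTS
    if not wide and not (ports & known):
        alerts.append(("Unknown port exposed", graded[scope]))
    return alerts
```

Run `classify_rule(22, 22, "0.0.0.0/0")` to reproduce the scenario in the Example section below: SSH left Open to the world yields a single High "Admin port exposed" alert, while the same rule scoped to a /24 drops to Low.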

Example

In this example, an alert occurs as a result of a configuration error. The user notices it, views it, and takes corrective action.

• The user creates an SSH service to apply to the Inbound Policy for a security group. Instead of setting Port Behavior to Closed and requiring a Dynamic Access lease, they mistakenly set it to Open.

• If the Alerts main navigational control did not display any alert counter previously, it does now. If alerts were present before the configuration error, the number of alerts is increased.

• The user clicks Alerts and investigates the alert in question.

• Click the Review button to be taken to the security group in question, with the offending service rule highlighted.

• Correct the issue. In this case, change the SSH service that is highlighted.

• Select Limited to reconfigure the SSH service. The default is to configure the service as On-Demand for use with Dynamic Access Leasing, which is what we require in our scenario. It is possible, however, to set an individual IP, an IP range in CIDR notation, a DNS name, a Dome9 IP List object, or another AWS security group as a permitted source of incoming traffic.

• Click Save. The alert is cleared. It is also possible to check from inside the Security Group whether any alerts are still open: click Alerts under Related Links. This filters the Alerts page to show only the selected Security Group, which now reports "No Open Alerts".