Firewall alerts
Firewall alerts are of the following types.
Security
| Alert type | Description | Severity | What Sophos has done so far |
|---|---|---|---|
| Advanced Threat detected | An attempt to communicate with a botnet or command and control server has been detected. | Medium | We've logged details about the event, and notified administrators. |
| Missing Heartbeat | An endpoint that previously had a security heartbeat is still communicating on the network, but its security heartbeat has been lost. | High | We've detected the activity, and notified administrators. Any firewall rules set to block RED heartbeat activity may have also blocked connections from the endpoint. |
System health
| Alert type | Description | Severity | What Sophos has done so far |
|---|---|---|---|
| High CPU usage on firewall. | The firewall's CPU usage has been at or above 100% for more than 30 minutes. | Medium | Nothing. Your users may be experiencing issues. |
| High memory usage on firewall. | The firewall's memory usage has been at 100% for more than 30 minutes. | Medium | Nothing. Your users may be experiencing issues. |
| High disk usage on firewall. | The firewall's disk usage has been at 100% for more than 30 minutes. | Medium | Nothing. Your users may be experiencing issues. |
Connectivity
| Alert type | Description | Severity | What Sophos has done so far |
|---|---|---|---|
| Firewall gateway down | Gateway <Gateway name> is down. | High | Nothing. |
| Firewall gateway up | Gateway <Gateway name> is up. | Info | Nothing. |
| Firewall lost connection to Sophos Central. | Firewall hasn't checked in with Sophos Central for the past <x> minutes. | High | Nothing. |
| Firewall re-connected to Sophos Central. | Firewall connection to Sophos Central has been restored. | Info | Nothing. |
| Firewall VPN tunnel down. | IPsec connection between <Site1> with <IP from> and <Site2> with <IP to> has closed. | Medium | Nothing. |
| Firewall VPN tunnel connection restored. | IPsec connection between <Site1> with <IP from> and <Site2> with <IP to> has reconnected. | Info | Nothing. |
| Firewall HA degraded. | One of the HA nodes is down or degraded. Your HA pair is unavailable. | Medium | Nothing. |
| Firewall HA state restored. | Both HA nodes are now connected and in good health. | Info | Nothing. |
| Firewall RED tunnel down. | <red tunnel name> is disconnected. | Medium | Nothing. |
| Firewall RED tunnel connection restored | <red tunnel name> is connected again after 89000 ms. | Info | Nothing. |
General
| Alert type | Description | Severity | What Sophos has done so far |
|---|---|---|---|
| New firewall registered with Sophos Central. | You've successfully registered a new firewall with Sophos Central. | Info | We've added the firewall to the Firewall Management list. You can now turn on Synchronized Security. |
| Firewall awaiting management approval. | You've turned on Sophos Central management for this firewall. This is awaiting approval. | Medium | Nothing. You need to approve management. |
| New firewall wait time expired. | A firewall was awaiting management approval for more than 30 days, and the wait time has expired. | Medium | We've canceled the management request. |
| New firewall zero-touch process canceled by local admin. | You've stopped the zero-touch process on this firewall. | Medium | The zero-touch process has stopped. We've removed the firewall from the Firewall Management list. |
| Firewall Management turned off for firewall. | You've turned off Firewall Management for this firewall. | Medium | We've kept the firewall in the Firewall Management list. You can't manage it. It won't report events or send backups to Sophos Central. |
| Firewall de-registered from Sophos Central | You've de-registered the firewall. | Medium | We've removed the firewall from the Firewall Management list in Sophos Central. We've turned off any configured Synchronized Security features on the firewall. |