Firewall alerts
Firewall alerts are grouped into the following types.
Security
Alert type | Description | Severity | What Sophos has done so far |
---|---|---|---|
Advanced Threat detected | An attempt to communicate with a botnet or command and control server has been detected. | Medium | We've logged details about the event, and notified administrators. |
Missing Heartbeat | An endpoint that previously had a security heartbeat is still communicating on the network, but its security heartbeat has been lost. | High | We've detected the activity, and notified administrators. Any firewall rules set to block RED heartbeat activity may have also blocked connections from the endpoint. |
System health
Alert type | Description | Severity | What Sophos has done so far |
---|---|---|---|
High CPU usage on firewall. | The firewall's CPU usage has been at or above 100% for more than 30 minutes. | Medium | Nothing. Your users may be experiencing issues. |
High memory usage on firewall. | The firewall's memory usage has been at 100% for more than 30 minutes. | Medium | Nothing. Your users may be experiencing issues. |
High disk usage on firewall. | The firewall's disk usage has been at 100% for more than 30 minutes. | Medium | Nothing. Your users may be experiencing issues. |
Connectivity
Alert type | Description | Severity | What Sophos has done so far |
---|---|---|---|
Firewall gateway down | Gateway <Gateway name> is down. | High | Nothing. |
Firewall gateway up | Gateway <Gateway name> is up. | Info | Nothing. |
Firewall lost connection to Sophos Central. | Firewall hasn't checked in with Sophos Central for the past <x> minutes. | High | Nothing. |
Firewall re-connected to Sophos Central. | Firewall connection to Sophos Central has been restored. | Info | Nothing. |
Firewall VPN tunnel down. | IPsec connection between <Site1> with <IP from> and <Site2> with <IP to> has closed. | Medium | Nothing. |
Firewall VPN tunnel connection restored. | IPsec connection between <Site1> with <IP from> and <Site2> with <IP to> has reconnected. | Info | Nothing. |
Firewall HA degraded. | One of the HA nodes is down or degraded. Your HA pair is unavailable. | Medium | Nothing. |
Firewall HA state restored. | Both HA nodes are now connected and in good health. | Info | Nothing. |
Firewall RED tunnel down. | <red tunnel name> is disconnected. | Medium | Nothing. |
Firewall RED tunnel connection restored | <red tunnel name> is connected again after 89000 ms. | Info | Nothing. |
General
Alert type | Description | Severity | What Sophos has done so far |
---|---|---|---|
New firewall registered with Sophos Central. | You've successfully registered a new firewall with Sophos Central. | Info | We've added the firewall to the Firewall Management list. You can now turn on Synchronized Security. |
Firewall awaiting management approval. | You've turned on Sophos Central management for this firewall. This is awaiting approval. | Medium | Nothing. You need to approve management. |
New firewall wait time expired. | A firewall was awaiting management approval for more than 30 days, and the wait time has expired. | Medium | We've canceled the management request. |
New firewall zero-touch process canceled by local admin. | You've stopped the zero-touch process on this firewall. | Medium | The zero-touch process has stopped. We've removed the firewall from the Firewall Management list. |
Firewall Management turned off for firewall. | You've turned off Firewall Management for this firewall. | Medium | We've kept the firewall in the Firewall Management list. You can't manage it. It won't report events or send backups to Sophos Central. |
Firewall de-registered from Sophos Central | You've de-registered the firewall. | Medium | We've removed the firewall from the Firewall Management list in Sophos Central. We've turned off any configured Synchronized Security features on the firewall. |