Notifications are sent by email or as SNMP traps.
In addition to the default notifications, Sophos Firewall sends notifications automatically for some events.
These notifications are sent automatically and you can’t remove them.
- HA device role changes from standalone, primary, or auxiliary.
- HA device status changes to faulty.
- Virtual host status changes to up or down.
- Changes made through the web admin console: System restart or shutdown.
Here's a list of all notifications the firewall sends:
This notification is sent when users sign in to the firewall with the wrong credentials or OTP.
Too many failed sign-in attempts.
This notification is sent when a user reaches the number of unsuccessful attempts to sign in to the firewall as configured on Administration > Admin and user settings > Login security.
- Some dedicated interfaces are unplugged.
- Port monitored by HA appliance is unplugged.
These notifications are sent when the firewall detects intrusions of the following severity levels:
This notification is sent when the firewall logs the threat but still allows the data flow.
This notification is sent when the firewall logs and drops the packet for a threat.
Disk usage notifications are sent when thresholds are met.
The following table shows the details:
|Configuration disk usage exceeded threshold.
|80 percent and above
|Once the configuration disk usage reaches 80 percent and stays at or above this figure for 50 seconds, the first notification log is generated. Logs are generated every 50 seconds until the usage drops below 80 percent.
|Signature disk usage exceeded threshold.
|90 percent and above
|Once the signature disk usage reaches 90 percent and stays at or above this figure for 50 seconds, the first notification log is generated. Logs are generated every 50 seconds until the usage drops below 90 percent.
|Reports disk usage exceeded threshold.
|90 percent and above
|Once the reports disk usage reaches 90 percent and stays at or above this figure for 50 seconds, the first notification log is generated. Logs are generated every 12 hours until the usage drops down below 90 percent.
- New firmware ready for installation.
- Installed new firmware.
- Firmware installation failed.
- WebCat database upgrade failed.
- IPS signature upgrade failed.
- Antivirus definition upgrade failed.
This notification is sent when the firewall device is started or restarted.
High CPU usage.
Once the CPU usage reaches 95 percent and stays at or above this figure for 25 minutes, the first notification log is generated. Logs are generated every 25 minutes until the usage drops down below 95 percent.
These notifications are turned on by default. To send them, turn on Email notifications.
- RED connection is down.
- RED firmware upgrade failed.
- RED device deauthorized automatically.
- RED device has a new unlock code.
- Access point is offline.
- Access point firmware upgrade failed.
VPN notifications are sent when an event occurs. These are sent at approximately 60-second intervals until the triggering event is resolved.
For site-to-site connections with more than one local and remote network, a notification is sent for each subnet pair.
Notifications include a description of the IPsec connection if the administrator enters the information in the connection settings.
IPsec notifications are sent only when host-to-host and site-to-site tunnel connections are disconnected for these reasons:
- Dead peer detection (DPD).
- Failed to re-establish connection after DPD.
- IPsec Security Association (SA) expired and must be re-established.
- After losing connectivity, the IPsec tunnel comes up without administrator intervention.
Here's a list of all VPN notifications:
- IPsec tunnel is up.
- IPsec tunnel is down.
- IPsec tunnel failed over or failed back.
- Established SSL VPN connection.
- Disconnected SSL VPN connection.
- HTTP virus alert
- FTP virus alert
- SMTP virus alert
- POP3 virus alert
- IMAP4 virus alert