The XG Series hardware appliances reached end-of-life (EOL) on March 31, 2025.

Notifications

Notifications are sent by email and as SNMP traps.

In addition to the default notifications, Sophos Firewall sends notifications automatically for some events.

Default notifications

The firewall sends the following notifications by default:

  • HA device role changes from standalone, primary, or auxiliary.
  • HA device status changes to faulty.
  • Virtual host status changes to up or down.
  • Changes made through the web admin console: System restart or shutdown.

Note

You can't stop the firewall from sending these notifications.

Admin

  • Sign-in failed.

    This notification is sent when users sign in to the firewall with the wrong credentials or OTP.

  • Too many failed sign-in attempts.

    This notification is sent when a user reaches the number of unsuccessful sign-in attempts configured on Administration > Admin and user settings > Login security.

HA

  • Some dedicated interfaces are unplugged.
  • Port monitored by HA appliance is unplugged.

IPS

This notification is sent when the firewall logs and drops the packet for an IPS threat.

  • Critical
  • Major
  • Moderate
  • Minor
  • Warning

MDR, NDR Essentials, Sophos X-Ops, and third-party threat feeds

  • Alert

    This notification is sent when the firewall logs the threat but still allows the data flow.

  • Drop

    This notification is sent when the firewall logs and drops the packet for a threat.

Disk/Memory

The firewall generates logs and sends notifications when disk usage is at or above the threshold for 50 seconds. It generates logs and sends notifications at the default frequency until usage drops below the threshold. See the following table for the default thresholds and frequencies:

Notification                                  | Threshold            | Frequency
Configuration disk usage exceeded threshold.  | 80 percent and above | 50 seconds
Signature disk usage exceeded threshold.      | 90 percent and above | 50 seconds
/var partition exceeded usage threshold.      | 80 percent and above | 12 hours

Note

The /var partition, which is used by reports, has two thresholds. Logs are generated when usage reaches the lower threshold, but notifications are only sent when usage is at or above the higher threshold, which is 80 percent. When usage exceeds the higher threshold, then drops below the lower threshold, a log is generated, but notifications aren't sent. See Reports disk space.

Firmware

  • New firmware ready for installation.
  • Installed new firmware.
  • Firmware installation failed.

System

  • WebCat database upgrade failed.
  • IPS signature upgrade failed.
  • Antivirus definition upgrade failed.
  • System started.

    This notification is sent when the firewall device is started or restarted.

  • High CPU usage.

    Once CPU usage reaches 95 percent and stays at or above this figure for 25 minutes, the first notification log is generated. Logs are then generated every 25 minutes until usage drops below 95 percent.

  • Gateway status.

    These notifications are turned on by default. To send them, turn on Email notifications.

RED

  • RED connection is down.
  • RED firmware upgrade failed.
  • RED device deauthorized automatically.
  • RED device has a new unlock code.

AP

  • Access point is offline.
  • Access point firmware upgrade failed.

VPN

VPN notifications are sent when an event occurs. These are sent at approximately 60-second intervals until the triggering event is resolved.

For site-to-site connections with more than one local and remote network, a notification is sent for each subnet pair.

Notifications include a description of the IPsec connection if the administrator enters the information in the connection settings.

IPsec notifications are sent only when host-to-host and site-to-site tunnel connections are disconnected for these reasons:

  • Dead peer detection (DPD).
  • Failed to re-establish connection after DPD.
  • IPsec Security Association (SA) expired and must be re-established.
  • After losing connectivity, the IPsec tunnel comes up without administrator intervention.

Here's a list of all VPN notifications:

  • IPsec tunnel is up.
  • IPsec tunnel is down.
  • IPsec tunnel failed over or failed back.
  • Established SSL VPN connection.
  • Disconnected SSL VPN connection.
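
An added example, not part of the Sophos documentation or product code: because a tunnel-down notification repeats at roughly 60-second intervals and is sent once per subnet pair, a receiver can fold the repeats into one incident per pair and track whether it was resolved. The tuple layout, the 30-second slack, and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

REPEAT_SECONDS = 60  # from the page: repeats at approximately 60-second intervals
SLACK_SECONDS = 30   # assumption: tolerance for "approximately" and mail delay

@dataclass
class Incident:
    connection: str
    local_net: str
    remote_net: str
    first_seen: int
    last_seen: int
    repeats: int = 1
    resolved_at: Optional[int] = None  # None: no "up" notification seen yet

def collapse(events):
    """Fold repeated 'down' notifications into one incident per subnet pair.

    events: (epoch_seconds, connection, local_net, remote_net, status) tuples,
    with status "down" or "up". This tuple layout is hypothetical.
    """
    open_incidents, done = {}, []
    for ts, conn, local, remote, status in sorted(events):
        key = (conn, local, remote)
        inc = open_incidents.get(key)
        if status == "down":
            if inc and ts - inc.last_seen <= REPEAT_SECONDS + SLACK_SECONDS:
                inc.last_seen, inc.repeats = ts, inc.repeats + 1
                continue
            if inc:  # repeats stopped without an "up": keep as unresolved
                done.append(inc)
            open_incidents[key] = Incident(conn, local, remote, ts, ts)
        elif status == "up" and inc:
            inc.resolved_at = ts
            done.append(open_incidents.pop(key))
    return done + list(open_incidents.values())

# Constructed sample: one connection with two local subnets, so two subnet pairs.
SAMPLE = [
    (0, "hq-branch", "10.1.0.0/24", "10.2.0.0/24", "down"),
    (0, "hq-branch", "10.1.1.0/24", "10.2.0.0/24", "down"),
    (61, "hq-branch", "10.1.0.0/24", "10.2.0.0/24", "down"),
    (60, "hq-branch", "10.1.1.0/24", "10.2.0.0/24", "down"),
    (119, "hq-branch", "10.1.0.0/24", "10.2.0.0/24", "down"),
    (180, "hq-branch", "10.1.0.0/24", "10.2.0.0/24", "up"),
    (4000, "hq-branch", "10.1.0.0/24", "10.2.0.0/24", "down"),
]
```

Incidents that come back with `resolved_at` still `None` are the ones to look at first: the subnet pair has no matching "tunnel is up" notification yet.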

Virus

  • HTTP virus alert
  • FTP virus alert
  • SMTP virus alert
  • POP3 virus alert
  • IMAP4 virus alert