Vladimir
Champion

Email Notification persists after being removed from policy

After configuring email alerts in Global Properties according to Configuring 'Mail Alerts' using 'internal_sendmail' command, setting up relay and Email alerts in rules, I am experiencing two issues:

1. "From" field in received emails is "root@unknown.org"

2. After removing alerts from the rules, publishing and installing the policy, alerts continue to be delivered each time the rule is triggered.

Nothing short of resetting Global Properties for Alerts to the default value seems to be able to stop it.

Are there any other methods of configuring non-smartevent email alerts besides that in Global Properties?

It would be helpful to have them in a bit more readable form as well.

Thank you,

Vladimir

5 Replies
PhoneBoy
Admin

If you're setting up the sendmail command as described in the SK and it's not setting the from address correctly, it's probably a bug TAC needs to investigate.

Same with the issue where it won't stop sending alerts :)

As for the format of the email, my very vague memory is that it just sends the "text" version of the log (same as fw log output)...which isn't very readable.

Danny
Champion

Regarding your first issue, you might want to check my reply in this thread.

Danny
Champion

Regarding your second issue, you could simply delete the rule and manually recreate it. That should help. Alternatively you could configure another Alert type first, install policy, then change back to normal logging.

Regarding the format of the email.. you could configure an alert that triggers a script on the gateway, and have your script formatting and sending the email you want.

You see.. there is a solution for everything. Just be creative.

Vladimir
Champion

Danny,

Thank you for these suggestions!

For the first issue, if I am reading it right, there is no way to send it using authenticated user account, we simply must bounce it off the relay permitted to accept mail from checkpoint appliances.

For the second, changing the alert type will certainly do as a workaround if it works (I'll have to try it to verify). Deletion and recreation of the rule, however, resets the hit count, which in some environments will be undesirable. If you have something like Tufin keeping track of hits based on the context, rather than the UUID of the rule, it may work, not so much otherwise.

If you have any scripts for the transformation of the alerts into readable format, please share the wealth:)

G_W_Albrecht
Legend

In sk25941 Configuring 'Mail Alerts' using 'internal_sendmail' command we read:

Sample log entry that you will find in the body of the e-mail message:

27Jul2011 12:37:06 drop Labfw02 >eth2 useralert rule: 5; rule_uid: {D80B94DC-N325-4866-B67E-99NAZ5F41160}; SmartDefense profile: No Protection; ICMP: Echo Request; src: NS_192.168.30.44; dst: NS_LabSRVa; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 & FireWall-1;
CCSE CCTE CCSM SMB Specialist
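Danny's suggestion of an alert that runs a script on the gateway, applied to the sk25941 sample line quoted just above, as an added example that is not part of the thread and not Check Point's own tooling. It parses the one-line alert text into fields, builds a readable one-field-per-line message with an explicit From header (so the relay never sees an unqualified local user such as root@unknown.org; a relay may still rewrite the header, which is its own policy), and only hands the message to a relay when asked to. Assumptions: Python 3 is available where the script runs, the alert text arrives on the script's standard input, and the sender, recipient and relay names are placeholders, as is the `<` inbound / `>` outbound reading of the interface token.

```python
#!/usr/bin/env python3
"""Added example: turn a one-line Check Point alert log entry into a readable e-mail.

Not Check Point code. Assumes the gateway hands the alert text to the script on
standard input and that an SMTP relay already accepts mail from the gateway.
"""
import smtplib
import sys
from email.message import EmailMessage

# Constructed sample: the sk25941 log line quoted in the thread above.
SAMPLE_LOG = (
    "27Jul2011 12:37:06 drop Labfw02 >eth2 useralert rule: 5; "
    "rule_uid: {D80B94DC-N325-4866-B67E-99NAZ5F41160}; "
    "SmartDefense profile: No Protection; ICMP: Echo Request; "
    "src: NS_192.168.30.44; dst: NS_LabSRVa; proto: icmp; "
    "ICMP Type: 8; ICMP Code: 0; product: VPN-1 & FireWall-1;"
)

# The six fixed, whitespace-separated tokens that open every entry.
HEADER_KEYS = ("date", "time", "action", "origin", "interface", "alert_type")


def parse_alert(line):
    """Split 'date time action origin [<|>]iface alerttype k: v; k: v; ...' into a dict.

    Returns None when the six header tokens are missing, so a truncated or
    unrelated input never turns into a half-filled mail.
    """
    parts = line.strip().split(None, len(HEADER_KEYS))
    if len(parts) < len(HEADER_KEYS):
        return None
    fields = dict(zip(HEADER_KEYS, parts))
    # Assumed fw log convention: '<' inbound, '>' outbound, then the interface name.
    iface = fields["interface"]
    if iface and iface[0] in "<>":
        fields["direction"] = "inbound" if iface[0] == "<" else "outbound"
        fields["interface"] = iface[1:]
    rest = parts[len(HEADER_KEYS)] if len(parts) > len(HEADER_KEYS) else ""
    for item in rest.split(";"):
        item = item.strip()
        if not item:
            continue
        # Split on the first ': ' only, so values that contain colons
        # (IPv6 addresses, times) keep them; fall back to a bare ':'.
        key, sep, value = item.partition(": ")
        if not sep:
            key, sep, value = item.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def format_alert_email(fields, sender, recipient):
    """Build the message: explicit From header, short subject, one field per line."""
    msg = EmailMessage()
    msg["From"] = sender        # set by us, not derived from the local account
    msg["To"] = recipient
    g = lambda k: fields.get(k, "?")
    msg["Subject"] = "[%s] %s rule %s: %s -> %s (%s)" % (
        g("origin"), g("action"), g("rule"), g("src"), g("dst"), g("proto"))
    width = max(len(k) for k in fields)
    body = "\n".join(f"{k:<{width}}  {v}" for k, v in fields.items())
    msg.set_content(body + "\n")
    return msg


def send_via_relay(msg, relay_host, relay_port=25):
    """Hand the message to the relay that already accepts mail from the gateway."""
    with smtplib.SMTP(relay_host, relay_port, timeout=30) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    # Usage: alert_mail.py SENDER RECIPIENT [RELAY]   (alert text on stdin)
    # Without RELAY the formatted message is printed instead of sent.
    argv = sys.argv[1:] + [None] * 3
    sender = argv[0] or "fw-alerts@example.com"      # placeholder addresses
    recipient = argv[1] or "soc@example.com"
    relay = argv[2]
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_alert(text)
    if parsed is None:
        sys.exit("not a recognisable alert line: %r" % text[:80])
    message = format_alert_email(parsed, sender, recipient)
    if relay:
        send_via_relay(message, relay)
    else:
        print(message)
```

Run it with the alert text on stdin and no relay argument to see the rendered message; the same parser can be reused for the non-email script alert Danny describes, since nothing in it depends on how the message is delivered.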
