CloudGuard Dome9 Alerts and Notifications
Solution

Dome9 generates alerts as a result of configuration errors or other events.

While alerts usually do not require immediate user action, it is important to be aware of generated alerts.

The number of open alerts for an account is indicated in the upper right corner of the screen:


The Alerts mechanism is divided into two main scopes:

  • Service related alerts
  • Non service related alerts

Service related alerts

Every service (port) can be opened to a certain scope of IP addresses. The severity of the alert is set according to the service type and the number of IP addresses the service is open to.

Public and private scopes:
Defined according to RFC 6890 (https://tools.ietf.org/html/rfc6890), which lists the special-purpose (non-globally-routable) address ranges; addresses in those ranges are private, all others are public.

Scope definition:

  • Large scope: 10 or more addresses
  • Small scope: 5 or more addresses (a scope of 10 or more addresses counts as large)


The service related alerts are:

  • Known Internal Port Alert
  • Large Port Range
  • Admin Port
  • Unencrypted Known Port
  • Unknown port alert

Known internal port alert:

Alerts triggered for known internal ports.
Alert Severity:
All Internet: High
Large Public Scope: Medium
Small Public Scope: Low

Known internal Port List:

TCP 389 LDAP
TCP 7001 Encrypted Cassandra
TCP 3306 MySQL
TCP 3000 Commonly used internal port
TCP 61621 Cassandra OpsCenter agent port
TCP 1433 MSSQL server
TCP 1434 MSSQL Admin
TCP 2383 SQL Server Analysis Services
TCP 2382 SQL Server Analysis Services browser
TCP 135 DCE/RPC endpoint mapper (MSSQL debugger)
TCP 137 NetBIOS Name Service
TCP 138 NetBIOS Datagram Service
TCP 139 NetBIOS Session Service
TCP 636 LDAP SSL
TCP 2484 Oracle DB SSL
TCP 3020 CIFS / SMB
TCP 4505 SaltStack master
TCP 4506 SaltStack master
TCP 5432 PostgreSQL
TCP 8140 Puppet master
TCP 9000 Hadoop NameNode
TCP 8000 Commonly used internal web port
TCP 8080 Commonly used internal web port
TCP 11214 Memcached SSL
TCP 11215 Memcached SSL
TCP 27018 MongoDB web portal
UDP 1434 MSSQL browser service
UDP 137 NetBIOS Name Service
UDP 138 NetBIOS Datagram Service
UDP 139 NetBIOS Session Service
UDP 161 SNMP
UDP 5432 PostgreSQL
UDP 2484 Oracle DB SSL
UDP 11214 Memcached SSL
UDP 11215 Memcached SSL
TCP 23 Telnet
TCP 445 Windows SMB
TCP 20 FTP-Data

Large Port Range

The alert triggers for a rule that opens a range of more than 20 ports.
Alert Severity:
All Internet or large public scope: High
Regular public or private scope: Medium
Small private scope: Low

Admin Port

The alert triggers for the remote administration ports, RDP (TCP 3389) and SSH (TCP 22).
Alert Severity:

Public large scope or all Internet: High
All other open scopes: Low (logic: admin ports should be kept closed and opened only on demand through dynamic access)

Unencrypted Known Port

The alert triggers for any of the following well-known ports whose service is unencrypted.
Alert Severity:
Always High, regardless of the scope the port is open to

TCP 27017 MongoDB
TCP 7000 Cassandra inter-node communication
TCP 7199 Cassandra Monitoring port
TCP 9042 Cassandra client port
TCP 9160 Cassandra thrift port
TCP 6379 Redis
TCP 61620 Cassandra OpsCenter monitoring port
TCP 8888 Cassandra OpsCenter website
TCP 2483 Oracle DB
TCP 1521 Oracle DB
TCP 9200 Elasticsearch

TCP 9300 Elasticsearch
TCP 11211 Memcached
UDP 389 LDAP
UDP 2483 Oracle DB
UDP 11211 Memcached
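To make the scope and severity logic above concrete, the following Python program classifies constructed security-group rules into the service-related alert classes this article describes. It is an added example, not Dome9 code. The address thresholds (10 or more = large, 5 or more = small), the "more than 20 ports" range threshold and the severity tables are taken from the article; the rule structure, the label "regular" for a scope below the small threshold, raising no Known Internal Port alert for private scopes, and the use of Python's `ipaddress` `is_private` check (which follows the IANA special-purpose registry that RFC 6890 describes) are assumptions made for the example. The "Unknown port alert" is listed above but not defined on this page, so it is not implemented.

```python
"""Classify security-group rules into the service-related alert classes above.

Added example, not Dome9 code. Thresholds and severities follow this article;
everything else (rule shape, labels, handling of unlisted cases) is assumed.
"""
import ipaddress
from dataclasses import dataclass

# Subsets of the article's port lists (constructed sample, not the full lists).
KNOWN_INTERNAL = {("tcp", 389), ("tcp", 445), ("tcp", 1433), ("tcp", 3306),
                  ("tcp", 5432), ("tcp", 8000), ("tcp", 8080), ("udp", 161)}
UNENCRYPTED_KNOWN = {("tcp", 1521), ("tcp", 6379), ("tcp", 9200),
                     ("tcp", 11211), ("tcp", 27017), ("udp", 389)}
ADMIN = {("tcp", 22), ("tcp", 3389)}  # SSH and RDP on standard ports (assumed)

LARGE_SCOPE = 10     # article: 10 or more addresses
SMALL_SCOPE = 5      # article: 5 or more addresses
MAX_PORT_RANGE = 20  # article: a range of more than 20 ports alerts


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp" or "udp"
    from_port: int
    to_port: int    # same as from_port for a single-port rule
    cidr: str       # source CIDR the service is opened to


def scope(cidr: str) -> str:
    """Return 'all_internet' or '<size>_<visibility>' for a CIDR.

    size: 'large' (>=10 addresses), 'small' (>=5) or 'regular' (assumed label
    for fewer than 5). visibility: 'private' when ipaddress flags the network as
    non-global, i.e. the IANA special-purpose ranges RFC 6890 describes.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:            # 0.0.0.0/0 or ::/0
        return "all_internet"
    visibility = "private" if net.is_private else "public"
    if net.num_addresses >= LARGE_SCOPE:
        size = "large"
    elif net.num_addresses >= SMALL_SCOPE:
        size = "small"
    else:
        size = "regular"
    return f"{size}_{visibility}"


def _hits(rule: Rule, table) -> list:
    """Ports from `table` (same protocol) that fall inside the rule's range."""
    return sorted(p for proto, p in table
                  if proto == rule.proto and rule.from_port <= p <= rule.to_port)


def findings(rule: Rule) -> list:
    """(alert, severity) pairs the article's rules produce for one rule."""
    sc = scope(rule.cidr)
    wide = sc in ("all_internet", "large_public")
    out = []
    # Large Port Range: High when wide open, Low for a small private scope,
    # Medium otherwise ("regular public or private scope").
    if rule.to_port - rule.from_port + 1 > MAX_PORT_RANGE:
        out.append(("Large Port Range",
                    "High" if wide else "Low" if sc == "small_private" else "Medium"))
    # Admin Port: High when wide open, Low for any other open scope.
    if _hits(rule, ADMIN):
        out.append(("Admin Port", "High" if wide else "Low"))
    # Unencrypted Known Port: always High, whatever the scope.
    if _hits(rule, UNENCRYPTED_KNOWN):
        out.append(("Unencrypted Known Port", "High"))
    # Known Internal Port: graded by public scope only; the article lists no
    # severity for private scopes, so none is raised for them (assumption).
    if _hits(rule, KNOWN_INTERNAL):
        sev = {"all_internet": "High", "large_public": "Medium",
               "small_public": "Low"}.get(sc)
        if sev:
            out.append(("Known Internal Port", sev))
    return out


if __name__ == "__main__":
    sample = [  # constructed security-group rules
        Rule("tcp", 22, 22, "0.0.0.0/0"),           # SSH to the whole Internet
        Rule("tcp", 3389, 3389, "10.0.0.0/8"),      # RDP from the private network
        Rule("tcp", 3306, 3306, "8.8.8.0/28"),      # MySQL to 16 public addresses
        Rule("tcp", 6379, 6379, "192.168.1.0/24"),  # Redis, private but unencrypted
        Rule("tcp", 8000, 8100, "0.0.0.0/0"),       # wide range including 8000/8080
        Rule("tcp", 443, 443, "0.0.0.0/0"),         # HTTPS: no service-related alert
    ]
    for r in sample:
        print(f"{r.proto}/{r.from_port}-{r.to_port} from {r.cidr} "
              f"[{scope(r.cidr)}]: {findings(r) or 'no alert'}")
```

Note that one rule can raise several alerts at once: a range of TCP 8000-8100 open to 0.0.0.0/0 is both a Large Port Range and a Known Internal Port exposure, and the example reports both rather than picking one. Also note that `ipaddress` treats the RFC 5737 documentation ranges (for example 203.0.113.0/24) as private, which is why the sample uses a genuinely public range to illustrate the public scopes.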


Non Service related alerts

These are the alert types that are not related to services; they report a state of the Dome9 system, its agents or its cloud account connection that needs to be handled.

The non service related alerts are:

  • Cloud Push Error
  • Agent related alerts
  • Credentials alert

Cloud Push Error

Failure to push (save) the Dome9 configuration to a cloud security group.

Agent related alerts

  • Agent inaccessible
  • Agent not updated
  • Agent not approved (not attached to any security group)
  • Multiple FIM (File Integrity Monitoring) policies (an invalid state that disables the agent)

Credentials alert

Triggered when Dome9 cannot fetch information from the cloud account, typically because the stored cloud credentials are invalid or have been revoked.

Each alert has its own cause or causes and a corresponding user action path to clear the alert and return the Dome9 system to optimal operation.
The procedural example that follows explains how to repair a misconfigured SSH service and clear the 'Admin port exposed' alert generated when SSH is open to the Internet.
Admin port exposed - Alert example
