About alert settings

Several alerts let you adjust the threshold at which they are sent. For these to be useful, the values often have to be adjusted from the defaults. You can configure additional alerts or change the default settings of predefined alerts. Some of these alerts are turned off upon installation, and you might need a specific license to turn them on. To learn more about licenses for alerts, contact your Smoothwall representative.

Default settings

Each entry below lists the alert, its description, and its default settings.
Bandwidth Monitor
This alert type sends out alerts when download usage exceeds certain thresholds over time. Several selections can be made here, and multiple alerts with different conditions can be turned on. This alert can be useful when trying to determine whether bandwidth limiting should be implemented. Set an alert for 85% of the total download amount possible on the internet connection over 10 minutes; if this triggers often, a bandwidth limiter may be useful.
  • Traffic for: Total
  • Time period: 10 minutes
Firewall Notifications
Similar to the web filter violations alerts, there is also an alert for the firewall. Again, two thresholds are available, this time called warning and incident. These alerts trigger on both blocked and logged traffic, so make sure traffic auditing is not enabled or threshold values are adjusted appropriately, in the "Network - Settings - Advanced" menu, as the alert might otherwise trigger too often. This is also a useful alert if you suspect a system is spamming access requests to a blocked or unavailable destination.
  • Monitor source (remote) IP addresses:
    • Warning threshold: 500
    • Incident threshold: 2000
  • Monitor destination (local) IP addresses:
    • Warning threshold: 1000
    • Incident threshold: 2000
  • Monitor destination (local) ports:
    • Warning threshold: 50
    • Incident threshold: 150
    • Ignore: 135, 136, 137, 138, 139, 445, 80
Health Monitor
This is meant for monitoring external services, not the Smoothwall Filter and Firewall itself. You can add a website address, and the monitoring system accesses the URL and checks for the presence of particular keywords; if those are not found, or access fails outright, it generates an alert. The other services check is used to test access to SSH or RDP servers, for example. If the connection fails, it generates an alert. You can also do a DNS resolution test for a specific address, which triggers an alert if the resolution fails or is different from the expected result.
  • None
Intrusion System Monitor  
  • Priority: High
NTLM Authentication Failures  
  • None
System Resource Monitor
The system resource monitor triggers when load average, memory or disk usage climbs above a certain threshold set in the system resource monitor settings shown below. The load average value has to be adjusted for the appliance and workload in use. In general, set the load average value to the number of CPUs in the system or 10, whichever is lower. Memory and disk should be set at about the 90% mark. If the load average alert triggers often, it may be time to look at some of the services and adjust the workload that the Smoothwall Filter and Firewall is asked to manage.
  • System load average warning level (per CPU core): 3.0
  • Disk usage (%) warning level: 80%
  • System memory (%) warning level: 80%
System Service Monitoring
This alert triggers whenever a selected service stops, starts or restarts. The two items "Web proxy" and "Web filter" are not enabled by default. These are the Smoothwall Filter and the proxy engine it relies on, so it is always a good idea to enable them. If any service is experiencing an outage, enabling the alert for that service here allows you to keep closer track of service status changes. This should give you an overview of when the issues appear and, hopefully, a clue as to why the service is having issues.
  • Monitor the following services:
    • Report scheduler: Yes
    • SystemD: Yes
    • Monitor alerts: Yes
VPN Certificate Monitor  
  • Notification of expired certificates: Yes
    • Number of days left (warning): 7
    • Number of days left (critical): 1
VPN Tunnel Status  
  • None
Web filter upstream proxy status  
  • None
Web filter URL violations
This alert is a bit more specific in that you have to configure target URLs and domains. If a user or IP address tries to access any of those, an alert is generated. This alert also has two thresholds that can be used.
  • None
Web filter violations
This alert triggers if a single user is blocked according to the amounts in the settings over a 15-minute period. There are two thresholds that can be used: one sends out an alert worded as a Caution, the other as a Warning. This only affects the wording in the alert message. This alert can be useful for finding systems and devices that are being blocked when sending out automatic requests, such as software updates, that cause a lot of blocking to be registered for the IP or user.
  • Forbidden user accesses:
    • Exclude adverts
    • Warning threshold: 20
    • Caution threshold: 100
  • Forbidden IP address accesses:
    • Exclude adverts
    • Warning threshold: 20
    • Caution threshold: 100
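
To judge whether the web filter violations thresholds above suit your network before relying on the alert, you can replay a block log against them. The following is an added example, not Smoothwall code: the log records, user names and categories are constructed, and the sliding 15-minute window and "greater than or equal" comparison are assumptions about how the counts are evaluated.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # period stated in the alert description
WARNING, CAUTION = 20, 100       # default thresholds listed above

def replay(events, warning=WARNING, caution=CAUTION, window=WINDOW,
           exclude_categories=("adverts",)):
    """Return {user: (alert wording or None, peak blocks in any window)}.

    events: (timestamp, user, category) tuples for blocked requests,
    sorted by timestamp. Sliding window and >= are assumptions.
    """
    recent = defaultdict(deque)  # user -> block timestamps still in window
    peak = defaultdict(int)
    for ts, user, category in events:
        if category in exclude_categories:   # mirrors "Exclude adverts"
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] >= window:           # expire blocks older than window
            q.popleft()
        peak[user] = max(peak[user], len(q))
    result = {}
    for user, n in peak.items():
        level = "Caution" if n >= caution else "Warning" if n >= warning else None
        result[user] = (level, n)
    return result

def sample_events():
    """Constructed sample data, not real appliance output."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    ev = []
    # Update client retrying a blocked URL every 5 s for 10 minutes.
    ev += [(t0 + timedelta(seconds=5 * i), "kiosk-07", "software-updates")
           for i in range(120)]
    # 30 blocked requests within 5 minutes.
    ev += [(t0 + timedelta(seconds=10 * i), "bob", "games") for i in range(30)]
    # 25 blocked pages spread over two hours: never 20 inside one window.
    ev += [(t0 + timedelta(minutes=5 * i), "alice", "social") for i in range(25)]
    # Advert blocks, dropped when "Exclude adverts" is in effect.
    ev += [(t0 + timedelta(seconds=i), "carol", "adverts") for i in range(300)]
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    for user, (level, n) in sorted(replay(sample_events()).items()):
        print(f"{user:10} peak={n:3} level={level}")
```

Users who reach a threshold only because of an automated client, such as the constructed kiosk entry, are the ones the description suggests looking for.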