Original Message:
Sent: 05-25-2022 01:53
From: Durai Sengunthar
Subject: Alerts not receiving
Thanks Jaired for posting,
Issue raised with support on this, and tried on the alert parts by unapplying the policy; also a recommendation was received that profile optimization is available because the Alerts tablespace is 87% for Profile. Request your help on this.
Alert tablespace by type - total
-------------------------------------------------------------------------------------------------------------
Profile 87%
------------------------------
Durai Sengunthar
IT Consultant
Mumbai MH
Original Message:
Sent: 05-24-2022 09:22
From: Jaired Anderson
Subject: Alerts not receiving
Hi, Durai.
I can point you in the right direction, but unfortunately, this topic is a bit more involved than something that can be answered over a forum. This is an area where our Professional Services team could resolve this quickly. https://www.imperva.com/support/services/
Regarding the alerts, your number one issue is with SSL Untraceable Connection (https://docs.imperva.com/bundle/on-premises-knowledgebase-reference-guide/page/ssl_untraceable_connection.htm) at over 1,022,805 events. This alert informs you that the GW cannot decrypt the traffic. This is bad, as it means all that traffic is passing uninspected. The most common cause for this error message is that you are missing the correct certificate/private key for the IP that is being monitored. The second most common reason is that the IP being monitored is using Diffie-Hellman ciphers, which requires the use of Transparent Reverse Proxy (https://docs.imperva.com/bundle/v13.6-administration-guide/page/7200.htm) mode to decrypt.
The last 4 alerts, Illegal Byte Code Character, Malformed HTTP Header Line, Illegal HTTP Version and Illegal Byte Code Character are likely occurring because you are monitoring non-HTTP compliant traffic. This could be something like a remote desktop session, an SSL VPN, or something along those lines. The stream and payloads do not conform to HTTP standards and will generate a lot of "noise" in the alerts.
By the way, these last 4 alerts combined are only responsible for 590,960 alerts in comparison to the 1,022,805 generated by Untraceable SSL Connections.
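To make the triage Jaired describes repeatable, here is an added example (not Imperva's code and not from the thread) that parses the "Alert occurrences per policy" rows from `impctl support server show --alert-info-days=1` as pasted above, aggregates them per alert name, and flags any alert above a share threshold with the tuning hint from the reply. The row layout (type, policy and alert text, DD-MON HH:MM, count), the sample rows, the 10% threshold and the hint mapping are assumptions; the rows are the constructed values from this thread.

```python
import re
from collections import defaultdict

# Constructed sample: the rows pasted in the thread, one flattened row per line.
SAMPLE_ROWS = """\
Firewall Network Protocol Violations Po SSL Untraceable Connection 22-MAY 18:33 1022805
Protocol HTTP/1.x Protocol Policy Illegal Byte Code Character in 22-MAY 18:33 290022
Protocol HTTP/1.x Protocol Policy Malformed HTTP Header Line 22-MAY 18:33 157888
Protocol HTTP/1.x Protocol Policy Illegal HTTP Version 22-MAY 18:33 107008
Protocol HTTP/1.x Protocol Policy Illegal Byte Code Character in 22-MAY 18:33 36042
"""

# Assumed row layout: alert type, free-text policy and alert name (truncated by the
# CLI), a DD-MON HH:MM "last seen" timestamp, then the occurrence count.
ROW_RE = re.compile(r"^(\S+)\s+(.+?)\s+(\d{2}-[A-Z]{3} \d{2}:\d{2})\s+(\d+)$")

# Hypothetical mapping of the noisy alert names to the tuning hint given in the reply.
TRIAGE_HINTS = {
    "SSL Untraceable Connection": "GW cannot decrypt: check cert/private key for the monitored IP; DH ciphers need TRP mode",
    "Illegal Byte Code Character": "likely non-HTTP traffic on a monitored port (RDP, SSL VPN, ...)",
    "Malformed HTTP Header Line": "likely non-HTTP traffic on a monitored port",
    "Illegal HTTP Version": "likely non-HTTP traffic on a monitored port",
}

def parse_rows(text):
    """Parse flattened impctl rows; unknown lines (separators, headers) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        kind, middle, seen, count = m.groups()
        # Normalise the truncated policy/alert text to a known alert name where possible.
        alert = next((a for a in TRIAGE_HINTS if a in middle), middle)
        rows.append({"type": kind, "alert": alert, "seen": seen, "count": int(count)})
    return rows

def triage(rows, share_threshold=0.10):
    """Sum counts per alert name; return (alert, count, share, hint) for alerts over the threshold."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["alert"]] += r["count"]
    grand = sum(totals.values())
    report = []
    for alert, n in sorted(totals.items(), key=lambda kv: -kv[1]):
        share = n / grand if grand else 0.0
        if share >= share_threshold:
            report.append((alert, n, round(share, 3), TRIAGE_HINTS.get(alert, "review policy")))
    return report

if __name__ == "__main__":
    for alert, n, share, hint in triage(parse_rows(SAMPLE_ROWS)):
        print(f"{alert}: {n} ({share:.1%}) -> {hint}")
```

Run against the real CLI output by piping it into `parse_rows`; the two "Illegal Byte Code Character in" rows are merged so the per-name share matches the 590,960 total Jaired quotes for the four HTTP alerts.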
Original Message:
Sent: 05-24-2022 07:17
From: Durai Sengunthar
Subject: Alerts not receiving
No changes made.
Actually I raised the same with the TAC team on this case, and the MX is bombarded with alerts/events. They are suggesting to tune your TOP policies so that they are not blasting the GWs and MX.
Could you please recommend how to review and tune the policies that are generating a huge amount of alerts?
impctl support server show --alert-info-days=1
-------------------------------------------------------------------------------------------------------------
Alert tablespace by type - total
-------------------------------------------------------------------------------------------------------------
Profile 87%
Protocol 10%
Signature 1%
Custom 1%
Firewall 1%
-------------------------------------------------------------------------------------------------------------
Alert occurrences per policy - up to last 1 day(s), 5 results
-------------------------------------------------------------------------------------------------------------
Firewall Network Protocol Violations Po SSL Untraceable Connection 22-MAY 18:33 1022805
Protocol HTTP/1.x Protocol Policy Illegal Byte Code Character in 22-MAY 18:33 290022
Protocol HTTP/1.x Protocol Policy Malformed HTTP Header Line 22-MAY 18:33 157888
Protocol HTTP/1.x Protocol Policy Illegal HTTP Version 22-MAY 18:33 107008
Protocol HTTP/1.x Protocol Policy Illegal Byte Code Character in 22-MAY 18:33 36042
------------------------------
Durai Sengunthar
IT Consultant
Mumbai MH
Original Message:
Sent: 05-23-2022 09:30
From: Sarah Lamont(csp)
Subject: Alerts not receiving
Hi Durai,
Thanks for posting. Would you be able to provide some more information that might help our members answer your query? Have you changed anything recently?
I also wonder if this community blog might be useful. Remember to log in in order to see it.
Let me know how you get on with this.
Thanks,
Sarah
------------------------------
Sarah Lamont(csp)
Digital Community Manager
Original Message:
Sent: 05-23-2022 07:15
From: Durai Sengunthar
Subject: Alerts not receiving
Hi Team,
Alerts are not being received on the MX console. Please suggest.
Current version: 13.6.0.76
#AllImperva
------------------------------
Durai Sengunthar
IT Consultant
Mumbai MH
------------------------------