Reports

The reports page is used to set which reports are automatically generated and delivered to each different monitor group that has been configured. It is also possible to set the generation and distribution frequency for each group on this page.

Configuring automated reporting for a group

To configure automatic reporting for a particular group of monitor users, first select the group to be configured from the Group name drop-down menu and click the Select button. Next, select the generation and distribution frequency from the Report frequency drop-down menu and optionally enter a helpful message describing the reporting group into the Comment text field.

A list of available reports is displayed immediately beneath the Automated report generation region. Each report contains a description of its content and an Include tick-box. Some reports provide additional controls to customise the report content, found to the left of the Include tick-box. To set a particular report to be distributed to the currently selected monitor group, select its Include tick-box and choose any optional configuration options where applicable. Click the Save button to store the selected configuration choices.

Immediately generating and distributing reports

Reports can be immediately generated and distributed to a particular monitor group by selecting the group from the Group name drop-down menu and clicking the Save and Generate reports button.

Note - It is possible to make configuration changes prior to clicking the Save and Generate reports button. All changes will be stored in addition to immediate generation and delivery of the reports to the selected group's members.

Alerts

The alerts page is used to determine which alerts are sent to which groups of users and in what format. Alerts are short messages that can be sent via email and SMS for a wide range of system events. Each alert has its own unique ID which can also be queried from this page.

Configuring automated alerting for a group

To configure alerts to be sent to a particular group of monitor users, first select the group to be configured from the Group name drop-down menu and click the Select button. Next, select whether you wish to enable instantaneous alerting using the Enable instantaneous alerts tick-box control. This feature allows certain alerts deemed to be more critical (those that are subject to "Constant Monitoring" in their alert description) to be sent instantly, instead of waiting for the usual alert schedule.

A list of available alerts is displayed immediately beneath the Alert options region. Each alert contains a description of its content and information about how often the alert is checked and sent. Two tick-box controls, SMS and Email, are provided for each alert; they set the alert's delivery medium for the currently selected group. To set a particular alert to be distributed in either format, select the appropriate tick-box controls as necessary. Click the Save button to store the selected configuration choices.

Looking up an alert by its reference

To view the content of an alert that has already been sent, enter the alert's unique ID into the Alert ID field and click the Show button. The content of the alert will be displayed on a new page.

Groups

The groups page is used to create groups of monitor users that can be configured (at a group level) to receive automated alerts and reports.

Creating a group profile

To create a group profile, first choose an empty profile using the Group name drop-down menu and click the Select button. Enter a name for the profile into the Name text-field and click the Save button. Users can now be added and removed from this named group profile, and the profile itself can be referred to on other configuration pages to configure automatic delivery of alerts and reports.

Deleting a group profile

To delete a group profile, choose the profile to be deleted from the Group name drop-down menu and click the Delete button.

Adding a user to a group profile

To add a new user to a particular group profile, first choose the appropriate profile using the Group name drop-down menu and click the Select button. To add a user, enter appropriate values into the following configuration controls:

  • Name - Used to set the user's name.
  • Email address - Used to set the user's email address, if the user has an email address.
  • SMS number - Used to set the SMS number of the user's mobile phone or pager device, if the user has an SMS number. The format of this number must match the number formatting specified by the Email to SMS Gateway in use.
  • Enable HTML Email - Used to format any emails sent to this user in a tidier HTML format. If this option is not selected, all emails will be sent in plain text format. Ensure that the user's email client can interpret the selected format.
  • Comment - A text-field used to assign a helpful message describing the monitor user.
  • Enabled - Determines whether the monitor user is an active member of the monitor group.

Click the Add button to add the user to the selected group profile.

Removing a user from a group profile

To remove one or more users from a particular group profile, first choose the appropriate profile using the Group name drop-down menu and click the Select button. Locate each user within the Current users region and select their adjacent Mark tick-box controls. Click the Remove button.

Editing a user in a group profile

To edit a particular user in a group profile, first choose the appropriate profile using the Group name drop-down menu and click the Select button. Locate the user within the Current users list and select its adjacent Mark tick-box. Click the Edit button to populate the configuration controls in the Add a user region with the user's current configuration values. Alter the values as necessary, and click the Add button.

Note - Failure to click the Add button will result in the loss of the user's details.

Alert Settings

The alert settings page is used to enable the alert system and customise those alerts with configurable thresholds and trigger criteria.

Enabling the alerts system

To enable the alerts system, select the Enabled tick-box in the Alerts region and click the Save button at the bottom of the page.

Traffic Statistics Monitor

These alerts are intended to assist in the monitoring and administration of "capped" connections. They are triggered whenever the traffic flow for the external interface exceeds certain thresholds. This alert can be used in two distinct modes of operation, monitoring current bandwidth utilisation and monitoring data transfers. The following controls can be used to customise this alert:

  • Incoming bandwidth - Used to set the trigger level (in Kbps) of incoming traffic that when exceeded generates an alert. Alerts are triggered when a specified rate (in KBps) is currently being exceeded.
  • Outgoing bandwidth - Used to set the trigger level (in Kbps) of outgoing traffic that when exceeded generates an alert. Alerts are triggered when a specified rate (in KBps) is currently being exceeded.
  • Previous time period - Used to set the time period over which the following statistics are accrued.
  • Incoming Traffic Exceeds - Used to set the trigger level of incoming traffic that when exceeded generates an alert. Alerts are triggered when the total inbound traffic exceeds a specified quantity (in KBytes) for the chosen time period.
  • Outgoing Traffic Exceeds - Used to set the trigger level of outgoing traffic that when exceeded generates an alert. Alerts are triggered when the total outbound traffic exceeds a specified quantity (in KBytes) for the chosen time period.
  • Total Traffic Exceeds - Used to set a combined trigger level of incoming and outgoing traffic that when exceeded generates an alert. Alerts are triggered when the combined incoming and outgoing (total) traffic exceeds a specified quantity (in KBytes) for the chosen time period.

Click the Save button to record any configuration changes made to this alert.

SmoothTunnel VPN Certificate Monitor Settings

This alert is available if the SmoothTunnel module is installed. It validates SmoothTunnel VPN certificates and issues warnings about impending expiration dates. The following controls can be used to customise this alert:

  • Notification of expired certificates - Used to enable certificate expiration warnings.
  • Number of days left (Warning) - Used to set the number of days before certificate expiration that generates a warning alert.
  • Number of days left (Critical) - Used to set the number of days before certificate expiration that generates a critical alert.

Click the Save button to record any configuration changes made to this alert.

SmoothRule Violations Settings

This alert is available if the SmoothRule module is installed. It monitors SmoothRule activity and generates warnings about suspicious behaviour.

SmoothRule can be configured to monitor external connections, that is, connections made from the local network(s) to addresses beyond the external interface.

The following controls can be used to alert when outbound access to a specified list of destination ports is attempted:

  • Monitor ports for accesses - Enables port monitoring of ports listed in the Destination Port list.
  • Warning threshold - Used to set the number of attempted accesses to each banned port that, once exceeded, triggers an alert.
  • Destination port list - Used to specify the list of banned ports that are monitored.

The following controls can be used to alert when frequent outbound access is made to one or more SmoothRule-banned IP addresses:

  • Monitor destination IP addresses - Enables port monitoring on SmoothRule-banned destination IP addresses.
  • Warning threshold - Used to set the number of attempted accesses to each SmoothRule-banned IP address that, once exceeded, triggers a warning alert.
  • Incident threshold - Used to set the number of attempted accesses to each SmoothRule-banned IP address that, once exceeded, triggers an incident alert.

The following controls can be used to alert when frequent outbound access is made to one or more SmoothRule-banned ports:

  • Monitor destination ports - Enables port monitoring on SmoothRule-banned destination ports.
  • Warning threshold - Used to set the number of attempted accesses to each SmoothRule-banned port that, once exceeded, triggers a warning alert.
  • Incident threshold - Used to set the number of attempted accesses to each SmoothRule-banned port that, once exceeded, triggers an incident alert.

Click the Save button to record any configuration changes made to this alert.

System Resource Monitor Settings

These alerts are triggered whenever the system resources exceed some predefined limitations. The following controls can be used to customise this alert:

  • System load average warning level - Used to set the average level of system load (between 1.0 and 5.0) that triggers a warning alert.
  • Disk usage (%) warning level - Used to set the proportion of used disk space (between 50 and 95%) that triggers a warning alert.
  • System memory (%) warning level - Used to set the proportion of system memory usage (between 50 and 95%) that triggers a warning alert.

Click the Save button to record any configuration changes made to this alert.

Note - A variety of techniques are used to increase system performance and these often use larger amounts of memory than may be expected. Values above 80% are reasonably common on a system that has been running for some time. However, prolonged periods of high memory use may indicate the cause of sluggish performance.

Firewall Notifications Settings

This alert monitors firewall activity and generates warnings based on suspicious activities to or from certain IP addresses involving particular ports.

The following controls can be used to monitor source (remote) IP addresses:

  • Monitor Source (remote) IP Addresses - Used to enable alerts for frequent firewall hits from the same remote IP addresses.
  • Warning threshold - The quantity of firewall hits from a particular remote IP address that triggers a warning alert.
  • Incident threshold - The quantity of firewall hits from a particular remote IP address that triggers an incident alert.
  • Ignore - A list of remote source IP addresses that are ignored by the alert system.

The following controls can be used to monitor source (remote) ports:

  • Monitor Source (remote) Ports - Used to enable alerts for frequent firewall hits from the same remote ports.
  • Warning threshold - The quantity of firewall hits from a particular remote port that triggers a warning alert.
  • Incident threshold - The quantity of firewall hits from a particular remote port that triggers an incident alert.
  • Ignore - A list of remote source ports that are ignored by the alert system.

The following controls can be used to monitor destination (local) IP addresses:

  • Monitor Destination (local) IP Addresses - Used to enable alerts for frequent firewall hits to the same internal IP addresses.
  • Warning threshold - The quantity of firewall hits to a particular local IP address that triggers a warning alert.
  • Incident threshold - The quantity of firewall hits to a particular local IP address that triggers an incident alert.
  • Ignore - A list of local destination IP addresses that are ignored by the alert system.

The following controls can be used to monitor destination (local) ports:

  • Monitor Destination (local) Ports - Used to enable alerts for frequent firewall hits to the same internal host's ports.
  • Warning threshold - The quantity of firewall hits to a particular local port that triggers a warning alert.
  • Incident threshold - The quantity of firewall hits to a particular local port that triggers an incident alert.
  • Ignore - A list of local destination ports that are ignored by the alert system.

Click the Save button to record any configuration changes made to this alert.
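
The following sketch is an added example, not SmoothMonitor's own code. It models how the four groups of controls above combine, assuming that each Ignore list applies only to its own dimension and that a count reaching a threshold triggers the alert; the key names, sample hits and settings are constructed for illustration.

```python
from collections import Counter

# Key names are this example's own; they mirror the four groups of controls.
DIMENSIONS = ("src_ip", "src_port", "dst_ip", "dst_port")


def evaluate(hits, settings):
    """Return (dimension, value, level, count) alerts for one batch of hits."""
    alerts = []
    for dim in DIMENSIONS:
        cfg = settings.get(dim)
        if not cfg or not cfg["enabled"]:
            continue  # the "Monitor ..." tick-box for this dimension is off
        counts = Counter(h[dim] for h in hits if h[dim] not in cfg["ignore"])
        for value, n in counts.items():
            # Assumption: a count that reaches the threshold triggers the alert,
            # and the incident level takes precedence over the warning level.
            if n >= cfg["incident"]:
                alerts.append((dim, value, "incident", n))
            elif n >= cfg["warning"]:
                alerts.append((dim, value, "warning", n))
    return sorted(alerts, key=lambda a: (a[0], str(a[1])))


def sample_hits():
    """Constructed firewall hits (documentation address ranges, not real traffic)."""
    def hit(src, sport, dst, dport):
        return {"src_ip": src, "src_port": sport, "dst_ip": dst, "dst_port": dport}
    hits = [hit("198.51.100.7", 40000 + i, "10.0.0.5", 22) for i in range(12)]
    hits += [hit("203.0.113.9", 50000 + i, "10.0.0.5", 445) for i in range(5)]
    hits += [hit("192.0.2.1", 60000 + i, "10.0.0.8", 80) for i in range(20)]
    return hits


# Constructed settings: one entry per group of controls described above.
SETTINGS = {
    "src_ip": {"enabled": True, "warning": 5, "incident": 10, "ignore": {"192.0.2.1"}},
    "src_port": {"enabled": False, "warning": 5, "incident": 10, "ignore": set()},
    "dst_ip": {"enabled": True, "warning": 15, "incident": 30, "ignore": set()},
    "dst_port": {"enabled": True, "warning": 10, "incident": 50, "ignore": {80}},
}

if __name__ == "__main__":
    for alert in evaluate(sample_hits(), SETTINGS):
        print(alert)
```

Under these assumptions the ignored source address raises no source alert, but its hits still count towards the destination address it reached, which is worth remembering when choosing Ignore entries.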

Intrusion Detection System Monitor Settings

These alerts are triggered by violations and notices generated by the IDS regarding suspicious network activity. The following controls can be used to customise this alert:

  • Priority - Used to determine the IDS notice priority level that, when equalled or exceeded, generates a warning alert.

Click the Save button to record any configuration changes made to this alert.

Output Settings

The output settings page is used to configure the Email to SMS Gateway and SMTP settings used for delivery of Monitor alerts and reports.

Configuring Email to SMS output

SmoothMonitor can generate SMS alerts by sending emails to an appropriately configured Email to SMS gateway. A wide variety of different gateways can be used, and each requires emails to be specified in a particular format. There are no standard rules, but usually the destination SMS number is placed in the email's subject line. Due to the unique nature of this facility, SmoothMonitor uses a system of placeholders so that email messages can be formatted to the requirements of any Email to SMS gateway service provider.

The following placeholder tags are provided for use in the Email to SMS Output System region:

  • %%ALERT%% - The content of the alert message.
  • %%SMS%% - The recipient SMS number.
  • %%EMAIL%% - The recipient's email address.
  • %%HOSTNAME%% - The hostname of the SmoothWall system (useful when operating multiple firewall systems).
  • %%DESCRIPTION%% - The description of the SmoothWall system (useful when using multiple firewall systems).
  • %%--%% - A special placeholder that indicates that all text following it should be truncated to 160 characters. This requires truncation to be enabled using the Truncate SMS messages to 160 characters tick-box control.

Placeholders can be used in any of the configuration fields in the Email to SMS Output System. When alerts are generated, the system will automatically substitute appropriate values in place of the placeholders.

To configure the Email to SMS Output System, enter appropriate values into the following configuration fields:

  • SMTP Server - Used to specify the hostname or IP address of the SMTP server that will send emails to the Email to SMS Gateway.
  • Sender's Email address - Used to specify a valid email address typically reserved for IT administration purposes. This might also be the email address that is registered with the Email to SMS service provider.
  • SMS to address - Used to specify the formatting of the email's to address according to the format required by the Email to SMS gateway service provider. This may be a regular email address, or it may require additional placeholders such as %%SMS%% to identify the destination of the SMS.
  • Truncate SMS messages to 160 characters - Used to enable SMS message truncation. For more information refer to the Understanding message truncation section below.
  • SMS subject line - Used to specify the formatting of the email's subject line according to the format required by the Email to SMS gateway service provider. This should often contain the %%SMS%% placeholder as many service providers use the subject line for this purpose.
  • SMS message body - Used to enter additional parameters and message text to the content of the alert message. If truncation is required from a particular point onwards, use the delimiting %%--%% placeholder to indicate the start position and ensure that Truncate SMS messages to 160 characters is enabled.

Click the Save button to record any configuration changes made to the above controls.

Understanding message truncation

Some Email to SMS gateways are incapable of processing large (> 160 characters) messages. To compensate for this it is possible to ask SmoothMonitor to truncate messages. A long message will be truncated after 155 characters of the message body, and the text ".. +" will be appended to the message to indicate that the message contents have been shortened. Please be aware that this behaviour only applies to those messages sent via the Email to SMS gateway and will only take place when such a message exceeds 155 characters in length.

If your Email to SMS gateway requires parameters (such as username, password, etc.) to be set within the message body and you wish to truncate messages to 160 characters, be aware that the character limit will include these parameters. To compensate for this, add the special delimiting placeholder %%--%% to your message body. This will cause the message body to be truncated 155 characters after the placeholder. The placeholder itself will be removed when the alert is generated.

Note 1 - In situations where truncation is enabled and the delimiter is not present, the message body will be truncated 155 characters from the start of the message body.

Note 2 - The delimiting placeholder %%--%% will only be removed if truncation is enabled.

To enable SMS message truncation, select the Truncate SMS messages to 160 characters tick-box control.
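
The placeholder substitution and truncation rules described above can be modelled as follows. This is an added example, not SmoothMonitor's own code: the function names, sample values and gateway parameter syntax are hypothetical, and the newline handling in header fields is a precaution added by the example.

```python
import re

DELIMITER = "%%--%%"
LIMIT = 155       # characters kept when a message is shortened
MARKER = ".. +"   # appended to show the message was shortened
_TAG = re.compile(r"%%(ALERT|SMS|EMAIL|HOSTNAME|DESCRIPTION)%%")

# Constructed sample values; the gateway parameter syntax in BODY is hypothetical.
SAMPLE = {
    "ALERT": "Firewall hits from one remote address passed the incident threshold. " * 4,
    "SMS": "15550100",
    "EMAIL": "oncall@example.com",
    "HOSTNAME": "fw1",
    "DESCRIPTION": "Branch office firewall",
}
BODY = "user=demo&key=PLACEHOLDER&text=%%--%%[%%HOSTNAME%%] %%ALERT%%"


def substitute(template, values):
    """Replace placeholder tags in a single pass; substituted text is not rescanned."""
    return _TAG.sub(lambda m: values.get(m.group(1), ""), template)


def render_header(template, values):
    """Render the 'SMS to address' or 'SMS subject line' field.

    Precaution added by this example: CR/LF runs become a space so that
    substituted text cannot begin a new header line.
    """
    return re.sub(r"[\r\n]+", " ", substitute(template, values))


def render_body(template, values, truncate):
    """Render the 'SMS message body' field and apply the truncation rules."""
    if not truncate:
        # Note 2: the delimiter is only removed when truncation is enabled.
        return substitute(template, values)
    # Split before substituting, so a "%%--%%" inside the alert text itself
    # cannot move the truncation point (a choice made by this example).
    prefix, found, tail = template.partition(DELIMITER)
    if not found:
        # Note 1: no delimiter, so count from the start of the message body.
        prefix, tail = "", template
    prefix, tail = substitute(prefix, values), substitute(tail, values)
    if len(tail) > LIMIT:
        tail = tail[:LIMIT] + MARKER
    return prefix + tail


if __name__ == "__main__":
    print(render_header("%%SMS%%@sms.example.net", SAMPLE))
    print(render_body(BODY, SAMPLE, truncate=True))
```

With the delimiter in place, the gateway parameters before it are preserved in full and only the text after it is cut to 155 characters plus the ".. +" marker.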

Configuring SMTP email output

To automatically distribute reports and alerts using email, an SMTP server must be specified. Enter the IP address of the SMTP Server in the SMTP Server text field and an email address that the email will originate from in the Sender's Email address text field. Click the Save button to record the configuration changes.

Testing the settings

The output settings can be tested by using a special alert:

  • Output System Test Messages

This alert can be assigned for delivery via SMS and email using the Monitor | Alerts configuration page. Assign the alert to a particular group of users and click the Generate Test button. If the output settings have been configured correctly and the Email to SMS gateway and SMTP mail server are working, test messages should be delivered via SMS and email (if the test alert was set to be delivered using both mediums).