This article addresses the large number of PortScan alerts received after a LEM upgrade or connector upgrade.
Your LEM is now normalizing TCP Buildup and Teardown events. Most likely, your Cisco firewall is sending TCP Buildup and Teardown events to LEM that the previous version did not normalize. To confirm this, search for recent TCPTrafficAudit events under nDepth and check the EventInfo field for Buildup and Teardown events.
These events are numerous and not useful in most environments. The recommended solution is to change the logging level of those events so that they are no longer sent over syslog to LEM. Refer to the following article for more information: Enable LEM to Track Cisco Firewall NAT Buildup and Teardown Events.
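To size the problem from the raw syslog side before changing the logging level, the following added example (not SolarWinds or Cisco code) tallies how much of a firewall's syslog stream consists of TCP Buildup and Teardown messages and at which severity they arrive. It assumes a Cisco ASA, where these are message IDs 302013 and 302014; the sample lines are constructed.

```python
import re
from collections import Counter

# Assumption: the firewall is a Cisco ASA, where 302013 is "Built ... TCP connection"
# and 302014 is "Teardown TCP connection". Other Cisco platforms use other IDs.
TCP_CONN_IDS = {"302013": "Buildup", "302014": "Teardown"}
ASA_TAG = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):")

# Constructed sample lines using documentation address ranges, not real captures.
SAMPLE = """\
Mar 03 10:15:01 fw01 %ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.0.2.10/51514 (203.0.113.5/51514)
Mar 03 10:15:02 fw01 %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/443 to inside:192.0.2.10/51514 duration 0:00:01 bytes 4312 TCP FINs
Mar 03 10:15:03 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:192.0.2.10/22 by access-group "outside_in" [0x0, 0x0]
Mar 03 10:15:04 fw01 %ASA-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.8/80 (198.51.100.8/80) to inside:192.0.2.11/51600 (203.0.113.5/51600)
Mar 03 10:15:05 fw01 %ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.8/80 to inside:192.0.2.11/51600 duration 0:00:01 bytes 812 TCP FINs
Mar 03 10:15:06 fw01 %ASA-5-111008: User 'admin' executed the 'write memory' command.
Mar 03 10:15:07 sw02 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
"""

def summarize(lines):
    """Count ASA messages per (id, severity) and the share that is TCP Buildup/Teardown."""
    by_id = Counter()
    for line in lines:
        m = ASA_TAG.search(line)
        if m:  # lines without an %ASA tag are ignored
            by_id[(m["id"], m["sev"])] += 1
    total = sum(by_id.values())
    conn = sum(n for (mid, _), n in by_id.items() if mid in TCP_CONN_IDS)
    # Severities at which the connection events arrive: this is the level to filter.
    sevs = sorted({sev for (mid, sev) in by_id if mid in TCP_CONN_IDS})
    return {
        "total": total,
        "tcp_conn_events": conn,
        "share": conn / total if total else 0.0,
        "conn_severities": sevs,
        "by_id": by_id,
    }

if __name__ == "__main__":
    r = summarize(SAMPLE.splitlines())
    print(f"ASA messages: {r['total']}, TCP Buildup/Teardown: {r['tcp_conn_events']} "
          f"({r['share']:.0%}), severities: {r['conn_severities']}")
    for (mid, sev), n in r["by_id"].most_common():
        print(f"  {mid} (severity {sev}) {TCP_CONN_IDS.get(mid, '')}: {n}")
```

Run against a real capture by passing the lines of the syslog file to `summarize` instead of `SAMPLE`.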