Submit a ticketCall us

Looking to compare latest NPM features with previous versions of NPM?
The NPM new feature summary offers a comparison of new features and improvements offered with this release.

 

Home > Success Center > Log & Event Manager (LEM) > PortScans rule is firing excessively and sending too many email alerts

PortScans rule is firing excessively and sending too many email alerts

Created by Jason Dee, last modified by MindTouch on Jun 23, 2016

Views: 14 Votes: 0 Revisions: 4

Overview

This article addresses large amounts of PortScan alerts received after a LEM upgrade or connector upgrade.

Environment

  • All LEM versions
  • Cisco firewall

Cause 

Your LEM is now normalizing TCP Buildup and Teardown events. Most likely, your Cisco firewall is sending over TCP Buildup and Teardown events to LEM that it was not normalizing on your previous version. This can be confirmed by searching for recent TCPTrafficAudit events under nDepth and looking at the EventInfo field for Buildup and Teardown events.

Resolution

These events are numerous and not useful in most environments. The recommended solution is to change the logging level of those events such that they are not being sent over syslog to LEM. Refer to the following article for more information: Enable LEM to Track Cisco Firewall NAT Buildup and Teardown Events.

 

 

Last modified
20:18, 22 Jun 2016

Tags

Classifications

Public