Configuring Alerting in ISA Server 2004
By Greg Mulholland
ISA Server alerts are a wonderful tool. How easy it is to be working away, checking joke emails from friends you never talk to anymore, not knowing that your firewall is under attack. Well, not that I am advocating getting wound up in joke emails, but ISA Server firewalls make use of their own monitoring and alert features which can recognize when intrusions or attacks are taking place. The nicest part about this feature is the ability of the ISA firewall to respond to these types of attacks.
Monitoring alerts can be of critical benefit to your organization or network; swift recognition and action are needed to keep problems from escalating.
In ISA 2004, the Monitoring node has a few little features that should be used. The Dashboard is a snapshot of all the monitoring features running. The Connectivity and Reports tabs can be used to great effect, and we won’t ever underestimate the importance or value of logging, will we?
For the purposes of this document we will focus on the Alerts tab. You will notice on the right-hand side that we can configure "alert definitions". As an example, I have chosen to define what action should be taken in the case of IP spoofing. There are a few options. First, as I have demonstrated, I use ISA 2004 to send an alert email to the firewall administrator, in this case me. All you need to do is specify the SMTP server.
I also created a mailbox for email@example.com so it looks nice and pretty in my inbox. I recommend testing to see that your alerts will actually be delivered to the intended recipient; to do this, hit the Test button. As you can see from the little Outlook alert in the lower right corner of the screen, mine has worked fine. One further step is to create a firewall rule that allows the Local Host network to send SMTP mail (TCP port 25) to your mail server.
As you can see, there are a few other choices: running specified programs, reporting to the Event Logs, and stopping and starting specified services. You will need to determine what sort of action you will perform for each task. Some occur more frequently than others and require special attention.
Author: Greg Mulholland
Published: March 2004