19.4  Alerts

WinRoute can automatically send messages informing the administrator about important events. This makes WinRoute administration more comfortable, since it is not necessary to connect to the firewall via the Administration Console too frequently to view all status information and logs (however, it is still worth doing this occasionally).

WinRoute generates an alert message whenever it detects an event for which an alert is preset. All alert messages are recorded in the Alert log (see chapter 22.3 Alert Log). The WinRoute administrator can specify which alerts will be sent to whom, as well as the format of the alerts. Sent alerts can be viewed in Status → Alerts.

Note: SMTP relay must be set in WinRoute (see chapter 18.3 Relay SMTP server), otherwise alerting will not work.

Alerts Settings

Alerts settings can be configured in the Alerts settings tab under Configuration → Accounting.

Figure 19.11. WinRoute Alerts


This tab provides a list of “rules” for sending alerts. Use the checkboxes to enable or disable individual rules.

Use the Add or the Edit button to (re)define an alert rule.

Figure 19.12. Alert Definitions


Alert

Type of the event upon which the alert will be sent:

  • Virus detected — the antivirus engine has detected a virus in a file transmitted by HTTP, FTP, SMTP or POP3 (refer to chapter 13 Antivirus control).

  • Portscan detected — WinRoute has detected a port scanning attack (either an attack passing through or an attack addressed to the WinRoute host).

  • Host connection limit reached — a host in the local network has reached the connection limit (see chapter 17.2 Special Security Settings). This may indicate deployment of an undesirable network application (e.g. a Trojan horse or spyware) on the corresponding host.

  • Low free disk space warning — this alert warns the administrator that free disk space on the WinRoute host is low (under 11 per cent of the total disk capacity).

    WinRoute needs enough disk space for saving logs, statistics, configuration settings, temporary files (e.g. an installation archive of a new version or a file which is currently being scanned by an antivirus engine) and other information. Whenever the WinRoute administrator receives such an alert message, adequate actions should be performed immediately.

  • New version available — a new version of WinRoute has been detected at the server of Kerio Technologies during an update check. The administrator can download this version from the server or from http://www.kerio.com/ and install it using the Administration Console (see chapter 16.3 Update Checking).

  • User transfer quota exceeded — a user has reached the daily, weekly or monthly user transfer quota and WinRoute has responded by taking an appropriate action. For details, see chapter 15.1 Viewing and definitions of user accounts.

  • Connection failover event — the Internet connection has failed and the system was switched to a secondary line, or vice versa (it was switched back to the primary line). For details, refer to chapter 6.3 Connection Failover.

  • License expiration — the expiration date for the corresponding WinRoute license/subscription (or the license of any module integrated in WinRoute, such as Kerio Web Filter, the McAfee antivirus, etc.) is approaching. The WinRoute administrator should check the expiration dates and renew the corresponding license or subscription (for details, refer to chapter 4 Product Registration and Licensing).

  • Dial / Hang-up of RAS line — WinRoute is dialing or hanging up a RAS line (see chapter 5 Network interfaces). The alert message provides detailed information on this event: line name, reason for dialing, username and IP address of the host from which the request was sent.

Action

How the user will be informed:

  • Send email — information will be sent by an email message,

  • Send SMS (shortened email) — short text message will be sent to the user's cell phone.

    Note: SMS messages are also sent as email. The user of the corresponding cell phone must use an appropriate email address (e.g. number@provider.com). Sending SMS to telephone numbers (for example via GSM gateways connected to the WinRoute host) is not supported.

To

Email address of the recipient or of his/her cell phone (related to the Action settings).

Recipients can be selected from the list of users (email addresses) used for other alerts or new email addresses can be added by hand.

Valid at time interval

Select a time interval in which the alert will be sent. Click Edit to edit the interval or to create a new one (details in chapter 14.2 Time Ranges).

Alert Templates

Formats of alert messages (email and/or SMS) are defined by templates. Individual formats can be viewed in the Status → Alerts section of the Administration Console. Templates are predefined messages which include certain information (e.g. username, IP address, number of connections, virus information, etc.) defined through specific variables. WinRoute automatically replaces the variables with the corresponding values. The WinRoute administrator can customize these templates.

Templates are stored in the templates subdirectory of the installation directory of WinRoute (the typical path is C:\Program Files\Kerio\WinRoute Firewall\templates):

  • the console subdirectory — messages displayed in the top section of Status → Alerts (overview),

  • the console\details subdirectory — messages displayed at the bottom section of Status → Alerts (details),

  • the email subdirectory — messages sent by email (each template contains a message in the plain text and HTML formats),

  • the sms subdirectory — SMS messages sent to a cell phone.

In the Administration Console, alerts are displayed in the language currently set as preferred (see Kerio Administration Console — Help). If alert templates in that language are not available, the English version is used instead. Email and SMS alerts are always in English.

Note: In the current WinRoute version, alerts are available only in English and Czech.
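
Since the administrator can edit these template files, it is useful to record their state before customizing them and to check later for changes that were not intended. The PowerShell script below is an added example, not part of WinRoute or its documentation; it assumes the typical installation path given above, and the manifest location C:\Admin\winroute-templates.csv is hypothetical.

```powershell
# Added example: baseline and verify the WinRoute alert templates.
# Assumptions: typical install path from the text; manifest path is hypothetical.
param(
    [string]$TemplateRoot = 'C:\Program Files\Kerio\WinRoute Firewall\templates',
    [string]$Manifest     = 'C:\Admin\winroute-templates.csv',
    [switch]$Baseline
)

# Subdirectories the manual lists under the templates directory.
$expected = 'console', 'console\details', 'email', 'sms'
foreach ($dir in $expected) {
    if (-not (Test-Path -LiteralPath (Join-Path $TemplateRoot $dir) -PathType Container)) {
        Write-Warning "Missing template subdirectory: $dir"
    }
}

# Return one object per template file: path relative to the root plus SHA-256.
function Get-TemplateHashes([string]$Root) {
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName.Substring($rootFull.Length + 1)
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$current = @(Get-TemplateHashes $TemplateRoot)

if ($Baseline) {
    # Record the known-good state (after install or an intended edit).
    $current | Export-Csv -LiteralPath $Manifest -NoTypeInformation -Encoding UTF8
    Write-Output "Recorded $($current.Count) template files in $Manifest"
    return
}

# Compare the current files against the recorded manifest.
$known = @{}
Import-Csv -LiteralPath $Manifest | ForEach-Object { $known[$_.Path] = $_.SHA256 }

foreach ($file in $current) {
    if (-not $known.ContainsKey($file.Path)) {
        Write-Output "ADDED    $($file.Path)"
    } elseif ($known[$file.Path] -ne $file.SHA256) {
        Write-Output "CHANGED  $($file.Path)"
    }
    $known.Remove($file.Path)
}
foreach ($path in $known.Keys) { Write-Output "REMOVED  $path" }
```

Run the script once with -Baseline after installation or after an intended template edit; run it without the switch afterwards to list added, changed and removed template files.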

Alerts overview (in Administration Console)

An overview of all sent alerts (defined in Configuration → Accounting) can be found under Status → Alert Messages. The language set in the Administration Console is used (if a template in the corresponding language is not found, the alert is displayed in English).

An overview of all sent alerts (sorted by date and time) is provided in the top section of this window.

Figure 19.13. Overview of sent alerts


Each line provides information on one alert:

  • Date — date and time of the event,

  • Alert — event type,

  • Details — basic information on events (IP address, username, virus name, etc.).

Click an event to view detailed information on the item including a text description (defined by templates under console\details — see above) in the bottom section of the window.

Figure 19.14. Details of a selected event


Note: Details can be hidden or shown by clicking the Hide/Show details button (details are displayed by default).