Configuring an Alert Action for Imperva SecureSphere

Configure your Imperva SecureSphere appliance to forward syslog events for firewall policy alerts to JSA.

Use the following list to define a message string in the Message field for each event type you want to forward:

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters. Paste as a single line in the Custom Format column.

  • Database alerts (v9.5 and v10 to v13)--

  • File server alerts (v9.5 and v10 to v13)--

  • Web application firewall alerts (v9.5 and v10 to v13)--

  • All alerts (v6.2 and v7 to v13 Release Enterprise Edition)--

Note:

The devTimeFormat parameter does not include a value because you can configure the time format on the SecureSphere appliance. Review the time format of your SecureSphere appliance and specify the appropriate time format.
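A pre-paste check for the two notes above, as an added example (not Juniper or Imperva code): it joins a copied message format into one line and flags a devTimeFormat parameter that was left without a value. The field delimiters and the sample string are assumptions made for illustration; the sample is constructed and is not an Imperva format string.

```python
import re

# Assumption: fields end at '|', tab, space or end of string; adjust as needed.
EMPTY_TIME_FORMAT = re.compile(r"devTimeFormat=(?=[|\t ]|$)")


def flatten_message_format(pasted: str) -> str:
    """Drop every carriage return and line feed so the format is one line."""
    return pasted.replace("\r", "").replace("\n", "")


def check_message_format(pasted: str) -> tuple[str, list[str]]:
    """Return the single-line format plus problems to fix before saving it."""
    line = flatten_message_format(pasted)
    problems = []
    # Other break characters (form feed, U+2028, ...) can survive a copy/paste.
    if len(line.splitlines()) > 1:
        problems.append("line-break characters other than CR/LF remain")
    if "devTimeFormat" not in line:
        problems.append("devTimeFormat parameter is missing")
    elif EMPTY_TIME_FORMAT.search(line):
        problems.append("devTimeFormat has no value; set the appliance's time format")
    return line, problems


# Constructed sample, not an Imperva format string: placeholder fields that
# wrapped across lines when copied from a page.
SAMPLE = "fieldA=valueA|devTimeFormat=|dev\r\nTime=valueB|\nfieldC=valueC"

if __name__ == "__main__":
    line, problems = check_message_format(SAMPLE)
    print(line)
    for p in problems:
        print("WARN:", p)
```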

  1. Log in to SecureSphere by using administrative privileges.
  2. Click the Policies tab.
  3. Click the Action Sets tab.
  4. Generate events for each alert that the SecureSphere device generates:
    1. Click New to create a new action set for an alert.

    2. Move the action to the Selected Actions list.

    3. Expand the System Log action group.

    4. In the Action Name field, type a name for your alert action.

    5. From the Apply to event type list, select Any event type.

    6. In the Syslog host field, type the IP address of the JSA appliance to which you want to send events.

    7. In the Syslog log level list, select INFO.

    8. In the Message field, define a message string for your event type.

    9. In the Facility field, type syslog.

    10. Select the Run on Every Event check box.

    11. Click Save.

  5. To trigger syslog events, associate each of your firewall policies to an alert action:
    1. From the navigation menu, click Policies > Security > Firewall Policy.

    2. Select the policy that you want to use for the alert action.

    3. Click the Policy tab.

    4. From the Followed Action list, select your new action and configure the parameters.

      Tip:

      Configure established connections as either blocked, inbound, or outbound. Always allow applicable service ports.

    5. Ensure that your policy is configured as enabled and is applied to the appropriate server groups.

    6. Click Save.