RSA Admin

How to create a Correlation rules to detect cluster switching for Firewall and IDS devices

Discussion created by RSA Admin Employee on Oct 20, 2009

Hello everybody,


I've some cluster:

- Checkpoint Cluster (Active/Passive)

- Juniper Netscreen Firewall (Active/Passive)

- Juniper IDS (Active/Passive)


I would like to detect when a device change from Active to Passive mode.


But I've no idea on how I can make a such correlation rule.


Have some tips, existing rules or explanation to help me?


Thanks in advance