RSA Admin

NIC011 - Login Failure followed by Successful login on Firewall Devices ???

Discussion created by RSA Admin Employee on Oct 2, 2008
Latest reply on Oct 7, 2008 by RSA Admin
Hi everyone.  I need help with the NIC011 alert.  I attempted to use the NIC011 template to create the same alert with only Checkpoint FW.  But the value masks in NIC011 appear to be wrong for Checkpoint.  The CheckPoint value for Firewall Failure in the template is 080080.  When I look this up in Manage Messages it shows 080080 as a system.failure message.  The value masks in the template for Firewall_Success are 020011 and 020010.  Again, when I look in Manage Messages these two values are in the event category Auth.Failures.User Errors.  How can the circuit Firewall_Success use messages that are in the category Auth.Failures.User Errors?  So, I created my own alert using the messages in the categories Network.Connections.Successful and Network.Denied.Connections.  Now, I am getting all kinds of false positives and when I actually have someone purposefully fail a login and then successfully log in, it doesn't work.  Bottom line, I am confused.  The theory seems simple but I can't execute it.  Any help is GREATLY appreciated.  Thanks!
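
The correlation described in the post above (a failed login followed by a successful one), written out as an added Python example; it is not enVision rule syntax and not part of the original post. It keys on device and user, counts only authentication categories and skips connection categories; the `Auth.Successful` category name, the field layout and all sample events are constructed assumptions.

```python
from collections import defaultdict, deque

# "Auth.Failures" and the two Network.* names appear in the post;
# "Auth.Successful" is an assumed name for the matching success category.
AUTH_FAIL_PREFIX = "Auth.Failures"
AUTH_OK_PREFIX = "Auth.Successful"


def failure_then_success(events, window=300, min_failures=1):
    """Return (device, user, failure_count, success_ts) for each success
    preceded by at least min_failures failures within `window` seconds.

    events: iterable of (ts_seconds, device, user, category), in any order.
    """
    recent = defaultdict(deque)  # (device, user) -> timestamps of open failures
    alerts = []
    for ts, device, user, category in sorted(events):
        key = (device, user)
        if category.startswith(AUTH_FAIL_PREFIX):
            recent[key].append(ts)
        elif category.startswith(AUTH_OK_PREFIX):
            fails = recent[key]
            # Drop failures that are too old to belong to this login attempt.
            while fails and ts - fails[0] > window:
                fails.popleft()
            if len(fails) >= min_failures:
                alerts.append((device, user, len(fails), ts))
            fails.clear()  # a success closes the sequence for this user
        # Any other category (e.g. Network.*) is not a login event: skipped.
    return alerts


# Constructed sample events, not real firewall logs.
SAMPLE = [
    (100, "fw1", "alice", "Auth.Failures.User Errors"),
    (130, "fw1", "alice", "Auth.Failures.User Errors"),
    (160, "fw1", "alice", "Auth.Successful"),
    (200, "fw1", "bob", "Network.Denied.Connections"),
    (210, "fw1", "bob", "Network.Connections.Successful"),
    (300, "fw1", "carol", "Auth.Failures.User Errors"),
    (900, "fw1", "carol", "Auth.Successful"),   # failure is outside the window
    (950, "fw2", "dave", "Auth.Successful"),    # no prior failure
]

if __name__ == "__main__":
    for alert in failure_then_success(SAMPLE):
        print(alert)
```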
