
inet_alert

Description

Notifies an Internet Service Provider (ISP) when a company's corporate network is under attack. This command forwards log messages generated by the alert daemon on your Check Point Security Gateway to an external Management Station. This external Management Station is usually located at the ISP site. The ISP can then analyze the alert and react accordingly.

This command uses the Event Logging API (ELA) protocol to send the alerts. The Management Station receiving the alert must be running the ELA Proxy.

If communication with the ELA Proxy is to be authenticated or encrypted, a key exchange must be performed between the external Management Station running the ELA Proxy at the ISP site and the Check Point Security Gateway generating the alert.

Procedure

1. Connect with SmartConsole to the applicable Security Management Server or Domain Management Server, which manages the applicable Security Gateway that should forward log messages to an external Management Station.
2. From the top left Menu, click Global properties.
3. Click on the [+] near Log and Alert and click Alerts.
4. Clear the Send user defined alert no. 1 to SmartView Monitor option.
5. Select the Run UserDefined script option below it.
6. Enter the applicable inet_alert syntax (see the Syntax section below).
7. Click OK.
8. Install the Access Policy on the applicable Security Gateway.

Syntax

inet_alert -s <IP Address> [-o] [-a <Auth Type>] [-p <Port>] [-f <Token> <Value>] [-m <Alert Type>]

Parameters

-s <IP Address>
    The IPv4 address of the ELA Proxy (usually located at the ISP site).

-o
    Prints the alert log received to stdout.
    Use this option when inet_alert is part of a pipe syntax (<some command> | inet_alert ...).

-a <Auth Type>
    Specifies the type of connection to the ELA Proxy. One of these values:
      • ssl_opsec - The connection is authenticated and encrypted (this is the default).
      • auth_opsec - The connection is authenticated.
      • clear - The connection is neither authenticated, nor encrypted.

-p <Port>
    Specifies the port number on the ELA Proxy. Default port is 18187.

-f <Token> <Value>
    A field to be added to the log, represented by a <Token> <Value> pair as follows:
      • <Token> - The name of the field to be added to the log. Cannot contain spaces.
      • <Value> - The field's value. Cannot contain spaces.
    This option can be used multiple times to add multiple <Token> <Value> pairs to the log.

-m <Alert Type>
    The alert to be triggered at the ISP site.
    This alert overrides the alert specified in the log message generated by the alert daemon.
    The response to the alert is handled according to the actions specified in the ISP Security Policy.
    These alert types execute the corresponding OS commands:
      • alert - Popup alert command
      • mail - Mail alert command
      • snmptrap - SNMP trap alert command
      • spoofalert - Anti-Spoof alert command
    These NetQuota and ServerQuota alerts execute the OS commands specified in the $FWDIR/conf/objects.C file:
      • value=clientquotaalert. Parameter=clientquotaalertcmd

Exit Status

0 - Execution was successful.
102 - Undetermined error.
103 - Unable to allocate memory.
104 - Unable to obtain log information from stdin.
106 - Invalid command line arguments.
107 - Failed to invoke the OPSEC API.
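The following wrapper is an added example and is not part of the Check Point product or its documentation. It shows how the Syntax, Parameters and Exit Status sections above fit together in practice: the alert text arrives on stdin (as when inet_alert is the last stage of a pipe), the -f token/value pairs are checked for the "no spaces" rule before the command is built, the default port 18187 and the ssl_opsec authentication type are used, and the documented exit status is recorded next to a local copy of the alert so that a forward that fails to reach the ELA Proxy at the ISP is visible on the gateway side rather than silently lost. The ELA Proxy address 192.0.2.10, the local log path and the location of the inet_alert binary are placeholders (assumptions), overridable through environment variables.

```shell
#!/bin/sh
# Added example, not Check Point's own code: a POSIX sh wrapper around
# inet_alert that keeps a local copy of every alert and records the documented
# exit status, so that a failed forward to the ELA Proxy at the ISP is visible
# locally instead of being silently lost.
#
# Assumptions (placeholders, not values taken from the product documentation):
#   ELA_PROXY      - address of the ELA Proxy; 192.0.2.10 is a documentation-range placeholder
#   LOCAL_LOG      - file that receives the local copy of each alert and its status
#   INET_ALERT_BIN - the inet_alert binary, assumed to be on PATH

ELA_PROXY="${ELA_PROXY:-192.0.2.10}"
ELA_PORT="${ELA_PORT:-18187}"            # default ELA Proxy port from the reference
AUTH_TYPE="${AUTH_TYPE:-ssl_opsec}"      # authenticated and encrypted (the default)
LOCAL_LOG="${LOCAL_LOG:-/tmp/inet_alert_local.log}"
INET_ALERT_BIN="${INET_ALERT_BIN:-inet_alert}"

# Translate the exit status documented for inet_alert into its meaning.
inet_alert_status_text() {
  case "$1" in
    0)   echo "Execution was successful." ;;
    102) echo "Undetermined error." ;;
    103) echo "Unable to allocate memory." ;;
    104) echo "Unable to obtain log information from stdin." ;;
    106) echo "Invalid command line arguments." ;;
    107) echo "Failed to invoke the OPSEC API." ;;
    *)   echo "Undocumented exit status." ;;
  esac
}

# -f <Token> <Value>: neither part may be empty or contain spaces.
valid_token() {
  case "$1" in
    ''|*' '*) return 1 ;;
    *)        return 0 ;;
  esac
}

# forward_alert <Alert Type> [<Token> <Value> ...]
# Reads the alert message on stdin, appends it to LOCAL_LOG, forwards it with
# inet_alert and returns inet_alert's exit status. Argument problems are
# rejected locally with status 106, mirroring the documented meaning of 106.
forward_alert() {
  alert_type="${1:-alert}"
  if [ "$#" -gt 0 ]; then shift; fi
  if [ $(( $# % 2 )) -ne 0 ]; then
    echo "forward_alert: -f needs <Token> <Value> pairs" >&2
    return 106
  fi
  extra=""
  while [ "$#" -gt 0 ]; do
    if ! valid_token "$1" || ! valid_token "$2"; then
      echo "forward_alert: token and value must be non-empty and contain no spaces" >&2
      return 106
    fi
    extra="$extra -f $1 $2"
    shift 2
  done
  msg=$(cat)
  printf '%s\n' "$msg" >> "$LOCAL_LOG"
  # $extra is deliberately unquoted so that it splits into separate -f arguments.
  printf '%s\n' "$msg" | "$INET_ALERT_BIN" -s "$ELA_PROXY" -p "$ELA_PORT" -a "$AUTH_TYPE" $extra -m "$alert_type"
  rc=$?
  printf 'status=%s %s\n' "$rc" "$(inet_alert_status_text "$rc")" >> "$LOCAL_LOG"
  return "$rc"
}

# Stand-alone use: pipe the alert text in and pass the alert type and -f pairs, e.g.
#   echo "alert text" | sh inet_alert_wrapper.sh alert product cads
if [ "$#" -gt 0 ]; then
  forward_alert "$@"
fi
```

Because the wrapper returns inet_alert's own exit status unchanged, whatever invokes it (the user-defined script slot configured in step 5 of the Procedure, or a cron job draining a queue of stored alerts) can still branch on the documented codes; the local log is an addition, not a replacement, for the ISP-side handling.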

Example

inet_alert -s 10.0.2.4 -a clear -f product cads -m alert

This command specifies to perform these actions in the event of an attack: