Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3130
Views
3
Helpful
2
Replies

Best rule to use to determine whether or not a device is up?

dec0dernyc
Level 1
Level 1

‎11-09-2011 11:19 AM

Hello:

What would be the best rule to use to determine whether or not a device (including routers and switches) is up and able to report/log?

Thanks in Advance.

Labels:
0 Helpful
2 Replies 2

Justin Teixeira
Level 1
Level 1

‎11-09-2011 12:40 PM

Hi dec0dernyc,

     The MARS has a built in system rule named "System Rule: Inactive CS-MARS Reporting Device", which triggers an incident whenever the "Inactive CS-MARS reporting device" event is generated.  The event, in turn, is generated when the MARS has not heard from a device in 10 minutes and contains the IP address of the inactive device.  This is the closest that you'll find on the MARS to the functionality you describe.

Best Regards,

JT

dec0dernyc
Level 1
Level 1
In response to Justin Teixeira

‎11-09-2011 12:53 PM

Thanks for the reply Justin. I am aware of that rule which is ideal for firewalls.

I guess my question should be which rule would be able to tell if a non-chatty device is down, like a switch or router.

If a switch goes down id like to be notifed via the rule.

Thanks again.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents