This rule generates alerts when the routing table for a network adapter includes IP address ranges that are not included in the array-level network to which it is bound.
The routing table for one of the network adapters includes IP address ranges that are not included in the array-level network to which it is bound. As a result, packets arriving at this network adapter from these IP address ranges or sent to these IP address ranges via this network adapter will be dropped as spoofed.
The first parameter of the event indicates the name of the network adapter, and the second parameter of the event indicates the IP address ranges.
For every IP address range in the routing table of a network adapter, there should be a corresponding IP address in the array-level network for that network adapter. Otherwise, packets sent to the array-level network will be considered spoofed and therefore dropped. This could result in loss of connectivity.
If you recently changed the NLB configuration, check if the event recurs. If it does not, you may safely ignore this alert.
Add the missing IP address ranges to the array-level network.
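The comparison behind this resolution step, as an added example (not part of the management pack or of Forefront TMG): given an adapter's route destinations and the address ranges defined for its array-level network, it returns the ranges that still have to be added. The function names and sample addresses are constructed for illustration, and IPv4 is assumed.

```python
import ipaddress

def to_span(cidr):
    """Return (first, last) integer addresses of a route destination prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)

def merge(spans):
    """Merge overlapping or adjacent integer spans into a sorted list."""
    merged = []
    for lo, hi in sorted(spans):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], hi)
        else:
            merged.append([lo, hi])
    return merged

def uncovered_ranges(routes, network_ranges):
    """Ranges covered by the adapter's routes but absent from the array-level network."""
    covered = merge((int(ipaddress.ip_address(a)), int(ipaddress.ip_address(b)))
                    for a, b in network_ranges)
    missing = []
    for lo, hi in merge(to_span(r) for r in routes):
        cursor = lo  # first address of this route span not yet accounted for
        for c_lo, c_hi in covered:
            if c_hi < cursor or c_lo > hi:
                continue  # network range lies entirely outside what is left
            if c_lo > cursor:
                missing.append((cursor, c_lo - 1))  # gap before this network range
            cursor = max(cursor, c_hi + 1)
        if cursor <= hi:
            missing.append((cursor, hi))  # tail of the route span is uncovered
    return [(str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b)))
            for a, b in missing]

# Constructed sample: route destinations on one internal adapter and the
# start/end ranges of the array-level network bound to it (hypothetical values).
SAMPLE_ROUTES = ["10.0.0.0/24", "10.0.5.0/24", "192.168.10.0/24"]
SAMPLE_NETWORK = [("10.0.0.0", "10.0.0.255"), ("192.168.10.0", "192.168.10.127")]

if __name__ == "__main__":
    for start, end in uncovered_ranges(SAMPLE_ROUTES, SAMPLE_NETWORK):
        print(f"add to array-level network: {start} - {end}")
```

An empty result means every routed range is already part of the network, which is the state in which the event should stop recurring.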
Property | Value |
---|---|
Target | Microsoft.Forefront.TMG.Server |
Category | EventCollection |
Enabled | True |
Alert Generate | False |
Remotable | True |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Forefront.TMG.Rule.AlertGenerate.DS | Default |
WA | WriteAction | Microsoft.Forefront.TMG.Rule.AlertGenerate.WA | Default |
```xml
<Rule ID="Microsoft.Forefront.TMG.The_routing_table_for_a_network_adaptor_includes_IP_address_ranges_that_are_not_included_in_the_array_level_network_to_which_it_is_bound.Rule" Enabled="true" Target="Microsoft.Forefront.TMG.Server" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Microsoft.Forefront.TMG.Rule.AlertGenerate.DS">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <EventsPattern>^(21265)$</EventsPattern>
      <EventType>1</EventType>
      <SourcePattern>Microsoft Forefront TMG Firewall</SourcePattern>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WA" TypeID="Microsoft.Forefront.TMG.Rule.AlertGenerate.WA">
      <AlertMessageId>$MPElement[Name="Microsoft.Forefront.TMG.The_routing_table_for_a_network_adaptor_includes_IP_address_ranges_that_are_not_included_in_the_array_level_network_to_which_it_is_bound.AlertMessage"]$</AlertMessageId>
      <DomainName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/DomainDnsName$</DomainName>
      <Priority>1</Priority>
      <Severity>2</Severity>
    </WriteAction>
  </WriteActions>
</Rule>
```