This rule generates alerts when ISA Server detects network elements that contain overlapping address ranges.
ISA Server detected routes through a network adapter that do not correlate with the network to which this adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The event description contains both the name of the network adapter and the IP address ranges in conflict.
Every subnet connected to the ISA Server computer must be contained in a single network. The conflicting route crosses the network boundaries.
If you recently created a remote site network, check if the event recurs. If it does not, you may safely ignore this message.
Fix the network and/or the routing table to make these IP address ranges consistent; they should be in both or in neither.
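The consistency check described above can be reproduced offline before changing the network definition or the routing table. The following Python sketch is an added example, not part of the management pack or of ISA Server: it reports the parts of each adapter route that fall outside the address ranges of the network the adapter belongs to. The function names and the sample ranges and routes are constructed for illustration.

```python
import ipaddress

def to_networks(ranges):
    """Turn (first, last) address pairs into a collapsed list of CIDR blocks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return list(ipaddress.collapse_addresses(nets))

def uncovered(route, covered):
    """Return the parts of `route` that lie outside every block in `covered`."""
    remaining = [route]
    for net in covered:
        next_remaining = []
        for piece in remaining:
            if piece.subnet_of(net):
                continue  # this piece is fully inside the network definition
            if net.subnet_of(piece):
                # Cut the covered block out of the piece and keep the rest.
                next_remaining.extend(piece.address_exclude(net))
            else:
                # CIDR blocks never partially overlap, so this one is disjoint.
                next_remaining.append(piece)
        remaining = next_remaining
    return sorted(remaining)

def find_conflicts(network_ranges, adapter_routes):
    """Map each adapter route to the sub-ranges missing from the network."""
    covered = to_networks(network_ranges)
    conflicts = {}
    for dest in adapter_routes:
        gaps = uncovered(ipaddress.ip_network(dest), covered)
        if gaps:
            conflicts[dest] = [str(g) for g in gaps]
    return conflicts

# Constructed sample: address ranges of one array-level network and the
# destinations routable through the adapter that belongs to it.
INTERNAL_RANGES = [("10.0.0.0", "10.0.0.255"), ("10.0.2.0", "10.0.3.255")]
INTERNAL_ROUTES = ["10.0.0.0/24", "10.0.0.0/22", "10.0.2.0/23"]

if __name__ == "__main__":
    for route, gaps in find_conflicts(INTERNAL_RANGES, INTERNAL_ROUTES).items():
        print(f"route {route} is not fully inside the network; missing {', '.join(gaps)}")
```

Each reported gap is an address block that must either be added to the network definition or removed from the adapter's routes, so that the range ends up in both or in neither.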
Property | Value |
---|---|
Target | Microsoft.ISAServer.2006.ServerRole |
Category | EventCollection |
Enabled | True |
Alert Generate | False |
Remotable | True |

ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.ISAServer.2006.Rule.AlertGenerate.DS | Default |
WA | WriteAction | Microsoft.ISAServer.2006.Rule.AlertGenerate.WA | Default |

<Rule ID="Microsoft.ISAServer.2006.ISA_Server_detected_network_elements_that_contain_overlapping_address_ranges.Rule" Enabled="onEssentialMonitoring" Target="Microsoft.ISAServer.2006.ServerRole" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Microsoft.ISAServer.2006.Rule.AlertGenerate.DS">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <EventsPattern>^(21097)$</EventsPattern>
      <EventType>1</EventType>
      <SourcePattern>Microsoft Firewall</SourcePattern>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WA" TypeID="Microsoft.ISAServer.2006.Rule.AlertGenerate.WA">
      <AlertMessageId>$MPElement[Name="Microsoft.ISAServer.2006.ISA_Server_detected_network_elements_that_contain_overlapping_address_ranges.AlertMessage"]$</AlertMessageId>
      <DomainName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/DomainDnsName$</DomainName>
      <Priority>2</Priority>
      <Severity>2</Severity>
    </WriteAction>
  </WriteActions>
</Rule>