This Rule generates alerts when The Firewall service detected a demand dial interface connection that was not created by ISA Server
The Firewall service detected that a demand dial interface may be configured improperly.
This event occurs when the specified VPN site-to-site network adapter is assigned an IP address that is already included in another network. This may be an indication of a spoof attack.
Verify that the VPN configuration for the remote server is defined properly.
Try to reestablish the connection and ensure that the connection is from the correct remote site.
Target | Microsoft.ISAServer.2006.ServerRole |
Category | EventCollection |
Enabled | True |
Alert Generate | False |
Remotable | True |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.ISAServer.2006.Rule.AlertGenerate.DS | Default |
WA | WriteAction | Microsoft.ISAServer.2006.Rule.AlertGenerate.WA | Default |
<Rule ID="Microsoft.ISAServer.2006.The_Firewall_service_detected_a_demand_dial_interface_connection_that_was_not_created_by_ISA_Server.Rule" Enabled="onEssentialMonitoring" Target="Microsoft.ISAServer.2006.ServerRole" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Microsoft.ISAServer.2006.Rule.AlertGenerate.DS">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Application</LogName>
<EventsPattern>^(21162)$</EventsPattern>
<EventType>2</EventType>
<SourcePattern>Microsoft Firewall</SourcePattern>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WA" TypeID="Microsoft.ISAServer.2006.Rule.AlertGenerate.WA">
<AlertMessageId>$MPElement[Name="Microsoft.ISAServer.2006.The_Firewall_service_detected_a_demand_dial_interface_connection_that_was_not_created_by_ISA_Server.AlertMessage"]$</AlertMessageId>
<DomainName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/DomainDnsName$</DomainName>
<Priority>2</Priority>
<Severity>2</Severity>
</WriteAction>
</WriteActions>
</Rule>