Alert/Webhook Name | Group | Category | Description | Triggering Mechanism | Comments |
---|---|---|---|---|---|
ap_offline | marvis | ap | Offline (Marvis) | Site down: all APs lose connection around the same time. Switch down/issue: all APs on the same switch lose connection around the same time. Locally online: AP is heard locally but lost cloud connection. Locally offline: AP is not heard locally & lost cloud connection | Req SUB-VNA |
non_compliant | marvis | ap | APs with mismatched firmware | APs in a given site deviating from the firmware version seen on majority APs (same model) at that site | Req SUB-VNA |
ap_bad_cable | marvis | ap | Bad Ethernet cable connected to a Juniper AP | Based on AP frequent ethernet disconnects, restarts, increasing ethernet errors, connecting at 100Mbps | Req SUB-VNA |
health_check_failed | marvis | ap | Unhealthy APs to be replaced | After all auto-remediation/self-healing on the AP fails, Marvis indicates a proactive RMA to replace the AP | Req SUB-VNA |
insufficient_coverage | marvis | ap | Areas around AP(s) with consistent poor Wi-Fi coverage | After RRM makes changes, clients are still seen with low RSSI consistently | Req SUB-VNA |
insufficient_capacity | marvis | ap | AP(s) with low Wi-Fi capacity | After RRM makes changes, a single client or a set of clients have heavy consumption resulting in high AP channel utilization | Req SUB-VNA |
authentication_failure | marvis | connectivity | Site-wide wireless and wired connection failures | Sudden increase in failures across the site OR 100% failures on a server/switch/WLAN/VLAN/AP | Req SUB-VNA OR SUB-SVNA |
dhcp_failure | marvis | connectivity | Site-wide wireless and wired connection failures | Sudden increase in failures across the site OR 100% failures on a server/WLAN/VLAN/AP | Req SUB-VNA OR SUB-SVNA |
arp_failure | marvis | connectivity | Site-wide wireless connection failures | Sudden increase in failures across the site OR 100% failures on a server/WLAN/AP | Req SUB-VNA |
dns_failure | marvis | connectivity | Site-wide wireless connection failures | Sudden increase in failures across the site OR 100% failures on a server/WLAN/AP | Req SUB-VNA |
missing_vlan | marvis | switch | VLAN configured on AP missing on switch port or upstream | AP observes traffic on each vlan and compares between APs on the same switch & other APs in the site. Doesn't require a Juniper switch | Req SUB-VNA OR SUB-SVNA |
bad_cable | marvis | switch | Faulty cable connected to a Juniper switchport | Based on port errors, power draw without ethernet link, increase in bytes out and 0 in (and vice versa) | Req SUB-VNA |
port_flap | marvis | switch | Port constantly going up & down | Port flapping with high frequency & continuously | Req SUB-VNA |
negotiation_mismatch | marvis | switch | Difference in settings between a wired client & connected port | Duplex mismatch and/or auto-negotiation failing | Req SUB-VNA |
switch_stp_loop | marvis | switch | Same frame is seen by a switch multiple times | Frequent STP topology changes along with sudden increase in tx/rx | Req SUB-VNA |
gw_bad_cable | marvis | Router | Faulty cable connected to a Juniper gateway (SRX only) port | Interface stat errors, input/output bytes being 0 | Req SUB-WNA |
gw_negotiation_mismatch | marvis | Router | Difference in MTU packet size seen in the network (SRX only) | Packets being fragmented, MTU errors | Req SUB-WNA |
bad_wan_uplink | marvis | Router | Underperforming/problematic interface (SRX, SSR) | Latency, jitter, packet loss, output drops & drop in transmit packets | Req SUB-WNA |
vpn_path_down | marvis | Router | VPN peer path down (SSR only) | 100% failure of a peer path | Req SUB-WNA |
sw_alarm_chassis_psu | infrastructure | switch | Junos Power Supply Alarm | A power supply missing event triggers this alert | |
sw_alarm_chassis_pem | infrastructure | switch | Switch PEM Alarm | Symptoms: Minor alarms such as "PEM fan failed", "PEM Not O" and "PEM too many i2c failures" can be seen on an MX device. Running the "show chassis environment pem" command returns the PEM module in check state. Solution: The I2C failure alarm concerns the I2C bus, which allows the control components hosted by the CB to monitor and retrieve device environment information (power, temperature, status, and so on) from the different MPC components. There could be a couple of reasons for these alarms: the PEM might have some issues, the slot is faulty, placement of the PEM is causing this temporary situation, chassisd is having a problem reading it, high CPU, issues with the CB, and so on. | |
sw_bad_optics | infrastructure | switch | Switch Bad Optics | Detects a bad transceiver. The alert is generated based on the output of “show interfaces diagnostics optics” | |
sw_alarm_chassis_poe | infrastructure | switch | Junos POE Controller Alarm | The symptoms and solution are listed in the attached KB. Possible next steps for POE port issues: typically this type of issue is hardware related; at some point a switch injecting power may have been connected to this port, which may have caused a short that damaged the port, so an RMA may be needed if a reboot doesn’t clear the issue. | |
sw_bgp_neighbor_state_changed | infrastructure | switch | BGP Neighbor State Changed | Every time a BGP peering goes up or down, this is made available as an event as well as an alert | |
vpn_peer_down | infrastructure | SRX | VPN Peer Down | When an IPSec tunnel goes down for WAN interfaces between hub and spoke, this alert is triggered | |
loop_detected_by_ap | infrastructure | wireless | AP has detected loop via reflection | When an AP receives a frame that it sent out, the packet is looping, which is an erroneous situation. In such situations a loop in the network is called out; this is inferred from AP data and does not require the switch network to be Juniper | |
infra_arp_failure | infrastructure | ap | Gateway ARP failure | When the ARP request for the default gateway receives no response | |
infra_dhcp_failure | infrastructure | ap | DHCP Failure | Whenever more than 10 clients are impacted due to a failing/unresponsive DHCP server within a window of 10 minutes, an email will be triggered for this event. | |
infra_dns_failure | infrastructure | ap | DNS Failure | Whenever more than 10 clients are impacted due to a failing/unresponsive DNS server within a window of 10 minutes, an email will be triggered for this event. | |
vc_backup_failed | infrastructure | switch | Virtual Chassis - Backup Member Elected | When a Backup Member is elected | |
vc_master_changed | infrastructure | switch | Virtual Chassis - New device elected for Active Role | When a new device is elected for the Active Role | |
vc_member_added | infrastructure | switch | Adding a new VC member | When a new VC member is added | |
vc_member_deleted | infrastructure | switch | Virtual Chassis Member Deleted | When a VC Member is deleted | |
sw_bpdu_error | infrastructure | switch | Switch BPDU Error | condition caused by the detection of a possible bridging loop from  | |
sw_alarm_chassis_partition | infrastructure | switch | Switch Storage Partition Alarm | generated by the event: show chassis alarms >> RE 0 /var partition usage is high | |
device_down | infrastructure | ap | Device offline (alert immediately when device offline) | When an AP disconnects from the cloud for the configured amount of time | |
switch_down | infrastructure | switch | Switch offline | Switch offline | |
gw_dhcp_pool_exhausted | infrastructure | SRX | WAN Edge DHCP Pool Exhausted | WAN Edge DHCP pool has been exhausted | |
device_restarted | infrastructure | ap | Device restarted | When an AP restarts | |
switch_restarted | infrastructure | switch | Switch restarted | When a switch restarts | |
gateway_down | infrastructure | SRX | WAN Edge offline | SRX device offline | |
WAN Edge Offline | infrastructure | ssr | WAN Edge offline | ||
sw_dhcp_pool_exhausted | infrastructure | switch | Switch DHCP pool has been exhausted | If the switch is a DHCP server and a particular pool is exhausted, this alert is triggered | |
adhoc_network | security | ap | Adhoc network detected | An unauthorized adhoc network has been detected by 1 or more APs | |
air_magnet_scan | security | ap | Air Magnet Scan detected | Someone is running an AirMagnet scan for RF analysis. There are multiple products on the market for AirMagnet scans. | |
eap_handshake_flood | security | ap | EAP Handshake Flood detected | Some client/simulator is generating floods of EAPOL messages requesting 802.1X authentication. | |
watched_station | security | ap | Active Watched Station detected | A client/station configured in the "Watched Station list" is detected on the network. | |
eap_dictionary_attack | security | ap | EAP Dictionary Attack detected | When someone attempts to guess a password by trying different dictionary words. Multiple password failures trigger this event. | |
eap_failure_injection | security | ap | EAP Failure Injection detected | Someone sniffs EAP packets and tries to send fake EAP failures. | |
eap_spoofed_success | security | ap | EAP Spoofed Success detected | Someone sniffs EAP packets and tries to send fake EAP successes. | |
eapol_logoff_attack | security | ap | EAPOL-Logoff Attack detected | Some client/simulator is sending excessive EAPOL-Logoff messages. | |
essid_jack | security | ap | ESSID Jack detected | When some client or simulator sends broadcast probe requests. | |
excessive_client | security | ap | Excessive Clients detected | When the number of clients associated with an AP crosses the configured excessive client threshold. | |
excessive_eapol_start | security | ap | Excessive EAPOL-Start detected | Some client/simulator is sending excessive EAPOL-Start messages. | |
idp_attack_detected | security | srx/ssr | IDP attack detected | When an SRX or SSR reports IDP_ATTACK_LOG_EVENT type events | |
monkey_jack | security | ap | Monkey Jack detected | When the AP detects someone attempting a man-in-the-middle attack, this event is triggered. | |
out_of_sequence | security | ap | Out of Sequence detected | When the AP detects excessive out-of-sequence packets, this event is generated. | |
krack_attack | security | ap | Replay Injection detected - KRACK Attack | KRACK attack attempts detected by 1 or more APs | |
tkip_icv_attack | security | ap | TKIP ICV Attack | When the AP detects more TKIP MIC failures than the configured threshold value, this event is generated. | |
url_blocked | security | srx/ssr | URL blocked | When an SRX or SSR reports WEBFILTER_URL_BLOCKED type events | |
zero_ssid_association | security | ap | Zero SSID Association Request detected | When the AP scans a beacon that contains a zero-length SSID, it triggers this event. | |
beacon_flood | security | AP | Fake AP Flooding detected - a flood of new BSSIDs | Fake AP flooding is detected when the number of new SSIDs scanned by an AP exceeds the defined threshold during a defined time frame (say 60 seconds). | |
bssid_spoofing | security | AP | BSSID Spoofing detected | A BSSID spoofing event is generated when an AP hears a device broadcasting the same BSSID as the access point at a good signal strength (-30 dBm or worse). | |
ssid_injection | security | AP | SSID Injection detected: detects malicious-looking SSID names with possible code injection in the name | SSID injection is triggered when the AP scans the RF and sees an SSID being broadcast whose name could indicate code injection. A few examples of malicious SSID names: SSIDs with special characters such as “%g%gAA%g%g%g%f%c%c%x”, or XSS injection such as “” as the SSID name | |
repeated_auth_failures | security | AP | Clients with Repeated Client Authentication Failures | Kicks in when a client faces continuous client authentication failures due to the RADIUS server not being reachable, a wrong shared secret, etc. | |
vendor_ie_missing | security | AP | Mist vendor IE missing in beacon or probe response | Detects impersonation of sanctioned Mist APs. The use case is that somebody can bring in a honeypot AP whose beacons or probe responses lack the Mist Vendor IE; such a honeypot is flagged with an alert that an impersonation attack is being carried out with the Vendor IE missing | |
disassociation_flood | security | AP | Disassociation Attack detected | A type of DoS attack in which the attacker breaks the wireless connection between the victim device and the access point. The method is based on the use of a special disassociation frame specified under IEEE 802.11. Transferring such a frame to the target device breaks the connection, and the Wi-Fi protocol does not require any encryption for it. | |
rogue_client | security | AP | Client Connection to rogue AP detected | When a client associates to a rogue AP | |
rogue_ap | security | AP | Rogue AP detected | Any AP not claimed onto your organization, but detected as connected on the same wired network | |
honeypot_ssid | security | AP | Honeypot SSID | Unauthorized APs advertising your SSID | |