Webhook Alert Table

| Alert/Webhook Name | Group | Category | Description | Triggering Mechanism | Comments |
|---|---|---|---|---|---|
| ap_offline | marvis | ap | Offline (Marvis) | Site down: all APs lose connection around the same time. Switch down/issue: all APs on the same switch lose connection around the same time. Locally online: AP is heard locally but lost cloud connection. Locally offline: AP is not heard locally & lost cloud connection. | Req SUB-VNA |
| non_compliant | marvis | ap | APs with mismatched firmware | APs in a given site deviating from the firmware version seen on the majority of APs (same model) at that site | Req SUB-VNA |
| ap_bad_cable | marvis | ap | Bad Ethernet cable connected to a Juniper AP | Based on frequent AP Ethernet disconnects, restarts, increasing Ethernet errors, connecting at 100Mbps | Req SUB-VNA |
| health_check_failed | marvis | ap | Unhealthy APs to be replaced | After all auto-remediation/self-healing on the AP fails, Marvis indicates a proactive RMA to replace the AP | Req SUB-VNA |
| insufficient_coverage | marvis | ap | Areas around AP(s) with consistent poor Wi-Fi coverage | After RRM makes changes, clients are still seen with low RSSI consistently | Req SUB-VNA |
| insufficient_capacity | marvis | ap | AP(s) with low Wi-Fi capacity | After RRM makes changes, a single client or a set of clients have heavy consumption resulting in high AP channel utilization | Req SUB-VNA |
| authentication_failure | marvis | connectivity | Site-wide wireless and wired connection failures | Sudden increase in failures across the site OR 100% failures on a server/switch/WLAN/VLAN/AP | Req SUB-VNA OR SUB-SVNA |
| dhcp_failure | marvis | connectivity | Site-wide wireless and wired connection failures | Sudden increase in failures across the site OR 100% failures on a server/WLAN/VLAN/AP | Req SUB-VNA OR SUB-SVNA |
| arp_failure | marvis | connectivity | Site-wide wireless connection failures | Sudden increase in failures across the site OR 100% failures on a server/WLAN/AP | Req SUB-VNA |
| dns_failure | marvis | connectivity | Site-wide wireless connection failures | Sudden increase in failures across the site OR 100% failures on a server/WLAN/AP | Req SUB-VNA |
| missing_vlan | marvis | switch | VLAN configured on AP missing on switch port or upstream | AP observes traffic on each VLAN and compares between APs on the same switch & other APs in the site. | Doesn't require a Juniper switch. Req SUB-VNA OR SUB-SVNA |
| bad_cable | marvis | switch | Faulty cable connected to a Juniper switchport | Based on port errors, power draw without Ethernet link, increase in bytes out and 0 in (and vice versa) | Req SUB-VNA |
| port_flap | marvis | switch | Port constantly going up & down | Port flapping with high frequency & continuously | Req SUB-VNA |
| negotiation_mismatch | marvis | switch | Difference in settings between a wired client & connected port | Duplex mismatch and/or auto-negotiation failing | Req SUB-VNA |
| switch_stp_loop | marvis | switch | Same frame is seen by a switch multiple times | Frequent STP topology changes along with sudden increase in tx/rx | Req SUB-VNA |
| gw_bad_cable | marvis | Router | Faulty cable connected to a Juniper gateway (SRX only) port | Interface stat errors, input/output bytes being 0 | Req SUB-WNA |
| gw_negotiation_mismatch | marvis | Router | Difference in MTU packet size seen in the network (SRX only) | Packets being fragmented, MTU errors | Req SUB-WNA |
| bad_wan_uplink | marvis | Router | Underperforming/problematic interface (SRX, SSR) | Latency, jitter, packet loss, output drops & drop in transmit packets | Req SUB-WNA |
| vpn_path_down | marvis | Router | VPN peer path down (SSR only) | 100% failure of a peer path | Req SUB-WNA |
| sw_alarm_chassis_psu | infrastructure | switch | Junos Power Supply Alarm | Power supply missing event will trigger this alert | |
| sw_alarm_chassis_pem | infrastructure | switch | Switch PEM Alarm | Symptoms: Minor alarms such as "PEM fan failed", "PEM Not O" and "PEM too many i2c failures" can be seen on an MX device. Running the "show chassis environment pem" command returns the PEM module in check state. Solution: The I2C failure alarm causes the I2C bus, which allows the control components hosted by the CB, to monitor and retrieve device environment information (power, temperature, status, and so on) from the different MPC’s components. There could be a couple of reasons for these alarms: the PEM might have some issues, the slot is faulty, placement of the PEM is causing this temporary situation or chassisd is having a problem reading it, high CPU, issues with CB and so on. | |
| sw_bad_optics | infrastructure | switch | Switch Bad Optics | Detects bad transceiver. Depending on the “show interfaces diagnostics optics” we generate the alert | |
| sw_alarm_chassis_poe | infrastructure | switch | Junos POE Controller Alarm | The symptoms and solution are listed below, on the attached KB. Here are the possible next steps for POE port issues: (1) Reboot of the switch. (2) Reseat of the transceiver; for scenarios where reseat is possible, you may want to wait 10-15 minutes to see if the alarm is cleared. (3) Make sure nothing is connected to it, via a physical check. Typically these types of issues are hardware related; at some point there could have been a switch connected to this port that was injecting power, which may have caused a short damaging the port, so RMA may be needed if reboot doesn’t clear the issue. | |
| sw_bgp_neighbor_state_changed | infrastructure | switch | BGP Neighbor State Changed | Every time a BGP peering goes up or down, this is made available as an event as well as an alert | |
| vpn_peer_down | infrastructure | SRX | VPN Peer Down | When an IPSec tunnel goes down for WAN interfaces between hub and spoke, this alert is triggered | |
| loop_detected_by_ap | infrastructure | wireless | AP has detected loop via reflection | When an AP receives a frame that it sent out, we understand that the packet is looping and is an erroneous situation. In such situations we call out that there is a loop in the network; this is inferred from AP data and does not require the switch network to be Juniper | |
| infra_arp_failure | infrastructure | ap | Gateway ARP failure | When the ARP request for the default gateway is not receiving any response | |
| infra_dhcp_failure | infrastructure | ap | DHCP Failure | Whenever more than 10 clients are impacted due to a failing/unresponsive DHCP server within a window of 10 minutes, an email will be triggered for this event. | |
| infra_dns_failure | infrastructure | ap | DNS Failure | Whenever more than 10 clients are impacted due to a failing/unresponsive DNS server within a window of 10 minutes, an email will be triggered for this event. | |
| vc_backup_failed | infrastructure | switch | Virtual Chassis - Backup Member Elected | When a Backup Member is elected | |
| vc_master_changed | infrastructure | switch | Virtual Chassis - New device elected for Active Role | When a new device is elected for Active Role | |
| vc_member_added | infrastructure | switch | Adding a new VC member | Adding a new VC member | |
| vc_member_deleted | infrastructure | switch | Virtual Chassis Member Deleted | When a VC Member is deleted | |
| sw_bpdu_error | infrastructure | switch | Switch BPDU Error | Condition caused by the detection of a possible bridging loop from | |
| sw_alarm_chassis_partition | infrastructure | switch | Switch Storage Partition Alarm | Generated by the event: show chassis alarms >> RE 0 /var partition usage is high | |
| device_down | infrastructure | ap | Device offline (alert immediately when device offline) | When an AP disconnects from the cloud for the configured amount of time | |
| switch_down | infrastructure | Switch | Switch offline | Switch Offline | |
| gw_dhcp_pool_exhausted | infrastructure | SRX | WAN Edge DHCP Pool Exhausted | WAN Edge DHCP pool has been exhausted | |
| device_restarted | infrastructure | ap | Device restarted | When an AP restarts | |
| switch_restarted | infrastructure | switch | Switch restarted | When a switch restarts | |
| gateway_down | infrastructure | SRX | WAN Edge offline | SRX device offline | |
| WAN Edge Offline | infrastructure | ssr | WAN Edge offline | | |
| sw_dhcp_pool_exhausted | infrastructure | switch | Switch DHCP pool has been exhausted | If the Switch is a DHCP server and a particular pool is exhausted, this alert is triggered | |
| adhoc_network | security | ap | Adhoc network detected | An unauthorized adhoc network has been detected by 1 or more APs | |
| air_magnet_scan | security | ap | Air Magnet Scan detected | Someone is running an Air Magnet scan for RF analysis. There are multiple products on the market for Airmagnet Scan. | |
| eap_handshake_flood | security | ap | EAP Handshake Flood detected | Some client / simulator generating floods of EAPOL messages requesting 802.1x authentication. | |
| watched_station | security | ap | Active Watched Station detected | Client / Station configured in "Watched Station list" detected on network. | |
| eap_dictionary_attack | security | ap | EAP Dictionary Attack detected | When someone attempts to guess a password by trying different dictionary words. Multiple password failures trigger this event. | |
| eap_failure_injection | security | ap | EAP Failure Injection detected | Someone sniffs EAP packets and tries to send fake EAP failures | |
| eap_spoofed_success | security | ap | EAP Spoofed Success detected | Someone sniffs EAP packets and tries to send fake EAP success. | |
| eapol_logoff_attack | security | ap | EAPOL-Logoff Attack detected | Some client / simulator is sending excessive EAP logoff messages. | |
| essid_jack | security | ap | ESSID Jack detected | When some client or simulator tries to send a broadcast probe request. | |
| excessive_client | security | ap | Excessive Clients detected | When the number of clients associated with the AP crosses the configured excessive client threshold. | |
| excessive_eapol_start | security | ap | Excessive EAPOL-Start detected | Some client / simulator is sending excessive EAP START messages. | |
| idp_attack_detected | security | srx/ssr | IDP attack detected | When SRX and SSR report IDP_ATTACK_LOG_EVENT type events | |
| monkey_jack | security | ap | Monkey Jack detected | When the AP detects someone trying a man-in-the-middle attack, we trigger this event. | |
| out_of_sequence | security | ap | Out of Sequence detected | When the AP detects excessive out-of-sequence packets, this event is generated. | |
| krack_attack | security | ap | Replay Injection detected - KRACK Attack | KRACK attack attempts detected by 1 or more APs | |
| tkip_icv_attack | security | ap | TKIP ICV Attack | When the AP detects TKIP MIC failures more than the configured threshold value, this event is generated. | |
| url_blocked | security | srx/ssr | URL blocked | When SRX and SSR report WEBFILTER_URL_BLOCKED type events | |
| zero_ssid_association | security | ap | Zero SSID Association Request detected | When the AP scans a beacon which contains a zero-length SSID, the AP triggers this event. | |
| beacon_flood | security | | Fake AP Flooding detected - a flood of new BSSIDs | Fake AP flooding is detected when the number of new SSIDs scanned by an AP exceeds the defined threshold during a defined time frame (say 60 seconds). | |
| bssid_spoofing | security | AP | BSSID Spoofing detected | BSSID spoofing event is generated when we hear the same SSID with -30dBm or worse. BSSID spoofing event is generated when we hear a device broadcasting the same BSSID as of the Access point with a good signal strength. | |
| ssid_injection | security | AP | SSID Injection detected: Detects malicious looking SSID names with possible code injection in name | SSID injection is triggered when the AP scans the RF and sees an SSID being broadcasted that could indicate a code injection language to the SSID name. A few examples of malicious SSID Names: SSIDs with special characters – “%g%gAA%g%g%g%f%c%c%x”; XSS Injection - “” as the SSID name OR the SSID Name | |
| repeated_auth_failures | security | AP | Clients with Repeated Client Authentication Failures | Will kick in when a client faces continuous client authentication failure due to the RADIUS server not being reachable, wrong shared secret, etc. | |
| vendor_ie_missing | security | AP | Mist vendor IE missing in beacon or probe response | A method to detect impersonation of sanctioned Mist APs needs to be devised. The use case is somebody can bring in a honeypot that has the Mist Vendor IE missing. We should be able to flag that honeypot with an alert that an impersonation attack is being carried out with Vendor IE missing | |
| disassociation_flood | security | AP | Disassociation Attack detected | A type of DoS attack in which the attacker breaks the wireless connection between the victim device and the access point. The method is based on the use of a special disassociation frame specified under IEEE 802.11. Transferring such a frame to the target device breaks the connection, and the Wi-Fi protocol does not require any encryption for it. | |
| rogue_client | security | AP | Client Connection to rogue AP detected | When a client associates to the rogue AP | |
| rogue_ap | security | AP | Rogue AP detected | Any AP not claimed onto your Organization, but detected as connected on the same wired network. | |
| honeypot_ssid | security | AP | Honeypot SSID | Unauthorized APs advertising your SSID | |