We're getting tons of email alerts!

Overview

Are you suddenly getting a large number of email alerts about blocking a particular website?

We use a third-party utility called BrightCloud for Web Filter's Categories information and they occasionally recategorize a particular URL as a phishing/fraud or malware website. If that site/URL(s) loads ad content on numerous websites, your NG Firewall will block numerous connections and generate a lot of alert emails.

BrightCloud are generally very quick to fix mis-categorizations like this, but the Web Filter engine that checks category status caches its lookups to save time. The old cached entry can still exist for a few hours, so sometimes your NG Firewall will continue to generate alerts even though the root cause of the problem has been fixed.

Here's what you can do about it

First, take a look at one of the email alerts and find the line that starts with requestLine. That entry will have the URL of the site in question:

Go to Web Filter > Advanced and click the 'Clear Category URL Cache' button:

Next, go to Web Filter > Site Lookup and try searching for the site you were alerted about:

If the URL is no longer categorized in a way that will generate alerts, great! You're all done. If it hasn't been changed, however, you can edit your alerts to ignore that particular site.

Go to Config > Events > Alerts and edit the rule that triggered the alert. (The example above was 'Phishing/Fraud website visit blocked', which is rule #14 by default.)

Click 'Add Condition', then select 'requestLine':

That will add that condition to the rule. Set it to does not contain *[url in question]* to filter out events for that specific URL:

Save your rule and you're all set.