In Cato, there are two types of quotas: one pertains to events, while the other relates to alerts. The default threshold for event generation stands at 2 million events per hour, whereas the default cap for alert generation is set at 50 alerts per hour. For further information, refer to Cato Cloud Thresholds and Limits.
This article aims to provide guidance on how to address situations where you have received an email notifying you of an exceeded events quota and/or alerts quota.
Cato Events Quota Exceeded
When the number of events exceeds the maximum quota for the account, Cato generates an email alert.
The following screenshot shows a sample Events Quota Exceeded alert message for Internet firewall events:
Cato generates the Events Quota Exceeded alert when the number of events for a specific event type exceeds the maximum limits for events per hour. For more information about the event limits, see Cato Cloud Thresholds and Limits.
You can identify the WAN or Internet rule that is generating the large number of events and then disable the Track > Event option.
To identify the firewall rule and disable the track events option:
1. Open the Cato Management Application and go to Monitoring > Events.
2. Expand the Rule field under the Fields section.
3. Locate the firewall rule that generates the large number of events.
The following screenshot shows an example of a firewall rule (Allow all outbound) that generated 5.6 million events:
4. Go to Security > WAN or Internet Firewall, locate the rule (from the previous step) and edit the Track settings.
5. Disable the Event option for this rule.
6. Click Apply and then click Save.
Cato Alerts Quota Exceeded
An email is sent to the customer's mailing list configured under General Notification when the number of alerts generated per hour exceeds 50 for the account. The customer receives an email with the subject "Cato alerts Quota Exceeded".
- Determine which Cato feature the Alert Quota Exceeded email was generated for. For example, in the above Alert Quota Exceeded email, it was for IPS alerts.
- Log in to the Cato Management Application (CMA) to verify the authenticity of this alert.
- Go to Monitoring > Events
- Under Select Presets, select IPS and customize the time period based on when the email was received. Since the threshold for generating the Alert Quota Exceeded email is 50 alerts per hour, set the time period to start an hour before the email was received.
- Go through the events to determine the reason for the alert. For example, in the screenshot below, there were multiple events for a possible attack, all originating from the same source.
- Investigate the events and take the necessary action.
- If these alerts turn out to be false positives, contact Cato Support. To open a Support case, refer to Submitting-a-Support-Ticket.
- If you do not wish to be notified of subsequent similar alerts, you can go to the respective rule or feature pertaining to this alert, and disable the email notification.
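As an added example (not from this article and not Cato's own code), the following script performs both triage steps offline over exported event records: it counts events per rule per hour against the events quota to find the noisy rule, and it reviews the hour before an alerts-quota email, grouping alerts by source. The record layout (dicts with time, rule and source keys) and the sample data are constructed assumptions, not Cato's export format.

```python
from collections import Counter
from datetime import datetime, timedelta

# Default hourly quotas quoted in the article.
EVENTS_QUOTA_PER_HOUR = 2_000_000
ALERTS_QUOTA_PER_HOUR = 50


def hour_bucket(ts: datetime) -> datetime:
    """Truncate a timestamp to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def rules_over_quota(events, quota=EVENTS_QUOTA_PER_HOUR):
    """Count events per (hour, rule) and return pairs at or above the quota,
    highest count first. Each event is a dict with 'time' and 'rule' keys
    (an assumed record layout, not Cato's export format)."""
    counts = Counter((hour_bucket(e["time"]), e["rule"]) for e in events)
    hits = [(hour, rule, n) for (hour, rule), n in counts.items() if n >= quota]
    return sorted(hits, key=lambda h: h[2], reverse=True)


def review_alert_window(alerts, notified_at, quota=ALERTS_QUOTA_PER_HOUR):
    """Summarise alerts in the hour before the quota email was received:
    total count, whether the quota was exceeded, and the busiest source."""
    start = notified_at - timedelta(hours=1)
    window = [a for a in alerts if start <= a["time"] <= notified_at]
    by_source = Counter(a["source"] for a in window)
    top = by_source.most_common(1)[0] if by_source else None
    return {"count": len(window), "over_quota": len(window) > quota, "top_source": top}


def sample_data():
    """Constructed sample: one noisy firewall rule and one IPS burst from a single source."""
    t0 = datetime(2024, 1, 1, 9, 0)
    events = [{"time": t0 + timedelta(seconds=i), "rule": "Allow all outbound"} for i in range(7)]
    events += [{"time": t0 + timedelta(minutes=i), "rule": "Block Telnet"} for i in range(2)]
    alerts = [{"time": t0 + timedelta(minutes=i % 50), "source": "10.0.0.5"} for i in range(55)]
    alerts += [{"time": t0 + timedelta(minutes=5), "source": "10.0.0.9"} for _ in range(3)]
    return events, alerts, t0 + timedelta(minutes=59)


if __name__ == "__main__":
    events, alerts, notified_at = sample_data()
    # A lowered quota keeps the constructed sample small; production data uses the defaults.
    print(rules_over_quota(events, quota=5))
    print(review_alert_window(alerts, notified_at))
```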