Issue
In Cato, there are two types of quotas: one applies to events and the other to alerts. The default limit depends on the DPA license the account has.
- For customers with a DPA 2021 license, the default threshold for event generation is 2 million events per hour, per sub-type.
- For customers with a DPA 23 license, the threshold is determined by the number of Data Units the customer acquires during renewal or onboarding. 1 Data Unit is equivalent to 2 million events per hour, aggregated across all sub-types.
Note: The Cato API eventsFeed rate is not limited by the events quota; it follows separate API rate limits, as explained in Understanding Cato API Rate Limiting.
For alerts, the default cap for alert generation is set at 50 alerts per hour, per sub-type.
To find out which DPA license you have, go to Administration > License.
Example of a DPA 2021 license (screenshot)
Example of a DPA 2023 license (screenshot)
For further information, refer to Cato Cloud Thresholds and Limits.
This article provides guidance on what to do when you receive an email notifying you that the events quota and/or the alerts quota has been exceeded.
Troubleshooting
Cato Events Quota Exceeded
When the number of events exceeds the maximum quota for the account, Cato generates an email alert.
The following screenshot shows a sample Events Quota Exceeded message for Internet Firewall events:
Solution
Cato generates the Events Quota Exceeded alert when the number of events for a specific event type exceeds the maximum limits for events per hour. For more information about the event limits, see Cato Cloud Thresholds and Limits.
WAN and Internet Events
You can identify the WAN or Internet Firewall rule that is generating the large number of events and then disable its Track > Event option. Note that once Event is disabled, matches on that rule no longer appear in Monitoring > Events, so you lose visibility of that traffic in exchange for staying under the quota.
To identify the firewall rule and disable the Track > Event option:
1. Open the Cato Management Application and go to Monitoring > Events.
2. Expand the Rule field under the Fields section.
3. Locate the firewall rule that generates the large number of events.
   The following screenshot shows an example of a firewall rule (Allow all outbound) that generated 5.6 million events:
4. Go to Security > WAN Firewall or Internet Firewall, locate the rule from the previous step, and edit its Track settings.
5. Disable the Event option for this rule.
6. Click Apply and then click Save.
IPS Events
If the IPS engine is generating the large number of events by blocking expected traffic, such as authorized vulnerability scans, you can allowlist the source of that traffic as explained in Allowlisting IPS Signatures. Allowlisting suppresses IPS protection for that source and signature, so confirm that the source is genuinely expected (for example, your own scanner) before adding it.
To identify the source IP and allowlist it:
1. Open the Cato Management Application and go to Monitoring > Events.
2. Select the IPS preset.
3. Expand the Source IP field under the Fields section and select the IP address with the highest number of IPS events.
4. Click the Signature ID and configure the allowlist as appropriate. Make sure that Tracking is disabled.
5. Click Apply.
Cato Alerts Quota Exceeded
An email is sent to the customer's mailing list configured under General Notification when the number of alerts generated per hour exceeds 50 for the account. The email has the subject "Cato alerts Quota Exceeded".
Solution
- Determine which Cato feature the Alert Quota Exceeded email was generated for. For example, in the Alert Quota Exceeded email above, it was for IPS alerts.
- Log in to the Cato Management Application (CMA) to verify the alert.
- Go to Monitoring > Events.
- Under Select Presets, select IPS and customize the time period based on when the email was received. Since the threshold for generating the Alert Quota Exceeded email is 50 alerts per hour, start the time period one hour before the email was received.
- Go through the events to determine the reason for the alerts. For example, in the screenshot below there were multiple events for a possible attack, all originating from the same source.
- Investigate the events and take the necessary action.
- If the alerts turn out to be false positives, contact Cato Support. To open a Support case, refer to Submitting-a-Support-Ticket.
- If you do not wish to be notified of subsequent similar alerts, go to the rule or feature that generates this alert and disable its email notification.
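The triage steps above (find the firewall rule or IPS source responsible for an events quota breach, and check whether a sub-type really crossed 50 alerts in the hour before the email) can be reproduced offline against an event export. The following is an added example written for this article, not Cato code or part of the product; it assumes event records shaped like the fieldsMap of an eventsFeed record with the field names time, event_type, event_sub_type, rule_name and src_ip (adjust these to your export), and it lets a row carry a pre-aggregated count so the quota arithmetic can be shown without materializing millions of records. The sample rows are constructed, not real telemetry.

```python
"""Offline triage for Cato 'Events Quota Exceeded' / 'Alerts Quota Exceeded' emails.
Added example; field names and the optional 'count' field are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timezone

EVENTS_PER_DATA_UNIT = 2_000_000          # DPA 23: 1 Data Unit = 2M events/hour, all sub-types
DPA_2021_EVENTS_PER_SUBTYPE = 2_000_000   # DPA 2021: 2M events/hour per sub-type
ALERTS_PER_SUBTYPE = 50                   # alerts/hour per sub-type


def hour_bucket(ts):
    """Truncate an ISO-8601 timestamp ('Z' or numeric offset) to its UTC hour."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:00Z")


def count_per_hour(rows, key_field):
    """{hour: Counter({key_value: n})}. A row counts once unless it carries a
    'count' field (pre-aggregated rows, as in the constructed sample below)."""
    out = defaultdict(Counter)
    for r in rows:
        out[hour_bucket(r["time"])][r.get(key_field, "")] += int(r.get("count", 1))
    return out


def exceeded_event_hours(rows, license, data_units=1):
    """[(hour, scope, count, limit)] for each hour the events quota was exceeded.
    DPA 2021 applies the limit per sub-type; DPA 23 applies data_units * 2M to
    all sub-types together."""
    hits = []
    for hour, counts in sorted(count_per_hour(rows, "event_sub_type").items()):
        if license == "DPA 2021":
            for sub, n in sorted(counts.items()):
                if n > DPA_2021_EVENTS_PER_SUBTYPE:
                    hits.append((hour, sub, n, DPA_2021_EVENTS_PER_SUBTYPE))
        elif license == "DPA 23":
            total, limit = sum(counts.values()), data_units * EVENTS_PER_DATA_UNIT
            if total > limit:
                hits.append((hour, "all sub-types", total, limit))
        else:
            raise ValueError(f"unknown license {license!r}")
    return hits


def exceeded_alert_hours(rows):
    """[(hour, sub_type, count, limit)] for hours with more than 50 alerts of one sub-type."""
    return [(hour, sub, n, ALERTS_PER_SUBTYPE)
            for hour, counts in sorted(count_per_hour(rows, "event_sub_type").items())
            for sub, n in sorted(counts.items()) if n > ALERTS_PER_SUBTYPE]


def top_contributors(rows, sub_type, field, n=3):
    """Largest values of `field` (rule_name, src_ip, ...) within one sub-type,
    mirroring what the Fields panel in Monitoring > Events shows."""
    c = Counter()
    for r in rows:
        if r.get("event_sub_type") == sub_type:
            c[r.get(field, "")] += int(r.get("count", 1))
    return c.most_common(n)


# Constructed sample rows (not real data); counts are pre-aggregated per row.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:05:00Z", "event_type": "Security", "event_sub_type": "Internet Firewall",
     "rule_name": "Allow all outbound", "src_ip": "10.1.1.0/24", "count": 5_600_000},
    {"time": "2024-05-01T10:20:00Z", "event_type": "Security", "event_sub_type": "Internet Firewall",
     "rule_name": "Block social media", "src_ip": "10.1.1.0/24", "count": 120_000},
    {"time": "2024-05-01T10:30:00Z", "event_type": "Security", "event_sub_type": "IPS",
     "rule_name": "", "src_ip": "203.0.113.7", "count": 900_000},
    {"time": "2024-05-01T11:10:00Z", "event_type": "Security", "event_sub_type": "Internet Firewall",
     "rule_name": "Allow all outbound", "src_ip": "10.1.1.0/24", "count": 1_500_000},
]
SAMPLE_ALERTS = [
    {"time": "2024-05-01T10:12:00Z", "event_type": "Security", "event_sub_type": "IPS",
     "src_ip": "203.0.113.7", "count": 64},
    {"time": "2024-05-01T10:40:00Z", "event_type": "Security", "event_sub_type": "IPS",
     "src_ip": "198.51.100.9", "count": 3},
    {"time": "2024-05-01T11:02:00Z", "event_type": "Security", "event_sub_type": "Internet Firewall",
     "src_ip": "10.1.1.15", "count": 12},
]

if __name__ == "__main__":
    for lic, du in (("DPA 2021", 1), ("DPA 23", 3)):
        print(lic, exceeded_event_hours(SAMPLE_EVENTS, lic, du))
    print("Internet Firewall top rules:", top_contributors(SAMPLE_EVENTS, "Internet Firewall", "rule_name"))
    print("IPS top sources:", top_contributors(SAMPLE_EVENTS, "IPS", "src_ip"))
    print("Alert quota breaches:", exceeded_alert_hours(SAMPLE_ALERTS))
```

With the sample data, the 10:00 hour breaches the DPA 2021 per-sub-type limit on Internet Firewall (5.72 million events, driven by the Allow all outbound rule) and also breaches a 3 Data Unit DPA 23 allowance (6.62 million across all sub-types), while the same hour shows 67 IPS alerts from two sources, which is what triggers the 50-per-hour alert email; the top-contributor output points at the rule or source IP to act on in steps 4 and 5 above.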