Notifications

The firewall can notify administrators of important events and errors by displaying an alert in the menu bar, indicated by a bell icon.

In addition to GUI notifications, the firewall also supports the following notification methods:

  • Local via LED indicators on supported hardware (not configurable)

  • Local via Sounds using a PC speaker

  • Remote via E-mail using SMTP

  • Remote via Telegram notification API

  • Remote via Pushover notification API

  • Remote via Slack notification API

General Settings

Certificate Expiration:

When set, the firewall will issue notifications as CA and certificate entries approach their expiration date so that administrators can take corrective action to renew or replace them. Notifications are also sent for expired entries.

Expiration times are checked daily, and notifications are displayed in the GUI and sent remotely.

Ignore Revoked:

When set, the firewall will not send notifications for expired certificate entries which have been revoked in at least one CRL.

Certificate Expiration Threshold:

The value, in days, at which CA and certificate entries are considered to be approaching their expiration date.

The default value is currently 27 days. Certificates from Let’s Encrypt (ACME package) typically renew when they have around 30 days left before they expire. The default value avoids unnecessary notifications while still leaving enough time to correct problems.

Tip

If certificates are imported into the firewall from third party sources which take longer to process, increase this value sufficiently to give administrators enough notice to obtain an updated replacement certificate before the expiration date.
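The threshold and Ignore Revoked rules above, worked through on a small inventory. This is an added example, not the firewall's own code: the entry fields (`name`, `not_after`, `revoked_in_crl`), the sample dates, and the inclusive comparison at the threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

def expiration_notices(entries, now, threshold_days=27, ignore_revoked=False):
    """Return (name, status, days_left) for entries that warrant a notice,
    most urgent first. threshold_days=27 is the default stated on the page."""
    notices = []
    for entry in entries:
        remaining = entry["not_after"] - now
        if remaining <= timedelta(0):
            # Per the page, Ignore Revoked suppresses notices only for
            # *expired* entries that appear in at least one CRL.
            if ignore_revoked and entry.get("revoked_in_crl"):
                continue
            status = "expired"
        elif remaining <= timedelta(days=threshold_days):
            status = "expiring"  # inclusive boundary is an assumption
        else:
            continue  # e.g. an ACME cert that renews at ~30 days never alerts
        notices.append((entry["name"], status, remaining.days))
    return sorted(notices, key=lambda n: n[2])

# Constructed sample data (not real certificates).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    {"name": "acme-web", "not_after": NOW + timedelta(days=29)},      # renewal slightly late
    {"name": "acme-stuck", "not_after": NOW + timedelta(days=20)},    # renewal failing
    {"name": "vpn-imported", "not_after": NOW + timedelta(days=27)},  # exactly at threshold
    {"name": "old-user", "not_after": NOW - timedelta(days=5), "revoked_in_crl": True},
    {"name": "old-ca", "not_after": NOW - timedelta(days=2)},
    {"name": "internal-ca", "not_after": NOW + timedelta(days=400)},
]

if __name__ == "__main__":
    for name, status, days in expiration_notices(INVENTORY, NOW, ignore_revoked=True):
        print(f"{status:9} {days:4d} days  {name}")
```

Raising `threshold_days` to 45 brings `acme-web` into the result, which is the effect the Tip describes for slow third-party issuance.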

SMTP E-mail

E-mail notifications are delivered by a direct SMTP connection to a mail server. The server must be configured to allow relaying from the firewall or accept authenticated SMTP connections.

Disable SMTP:

When checked, the firewall will not send SMTP notifications. This is useful to silence notifications while keeping SMTP settings in place for other uses, such as packages that utilize e-mail.

E-mail server:

The hostname or IP address of the e-mail server through which the firewall will send notifications.

SMTP Port of E-mail server:

The port to use when communicating with the SMTP server. The most common ports are 25 and 587.

In many cases, 25 will not work unless it is to a local or internal mail server. Providers frequently block outbound connections to port 25, so use 587 (the Submission port) when possible.

Connection Timeout to E-Mail Server:

The length of time, in seconds, that the firewall will wait for an SMTP connection to complete.

Secure SMTP Connection:

When set, the firewall will attempt a direct SSL/TLS connection when sending e-mail. The server must accept SSL/TLS connections on the configured port.

Warning

This option is not compatible with ports that utilize plain text and switch to TLS after using STARTTLS (e.g. 25, 587).

Note

When this option is not checked, the firewall will still automatically attempt to use STARTTLS to set up a secure TLS communications channel on ports 25 and 587 when authentication is configured.

Validate SSL/TLS:

When set, the certificate presented by the mail server is checked for validity against the root certificate authorities trusted by the firewall. Validating the certificate is the best practice.

In some rare cases a mail server may have a self-signed certificate or a certificate that otherwise fails validation. Unchecking this option will allow notifications to be sent to these servers using SSL/TLS. In this case, communication is still encrypted, but the identity of the server cannot be validated.

From e-mail address:

The e-mail address for the From: header in notification messages, which specifies the source. Some SMTP servers attempt to validate this address so the best practice is to use a real address in this field. This is commonly set to the same address as Notification E-mail address.

Notification E-mail address:

The e-mail address(es) for the To: header of the message, which is the destination where the notification e-mails will be delivered by the firewall.

Note

This field supports multiple addresses separated by a comma, for example: me@example.com,otheradmin@example.com.

Notification E-Mail Auth Username:

Optional. If the mail server requires a username and password for authentication, enter the username here.

Notification E-Mail Auth Password:

Optional. If the mail server requires a username and password for authentication, enter the password here and in the confirmation field.

Notification E-mail Auth Mechanism:

This field specifies the authentication mechanism required by the mail server. The majority of e-mail servers work with PLAIN authentication; others, such as MS Exchange, may require LOGIN style authentication.

Note

In 2022, Google phased out access to SMTP Submission and other similar services using the account username and password directly. To access these services, which Google has deemed “less secure”, the user must enable 2-Step Verification for their Google account and then create an App Password which can authenticate with these services.

Click Save at the bottom of the page to store the settings before proceeding.

Click Test SMTP Settings to generate a test notification and send it via SMTP using the previously stored settings. Save settings before clicking this button.
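How the Secure SMTP Connection and Validate SSL/TLS options interact, shown as a small SMTP client. This is an added example, not the firewall's implementation: `transport_mode`, `tls_context` and `send_notification` are hypothetical names that model the rules described in this section, and refusing to authenticate over plain text is this example's own policy.

```python
import smtplib
import ssl
from email.message import EmailMessage

STARTTLS_PORTS = {25, 587}  # plain-text ports the page names for STARTTLS

def tls_context(validate=True):
    """Validate SSL/TLS checked: verify chain and hostname. Unchecked: encrypt only."""
    ctx = ssl.create_default_context()
    if not validate:
        ctx.check_hostname = False        # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE   # encrypted, but server identity unverified
    return ctx

def transport_mode(port, secure, auth_configured):
    """Model of the rules described above (an assumption, not the firewall's code)."""
    if secure:
        if port in STARTTLS_PORTS:
            raise ValueError(f"port {port} starts in plain text; uncheck Secure SMTP Connection")
        return "implicit-tls"
    if auth_configured and port in STARTTLS_PORTS:
        return "starttls"
    return "plaintext"

def send_notification(host, port, sender, recipients, body, *, secure=False,
                      validate=True, username=None, password=None, timeout=20):
    """Send one message; recipients is a comma-separated string as in the GUI field."""
    mode = transport_mode(port, secure, username is not None)
    if mode == "plaintext" and username is not None:
        raise ValueError("refusing to send credentials over an unencrypted session")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipients, "Firewall notification"
    msg.set_content(body)
    ctx = tls_context(validate)
    if mode == "implicit-tls":
        client = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    else:
        client = smtplib.SMTP(host, port, timeout=timeout)
    with client:
        if mode == "starttls":
            client.starttls(context=ctx)  # raises if the server does not offer STARTTLS
        if username is not None:
            client.login(username, password)
        client.send_message(msg)
    return mode
```

Unlike the firewall, which the page says will attempt STARTTLS, this client fails closed when the server does not offer it.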

Sounds

Console Bell

When checked, emergency log messages, such as from a GUI login, will trigger a bell in connected consoles including serial terminals. On devices with a speaker, such messages can trigger an audible beep.

Startup/Shutdown Sound

If the firewall hardware has a PC speaker, it will play a sound when startup finishes and again when a shutdown is initiated.

Check Disable the startup/shutdown beep to prevent the firewall from playing these sounds.

Telegram

The notification system supports the Telegram API which can send notifications to desktops and mobile devices, among others.

Note

Using the Telegram API requires a Telegram Bot and its associated API key.

Enable Telegram:

When set, the firewall will attempt to send remote notifications using the Telegram API and the settings in this section.

API Key:

Required. The Telegram Bot API key the firewall will use to authenticate with the Telegram API server.

Chat ID:

The destination for the notifications. This can be a chat ID number for private notifications, or a channel @username for public notifications.

Click Save at the bottom of the page to store the settings before proceeding.

Click Test Telegram Settings to generate a test notification and send it using the Telegram API with the previously stored settings. Save settings before clicking this button.

Pushover

The notification system supports the Pushover API which can send notifications to desktops and mobile devices, among others.

Note

Using the Pushover API requires a Pushover account user key and API key (Pushover Registration).

Enable Pushover:

When set, the firewall will attempt to send remote notifications using the Pushover API and the settings in this section.

API Key:

Required. The Pushover API Key (Pushover Registration) the firewall will use to authenticate with the Pushover API server.

User Key:

Required. The User Key (Pushover Registration) of the Pushover account to which the API Key belongs.

Notification Sound:

The notification sound that the end user device (phone, etc.) will play when notification messages are sent by the firewall.

See also

For a list of sounds and audio, see the Pushover API Notification Sounds Documentation.

Message Priority:

The message priority for firewall notifications.

Note

For more information about the priorities and their meanings, see the Pushover API Priority Documentation.

The following priorities are available:

Normal:

Default setting. May trigger sound, vibration, and notification display depending on the user settings and client platform.

Lowest:

No sound or vibration, but increases the notification count on some platforms.

Low:

No sound or vibration. May trigger a notification display depending on the user settings and client platform.

High:

Always play sound and vibrate. Bypasses pre-set quiet hours. Notification display is highlighted in red.

Emergency:

Similar to High priority, but the notification is repeated until acknowledged by the user.

Emergency Priority Notification Retry Interval:

The interval, in seconds, at which the Pushover servers will resend the same Emergency priority notification until the notification is acknowledged.

This parameter must have a value of at least 30 seconds between retries. Default is 60 seconds (1 minute).

Emergency Priority Notification Expiration:

The duration, in seconds, for which Emergency priority notifications will be retried until the notification is acknowledged. Notifications will be resent at intervals determined by the value of Emergency Priority Notification Retry Interval.

This parameter must have a value of at most 10800 seconds (3 hours). Default is 300 seconds (5 minutes).

Click Save at the bottom of the page to store the settings before proceeding.

Click Test Pushover Settings to generate a test notification and send it using the Pushover API with the previously stored settings. Save settings before clicking this button.

Slack

The notification system supports the Slack API which can send notifications to Slack channels.

Note

Using the Slack API requires a Slack API key (Slack API Registration).

Enable Slack:

When set, the firewall will attempt to send remote notifications using the Slack API and the settings in this section.

API Key:

Required. The Slack API Key (Slack API Registration) the firewall will use to authenticate with Slack servers.

Slack Channel:

The name of the Slack channel to which the firewall will send notifications (e.g. #firewall).

Click Save at the bottom of the page to store the settings before proceeding.

Click Test Slack Settings to generate a test notification and send it using the Slack API with the previously stored settings. Save settings before clicking this button.