Hello.
Using FW Analyzer 5:
Running a traffic report sorted by hits or volume, I occasionally observe hyper-active hosts on my intranet.
I wish to anticipate my observations by means of alerts.
I have not found a way to configure an alert profile to react to a single, yet not pre-defined, source.
Speaking in numbers, assume my intranet is 172.16.0.0/16 with some 500 hosts.
I am not particularly keen on trapping any particular host (as you demonstrate in the examples), nor on creating as many alert profiles as there are IP sources. Still, I wish to be notified, at the moment the event threshold is exceeded, which host caused the excess. I could not define a better condition than:
( RESOURCE = firewall )
AND
( SRC >* 172.16. )
but obviously it behaves as a cumulative condition for all hosts on the 172.16.0.0/16 network, and I expect to catch a single misbehaving one.
Regards,
Rafal Sobecki
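To make the distinction in the question concrete, here is an added example (not code from the poster, and not a Firewall Analyzer feature) that shows why a condition like `SRC >* 172.16.` counts hits for the whole /16 cumulatively, and what a per-host threshold over the same events looks like. It assumes a simplified `key=value` log format that I constructed for the demonstration; the threshold value and the sample lines are likewise made up.

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log lines (not real Firewall Analyzer output).
# One host, 172.16.4.10, is deliberately "hyper-active"; 192.168.1.7 is
# outside the intranet and must not be counted at all.
SAMPLE_LOGS = """\
2024-01-01T10:00:01 src=172.16.4.10 dst=10.0.0.5 action=allow
2024-01-01T10:00:02 src=172.16.9.22 dst=10.0.0.5 action=allow
2024-01-01T10:00:03 src=172.16.4.10 dst=10.0.0.8 action=allow
2024-01-01T10:00:04 src=192.168.1.7 dst=10.0.0.5 action=deny
2024-01-01T10:00:05 src=172.16.4.10 dst=10.0.0.9 action=allow
2024-01-01T10:00:06 src=172.16.1.1 dst=10.0.0.5 action=allow
2024-01-01T10:00:07 src=172.16.4.10 dst=10.0.0.5 action=allow
2024-01-01T10:00:08 src=192.168.1.7 dst=10.0.0.5 action=deny
2024-01-01T10:00:09 src=172.16.9.22 dst=10.0.0.5 action=allow
2024-01-01T10:00:10 src=172.16.4.10 dst=10.0.0.5 action=allow
"""
SAMPLE_LINES = SAMPLE_LOGS.splitlines()

INTRANET = ipaddress.ip_network("172.16.0.0/16")  # the poster's intranet
PER_HOST_THRESHOLD = 3  # hypothetical: alert when one host exceeds this many hits


def parse_sources(lines):
    """Extract the src= address from each line; skip lines with no valid src."""
    sources = []
    for line in lines:
        for field in line.split():
            if field.startswith("src="):
                try:
                    sources.append(ipaddress.ip_address(field[len("src="):]))
                except ValueError:
                    pass  # malformed address: ignore rather than crash
    return sources


def count_per_host(lines, network=INTRANET):
    """Hits per source host, restricted to hosts inside the intranet."""
    counts = Counter()
    for ip in parse_sources(lines):
        if ip in network:
            counts[str(ip)] += 1
    return counts


def cumulative_hits(lines, network=INTRANET):
    """What a single 'SRC matches the /16' condition effectively measures:
    one total for the whole network, with no idea which host produced it."""
    return sum(count_per_host(lines, network).values())


def offending_hosts(lines, threshold=PER_HOST_THRESHOLD, network=INTRANET):
    """Per-host evaluation: the hosts whose own hit count exceeds the threshold.
    Returns (host, hits) pairs, so the alert can name the culprit."""
    counts = count_per_host(lines, network)
    return sorted((ip, n) for ip, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print("cumulative hits for 172.16.0.0/16:", cumulative_hits(SAMPLE_LINES))
    print("hosts over per-host threshold:", offending_hosts(SAMPLE_LINES))
```

On the constructed lines the cumulative figure is 8 hits for the whole network, which tells you nothing about who is responsible, while the per-host pass names 172.16.4.10 with 5 hits as the only host over the threshold. Whatever the product's alert profile syntax turns out to be, the check you want is the second shape: group by source first, then compare each group's count against the threshold.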