Creating Alert Policy elements

Alert Policies determine the criteria for selecting which alerts generated by various sources are escalated to which Alert Chains.

Firewalls, Layer 2 Firewalls, IPS engines, and SMC servers are possible sources for alerts. If Domain elements have been configured, you can select a Domain as a Sender in an Alert Policy in the Shared Domain.

An Alert Policy contains rules for matching incoming alert entries. Alert entries that match an Alert Policy rule are escalated to the Alert Chain defined in the rule. An alert entry that does not match any rule in the Alert Policy is not escalated at all, so make sure that your Alert Policies also contain rules that escalate System Alerts.

The fields in Alert Policy rules are explained in the following table.

Table 1. Alert Policy fields

ID
    A unique identifier for the rule. You cannot edit the ID.

Sender
    Allows you to limit the rule to match alert entries generated by one or more particular components. NGFW Engines and SMC servers are possible senders for alerts. If Domain elements have been configured in your system, a Domain can also be selected as a Sender in an Alert Policy in the Shared Domain.

Alert and Situation
    Allows you to limit the rule to match alert entries that are based on one or more particular Alert elements or Situation elements.

Time
    Allows you to limit the time of day and day of the week when the rule is active. For example, you can send different notifications for weekends or nights.

Severity
    Allows you to limit the rule to match alert entries that have a Severity value within a certain range. For example, you can escalate only the most critical alerts using SMS notification, and escalate the other alerts using email notification.

Chain
    Defines the Alert Chain that is used for escalating matching alert entries.

Comment (Optional)
    A comment for your own reference.

Rule Name
    Contains a rule tag that cannot be edited. You can optionally also add a name for the rule, which is displayed alongside the rule tag.
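The following is an added example, written for this page and not code from the SMC product, that models how the fields above combine into a rule and how a policy escalates (or drops) alert entries. Everything in it is an assumption for illustration: the sender names (fw-hq, fw-branch, smc-server), the Situation names, the 1 to 10 severity scale, the first-match top-down evaluation order, and the convention that a Time window which wraps past midnight starts on a listed day. It also includes a small audit, system_alert_gaps, that probes a policy with sample System Alert entries across the week and reports the combinations that no rule would escalate, which is the check the warning above asks you to make.

```python
"""Toy matcher for SMC-style Alert Policy rules (illustrative example, not Forcepoint's code)."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import FrozenSet, List, Optional, Tuple

# Severity scale assumed for this example: 1 (lowest) .. 10 (highest).
SEVERITY_MIN, SEVERITY_MAX = 1, 10


@dataclass(frozen=True)
class AlertEntry:
    sender: str          # component that generated the entry (engine or SMC server)
    situation: str       # Alert / Situation element name
    severity: int
    timestamp: datetime


@dataclass(frozen=True)
class TimeWindow:
    """Days of week (0=Mon .. 6=Sun) plus a time-of-day range in which a rule is active.

    If end <= start the range wraps past midnight and is taken to *start* on a listed
    day, so a Mon-Fri 18:00-08:00 window still covers Saturday 03:00.  This is the
    example's own convention (assumption), not a statement about how the SMC evaluates Time.
    """
    days: FrozenSet[int]
    start: time
    end: time

    def contains(self, ts: datetime) -> bool:
        t, day = ts.time(), ts.weekday()
        if self.start < self.end:                       # same-day window
            return day in self.days and self.start <= t < self.end
        previous_day = (day - 1) % 7                    # window that wraps midnight
        return (day in self.days and t >= self.start) or \
               (previous_day in self.days and t < self.end)


@dataclass(frozen=True)
class AlertRule:
    rule_id: int
    chain: str                                   # Alert Chain used when the rule matches
    senders: Optional[FrozenSet[str]] = None     # None = any sender
    situations: Optional[FrozenSet[str]] = None  # None = any Alert / Situation
    time: Optional[TimeWindow] = None            # None = always active
    severity: Tuple[int, int] = (SEVERITY_MIN, SEVERITY_MAX)
    name: str = ""

    def matches(self, e: AlertEntry) -> bool:
        if self.senders is not None and e.sender not in self.senders:
            return False
        if self.situations is not None and e.situation not in self.situations:
            return False
        if self.time is not None and not self.time.contains(e.timestamp):
            return False
        low, high = self.severity
        return low <= e.severity <= high


def escalate(policy: List[AlertRule], entry: AlertEntry) -> Optional[str]:
    """Return the Alert Chain of the first matching rule, or None when the entry is not escalated.
    Top-down first-match order is an assumption of this example."""
    for rule in policy:
        if rule.matches(entry):
            return rule.chain
    return None


def system_alert_gaps(policy: List[AlertRule], sender: str = "smc-server",
                      situation: str = "System Alert") -> List[Tuple[int, int, int]]:
    """Probe one System Alert sample per weekday/hour/severity; return (day, hour, severity)
    combinations that no rule in the policy would escalate."""
    gaps = []
    monday = datetime(2024, 1, 1)   # 2024-01-01 is a Monday
    for day in range(7):
        for hour in range(24):
            for sev in range(SEVERITY_MIN, SEVERITY_MAX + 1):
                ts = monday + timedelta(days=day, hours=hour)
                if escalate(policy, AlertEntry(sender, situation, sev, ts)) is None:
                    gaps.append((day, hour, sev))
    return gaps


WEEKDAYS = frozenset(range(0, 5))
OFFICE_HOURS = TimeWindow(WEEKDAYS, time(8, 0), time(18, 0))
WEEKNIGHTS = TimeWindow(WEEKDAYS, time(18, 0), time(8, 0))   # wraps midnight

# Constructed policy mirroring the text: critical alerts by SMS, the rest by email,
# a dedicated rule for System Alerts, and a sender-specific rule for one engine.
POLICY = [
    AlertRule(1, "SMS to on-call", severity=(8, 10), name="Critical, any time"),
    AlertRule(2, "Email to operations", time=OFFICE_HOURS, severity=(1, 7)),
    AlertRule(3, "Email to admin", situations=frozenset({"System Alert"})),
    AlertRule(4, "Ticket queue", senders=frozenset({"fw-branch"}), time=WEEKNIGHTS),
]

# Constructed alert entries (Tue 2024-01-02, Sat 2024-01-06).
ENTRIES = {
    "critical_office": AlertEntry("fw-hq", "Connection Blocked", 9, datetime(2024, 1, 2, 10, 0)),
    "low_office":      AlertEntry("fw-hq", "Connection Blocked", 3, datetime(2024, 1, 2, 10, 0)),
    "system_weekend":  AlertEntry("smc-server", "System Alert", 4, datetime(2024, 1, 6, 3, 0)),
    "branch_night":    AlertEntry("fw-branch", "IPS Match", 5, datetime(2024, 1, 6, 3, 0)),
    "hq_weekend":      AlertEntry("fw-hq", "IPS Match", 5, datetime(2024, 1, 6, 3, 0)),
}

if __name__ == "__main__":
    for label, entry in ENTRIES.items():
        print(f"{label:16} -> {escalate(POLICY, entry) or 'NOT ESCALATED'}")
    without_rule3 = [r for r in POLICY if r.rule_id != 3]
    print("System Alert gaps with rule 3:   ", len(system_alert_gaps(POLICY)))
    print("System Alert gaps without rule 3:", len(system_alert_gaps(without_rule3)))
```

The hq_weekend entry shows the failure mode the page warns about: a low-severity alert from an engine outside office hours matches no rule and is silently dropped. Removing rule 3 leaves every weekend and night-time System Alert of severity 1 to 7 in the same position, which the audit reports as 826 uncovered samples; with rule 3 in place it reports none.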