Edit Alert Policy rules

Alert Policy rule settings include the Alert Sender, the Alert and Situation, Time, and Severity.

Steps

  1. Select Configuration, then browse to Administration.
  2. Browse to Alert Configurations > Alert Policies.
  3. Right-click an Alert Policy, then select Edit <name>.
  4. Add a rule:
    • In an empty Alert Policy, right-click the rule table, then select Rule > Add Rule.
    • In an Alert Policy with existing rules, right-click a rule ID, then select Rule > Add Rule Before or Rule > Add Rule After.
  5. Specify the rule settings.
  6. Select which Alert Chain is processed when an alert event matches this rule.
  7. Click Save.

Alert Policy Editing view

Use this view to edit Alert rules in an Alert Policy element.

Resources: Use this pane to create and add elements to a policy.
Search: Opens a search field for the selected element list.
Up (Backspace): Returns to the previous folder.
New: Opens the associated dialog box to create an element.
Tools: Show Deleted Elements — Shows elements that have been moved to the Trash.

Policy Toolbar

Save: Saves the changes.
Save and Install: Saves the changes and installs the policy on the target engine.
Undo operation: Undoes the last change made.
Redo operation: Redoes the last change that was undone.
Tools:
  • Validate — Validates the rules in the policy. Opens the Validate Policy dialog box, in which you select which issues are checked in the rules.
  • Compare to Policy Snapshot — Compares the policy with a previously created snapshot of the policy.
  • Expand Rule Sections — If you have added Rule Sections, they are all expanded.
  • Collapse Rule Sections — If you have added Rule Sections and they are expanded, they are all collapsed.
Target selector: Selects the target Domain for the Validate action.

Rules table

ID (Not editable): Automatically assigned ID number that indicates the order of the rules in the policy. The rules are matched against traffic in the order of the ID numbers. For example, rule 14.3 is the third rule added in this policy at the insert point that is the fourteenth rule in the upper-level template.
Right-clicking this type of cell opens these menu items:
  • Properties — Opens the Rule Properties dialog box.
  • Cut Rule — Copies the rule to the clipboard and deletes the rule from the policy.
  • Copy Rule — Copies the rule from the policy to the clipboard.
  • Paste — Pastes the rule into the policy.
  • Delete Rule — Deletes the rule from the policy.
  • Disable Rule — Temporarily disables the rule without deleting it.
  • Add Rule Before — Adds a new rule before the selected rule or section.
  • Add Rule After — Adds a new rule after the selected rule or section.
  • Add Rule Section Before — Creates a collapsible section before the selected rule or section.
  • Add Rule Section After — Creates a collapsible section after the selected rule or section.
  • Move Rule Up — Moves the rule up in the list.
  • Move Rule Down — Moves the rule down in the list.
  • Show Related Logs — Filters the logs based on the rule identifier.
Sender: Drag and drop elements from the Resources pane to specify the Alert Sender, or keep the option Set to ANY.
Alert and Situation (Optional): Specifies the Alert and Situation that the rule matches.
Time: Allows you to specify when the rule starts being enforced, when the rule automatically expires, and when the rule is active. By default, rules start being enforced when you install the policy, never expire automatically, and are always active. Drag and drop a Rule Validity Time element to the cell.

Severity: Double-click the cell to open the Select Severity dialog box, then specify the Severity value or the range of Severity values that this rule matches. To define a single Severity value, select Severity and one of the options. To match a range of Severities, select Severity Range and define the range in the From and To lists.

Chain (Optional): Specifies which Alert Chain is processed when an alert event matches this rule.
Rule Name: Contains a rule tag and optionally a rule name.
  • Name (Optional) — Name or description for the rule. Displayed alongside the rule tag.
  • Tag (Not editable) — Automatically assigned unique identification for the rule. Works as a link between the log entries and the rule that generated them. The rule tag consists of two parts separated by a period (for example, @20.1). The first part is permanent and belongs only to that rule. The second part changes whenever the rule is changed.
Right-clicking this type of cell opens these menu items:
  • Edit Rule Name — Opens a text area in which you can edit the rule name.
  • Clear Cell — Removes the cell content.
  • The remaining menu items are the same as for the ID cell.
Comment: An optional comment for your own reference.

Rule Properties dialog box

General tab

Name: Specifies the element name.
Rule Tag: Rule tag of the rule.
Comment: An optional comment for your own reference.

Rule Info tab

Shows the rule cells and their values. Right-clicking the ID cell opens the following menu items:
  • Preview Alert Rule — Opens the Alert rule for preview.
  • Lock — Prevents edits until the rule is explicitly unlocked. Opens the Lock Properties dialog box.

History tab

Creator: Shows the administrator who created the rule.
Created: Shows the time when the rule was created.
Modifier: Shows the administrator who modified the rule.
Modified: Shows the time when the rule was modified.
Audit History: Opens the Logs view and displays the audit log data for traffic that matches the rule.

Rule Validity Time Properties dialog box

Use this dialog box to create and modify Rule Validity Time elements.

Name: The name of the element.
Time Zone:
  • UTC — When selected, the times are specified in UTC time.
    Note: UTC time does not adjust for Daylight Saving Time (summer time).
  • NGFW Engine Local Time — When selected, the times are specified in the local time zone of the NGFW Engine.
Enable Starting From (Optional): The date when the rule starts being enforced. By default, the rule is enforced starting from the next policy installation.
Automatically Disable (Optional): The date when the rule automatically expires. When a rule automatically expires, traffic can no longer match the rule. By default, the rule never expires.
Active: Specifies when the rule is active:
  • Always — The rule is always active.
  • Between These Times of the Day — The rule is active between the times specified in the Start Time and End Time fields.
  • On These Days of the Week — The rule is active on the selected days of the week between the times specified in the Start Time and End Time fields.
  • On These Days of the Month — The rule is active on the selected days of the month between the times specified in the Start Time and End Time fields.
  • On These Dates of the Year — The rule is active on the specified dates of the year between the times specified in the Start Time and End Time fields.
Start (When On These Dates of the Year is selected): The date on which the rule becomes active.
End (When On These Dates of the Year is selected): The date on which the rule stops being active.
Start Time (Either Start Time or End Time is required when Between These Times of the Day is selected. Optional for all other selections.): The time of day when the rule becomes active.
End Time (Either Start Time or End Time is required when Between These Times of the Day is selected. Optional for all other selections.): The time of day when the rule stops being active.
Comment (Optional): A comment for your own reference.

Select Severity dialog box

Use this dialog box to define the severity of an Alert rule in an Alert Policy element.

Severity: Severity value or the range of Severity values that this rule matches.
  • Severity — Select to define a single Severity value, then select one of the Severity options.
  • Severity Range — Select if you want the rule to match a range of Severities, then define the range in the From and To lists.
Information: Alerts that are meant for information only. Corresponds to numeric alert value 1.
Low: Alerts that have a low severity. Corresponds to numeric alert values 2–4.
High: Alerts that have a high severity. Corresponds to numeric alert values 5–7.
Critical: Alerts that have the highest severity. Corresponds to numeric alert values 8–10.
From: The start value of a Severity Range.
To: The end value of a Severity Range.
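The Severity ranges above and the Rule Validity Time options (UTC versus NGFW Engine Local Time, Enable Starting From, Automatically Disable, the active time window) together decide whether an alert event matches a rule, and the first matching rule in ID order selects the Alert Chain. The Python model below is an added example, not Forcepoint's code or the SMC's API: every class, field and function name is assumed, the engine-local zone is represented by a tzinfo you pass in, Sender and Alert/Situation are treated as ANY, and expiry is assumed to take effect at 00:00 on the Automatically Disable date.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timezone, tzinfo
from typing import Optional

# Added example; names are assumed. Severity ranges come from the Select Severity dialog box.
SEVERITY_VALUES = {"Information": (1, 1), "Low": (2, 4), "High": (5, 7), "Critical": (8, 10)}

@dataclass
class RuleValidityTime:
    tz: tzinfo = timezone.utc            # UTC never shifts for DST; pass a ZoneInfo for engine-local time
    enable_from: Optional[date] = None   # Enable Starting From
    disable_on: Optional[date] = None    # Automatically Disable (assumed: expires at 00:00 that day)
    weekdays: Optional[set] = None       # On These Days of the Week, 0=Monday; None = every day
    start_time: Optional[time] = None    # Start Time; only one of Start/End Time is required
    end_time: Optional[time] = None      # End Time

    def is_active(self, when: datetime) -> bool:
        local = when.astimezone(self.tz)  # evaluate the event in the element's time zone
        if self.enable_from and local.date() < self.enable_from:
            return False
        if self.disable_on and local.date() >= self.disable_on:
            return False
        if self.weekdays is not None and local.weekday() not in self.weekdays:
            return False
        start, end = self.start_time or time.min, self.end_time or time.max
        if start <= end:
            return start <= local.time() <= end
        return local.time() >= start or local.time() <= end  # window crosses midnight

@dataclass
class AlertRule:
    rule_id: str
    chain: str                           # Alert Chain processed when the rule matches
    severity: tuple = (1, 10)            # (From, To); a single Severity value is (v, v)
    validity: Optional[RuleValidityTime] = None

def select_chain(rules, severity: int, when) -> Optional[str]:
    """First rule in ID order whose Severity and Rule Validity Time match wins."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when  # ISO 8601 with offset
    for rule in rules:
        lo, hi = rule.severity
        if lo <= severity <= hi and (rule.validity is None or rule.validity.is_active(when)):
            return rule.chain
    return None

def example_policy():
    """Constructed sample: Critical alerts outside 08:00-18:00 UTC go to an on-call chain."""
    off_hours = RuleValidityTime(start_time=time(18, 0), end_time=time(8, 0))
    return [AlertRule("1", "On-call Chain", SEVERITY_VALUES["Critical"], off_hours),
            AlertRule("2", "Default Chain", (SEVERITY_VALUES["Low"][0], 10))]
```

Because rule 2 starts at Low (2), an Information alert (1) matches nothing and is processed by no chain, which is the kind of gap the Validate action is meant to surface.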