Notification Properties
Return to Policies if you’re looking for an overview of policies.
The Notification page specifies the recipient to notify when an alert occurs. Notifications can be sent by several different means, as specified by the recipient. You can define recipients using the Definitions > Recipients page if you anticipate that they will be reused frequently, or you can specify an ordinary Email address if that’s more convenient.
To define the alert Notification:
1. Click Generate a separate alert for each violating entity if alerts for a collective object (such as Any App or Any Host) should instead be sent for each constituent object (such as each individual application or individual host).
2. Choose Add Recipient to open a list of recipients that have been specified on the Definitions > Recipients page.
3. Select the check boxes in the entries for the recipients that are to receive notifications.
4. Choose Add Email if you want to specify one or more ordinary Email addresses to which to send notifications. You can click Test to send a message to the address to confirm that it’s been configured as you expect.
5. Choose the alerting thresholds the recipient/address is monitoring, and for which they will receive notifications.
6. To notify a recipient/address during every minute that the alert is ongoing, click in the right side of the “Notify continuously” slider or use your mouse to click-drag the slider to the right side.
7. Choose Finish to exit the wizard and add the policy definition to the list on the Policies page.
When recipients are notified
All recipients are notified when an alert threshold they are monitoring is crossed in either direction. For example, a new Critical alert crosses Minor, Major, and Critical alerting thresholds, so all recipients will receive notifications that the threshold they are monitoring has been crossed.
Recipients are notified about the starting and stopping of the alert severity level they are monitoring. The policy violation may be more severe than the alert level, but recipients receive notifications about only the alert levels selected in the Notification step of the policy definition.
When the severity of a policy violation decreases below a monitored threshold, recipients monitoring that threshold are notified. For example, assume that Recipient A is monitoring only Critical alerts and Recipient B is monitoring both Critical and Major alerts. Assume that as network conditions improve, the policy violation severity drops below the Critical alert threshold but is still above the Major alert threshold. If no more Critical alerts occur within the specified time span, both Recipient A and Recipient B are notified that the Critical alert is no longer ongoing. This is because both recipients are monitoring Critical alerts. Now, assume that the same policy violation decreases in severity until it no longer exceeds the Major alert threshold. Recipient B is notified that the Major alert is no longer ongoing.
The Alert Event Over option sends a notification when an alert expires because it has not been updated. No additional updates are made to an expired alert, and subsequent violations of the policy will create a new alert. The Alert Event Over notification is sent to all subscribed recipients up to, and including, the maximum alert level attained by the alert. For example, if an alert starts at Minor, changes after a time to Major, subsequently returns to Minor, then expires, only Minor and Major recipients will receive Alert Event Over notifications. Any recipients of Critical alerts would not receive an Alert Event Over notification, since they never received an Alert Has Started notification.
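The rules in this section, modeled as an added Python example (not the product's code): a recipient is notified for each monitored threshold crossed in either direction, and Alert Event Over goes to recipients up to the maximum level the alert attained. The function names and sample recipients are hypothetical.

```python
# Added illustration of the notification rules on this page; not product code.
# All names here (RANK, threshold_notifications, ...) are hypothetical.
RANK = {"Minor": 1, "Major": 2, "Critical": 3}
LEVEL = {rank: name for name, rank in RANK.items()}


def threshold_notifications(timeline, subscriptions):
    """Return (step, recipient, level, event) for every threshold crossing.

    timeline: alert severity per evaluation, e.g. ["Critical", "Major", None];
              None means the violation is below every alerting threshold.
    subscriptions: recipient -> set of monitored levels.
    """
    events, prev = [], 0
    for step, severity in enumerate(timeline):
        cur = RANK.get(severity, 0)
        if cur > prev:      # crossed upward: each level in (prev, cur] starts
            crossed, event = range(prev + 1, cur + 1), "started"
        else:               # crossed downward: each level in (cur, prev] ends
            crossed, event = range(prev, cur, -1), "ended"
        for rank in crossed:
            for recipient in sorted(subscriptions):
                if LEVEL[rank] in subscriptions[recipient]:
                    events.append((step, recipient, LEVEL[rank], event))
        prev = cur
    return events


def alert_event_over_recipients(timeline, subscriptions):
    """Recipients monitoring any level up to the maximum the alert attained."""
    peak = max((RANK.get(s, 0) for s in timeline), default=0)
    return sorted(r for r, levels in subscriptions.items()
                  if any(RANK[lvl] <= peak for lvl in levels))


if __name__ == "__main__":
    # Constructed sample data matching the two examples in the text.
    subs = {"Recipient A": {"Critical"}, "Recipient B": {"Critical", "Major"}}
    for event in threshold_notifications(["Critical", "Major", None], subs):
        print(event)
    by_level = {"minor-rcpt": {"Minor"}, "major-rcpt": {"Major"},
                "critical-rcpt": {"Critical"}}
    print(alert_event_over_recipients(["Minor", "Major", "Minor"], by_level))
```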
There is a limit of 25 alerts per evaluation period imposed for all policies (user-defined policies and built-in policies). This limit prevents overly sensitive policies from flooding the alerting and notification systems. If a particular policy has more than 25 alerts in a single evaluation cycle, the alerts will be triaged by severity: more severe alerts will have priority over less severe ones.
Notification example
The product checks for policy violations once per minute. Assume that you specify that an alert is to be generated if a policy violation occurs more than twice during a 5-minute period. Assume that there are currently no policy violations. Alerting could proceed as in this example:
12:00 - No violations.
12:01 - No violations.
12:02 - No violations.
12:03 - A Minor violation occurs. No alert is generated, but the appliance waits to see if a second Minor violation will occur within 5 minutes of the first violation.
12:04 - No violations.
12:05 - No violations.
12:06 - A second Minor violation occurs. It has not been 5 minutes since the first policy violation occurred at 12:03, so the appliance recognizes a Minor alert and sends notifications (if configured) that a Minor alert has started.
12:07 - No new violations. If configured to continuously notify recipients, the appliance sends notifications that the Minor alert is ongoing.
12:08 - A Major violation occurs. This violates both the Minor criteria and the Major criteria. So the appliance sends notifications that a Major alert has started.
12:09 - No new violations. The appliance sends notifications to continuously notified recipients that the Major alert is ongoing.
12:10 - 12:12 - No new violations. The appliance continues to send notifications each minute that the Major alert is still ongoing and continues to wait for another alert to occur within 5 minutes of the latest alert.
12:13 - No new violations within the past 5 minutes. The appliance sends notifications that the Major and Minor alerts have ended.