Manual Configuration of Alerts

To configure alerts manually, refer to the Grafana documentation for setting up alerts.

Configuration in Grafana Web UI

  1. Open the Grafana Web UI.

  2. Navigate to Alerts > Alerts Rules.

  3. In the top right corner, click New alert rule.

  4. In Step 1, enter the alert name.

  5. Select your data source.

  6. Configure the alert query and expression.

  7. In Step 4, create a folder or assign the alert to an existing folder.

  8. In Step 5, either select an existing or create new evaluation Group which defines the sample rate for all your alerts in the group. Configure the applicable pending mode.

  9. Give the alert a summary and attach it to your dashboard widgets if needed.

Example Configuration Queries for Alerts

Query for alert - Security Gateway is "Down"

PromQL syntax for the query:

clamp_min(count(count by(host_name) (rate(sdwan_modules_cost[5d]))), 0) - clamp_min(count(count by(host_name) (rate(sdwan_modules_cost[3m]))), 0)

Expression:

Expression C:

  • Type: Threshold

  • Input: A

  • Is above: 0

Alert Summary:

The Security Gateway was up in the last 5 days but it is not sending telemetry in the last 3 minutes.

The Security Gateway may be down or unreachable.

Remediation:

  1. Verify the Security Gateway is powered on.

  2. Check connectivity, modem status and reachability with ping / SSH.

  3. Check connectivity and skyline configuration between the Security Gateway and the monitoring system.

  4. Based on the results of previous steps, contact the ISP Support or Check Point Support.

Labels:

  1. Importance: Critical

  2. Severity: Critical

Query for alert - ISP "Down"

PromQL syntax for the query:

count by(host_name, isp_name) (system_sdwan_rules_steering_isp_cost{isp_state="DOWN"})

Expression:

Is above or equal to: 1

Alert Summary:

SD-WAN detected that an ISP is unreachable based on nexthop probes.

This may be caused by a physical link failure, upstream outage, or unresponsive next hop.

Remediation:

  1. Verify interface and modem status on the gateway.

  2. Review recent changes in the ISP link configuration (speed/duplex, VLANs, etc.).

  3. Follow the ISP troubleshooting steps in the admin guide.

  4. If the link remains down, contact the ISP Support or Check Point Support.

Labels:

  1. Importance: Critical

  2. Severity: Critical

Query for alert - Link QOE is low

PromQL syntax for the query:

avg by (isp_name, host_name) (

  max by (host_name, steering_policy, steering_policy_uuid, isp_name) (

    system_sdwan_rules_steering_isp_cost{} >= bool 0

  )

  *

on (steering_policy_uuid, steering_policy, isp_name) group_left()

  (

    1

    + 0.035 *

      clamp_min(

        clamp_max(

          94.2

          - (

              0.024 * (

                (

                  max by (steering_policy, steering_policy_uuid, isp_name) (

                    avg_over_time(system_sdwan_rules_steering_latency_stat{}[5m])

                  ) / 2

                )

                + max by (steering_policy, steering_policy_uuid, isp_name) (

                    avg_over_time(system_sdwan_rules_steering_jitter_stat{}[5m])

                  )

              )

              + 0.11 * (

                  (

                    (

                      max by (steering_policy, steering_policy_uuid, isp_name) (

                        avg_over_time(system_sdwan_rules_steering_latency_stat{}[5m])

                      ) / 2

                    )

                    + max by (steering_policy, steering_policy_uuid, isp_name) (

                        avg_over_time(system_sdwan_rules_steering_jitter_stat{}[5m])

                      )

                    - 177.3

                  )

                  * (

                    (

                      (

                        max by (steering_policy, steering_policy_uuid, isp_name) (

                          avg_over_time(system_sdwan_rules_steering_latency_stat{}[5m])

                        ) / 2

                      )

                      + max by (steering_policy, steering_policy_uuid, isp_name) (

                          avg_over_time(system_sdwan_rules_steering_jitter_stat{}[5m])

                        )

                      - 177.3

                    ) > bool 0

                  )

              )

            )

          - (

              (95 * max by (steering_policy, steering_policy_uuid, isp_name) (

                     avg_over_time(system_sdwan_rules_steering_packet_lost_percentage{}[5m])

                 ))

              /

              (max by (steering_policy, steering_policy_uuid, isp_name) (

                 avg_over_time(system_sdwan_rules_steering_packet_lost_percentage{}[5m])

               ) + 25)

            )

        , 100)

      , 0)

    + 0.000007 *

      clamp_min(

        clamp_max(

          94.2

          - (

              0.024 * (

                (

                  max by (steering_policy, steering_policy_uuid, isp_name) (

                    avg_over_time(system_sdwan_rules_steering_latency_stat{}[5m])

                  ) / 2

                )

                + max by (steering_policy, steering_policy_uuid, isp_name) (

                    avg_over_time(system_sdwan_rules_steering_jitter_stat{}[5m])

                  )

              )

              + 0.11 * (

                  (

                    (

                      max by (steering_policy, steering_policy_uuid, isp_name) (

                        avg_over_time(system_sdwan_rules_steering_latency_stat{}[5m])

                      ) / 2

                    )

                    + max by (steering_policy, steering_policy_uuid, isp_name) (

                        avg_over_time(system_sdwan_rules_steering_jitter_stat{}[5m])

                      )

                    - 177.3

                  )

                  * (

                    (

                      (

                        max by (steering_policy, steering_policy_uuid, isp_name) (

                          avg_over_time(system_sdwan_rules_steering_latency_stat{}[5m])

                        ) / 2

                      )

                      + max by (steering_policy, steering_policy_uuid, isp_name) (

                          avg_over_time(system_sdwan_rules_steering_jitter_stat{}[5m])

                        )

                      - 177.3

                    ) > bool 0

                  )

              )

            )

          - (

              (95 * max by (steering_policy, steering_policy_uuid, isp_name) (

                     avg_over_time(system_sdwan_rules_steering_packet_lost_percentage{}[5m])

                 ))

              /

              (max by (steering_policy, steering_policy_uuid, isp_name) (

                 avg_over_time(system_sdwan_rules_steering_packet_lost_percentage{}[5m])

               ) + 25)

            )

        , 100)

      , 0)

    *

    (

      clamp_min(

        clamp_max(

          94.2

          - (

              0.024 * (

                (

                  max by (steering_policy, steering_policy_uuid, isp_name) (

                    avg_over_time(system_sdwan_rules_steering_latency_stat{}[5m])

                  ) / 2

                )

                + max by (steering_policy, steering_policy_uuid, isp_name) (

                    avg_over_time(system_sdwan_rules_steering_jitter_stat{}[5m])

                  )

              )

              + 0.11 * (

                  (

                    (

                      max by (steering_policy, steering_policy_uuid, isp_name) (

                        avg_over_time(system_sdwan_rules_steering_latency_stat{}[5m])

                      ) / 2

                    )

                    + max by (steering_policy, steering_policy_uuid, isp_name) (

                        avg_over_time(system_sdwan_rules_steering_jitter_stat{}[5m])

                      )

                    - 177.3

                  )

                  * (

                    (

                      (

                        max by (steering_policy, steering_policy_uuid, isp_name) (

                          avg_over_time(system_sdwan_rules_steering_latency_stat{}[5m])

                        ) / 2

                      )

                      + max by (steering_policy, steering_policy_uuid, isp_name) (

                          avg_over_time(system_sdwan_rules_steering_jitter_stat{}[5m])

                        )

                      - 177.3

                    ) > bool 0

                  )

              )

            )

          - (

              (95 * max by (steering_policy, steering_policy_uuid, isp_name) (

                     avg_over_time(system_sdwan_rules_steering_packet_lost_percentage{}[5m])

                 ))

              /

              (max by (steering_policy, steering_policy_uuid, isp_name) (

                 avg_over_time(system_sdwan_rules_steering_packet_lost_percentage{}[5m])

               ) + 25)

            )

        , 100)

      , 0) - 60

    )

    *

    (

      100 -

      clamp_min(

        clamp_max(

          94.2

          - (

              0.024 * (

                (

                  max by (steering_policy, steering_policy_uuid, isp_name) (

                    avg_over_time(system_sdwan_rules_steering_latency_stat{}[5m])

                  ) / 2

                )

                + max by (steering_policy, steering_policy_uuid, isp_name) (

                    avg_over_time(system_sdwan_rules_steering_jitter_stat{}[5m])

                  )

              )

              + 0.11 * (

                  (

                    (

                      max by (steering_policy, steering_policy_uuid, isp_name) (

                        avg_over_time(system_sdwan_rules_steering_latency_stat{}[5m])

                      ) / 2

                    )

                    + max by (steering_policy, steering_policy_uuid, isp_name) (

                        avg_over_time(system_sdwan_rules_steering_jitter_stat{}[5m])

                      )

                    - 177.3

                  )

                  * (

                    (

                      (

                        max by (steering_policy, steering_policy_uuid, isp_name) (

                          avg_over_time(system_sdwan_rules_steering_latency_stat{}[5m])

                        ) / 2

                      )

                      + max by (steering_policy, steering_policy_uuid, isp_name) (

                          avg_over_time(system_sdwan_rules_steering_jitter_stat{}[5m])

                        )

                      - 177.3

                    ) > bool 0

                  )

              )

            )

          - (

              (95 * max by (steering_policy, steering_policy_uuid, isp_name) (

                     avg_over_time(system_sdwan_rules_steering_packet_lost_percentage{}[5m])

                 ))

              /

              (max by (steering_policy, steering_policy_uuid, isp_name) (

                 avg_over_time(system_sdwan_rules_steering_packet_lost_percentage{}[5m])

               ) + 25)

            )

        , 100)

      , 0)

    )

  )

)

Expression:

Is below: 3.8

Alert Summary:

WAN link QOE score is lower than 3.8, which indicate degraded performance.

Remediation:

  1. Check for high traffic volume, latency, jitter, or packet loss on the interface.

  2. If degradation persists, open a ticket with the ISP and provide the time/metrics.

Labels:

  1. Importance: High

  2. Severity: High

Query for alert - VPN tunnel is "Down" while ISP link is "UP"

PromQL syntax for the query:

count by (host_name, vpn_isp) (

  system_sdwan_overlay_cost{vpn_state="DOWN"}

)

unless

on (host_name, vpn_isp)

label_replace(

  count by (host_name, isp_name) (

    system_sdwan_rules_steering_isp_cost{isp_state="DOWN"}

  ),

  "vpn_isp", "$1", "isp_name", "(.*)"

)

Expression:

Is above: 1

Alert Summary:

SD-WAN detected that the ISP is operational, but the Overlay VPN tunnel endpoint is not responding to SD-WAN overlay probing.

This can be a result of configuration mismatches, peer-side issues, or encryption failures.

Remediation:

  1. Check interface / VPN configuration changes.

  2. Verify that there is no Undelay link down on a remote Security Gateway.

  3. Follow troubleshooting steps in the admin guide. If the tunnel remains down.

  4. Contact Check Point Support.

Labels:

  1. Importance: Low

  2. Severity: Low

Query for alert - All public ISPs exceeded thresholds of one steering object

PromQL syntax for the query:

(sum by(host_name)((sum by (host_name,steering_policy) (

  system_sdwan_rules_steering_latency_stat{isp_state!="DOWN"}

    > bool

  on (host_name, steering_policy, steering_policy_uuid, isp_name, isp_state) group_left

system_sdwan_rules_steering_latency_threshold{isp_state!="DOWN"}

) ) == bool

count by(host_name, steering_policy) (system_sdwan_rules_steering_latency_stat)) > bool 0)

+(sum by(host_name)((sum by (host_name,steering_policy) (

  system_sdwan_rules_steering_jitter_stat{isp_state!="DOWN"}

    > bool

  on (host_name, steering_policy, steering_policy_uuid, isp_name, isp_state) group_left

  system_sdwan_rules_steering_jitter_threshold{isp_state!="DOWN"}

) ) == bool

count by(host_name, steering_policy) (system_sdwan_rules_steering_jitter_stat)) > bool 0)+(sum by(host_name)((sum by (host_name,steering_policy) (

  system_sdwan_rules_steering_packet_lost_percentage{isp_state!="DOWN"}

    > bool

  on (host_name, steering_policy, steering_policy_uuid, isp_name, isp_state) group_left

  system_sdwan_rules_steering_packet_lost_threshold{isp_state!="DOWN"}

) ) == bool

count by(host_name, steering_policy) (system_sdwan_rules_steering_packet_lost_percentage)) > bool 0)

Expression:

Is above: 0

Alert Summary:

SD-WAN detected that every public ISP link assigned to this steering object violated one or more thresholds (latency, packet loss, or jitter).

No healthy public ISP path was available during this time.

Remediation:

  1. Investigate local network metrics and utilization, utilization of resources on the Security Gateway, and last-mile connectivity.

  2. Check the probing target / Application.

  3. Contact the ISP Support if degradation persists.

Labels:

  1. Importance: Medium

  2. Severity: Medium

Query for alert - All public ISPs exceeded thresholds for multiple steering objects

PromQL syntax for the query:

(sum by(host_name)((sum by (host_name,steering_policy) (

  system_sdwan_rules_steering_latency_stat{isp_state!="DOWN"}

    > bool

  on (host_name, steering_policy, steering_policy_uuid, isp_name, isp_state) group_left

system_sdwan_rules_steering_latency_threshold{isp_state!="DOWN"}

) ) == bool

count by(host_name, steering_policy) (system_sdwan_rules_steering_latency_stat)) > bool 0)

+(sum by(host_name)((sum by (host_name,steering_policy) (

  system_sdwan_rules_steering_jitter_stat{isp_state!="DOWN"}

    > bool

  on (host_name, steering_policy, steering_policy_uuid, isp_name, isp_state) group_left

  system_sdwan_rules_steering_jitter_threshold{isp_state!="DOWN"}

) ) == bool

count by(host_name, steering_policy) (system_sdwan_rules_steering_jitter_stat)) > bool 0)+(sum by(host_name)((sum by (host_name,steering_policy) (

  system_sdwan_rules_steering_packet_lost_percentage{isp_state!="DOWN"}

    > bool

  on (host_name, steering_policy, steering_policy_uuid, isp_name, isp_state) group_left

  system_sdwan_rules_steering_packet_lost_threshold{isp_state!="DOWN"}

) ) == bool

count by(host_name, steering_policy) (system_sdwan_rules_steering_packet_lost_percentage)) > bool 0)

Expression:

Is above: 1

Alert Summary:

SD-WAN detected simultaneous threshold violations on all public ISP links across more than one steering object.

This suggests a gateway-level, access-network, or regional ISP issue.

Remediation:

  1. Review the Security Gateway health (CPU, drops, link utilization, shaping) and local network conditions.

  2. Review ISP metrics and recent changes.

  3. Contact the ISP Support if degradation persists.

Labels:

  1. Importance: High

  2. Severity: High

Query for alert - ISP exceeded threshold on one steering object

PromQL syntax for the query:

(sum by(host_name, isp_name) (

  system_sdwan_rules_steering_latency_stat{isp_state!="DOWN"}

    > bool

  on (host_name, steering_policy, steering_policy_uuid, isp_name, isp_state) group_left

  system_sdwan_rules_steering_latency_threshold{isp_state!="DOWN"}

) > bool 0)

+

(sum by(host_name,  isp_name) (

  system_sdwan_rules_steering_jitter_stat{isp_state!="DOWN"}

    > bool

  on (host_name, steering_policy, steering_policy_uuid, isp_name, isp_state) group_left

  system_sdwan_rules_steering_jitter_threshold{isp_state!="DOWN"}

) > bool 0)

+

(sum by(host_name,  isp_name) (

  system_sdwan_rules_steering_packet_lost_percentage{isp_state!="DOWN"}

    > bool

  on (host_name, steering_policy, steering_policy_uuid, isp_name, isp_state) group_left

  system_sdwan_rules_steering_packet_lost_threshold{isp_state!="DOWN"}

) > bool 0)

Expression:

Is equal to: 1

Alert Summary:

SD-WAN continuously monitors ISP performance. This alert was generated because one of the metrics in ISP crossed the configured threshold for the specified steering object.

Remediation:

  1. Review current and historical ISP performance metrics.

  2. Verify whether the issue is temporary or persistent.

  3. Check application or probing target for issues.

  4. If degradation continues beyond a short time window, contact the ISP Support.

Labels:

  1. Importance: Low

  2. Severity: Low

Query for alert - ISP exceeded thresholds for multiple steering objects

PromQL syntax for the query:

Query A:

(sum by(host_name,isp_name,steering_policy) (

  system_sdwan_rules_steering_latency_stat{isp_state!="DOWN"}

    > bool

  on (host_name, steering_policy, steering_policy_uuid, isp_name, isp_state) group_left

  system_sdwan_rules_steering_latency_threshold{isp_state!="DOWN"}

) > bool 0)

+

(sum by(host_name,  isp_name,steering_policy) (

  system_sdwan_rules_steering_jitter_stat{isp_state!="DOWN"}

    > bool

  on (host_name, steering_policy, steering_policy_uuid, isp_name, isp_state) group_left

  system_sdwan_rules_steering_jitter_threshold{isp_state!="DOWN"}

) > bool 0)

+

(sum by(host_name,  isp_name,steering_policy) (

  system_sdwan_rules_steering_packet_lost_percentage{isp_state!="DOWN"}

    > bool

  on (host_name, steering_policy, steering_policy_uuid, isp_name, isp_state) group_left

  system_sdwan_rules_steering_packet_lost_threshold{isp_state!="DOWN"}

) > bool 0)

Query B:

(sum by(host_name,isp_name) (

  system_sdwan_rules_steering_latency_stat{isp_state!="DOWN"}

    > bool

  on (host_name, steering_policy, steering_policy_uuid, isp_name, isp_state) group_left

  system_sdwan_rules_steering_latency_threshold{isp_state!="DOWN"}

) > bool 0)

+

(sum by(host_name,  isp_name) (

  system_sdwan_rules_steering_jitter_stat{isp_state!="DOWN"}

    > bool

  on (host_name, steering_policy, steering_policy_uuid, isp_name, isp_state) group_left

  system_sdwan_rules_steering_jitter_threshold{isp_state!="DOWN"}

) > bool 0)

+

(sum by(host_name,  isp_name) (

  system_sdwan_rules_steering_packet_lost_percentage{isp_state!="DOWN"}

    > bool

  on (host_name, steering_policy, steering_policy_uuid, isp_name, isp_state) group_left

  system_sdwan_rules_steering_packet_lost_threshold{isp_state!="DOWN"}

) > bool 0)

Expression:

  1. Expression C.

    Type: Threshold

    Input: D

    Is equal to: 1

  2. Expression D.

    Type: Math

    ${B} > 1 && ${A} > 0

Example:

Alert Summary:

SD-WAN detected threshold violations for the same ISP across multiple steering objects within a short time window.

This pattern indicates a shared ISP issue.

Remediation:

  1. Review ISP metrics, link utilization, and recent changes.

  2. Contact the ISP Support if degradation persists.

Labels:

  1. Importance: Medium

  2. Severity: Medium

Query for alert - ISP state changes frequently

Scenario:

When the status of an ISP link changes from Down to UP, or from UP to Down, more than 5 times in 1 last hour.

PromQL syntax for the query:

changes(

  (

    count by (host_name, isp_name) (

      system_sdwan_rules_steering_isp_cost{isp_state="DOWN"}

    )

    or

    (

      count by (host_name, isp_name) (

        system_sdwan_rules_steering_isp_cost{isp_state!="DOWN"}

      ) * 0

    )

  )[1h:10s]

)

Expression:

Is above: 5

Alert Summary:

SD-WAN detected that an ISP is unreachable based on nexthop probes.

This may be caused by a physical link failure, upstream outage, or unresponsive next hop.

Remediation:

  1. Review link flap timing and correlate with environmental or power outages.

  2. Verify cabling, modem health, and local infrastructure.

  3. If instability continues, contact the ISP Support.

Labels:

  1. Importance: High

  2. Severity: High

Query for alert - Overlay VPN tunnel is down (ISP down)

PromQL syntax for the query:

count by(host_name, vpn_isp) (system_sdwan_overlay_cost{vpn_state="DOWN"}) unless on(host_name, vpn_isp) (label_replace(count by(host_name, isp_name) (system_sdwan_rules_steering_isp_cost{isp_state="UP"}), "vpn_isp", "$1", "isp_name", "(.*)"))

Expression:

Is above: 0

Alert Summary:

SD-WAN detected that an ISP is down, causing all Overlay VPN tunnels routed through it to go down.

Remediation:

  1. Restore ISP connectivity.

  2. Follow troubleshooting steps in the Administration Guide.

  3. If the tunnels remain down after recovery, contact Check Point Support.

Labels:

  1. Importance: Medium

  2. Severity: Medium

Query for alert - All Overlay VPN tunnels to a peer are down

PromQL syntax for the query:

count by(host_name, vpn_main_peer_ip) (system_sdwan_overlay_cost)

 unless

count by(host_name, vpn_main_peer_ip) (system_sdwan_overlay_cost{vpn_state!="DOWN"})

Expression:

Is above: 0

Alert Summary:

SD-WAN detected that an ISP is down, causing all Overlay VPN tunnels routed through it to go down.

Remediation:

  1. Check remote gateway status.

  2. Check VPN configuration.

  3. Follow troubleshooting steps in the Administration Guide.

  4. If the tunnel remains down, contact Check Point Support.

Labels:

  1. Importance: Critical

  2. Severity: Critical

Query for alert - Overlay VPN tunnel state changes frequently

PromQL syntax for the query:

changes(

  (

    count by (host_name,vpn_peer_ip,vpn_isp) (

      system_sdwan_overlay_cost{vpn_state="DOWN"}

    )

    or

    (

      count by (host_name,vpn_peer_ip,vpn_isp) (

       system_sdwan_overlay_cost{vpn_state!="DOWN"}

      ) * 0

    )

  )[1d:10s]

)

Expression:

Is above: 5

Alert Summary:

The Overlay VPN tunnel on the Security Gateway, the Overlay VPN tunnel from local ISP to peer had status change for at least 6 times over the last day.

This indicates an unstable connectivity.

Remediation:

  1. Review timing of the flapping events, verify link statuses, cabling and modem health, and assess environmental or power-related factors.

  2. Follow the troubleshooting steps in the Administration Guide.

  3. If the issue continues, contact Check Point Support.

Labels:

  1. Importance: High

  2. Severity: High

Query for alert - High CPU utilization

PromQL syntax for the query:

sum by (host_name)(system_cpu_utilization)/count by(host_name)(system_cpu_utilization)

Expression:

Is above: 75

Alert Summary:

CPU utilization on the Security Gateway is greater than 75%.

Remediation:

  1. Check for spikes in traffic volume or new large flows.

  2. Review CPU utilization by processes on the Security Gateway.

  3. Consider optimizing security policies, inspection profiles, or logging if relevant.

  4. If the issue persists, evaluate the Security Gateway capacity (scale-up / scale-out).

Labels:

  1. Importance: High

  2. Severity: High

Query for alert - High memory utilization

PromQL syntax for the query:

sum by (host_name)(system_fw_memory_utilization)

Expression:

Is above: 75

Alert Summary:

Memory utilization on the Security Gateway is greater than 75%.

Remediation:

  1. Review memory utilization by processes on the Security Gateway.

  2. Review logs for memory-related errors or crashes.

  3. Restart non-critical services during maintenance windows if needed.

  4. If the issue persists, plan for software upgrade or hardware resource increase.

Labels:

  1. Importance: High

  2. Severity: High