Does the firewall have multiple CPU cores?
Is the Universal Device Poller CPU core-aware?
Is the alert based on a single CPU core or multiple CPU/core?
1 of 1 people found this helpful
Is there a reset condition that needs to have its wording changed? Perhaps it's actually the alert clearing/ returning to normal, but text in the email may not make that abundantly clear. Not that I've ever done that to myself...I eventually started including 'return to normal' in the wording of my reset emails to clarify.
Another thought...create a report using the same logic as the alert, and then validate that what is seen is what is expected. Ensure that any alert suppression / return to normal conditions are represented.
Is it possible the trigger condition allows at least one of the cpu's to be greater than 20 ?
Thus at least one is within the trigger allowances even though the others are not ?
You might see if there is an OID for average CPU and use that and include a "period of time" equal to a polling interval (minimum) so that at least 2 polls must match the trigger conditions before an alert is triggered.
It would be helpful to include a bit more info (screenshots are great) of the poller and alert configuration so we have the same perspective you have as to how it is set up.