The CloudGuard Dome9 Circuit Breaker for misconfigured Notification Policies
Dome9 has a mechanism that blocks Notification Policy targets for Continuous Compliance at runtime if they are misconfigured or otherwise not functioning.
If the Dome9 compliance engine encounters a number of failures when attempting to send a finding to a Notification Policy target (for example, an SNS queue or an HTTP Endpoint), the target is blocked for a period of 6 hours. During this time, notifications are not sent to this target. Other targets in the same Notification Policy are not blocked. For example, if a Notification Policy sends findings to the Alerts Console, to an SNS queue and to an HTTP Endpoint, and repeated attempts to send findings to the HTTP Endpoint fail, that target is blocked, but the other ones (the Console and the SNS) remain active. The block is automatically removed after 6 hours, but is applied again immediately if another failure occurs.
The Notifications page shows an indication that a Notification Policy has a problem.
Open the Notification Policy to see details of the problem.
Once the problem is resolved, click Validate. Dome9 will test the channel and clear the block if the channel is found to be functional.
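The following added example (not Dome9 code) models the per-target behaviour described above, so you can see which findings a blocked target never receives. The class and function names, the failure threshold of 3, and the reset of the failure count on a successful send are assumptions; the article only states "a number of failures" and the 6-hour block.

```python
from dataclasses import dataclass
from typing import Optional

BLOCK_SECONDS = 6 * 3600   # block length stated in the article
FAILURE_THRESHOLD = 3      # assumed: the article only says "a number of failures"

@dataclass
class TargetBreaker:
    """Hypothetical model of the breaker state for one Notification Policy target."""
    failures: int = 0
    blocked_until: Optional[float] = None
    probation: bool = False  # True after a block expired without a successful send

    def send(self, now: float, delivered: bool) -> str:
        """Record one delivery attempt; returns 'sent', 'failed' or 'skipped'."""
        if self.blocked_until is not None:
            if now < self.blocked_until:
                return "skipped"          # nothing is sent while the target is blocked
            # The block is removed automatically after 6 hours.
            self.blocked_until, self.probation = None, True
        if delivered:
            self.failures, self.probation = 0, False  # assumed reset on success
            return "sent"
        self.failures += 1
        # After an expired block, a single failure re-applies the block immediately.
        if self.probation or self.failures >= FAILURE_THRESHOLD:
            self.blocked_until, self.failures = now + BLOCK_SECONDS, 0
        return "failed"

    def validate(self, channel_ok: bool) -> bool:
        """Model of clicking Validate: the block clears only if the channel test passes."""
        if channel_ok:
            self.failures, self.blocked_until, self.probation = 0, None, False
        return channel_ok

def simulate():
    """Constructed timeline: HTTP endpoint down until hour 13, other targets healthy."""
    policy = {name: TargetBreaker() for name in ("console", "sns", "http")}
    timeline = [(0, False), (0.1, False), (0.2, False), (1, False),
                (6.5, False), (7, False), (13, True)]  # (hour, HTTP endpoint up?)
    log = []
    for hour, http_up in timeline:
        now = hour * 3600
        log.append((hour, {name: b.send(now, http_up if name == "http" else True)
                           for name, b in policy.items()}))
    return log

if __name__ == "__main__":
    for hour, row in simulate():
        print(f"t={hour:>4}h  {row}")
```

Findings marked `skipped` are the ones the HTTP endpoint misses during a block; in this model the Alerts Console and SNS targets of the same policy still receive them.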