Configuring Automation Triggers

On the Security Fabric > Automation > Trigger tab, you can view the list of available automation trigger events, both predefined and user-defined. After defining your automation triggers, you can combine them with response actions to create an automation stitch. For details, see Creating automation stitches.

FortiADC supports eight trigger event types. Some are predefined and some must be user-defined.

Predefined Triggers:
  • Security Events — Uses security events such as "DDoS SYNFLOOD attack start" or "bot detected" as the alert trigger.
  • HA Failover — Uses HA failover events such as "HA peer lost" as the alert trigger.
  • System Events — Uses system events such as "bad PSU fan" or "good device fan" as the alert trigger.

See Predefined automation trigger events for the full list of predefined events available for each trigger type.

User-defined Triggers:
  • SLB Metrics — Uses server load balance performance metrics as the alert trigger.
  • Period Block IP — Uses the source IP addresses that have been blocked by WAF on FortiADC as trigger events for the automated response actions. To view or release the blocked IPs, see Blocked IP.
  • System Metrics — Uses system metrics such as "average CPU usage" or "average memory usage" as the alert trigger.
  • Interface Metrics — Uses network interface events as the alert trigger.
  • Schedule — Uses user-defined schedules as the alert trigger.

SLB Metrics

To configure an SLB Metrics trigger alert:
  1. Go to Security Fabric > Automation.
  2. Click the Trigger tab.
  3. Click Create New and select SLB Metrics to display the configuration editor.
  4. Configure the following trigger alert settings:

    Setting: Description
    Name: Enter a name for the new SLB Metrics trigger alert. The configuration name cannot be edited once it has been saved.
    Description: Optionally, you can add a description about this trigger alert configuration.
    Instance: Select the virtual server on which the SLB Metrics trigger applies.
    Duration: Specify the metric duration in seconds. Range: 5-3600 seconds.
  5. Click Save.
    Once the SLB Metrics trigger alert configuration has been saved, you can then add the alert member configurations under the Alert Metric Expire Member section.
  6. Under the Alert Metric Expire Member section, click Create New to display the configuration editor.
  7. Configure the following trigger alert member settings:

    Setting: Description
    Name: Enter a name for the new SLB Metrics trigger alert member. The configuration name cannot be edited once it has been saved.
    Metric Occurs: Select the server load balance performance metric events that will trigger the action.
    Comparator: The metric is compared to the Value field according to the selected option:
      • Ge—greater than
      • Le—less than
      • Eq—equal to
      The action will be triggered if the specified value satisfies the selected option.
    Value: Specify the metric value that the Comparator uses to determine if the metric triggers an action (for example, 2 milliseconds).
  8. Click Save.
    The newly created trigger alert member is added under the Alert Metric Expire Member section.
  9. Click Save to commit the changes made for the trigger alert member to the SLB Metrics trigger alert configuration.

System Metrics

To configure a System Metrics trigger alert:
  1. Go to Security Fabric > Automation.
  2. Click the Trigger tab.
  3. Click Create New and select System Metrics to display the configuration editor.
  4. Configure the following trigger alert settings:

    Setting: Description
    Name: Enter a name for the new System Metrics trigger alert. The configuration name cannot be edited once it has been saved.
    Description: Optionally, you can add a description about this trigger alert configuration.
    Duration: Specify the metric duration in seconds. Range: 5-3600 seconds.
  5. Click Save.
    Once the System Metrics trigger alert configuration has been saved, you can then add the alert member configurations under the Alert Metric Expire Member section.
  6. Under the Alert Metric Expire Member section, click Create New to display the configuration editor.
  7. Configure the following trigger alert member settings:

    Setting: Description
    Name: Enter a name for the new System Metrics trigger alert member. The configuration name cannot be edited once it has been saved.
    Metric Occurs: Select the system metrics events (average CPU usage, average memory usage, etc.) that will trigger the action.
    Comparator: The metric is compared to the Value field according to the selected option:
      • Ge—greater than
      • Le—less than
      • Eq—equal to
      The action will be triggered if the specified value satisfies the selected option.
    Value: Specify the metric value that the Comparator uses to determine if the metric triggers an action (for example, 2 milliseconds).
  8. Click Save.
    The newly created trigger alert member is added under the Alert Metric Expire Member section.
  9. Click Save to commit the changes made for the trigger alert member to the System Metrics trigger alert configuration.

Interface Metrics

To configure an Interface Metrics trigger alert:
  1. Go to Security Fabric > Automation.
  2. Click the Trigger tab.
  3. Click Create New and select Interface Metrics to display the configuration editor.
  4. Configure the following trigger alert settings:

    Setting: Description
    Name: Enter a name for the new Interface Metrics trigger alert. The configuration name cannot be edited once it has been saved.
    Description: Optionally, you can add a description about this trigger alert configuration.
    Instance: Select the network interface on which the Interface Metrics trigger applies.
    Duration: Specify the metric duration in seconds. Range: 5-3600 seconds.
  5. Click Save.
    Once the Interface Metrics trigger alert configuration has been saved, you can then add the alert member configurations under the Alert Metric Expire Member section.
  6. Under the Alert Metric Expire Member section, click Create New to display the configuration editor.
  7. Configure the following trigger alert member settings:

    Setting: Description
    Name: Enter a name for the new Interface Metrics trigger alert member. The configuration name cannot be edited once it has been saved.
    Metric Occurs: Select the network interface events that will trigger the action.
    Comparator: The metric is compared to the Value field according to the selected option:
      • Ge—greater than
      • Le—less than
      • Eq—equal to
      The action will be triggered if the specified value satisfies the selected option.
    Value: Specify the metric value that the Comparator uses to determine if the metric triggers an action (for example, 2 milliseconds).
  8. Click Save.
    The newly created trigger alert member is added under the Alert Metric Expire Member section.
  9. Click Save to commit the changes made for the trigger alert member to the Interface Metrics trigger alert configuration.

Schedule

To configure a Schedule trigger alert:
  1. Go to Security Fabric > Automation.
  2. Click the Trigger tab.
  3. Click Create New and select Schedule to display the configuration editor.
  4. Configure the following trigger alert settings:

    Setting: Description
    Name: Enter a name for the new Schedule trigger alert. The configuration name cannot be edited once it has been saved.
    Description: Optionally, you can add a description about this trigger alert configuration.
    Schedule Occurs: Select a user-defined schedule group object or create a new schedule group. For details, see Creating schedule groups.
  5. Click Save.

Predefined automation trigger events

Trigger: Security Events
Events:
  • Bot Detected
  • Brute Force Detected
  • CORS Violate Detected
  • CSRF Violate Detected
  • Data Leak Violate Detected
  • DDoS HTTP Access Limit
  • DDoS HTTP Connection Flood
  • DDoS HTTP Request Flood
  • DDoS IP Fragmentation
  • DDoS SYNFLOOD attack start
  • DDoS SYNFLOOD attack stop
  • DDoS TCP Access Flood
  • DDoS TCP Slow Data Attack
  • Generic Attack Detected
  • Geo Violate Detected
  • HTML Validation Detected
  • JSON Violate Detected
  • OPENAPI Violate Detected
  • Protocol Constraint Detected
  • Reputation Violate Detected
  • Request Blocked
  • SEC Biometrics Base Detected
  • SEC Threshold Violate Detected
  • SOAP Violate Detected
  • SQL Injection Attack Detected
  • URL Pattern Violate Detected
  • Virtual Server Authentication Fail
  • Web Anti Defacement Detected
  • XML Violate Detected
  • XSS Attack Detected

Trigger: HA Failover
Events:
  • HA Master Failover
  • HA Peer Lost

Trigger: System Events
Events:
  • ARP Conflict
  • Bad Device Fan
  • Bad PSU Fan
  • Certification Expire
  • Config Create
  • Config Delete
  • Config Update
  • CRL Expires
  • Device Rebooted
  • Device Upgrade Completed
  • FW SNAT Port Exhausted
  • Gateway HC Down
  • Gateway HC Up
  • Gateway Inbound Bandwidth
  • Gateway Inbound Spillover
  • Gateway Outbound Bandwidth
  • Gateway Outbound Spillover
  • Gateway Total Spillover
  • GLB GW Available
  • GLB GW Not Available
  • GLB Real Server Available
  • GLB Real Server Not Available
  • GLB Virtual Server Available
  • GLB Virtual Server Not Available
  • Good Device Fan
  • Good PSU Fan
  • High CPU Temp
  • High CPU Usage
  • High Device Temp
  • High Disk Usage
  • High Memory Usage
  • High Power Supply
  • High PSU Temp
  • High PSU Voltage
  • High Voltage
  • Link Group HC Down
  • Link Group HC Up
  • Log Full
  • Logical Interface Disabled
  • Logical Interface Down
  • Logical Interface Up
  • Lost Log Disk
  • Low Power Supply
  • Low PSU Voltage
  • Low Voltage
  • Normal CPU Temp
  • Normal Device Temp
  • Normal PSU Temp
  • OCSP Response Expires
  • PSU Failure
  • Real Server Connection Limit Start
  • Real Server Connection Limit Stop
  • Real Server Connection Rate Start
  • Real Server Connection Rate Stop
  • Real Server Disabled
  • Real Server Enabled
  • Real Server HC Down
  • Real Server HC Up
  • Real Server Maintain Mode
  • Slow Device Fan
  • Slow PSU Fan
  • SSD MWI Near Threshold
  • SSD MWI Reached Threshold
  • SSL Certificate Revoked
  • User Login
  • User Logout
  • Virtual Server Connection Limit Start
  • Virtual Server Connection Limit Stop
  • Virtual Server Connection Rate Start
  • Virtual Server Connection Rate Stop
  • Virtual Server Disabled
  • Virtual Server Down
  • Virtual Server Enabled
  • Virtual Server IP Pool Limit
  • Virtual Server Maintain Mode
  • Virtual Server Transaction Rate Start
  • Virtual Server Transaction Rate Stop
  • Virtual Server Up
