Creating automation stitches
Automation stitches pair a trigger with one or more response actions to allow FortiADC to automatically respond with the action(s) once the trigger condition is met.
From the GUI, Security Fabric > Automation page, you can create an automation stitch by selecting a Trigger event type and the corresponding Action that you would like to automate from the same configuration editor.
FortiADC supports eight trigger event types and six response actions for automation.
- Triggers: Security Events, SLB Metrics, Period Block IP, HA Failover, System Metrics, Schedule, System Events, and Interface Metrics.
- Actions: CLI Script, Email, Syslog, SNMP Trap, Webhook, and FortiGate IP Ban.
However, some response actions are only supported for certain trigger types. The table below lists each trigger type and its available response actions.
[Trigger/action support matrix: columns are the trigger types Security Events, SLB Metrics, Period Block IP, HA Failover, System Metrics, Schedule, System Events, and Interface Metrics; rows are the response actions CLI Script, Email, Syslog, SNMP Trap, Webhook, and FortiGate IP Ban. The support marks in the cells are not reproduced here.]
FortiADC offers Predefined Automation Stitch configurations you can use to get started.
To configure an automation stitch:
- Go to Security Fabric > Automation.
- Click Create New to display the configuration editor.
- Configure the following settings for the Automation Stitch:
Setting
Description
Name
Enter a name for the new automation stitch. The configuration name cannot be edited once it has been saved.
Status
Enable/disable the automation stitch.
Egress VDOM
The Egress VDOM determines the VDOM from which the alert packets will be sent, regardless of the local VDOM from which the automation is configured. This affects automation actions that require alert packets to be sent, which include Syslog, SNMP Trap, Webhook, and Email. Actions such as Syslog, SNMP Trap, and Webhook can egress from either the local or root VDOM. However, for Email actions, the Egress VDOM must be Root to correspond with the SMTP server configured in Global Settings.
Select the Egress VDOM from which the alert packets will be sent:
- Local — Alert packets will be sent from the local VDOM from which the automation is configured.
- Root — Alert packets will be sent from the Root VDOM.
- Under the Trigger section, select a trigger event and configure the settings specific to each trigger event type.
Some trigger events are predefined while others are user-defined. For example, the System Event trigger provides a list of predefined system events for selection, whereas the SLB Metrics trigger requires users to define the alert metrics. For details about each trigger event type, see Configuring Automation Triggers.
Trigger
Description
Security Events
Apply to
Select whether to apply the security events automation stitch to All or VS:
- All — All related events will trigger the Alert action.
- VS — Only specified Virtual Server related events will trigger the Alert action.
Virtual Server
The Virtual Server option appears if Apply to is VS.
Specify the virtual server. This is required.
Event
Select the security events (such as DDoS SYNFLOOD attack start, bot detected, etc.) that will trigger the action. The list of available security events is predefined. For details, see Configuring Automation Triggers.
Advanced Settings
Click Advanced Settings to display additional settings for Rolling Window.
Rolling Window
Enable to define a Rolling Window Time and Number of Occurrences.
The Rolling Window Time sets a period of time in which a number of events must take place for an action to be triggered. The number of events that must take place within this period of time is set in the Number of Occurrences option.
Rolling Window Time
The Rolling Window Time option appears if Rolling Window is enabled.
Specify the range of time (in seconds) for the rolling window.
Number of Occurrences
The Number of Occurrences option appears if Rolling Window is enabled.
Specify the number of events that must take place before FortiADC will trigger the action.
SLB Metrics
Alert
Select a user-defined Alert trigger or create a new alert trigger for SLB Metrics. For details, see Configuring Automation Triggers.
Period Block IP
Period Block IP
Select this trigger to retrieve the Source IP addresses from the Period Block list.
HA Failover
Event
Select the HA failover events (such as HA peer lost) that will trigger the action. The list of available HA failover events is predefined. For details, see Configuring Automation Triggers.
Advanced Settings
Click Advanced Settings to display additional settings for Rolling Window.
Rolling Window
Enable to define a Rolling Window Time and Number of Occurrences.
The Rolling Window Time sets a period of time in which a number of events must take place for an action to be triggered. The number of events that must take place within this period of time is set in the Number of Occurrences option.
Rolling Window Time
The Rolling Window Time option appears if Rolling Window is enabled.
Specify the range of time (in seconds) for the rolling window.
Number of Occurrences
The Number of Occurrences option appears if Rolling Window is enabled.
Specify the number of events that must take place before FortiADC will trigger the action.
System Metrics
Alert
Select a user-defined Alert trigger or create a new alert trigger for System Metrics. For details, see Configuring Automation Triggers.
Schedule
Schedule
Select a user-defined Alert trigger or create a new alert trigger for Schedule. For details, see Configuring Automation Triggers.
System Events
Apply to
Select whether to apply the system events automation stitch to All, VS or Real Server:
- All — All related events will trigger the Alert action.
- VS — Only specified Virtual Server related events will trigger the Alert action.
- Real Server — Only the specified Virtual Server, Pool, and Real Server related events will trigger the Alert action.
Virtual Server
The Virtual Server option appears if Apply to is VS or Real Server.
Specify the virtual server. This is required if Apply to is VS.
Pool
The Pool option appears if Apply to is Real Server.
Specify the pool. This is optional.
Real Server
The Real Server option appears if Apply to is Real Server.
Specify the real server. This is required.
Event
Select the system events (such as bad PSU fan, good device fan, etc.) that will trigger the action. The list of available System events is predefined. For details, see Configuring Automation Triggers.
Advanced Settings
Click Advanced Settings to display additional settings for Rolling Window.
Rolling Window
Enable to define a Rolling Window Time and Number of Occurrences.
The Rolling Window Time sets a period of time in which a number of events must take place for an action to be triggered. The number of events that must take place within this period of time is set in the Number of Occurrences option.
Rolling Window Time
The Rolling Window Time option appears if Rolling Window is enabled.
Specify the range of time (in seconds) for the rolling window.
Number of Occurrences
The Number of Occurrences option appears if Rolling Window is enabled.
Specify the number of events that must take place before FortiADC will trigger the action.
Interface Metrics
Alert
Select a user-defined Alert trigger or create a new alert trigger for Interface Metrics. For details, see Configuring Automation Triggers.
- Under the Action section, select a response action or actions supported for the selected trigger event.
- In the Minimum interval (seconds) field, enter a minimum time interval, in seconds, during which you would not receive repeated notifications for the same trigger occurrence. When the minimum time interval expires, you will receive an alert with a compilation report of any events that occurred during the allotted interval period.
For example, if you are configuring an alert for high CPU usage and you set the Minimum interval to 86400s (1 day), then you would receive one alert when the CPU usage goes above 90% and you would not get another alert notification for the same event until the next day. When the 86400s (1 day) elapses, you would receive a notification with a summary that lets you know how many times the CPU usage exceeded 90% in the past day.
- Configure the settings specific to each response action. Each Action is user-defined. For details about each response action, see Configuring Automation Actions.
- Click Save.
The newly created automation stitch appears on the Security Fabric > Automation page, under its trigger event type.
After configuring the automation stitch, you can test it with the CLI command diagnose debug module alertd.
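The Rolling Window (Number of Occurrences within Rolling Window Time) and Minimum interval behaviour described in the steps above, replayed over constructed event timestamps as an added Python example. This is illustrative code written for this page, not FortiADC's implementation; the class and method names, the sample timestamps and the assumption that events arrive in time order are all mine.

```python
from collections import deque


class StitchGate:
    """Gate events through a Rolling Window and a Minimum interval (illustrative)."""

    def __init__(self, window_seconds, occurrences, min_interval_seconds):
        self.window = window_seconds        # Rolling Window Time
        self.occurrences = occurrences      # Number of Occurrences
        self.min_interval = min_interval_seconds
        self._recent = deque()              # event times inside the window
        self._suppress_until = None         # end of the current minimum interval
        self._suppressed = 0                # trigger hits held back in that interval

    def flush(self, now):
        """Once the minimum interval has expired, emit the compilation summary."""
        if self._suppress_until is None or now < self._suppress_until:
            return []
        summary = {"type": "summary", "at": self._suppress_until,
                   "suppressed": self._suppressed}
        self._suppress_until, self._suppressed = None, 0
        return [summary]

    def on_event(self, ts):
        """Handle one matching event at time ts (seconds); return alerts to send."""
        alerts = self.flush(ts)
        self._recent.append(ts)
        while ts - self._recent[0] > self.window:   # drop events outside the window
            self._recent.popleft()
        if len(self._recent) < self.occurrences:
            return alerts                           # threshold not reached yet
        self._recent.clear()                        # condition met; count afresh
        if self._suppress_until is None:
            alerts.append({"type": "alert", "at": ts})
            self._suppress_until = ts + self.min_interval
        else:
            self._suppressed += 1                   # repeat within the interval
        return alerts


def run(events, window_seconds, occurrences, min_interval_seconds):
    # events: constructed, non-decreasing timestamps in seconds
    gate = StitchGate(window_seconds, occurrences, min_interval_seconds)
    out = []
    for ts in events:
        out.extend(gate.on_event(ts))
    return out


# Constructed sample: seconds at which a CPU sample exceeded the threshold.
SAMPLE_EVENTS = [0, 20, 40, 100, 110, 120, 130, 140, 150, 400, 410, 420]
```

With a 60 s window, 3 occurrences and a 300 s minimum interval, run(SAMPLE_EVENTS, 60, 3, 300) yields an alert at 40 s, a summary at 340 s reporting two suppressed firings, and a fresh alert at 420 s; with occurrences set to 1 the summary counts every individual event instead.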
Predefined Automation Stitch configurations
The following Automation Stitch configurations have predefined trigger events but no response actions selected. You may clone these predefined configurations and use them as a template.
Name | Type | Trigger events
---|---|---
HA_Template | HA Failover | HA Peer Lost, HA Master Failover
Admin_Template | System Events | User Login, User Logout
Configuration_Template | System Events | Config Create, Config Delete, Config Update
System_basic_Template | System Events | Lost Log Disk, High CPU Usage, High Disk Usage, High Memory Usage, SSD MWI Near Threshold, SSD MWI Reached Threshold
Health_check_Template | System Events | Real Server HC Down, Real Server HC Up, Virtual Server Down, Virtual Server Up, Gateway HC Down, Link Group HC Down, Gateway HC Up, Link Group HC Up, GLB Real Server Not Available, GLB Real Server Available, GLB Virtual Server Not Available, GLB Virtual Server Available, GLB GW Not Available, GLB GW Available
Certificate_Template | System Events | Certificate Expire
SNMP_sys_event_Template | System Events | High CPU Temp, Normal CPU Temp, High Device Temp, Normal Device Temp, High PSU Temp, Normal PSU Temp, Slow PSU Fan, Slow Device Fan, Bad PSU Fan, Good PSU Fan, Bad Device Fan, Good Device Fan, High Voltage, Low Voltage, High Power Supply, Low Power Supply, High PSU Voltage, Low PSU Voltage, PSU Failure, Lost Log Disk, High CPU Usage, High Disk Usage, High Memory Usage, SSD MWI Near Threshold, SSD MWI Reached Threshold, Device Rebooted, Device Upgrade Completed, User Login, User Logout, ARP Conflict, Logical Interface Up, Logical Interface Down, Logical Interface Disabled, Log Full, FW SNAT Port Exhausted, Real Server HC Down, Real Server HC Up, Real Server Enabled, Real Server Disabled, Real Server Maintain Mode, Real Server Connection Rate Start, Real Server Connection Rate Stop, Real Server Connection Limit Start, Real Server Connection Limit Stop, Virtual Server Down, Virtual Server Up, Virtual Server Enabled, Virtual Server Disabled, Virtual Server Maintain Mode, Virtual Server Connection Rate Start, Virtual Server Connection Rate Stop, Virtual Server Connection Limit Start, Virtual Server Connection Limit Stop, Virtual Server Transaction Rate Start, Virtual Server Transaction Rate Stop, Virtual Server IP Pool Limit, Certification Expire, Gateway HC Down, Link Group HC Down, Gateway HC Up, Link Group HC Up, Gateway Inbound Bandwidth, Gateway Outbound Bandwidth, Gateway Inbound Spillover, Gateway Outbound Spillover, Gateway Total Spillover, GLB Real Server Not Available, GLB Real Server Available, GLB Virtual Server Not Available, GLB Virtual Server Available, GLB GW Not Available, GLB GW Available, Config Create, Config Delete, Config Update, OCSP Response Expires, SSL Certificate Revoked, CRL Expires
SNMP_sec_event_Template | Security Events | DDoS SYNFLOOD attack start, DDoS SYNFLOOD attack stop, Request Blocked, XSS Attack Detected, SQL Injection Attack Detected, Generic Attack Detected, URL Pattern Violate Detected, Protocol Constraint Detected, Bot Detected, Geo Violate Detected, Reputation Violate Detected, Virtual Server Authentication Failed, JSON Violate Detected, XML Violate Detected, SOAP Violate Detected, Web Anti Defacement Detected, CSRF Violate Detected, Brute Force Detected, Data Leak Violate Detected, HTML Validation Detected, DDoS IP Fragmentation, DDoS TCP Slow Data Attack, DDoS TCP Access Flood, DDoS HTTP Connection Flood, DDoS HTTP Request Flood, DDoS HTTP Access Limit, OPENAPI Violate Detected, CORS Violate Detected, SEC Threshold Violate Detected, SEC Biometrics Base Detected
SNMP_HA_event_Template | HA Failover | HA Peer Lost, HA Master Failover