Fortinet white logo
Fortinet white logo

Handbook

Creating automation stitches

Creating automation stitches

Automation stitches pair a trigger with one or more response actions to allow FortiADC to automatically respond with the action(s) once the trigger condition is met.

From the GUI, Security Fabric > Automation page, you can create an automation stitch by selecting a Trigger event type and the corresponding Action that you would like to automate from the same configuration editor.

FortiADC supports eight trigger event types and six response actions for automation.

  • Triggers: Security Events, SLB Metrics, Period Block IP, HA Failover, System Metrics, Schedule, System Events, and Interface Metrics.

  • Actions: CLI Script, Email, Syslog, SNMP Trap, Webhook, and FortiGate IP Ban.

However, some response actions are only supported for certain trigger types. The table below lists each trigger type and their available response actions.

Security Events

SLB Metrics

Period Block IP

HA Failover

System Metrics

Schedule

System Events

Interface Metrics

CLI Script

Email

Syslog

SNMP Trap

Webhook

FortiGate IP Ban

FortiADC offers Predefined Automation Stitch configurations you can use to get started.

To configure an automation stitch:
  1. Go to Security Fabric > Automation.
  2. Click Create New to display the configuration editor.
  3. Configure the following settings for the Automation Stitch:

    Setting

    Description

    NameEnter a name for the new automation stitch. The configuration name cannot be edited once it has been saved.
    StatusEnable/disable the automation stitch.

    Egress VDOM

    The Egress VDOM determines the VDOM from which the alert packets will be sent, regardless of the local VDOM from which the automation is configured. This affects automation actions that require alert packets to be sent, which include Syslog, SNMP Trap, Webhook, and Email. Actions such as Syslog, SNMP Trap, and Webhook can egress from either the local or root VDOM. However, for Email actions, the Egress VDOM must be Root to correspond with the SMTP server configured in Global Settings.

    Select the Egress VDOM from which the alert packets will be sent:

    • Local — Alert packets will be sent from the local VDOM from which the automation is configured.

    • Root — Alert packets will be sent from the Root VDOM.

  4. Under the Trigger section, select a trigger event and configure the settings specific to each trigger event type.
    Some trigger events are predefined while some trigger events are user-defined. For example, the System Event trigger provides a list of predefined system events for selection, whereas the SLB Metrics trigger requires users to define the alert metrics. For details about each trigger event type, see Configuring Automation Triggers.

    Trigger

    Description

    Security Events

    Apply to

    Select whether to apply the security events automation stitch to All or VS:

    • All — All related events will trigger the Alert action.
    • VS — Only specified Virtual Server related events will trigger the Alert action.

    Virtual Server

    The Virtual Server option appears if Apply to is VS.

    Specify the virtual server. This is required.

    Event

    Select the security events (such as DDoS SYNFLOOD attack start, bot detected, etc.) that will trigger the action. The list of available security events is predefined. For details, see Configuring Automation Triggers.

    Advanced Settings

    Click Advanced Settings to display additional settings for Rolling Window.

    Rolling Window

    Enable to define a Rolling Window Time and Number of Occurence.

    The Rolling Window Time sets a period of time in which a number of events must take place for an action to be triggered. The number of events that must take place within this period of time is set in the Number of Occurrences option.

    Rolling Window Time

    The Rolling Window Time option appears if Rolling Window is enabled.

    Specify the range of time (in seconds) for the rolling window.

    Number of Occurrences

    The Number of Occurrences option appears if Rolling Window is enabled.

    Specify the number of events that must take place before FortiADC will trigger the action.

    SLB Metric

    Alert

    Select a user-defined Alert trigger or create a new alert trigger for SLB Metrics. For details, see Configuring Automation Triggers.

    Period Block IP

    Period Block IP

    Select this trigger to retrieve the Source IP addresses from the Period Block list.

    HA Failover

    Event

    Select the HA failover events (such as HA peer lost) that will trigger the action. The list of available HA failover events is predefined. For details, see Configuring Automation Triggers.

    Advanced Settings

    Click Advanced Settings to display additional settings for Rolling Window.

    Rolling Window

    Enable to define a Rolling Window Time and Number of Occurence.

    The Rolling Window Time sets a period of time in which a number of events must take place for an action to be triggered. The number of events that must take place within this period of time is set in the Number of Occurrences option.

    Rolling Window Time

    The Rolling Window Time option appears if Rolling Window is enabled.

    Specify the range of time (in seconds) for the rolling window.

    Number of Occurrences

    The Number of Occurrences option appears if Rolling Window is enabled.

    Specify the number of events that must take place before FortiADC will trigger the action.

    System Metrics

    Alert

    Select a user-defined Alert trigger or create a new alert trigger for System Metrics. For details, see Configuring Automation Triggers.

    Schedule

    Schedule

    Select a user-defined Alert trigger or create a new alert trigger for Schedule. For details, see Configuring Automation Triggers.

    System Events

    Apply to

    Select whether to apply the system events automation stitch to All, VS or Real Server:

    • All — All related events will trigger the Alert action.
    • VS — Only specified Virtual Server related events will trigger the Alert action.
    • Real Server — Only the specified Virtual Server, Pool, and Real Server related events will trigger the Alert action.

    Virtual Server

    The Virtual Server option appears if Apply to is VS or Real Server.

    Specify the virtual server. This is required if Apply to is VS.

    Pool

    The Real Server option appears if Apply to is Real Server.

    Specify the pool. This is optional.

    Real Server

    The Real Server option appears if Apply to is Real Server.

    Specify the real server. This is required.

    Event

    Select the system events (such as bad PSU fan, good device fan, etc.) that will trigger the action. The list of available System events is predefined. For details, see Configuring Automation Triggers.

    Advanced Settings

    Click Advanced Settings to display additional settings for Rolling Window.

    Rolling Window

    Enable to define a Rolling Window Time and Number of Occurence.

    The Rolling Window Time sets a period of time in which a number of events must take place for an action to be triggered. The number of events that must take place within this period of time is set in the Number of Occurrences option.

    Rolling Window Time

    The Rolling Window Time option appears if Rolling Window is enabled.

    Specify the range of time (in seconds) for the rolling window.

    Number of Occurrences

    The Number of Occurrences option appears if Rolling Window is enabled.

    Specify the number of events that must take place before FortiADC will trigger the action.

    Interface Metric

    Alert

    Select a user-defined Alert trigger or create a new alert trigger for Interface Metrics. For details, see Configuring Automation Triggers.

  5. Under the Action section, select a response action or actions supported for the selected trigger event.
    1. In the Minimum interval (seconds) field, enter a minimum time interval, in seconds, during which you would not receive repeated notifications for the same trigger occurrence. When the minimum time interval expires, you will receive an alert with a compilation report of any events that occurred during the allotted interval period.
      For example, if you are configuring an alert for high CPU usage, and you set the Minimum interval to 86400s (1 day) then you would receive one alert when the CPU usage goes above 90% and you would not get another alert notification for the same event until the next day. When the 86400s (1 day) elapses, you would receive a notification with a summary that lets you know how many times the CPU usage exceeded 90% in the past day.
    2. Configure the settings specific to each response action. Each Action is user-defined. For details about each response action, see Configuring Automation Actions.
  6. Click Save.
    The newly created automation stitch appears on the Security Fabric > Automation page, under its trigger event type.

After configuring the automation stitch, you may test it through CLI command diagnose debug module alertd.

Predefined Automation Stitch configurations

The following Automation Stitch configurations have predefined trigger events but no response actions selected. You may clone these predefined configurations and use them as a template.

Name

Type

Trigger events

HA_Template HA Failover

HA Peer Lost

HA Master Failover

Admin_Template System Events

User Login

User Logout

Configuration_Template System Events

Config Create

Config Delete

Config Update

System_basic_Template System Events

Lost Log Disk

High CPU Usage

High Disk Usage

High Memory Usage

SSD MWI Near Threshold

SSD MWI Reached Threshold

Health_check_Template System Events

Real Server HC Down

Real Server HC Up

Virtual Server Down

Virtual Server Up

Gateway HC Down

Link Group HC Down

Gateway HC Up

Link Group HC Up

GLB Real Server Not Available

GLB Real Server Available

GLB Virtual Server Not Available

GLB Virtual Server Available

GLB GW Not Available

GLB GW Available

Certificate_Template System Events Certificate Expire
SNMP_sys_event_Template System Events

High CPU Temp

Normal CPU Temp

High Device Temp

Normal Device Temp

High PSU Temp

Normal PSU Temp

Slow PSU Fan

Slow Device Fan

Bad PSU Fan

Good PSU Fan

Bad Device Fan

Good Device Fan

High Voltage

Low Voltage

High Power Supply

Low Power Supply

High PSU Voltage

Low PSU Voltage

PSU Failure

Lost Log Disk

High CPU Usage

High Disk Usage

High Memory Usage

SSD MWI Near Threshold

SSD MWI Reached Threshold

Device Rebooted

Device Upgrade Completed

User Login

User Logout

ARP Conflict

Logical Interface Up

Logical Interface Down

Logical Interface Disabled

Log Full

FW SNAT Port Exhausted

Real Server HC Down

Real Server HC Up

Real Server Enabled

Real Server Disabled

Real Server Maintain Mode

Real Server Connection Rate Start

Real Server Connection Rate Stop

Real Server Connection Limit Start

Real Server Connection Limit Stop

Virtual Server Down

Virtual Server Up

Virtual Server Enabled

Virtual Server Disabled

Virtual Server Maintain Mode

Virtual Server Connection Rate Start

Virtual Server Connection Rate Stop

Virtual Server Connection Limit Start

Virtual Server Connection Limit Stop

Virtual Server Transaction Rate Start

Virtual Server Transaction Rate Stop

Virtual Server IP Pool Limit

Certification Expire

Gateway HC Down

Link Group HC Down

Gateway HC Up

Link Group HC Up

Gateway Inbound Bandwidth

Gateway Outbound Bandwidth

Gateway Inbound Spillover

Gateway Outbound Spillover

Gateway Total Spillover

GLB Real Server Not Available

GLB Real Server Available

GLB Virtual Server Not Available

GLB Virtual Server Available

GLB GW Not Available

GLB GW Available

Config Create

Config Delete

Config Update

OCSP Response Expires

SSL Certificate Revoked

CRL Expires

SNMP_sec_event_Template Security Events

DDoS SYNFLOOD attack start

DDoS SYNFLOOD attack stop

Request Blocked

XSS Attack Detected

SQL Injection Attack Detected

Generic Attack Detected

URL Pattern Violate Detected

Protocol Constraint Detected

Bot Detected

Geo Violate Detected

Reputation Violate Detected

Virtual Server Authentication Failed

JSON Violate Detected

XML Violate Detected

SOAP Violate Detected

Web Anti Defacement Detected

CSRF Violate Detected

Brute Force Detected

Data Leak Violate Detected

HTML Validation Detected

DDoS IP Fragmentation

DDoS TCP Slow Data Attack

DDoS TCP Access Flood

DDoS HTTP Connection Flood

DDoS HTTP Request Flood

DDoS HTTP Access Limit

OPENAPI Violate Detected

CORS Violate Detected

SEC Threshold Violate Detected

SEC Biometrics Base Detected

SNMP_HA_event_Template

HA Failover

HA Peer Lost

HA Master Failover

Creating automation stitches

Creating automation stitches

Automation stitches pair a trigger with one or more response actions to allow FortiADC to automatically respond with the action(s) once the trigger condition is met.

From the GUI, Security Fabric > Automation page, you can create an automation stitch by selecting a Trigger event type and the corresponding Action that you would like to automate from the same configuration editor.

FortiADC supports eight trigger event types and six response actions for automation.

  • Triggers: Security Events, SLB Metrics, Period Block IP, HA Failover, System Metrics, Schedule, System Events, and Interface Metrics.

  • Actions: CLI Script, Email, Syslog, SNMP Trap, Webhook, and FortiGate IP Ban.

However, some response actions are only supported for certain trigger types. The table below lists each trigger type and their available response actions.

Security Events

SLB Metrics

Period Block IP

HA Failover

System Metrics

Schedule

System Events

Interface Metrics

CLI Script

Email

Syslog

SNMP Trap

Webhook

FortiGate IP Ban

FortiADC offers Predefined Automation Stitch configurations you can use to get started.

To configure an automation stitch:
  1. Go to Security Fabric > Automation.
  2. Click Create New to display the configuration editor.
  3. Configure the following settings for the Automation Stitch:

    Setting

    Description

    NameEnter a name for the new automation stitch. The configuration name cannot be edited once it has been saved.
    StatusEnable/disable the automation stitch.

    Egress VDOM

    The Egress VDOM determines the VDOM from which the alert packets will be sent, regardless of the local VDOM from which the automation is configured. This affects automation actions that require alert packets to be sent, which include Syslog, SNMP Trap, Webhook, and Email. Actions such as Syslog, SNMP Trap, and Webhook can egress from either the local or root VDOM. However, for Email actions, the Egress VDOM must be Root to correspond with the SMTP server configured in Global Settings.

    Select the Egress VDOM from which the alert packets will be sent:

    • Local — Alert packets will be sent from the local VDOM from which the automation is configured.

    • Root — Alert packets will be sent from the Root VDOM.

  4. Under the Trigger section, select a trigger event and configure the settings specific to each trigger event type.
    Some trigger events are predefined while some trigger events are user-defined. For example, the System Event trigger provides a list of predefined system events for selection, whereas the SLB Metrics trigger requires users to define the alert metrics. For details about each trigger event type, see Configuring Automation Triggers.

    Trigger

    Description

    Security Events

    Apply to

    Select whether to apply the security events automation stitch to All or VS:

    • All — All related events will trigger the Alert action.
    • VS — Only specified Virtual Server related events will trigger the Alert action.

    Virtual Server

    The Virtual Server option appears if Apply to is VS.

    Specify the virtual server. This is required.

    Event

    Select the security events (such as DDoS SYNFLOOD attack start, bot detected, etc.) that will trigger the action. The list of available security events is predefined. For details, see Configuring Automation Triggers.

    Advanced Settings

    Click Advanced Settings to display additional settings for Rolling Window.

    Rolling Window

    Enable to define a Rolling Window Time and Number of Occurence.

    The Rolling Window Time sets a period of time in which a number of events must take place for an action to be triggered. The number of events that must take place within this period of time is set in the Number of Occurrences option.

    Rolling Window Time

    The Rolling Window Time option appears if Rolling Window is enabled.

    Specify the range of time (in seconds) for the rolling window.

    Number of Occurrences

    The Number of Occurrences option appears if Rolling Window is enabled.

    Specify the number of events that must take place before FortiADC will trigger the action.

    SLB Metric

    Alert

    Select a user-defined Alert trigger or create a new alert trigger for SLB Metrics. For details, see Configuring Automation Triggers.

    Period Block IP

    Period Block IP

    Select this trigger to retrieve the Source IP addresses from the Period Block list.

    HA Failover

    Event

    Select the HA failover events (such as HA peer lost) that will trigger the action. The list of available HA failover events is predefined. For details, see Configuring Automation Triggers.

    Advanced Settings

    Click Advanced Settings to display additional settings for Rolling Window.

    Rolling Window

    Enable to define a Rolling Window Time and Number of Occurence.

    The Rolling Window Time sets a period of time in which a number of events must take place for an action to be triggered. The number of events that must take place within this period of time is set in the Number of Occurrences option.

    Rolling Window Time

    The Rolling Window Time option appears if Rolling Window is enabled.

    Specify the range of time (in seconds) for the rolling window.

    Number of Occurrences

    The Number of Occurrences option appears if Rolling Window is enabled.

    Specify the number of events that must take place before FortiADC will trigger the action.

    System Metrics

    Alert

    Select a user-defined Alert trigger or create a new alert trigger for System Metrics. For details, see Configuring Automation Triggers.

    Schedule

    Schedule

    Select a user-defined Alert trigger or create a new alert trigger for Schedule. For details, see Configuring Automation Triggers.

    System Events

    Apply to

    Select whether to apply the system events automation stitch to All, VS or Real Server:

    • All — All related events will trigger the Alert action.
    • VS — Only specified Virtual Server related events will trigger the Alert action.
    • Real Server — Only the specified Virtual Server, Pool, and Real Server related events will trigger the Alert action.

    Virtual Server

    The Virtual Server option appears if Apply to is VS or Real Server.

    Specify the virtual server. This is required if Apply to is VS.

    Pool

    The Real Server option appears if Apply to is Real Server.

    Specify the pool. This is optional.

    Real Server

    The Real Server option appears if Apply to is Real Server.

    Specify the real server. This is required.

    Event

    Select the system events (such as bad PSU fan, good device fan, etc.) that will trigger the action. The list of available System events is predefined. For details, see Configuring Automation Triggers.

    Advanced Settings

    Click Advanced Settings to display additional settings for Rolling Window.

    Rolling Window

    Enable to define a Rolling Window Time and Number of Occurence.

    The Rolling Window Time sets a period of time in which a number of events must take place for an action to be triggered. The number of events that must take place within this period of time is set in the Number of Occurrences option.

    Rolling Window Time

    The Rolling Window Time option appears if Rolling Window is enabled.

    Specify the range of time (in seconds) for the rolling window.

    Number of Occurrences

    The Number of Occurrences option appears if Rolling Window is enabled.

    Specify the number of events that must take place before FortiADC will trigger the action.

    Interface Metric

    Alert

    Select a user-defined Alert trigger or create a new alert trigger for Interface Metrics. For details, see Configuring Automation Triggers.

  5. Under the Action section, select a response action or actions supported for the selected trigger event.
    1. In the Minimum interval (seconds) field, enter a minimum time interval, in seconds, during which you would not receive repeated notifications for the same trigger occurrence. When the minimum time interval expires, you will receive an alert with a compilation report of any events that occurred during the allotted interval period.
      For example, if you are configuring an alert for high CPU usage, and you set the Minimum interval to 86400s (1 day) then you would receive one alert when the CPU usage goes above 90% and you would not get another alert notification for the same event until the next day. When the 86400s (1 day) elapses, you would receive a notification with a summary that lets you know how many times the CPU usage exceeded 90% in the past day.
    2. Configure the settings specific to each response action. Each Action is user-defined. For details about each response action, see Configuring Automation Actions.
  6. Click Save.
    The newly created automation stitch appears on the Security Fabric > Automation page, under its trigger event type.

After configuring the automation stitch, you may test it through CLI command diagnose debug module alertd.

Predefined Automation Stitch configurations

The following Automation Stitch configurations have predefined trigger events but no response actions selected. You may clone these predefined configurations and use them as a template.

Name

Type

Trigger events

HA_Template HA Failover

HA Peer Lost

HA Master Failover

Admin_Template System Events

User Login

User Logout

Configuration_Template System Events

Config Create

Config Delete

Config Update

System_basic_Template System Events

Lost Log Disk

High CPU Usage

High Disk Usage

High Memory Usage

SSD MWI Near Threshold

SSD MWI Reached Threshold

Health_check_Template System Events

Real Server HC Down

Real Server HC Up

Virtual Server Down

Virtual Server Up

Gateway HC Down

Link Group HC Down

Gateway HC Up

Link Group HC Up

GLB Real Server Not Available

GLB Real Server Available

GLB Virtual Server Not Available

GLB Virtual Server Available

GLB GW Not Available

GLB GW Available

Certificate_Template System Events Certificate Expire
SNMP_sys_event_Template System Events

High CPU Temp

Normal CPU Temp

High Device Temp

Normal Device Temp

High PSU Temp

Normal PSU Temp

Slow PSU Fan

Slow Device Fan

Bad PSU Fan

Good PSU Fan

Bad Device Fan

Good Device Fan

High Voltage

Low Voltage

High Power Supply

Low Power Supply

High PSU Voltage

Low PSU Voltage

PSU Failure

Lost Log Disk

High CPU Usage

High Disk Usage

High Memory Usage

SSD MWI Near Threshold

SSD MWI Reached Threshold

Device Rebooted

Device Upgrade Completed

User Login

User Logout

ARP Conflict

Logical Interface Up

Logical Interface Down

Logical Interface Disabled

Log Full

FW SNAT Port Exhausted

Real Server HC Down

Real Server HC Up

Real Server Enabled

Real Server Disabled

Real Server Maintain Mode

Real Server Connection Rate Start

Real Server Connection Rate Stop

Real Server Connection Limit Start

Real Server Connection Limit Stop

Virtual Server Down

Virtual Server Up

Virtual Server Enabled

Virtual Server Disabled

Virtual Server Maintain Mode

Virtual Server Connection Rate Start

Virtual Server Connection Rate Stop

Virtual Server Connection Limit Start

Virtual Server Connection Limit Stop

Virtual Server Transaction Rate Start

Virtual Server Transaction Rate Stop

Virtual Server IP Pool Limit

Certification Expire

Gateway HC Down

Link Group HC Down

Gateway HC Up

Link Group HC Up

Gateway Inbound Bandwidth

Gateway Outbound Bandwidth

Gateway Inbound Spillover

Gateway Outbound Spillover

Gateway Total Spillover

GLB Real Server Not Available

GLB Real Server Available

GLB Virtual Server Not Available

GLB Virtual Server Available

GLB GW Not Available

GLB GW Available

Config Create

Config Delete

Config Update

OCSP Response Expires

SSL Certificate Revoked

CRL Expires

SNMP_sec_event_Template Security Events

DDoS SYNFLOOD attack start

DDoS SYNFLOOD attack stop

Request Blocked

XSS Attack Detected

SQL Injection Attack Detected

Generic Attack Detected

URL Pattern Violate Detected

Protocol Constraint Detected

Bot Detected

Geo Violate Detected

Reputation Violate Detected

Virtual Server Authentication Failed

JSON Violate Detected

XML Violate Detected

SOAP Violate Detected

Web Anti Defacement Detected

CSRF Violate Detected

Brute Force Detected

Data Leak Violate Detected

HTML Validation Detected

DDoS IP Fragmentation

DDoS TCP Slow Data Attack

DDoS TCP Access Flood

DDoS HTTP Connection Flood

DDoS HTTP Request Flood

DDoS HTTP Access Limit

OPENAPI Violate Detected

CORS Violate Detected

SEC Threshold Violate Detected

SEC Biometrics Base Detected

SNMP_HA_event_Template

HA Failover

HA Peer Lost

HA Master Failover