Configuring Automation Triggers
On the Security Fabric > Automation > Trigger tab, you can view the list of available automation trigger events, both predefined and user-defined. After defining your automation triggers, you can combine them with response actions to create an automation stitch. For details, see Creating automation stitches.
FortiADC supports eight trigger event types. Some are predefined and others must be user-defined.
Predefined Triggers:
- Security Events — Uses security events such as "DDoS SYNFLOOD attack start" or "bot detected" as the alert trigger.
- HA Failover — Uses HA failover events such as "HA peer lost" as the alert trigger.
- System Events — Uses system events such as "bad PSU fan" or "good device fan" as the alert trigger.
See Predefined automation trigger events for the full list of predefined events available for each trigger type.
User-defined Triggers:
- SLB Metrics — Uses server load balance performance metrics as the alert trigger.
- Period Block IP — Uses the FortiADC Source IP addresses that have been blocked by WAF as trigger events for the automated response actions. To view or release the blocked IPs, see Blocked IP.
- System Metrics — Uses system metrics such as "average CPU usage" or "average memory usage" as the alert trigger.
- Interface Metrics — Uses network interface events as the alert trigger.
- Schedule — Uses user-defined schedules as the alert trigger.
SLB Metrics
To configure an SLB Metrics trigger alert:
- Go to Security Fabric > Automation.
- Click the Trigger tab.
- Click Create New and select SLB Metrics to display the configuration editor.
- Configure the following trigger alert settings:

| Setting | Description |
|---|---|
| Name | Enter a name for the new SLB Metrics trigger alert. The configuration name cannot be edited once it has been saved. |
| Description | Optionally, you can add a description about this trigger alert configuration. |
| Instance | Select the virtual server on which the SLB Metrics trigger applies. |
| Duration | Specify the metric duration in seconds. Range: 5-3600 seconds. |

- Click Save.
  Once the SLB Metrics trigger alert configuration has been saved, you can then add the alert member configurations under the Alert Metric Expire Member section.
- Under the Alert Metric Expire Member section, click Create New to display the configuration editor.
- Configure the following trigger alert member settings:

| Setting | Description |
|---|---|
| Name | Enter a name for the new SLB Metrics trigger alert member. The configuration name cannot be edited once it has been saved. |
| Metric Occurs | Select the server load balance performance metric events that will trigger the action. |
| Comparator | The metric is compared to the Value field according to the selected option: Ge—greater than; Le—less than; Eq—equal to. The action will be triggered if the specified value satisfies the selected option. |
| Value | Specify the metric value that the Comparator uses to determine if the metric triggers an action (for example, 2 milliseconds). |

- Click Save.
  The newly created trigger alert member is added under the Alert Metric Expire Member section.
- Click Save to commit the changes made for the trigger alert member to the SLB Metrics trigger alert configuration.
System Metrics
To configure a System Metrics trigger alert:
- Go to Security Fabric > Automation.
- Click the Trigger tab.
- Click Create New and select System Metrics to display the configuration editor.
- Configure the following trigger alert settings:

| Setting | Description |
|---|---|
| Name | Enter a name for the new System Metrics trigger alert. The configuration name cannot be edited once it has been saved. |
| Description | Optionally, you can add a description about this trigger alert configuration. |
| Duration | Specify the metric duration in seconds. Range: 5-3600 seconds. |

- Click Save.
  Once the System Metrics trigger alert configuration has been saved, you can then add the alert member configurations under the Alert Metric Expire Member section.
- Under the Alert Metric Expire Member section, click Create New to display the configuration editor.
- Configure the following trigger alert member settings:

| Setting | Description |
|---|---|
| Name | Enter a name for the new System Metrics trigger alert member. The configuration name cannot be edited once it has been saved. |
| Metric Occurs | Select the system metrics events (average CPU usage, average memory usage, etc.) that will trigger the action. |
| Comparator | The metric is compared to the Value field according to the selected option: Ge—greater than; Le—less than; Eq—equal to. The action will be triggered if the specified value satisfies the selected option. |
| Value | Specify the metric value that the Comparator uses to determine if the metric triggers an action (for example, 2 milliseconds). |

- Click Save.
  The newly created trigger alert member is added under the Alert Metric Expire Member section.
- Click Save to commit the changes made for the trigger alert member to the System Metrics trigger alert configuration.
Interface Metrics
To configure an Interface Metrics trigger alert:
- Go to Security Fabric > Automation.
- Click the Trigger tab.
- Click Create New and select Interface Metrics to display the configuration editor.
- Configure the following trigger alert settings:

| Setting | Description |
|---|---|
| Name | Enter a name for the new Interface Metrics trigger alert. The configuration name cannot be edited once it has been saved. |
| Description | Optionally, you can add a description about this trigger alert configuration. |
| Instance | Select the network interface on which the Interface Metrics trigger applies. |
| Duration | Specify the metric duration in seconds. Range: 5-3600 seconds. |

- Click Save.
  Once the Interface Metrics trigger alert configuration has been saved, you can then add the alert member configurations under the Alert Metric Expire Member section.
- Under the Alert Metric Expire Member section, click Create New to display the configuration editor.
- Configure the following trigger alert member settings:

| Setting | Description |
|---|---|
| Name | Enter a name for the new Interface Metrics trigger alert member. The configuration name cannot be edited once it has been saved. |
| Metric Occurs | Select the network interface events that will trigger the action. |
| Comparator | The metric is compared to the Value field according to the selected option: Ge—greater than; Le—less than; Eq—equal to. The action will be triggered if the specified value satisfies the selected option. |
| Value | Specify the metric value that the Comparator uses to determine if the metric triggers an action (for example, 2 milliseconds). |

- Click Save.
  The newly created trigger alert member is added under the Alert Metric Expire Member section.
- Click Save to commit the changes made for the trigger alert member to the Interface Metrics trigger alert configuration.
Schedule
To configure a Schedule trigger alert:
- Go to Security Fabric > Automation.
- Click the Trigger tab.
- Click Create New and select Schedule to display the configuration editor.
- Configure the following trigger alert settings:

| Setting | Description |
|---|---|
| Name | Enter a name for the new Schedule trigger alert. The configuration name cannot be edited once it has been saved. |
| Description | Optionally, you can add a description about this trigger alert configuration. |
| Schedule Occurs | Select a user-defined schedule group object or create a new schedule group. For details, see Creating schedule groups. |

- Click Save.
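
Because trigger and member names cannot be edited once saved, it can help to check a planned set of user-defined triggers against the constraints in the SLB Metrics, System Metrics, Interface Metrics and Schedule procedures above before entering them in the GUI. The following is an added example, not Fortinet code: the dictionary layout, key names, `lint_trigger`, `lint_plan` and the sample values are hypothetical, and only the duration range, comparator options and required fields are taken from this page.

```python
# Added example: pre-flight check for planned FortiADC trigger definitions.
# The dict layout and key names are hypothetical; only the constraints
# (duration range, comparator options, Instance field) come from this page.
COMPARATORS = {"Ge", "Le", "Eq"}
NEEDS_INSTANCE = {"SLB Metrics", "Interface Metrics"}  # editors with an Instance field
METRIC_TYPES = NEEDS_INSTANCE | {"System Metrics"}

def lint_trigger(trigger, seen_names):
    """Return the problems found in one planned trigger definition."""
    problems = []
    name, ttype = trigger.get("name", ""), trigger.get("type")
    if not name:
        problems.append("name is empty")
    elif name in seen_names:
        problems.append(f"name {name!r} reused; names cannot be edited once saved")
    seen_names.add(name)
    if ttype == "Schedule":
        if not trigger.get("schedule_group"):
            problems.append("Schedule trigger needs a schedule group")
        return problems
    if ttype not in METRIC_TYPES:
        return problems + [f"unsupported trigger type {ttype!r}"]
    duration = trigger.get("duration")
    if not isinstance(duration, int) or not 5 <= duration <= 3600:
        problems.append(f"duration {duration!r} is outside 5-3600 seconds")
    if ttype in NEEDS_INSTANCE and not trigger.get("instance"):
        problems.append(f"{ttype} trigger needs an instance")
    members = trigger.get("members", [])
    if not members:
        problems.append("no alert member, so no metric condition is defined")
    for m in members:
        if m.get("comparator") not in COMPARATORS:
            problems.append(f"member {m.get('name')!r}: comparator must be Ge, Le or Eq")
        if not isinstance(m.get("value"), (int, float)):
            problems.append(f"member {m.get('name')!r}: value must be numeric")
    return problems

def lint_plan(plan):
    """Lint every trigger in order; returns one problem list per trigger."""
    seen = set()
    return [lint_trigger(t, seen) for t in plan]

PLAN = [  # constructed sample input, not taken from a real device
    {"name": "vs1-slow", "type": "SLB Metrics", "instance": "vs1", "duration": 60,
     "members": [{"name": "m1", "metric": "sample-metric", "comparator": "Ge", "value": 2}]},
    {"name": "cpu-high", "type": "System Metrics", "duration": 2,
     "members": [{"name": "m1", "metric": "average CPU usage", "comparator": "Gt", "value": 90}]},
    {"name": "cpu-high", "type": "Interface Metrics", "duration": 300, "members": []},
]
```

Calling `lint_plan(PLAN)` returns an empty list for the first trigger and the specific findings for the other two, which can be attached to a change request before the configuration is saved.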
Predefined automation trigger events

| Trigger | Events |
|---|---|
| Security Events | Bot Detected; Brute Force Detected; CORS Violate Detected; CSRF Violate Detected; Data Leak Violate Detected; DDoS HTTP Access Limit; DDoS HTTP Connection Flood; DDoS HTTP Request Flood; DDoS IP Fragmentation; DDoS SYNFLOOD attack start; DDoS SYNFLOOD attack stop; DDoS TCP Access Flood; DDoS TCP Slow Data Attack; Generic Attack Detected; Geo Violate Detected; HTML Validation Detected; JSON Violate Detected; OPENAPI Violate Detected; Protocol Constraint Detected; Reputation Violate Detected; Request Blocked; SEC Biometrics Base Detected; SEC Threshold Violate Detected; SOAP Violate Detected; SQL Injection Attack Detected; URL Pattern Violate Detected; Virtual Server Authentication Fail; Web Anti Defacement Detected; XML Violate Detected; XSS Attack Detected |
| HA Failover | HA Master Failover; HA Peer Lost |
| System Events | ARP Conflict; Bad Device Fan; Bad PSU Fan; Certification Expire; Config Create; Config Delete; Config Update; CRL Expires; Device Rebooted; Device Upgrade Completed; FW SNAT Port Exhausted; Gateway HC Down; Gateway HC Up; Gateway Inbound Bandwidth; Gateway Inbound Spillover; Gateway Outbound Bandwidth; Gateway Outbound Spillover; Gateway Total Spillover; GLB GW Available; GLB GW Not Available; GLB Real Server Available; GLB Real Server Not Available; GLB Virtual Server Available; GLB Virtual Server Not Available; Good Device Fan; Good PSU Fan; High CPU Temp; High CPU Usage; High Device Temp; High Disk Usage; High Memory Usage; High Power Supply; High PSU Temp; High PSU Voltage; High Voltage; Link Group HC Down; Link Group HC Up; Log Full; Logical Interface Disabled; Logical Interface Down; Logical Interface Up; Lost Log Disk; Low Power Supply; Low PSU Voltage; Low Voltage; Normal CPU Temp; Normal Device Temp; Normal PSU Temp; OCSP Response Expires; PSU Failure; Real Server Connection Limit Start; Real Server Connection Limit Stop; Real Server Connection Rate Start; Real Server Connection Rate Stop; Real Server Disabled; Real Server Enabled; Real Server HC Down; Real Server HC Up; Real Server Maintain Mode; Slow Device Fan; Slow PSU Fan; SSD MWI Near Threshold; SSD MWI Reached Threshold; SSL Certificate Revoked; User Login; User Logout; Virtual Server Connection Limit Start; Virtual Server Connection Limit Stop; Virtual Server Connection Rate Start; Virtual Server Connection Rate Stop; Virtual Server Disabled; Virtual Server Down; Virtual Server Enabled; Virtual Server IP Pool Limit; Virtual Server Maintain Mode; Virtual Server Transaction Rate Start; Virtual Server Transaction Rate Stop; Virtual Server Up |