Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 7.4.1 Handbook
    7.4.1
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Configuring Automation Actions

    Configuring Automation Actions

    On the Security Fabric > Automation > Action tab, you can view the list of available automation response actions that have been user-defined. After defining your automation actions, you can combine them with a trigger to create an automation stitch. For details, see Creating automation stitches

    FortiADC supports six response action types:

    • SNMP Trap — Sends an SNMP trap to the specified server in response to the trigger. This action is not supported for the Schedule trigger.
    • FortiGate IP Ban — Blocks all traffic from the source IP addresses flagged by the FortiGate in response to the trigger. This action can only be used with the Period Block IP trigger.
    • Email — Sends a custom email notification in response to the trigger.
    • CLI Script — Runs a CLI script in response to the trigger. This action is not supported for the Period Block IP trigger.
    • Webhook — Sends data to another application using a REST callback in response to the trigger.
    • Syslog — Generates a syslog in response to the trigger.

    SNMP Trap

    Use this action to send SNMP traps to the specified server in response to a trigger event.

    To configure an SNMP Trap response action:
    1. Go to Security Fabric > Automation.
    2. Click the Action tab.
    3. Click Create New to display the Create New Automation Action configuration page.
    4. Under the Security Response section, click SNMP Trap to display the configuration editor.
    5. Configure the following response action settings:

      Setting

      Description

      NameEnter a name for the new SNMP Trap action. The configuration name cannot be edited once it has been saved.
      HostsSpecify the IP address that will receive this message.
      Version

      Select the SNMP version to use

      • v1

      • v2c

      • v3

      Note:

      If using the System Event trigger Admin user login failed and blocked IP, it is recommended to use SNMPv2 or SNMPv3 only. When using SNMPv1 with the Admin user login failed and blocked IP system event trigger, the event is not recorded on the SNMP client even when the SNMP action is triggered successfully. Whereas the SNMP client records using SNMPv2 or SNMPv3 both properly reflect the triggered action for Admin user login failed and blocked IP event.

      Local PortSpecify the source port number. Default: 162 Range: 0-65535
      Remote PortSpecify the destination port number. Default: 162 Range: 0-65535

      Security Level

      The Security Level option is available if v3 is selected for Version.

      The SNMP security level to use:

      • Auth But no Privacy

      • Auth And Privacy

      • No Privacy

      Auth Algorithm

      The Auth Algorithm option is available if Auth But no Privacy or Auth And Privacy is selected for Security Level.

      The authentication algorithm to use:

      • SHA1

      • MD5

      Auth Password

      The Auth Password option is available if Auth But no Privacy or Auth And Privacy is selected for Security Level.

      The password to the authentication algorithm.

      Private Algorithm

      The Private Algorithm option is available if Auth And Privacy is selected for Security Level.

      The private algorithm to use:

      • AES

      • DES

      Private Password

      The Private Password option is available if Auth And Privacy is selected for Security Level.

      The password to the private algorithm.

      User

      Specify the User.

    6. Click OK.

    FortiGate IP Ban

    Use this action to block all traffic from the source addresses flagged by the FortiGate in response to the Period Block IP trigger. See FortiGate IP Ban action for details.

    To configure a FortiGate IP Ban response action:
    1. Go to Security Fabric > Automation.
    2. Click the Action tab.
    3. Click Create New to display the Create New Automation Action configuration page.
    4. Under the Security Response section, click FortiGate IP Ban to display the configuration editor.
    5. Configure the following response action settings:

      Setting

      Description

      NameEnter a name for the new FortiGate IP Ban action. The configuration name cannot be edited once it has been saved.
      TypeToken
      FortiGate Token

      Specify the FortiGate Token.

      To get the token, log in to FortiGate, go to System> Administrator, create a new REST API Administrator, then generate API key.

      FortiGate URLSpecify the IP address of the FortiGate URL. For example, https://10.106.155.107
    6. Click OK.

    Email

    Use this action to send a custom email notification in response to a trigger event.

    To configure an Email response action:
    1. Go to Security Fabric > Automation.
    2. Click the Action tab.
    3. Click Create New to display the Create New Automation Action configuration page.
    4. Under the Notifications section, click Email to display the configuration editor.
    5. Configure the following settings:

      Setting

      Description

      NameEnter a name for the new Email action. The configuration name cannot be edited once it has been saved.
      FromSpecify the sender email address of this notification.

      To

      Specify the recipient email address of this notification.

      Email Subject

      Specify the email subject string.

      Email Body

      Write the email message in the Email Body. Maximum 256 characters.

      You can insert specific system data, such as parameters from logs or previous action results by wrapping the parameter with %% tags to replace the expression with the JSON value for that parameter.

      There are 6 available Action Parameters:

      • %%results%% — In automation stitches with more than one response action, %%results%% inserts the complete result from the previous action, such as a CLI Script action.
      • %%alert_msg%% — The complete alert string will be inserted from the event source when it happens, such as from the WAF module.
      • %%metric_obj%% — Applicable to System trigger alerts (SLB Metrics, System Metrics, and Interface Metrics), %%metric_obj%% inserts the metric instance (port) and value that was configured in the trigger alert.
      • %%block.srcip%% — The quarantined Source IP will be inserted when the WAF module blocks the IP.
      • %%event.srcip%% — The Source IP of the event will be inserted from the event source when it happens, such as from the WAF module.

      • %%log_msg%% — Applicable to the FortiADC Log trigger alert, %%log_msg%% inserts the complete log string from the log source when it happens.

    6. Click OK.

    CLI Script

    Use this action to run a CLI script in response to a trigger event, such as to make appropriate configuration changes. The scripts can be manually entered or uploaded as a file.

    To configure a CLI Script response action:
    1. Go to Security Fabric > Automation.
    2. Click the Action tab.
    3. Click Create New to display the Create New Automation Action configuration page.
    4. Under the General section, click CLI Script to display the configuration editor.
    5. Configure the following response action settings:

      Setting

      Description

      NameEnter a name for the new CLI Script action. The configuration name cannot be edited once it has been saved.
      Script

      Manually enter or upload the script.

      • To manually enter the script, type it into the Script field.
      • To upload a script file, click Choose File and locate the file on your management computer.

      Maximum 256 characters.

    6. Click OK.

    Webhook

    Use this action to send data to another application using a REST callback in response to a trigger event.

    To configure a Webhook response action:
    1. Go to Security Fabric > Automation.
    2. Click the Action tab.
    3. Click Create New to display the Create New Automation Action configuration page.
    4. Under the General section, click Webhook to display the configuration editor.
    5. Configure the following response action settings:

      Setting

      Description

      NameEnter a name for the new Webhook action. The configuration name cannot be edited once it has been saved.
      Protocol

      Select the request protocol to use:

      • HTTP

      • HTTPS

      Method

      Specify the request method:

      • POST

      • PUT

      • GET

      • PATCH

      • DELETE

      URLSpecify the request URL. For example, 10.106.155.130:90/test
      HTTP Body

      Specify the request body. For example, 'msg': 'abc', 'user': 'jack'

      You can insert specific system data, such as parameters from logs or previous action results by wrapping the parameter with %% tags to replace the expression with the JSON value for that parameter.

      There are 6 available Action Parameters:

      • %%results%% — In automation stitches with more than one response action, %%results%% inserts the complete result from the previous action, such as a CLI Script action.
      • %%alert_msg%% — The complete alert string will be inserted from the event source when it happens, such as from the WAF module.
      • %%metric_obj%% — Applicable to System trigger alerts (SLB Metrics, System Metrics, and Interface Metrics), %%metric_obj%% inserts the metric instance (port) and value that was configured in the trigger alert.
      • %%block.srcip%% — The quarantined Source IP will be inserted when the WAF module blocks the IP.
      • %%event.srcip%% — The Source IP of the event will be inserted from the event source when it happens, such as from the WAF module.

      • %%log_msg%% — Applicable to the FortiADC Log trigger alert, %%log_msg%% inserts the complete log string from the log source when it happens.

      HTTP Header

      Specify the HTTP request header name and value.

      For example, customerheader1:value1 customerheader2:value2
      Ensure to only use space as the delimiter for multiple headers.

      TLS Certificate

      The TLS Certificate option is available if the Protocol is HTTPS.

      Select a TLS certificate to verify by the server to validate the HTTPS connection to the webhook endpoint.

      A valid TLS certificate is required if the HTTPS server is enabled for two-way authentication. However, a TLS certificate is optional if the HTTPS server is not enabled for two-way authentication.

      Verify Remote Host

      The Verify Remote Host option is available if the Protocol is HTTPS.

      Enable to verify that the remote server matches the host URL using a CA certificate. This option is disabled by default.

      CA Certificate

      The CA Certificate option is available if the Protocol is HTTPS and Verify Remote Host is enabled.

      Select the CA certificate to use to verify the remote server. FortiADC will verify that the IP or domain name matches in the Remote host field or the Subject alternative name field in the certificate CN.

    6. Click OK.

    Syslog

    Use this action to generate a syslog message in response to a trigger event.

    To configure a Syslog response action:
    1. Go to Security Fabric > Automation.
    2. Click the Action tab.
    3. Click Create New to display the Create New Automation Action configuration page.
    4. Under the General section, click Syslog to display the configuration editor.
    5. Configure the following response action settings:

      Setting

      Description

      NameEnter a name for the new Email action. The configuration name cannot be edited once it has been saved.
      AddressSpecify the IP address that will receive this message.
      PortSpecify the port that will receive this message. Range: 1-65535
    6. Click OK.
    Previous
    Next

    Configuring Automation Actions

    Configuring Automation Actions

    On the Security Fabric > Automation > Action tab, you can view the list of available automation response actions that have been user-defined. After defining your automation actions, you can combine them with a trigger to create an automation stitch. For details, see Creating automation stitches

    FortiADC supports six response action types:

    • SNMP Trap — Sends an SNMP trap to the specified server in response to the trigger. This action is not supported for the Schedule trigger.
    • FortiGate IP Ban — Blocks all traffic from the source IP addresses flagged by the FortiGate in response to the trigger. This action can only be used with the Period Block IP trigger.
    • Email — Sends a custom email notification in response to the trigger.
    • CLI Script — Runs a CLI script in response to the trigger. This action is not supported for the Period Block IP trigger.
    • Webhook — Sends data to another application using a REST callback in response to the trigger.
    • Syslog — Generates a syslog in response to the trigger.

    SNMP Trap

    Use this action to send SNMP traps to the specified server in response to a trigger event.

    To configure an SNMP Trap response action:
    1. Go to Security Fabric > Automation.
    2. Click the Action tab.
    3. Click Create New to display the Create New Automation Action configuration page.
    4. Under the Security Response section, click SNMP Trap to display the configuration editor.
    5. Configure the following response action settings:

      Setting

      Description

      NameEnter a name for the new SNMP Trap action. The configuration name cannot be edited once it has been saved.
      HostsSpecify the IP address that will receive this message.
      Version

      Select the SNMP version to use

      • v1

      • v2c

      • v3

      Note:

      If using the System Event trigger Admin user login failed and blocked IP, it is recommended to use SNMPv2 or SNMPv3 only. When using SNMPv1 with the Admin user login failed and blocked IP system event trigger, the event is not recorded on the SNMP client even when the SNMP action is triggered successfully. Whereas the SNMP client records using SNMPv2 or SNMPv3 both properly reflect the triggered action for Admin user login failed and blocked IP event.

      Local PortSpecify the source port number. Default: 162 Range: 0-65535
      Remote PortSpecify the destination port number. Default: 162 Range: 0-65535

      Security Level

      The Security Level option is available if v3 is selected for Version.

      The SNMP security level to use:

      • Auth But no Privacy

      • Auth And Privacy

      • No Privacy

      Auth Algorithm

      The Auth Algorithm option is available if Auth But no Privacy or Auth And Privacy is selected for Security Level.

      The authentication algorithm to use:

      • SHA1

      • MD5

      Auth Password

      The Auth Password option is available if Auth But no Privacy or Auth And Privacy is selected for Security Level.

      The password to the authentication algorithm.

      Private Algorithm

      The Private Algorithm option is available if Auth And Privacy is selected for Security Level.

      The private algorithm to use:

      • AES

      • DES

      Private Password

      The Private Password option is available if Auth And Privacy is selected for Security Level.

      The password to the private algorithm.

      User

      Specify the User.

    6. Click OK.

    FortiGate IP Ban

    Use this action to block all traffic from the source addresses flagged by the FortiGate in response to the Period Block IP trigger. See FortiGate IP Ban action for details.

    To configure a FortiGate IP Ban response action:
    1. Go to Security Fabric > Automation.
    2. Click the Action tab.
    3. Click Create New to display the Create New Automation Action configuration page.
    4. Under the Security Response section, click FortiGate IP Ban to display the configuration editor.
    5. Configure the following response action settings:

      Setting

      Description

      NameEnter a name for the new FortiGate IP Ban action. The configuration name cannot be edited once it has been saved.
      TypeToken
      FortiGate Token

      Specify the FortiGate Token.

      To get the token, log in to FortiGate, go to System> Administrator, create a new REST API Administrator, then generate API key.

      FortiGate URLSpecify the IP address of the FortiGate URL. For example, https://10.106.155.107
    6. Click OK.

    Email

    Use this action to send a custom email notification in response to a trigger event.

    To configure an Email response action:
    1. Go to Security Fabric > Automation.
    2. Click the Action tab.
    3. Click Create New to display the Create New Automation Action configuration page.
    4. Under the Notifications section, click Email to display the configuration editor.
    5. Configure the following settings:

      Setting

      Description

      NameEnter a name for the new Email action. The configuration name cannot be edited once it has been saved.
      FromSpecify the sender email address of this notification.

      To

      Specify the recipient email address of this notification.

      Email Subject

      Specify the email subject string.

      Email Body

      Write the email message in the Email Body. Maximum 256 characters.

      You can insert specific system data, such as parameters from logs or previous action results by wrapping the parameter with %% tags to replace the expression with the JSON value for that parameter.

      There are 6 available Action Parameters:

      • %%results%% — In automation stitches with more than one response action, %%results%% inserts the complete result from the previous action, such as a CLI Script action.
      • %%alert_msg%% — The complete alert string will be inserted from the event source when it happens, such as from the WAF module.
      • %%metric_obj%% — Applicable to System trigger alerts (SLB Metrics, System Metrics, and Interface Metrics), %%metric_obj%% inserts the metric instance (port) and value that was configured in the trigger alert.
      • %%block.srcip%% — The quarantined Source IP will be inserted when the WAF module blocks the IP.
      • %%event.srcip%% — The Source IP of the event will be inserted from the event source when it happens, such as from the WAF module.

      • %%log_msg%% — Applicable to the FortiADC Log trigger alert, %%log_msg%% inserts the complete log string from the log source when it happens.

    6. Click OK.

    CLI Script

    Use this action to run a CLI script in response to a trigger event, such as to make appropriate configuration changes. The scripts can be manually entered or uploaded as a file.

    To configure a CLI Script response action:
    1. Go to Security Fabric > Automation.
    2. Click the Action tab.
    3. Click Create New to display the Create New Automation Action configuration page.
    4. Under the General section, click CLI Script to display the configuration editor.
    5. Configure the following response action settings:

      Setting

      Description

      NameEnter a name for the new CLI Script action. The configuration name cannot be edited once it has been saved.
      Script

      Manually enter or upload the script.

      • To manually enter the script, type it into the Script field.
      • To upload a script file, click Choose File and locate the file on your management computer.

      Maximum 256 characters.

    6. Click OK.

    Webhook

    Use this action to send data to another application using a REST callback in response to a trigger event.

    To configure a Webhook response action:
    1. Go to Security Fabric > Automation.
    2. Click the Action tab.
    3. Click Create New to display the Create New Automation Action configuration page.
    4. Under the General section, click Webhook to display the configuration editor.
    5. Configure the following response action settings:

      Setting

      Description

      NameEnter a name for the new Webhook action. The configuration name cannot be edited once it has been saved.
      Protocol

      Select the request protocol to use:

      • HTTP

      • HTTPS

      Method

      Specify the request method:

      • POST

      • PUT

      • GET

      • PATCH

      • DELETE

      URLSpecify the request URL. For example, 10.106.155.130:90/test
      HTTP Body

      Specify the request body. For example, 'msg': 'abc', 'user': 'jack'

      You can insert specific system data, such as parameters from logs or previous action results by wrapping the parameter with %% tags to replace the expression with the JSON value for that parameter.

      There are 6 available Action Parameters:

      • %%results%% — In automation stitches with more than one response action, %%results%% inserts the complete result from the previous action, such as a CLI Script action.
      • %%alert_msg%% — The complete alert string will be inserted from the event source when it happens, such as from the WAF module.
      • %%metric_obj%% — Applicable to System trigger alerts (SLB Metrics, System Metrics, and Interface Metrics), %%metric_obj%% inserts the metric instance (port) and value that was configured in the trigger alert.
      • %%block.srcip%% — The quarantined Source IP will be inserted when the WAF module blocks the IP.
      • %%event.srcip%% — The Source IP of the event will be inserted from the event source when it happens, such as from the WAF module.

      • %%log_msg%% — Applicable to the FortiADC Log trigger alert, %%log_msg%% inserts the complete log string from the log source when it happens.

      HTTP Header

      Specify the HTTP request header name and value.

      For example, customerheader1:value1 customerheader2:value2
      Ensure to only use space as the delimiter for multiple headers.

      TLS Certificate

      The TLS Certificate option is available if the Protocol is HTTPS.

      Select a TLS certificate to verify by the server to validate the HTTPS connection to the webhook endpoint.

      A valid TLS certificate is required if the HTTPS server is enabled for two-way authentication. However, a TLS certificate is optional if the HTTPS server is not enabled for two-way authentication.

      Verify Remote Host

      The Verify Remote Host option is available if the Protocol is HTTPS.

      Enable to verify that the remote server matches the host URL using a CA certificate. This option is disabled by default.

      CA Certificate

      The CA Certificate option is available if the Protocol is HTTPS and Verify Remote Host is enabled.

      Select the CA certificate to use to verify the remote server. FortiADC will verify that the IP or domain name matches in the Remote host field or the Subject alternative name field in the certificate CN.

    6. Click OK.

    Syslog

    Use this action to generate a syslog message in response to a trigger event.

    To configure a Syslog response action:
    1. Go to Security Fabric > Automation.
    2. Click the Action tab.
    3. Click Create New to display the Create New Automation Action configuration page.
    4. Under the General section, click Syslog to display the configuration editor.
    5. Configure the following response action settings:

      Setting

      Description

      NameEnter a name for the new Email action. The configuration name cannot be edited once it has been saved.
      AddressSpecify the IP address that will receive this message.
      PortSpecify the port that will receive this message. Range: 1-65535
    6. Click OK.
    Previous
    Next