Configuring Automation Actions
On the Security Fabric > Automation > Action tab, you can view the list of user-defined automation response actions. After defining your automation actions, you can combine them with a trigger to create an automation stitch. For details, see Creating automation stitches.
FortiADC supports six response action types:
- SNMP Trap — Sends an SNMP trap to the specified server in response to the trigger. This action is not supported for the Schedule trigger.
- FortiGate IP Ban — Blocks all traffic from the source IP addresses flagged by the FortiGate in response to the trigger. This action can only be used with the Period Block IP trigger.
- Email — Sends a custom email notification in response to the trigger.
- CLI Script — Runs a CLI script in response to the trigger. This action is not supported for the Period Block IP trigger.
- Webhook — Sends data to another application using a REST callback in response to the trigger.
- Syslog — Generates a syslog in response to the trigger.
Before you begin:
- You must have Global Administrator access. Ensure that your admin account settings have Global Admin set to Yes. For more information, see Creating administrator users.
SNMP Trap
Use this action to send SNMP traps to the specified server in response to a trigger event.
To configure an SNMP Trap response action:
- Go to Security Fabric > Automation.
- Click the Action tab.
- Click Create New to display the Create New Automation Action configuration page.
- Under the Security Response section, click SNMP Trap to display the configuration editor.
- Configure the following response action settings:
Name
Enter a name for the new SNMP Trap action. The configuration name cannot be edited once it has been saved.
Hosts
Specify the IP address that will receive this message.
Version
Select the SNMP version to use:
- v1
- v2c
- v3
Note: If using the System Event trigger Admin user login failed and blocked IP, it is recommended to use SNMPv2 or SNMPv3 only. When using SNMPv1 with the Admin user login failed and blocked IP system event trigger, the event is not recorded on the SNMP client even when the SNMP action is triggered successfully. With SNMPv2 or SNMPv3, the SNMP client's records correctly reflect the triggered action for the Admin user login failed and blocked IP event.
Local Port
Specify the source port number. Default: 162. Range: 0-65535.
Remote Port
Specify the destination port number. Default: 162. Range: 0-65535.
Security Level
The Security Level option is available if v3 is selected for Version.
The SNMP security level to use:
- Auth But no Privacy
- Auth And Privacy
- No Privacy
Auth Algorithm
The Auth Algorithm option is available if Auth But no Privacy or Auth And Privacy is selected for Security Level.
The authentication algorithm to use:
- SHA1
- MD5
Auth Password
The Auth Password option is available if Auth But no Privacy or Auth And Privacy is selected for Security Level.
The password for the authentication algorithm.
Private Algorithm
The Private Algorithm option is available if Auth And Privacy is selected for Security Level.
The privacy (encryption) algorithm to use:
- AES
- DES
Private Password
The Private Password option is available if Auth And Privacy is selected for Security Level.
The password for the privacy algorithm.
User
Specify the SNMP user name.
- Click OK.
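The note above recommends SNMPv2 or SNMPv3 for the Admin user login failed and blocked IP trigger, so the receiving side may want to tell trap versions apart. The following is an added example, not FortiADC code or configuration: a minimal BER parser that reads the version field (and, for v1/v2c, the community string) from the start of an SNMP message so a trap receiver can log or reject SNMPv1 traps. The sample messages are constructed inline, and the accept/reject policy is an assumption rather than anything the page specifies.

```python
import socket
from typing import Optional, Tuple

# Added example, not FortiADC code: decode only enough of an SNMP message
# (BER, per RFC 3416/3412) to learn its version, so a trap receiver can
# apply a policy such as "reject SNMPv1".
SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}


def _read_tlv(data: bytes, offset: int) -> Tuple[int, bytes, int]:
    """Decode one BER TLV at offset; return (tag, value, offset after the TLV)."""
    if offset + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long-form length: the low 7 bits give the byte count of the length
        n = length & 0x7F
        if n == 0 or n > 4 or offset + n > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    if offset + length > len(data):
        raise ValueError("TLV value runs past end of message")
    return tag, data[offset:offset + length], offset + length


def snmp_version(message: bytes) -> Tuple[str, Optional[str]]:
    """Return (version label, community); community is None for SNMPv3 messages."""
    tag, body, _ = _read_tlv(message, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    label = SNMP_VERSIONS.get(int.from_bytes(ver, "big", signed=True))
    if label is None:
        raise ValueError("unknown SNMP version")
    if label == "v3":
        return label, None  # v3 carries msgGlobalData here, not a community string
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    return label, community.decode("ascii", errors="replace")


def should_accept(message: bytes) -> bool:
    """Assumed receiver policy: accept v2c and v3 traps, reject v1."""
    label, _ = snmp_version(message)
    return label != "v1"


def _tlv(tag: int, payload: bytes) -> bytes:
    """BER-encode a TLV (short-form length only; enough for the constructed samples)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def _int(v: int) -> bytes:
    return _tlv(0x02, bytes([v]))  # single-byte non-negative INTEGER


# Constructed sample messages (not captured traffic). PDU contents are minimal.
SAMPLE_V1_TRAP = _tlv(0x30, _int(0) + _tlv(0x04, b"public") + _tlv(0xA4, b""))
SAMPLE_V2C_TRAP = _tlv(0x30, _int(1) + _tlv(0x04, b"public")
                       + _tlv(0xA7, _int(42) + _int(0) + _int(0) + _tlv(0x30, b"")))
SAMPLE_V3_MSG = _tlv(0x30, _int(3) + _tlv(0x30, _int(1) + _int(100) + _tlv(0x04, b"\x04") + _int(3)))


def serve(port: int = 162) -> None:
    """Listen for traps and report each one's version and whether the policy accepts it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))  # binding to 162 needs privileges
        while True:
            data, (src, _) = sock.recvfrom(65535)
            try:
                label, community = snmp_version(data)
                print(f"{src}: SNMP{label} community={community!r} accepted={label != 'v1'}")
            except ValueError as exc:
                print(f"{src}: malformed SNMP message ({exc})")


if __name__ == "__main__":
    for name, msg in [("v1", SAMPLE_V1_TRAP), ("v2c", SAMPLE_V2C_TRAP), ("v3", SAMPLE_V3_MSG)]:
        print(name, snmp_version(msg), should_accept(msg))
```

Run the module directly to see the three constructed samples classified; call serve() on a host that can bind UDP 162 to classify live traps. Community strings are decoded only for display, since the point of the check is the version field.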
FortiGate IP Ban
Use this action to block all traffic from the source addresses flagged by the FortiGate in response to the Period Block IP trigger. See FortiGate IP Ban action for details.
To configure a FortiGate IP Ban response action:
- Go to Security Fabric > Automation.
- Click the Action tab.
- Click Create New to display the Create New Automation Action configuration page.
- Under the Security Response section, click FortiGate IP Ban to display the configuration editor.
- Configure the following response action settings:
Name
Enter a name for the new FortiGate IP Ban action. The configuration name cannot be edited once it has been saved.
Type
Token
FortiGate Token
Specify the FortiGate token. To get the token, log in to FortiGate, go to System > Administrator, create a new REST API Administrator, then generate an API key.
FortiGate URL
Specify the FortiGate URL, using the FortiGate's IP address. For example, https://10.106.155.107
- Click OK.
Email
Use this action to send a custom email notification in response to a trigger event.
To configure an Email response action:
- Go to Security Fabric > Automation.
- Click the Action tab.
- Click Create New to display the Create New Automation Action configuration page.
- Under the Notifications section, click Email to display the configuration editor.
- Configure the following settings:
Name
Enter a name for the new Email action. The configuration name cannot be edited once it has been saved.
From
Specify the sender email address of this notification.
To
Specify the recipient email address of this notification.
Email Subject
Specify the email subject string.
Email Body
Write the email message in the Email Body. Maximum 256 characters.
You can insert specific system data, such as parameters from logs or previous action results, by wrapping the parameter name in %% tags; the expression is replaced with the JSON value of that parameter. There are six available action parameters:
- %%results%% — In automation stitches with more than one response action, %%results%% inserts the complete result from the previous action, such as a CLI Script action.
- %%alert_msg%% — Inserts the complete alert string from the event source when the event happens, such as from the WAF module.
- %%metric_obj%% — Applicable to System trigger alerts (SLB Metrics, System Metrics, and Interface Metrics), %%metric_obj%% inserts the metric instance (port) and value that was configured in the trigger alert.
- %%block.srcip%% — Inserts the quarantined source IP when the WAF module blocks the IP.
- %%event.srcip%% — Inserts the source IP of the event from the event source when the event happens, such as from the WAF module.
- %%log_msg%% — Applicable to the FortiADC Log trigger alert, %%log_msg%% inserts the complete log string from the log source when the event happens.
- Click OK.
CLI Script
Use this action to run a CLI script in response to a trigger event, such as to make appropriate configuration changes. The scripts can be manually entered or uploaded as a file.
To configure a CLI Script response action:
- Go to Security Fabric > Automation.
- Click the Action tab.
- Click Create New to display the Create New Automation Action configuration page.
- Under the General section, click CLI Script to display the configuration editor.
- Configure the following response action settings:
Name
Enter a name for the new CLI Script action. The configuration name cannot be edited once it has been saved.
Script
Manually enter or upload the script. Maximum 256 characters.
- To manually enter the script, type it into the Script field.
- To upload a script file, click Choose File and locate the file on your management computer.
- Click OK.
Webhook
Use this action to send data to another application using a REST callback in response to a trigger event.
To configure a Webhook response action:
- Go to Security Fabric > Automation.
- Click the Action tab.
- Click Create New to display the Create New Automation Action configuration page.
- Under the General section, click Webhook to display the configuration editor.
- Configure the following response action settings:
Name
Enter a name for the new Webhook action. The configuration name cannot be edited once it has been saved.
Protocol
Select the request protocol to use:
- HTTP
- HTTPS
Method
Specify the request method:
- POST
- PUT
- GET
- PATCH
- DELETE
URL
Specify the request URL. For example, 10.106.155.130:90/test
HTTP Body
Specify the request body. For example, 'msg': 'abc', 'user': 'jack'
You can insert specific system data, such as parameters from logs or previous action results, by wrapping the parameter name in %% tags; the expression is replaced with the JSON value of that parameter. There are six available action parameters:
- %%results%% — In automation stitches with more than one response action, %%results%% inserts the complete result from the previous action, such as a CLI Script action.
- %%alert_msg%% — Inserts the complete alert string from the event source when the event happens, such as from the WAF module.
- %%metric_obj%% — Applicable to System trigger alerts (SLB Metrics, System Metrics, and Interface Metrics), %%metric_obj%% inserts the metric instance (port) and value that was configured in the trigger alert.
- %%block.srcip%% — Inserts the quarantined source IP when the WAF module blocks the IP.
- %%event.srcip%% — Inserts the source IP of the event from the event source when the event happens, such as from the WAF module.
- %%log_msg%% — Applicable to the FortiADC Log trigger alert, %%log_msg%% inserts the complete log string from the log source when the event happens.
HTTP Header
Specify the HTTP request header name and value. For example, customerheader1:value1 customerheader2:value2
Use only a space as the delimiter between multiple headers.
TLS Certificate
The TLS Certificate option is available if the Protocol is HTTPS.
Select the TLS certificate that FortiADC presents to the server to validate the HTTPS connection to the webhook endpoint.
A valid TLS certificate is required if the HTTPS server is enabled for two-way authentication; it is optional if the HTTPS server is not enabled for two-way authentication.
Verify Remote Host
The Verify Remote Host option is available if the Protocol is HTTPS.
Enable to verify, using a CA certificate, that the remote server matches the host in the URL. This option is disabled by default.
CA Certificate
The CA Certificate option is available if the Protocol is HTTPS and Verify Remote Host is enabled.
Select the CA certificate used to verify the remote server. FortiADC checks that the IP address or domain name of the remote host matches the certificate's Common Name (CN) or Subject Alternative Name field.
- Click OK.
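To make the %% substitution and the header format concrete for both the Email Body and the Webhook HTTP Body settings, here is an added example (not FortiADC's code): it renders a body template from a constructed event and parses the space-delimited header string into a header map, then assembles the request without sending it. The sample event values are invented; inserting strings bare while serialising structured values as JSON, and leaving unresolved placeholders in place, are assumptions about behaviour the page does not specify.

```python
import json
import re
from typing import Any, Dict

# Added example, not FortiADC code: models how a body template with %%name%%
# placeholders is filled from an event, and how "name:value name:value"
# header text is turned into request headers.
ACTION_PARAMETERS = ("results", "alert_msg", "metric_obj", "block.srcip", "event.srcip", "log_msg")
_PLACEHOLDER = re.compile(r"%%([A-Za-z0-9_.]+)%%")


def render_template(template: str, event: Dict[str, Any]) -> str:
    """Replace each %%name%% with the value of that action parameter.

    Placeholders that are not one of the six action parameters, or that the
    event does not carry, are left in place so a missing value is visible in
    the delivered message rather than silently dropped (assumed policy)."""
    def substitute(match):
        name = match.group(1)
        if name not in ACTION_PARAMETERS or name not in event:
            return match.group(0)
        value = event[name]
        # Strings are inserted bare; structured values (a previous action's
        # result, a metric object) are serialised as JSON (assumption).
        return value if isinstance(value, str) else json.dumps(value, sort_keys=True)
    return _PLACEHOLDER.sub(substitute, template)


def parse_header_spec(spec: str) -> Dict[str, str]:
    """Parse 'name1:value1 name2:value2' (space-delimited, as the Webhook action expects)."""
    headers: Dict[str, str] = {}
    for item in spec.split():
        name, sep, value = item.partition(":")
        if not sep or not name:
            raise ValueError(f"header entry {item!r} is not in name:value form")
        headers[name] = value
    return headers


def build_request(method: str, protocol: str, url: str, body_template: str,
                  header_spec: str, event: Dict[str, Any]) -> Dict[str, Any]:
    """Assemble the outgoing webhook request (method, URL, headers, body) without sending it."""
    return {
        "method": method,
        "url": f"{protocol.lower()}://{url}",
        "headers": parse_header_spec(header_spec),
        "body": render_template(body_template, event),
    }


# Constructed sample event, in the shape a WAF block might produce (values invented).
SAMPLE_EVENT = {
    "alert_msg": "WAF signature match on /login",
    "block.srcip": "198.51.100.23",
    "event.srcip": "198.51.100.23",
    "results": {"status": "ok", "action": "cli_script"},
}

if __name__ == "__main__":
    req = build_request(
        "POST", "HTTPS", "10.106.155.130:90/test",
        '{"msg": "%%alert_msg%%", "src": "%%block.srcip%%", "prev": %%results%%, "log": "%%log_msg%%"}',
        "customerheader1:value1 customerheader2:value2",
        SAMPLE_EVENT,
    )
    print(json.dumps(req, indent=2))
```

Running the module prints the assembled request; %%log_msg%% stays unresolved in the output because the sample event is a WAF block, not a Log trigger, which is the kind of gap the unresolved-placeholder policy is meant to make visible.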
Syslog
Use this action to generate a syslog message in response to a trigger event.
To configure a Syslog response action:
- Go to Security Fabric > Automation.
- Click the Action tab.
- Click Create New to display the Create New Automation Action configuration page.
- Under the General section, click Syslog to display the configuration editor.
- Configure the following response action settings:
Name
Enter a name for the new Syslog action. The configuration name cannot be edited once it has been saved.
Address
Specify the IP address that will receive this message.
Port
Specify the port that will receive this message. Range: 1-65535.
- Click OK.