Fortinet white logo
Fortinet white logo

Handbook

Configuring Automation Actions

Configuring Automation Actions

On the Security Fabric > Automation > Action tab, you can view the list of available automation response actions that have been user-defined. After defining your automation actions, you can combine them with a trigger to create an automation stitch. For details, see Creating automation stitches

FortiADC supports six response action types:

  • SNMP Trap — Sends an SNMP trap to the specified server in response to the trigger. This action is not supported for the Schedule trigger.
  • FortiGate IP Ban — Blocks all traffic from the source IP addresses flagged by the FortiGate in response to the trigger. This action can only be used with the Period Block IP trigger.
  • Email — Sends a custom email notification in response to the trigger.
  • CLI Script — Runs a CLI script in response to the trigger. This action is not supported for the Period Block IP trigger.
  • Webhook — Sends data to another application using a REST callback in response to the trigger.
  • Syslog — Generates a syslog in response to the trigger.

Before you begin:
  • You must have Global Administrator access. Ensure that your admin account settings has Global Admin set to Yes. For more information, see Creating administrator users.

SNMP Trap

Use this action to send SNMP traps to the specified server in response to a trigger event.

To configure an SNMP Trap response action:
  1. Go to Security Fabric > Automation.
  2. Click the Action tab.
  3. Click Create New to display the Create New Automation Action configuration page.
  4. Under the Security Response section, click SNMP Trap to display the configuration editor.
  5. Configure the following response action settings:

    Setting

    Description

    NameEnter a name for the new SNMP Trap action. The configuration name cannot be edited once it has been saved.
    HostsSpecify the IP address that will receive this message.
    Version

    Select the SNMP version to use

    • v1

    • v2c

    • v3

    Note:

    If using the System Event trigger Admin user login failed and blocked IP, it is recommended to use SNMPv2 or SNMPv3 only. When using SNMPv1 with the Admin user login failed and blocked IP system event trigger, the event is not recorded on the SNMP client even when the SNMP action is triggered successfully. Whereas the SNMP client records using SNMPv2 or SNMPv3 both properly reflect the triggered action for Admin user login failed and blocked IP event.

    Local PortSpecify the source port number. Default: 162 Range: 0-65535
    Remote PortSpecify the destination port number. Default: 162 Range: 0-65535

    Security Level

    The Security Level option is available if v3 is selected for Version.

    The SNMP security level to use:

    • Auth But no Privacy

    • Auth And Privacy

    • No Privacy

    Auth Algorithm

    The Auth Algorithm option is available if Auth But no Privacy or Auth And Privacy is selected for Security Level.

    The authentication algorithm to use:

    • SHA1

    • MD5

    Auth Password

    The Auth Password option is available if Auth But no Privacy or Auth And Privacy is selected for Security Level.

    The password to the authentication algorithm.

    Private Algorithm

    The Private Algorithm option is available if Auth And Privacy is selected for Security Level.

    The private algorithm to use:

    • AES

    • DES

    Private Password

    The Private Password option is available if Auth And Privacy is selected for Security Level.

    The password to the private algorithm.

    User

    Specify the User.

  6. Click OK.

FortiGate IP Ban

Use this action to block all traffic from the source addresses flagged by the FortiGate in response to the Period Block IP trigger. See FortiGate IP Ban action for details.

To configure a FortiGate IP Ban response action:
  1. Go to Security Fabric > Automation.
  2. Click the Action tab.
  3. Click Create New to display the Create New Automation Action configuration page.
  4. Under the Security Response section, click FortiGate IP Ban to display the configuration editor.
  5. Configure the following response action settings:

    Setting

    Description

    NameEnter a name for the new FortiGate IP Ban action. The configuration name cannot be edited once it has been saved.
    TypeToken
    FortiGate Token

    Specify the FortiGate Token.

    To get the token, log in to FortiGate, go to System> Administrator, create a new REST API Administrator, then generate API key.

    FortiGate URLSpecify the IP address of the FortiGate URL. For example, https://10.106.155.107
  6. Click OK.

Email

Use this action to send a custom email notification in response to a trigger event.

To configure an Email response action:
  1. Go to Security Fabric > Automation.
  2. Click the Action tab.
  3. Click Create New to display the Create New Automation Action configuration page.
  4. Under the Notifications section, click Email to display the configuration editor.
  5. Configure the following settings:

    Setting

    Description

    NameEnter a name for the new Email action. The configuration name cannot be edited once it has been saved.
    FromSpecify the sender email address of this notification.

    To

    Specify the recipient email address of this notification.

    Email Subject

    Specify the email subject string.

    Email Body

    Write the email message in the Email Body. Maximum 256 characters.

    You can insert specific system data, such as parameters from logs or previous action results by wrapping the parameter with %% tags to replace the expression with the JSON value for that parameter.

    There are 6 available Action Parameters:

    • %%results%% — In automation stitches with more than one response action, %%results%% inserts the complete result from the previous action, such as a CLI Script action.
    • %%alert_msg%% — The complete alert string will be inserted from the event source when it happens, such as from the WAF module.
    • %%metric_obj%% — Applicable to System trigger alerts (SLB Metrics, System Metrics, and Interface Metrics), %%metric_obj%% inserts the metric instance (port) and value that was configured in the trigger alert.
    • %%block.srcip%% — The quarantined Source IP will be inserted when the WAF module blocks the IP.
    • %%event.srcip%% — The Source IP of the event will be inserted from the event source when it happens, such as from the WAF module.
    • %%log_msg%% — Applicable to the FortiADC Log trigger alert, %%log_msg%% inserts the complete log string from the log source when it happens.

  6. Click OK.

CLI Script

Use this action to run a CLI script in response to a trigger event, such as to make appropriate configuration changes. The scripts can be manually entered or uploaded as a file.

To configure a CLI Script response action:
  1. Go to Security Fabric > Automation.
  2. Click the Action tab.
  3. Click Create New to display the Create New Automation Action configuration page.
  4. Under the General section, click CLI Script to display the configuration editor.
  5. Configure the following response action settings:

    Setting

    Description

    NameEnter a name for the new CLI Script action. The configuration name cannot be edited once it has been saved.
    Script

    Manually enter or upload the script.

    • To manually enter the script, type it into the Script field.
    • To upload a script file, click Choose File and locate the file on your management computer.

    Maximum 256 characters.

  6. Click OK.

Webhook

Use this action to send data to another application using a REST callback in response to a trigger event.

To configure a Webhook response action:
  1. Go to Security Fabric > Automation.
  2. Click the Action tab.
  3. Click Create New to display the Create New Automation Action configuration page.
  4. Under the General section, click Webhook to display the configuration editor.
  5. Configure the following response action settings:

    Setting

    Description

    NameEnter a name for the new Webhook action. The configuration name cannot be edited once it has been saved.
    Protocol

    Select the request protocol to use:

    • HTTP

    • HTTPS

    Method

    Specify the request method:

    • POST

    • PUT

    • GET

    • PATCH

    • DELETE

    URLSpecify the request URL. For example, 10.106.155.130:90/test
    HTTP Body

    Specify the request body. For example, 'msg': 'abc', 'user': 'jack'

    You can insert specific system data, such as parameters from logs or previous action results by wrapping the parameter with %% tags to replace the expression with the JSON value for that parameter.

    There are 6 available Action Parameters:

    • %%results%% — In automation stitches with more than one response action, %%results%% inserts the complete result from the previous action, such as a CLI Script action.
    • %%alert_msg%% — The complete alert string will be inserted from the event source when it happens, such as from the WAF module.
    • %%metric_obj%% — Applicable to System trigger alerts (SLB Metrics, System Metrics, and Interface Metrics), %%metric_obj%% inserts the metric instance (port) and value that was configured in the trigger alert.
    • %%block.srcip%% — The quarantined Source IP will be inserted when the WAF module blocks the IP.
    • %%event.srcip%% — The Source IP of the event will be inserted from the event source when it happens, such as from the WAF module.
    • %%log_msg%% — Applicable to the FortiADC Log trigger alert, %%log_msg%% inserts the complete log string from the log source when it happens.

    HTTP Header

    Specify the HTTP request header name and value.

    For example, customerheader1:value1 customerheader2:value2
    Ensure to only use space as the delimiter for multiple headers.

    TLS Certificate

    The TLS Certificate option is available if the Protocol is HTTPS.

    Select a TLS certificate to verify by the server to validate the HTTPS connection to the webhook endpoint.

    A valid TLS certificate is required if the HTTPS server is enabled for two-way authentication. However, a TLS certificate is optional if the HTTPS server is not enabled for two-way authentication.

    Verify Remote Host

    The Verify Remote Host option is available if the Protocol is HTTPS.

    Enable to verify that the remote server matches the host URL using a CA certificate. This option is disabled by default.

    CA Certificate

    The CA Certificate option is available if the Protocol is HTTPS and Verify Remote Host is enabled.

    Select the CA certificate to use to verify the remote server. FortiADC will verify that the IP or domain name matches in the Remote host field or the Subject alternative name field in the certificate CN.

  6. Click OK.

Syslog

Use this action to generate a syslog message in response to a trigger event.

To configure a Syslog response action:
  1. Go to Security Fabric > Automation.
  2. Click the Action tab.
  3. Click Create New to display the Create New Automation Action configuration page.
  4. Under the General section, click Syslog to display the configuration editor.
  5. Configure the following response action settings:

    Setting

    Description

    NameEnter a name for the new Email action. The configuration name cannot be edited once it has been saved.
    AddressSpecify the IP address that will receive this message.
    PortSpecify the port that will receive this message. Range: 1-65535
  6. Click OK.

Configuring Automation Actions

Configuring Automation Actions

On the Security Fabric > Automation > Action tab, you can view the list of available automation response actions that have been user-defined. After defining your automation actions, you can combine them with a trigger to create an automation stitch. For details, see Creating automation stitches

FortiADC supports six response action types:

  • SNMP Trap — Sends an SNMP trap to the specified server in response to the trigger. This action is not supported for the Schedule trigger.
  • FortiGate IP Ban — Blocks all traffic from the source IP addresses flagged by the FortiGate in response to the trigger. This action can only be used with the Period Block IP trigger.
  • Email — Sends a custom email notification in response to the trigger.
  • CLI Script — Runs a CLI script in response to the trigger. This action is not supported for the Period Block IP trigger.
  • Webhook — Sends data to another application using a REST callback in response to the trigger.
  • Syslog — Generates a syslog in response to the trigger.

Before you begin:
  • You must have Global Administrator access. Ensure that your admin account settings has Global Admin set to Yes. For more information, see Creating administrator users.

SNMP Trap

Use this action to send SNMP traps to the specified server in response to a trigger event.

To configure an SNMP Trap response action:
  1. Go to Security Fabric > Automation.
  2. Click the Action tab.
  3. Click Create New to display the Create New Automation Action configuration page.
  4. Under the Security Response section, click SNMP Trap to display the configuration editor.
  5. Configure the following response action settings:

    Setting

    Description

    NameEnter a name for the new SNMP Trap action. The configuration name cannot be edited once it has been saved.
    HostsSpecify the IP address that will receive this message.
    Version

    Select the SNMP version to use

    • v1

    • v2c

    • v3

    Note:

    If using the System Event trigger Admin user login failed and blocked IP, it is recommended to use SNMPv2 or SNMPv3 only. When using SNMPv1 with the Admin user login failed and blocked IP system event trigger, the event is not recorded on the SNMP client even when the SNMP action is triggered successfully. Whereas the SNMP client records using SNMPv2 or SNMPv3 both properly reflect the triggered action for Admin user login failed and blocked IP event.

    Local PortSpecify the source port number. Default: 162 Range: 0-65535
    Remote PortSpecify the destination port number. Default: 162 Range: 0-65535

    Security Level

    The Security Level option is available if v3 is selected for Version.

    The SNMP security level to use:

    • Auth But no Privacy

    • Auth And Privacy

    • No Privacy

    Auth Algorithm

    The Auth Algorithm option is available if Auth But no Privacy or Auth And Privacy is selected for Security Level.

    The authentication algorithm to use:

    • SHA1

    • MD5

    Auth Password

    The Auth Password option is available if Auth But no Privacy or Auth And Privacy is selected for Security Level.

    The password to the authentication algorithm.

    Private Algorithm

    The Private Algorithm option is available if Auth And Privacy is selected for Security Level.

    The private algorithm to use:

    • AES

    • DES

    Private Password

    The Private Password option is available if Auth And Privacy is selected for Security Level.

    The password to the private algorithm.

    User

    Specify the User.

  6. Click OK.

FortiGate IP Ban

Use this action to block all traffic from the source addresses flagged by the FortiGate in response to the Period Block IP trigger. See FortiGate IP Ban action for details.

To configure a FortiGate IP Ban response action:
  1. Go to Security Fabric > Automation.
  2. Click the Action tab.
  3. Click Create New to display the Create New Automation Action configuration page.
  4. Under the Security Response section, click FortiGate IP Ban to display the configuration editor.
  5. Configure the following response action settings:

    Setting

    Description

    NameEnter a name for the new FortiGate IP Ban action. The configuration name cannot be edited once it has been saved.
    TypeToken
    FortiGate Token

    Specify the FortiGate Token.

    To get the token, log in to FortiGate, go to System> Administrator, create a new REST API Administrator, then generate API key.

    FortiGate URLSpecify the IP address of the FortiGate URL. For example, https://10.106.155.107
  6. Click OK.

Email

Use this action to send a custom email notification in response to a trigger event.

To configure an Email response action:
  1. Go to Security Fabric > Automation.
  2. Click the Action tab.
  3. Click Create New to display the Create New Automation Action configuration page.
  4. Under the Notifications section, click Email to display the configuration editor.
  5. Configure the following settings:

    Setting

    Description

    NameEnter a name for the new Email action. The configuration name cannot be edited once it has been saved.
    FromSpecify the sender email address of this notification.

    To

    Specify the recipient email address of this notification.

    Email Subject

    Specify the email subject string.

    Email Body

    Write the email message in the Email Body. Maximum 256 characters.

    You can insert specific system data, such as parameters from logs or previous action results by wrapping the parameter with %% tags to replace the expression with the JSON value for that parameter.

    There are 6 available Action Parameters:

    • %%results%% — In automation stitches with more than one response action, %%results%% inserts the complete result from the previous action, such as a CLI Script action.
    • %%alert_msg%% — The complete alert string will be inserted from the event source when it happens, such as from the WAF module.
    • %%metric_obj%% — Applicable to System trigger alerts (SLB Metrics, System Metrics, and Interface Metrics), %%metric_obj%% inserts the metric instance (port) and value that was configured in the trigger alert.
    • %%block.srcip%% — The quarantined Source IP will be inserted when the WAF module blocks the IP.
    • %%event.srcip%% — The Source IP of the event will be inserted from the event source when it happens, such as from the WAF module.
    • %%log_msg%% — Applicable to the FortiADC Log trigger alert, %%log_msg%% inserts the complete log string from the log source when it happens.

  6. Click OK.

CLI Script

Use this action to run a CLI script in response to a trigger event, such as to make appropriate configuration changes. The scripts can be manually entered or uploaded as a file.

To configure a CLI Script response action:
  1. Go to Security Fabric > Automation.
  2. Click the Action tab.
  3. Click Create New to display the Create New Automation Action configuration page.
  4. Under the General section, click CLI Script to display the configuration editor.
  5. Configure the following response action settings:

    Setting

    Description

    NameEnter a name for the new CLI Script action. The configuration name cannot be edited once it has been saved.
    Script

    Manually enter or upload the script.

    • To manually enter the script, type it into the Script field.
    • To upload a script file, click Choose File and locate the file on your management computer.

    Maximum 256 characters.

  6. Click OK.

Webhook

Use this action to send data to another application using a REST callback in response to a trigger event.

To configure a Webhook response action:
  1. Go to Security Fabric > Automation.
  2. Click the Action tab.
  3. Click Create New to display the Create New Automation Action configuration page.
  4. Under the General section, click Webhook to display the configuration editor.
  5. Configure the following response action settings:

    Setting

    Description

    NameEnter a name for the new Webhook action. The configuration name cannot be edited once it has been saved.
    Protocol

    Select the request protocol to use:

    • HTTP

    • HTTPS

    Method

    Specify the request method:

    • POST

    • PUT

    • GET

    • PATCH

    • DELETE

    URLSpecify the request URL. For example, 10.106.155.130:90/test
    HTTP Body

    Specify the request body. For example, 'msg': 'abc', 'user': 'jack'

    You can insert specific system data, such as parameters from logs or previous action results by wrapping the parameter with %% tags to replace the expression with the JSON value for that parameter.

    There are 6 available Action Parameters:

    • %%results%% — In automation stitches with more than one response action, %%results%% inserts the complete result from the previous action, such as a CLI Script action.
    • %%alert_msg%% — The complete alert string will be inserted from the event source when it happens, such as from the WAF module.
    • %%metric_obj%% — Applicable to System trigger alerts (SLB Metrics, System Metrics, and Interface Metrics), %%metric_obj%% inserts the metric instance (port) and value that was configured in the trigger alert.
    • %%block.srcip%% — The quarantined Source IP will be inserted when the WAF module blocks the IP.
    • %%event.srcip%% — The Source IP of the event will be inserted from the event source when it happens, such as from the WAF module.
    • %%log_msg%% — Applicable to the FortiADC Log trigger alert, %%log_msg%% inserts the complete log string from the log source when it happens.

    HTTP Header

    Specify the HTTP request header name and value.

    For example, customerheader1:value1 customerheader2:value2
    Ensure to only use space as the delimiter for multiple headers.

    TLS Certificate

    The TLS Certificate option is available if the Protocol is HTTPS.

    Select a TLS certificate to verify by the server to validate the HTTPS connection to the webhook endpoint.

    A valid TLS certificate is required if the HTTPS server is enabled for two-way authentication. However, a TLS certificate is optional if the HTTPS server is not enabled for two-way authentication.

    Verify Remote Host

    The Verify Remote Host option is available if the Protocol is HTTPS.

    Enable to verify that the remote server matches the host URL using a CA certificate. This option is disabled by default.

    CA Certificate

    The CA Certificate option is available if the Protocol is HTTPS and Verify Remote Host is enabled.

    Select the CA certificate to use to verify the remote server. FortiADC will verify that the IP or domain name matches in the Remote host field or the Subject alternative name field in the certificate CN.

  6. Click OK.

Syslog

Use this action to generate a syslog message in response to a trigger event.

To configure a Syslog response action:
  1. Go to Security Fabric > Automation.
  2. Click the Action tab.
  3. Click Create New to display the Create New Automation Action configuration page.
  4. Under the General section, click Syslog to display the configuration editor.
  5. Configure the following response action settings:

    Setting

    Description

    NameEnter a name for the new Email action. The configuration name cannot be edited once it has been saved.
    AddressSpecify the IP address that will receive this message.
    PortSpecify the port that will receive this message. Range: 1-65535
  6. Click OK.