Creating automation stitches

Automation stitches pair a trigger with one or more response actions to allow FortiADC to automatically respond with the action(s) once the trigger condition is met.

From the GUI, Security Fabric > Automation page, you can create an automation stitch by selecting a Trigger event type and the corresponding Action that you would like to automate from the same configuration editor.

FortiADC supports eight trigger event types and six response actions for automation.

Triggers: Security Events, SLB Metrics, Period Block IP, HA Failover, System Metrics, System Events, Interface Metrics, Schedule and FortiADC Log.
Actions: CLI Script, Email, Syslog, SNMP Trap, Webhook, and FortiGate IP Ban.

However, some response actions are only supported for certain trigger types. The table below lists each trigger type and their available response actions.

	Security Events	SLB Metrics	Period Block IP	HA Failover	System Metrics	System Events	Interface Metrics	Schedule	FortiADC Log
CLI Script
Email
Syslog
SNMP Trap
Webhook
FortiGate IP Ban

FortiADC offers Predefined Automation Stitch configurations you can use to get started.

Before you begin:

You must have Global Administrator access. Ensure that your admin account settings has Global Admin set to Yes. For more information, see Creating administrator users.

To configure an automation stitch:

Go to Security Fabric > Automation.
The configuration page displays the Stitch tab.
Click Create New to display the configuration editor.

Configure the following settings for the Automation Stitch:

Setting	Description
Name	Enter a name for the new automation stitch. The configuration name cannot be edited once it has been saved.
Status	Enable/disable the automation stitch.
Egress VDOM	The Egress VDOM determines the VDOM from which the alert packets will be sent, regardless of the local VDOM from which the automation is configured. This affects automation actions that require alert packets to be sent, which include Syslog, SNMP Trap, Webhook, and Email. Actions such as Syslog, SNMP Trap, and Webhook can egress from either the local or root VDOM. However, for Email actions, the Egress VDOM must be Root to correspond with the SMTP server configured in Global Settings. Select the Egress VDOM from which the alert packets will be sent: Local — Alert packets will be sent from the local VDOM from which the automation is configured. Root — Alert packets will be sent from the Root VDOM.

Setting

Description

Name

Enter a name for the new automation stitch. The configuration name cannot be edited once it has been saved.

Status

Enable/disable the automation stitch.

Egress VDOM

The Egress VDOM determines the VDOM from which the alert packets will be sent, regardless of the local VDOM from which the automation is configured. This affects automation actions that require alert packets to be sent, which include Syslog, SNMP Trap, Webhook, and Email. Actions such as Syslog, SNMP Trap, and Webhook can egress from either the local or root VDOM. However, for Email actions, the Egress VDOM must be Root to correspond with the SMTP server configured in Global Settings.

Select the Egress VDOM from which the alert packets will be sent:

Local — Alert packets will be sent from the local VDOM from which the automation is configured.
Root — Alert packets will be sent from the Root VDOM.

Under the Stitch section, click Add Trigger to select an Automation Trigger event and configure the settings specific to each trigger event type. Some trigger events are predefined while some trigger events are user-defined. For example, the System Event trigger provides a list of predefined system events for selection, whereas the SLB Metrics trigger requires users to define the alert metrics. For details about each trigger event type, see Configuring Automation Triggers.

Trigger	Description
Security Events
Apply to	Select whether to apply the security events automation stitch to All or VS: All — All related events will trigger the Alert action. VS — Only specified Virtual Server related events will trigger the Alert action.
Virtual Server	The Virtual Server option appears if Apply to is VS. Specify the virtual server. This is required.
Event	Select the security events (such as DDoS SYNFLOOD attack start, bot detected, etc.) that will trigger the action. The list of available security events is predefined. For details, see Configuring Automation Triggers.
Advanced Settings	Click Advanced Settings to display additional settings for Rolling Window.
Rolling Window	Enable to define a Rolling Window Time and Number of Occurence. The Rolling Window Time sets a period of time in which a number of events must take place for an action to be triggered. The number of events that must take place within this period of time is set in the Number of Occurrences option.
Rolling Window Time	The Rolling Window Time option appears if Rolling Window is enabled. Specify the range of time (in seconds) for the rolling window.
Number of Occurrences	The Number of Occurrences option appears if Rolling Window is enabled. Specify the number of events that must take place before FortiADC will trigger the action.
SLB Metric
Alert	Select a user-defined Alert trigger or create a new alert trigger for SLB Metrics. For details, see Configuring Automation Triggers.
Period Block IP
Period Block IP	Select this trigger to retrieve the Source IP addresses from the Period Block list.
HA Failover
Event	Select the HA failover events (such as HA peer lost) that will trigger the action. The list of available HA failover events is predefined. For details, see Configuring Automation Triggers.
Advanced Settings	Click Advanced Settings to display additional settings for Rolling Window.
Rolling Window	Enable to define a Rolling Window Time and Number of Occurence. The Rolling Window Time sets a period of time in which a number of events must take place for an action to be triggered. The number of events that must take place within this period of time is set in the Number of Occurrences option.
Rolling Window Time	The Rolling Window Time option appears if Rolling Window is enabled. Specify the range of time (in seconds) for the rolling window.
Number of Occurrences	The Number of Occurrences option appears if Rolling Window is enabled. Specify the number of events that must take place before FortiADC will trigger the action.
System Metrics
Alert	Select a user-defined Alert trigger or create a new alert trigger for System Metrics. For details, see Configuring Automation Triggers.
System Events
Apply to	Select whether to apply the system events automation stitch to All, VS or Real Server: All — All related events will trigger the Alert action. VS — Only specified Virtual Server related events will trigger the Alert action. Real Server — Only the specified Virtual Server, Pool, and Real Server related events will trigger the Alert action.
Virtual Server	The Virtual Server option appears if Apply to is VS or Real Server. Specify the virtual server. This is required if Apply to is VS.
Pool	The Real Server option appears if Apply to is Real Server. Specify the pool. This is optional.
Real Server	The Real Server option appears if Apply to is Real Server. Specify the real server. This is required.
Event	Select the system events (such as bad PSU fan, good device fan, etc.) that will trigger the action. The list of available System events is predefined. For details, see Configuring Automation Triggers.
Advanced Settings	Click Advanced Settings to display additional settings for Rolling Window.
Rolling Window	Enable to define a Rolling Window Time and Number of Occurence. The Rolling Window Time sets a period of time in which a number of events must take place for an action to be triggered. The number of events that must take place within this period of time is set in the Number of Occurrences option.
Rolling Window Time	The Rolling Window Time option appears if Rolling Window is enabled. Specify the range of time (in seconds) for the rolling window.
Number of Occurrences	The Number of Occurrences option appears if Rolling Window is enabled. Specify the number of events that must take place before FortiADC will trigger the action.
Interface Metric
Alert	Select a user-defined Alert trigger or create a new alert trigger for Interface Metrics. For details, see Configuring Automation Triggers.
Schedule
Schedule	Select a user-defined Alert trigger or create a new alert trigger for Schedule. For details, see Configuring Automation Triggers.
FortiADC Log
Event	Select a user-defined Event trigger or create a new alert trigger for FortiADC Log. For details, see Configuring Automation Triggers.

Click OK to commit the Automation Trigger selection and exit from the dialog.
Once an Automation Trigger has been selected, you can now add an automation response action.
Under the Stitch section, Click Add Action to select a response action supported for the selected trigger event.

Configure the settings specific to each response action. Each Action is user-defined. For details about each response action, see Configuring Automation Actions.
Click OK to commit the Automation Action selection and exit from the dialog.
Once the first Automation Action has been added, you have the option to stitch more actions to the trigger.
Optionally, you can add a delay to trigger the response action, or delay between multiple response actions. After adding an Automation Action to your Trigger or a second Action, the Add Delay option appears.

Click Add Delay to specify the delay (in seconds) to trigger the response action or between multiple response actions. The default is 0 second delay, and any configuration changes to the Trigger or Action in the stitch will set the delay back to default.
Click OK to save the Automation Stitch.
The newly created automation stitch appears on the Security Fabric > Stitch page, under its trigger event type.

After configuring the automation stitch, you may test it through CLI command diagnose debug module alertd.

Predefined Automation Stitch configurations

The following Automation Stitch configurations have predefined trigger events but no response actions selected. You may clone these predefined configurations and use them as a template.

Name	Type	Trigger events
HA_Template	HA Failover	HA Peer Lost HA Master Failover
Admin_Template	System Events	User Login User Logout
Configuration_Template	System Events	Config Create Config Delete Config Update
System_basic_Template	System Events	Lost Log Disk High CPU Usage High Disk Usage High Memory Usage SSD MWI Near Threshold SSD MWI Reached Threshold
Health_check_Template	System Events	Real Server HC Down Real Server HC Up Virtual Server Down Virtual Server Up Gateway HC Down Link Group HC Down Gateway HC Up Link Group HC Up GLB Real Server Not Available GLB Real Server Available GLB Virtual Server Not Available GLB Virtual Server Available GLB GW Not Available GLB GW Available
Certificate_Template	System Events	Certificate Expire
SNMP_sys_event_Template	System Events	High CPU Temp Normal CPU Temp High Device Temp Normal Device Temp High PSU Temp Normal PSU Temp Slow PSU Fan Slow Device Fan Bad PSU Fan Good PSU Fan Bad Device Fan Good Device Fan High Voltage Low Voltage High Power Supply Low Power Supply High PSU Voltage Low PSU Voltage PSU Failure Lost Log Disk High CPU Usage High Disk Usage High Memory Usage SSD MWI Near Threshold SSD MWI Reached Threshold Device Rebooted Device Upgrade Completed User Login User Logout ARP Conflict Logical Interface Up Logical Interface Down Logical Interface Disabled Log Full FW SNAT Port Exhausted Real Server HC Down Real Server HC Up Real Server Enabled Real Server Disabled Real Server Maintain Mode Real Server Connection Rate Start Real Server Connection Rate Stop Real Server Connection Limit Start Real Server Connection Limit Stop Virtual Server Down Virtual Server Up Virtual Server Enabled Virtual Server Disabled Virtual Server Maintain Mode Virtual Server Connection Rate Start Virtual Server Connection Rate Stop Virtual Server Connection Limit Start Virtual Server Connection Limit Stop Virtual Server Transaction Rate Start Virtual Server Transaction Rate Stop Virtual Server IP Pool Limit Certification Expire Gateway HC Down Link Group HC Down Gateway HC Up Link Group HC Up Gateway Inbound Bandwidth Gateway Outbound Bandwidth Gateway Inbound Spillover Gateway Outbound Spillover Gateway Total Spillover GLB Real Server Not Available GLB Real Server Available GLB Virtual Server Not Available GLB Virtual Server Available GLB GW Not Available GLB GW Available Config Create Config Delete Config Update OCSP Response Expires SSL Certificate Revoked CRL Expires
SNMP_sec_event_Template	Security Events	DDoS SYNFLOOD attack start DDoS SYNFLOOD attack stop Request Blocked XSS Attack Detected SQL Injection Attack Detected Generic Attack Detected URL Pattern Violate Detected Protocol Constraint Detected Bot Detected Geo Violate Detected Reputation Violate Detected Virtual Server Authentication Failed JSON Violate Detected XML Violate Detected SOAP Violate Detected Web Anti Defacement Detected CSRF Violate Detected Brute Force Detected Data Leak Violate Detected HTML Validation Detected DDoS IP Fragmentation DDoS TCP Slow Data Attack DDoS TCP Access Flood DDoS HTTP Connection Flood DDoS HTTP Request Flood DDoS HTTP Access Limit OPENAPI Violate Detected CORS Violate Detected SEC Threshold Violate Detected SEC Biometrics Base Detected
SNMP_HA_event_Template	HA Failover	HA Peer Lost HA Master Failover