Configuring Automation Triggers
On the Security Fabric > Automation > Trigger tab, you can view the list of available automation trigger events, both predefined and user-defined. After defining your automation triggers, you can combine them with response actions to create an automation stitch. For details, see Creating automation stitches.
FortiADC supports eight trigger event types; some events are predefined and some must be user-defined.
Predefined Triggers:
- Security Events — Uses security events such as "DDoS SYNFLOOD attack start" or "bot detected" as the alert trigger.
- HA Failover — Uses HA failover events such as "HA peer lost" as the alert trigger.
- System Events — Uses system events such as "bad PSU fan" or "good device fan" as the alert trigger.
See Predefined automation trigger events for the full list of predefined events available for each trigger type.
User-defined Triggers:
- SLB Metrics — Uses server load balance performance metrics as the alert trigger.
- Period Block IP — Uses the FortiADC Source IP addresses that have been blocked by WAF as trigger events for the automated response actions. To view or release the blocked IPs, see Blocked IP.
- System Metrics — Uses system metrics such as "average CPU usage" or "average memory usage" as the alert trigger.
- Interface Metrics — Uses network interface events as the alert trigger.
- Schedule — Uses user-defined schedules as the alert trigger.
- FortiADC Log — Uses a specific FortiADC logged event occurrence (identified through log ID) as the alert trigger.
Before you begin:
- You must have Global Administrator access. Ensure that your admin account settings have Global Admin set to Yes. For more information, see Creating administrator users.
SLB Metrics
To configure an SLB Metrics trigger alert:
- Go to Security Fabric > Automation.
- Click the Trigger tab.
- Click Create New to display the Create New Automation Trigger configuration page.
- Under the System section, click SLB Metrics to display the configuration editor.
- Configure the following trigger alert settings:

Setting | Description
---|---
Name | Enter a name for the new SLB Metrics trigger alert. The configuration name cannot be edited once it has been saved.
Description | Optionally, you can add a description about this trigger alert configuration.
SLB Instance | Select the virtual server on which the SLB Metrics trigger applies.
Duration | Specify the metric duration in seconds. Range: 5-3600 seconds.

- Click OK to commit the SLB Metrics trigger settings.
Once the SLB Metrics trigger alert configuration has been saved, you can then add the alert member configurations under the Alert Metric Expire Member section.
- Under the Alert Metric Expire Member section, click Create New to display the configuration editor.
- Configure the following trigger alert member settings:

Setting | Description
---|---
Name | Enter a name for the new SLB Metrics trigger alert member. The configuration name cannot be edited once it has been saved.
Metric Occurs | Select the server load balance performance metric events that will trigger the action.
Comparator | The metric is compared to the Value field according to the selected option: Ge (greater than), Le (less than) or Eq (equal to). The action is triggered if the metric satisfies the selected comparison against the Value.
Value | Specify the metric value that the Comparator uses to determine whether the metric triggers an action (for example, 2 milliseconds).

- Click OK to commit the trigger alert member settings.
The newly created trigger alert member is added under the Alert Metric Expire Member section.
- Click OK to save the SLB Metrics trigger alert configuration.
System Metrics
To configure a System Metrics trigger alert:
- Go to Security Fabric > Automation.
- Click the Trigger tab.
- Click Create New to display the Create New Automation Trigger configuration page.
- Under the System section, click System Metrics to display the configuration editor.
- Configure the following trigger alert settings:

Setting | Description
---|---
Name | Enter a name for the new System Metrics trigger alert. The configuration name cannot be edited once it has been saved.
Description | Optionally, you can add a description about this trigger alert configuration.
Duration | Specify the metric duration in seconds. Range: 5-3600 seconds.

- Click OK to commit the System Metrics trigger settings.
Once the System Metrics trigger alert configuration has been saved, you can then add the alert member configurations under the Alert Metric Expire Member section.
- Under the Alert Metric Expire Member section, click Create New to display the configuration editor.
- Configure the following trigger alert member settings:

Setting | Description
---|---
Name | Enter a name for the new System Metrics trigger alert member. The configuration name cannot be edited once it has been saved.
Metric Occurs | Select the system metrics events (average CPU usage, average memory usage, etc.) that will trigger the action.
Comparator | The metric is compared to the Value field according to the selected option: Ge (greater than), Le (less than) or Eq (equal to). The action is triggered if the metric satisfies the selected comparison against the Value.
Value | Specify the metric value that the Comparator uses to determine whether the metric triggers an action (for example, 2 milliseconds).

- Click OK to commit the trigger alert member settings.
The newly created trigger alert member is added under the Alert Metric Expire Member section.
- Click OK to save the System Metrics trigger alert configuration.
Interface Metrics
To configure an Interface Metrics trigger alert:
- Go to Security Fabric > Automation.
- Click the Trigger tab.
- Click Create New to display the Create New Automation Trigger configuration page.
- Under the System section, click Interface Metrics to display the configuration editor.
- Configure the following trigger alert settings:

Setting | Description
---|---
Name | Enter a name for the new Interface Metrics trigger alert. The configuration name cannot be edited once it has been saved.
Description | Optionally, you can add a description about this trigger alert configuration.
Instance | Select the network interface on which the Interface Metrics trigger applies.
Duration | Specify the metric duration in seconds. Range: 5-3600 seconds.

- Click OK to commit the Interface Metrics trigger settings.
Once the Interface Metrics trigger alert configuration has been saved, you can then add the alert member configurations under the Alert Metric Expire Member section.
- Under the Alert Metric Expire Member section, click Create New to display the configuration editor.
- Configure the following trigger alert member settings:

Setting | Description
---|---
Name | Enter a name for the new Interface Metrics trigger alert member. The configuration name cannot be edited once it has been saved.
Metric Occurs | Select the network interface events that will trigger the action.
Comparator | The metric is compared to the Value field according to the selected option: Ge (greater than), Le (less than) or Eq (equal to). The action is triggered if the metric satisfies the selected comparison against the Value.
Value | Specify the metric value that the Comparator uses to determine whether the metric triggers an action (for example, 2 milliseconds).

- Click OK to commit the trigger alert member settings.
The newly created trigger alert member is added under the Alert Metric Expire Member section.
- Click OK to save the Interface Metrics trigger alert configuration.
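To make the Duration, Metric Occurs, Comparator and Value settings concrete for the SLB Metrics, System Metrics and Interface Metrics triggers described above, here is an added Python model of how a metric trigger member is evaluated. It is example code written for this page, not FortiADC's implementation. The window aggregation (averaging the samples observed within the last Duration seconds) is an assumption, since the page does not say how samples inside the duration are combined, and the comparators follow the page's wording (Ge is "greater than", Le is "less than", Eq is "equal to"); the metric names and sample values are constructed.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Optional

# Comparators as the page describes them: Ge = greater than, Le = less than,
# Eq = equal to. With this wording neither Ge nor Le fires when the metric
# equals the Value exactly; confirm the boundary behaviour on the appliance.
COMPARATORS: dict[str, Callable[[float, float], bool]] = {
    "Ge": lambda metric, value: metric > value,
    "Le": lambda metric, value: metric < value,
    "Eq": lambda metric, value: metric == value,
}


@dataclass
class AlertMember:
    """One entry under Alert Metric Expire Member."""
    name: str
    metric: str        # Metric Occurs, e.g. "average CPU usage"
    comparator: str    # "Ge", "Le" or "Eq"
    value: float       # Value the metric is compared against

    def __post_init__(self) -> None:
        if self.comparator not in COMPARATORS:
            raise ValueError(f"unknown comparator {self.comparator!r}")


@dataclass
class MetricTrigger:
    """A metrics trigger: a Duration window plus one or more members."""
    name: str
    duration: int                 # seconds, page range 5-3600
    members: list[AlertMember]
    # metric name -> deque of (timestamp, value) samples, newest last
    _samples: dict[str, deque] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not 5 <= self.duration <= 3600:
            raise ValueError("Duration must be within 5-3600 seconds")

    def observe(self, metric: str, value: float, ts: float) -> None:
        """Record a metric sample taken at time ts (seconds)."""
        self._samples.setdefault(metric, deque()).append((ts, value))

    def _window_average(self, metric: str, now: float) -> Optional[float]:
        """Average of the samples within the last Duration seconds, or None
        when no sample falls inside the window (assumed aggregation rule)."""
        samples = self._samples.get(metric, deque())
        cutoff = now - self.duration
        while samples and samples[0][0] < cutoff:
            samples.popleft()            # drop samples older than the window
        if not samples:
            return None
        return sum(v for _, v in samples) / len(samples)

    def evaluate(self, now: float) -> list[str]:
        """Names of the members whose comparison holds at time now."""
        fired = []
        for m in self.members:
            current = self._window_average(m.metric, now)
            if current is not None and COMPARATORS[m.comparator](current, m.value):
                fired.append(m.name)
        return fired


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample run of a 60-second System Metrics trigger."""
    trigger = MetricTrigger(
        name="sys-load",
        duration=60,
        members=[
            AlertMember("cpu-high", "average CPU usage", "Ge", 80.0),
            AlertMember("mem-low", "average memory usage", "Le", 30.0),
        ],
    )
    # Constructed samples: CPU climbs above the threshold, memory averages
    # exactly the Le boundary so the strict comparison does not fire.
    for ts, cpu in ((0, 70.0), (10, 90.0), (20, 95.0)):
        trigger.observe("average CPU usage", cpu, ts)
    for ts, mem in ((0, 40.0), (10, 20.0)):
        trigger.observe("average memory usage", mem, ts)
    at_20 = trigger.evaluate(now=20)     # CPU average 85 > 80 -> fires
    at_100 = trigger.evaluate(now=100)   # every sample older than 60 s -> nothing
    return at_20, at_100


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(['cpu-high'], [])`: the CPU member fires while its samples fall inside the Duration window, the memory member does not because 30 is not strictly less than 30, and once the samples age out of the window nothing fires. The boundary case is the one to check on the device before relying on a threshold that the metric may sit on exactly.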
Schedule
To configure a Schedule trigger alert:
- Go to Security Fabric > Automation.
- Click the Trigger tab.
- Click Create New to display the Create New Automation Trigger configuration page.
- Under the Miscellaneous section, click Schedule to display the configuration editor.
- Configure the following trigger alert settings:

Setting | Description
---|---
Name | Enter a name for the new Schedule trigger alert. The configuration name cannot be edited once it has been saved.
Description | Optionally, you can add a description about this trigger alert configuration.
Schedule Occurs | Select a user-defined schedule group object or create a new schedule group. For details, see Schedule Group.

- Click OK.
FortiADC Log
You can configure a FortiADC Log trigger for when a specific event log ID occurs. You can select multiple event log IDs, and apply log field filters.
Exact information from the Event Log is required to configure the FortiADC Log trigger alert, so it is recommended that you download the specific log files to obtain the information prior to beginning the configuration.
To configure a FortiADC Log trigger alert:
- Go to Security Fabric > Automation.
- Click the Trigger tab.
- Click Create New to display the Create New Automation Trigger configuration page.
- Under the Miscellaneous section, click FortiADC Log to display the configuration editor.
- Configure the following trigger alert settings:

Setting | Description
---|---
Name | Enter a name for the new FortiADC Log trigger alert. The configuration name cannot be edited once it has been saved.
Description | Optionally, you can add a description about this trigger alert configuration.
Event | Select the FortiADC Log event (identified through the log ID) that will trigger the automation stitch. The Event options correspond to the Message listed in the FortiADC event log. Hover over an entry in the Log Event list to view the tooltip that includes the Log Event and Log ID; the Log ID is the last 4 digits of the Log ID from the event log. The maximum is 32 log events per trigger configuration.
Field Filters | Enter the Field name and the Value of the logged event that will trigger the automation stitch. The Field name and Value refer to the "key" and its value as recorded in the log file; for the FortiADC Log trigger alert to fire, both must match what is recorded in the log file exactly. Field name: enter the field name exactly as it appears in the log file. Value: specify the value of that field exactly as it appears in the log file.

- Click OK.
Example: Create a FortiADC Log trigger alert for failed logins
In this example, you will create a FortiADC Log alert to trigger when a login fails due to incorrect password input.
- Download the required event log file to obtain the specific information to use in the FortiADC Log trigger configuration.
  - Go to Log & Report > Event Log.
  - Locate the "Admin login" event log.
  - Download the log file.
  - Open the log file to obtain the required information:
date=2023-12-13 time=10:28:41 log_id=0001001000 type=event subtype=admin pri=information vd=root msg_id=32713167 user=admin ui=172.19.162.70 action=login status=failure reason=passwd_invalid logdesc=Admin login msg=User admin login successfully from 172.19.162.70
  Copy the log_id and reason fields and their values to use in later steps.
- Go to Security Fabric > Automation, click the Trigger tab and Create New.
- Click FortiADC Log to configure a new FortiADC Log automation trigger using the event log information collected earlier.
- Select Log id admin login as the Event. The last 4 digits of the log_id value from the log file should match the "Log ID" of the selected log event entry.
- Enter the Field name as reason and Value as passwd_invalid.
- Click OK.
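The matching rule this example depends on (selected Log ID plus exact Field name and Value) can be checked offline before the trigger is saved. The following Python is an added example written for this page, not FortiADC code: it parses event log lines in the key=value layout shown above, keeps the last 4 digits of log_id as the Log ID, and applies the field filters with exact, case-sensitive comparison. The first sample line is the page's own failed-login entry; the other three lines, their msg_id values and the 0001009999 log_id are constructed placeholders that must not fire the trigger.

```python
import re
from dataclasses import dataclass, field

# A key is a run of word characters followed by "="; its value runs until the
# next " key=" token or the end of the line, so an unquoted value containing
# spaces (the msg field in the sample above) is kept whole. A value that
# itself contains a "word=" sequence would be split at that point.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event_log(line: str) -> dict[str, str]:
    """Parse one FortiADC event log line into a key/value dictionary."""
    return dict(_KV.findall(line.strip()))


def short_log_id(log_id: str) -> str:
    """The Log ID shown in the trigger editor is the last 4 digits of log_id."""
    return log_id[-4:]


@dataclass
class LogTrigger:
    """A FortiADC Log trigger: up to 32 Events plus exact-match Field Filters."""
    name: str
    events: set[str]                              # 4-digit Log IDs
    field_filters: dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not 1 <= len(self.events) <= 32:
            raise ValueError("a trigger takes between 1 and 32 log events")

    def matches(self, record: dict[str, str]) -> bool:
        """True when the record's log_id is a selected Event and every
        Field Filter equals the recorded value exactly (case included)."""
        if short_log_id(record.get("log_id", "")) not in self.events:
            return False
        return all(record.get(k) == v for k, v in self.field_filters.items())


# The failed-login line from the example above.
PAGE_LINE = (
    "date=2023-12-13 time=10:28:41 log_id=0001001000 type=event subtype=admin "
    "pri=information vd=root msg_id=32713167 user=admin ui=172.19.162.70 "
    "action=login status=failure reason=passwd_invalid logdesc=Admin login "
    "msg=User admin login successfully from 172.19.162.70"
)

# Constructed variants (not real device output) that must not fire the trigger.
SAMPLE_LINES = [
    PAGE_LINE,
    # same event, successful login: no reason field at all
    "date=2023-12-13 time=10:30:02 log_id=0001001000 type=event subtype=admin "
    "pri=information vd=root msg_id=32713168 user=admin ui=172.19.162.70 "
    "action=login status=success logdesc=Admin login "
    "msg=User admin login successfully from 172.19.162.70",
    # same event, but the reason value differs only in case: no exact match
    "date=2023-12-13 time=10:31:15 log_id=0001001000 type=event subtype=admin "
    "pri=information vd=root msg_id=32713169 user=admin ui=172.19.162.70 "
    "action=login status=failure reason=PASSWD_INVALID logdesc=Admin login "
    "msg=User admin login failed from 172.19.162.70",
    # placeholder log_id for some other event: not a selected Event
    "date=2023-12-13 time=10:32:40 log_id=0001009999 type=event subtype=admin "
    "pri=information vd=root msg_id=32713170 user=admin ui=172.19.162.70 "
    "action=logout status=failure reason=passwd_invalid logdesc=PLACEHOLDER",
]

FAILED_LOGIN = LogTrigger(
    name="failed-login",
    events={"1000"},                     # last 4 digits of log_id=0001001000
    field_filters={"reason": "passwd_invalid"},
)


def matching_msg_ids(trigger: LogTrigger, lines: list[str]) -> list[str]:
    """msg_id of every line that would fire the trigger."""
    return [parse_event_log(ln)["msg_id"] for ln in lines
            if trigger.matches(parse_event_log(ln))]


if __name__ == "__main__":
    print(matching_msg_ids(FAILED_LOGIN, SAMPLE_LINES))   # ['32713167']
```

Only the page's own line fires: the success line has no reason field, the upper-case reason fails the exact comparison, and the placeholder log_id is not a selected Event. Pasting a field name or value with different case or trailing whitespace into the Field Filters is the most common reason a FortiADC Log trigger never fires, which is why the page recommends copying both from the downloaded log file.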
Predefined automation trigger events
Trigger | Events
---|---
Security Events | Bot Detected, Brute Force Detected, CORS Violate Detected, CSRF Violate Detected, Data Leak Violate Detected, DDoS HTTP Access Limit, DDoS HTTP Connection Flood, DDoS HTTP Request Flood, DDoS IP Fragmentation, DDoS SYNFLOOD attack start, DDoS SYNFLOOD attack stop, DDoS TCP Access Flood, DDoS TCP Slow Data Attack, Generic Attack Detected, Geo Violate Detected, HTML Validation Detected, JSON Violate Detected, OPENAPI Violate Detected, Protocol Constraint Detected, Reputation Violate Detected, Request Blocked, SEC Biometrics Base Detected, SEC Threshold Violate Detected, SOAP Violate Detected, SQL Injection Attack Detected, URL Pattern Violate Detected, Virtual Server Authentication Fail, Web Anti Defacement Detected, XML Violate Detected, XSS Attack Detected
HA Failover | HA Master Failover, HA Peer Lost
System Events | Admin user login failed and blocked IP, ARP Conflict, Bad Device Fan, Bad PSU Fan, Certification Expire, Config Create, Config Delete, Config Update, CRL Expires, Device Rebooted, Device Upgrade Completed, FW SNAT Port Exhausted, Gateway HC Down, Gateway HC Up, Gateway Inbound Bandwidth, Gateway Inbound Spillover, Gateway Outbound Bandwidth, Gateway Outbound Spillover, Gateway Total Spillover, GLB GW Available, GLB GW Not Available, GLB Real Server Available, GLB Real Server Not Available, GLB Virtual Server Available, GLB Virtual Server Not Available, Good Device Fan, Good PSU Fan, High CPU Temp, High CPU Usage, High Device Temp, High Disk Usage, High Memory Usage, High Power Supply, High PSU Temp, High PSU Voltage, High Voltage, Link Group HC Down, Link Group HC Up, Log Full, Logical Interface Disabled, Logical Interface Down, Logical Interface Up, Lost Log Disk, Low Power Supply, Low PSU Voltage, Low Voltage, Normal CPU Temp, Normal Device Temp, Normal PSU Temp, OCSP Response Expires, PSU Failure, Real Server Connection Limit Start, Real Server Connection Limit Stop, Real Server Connection Rate Start, Real Server Connection Rate Stop, Real Server Disabled, Real Server Enabled, Real Server HC Down, Real Server HC Up, Real Server Maintain Mode, Slow Device Fan, Slow PSU Fan, SSD MWI Near Threshold, SSD MWI Reached Threshold, SSL Certificate Revoked, User Login, User Logout, Virtual Server Connection Limit Start, Virtual Server Connection Limit Stop, Virtual Server Connection Rate Start, Virtual Server Connection Rate Stop, Virtual Server Disabled, Virtual Server Down, Virtual Server Enabled, Virtual Server IP Pool Limit, Virtual Server Maintain Mode, Virtual Server Transaction Rate Start, Virtual Server Transaction Rate Stop, Virtual Server Up