AWS Administration Guide

Configuring an example automation stitch

Let's try creating an example automation stitch with a simple pipeline. The example pipeline is as follows:

  1. When an event log is created due to a successful login to the FortiGate,
  2. Pick up one of the key-value pairs that the FortiGate sends to the API gateway
  3. Invoke its AWS Lambda script, and, as an action, output the value on CloudWatch

Other actions you may want to configure include quarantining an EC2 instance by applying a different security group, renaming an EC2 tag, and so on. You can configure a variety of actions as fits your deployment scenario.

For this example, do the following:

  1. Create an automation stitch by completing all steps in Creating an automation stitch.
  2. Under Trigger, select Event Log.
  3. In the Event dropdown list, select Admin Login Successful.

  4. You will need to know which elements the FortiGate sends with the event log, so that you can decide which to pick in the Lambda script. Make the example event happen by logging in to the FortiGate successfully as an admin user: log out of the FortiGate, then log in again. You will see the corresponding event log.
  5. Go to Log & Report > System Events. Find the desired event log.

  6. Download the log as a file. You can filter logs as shown below.

  7. Open the SystemEventLog-disk-<date/time/number>.log file in a text editor. The entry should look like the following:

    date=2018-08-29 time=15:56:13 logid="0100032001" type="event" subtype="system" level="information" vd="root" eventtime=1535583373 logdesc="Admin login successful" sn="15355xyz73" user="admin" ui="https(208.xx.yy.1)" method="https" srcip=208.xx.yy.1 dstip=192.168.1.15 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(208.xx.yy.1)"

    This gives a rough idea of which elements can be picked. The raw JSON data, as Node.js prints the parsed object, looks as follows:

    { email: 'your_email@xyz.com',
      data:
       { stitch: 'Your Stitch Name',
         actions: [ [Object] ],
         eventtype: 'logid',
         sn: 'Serial Number of your FortiGate',
         time: 1535587464,
         rawlog:
          { date: '2018-08-29',
            time: '17:04:24',
            logid: '0100032001',
            type: 'event',
            subtype: 'system',
            level: 'information',
            vd: 'root',
            eventtime: '1535587464',
            logdesc: 'Admin login successful',
            sn: 'xyz',
            user: 'admin',
            ui: 'https(FortiGate IP address)',
            method: 'https',
            srcip: 'FortiGate IP address',
            dstip: '10.10.1.12',
            action: 'login',
            status: 'success',
            reason: 'none',
            profile: 'super_admin',
            msg: 'Administrator admin logged in successfully from https(FortiGate IP address)'
          }
       }
    }

  8. You can pick any of the available key-value pairs in your AWS Lambda code. In this particular event log, useful keys include stitch, date, time, vd, logdesc, user, ui, method, srcip, dstip, action, status, profile, and msg.
  9. You can see every JSON log sent by the FortiGate in CloudWatch Logs by adding the following line to the Lambda code:

    console.log(JSON.parse(event.body));

  10. Now, as an example, let's pick user: 'admin' and srcip: '208.xx.yy.1'. Here is the Lambda script:

    'use strict';

    // Only needed once your actions call AWS APIs (for example, to change an EC2 security group)
    var AWS = require('aws-sdk');

    exports.handler = function(event, context, callback) {
        // API Gateway passes the FortiGate payload as a JSON string in event.body
        let body = JSON.parse(event.body);

        // Pick the key-value pairs of interest from the raw log
        var usr = body.data.rawlog.user;
        var sourceip = body.data.rawlog.srcip;

        // Write your automation scripts below
        // .... Actions ....
        console.log('Hello My Friend, ', usr, '@', sourceip, '!');

        // Return a 200 response to API Gateway
        callback(null, { statusCode: 200 });
    };

    This is what the Lambda script will look like:

  11. Save the script.
  12. Log out of the FortiGate, then log in again as an administrator. This triggers the event log. The Lambda code is invoked, and CloudWatch Log shows something like the following:
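The following is an added example, not Fortinet's code or part of this guide, that ties steps 7 and 10 together: a parser for the key=value format of the downloaded SystemEventLog file, and a hardened version of the Lambda handler that validates the posted JSON (malformed body, missing data.rawlog, a logid other than 0100032001, missing fields) before extracting user and srcip, and writes one structured JSON record to CloudWatch Logs instead of a free-text greeting. The names parseFortiLog, processBody and EXPECTED_ADMIN_SOURCES, the 192.0.2.10 management address, and the sample webhook body are constructed for the example; the statusCode/body return shape assumes an API Gateway proxy integration.

```javascript
'use strict';

// logid of the "Admin login successful" event, as shown in the sample log on this page.
const ADMIN_LOGIN_OK_LOGID = '0100032001';

// Constructed allowlist (hypothetical): hosts from which super_admin logins are expected.
// A login from anywhere else is logged at 'alert' level so a CloudWatch filter can catch it.
const EXPECTED_ADMIN_SOURCES = ['192.0.2.10'];

// Parse one FortiGate key=value log line (the SystemEventLog-*.log format from step 7) into
// a plain object. A value is either a bare token (srcip=208.xx.yy.1) or a double-quoted
// string that may contain spaces and parentheses (msg="Administrator admin logged in ...").
function parseFortiLog(line) {
  const fields = {};
  const re = /(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))/g;
  let m;
  while ((m = re.exec(line)) !== null) {
    // Group 2 is a quoted value (backslash escapes removed); group 3 is a bare value.
    fields[m[1]] = m[2] !== undefined ? m[2].replace(/\\(.)/g, '$1') : m[3];
  }
  return fields;
}

// Validate the API Gateway request body and pull out the fields the stitch needs.
// Returns { ok: true, login } or { ok: false, reason } so the handler never throws on bad input.
function processBody(bodyString, opts) {
  const expected = (opts && opts.expectedSources) || [];
  let body;
  try {
    body = JSON.parse(bodyString);
  } catch (e) {
    return { ok: false, reason: 'body is not valid JSON' };
  }
  const rawlog = body && body.data && body.data.rawlog;
  if (!rawlog || typeof rawlog !== 'object') {
    return { ok: false, reason: 'missing data.rawlog' };
  }
  if (rawlog.logid !== ADMIN_LOGIN_OK_LOGID) {
    return { ok: false, reason: 'unexpected logid ' + rawlog.logid };
  }
  for (const key of ['user', 'srcip', 'profile', 'vd']) {
    if (typeof rawlog[key] !== 'string' || rawlog[key] === '') {
      return { ok: false, reason: 'missing field ' + key };
    }
  }
  const login = {
    stitch: body.data.stitch,
    sn: body.data.sn,
    user: rawlog.user,
    srcip: rawlog.srcip,
    profile: rawlog.profile,
    vd: rawlog.vd,
    eventtime: Number(rawlog.eventtime) || null,
    // true only when an allowlist was given and the source is not on it
    unexpectedSource: expected.length > 0 && expected.indexOf(rawlog.srcip) === -1,
  };
  return { ok: true, login };
}

// Lambda entry point (async handler). One JSON line per invocation goes to CloudWatch Logs.
async function handler(event) {
  const result = processBody(event && event.body, { expectedSources: EXPECTED_ADMIN_SOURCES });
  if (!result.ok) {
    console.log(JSON.stringify({ level: 'warn', reason: result.reason }));
    return { statusCode: 400, body: result.reason };
  }
  const level = result.login.unexpectedSource ? 'alert' : 'info';
  console.log(JSON.stringify(Object.assign({ level: level }, result.login)));
  // Automation actions (quarantine, retag, ...) would be driven from result.login here.
  return { statusCode: 200, body: 'ok' };
}

// Constructed sample: the key=value line from step 7 (addresses are the page's placeholders).
const SAMPLE_RAW_LINE =
  'date=2018-08-29 time=15:56:13 logid="0100032001" type="event" subtype="system" ' +
  'level="information" vd="root" eventtime=1535583373 logdesc="Admin login successful" ' +
  'sn="15355xyz73" user="admin" ui="https(208.xx.yy.1)" method="https" srcip=208.xx.yy.1 ' +
  'dstip=192.168.1.15 action="login" status="success" reason="none" profile="super_admin" ' +
  'msg="Administrator admin logged in successfully from https(208.xx.yy.1)"';

// Constructed sample webhook body with the same shape as the JSON shown in step 7.
const SAMPLE_BODY = JSON.stringify({
  email: 'your_email@xyz.com',
  data: {
    stitch: 'Your Stitch Name',
    actions: [{}],
    eventtype: 'logid',
    sn: 'SERIAL-PLACEHOLDER',
    time: 1535587464,
    rawlog: parseFortiLog(SAMPLE_RAW_LINE),
  },
});

// Guarded so the file also loads where CommonJS globals are absent.
if (typeof module !== 'undefined') {
  module.exports = { handler, parseFortiLog, processBody, SAMPLE_RAW_LINE, SAMPLE_BODY };
}
```

Deploy the file as the Lambda function behind the API gateway in place of the step 10 script; calling handler({ body: SAMPLE_BODY }) locally returns a 200 and logs an 'alert' record, because the sample login comes from 208.xx.yy.1 rather than the allowlisted host. Keeping the validation in processBody, separate from the handler, means a malformed or unexpected payload produces a 400 and a 'warn' line rather than an uncaught TypeError in CloudWatch.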
