Fortinet black logo

Cookbook

Webhook action

Copy Link
Copy Doc ID 4e2e9371-e0d6-11ea-96b9-00505692583a:989735
Download PDF

Webhook action

The webhook automation stitch action makes HTTP and HTTPS requests to a specified server, with custom headers, bodies, ports, and methods. It can be used to leverage the ubiquity of HTML requests and APIs to integrate with many other tools.

Tooltip

The URI and HTTP body can use parameters from logs or previous action results. Wrapping the parameter with %% will replace the expression with the JSON value for the parameter, for example: %%results.source%% is the source property from the previous action.

In this example, a specific log message (failed administrator log in attempt) triggers the FortiGate to send the contents of the log to a server. The server responds with a generic reply. This example assumes that the server is already configured and able to communicate with the FortiGate.

To configure the webhook automation stitch in the GUI:
  1. Go to Security Fabric > Automation.
  2. Click Create New.
  3. Enter a name for the stitch, and select the FortiGate devices that it will be applied to.
  4. Select the trigger FortiOS Event Log.
  5. Set Event to Admin login failed.
  6. Select Webhook and configure the settings:

    Name

    The action name.

    Delay

    The amount of time after the previous action before this action executes, in seconds (0 - 3600, default = 0).

    Protocol

    The request protocol to use: HTTP or HTTPS.

    Method

    The request method: POST, PUT, GET, PATCH, or DELETE.

    URI

    The request API URI.

    Port

    The protocol port.

    HTTP body

    The request body, if required, as a serialized JSON string.

    Use the parameter %%log%% to send the contents of the log from the trigger.

    HTTP header

    The HTTP request header name and value.

    +

    Click to add another action.

    Actions can be reorganized as needed by dragging and dropping.

  7. Click OK.
To configure the webhook automation stitch in the CLI:
  1. Create the automation action:
    config system automation-action
        edit "Send Log To Server"
            set action-type webhook
            set uri "172.16.200.44"
            set http-body "%%log%%"
            set port 80
            set headers "Header:1st Action"
        next
    end
  2. Create an automation trigger:
    config system automation-trigger
        edit "badLogin"
            set event-type event-log
            set logid 32002
        next
    end
  3. Create the automation stitch:
    config system automation-stitch
        edit "badLogin"
            set trigger "badLogin"
            set action "Send Log To Server"
        next
    end
To test the automation stitch:
  1. Attempt to log in to the FortiGate with an incorrect username or password.
  2. On the server, check the log to see that its contents have been sent by the FortiGate.

    The body content is replaced with the log of the trigger.

  3. On the FortiGate, go to Log & Report > Events and select System Events to confirm that the stitch was activated.

  4. Go to Security Fabric > Automation to see the last time that the stitch was triggered.

Diagnose commands

  • Enable log dumping:
    # diagnose test application autod 1
    autod dumped total:1 logs, num of logids:1
    autod log dumping is enabled
    
    vdom:root(0) logid:32002 len:408 log:
    date=2019-05-30 time=17:41:03 logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1559263263858888451 tz="-0700" logdesc="Admin login failed" sn="0" user="admin" ui="http(10.6.30.254)" method="http" srcip=10.6.30.254 dstip=10.6.30.5 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from http(10.6.30.254) because of invalid password"
    autod log dumping is disabled
    
    autod logs dumping summary:
            logid:32002 count:1
    
    autod dumped total:1 logs, num of logids:1
  • Show automation settings:
    # diagnose test application autod 2
    csf: enabled 	root:yes
    total stitches activated: 2
     
    stitch: badLogin
    	destinations: all
    	trigger: badLogin
     
    	local hit: 6 relayed to: 6 relayed from: 6
    	actions:
    		Send Log To Server type:webhook interval:0
    			delay:0 required:no
    			proto:0 method:0 port:80
    			uri: 172.16.200.44
    			http body: %%log%%
    			headers:
    			0. Header:1st Action
  • Show automation statistics:
    # diagnose test application autod 3
    
    stitch: badLogin 
     
    	local hit: 1 relayed to: 1 relayed from: 1
    	last trigger:Wed Jul 10 12:14:14 2019
    	last relay:Wed Jul 10 12:14:14 2019
     
    	actions:
    		Send Log To Server:
    			done: 1 relayed to: 1 relayed from: 1
    			last trigger:Wed Jul 10 12:14:14 2019
    			last relay:Wed Jul 10 12:14:14 2019
    
    logid2stitch mapping:
    id:32002  local hit: 3 relayed to: 3 relayed from: 3
    	badLogin
     
    action run cfg&stats:
    total:55 cur:0 done:55 drop:0
    	email:
    		flags:10
    		stats: total:4 cur:0 done:4 drop:0
    	ios-notification:
    		flags:1
    		stats: total:0 cur:0 done:0 drop:0
    	alert:
    		flags:0
    		stats: total:0 cur:0 done:0 drop:0
    	disable-ssid:
    		flags:7
    		stats: total:0 cur:0 done:0 drop:0
    	quarantine:
    		flags:7
    		stats: total:0 cur:0 done:0 drop:0
    	quarantine-forticlient:
    		flags:4
    		stats: total:0 cur:0 done:0 drop:0
    	quarantine-nsx:
    		flags:4
    		stats: total:0 cur:0 done:0 drop:0
    	ban-ip:
    		flags:7
    		stats: total:0 cur:0 done:0 drop:0
    	aws-lambda:
    		flags:11
    		stats: total:21 cur:0 done:21 drop:0
    	webhook:
    		flags:11
    		stats: total:6 cur:0 done:6 drop:0
    	cli-script:
    		flags:10
    		stats: total:4 cur:0 done:4 drop:0
    	azure-function:
    		flags:11
    		stats: total:0 cur:0 done:0 drop:0
    	google-cloud-function:
    		flags:11
    		stats: total:0 cur:0 done:0 drop:0
    	alicloud-function:
    		flags:11
    		stats: total:20 cur:0 done:20 drop:0
  • Enable debug output and turn on automation debug messages for about 30 minutes:
    # diagnose debug enable
    # diagnose debug application autod -1
    __auto_generate_generic_curl_request()-358: Generating generic automation CURL request for action (Send Log To Server).
    __auto_generate_generic_curl_request()-406: Generic automation CURL request POST data for action (Send Log To Server):
    date=2019-05-30 time=16:44:43 logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1559259884209355090 tz="-0700" logdesc="Admin login failed" sn="0" user="admin" ui="http(10.6.30.254)" method="http" srcip=10.6.30.254 dstip=10.6.30.5 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from http(10.6.30.254) because of invalid password"
    
    __auto_generic_curl_request_close()-512: Generic CURL request response body from http://172.16.200.44:
    {
      "userId": 1,
      "id": 1,
      "title": "Test Response",
      "body": "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    }

Webhook action

The webhook automation stitch action makes HTTP and HTTPS requests to a specified server, with custom headers, bodies, ports, and methods. It can be used to leverage the ubiquity of HTML requests and APIs to integrate with many other tools.

Tooltip

The URI and HTTP body can use parameters from logs or previous action results. Wrapping the parameter with %% will replace the expression with the JSON value for the parameter, for example: %%results.source%% is the source property from the previous action.

In this example, a specific log message (failed administrator log in attempt) triggers the FortiGate to send the contents of the log to a server. The server responds with a generic reply. This example assumes that the server is already configured and able to communicate with the FortiGate.

To configure the webhook automation stitch in the GUI:
  1. Go to Security Fabric > Automation.
  2. Click Create New.
  3. Enter a name for the stitch, and select the FortiGate devices that it will be applied to.
  4. Select the trigger FortiOS Event Log.
  5. Set Event to Admin login failed.
  6. Select Webhook and configure the settings:

    Name

    The action name.

    Delay

    The amount of time after the previous action before this action executes, in seconds (0 - 3600, default = 0).

    Protocol

    The request protocol to use: HTTP or HTTPS.

    Method

    The request method: POST, PUT, GET, PATCH, or DELETE.

    URI

    The request API URI.

    Port

    The protocol port.

    HTTP body

    The request body, if required, as a serialized JSON string.

    Use the parameter %%log%% to send the contents of the log from the trigger.

    HTTP header

    The HTTP request header name and value.

    +

    Click to add another action.

    Actions can be reorganized as needed by dragging and dropping.

  7. Click OK.
To configure the webhook automation stitch in the CLI:
  1. Create the automation action:
    config system automation-action
        edit "Send Log To Server"
            set action-type webhook
            set uri "172.16.200.44"
            set http-body "%%log%%"
            set port 80
            set headers "Header:1st Action"
        next
    end
  2. Create an automation trigger:
    config system automation-trigger
        edit "badLogin"
            set event-type event-log
            set logid 32002
        next
    end
  3. Create the automation stitch:
    config system automation-stitch
        edit "badLogin"
            set trigger "badLogin"
            set action "Send Log To Server"
        next
    end
To test the automation stitch:
  1. Attempt to log in to the FortiGate with an incorrect username or password.
  2. On the server, check the log to see that its contents have been sent by the FortiGate.

    The body content is replaced with the log of the trigger.

  3. On the FortiGate, go to Log & Report > Events and select System Events to confirm that the stitch was activated.

  4. Go to Security Fabric > Automation to see the last time that the stitch was triggered.

Diagnose commands

  • Enable log dumping:
    # diagnose test application autod 1
    autod dumped total:1 logs, num of logids:1
    autod log dumping is enabled
    
    vdom:root(0) logid:32002 len:408 log:
    date=2019-05-30 time=17:41:03 logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1559263263858888451 tz="-0700" logdesc="Admin login failed" sn="0" user="admin" ui="http(10.6.30.254)" method="http" srcip=10.6.30.254 dstip=10.6.30.5 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from http(10.6.30.254) because of invalid password"
    autod log dumping is disabled
    
    autod logs dumping summary:
            logid:32002 count:1
    
    autod dumped total:1 logs, num of logids:1
  • Show automation settings:
    # diagnose test application autod 2
    csf: enabled 	root:yes
    total stitches activated: 2
     
    stitch: badLogin
    	destinations: all
    	trigger: badLogin
     
    	local hit: 6 relayed to: 6 relayed from: 6
    	actions:
    		Send Log To Server type:webhook interval:0
    			delay:0 required:no
    			proto:0 method:0 port:80
    			uri: 172.16.200.44
    			http body: %%log%%
    			headers:
    			0. Header:1st Action
  • Show automation statistics:
    # diagnose test application autod 3
    
    stitch: badLogin 
     
    	local hit: 1 relayed to: 1 relayed from: 1
    	last trigger:Wed Jul 10 12:14:14 2019
    	last relay:Wed Jul 10 12:14:14 2019
     
    	actions:
    		Send Log To Server:
    			done: 1 relayed to: 1 relayed from: 1
    			last trigger:Wed Jul 10 12:14:14 2019
    			last relay:Wed Jul 10 12:14:14 2019
    
    logid2stitch mapping:
    id:32002  local hit: 3 relayed to: 3 relayed from: 3
    	badLogin
     
    action run cfg&stats:
    total:55 cur:0 done:55 drop:0
    	email:
    		flags:10
    		stats: total:4 cur:0 done:4 drop:0
    	ios-notification:
    		flags:1
    		stats: total:0 cur:0 done:0 drop:0
    	alert:
    		flags:0
    		stats: total:0 cur:0 done:0 drop:0
    	disable-ssid:
    		flags:7
    		stats: total:0 cur:0 done:0 drop:0
    	quarantine:
    		flags:7
    		stats: total:0 cur:0 done:0 drop:0
    	quarantine-forticlient:
    		flags:4
    		stats: total:0 cur:0 done:0 drop:0
    	quarantine-nsx:
    		flags:4
    		stats: total:0 cur:0 done:0 drop:0
    	ban-ip:
    		flags:7
    		stats: total:0 cur:0 done:0 drop:0
    	aws-lambda:
    		flags:11
    		stats: total:21 cur:0 done:21 drop:0
    	webhook:
    		flags:11
    		stats: total:6 cur:0 done:6 drop:0
    	cli-script:
    		flags:10
    		stats: total:4 cur:0 done:4 drop:0
    	azure-function:
    		flags:11
    		stats: total:0 cur:0 done:0 drop:0
    	google-cloud-function:
    		flags:11
    		stats: total:0 cur:0 done:0 drop:0
    	alicloud-function:
    		flags:11
    		stats: total:20 cur:0 done:20 drop:0
  • Enable debug output and turn on automation debug messages for about 30 minutes:
    # diagnose debug enable
    # diagnose debug application autod -1
    __auto_generate_generic_curl_request()-358: Generating generic automation CURL request for action (Send Log To Server).
    __auto_generate_generic_curl_request()-406: Generic automation CURL request POST data for action (Send Log To Server):
    date=2019-05-30 time=16:44:43 logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1559259884209355090 tz="-0700" logdesc="Admin login failed" sn="0" user="admin" ui="http(10.6.30.254)" method="http" srcip=10.6.30.254 dstip=10.6.30.5 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from http(10.6.30.254) because of invalid password"
    
    __auto_generic_curl_request_close()-512: Generic CURL request response body from http://172.16.200.44:
    {
      "userId": 1,
      "id": 1,
      "title": "Test Response",
      "body": "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    }