Fortinet Document Library

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

Automation webhook stitches

The Automation menu contains eight webhook automation stitches, including an Incoming Webhook Quarantine trigger for API calls to the FortiGate, as well as a predefined License Expired Notification that replaces the existing license expiry alerts.

The automation stitches are available in new FortiGate installations by default. To install the stitches on an existing device, perform a factory reset.

Note

Performing a factory reset will wipe the existing configurations from the ForttGate.

Before performing a factory reset, backup the existing configuration. Contact Fortinet support for additional assistance.

The following webhook stitches are included in the Automation menu:

  • Compromised Host Quarantine
  • Incoming Webhook quarantine
  • HA Failover
  • Network Down
  • Reboot
  • FortiAnalyzer Connection Down
  • License Expired Notification
  • Security rating Notification

To view the automation stitches in the GUI, go to Security Fabric > Automation.

Note

After the factory reset, the email alert feature will be removed from the GUI (Log & Report > Email Alert Settings), and replaced with the Email automation stitches.

You can continue using the email alert feature with the CLI console.

To configure the automation stitches in the CLI console, use the following commands:

config system automation-action

config system automation-trigger

config system automation-stitch

Tooltip

To view the configurations for the new automation stitches, see the CLI reference at the bottom of the page.

To trigger an Incoming Webhook Quarantine stitch with the GUI:
  1. Create new API user.
    1. Go to System > Administrators.
    2. Click Create New > REST API Admin.
    3. Configure the New REST API Admin settings, and record the API key.

  2. Get the sample cURL request.
    1. Go to Security Fabric > Automation.
    2. Under Incoming Webhook, right-click Incoming Webhook Quarantine, and select Edit.
    3. Click Enabled, to enable the rule.
    4. In the API admin key field, enter the API key you recorded in the previous step. A Sample cURL request is created.
    5. Copy the Sample cURL request.

  3. Execute the request:
    1. Edit the sample cURL you recorded in the previous step.
    2. Add parameters to the data field ("mac" and "fctuid"), and then execute the request.

    root@pc:~# curl -k -X POST -H 'Authorization: Bearer cfgtct1mmx3fQxr4khb994p7swdfmk' --data '{ "mac":"0c:0a:00:0c:ce:b0", "fctuid": "0000BB0B0ABD0D00B0D0A0B0E0F0B00B"}' https://172.16.116.226/api/v2/monitor/system/automation-stitch/webhook/Incoming%20Webhook%20Quarantine

    {

    "http_method":"POST",

    "status":"success",

    "http_status":200,

    "serial":"FGT00E0Q00000000",

    "version":"v6.4.0",

    "build":1545

    Note

    Encode the spaces in the automation-stitch name with %20. For example, Incoming%20Webhook%20Quarantine

    The automation rule Incoming Webhook Quarantine is triggered.

    The MAC address is quarantined in FortiGate and an event log is created.

    The FortiClient UUID is quarantined by EMS on the server side.

To create an automated stitch with the CLI:
  1. Create new API user and record the API key.

    config system api-user

    edit "api"

    set api-key ENC SH00vqP0GKWKyZNz0FP0/jq00O0Ka/DHVEKdxUi+0kRDNKPpZppnnMk0KeunBI=

    set accprofile "api_profile"

    set vdom "root"

    config trusthost

    edit 1

    set ipv4-trusthost 10.6.30.0 200.200.200.0

    next

    end

    next

    end

  2. Configure the automation stitch, Incoming Webhook Quarantine.

    config system automation-stitch

    edit "Incoming Webhook Quarantine"

    set status enable

    set trigger "Incoming Webhook Quarantine"

    set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"

    next

    end

  3. Add parameters in the data field ("mac" and "fctuid"), then execute the request on a device.

    root@pc56:~# curl -k -X POST -H 'Authorization: Bearer cfgtct1mmx0fQxr4khb000p70wdfmk' --data '{ "mac":"0c:0a:00:0c:ce:b0", "fctuid": "3000BB0B0ABD0D00B0D0A0B0E0F0B00B"}' https://100.10.100.200/api/v2/monitor/system/automation-stitch/webhook/Incoming%20Webhook%20Quarantine

    {

    "http_method":"POST",

    "status":"success",

    "http_status":200,

    "serial":"FGT80E0Q00000000",

    "version":"v6.4.0",

    "build":1545

    Note

    Encode the spaces in the automation-stitch name with %20. For example, Incoming%20Webhook%20Quarantine

    The automation rule "Incoming Webhook Quarantine" is triggered. The MAC address is quarantined in FortiGate, and an event log is created. The FortiClient UUID will be quarantined on the EMS server side.

    config user quarantine

    config targets

    edit "0c:0a:00:0c:ce:b0"

    config macs

    edit 0c:0a:00:0c:ce:b0

    set description "Quarantined by automation stitch: Incoming Webhook Quarantine"

    next

    end

    next

    end

    end

    date=2020-02-14 time=15:37:48 logid="0100046600" type="event" subtype="system" level="notice" vd="root" eventtime=1581723468644200712 tz="-0800" logdesc="Automation stitch triggered" stitch="Incoming Webhook Quarantine" trigger="Incoming Webhook Quarantine" stitchaction="Compromised Host Quarantine_quarantine,Compromised Host Quarantine_quarantine-forticlient" from="log" msg="stitch:Incoming Webhook Quarantine is triggered."

CLI Reference

Network down

config system automation-action

config system automation-action

edit "Network Down_email"

set action-type email

set email-from ''

set email-subject "Network Down"

set minimum-interval 0

set delay 0

set required disable

set message "%%log%%"

next

end

config system automation-trigger

config system automation-trigger

edit "Network Down"

set trigger-type event-based

set event-type event-log

set logid 20099

config fields

edit 1

set name "status"

set value "DOWN"

next

end

next

end

config system automation-stitch

config system automation-stitch

edit "Network Down"

set status disable

set trigger "Network Down"

set action "Network Down_email"

next

end

HA failover

config system automation-action

config system automation-action

edit "HA Failover_email"

set action-type email

set email-from ''

set email-subject "HA Failover"

set minimum-interval 0

set delay 0

set required disable

set message "%%log%%"

next

end

config system automation-trigger

config system automation-trigger

edit "HA Failover"

set trigger-type event-based

set event-type ha-failover

next

end

config system automation-stitch

config system automation-stitch

edit "HA Failover"

set status disable

set trigger "HA Failover"

set action "HA Failover_email"

next

end

Reboot

config system automation-action

config system automation-action

edit "Reboot_email"

set action-type email

set email-from ''

set email-subject "Reboot"

set minimum-interval 0

set delay 0

set required disable

set message "%%log%%"

next

end

config system automation-trigger

config system automation-trigger

edit "Reboot"

set trigger-type event-based

set event-type reboot

next

end

config system automation-stitch

config system automation-stitch

edit "Reboot"

set status disable

set trigger "Reboot"

set action "Reboot_email"

next

end

Connection down

config system automation-action

config system automation-action

edit "FortiAnalyzer Connection Down_ios-notification"

set action-type ios-notification

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

config system automation-trigger

edit "FortiAnalyzer Connection Down"

set trigger-type event-based

set event-type event-log

set logid 22902

next

end

config system automation-stitch

config system automation-stitch

edit "FortiAnalyzer Connection Down"

set status enable

set trigger "FortiAnalyzer Connection Down"

set action "FortiAnalyzer Connection Down_ios-notification"

next

end

License expired

config system automation-action

config system automation-action

edit "License Expired Notification_ios-notification"

set action-type ios-notification

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

config system automation-trigger

edit "License Expired Notification"

set trigger-type event-based

set event-type license-near-expiry

set license-type any

next

end

config system automation-stitch

config system automation-stitch

edit "License Expired Notification"

set status enable

set trigger "License Expired Notification"

set action "License Expired Notification_ios-notification"

next

end

Compromised host

config system automation-action

config system automation-action

edit "Compromised Host Quarantine_quarantine"

set action-type quarantine

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

config system automation-trigger

edit "Compromised Host Quarantine"

set trigger-type event-based

set event-type ioc

set ioc-level high

next

end

config system automation-stitch

config system automation-stitch

edit "Compromised Host Quarantine"

set status disable

set trigger "Compromised Host Quarantine"

set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"

next

end

Quarantine FortiClient

config system automation-action

config system automation-action

edit "Compromised Host Quarantine_quarantine-forticlient"

set action-type quarantine-forticlient

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

config system automation-trigger

edit "Compromised Host Quarantine"

set trigger-type event-based

set event-type ioc

set ioc-level high

next

end

config system automation-stitch

config system automation-stitch

edit "Compromised Host Quarantine"

set status disable

set trigger "Compromised Host Quarantine"

set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"

next

end

Security rating

config system automation-action

config system automation-action

edit "Security Rating Notification_ios-notification"

set action-type ios-notification

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

config system automation-trigger

edit "Security Rating Notification"

set trigger-type event-based

set event-type security-rating-summary

next

end

config system automation-stitch

config system automation-stitch

edit "Security Rating Notification"

set status enable

set trigger "Security Rating Notification"

set action "Security Rating Notification_ios-notification"

next

end

Automation webhook stitches

The Automation menu contains eight webhook automation stitches, including an Incoming Webhook Quarantine trigger for API calls to the FortiGate, as well as a predefined License Expired Notification that replaces the existing license expiry alerts.

The automation stitches are available in new FortiGate installations by default. To install the stitches on an existing device, perform a factory reset.

Note

Performing a factory reset will wipe the existing configurations from the ForttGate.

Before performing a factory reset, backup the existing configuration. Contact Fortinet support for additional assistance.

The following webhook stitches are included in the Automation menu:

  • Compromised Host Quarantine
  • Incoming Webhook quarantine
  • HA Failover
  • Network Down
  • Reboot
  • FortiAnalyzer Connection Down
  • License Expired Notification
  • Security rating Notification

To view the automation stitches in the GUI, go to Security Fabric > Automation.

Note

After the factory reset, the email alert feature will be removed from the GUI (Log & Report > Email Alert Settings), and replaced with the Email automation stitches.

You can continue using the email alert feature with the CLI console.

To configure the automation stitches in the CLI console, use the following commands:

config system automation-action

config system automation-trigger

config system automation-stitch

Tooltip

To view the configurations for the new automation stitches, see the CLI reference at the bottom of the page.

To trigger an Incoming Webhook Quarantine stitch with the GUI:
  1. Create new API user.
    1. Go to System > Administrators.
    2. Click Create New > REST API Admin.
    3. Configure the New REST API Admin settings, and record the API key.

  2. Get the sample cURL request.
    1. Go to Security Fabric > Automation.
    2. Under Incoming Webhook, right-click Incoming Webhook Quarantine, and select Edit.
    3. Click Enabled, to enable the rule.
    4. In the API admin key field, enter the API key you recorded in the previous step. A Sample cURL request is created.
    5. Copy the Sample cURL request.

  3. Execute the request:
    1. Edit the sample cURL you recorded in the previous step.
    2. Add parameters to the data field ("mac" and "fctuid"), and then execute the request.

    root@pc:~# curl -k -X POST -H 'Authorization: Bearer cfgtct1mmx3fQxr4khb994p7swdfmk' --data '{ "mac":"0c:0a:00:0c:ce:b0", "fctuid": "0000BB0B0ABD0D00B0D0A0B0E0F0B00B"}' https://172.16.116.226/api/v2/monitor/system/automation-stitch/webhook/Incoming%20Webhook%20Quarantine

    {

    "http_method":"POST",

    "status":"success",

    "http_status":200,

    "serial":"FGT00E0Q00000000",

    "version":"v6.4.0",

    "build":1545

    Note

    Encode the spaces in the automation-stitch name with %20. For example, Incoming%20Webhook%20Quarantine

    The automation rule Incoming Webhook Quarantine is triggered.

    The MAC address is quarantined in FortiGate and an event log is created.

    The FortiClient UUID is quarantined by EMS on the server side.

To create an automated stitch with the CLI:
  1. Create new API user and record the API key.

    config system api-user

    edit "api"

    set api-key ENC SH00vqP0GKWKyZNz0FP0/jq00O0Ka/DHVEKdxUi+0kRDNKPpZppnnMk0KeunBI=

    set accprofile "api_profile"

    set vdom "root"

    config trusthost

    edit 1

    set ipv4-trusthost 10.6.30.0 200.200.200.0

    next

    end

    next

    end

  2. Configure the automation stitch, Incoming Webhook Quarantine.

    config system automation-stitch

    edit "Incoming Webhook Quarantine"

    set status enable

    set trigger "Incoming Webhook Quarantine"

    set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"

    next

    end

  3. Add parameters in the data field ("mac" and "fctuid"), then execute the request on a device.

    root@pc56:~# curl -k -X POST -H 'Authorization: Bearer cfgtct1mmx0fQxr4khb000p70wdfmk' --data '{ "mac":"0c:0a:00:0c:ce:b0", "fctuid": "3000BB0B0ABD0D00B0D0A0B0E0F0B00B"}' https://100.10.100.200/api/v2/monitor/system/automation-stitch/webhook/Incoming%20Webhook%20Quarantine

    {

    "http_method":"POST",

    "status":"success",

    "http_status":200,

    "serial":"FGT80E0Q00000000",

    "version":"v6.4.0",

    "build":1545

    Note

    Encode the spaces in the automation-stitch name with %20. For example, Incoming%20Webhook%20Quarantine

    The automation rule "Incoming Webhook Quarantine" is triggered. The MAC address is quarantined in FortiGate, and an event log is created. The FortiClient UUID will be quarantined on the EMS server side.

    config user quarantine

    config targets

    edit "0c:0a:00:0c:ce:b0"

    config macs

    edit 0c:0a:00:0c:ce:b0

    set description "Quarantined by automation stitch: Incoming Webhook Quarantine"

    next

    end

    next

    end

    end

    date=2020-02-14 time=15:37:48 logid="0100046600" type="event" subtype="system" level="notice" vd="root" eventtime=1581723468644200712 tz="-0800" logdesc="Automation stitch triggered" stitch="Incoming Webhook Quarantine" trigger="Incoming Webhook Quarantine" stitchaction="Compromised Host Quarantine_quarantine,Compromised Host Quarantine_quarantine-forticlient" from="log" msg="stitch:Incoming Webhook Quarantine is triggered."

CLI Reference

Network down

config system automation-action

config system automation-action

edit "Network Down_email"

set action-type email

set email-from ''

set email-subject "Network Down"

set minimum-interval 0

set delay 0

set required disable

set message "%%log%%"

next

end

config system automation-trigger

config system automation-trigger

edit "Network Down"

set trigger-type event-based

set event-type event-log

set logid 20099

config fields

edit 1

set name "status"

set value "DOWN"

next

end

next

end

config system automation-stitch

config system automation-stitch

edit "Network Down"

set status disable

set trigger "Network Down"

set action "Network Down_email"

next

end

HA failover

config system automation-action

config system automation-action

edit "HA Failover_email"

set action-type email

set email-from ''

set email-subject "HA Failover"

set minimum-interval 0

set delay 0

set required disable

set message "%%log%%"

next

end

config system automation-trigger

config system automation-trigger

edit "HA Failover"

set trigger-type event-based

set event-type ha-failover

next

end

config system automation-stitch

config system automation-stitch

edit "HA Failover"

set status disable

set trigger "HA Failover"

set action "HA Failover_email"

next

end

Reboot

config system automation-action

config system automation-action

edit "Reboot_email"

set action-type email

set email-from ''

set email-subject "Reboot"

set minimum-interval 0

set delay 0

set required disable

set message "%%log%%"

next

end

config system automation-trigger

config system automation-trigger

edit "Reboot"

set trigger-type event-based

set event-type reboot

next

end

config system automation-stitch

config system automation-stitch

edit "Reboot"

set status disable

set trigger "Reboot"

set action "Reboot_email"

next

end

Connection down

config system automation-action

config system automation-action

edit "FortiAnalyzer Connection Down_ios-notification"

set action-type ios-notification

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

config system automation-trigger

edit "FortiAnalyzer Connection Down"

set trigger-type event-based

set event-type event-log

set logid 22902

next

end

config system automation-stitch

config system automation-stitch

edit "FortiAnalyzer Connection Down"

set status enable

set trigger "FortiAnalyzer Connection Down"

set action "FortiAnalyzer Connection Down_ios-notification"

next

end

License expired

config system automation-action

config system automation-action

edit "License Expired Notification_ios-notification"

set action-type ios-notification

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

config system automation-trigger

edit "License Expired Notification"

set trigger-type event-based

set event-type license-near-expiry

set license-type any

next

end

config system automation-stitch

config system automation-stitch

edit "License Expired Notification"

set status enable

set trigger "License Expired Notification"

set action "License Expired Notification_ios-notification"

next

end

Compromised host

config system automation-action

config system automation-action

edit "Compromised Host Quarantine_quarantine"

set action-type quarantine

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

config system automation-trigger

edit "Compromised Host Quarantine"

set trigger-type event-based

set event-type ioc

set ioc-level high

next

end

config system automation-stitch

config system automation-stitch

edit "Compromised Host Quarantine"

set status disable

set trigger "Compromised Host Quarantine"

set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"

next

end

Quarantine FortiClient

config system automation-action

config system automation-action

edit "Compromised Host Quarantine_quarantine-forticlient"

set action-type quarantine-forticlient

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

config system automation-trigger

edit "Compromised Host Quarantine"

set trigger-type event-based

set event-type ioc

set ioc-level high

next

end

config system automation-stitch

config system automation-stitch

edit "Compromised Host Quarantine"

set status disable

set trigger "Compromised Host Quarantine"

set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"

next

end

Security rating

config system automation-action

config system automation-action

edit "Security Rating Notification_ios-notification"

set action-type ios-notification

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

config system automation-trigger

edit "Security Rating Notification"

set trigger-type event-based

set event-type security-rating-summary

next

end

config system automation-stitch

config system automation-stitch

edit "Security Rating Notification"

set status enable

set trigger "Security Rating Notification"

set action "Security Rating Notification_ios-notification"

next

end