Default automation stitches
The Automation menu contains eight default automation stitches, including an Incoming Webhook Quarantine trigger for API calls to the FortiGate, as well as a predefined License Expired Notification that replaces the existing license expiry alerts.
The automation stitches are available in new FortiGate installations and after upgrading from previous versions.
The following default stitches are included in the Automation menu:
- Compromised Host Quarantine
- Incoming Webhook Quarantine
- HA Failover
- Network Down
- Reboot
- FortiAnalyzer Connection Down
- License Expired Notification
- Security Rating Notification
To view the CLI configurations for the new automation stitches, see CLI configuration. To view the automation stitches in the GUI, go to Security Fabric > Automation.
Triggering a stitch example
To trigger an Incoming Webhook Quarantine stitch in the GUI:
- Create a new API user:
  - Go to System > Administrators.
  - Click Create New > REST API Admin.
  - Configure the New REST API Admin settings, and record the API key.
- Get the sample cURL request:
  - Go to Security Fabric > Automation.
  - Under Incoming Webhook, right-click Incoming Webhook Quarantine, and select Edit.
  - Click Enabled to enable the rule.
  - In the API admin key field, enter the API key you recorded in the previous step. A Sample cURL request is created.
  - Copy the Sample cURL request.
- Execute the request:
  - Edit the sample cURL request you copied in the previous step.
  - Add the "mac" and "fctuid" parameters to the data field, and then execute the request:
root@pc:~# curl -k -X POST -H 'Authorization: Bearer cfgtct1mmx3fQxr4khb994p7swdfmk' --data '{ "mac":"0c:0a:00:0c:ce:b0", "fctuid": "0000BB0B0ABD0D00B0D0A0B0E0F0B00B"}' https://172.16.116.226/api/v2/monitor/system/automation-stitch/webhook/Incoming%20Webhook%20Quarantine
{
  "http_method":"POST",
  "status":"success",
  "http_status":200,
  "serial":"FGT00E0Q00000000",
  "version":"v6.4.0",
  "build":1545
}
Encode spaces in the automation-stitch name with %20. For example, Incoming%20Webhook%20Quarantine.
The automation rule Incoming Webhook Quarantine is triggered. The MAC address is quarantined in FortiGate and an event log is created. The FortiClient UUID is quarantined by EMS on the server side.
To trigger an Incoming Webhook Quarantine stitch in the CLI:
- Create a new API user and record the API key:
config system api-user
    edit "api"
        set api-key ENC SH00vqP0GKWKyZNz0FP0/jq00O0Ka/DHVEKdxUi+0kRDNKPpZppnnMk0KeunBI=
        set accprofile "api_profile"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 10.6.30.0 200.200.200.0
            next
        end
    next
end
- Configure the automation stitch:
config system automation-stitch
    edit "Incoming Webhook Quarantine"
        set status enable
        set trigger "Incoming Webhook Quarantine"
        set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"
    next
end
- Add the "mac" and "fctuid" parameters to the data field, and then execute the request on a device:
root@pc56:~# curl -k -X POST -H 'Authorization: Bearer cfgtct1mmx0fQxr4khb000p70wdfmk' --data '{ "mac":"0c:0a:00:0c:ce:b0", "fctuid": "3000BB0B0ABD0D00B0D0A0B0E0F0B00B"}' https://100.10.100.200/api/v2/monitor/system/automation-stitch/webhook/Incoming%20Webhook%20Quarantine
{
  "http_method":"POST",
  "status":"success",
  "http_status":200,
  "serial":"FGT80E0Q00000000",
  "version":"v6.4.0",
  "build":1545
}
Encode spaces in the automation-stitch name with %20. For example, Incoming%20Webhook%20Quarantine.
The automation rule Incoming Webhook Quarantine is triggered. The MAC address is quarantined in FortiGate, and an event log is created. The FortiClient UUID will be quarantined on the EMS server side. The resulting quarantine entry and event log are shown below:
config user quarantine
    config targets
        edit "0c:0a:00:0c:ce:b0"
            config macs
                edit 0c:0a:00:0c:ce:b0
                    set description "Quarantined by automation stitch: Incoming Webhook Quarantine"
                next
            end
        next
    end
end
date=2020-02-14 time=15:37:48 logid="0100046600" type="event" subtype="system" level="notice" vd="root" eventtime=1581723468644200712 tz="-0800" logdesc="Automation stitch triggered" stitch="Incoming Webhook Quarantine" trigger="Incoming Webhook Quarantine" stitchaction="Compromised Host Quarantine_quarantine,Compromised Host Quarantine_quarantine-forticlient" from="log" msg="stitch:Incoming Webhook Quarantine is triggered."
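As an added example (not Fortinet's code and not part of this page), the following Python script does what the GUI and CLI procedures above describe by hand: it builds the webhook POST for the Incoming Webhook Quarantine stitch, URL-encoding the stitch name so its spaces become %20 and validating the "mac" and "fctuid" parameters before they are sent, and it parses the resulting "Automation stitch triggered" event log line so that the trigger can be confirmed from log data rather than only from the HTTP reply. The host, API key, MAC address and FortiClient UID are constructed placeholders, and the send function and log-line regex are this example's own, not a FortiOS API; the sample log line is the one shown above.

```python
"""Added example: build an Incoming Webhook Quarantine call and confirm from the
FortiGate event log that the stitch fired. Host, API key, MAC and FortiClient
UID are constructed placeholders, not values from a real deployment."""
import json
import re
import ssl
import urllib.parse
import urllib.request

# Constructed sample values (the API key is a placeholder string).
FGT_HOST = "172.16.116.226"
API_KEY = "REPLACE_WITH_REST_API_ADMIN_KEY"
STITCH_NAME = "Incoming Webhook Quarantine"

# MAC: six colon-separated hex octets; fctuid: 32 hex digits (as in the page's sample call).
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
FCTUID_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

# FortiGate event log text is key=value pairs; values are optionally double-quoted.
LOG_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Event log line copied from the page (the result of the sample webhook call).
SAMPLE_LOG = (
    'date=2020-02-14 time=15:37:48 logid="0100046600" type="event" subtype="system" '
    'level="notice" vd="root" eventtime=1581723468644200712 tz="-0800" '
    'logdesc="Automation stitch triggered" stitch="Incoming Webhook Quarantine" '
    'trigger="Incoming Webhook Quarantine" '
    'stitchaction="Compromised Host Quarantine_quarantine,Compromised Host Quarantine_quarantine-forticlient" '
    'from="log" msg="stitch:Incoming Webhook Quarantine is triggered."'
)


def is_valid_mac(mac: str) -> bool:
    return bool(MAC_RE.match(mac))


def is_valid_fctuid(fctuid: str) -> bool:
    return bool(FCTUID_RE.match(fctuid))


def webhook_url(host: str, stitch_name: str) -> str:
    """Monitor API URL for a stitch; quote() turns the spaces in the name into %20."""
    encoded = urllib.parse.quote(stitch_name, safe="")
    return f"https://{host}/api/v2/monitor/system/automation-stitch/webhook/{encoded}"


def build_quarantine_request(host, api_key, mac, fctuid, stitch_name=STITCH_NAME):
    """Validate the two parameters and return (url, headers, body) for the POST.

    Rejecting malformed input here keeps a typo from quarantining nothing (or the
    wrong host) silently; the FortiGate only ever sees well-formed values.
    """
    if not is_valid_mac(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    if not is_valid_fctuid(fctuid):
        raise ValueError(f"not a 32-hex-digit FortiClient UID: {fctuid!r}")
    headers = {
        "Authorization": f"Bearer {api_key}",  # REST API admin key, as in the sample cURL
        "Content-Type": "application/json",
    }
    body = json.dumps({"mac": mac.lower(), "fctuid": fctuid.upper()}).encode()
    return webhook_url(host, stitch_name), headers, body


def send_webhook(url, headers, body, cafile=None):
    """POST the call and return the parsed JSON reply ({"status": "success", ...}).

    The page's cURL uses -k; here the FortiGate certificate is verified instead,
    against the CA file given (or the system trust store when cafile is None).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())


def parse_fgt_log(line: str) -> dict:
    """Split a FortiGate key=value log line into a dict, unquoting quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in LOG_FIELD_RE.finditer(line)}


def stitch_triggered(line: str):
    """Return the stitch name when the line records a triggered automation stitch, else None."""
    fields = parse_fgt_log(line)
    if fields.get("logdesc") == "Automation stitch triggered":
        return fields.get("stitch")
    return None


if __name__ == "__main__":
    url, headers, body = build_quarantine_request(
        FGT_HOST, API_KEY, "0c:0a:00:0c:ce:b0", "0000BB0B0ABD0D00B0D0A0B0E0F0B00B")
    print("POST", url)
    print(body.decode())
    # send_webhook(url, headers, body, cafile="fortigate-ca.pem")  # needs a reachable FortiGate
    print("stitch fired:", stitch_triggered(SAMPLE_LOG))
```

The log parser is the part worth reusing: forwarding FortiGate event logs to a SIEM and alerting on logdesc="Automation stitch triggered" gives an independent record of every quarantine the webhook caused, including the stitchaction field that names which actions ran.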
CLI configuration
Compromised host
config system automation-action
    edit "Compromised Host Quarantine_quarantine"
        set action-type quarantine
        set minimum-interval 0
        set delay 0
        set required disable
    next
    edit "Compromised Host Quarantine_quarantine-forticlient"
        set action-type quarantine-forticlient
        set minimum-interval 0
        set delay 0
        set required disable
    next
end
config system automation-trigger
    edit "Compromised Host Quarantine"
        set trigger-type event-based
        set event-type ioc
        set ioc-level high
    next
end
config system automation-stitch
    edit "Compromised Host Quarantine"
        set status disable
        set trigger "Compromised Host Quarantine"
        set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"
    next
end
FortiAnalyzer connection down
config system automation-action
    edit "FortiAnalyzer Connection Down_ios-notification"
        set action-type ios-notification
        set minimum-interval 0
        set delay 0
        set required disable
    next
end
config system automation-trigger
    edit "FortiAnalyzer Connection Down"
        set trigger-type event-based
        set event-type event-log
        set logid 22902
    next
end
config system automation-stitch
    edit "FortiAnalyzer Connection Down"
        set status enable
        set trigger "FortiAnalyzer Connection Down"
        set action "FortiAnalyzer Connection Down_ios-notification"
    next
end
Network down
config system automation-action
    edit "Network Down_email"
        set action-type email
        set email-from ''
        set email-subject "Network Down"
        set minimum-interval 0
        set delay 0
        set required disable
        set message "%%log%%"
    next
end
config system automation-trigger
    edit "Network Down"
        set trigger-type event-based
        set event-type event-log
        set logid 20099
        config fields
            edit 1
                set name "status"
                set value "DOWN"
            next
        end
    next
end
config system automation-stitch
    edit "Network Down"
        set status disable
        set trigger "Network Down"
        set action "Network Down_email"
    next
end
HA failover
config system automation-action
    edit "HA Failover_email"
        set action-type email
        set email-from ''
        set email-subject "HA Failover"
        set minimum-interval 0
        set delay 0
        set required disable
        set message "%%log%%"
    next
end
config system automation-trigger
    edit "HA Failover"
        set trigger-type event-based
        set event-type ha-failover
    next
end
config system automation-stitch
    edit "HA Failover"
        set status disable
        set trigger "HA Failover"
        set action "HA Failover_email"
    next
end
Incoming Webhook Quarantine
config system automation-action
    edit "Compromised Host Quarantine_quarantine"
        set action-type quarantine
        set minimum-interval 0
        set delay 0
        set required disable
    next
    edit "Compromised Host Quarantine_quarantine-forticlient"
        set action-type quarantine-forticlient
        set minimum-interval 0
        set delay 0
        set required disable
    next
end
config system automation-trigger
    edit "Incoming Webhook Call"
        set trigger-type event-based
        set event-type incoming-webhook
    next
end
config system automation-stitch
    edit "Incoming Webhook Quarantine"
        set status disable
        set trigger "Incoming Webhook Call"
        set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"
    next
end
License expired
config system automation-action
    edit "License Expired Notification_ios-notification"
        set action-type ios-notification
        set minimum-interval 0
        set delay 0
        set required disable
    next
end
config system automation-trigger
    edit "License Expired Notification"
        set trigger-type event-based
        set event-type license-near-expiry
        set license-type any
    next
end
config system automation-stitch
    edit "License Expired Notification"
        set status enable
        set trigger "License Expired Notification"
        set action "License Expired Notification_ios-notification"
    next
end
Reboot
config system automation-action
    edit "Reboot_email"
        set action-type email
        set email-from ''
        set email-subject "Reboot"
        set minimum-interval 0
        set delay 0
        set required disable
        set message "%%log%%"
    next
end
config system automation-trigger
    edit "Reboot"
        set trigger-type event-based
        set event-type reboot
    next
end
config system automation-stitch
    edit "Reboot"
        set status disable
        set trigger "Reboot"
        set action "Reboot_email"
    next
end
Security rating
config system automation-action
    edit "Security Rating Notification_ios-notification"
        set action-type ios-notification
        set minimum-interval 0
        set delay 0
        set required disable
    next
end
config system automation-trigger
    edit "Security Rating Notification"
        set trigger-type event-based
        set event-type security-rating-summary
        set report-type PostureReport
    next
end
config system automation-stitch
    edit "Security Rating Notification"
        set status enable
        set trigger "Security Rating Notification"
        set action "Security Rating Notification_ios-notification"
    next
end