Administration Guide

Default automation stitches

The Automation menu contains eight webhook automation stitches, including an Incoming Webhook Quarantine trigger for API calls to the FortiGate, as well as a predefined License Expired Notification that replaces the existing license expiry alerts.

The automation stitches are available in new FortiGate installations and after upgrading from previous versions.

The following default stitches are included in the Automation menu:

  • Compromised Host Quarantine
  • Incoming Webhook Quarantine
  • HA Failover
  • Network Down
  • Reboot
  • FortiAnalyzer Connection Down
  • License Expired Notification
  • Security Rating Notification

To view the CLI configurations for the new automation stitches, see CLI configuration. To view the automation stitches in the GUI, go to Security Fabric > Automation.

Triggering a stitch example

To trigger an Incoming Webhook Quarantine stitch in the GUI:
  1. Create a new API user:
    1. Go to System > Administrators.
    2. Click Create New > REST API Admin.
    3. Configure the New REST API Admin settings, and record the API key.

  2. Get the sample cURL request:
    1. Go to Security Fabric > Automation.
    2. Under Incoming Webhook, right-click Incoming Webhook Quarantine, and select Edit.
    3. Click Enabled to enable the rule.
    4. In the API admin key field, enter the API key you recorded in the previous step. A Sample cURL request is created.
    5. Copy the Sample cURL request.

  3. Execute the request:
    1. Edit the sample cURL request you copied in the previous step.
    2. Add the "mac" and "fctuid" parameters to the data field, and then execute the request.

    root@pc:~# curl -k -X POST -H 'Authorization: Bearer cfgtct1mmx3fQxr4khb994p7swdfmk' --data '{ "mac":"0c:0a:00:0c:ce:b0", "fctuid": "0000BB0B0ABD0D00B0D0A0B0E0F0B00B"}' https://172.16.116.226/api/v2/monitor/system/automation-stitch/webhook/Incoming%20Webhook%20Quarantine
    {
      "http_method":"POST",
      "status":"success",
      "http_status":200,
      "serial":"FGT00E0Q00000000",
      "version":"v6.4.0",
      "build":1545
    }

    Note: Encode spaces in the automation-stitch name with %20. For example, Incoming%20Webhook%20Quarantine.

    The automation rule Incoming Webhook Quarantine is triggered. The MAC address is quarantined in FortiGate and an event log is created. The FortiClient UUID is quarantined by EMS on the server side.
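The cURL call above, rebuilt as a small Python helper. This is an added example, not Fortinet's own tooling or the Sample cURL request the GUI generates. It validates the "mac" and "fctuid" values before they are sent, percent-encodes the stitch name as the note requires, and, unlike the `-k` flag in the page's cURL line, verifies the FortiGate's TLS certificate when it actually sends (pass the CA file that signed the FortiGate's certificate). The host, API key, MAC and FortiClient UUID in the `__main__` block are constructed placeholders.

```python
"""Build, check and (optionally) send an incoming-webhook call to a
FortiGate automation stitch.  Added example, not Fortinet code."""
import json
import re
import ssl
import urllib.request
from urllib.parse import quote

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
FCTUID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")   # FortiClient UUID: 32 hex chars


def build_webhook_request(host, stitch_name, api_key, mac, fctuid):
    """Return (url, headers, body) for the automation-stitch webhook endpoint.

    Spaces in the stitch name must be sent as %20 (see the page's note);
    quote(..., safe="") encodes every non-URL-safe character, so the name
    'Incoming Webhook Quarantine' becomes 'Incoming%20Webhook%20Quarantine'.
    """
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    if not FCTUID_RE.match(fctuid):
        raise ValueError(f"invalid FortiClient UUID: {fctuid!r}")
    url = (f"https://{host}/api/v2/monitor/system/automation-stitch/webhook/"
           + quote(stitch_name, safe=""))
    headers = {"Authorization": f"Bearer {api_key}",
               "Content-Type": "application/json"}
    body = json.dumps({"mac": mac, "fctuid": fctuid})
    return url, headers, body


def curl_equivalent(url, headers, body):
    """Render the same request as a cURL command line (for comparison with
    the GUI's Sample cURL request). Deliberately omits -k."""
    hdrs = " ".join(f"-H '{k}: {v}'" for k, v in headers.items())
    return f"curl -X POST {hdrs} --data '{body}' {url}"


def send_webhook(url, headers, body, cafile=None, timeout=10):
    """POST the request with certificate verification enabled.
    cafile: PEM bundle containing the CA that issued the FortiGate's
    certificate (assumption: you have one; None uses the system store)."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body.encode(), headers=headers,
                                 method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode()


def response_ok(raw):
    """True when the FortiGate JSON reply reports a successful trigger."""
    reply = json.loads(raw)
    return reply.get("status") == "success" and reply.get("http_status") == 200


if __name__ == "__main__":
    # Constructed placeholder values; replace with your FortiGate's.
    url, headers, body = build_webhook_request(
        "192.0.2.1", "Incoming Webhook Quarantine", "EXAMPLE_API_KEY",
        "0c:0a:00:0c:ce:b0", "0000BB0B0ABD0D00B0D0A0B0E0F0B00B")
    print(curl_equivalent(url, headers, body))
    # The reply shape the page shows, used here without a live FortiGate.
    sample_reply = ('{"http_method":"POST","status":"success","http_status":200,'
                    '"serial":"FGT00E0Q00000000","version":"v6.4.0","build":1545}')
    print("triggered:", response_ok(sample_reply))
```

The REST API admin created in step 1 should be restricted by trusthost to the host that will call the webhook, and the API key treated like any other credential: anyone who holds it can quarantine arbitrary MAC addresses on the FortiGate.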

To trigger an Incoming Webhook Quarantine stitch in the CLI:
  1. Create a new API user and record the API key:

    config system api-user
        edit "api"
            set api-key ENC SH00vqP0GKWKyZNz0FP0/jq00O0Ka/DHVEKdxUi+0kRDNKPpZppnnMk0KeunBI=
            set accprofile "api_profile"
            set vdom "root"
            config trusthost
                edit 1
                    set ipv4-trusthost 10.6.30.0 200.200.200.0
                next
            end
        next
    end

  2. Configure the automation stitch:

    config system automation-stitch
        edit "Incoming Webhook Quarantine"
            set status enable
            set trigger "Incoming Webhook Quarantine"
            set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"
        next
    end

  3. Add the "mac" and "fctuid" parameters to the data field, then execute the request from a device:

    root@pc56:~# curl -k -X POST -H 'Authorization: Bearer cfgtct1mmx0fQxr4khb000p70wdfmk' --data '{ "mac":"0c:0a:00:0c:ce:b0", "fctuid": "3000BB0B0ABD0D00B0D0A0B0E0F0B00B"}' https://100.10.100.200/api/v2/monitor/system/automation-stitch/webhook/Incoming%20Webhook%20Quarantine
    {
      "http_method":"POST",
      "status":"success",
      "http_status":200,
      "serial":"FGT80E0Q00000000",
      "version":"v6.4.0",
      "build":1545
    }

    Note: Encode spaces in the automation-stitch name with %20. For example, Incoming%20Webhook%20Quarantine.

    The automation rule Incoming Webhook Quarantine is triggered. The MAC address is quarantined in FortiGate, and an event log is created. The FortiClient UUID will be quarantined on the EMS server side.

    config user quarantine
        config targets
            edit "0c:0a:00:0c:ce:b0"
                config macs
                    edit 0c:0a:00:0c:ce:b0
                        set description "Quarantined by automation stitch: Incoming Webhook Quarantine"
                    next
                end
            next
        end
    end

    date=2020-02-14 time=15:37:48 logid="0100046600" type="event" subtype="system" level="notice" vd="root" eventtime=1581723468644200712 tz="-0800" logdesc="Automation stitch triggered" stitch="Incoming Webhook Quarantine" trigger="Incoming Webhook Quarantine" stitchaction="Compromised Host Quarantine_quarantine,Compromised Host Quarantine_quarantine-forticlient" from="log" msg="stitch:Incoming Webhook Quarantine is triggered."
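The event log line above is what a SOC would watch to confirm that a webhook-triggered quarantine actually fired, and to audit who is driving the stitch. As an added example (not Fortinet code), the following Python parses FortiGate key=value event logs and extracts stitch-trigger events. The first sample line is the log shown on the page; the second is a constructed, unrelated event with a placeholder logid, included so the filter has something to reject.

```python
"""Extract automation-stitch trigger events from FortiGate event logs.
Added example, not Fortinet code."""
import re

# key=value pairs: the value is either "quoted" (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_LOGS = [
    # Log line from the page (stitch triggered by the incoming webhook).
    'date=2020-02-14 time=15:37:48 logid="0100046600" type="event" subtype="system" '
    'level="notice" vd="root" eventtime=1581723468644200712 tz="-0800" '
    'logdesc="Automation stitch triggered" stitch="Incoming Webhook Quarantine" '
    'trigger="Incoming Webhook Quarantine" '
    'stitchaction="Compromised Host Quarantine_quarantine,Compromised Host Quarantine_quarantine-forticlient" '
    'from="log" msg="stitch:Incoming Webhook Quarantine is triggered."',
    # Constructed line (placeholder logid), not from the page.
    'date=2020-02-14 time=15:40:01 logid="0000000000" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Constructed unrelated event" msg="nothing to see"',
]


def parse_fortigate_log(line):
    """Turn one key=value log line into a dict of strings."""
    rec = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        rec[key] = quoted if quoted is not None else bare
    return rec


def stitch_triggers(lines):
    """Return [(stitch, trigger, [actions]), ...] for every
    'Automation stitch triggered' event in the input."""
    found = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("logdesc") != "Automation stitch triggered":
            continue
        # stitchaction is a comma-separated list of automation-action names.
        actions = [a for a in rec.get("stitchaction", "").split(",") if a]
        found.append((rec.get("stitch", ""), rec.get("trigger", ""), actions))
    return found


if __name__ == "__main__":
    for stitch, trigger, actions in stitch_triggers(SAMPLE_LOGS):
        print(f"stitch={stitch!r} trigger={trigger!r} actions={actions}")
```

Pairing these events with the REST API access logs for the API admin gives a complete audit trail: which caller invoked the webhook, and which quarantine actions the FortiGate executed as a result.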

CLI configuration

Compromised host

config system automation-action
    edit "Compromised Host Quarantine_quarantine"
        set action-type quarantine
        set minimum-interval 0
        set delay 0
        set required disable
    next
    edit "Compromised Host Quarantine_quarantine-forticlient"
        set action-type quarantine-forticlient
        set minimum-interval 0
        set delay 0
        set required disable
    next
end

config system automation-trigger
    edit "Compromised Host Quarantine"
        set trigger-type event-based
        set event-type ioc
        set ioc-level high
    next
end

config system automation-stitch
    edit "Compromised Host Quarantine"
        set status disable
        set trigger "Compromised Host Quarantine"
        set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"
    next
end

FortiAnalyzer connection down

config system automation-action
    edit "FortiAnalyzer Connection Down_ios-notification"
        set action-type ios-notification
        set minimum-interval 0
        set delay 0
        set required disable
    next
end

config system automation-trigger
    edit "FortiAnalyzer Connection Down"
        set trigger-type event-based
        set event-type event-log
        set logid 22902
    next
end

config system automation-stitch
    edit "FortiAnalyzer Connection Down"
        set status enable
        set trigger "FortiAnalyzer Connection Down"
        set action "FortiAnalyzer Connection Down_ios-notification"
    next
end

Network down

config system automation-action
    edit "Network Down_email"
        set action-type email
        set email-from ''
        set email-subject "Network Down"
        set minimum-interval 0
        set delay 0
        set required disable
        set message "%%log%%"
    next
end

config system automation-trigger
    edit "Network Down"
        set trigger-type event-based
        set event-type event-log
        set logid 20099
        config fields
            edit 1
                set name "status"
                set value "DOWN"
            next
        end
    next
end

config system automation-stitch
    edit "Network Down"
        set status disable
        set trigger "Network Down"
        set action "Network Down_email"
    next
end

HA failover

config system automation-action
    edit "HA Failover_email"
        set action-type email
        set email-from ''
        set email-subject "HA Failover"
        set minimum-interval 0
        set delay 0
        set required disable
        set message "%%log%%"
    next
end

config system automation-trigger
    edit "HA Failover"
        set trigger-type event-based
        set event-type ha-failover
    next
end

config system automation-stitch
    edit "HA Failover"
        set status disable
        set trigger "HA Failover"
        set action "HA Failover_email"
    next
end

Incoming Webhook Quarantine

config system automation-action
    edit "Compromised Host Quarantine_quarantine"
        set action-type quarantine
        set minimum-interval 0
        set delay 0
        set required disable
    next
    edit "Compromised Host Quarantine_quarantine-forticlient"
        set action-type quarantine-forticlient
        set minimum-interval 0
        set delay 0
        set required disable
    next
end

config system automation-trigger
    edit "Incoming Webhook Call"
        set trigger-type event-based
        set event-type incoming-webhook
    next
end

config system automation-stitch
    edit "Incoming Webhook Quarantine"
        set status disable
        set trigger "Incoming Webhook Call"
        set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"
    next
end

License expired

config system automation-action
    edit "License Expired Notification_ios-notification"
        set action-type ios-notification
        set minimum-interval 0
        set delay 0
        set required disable
    next
end

config system automation-trigger
    edit "License Expired Notification"
        set trigger-type event-based
        set event-type license-near-expiry
        set license-type any
    next
end

config system automation-stitch
    edit "License Expired Notification"
        set status enable
        set trigger "License Expired Notification"
        set action "License Expired Notification_ios-notification"
    next
end

Reboot

config system automation-action
    edit "Reboot_email"
        set action-type email
        set email-from ''
        set email-subject "Reboot"
        set minimum-interval 0
        set delay 0
        set required disable
        set message "%%log%%"
    next
end

config system automation-trigger
    edit "Reboot"
        set trigger-type event-based
        set event-type reboot
    next
end

config system automation-stitch
    edit "Reboot"
        set status disable
        set trigger "Reboot"
        set action "Reboot_email"
    next
end

Security rating

config system automation-action
    edit "Security Rating Notification_ios-notification"
        set action-type ios-notification
        set minimum-interval 0
        set delay 0
        set required disable
    next
end

config system automation-trigger
    edit "Security Rating Notification"
        set trigger-type event-based
        set event-type security-rating-summary
        set report-type PostureReport
    next
end

config system automation-stitch
    edit "Security Rating Notification"
        set status enable
        set trigger "Security Rating Notification"
        set action "Security Rating Notification_ios-notification"
    next
end
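Several of the default stitches above ship with `set status disable` (Compromised Host Quarantine, Network Down, HA Failover, Incoming Webhook Quarantine, Reboot), so a FortiGate that appears to have IoC-based quarantine "configured" may not actually act on anything. As an added example (not Fortinet code), the following Python parses FortiOS-style `config` / `edit` / `set` / `next` / `end` text and reports each stitch's status, the event type of its trigger, and its actions, which is a quick way to audit a backed-up configuration. The embedded sample is a subset of the CLI configuration shown on this page.

```python
"""Audit FortiOS automation stitches from a saved configuration.
Added example, not Fortinet code."""
import shlex

# Subset of the CLI configuration from this page.
SAMPLE_CONFIG = """\
config system automation-trigger
    edit "Compromised Host Quarantine"
        set trigger-type event-based
        set event-type ioc
        set ioc-level high
    next
    edit "Network Down"
        set trigger-type event-based
        set event-type event-log
        set logid 20099
        config fields
            edit 1
                set name "status"
                set value "DOWN"
            next
        end
    next
    edit "License Expired Notification"
        set trigger-type event-based
        set event-type license-near-expiry
        set license-type any
    next
end
config system automation-stitch
    edit "Compromised Host Quarantine"
        set status disable
        set trigger "Compromised Host Quarantine"
        set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"
    next
    edit "Network Down"
        set status disable
        set trigger "Network Down"
        set action "Network Down_email"
    next
    edit "License Expired Notification"
        set status enable
        set trigger "License Expired Notification"
        set action "License Expired Notification_ios-notification"
    next
end
"""


def parse_fortios_config(text):
    """Return {table: {entry: {setting: [values], subtable: {...}}}}.

    'config' opens a table (top level, or a sub-table inside an entry),
    'edit' opens an entry, 'set' stores a setting as a list of values,
    'next' and 'end' close the current entry or table.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected keyword {kw!r} in {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit vs next/end")
    return root


def audit_stitches(config):
    """Map each stitch name to its status, trigger, event type and actions."""
    stitches = config.get("system automation-stitch", {})
    triggers = config.get("system automation-trigger", {})
    report = {}
    for name, entry in stitches.items():
        trigger_name = entry.get("trigger", [""])[0]
        trigger = triggers.get(trigger_name, {})
        report[name] = {
            "status": entry.get("status", ["disable"])[0],
            "trigger": trigger_name,
            "event_type": trigger.get("event-type", ["unknown"])[0],
            "actions": entry.get("action", []),
        }
    return report


if __name__ == "__main__":
    for name, info in audit_stitches(parse_fortios_config(SAMPLE_CONFIG)).items():
        flag = "" if info["status"] == "enable" else "  <-- disabled"
        print(f"{name}: event={info['event_type']} actions={info['actions']}{flag}")
```

Run it against the output of `show system automation-trigger` and `show system automation-stitch` from a configuration backup to see at a glance which response stitches are live.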