Administration Guide

Fabric connector event trigger

With the Fabric Connector Event trigger, any supported Fabric connector is able to trigger an automation stitch on the FortiGate based on a specific event defined on the Fabric connector. Currently, only FortiDeceptor 4.1 supports this trigger for the Insider Threat, Notify Ban, and Notify Unban events.

In the following example, an authorized FortiDeceptor in the Security Fabric deploys a decoy called ubuntu16 configured with SSH, SAMBA, HTTP, and HTTPS services.

This example assumes the Security Fabric is already configured. Refer to Configuring the root FortiGate and downstream FortiGates and FortiDeceptor for detailed configuration steps. On the root FortiGate, the Allow downstream device REST API access option must be enabled (set downstream-access enable). The minimum permission required for the selected Administrator profile is Read/Write for User & Device (set authgrp read-write).

Three stitches are configured, one for each FortiDeceptor trigger type:

Stitch name            Fabric connector event trigger   Actions
fortideceptor_threat   Insider threat                   Email and IP ban
fortideceptor_ban      Notify ban                       Email and IP ban
fortideceptor_unban    Notify unban                     Email and CLI script

To configure stitches with the Fabric connector event trigger in the GUI:
  1. Configure the triggers:

    1. Go to Security Fabric > Automation, select the Trigger tab, and click Create New.

    2. In the Security Fabric section, click Fabric Connector Event and enter the following:

      Name          fdc_Insider_Threat
      Description   Insider_Threat
      Connector     Select the FortiDeceptor connector
      Event Name    Insider Threat

    3. Click OK.

    4. Repeat these steps to create two more triggers with the following settings:

      Name          fdc_Notify_Ban
      Description   Notify_Ban
      Connector     Select the FortiDeceptor connector
      Event Name    Notify Ban

      Name          fdc_Notify_Unban
      Description   Notify_Unban
      Connector     Select the FortiDeceptor connector
      Event Name    Notify Unban

  2. Configure the actions:

    1. Go to Security Fabric > Automation, select the Action tab, and click Create New.

    2. In the Security Response section, click IP Ban and enter the following:

      Name       fdc_ban-ip
      Delay      5
      Required   Enable

    3. Click OK.

    4. Repeat these steps to create an Email (in the Notifications section) and a CLI Script (in the General section) action with the following settings:

      Email
      Name      email_log
      To        Enter an email address
      Subject   CSF stitch alert

      CLI Script
      Name                    fdc_unban
      Delay                   5
      Required                Enable
      Script                  diagnose user quarantine delete src4 %%log.srcip%%
      Administrator profile   super_admin

  3. Configure the fortideceptor_threat stitch:

    1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.

    2. Enter the name, fortideceptor_threat.

    3. Click Add Trigger. Select fdc_Insider_Threat and click Apply.

    4. Click Add Action. Select email_log and click Apply.

    5. Click Add Action. Select fdc_ban-ip and click Apply.

    6. Click OK.

  4. Configure the fortideceptor_ban stitch:

    1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.

    2. Enter the name, fortideceptor_ban.

    3. Click Add Trigger. Select fdc_Notify_Ban and click Apply.

    4. Click Add Action. Select email_log and click Apply.

    5. Click Add Action. Select fdc_ban-ip and click Apply.

    6. Click OK.

  5. Configure the fortideceptor_unban stitch:

    1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.

    2. Enter the name, fortideceptor_unban.

    3. Click Add Trigger. Select fdc_Notify_Unban and click Apply.

    4. Click Add Action. Select email_log and click Apply.

    5. Click Add Action. Select fdc_unban and click Apply.

    6. Click OK.

To configure stitches with the Fabric connector event trigger in the CLI:
  1. Configure the triggers:
    config system automation-trigger
        edit "fdc_Insider_Threat"
            set description "Insider_Threat"
            set event-type fabric-event
            set serial "FDC-VMTM210000**"
            set fabric-event-name "insider_threat"
        next
        edit "fdc_Notify_Ban"
            set description "Notify_Ban"
            set event-type fabric-event
            set serial "FDC-VMTM210000**"
            set fabric-event-name "notify_ban"
        next
        edit "fdc_Notify_Unban"
            set description "Notify_Unban"
            set event-type fabric-event
            set serial "FDC-VMTM210000**"
            set fabric-event-name "notify_unban"
        next
    end
  2. Configure the actions:
    config system automation-action
        edit "fdc_ban-ip"
            set action-type ban-ip
            set delay 5
            set required enable
        next
        edit "fdc_unban"
            set action-type cli-script
            set script "diagnose user quarantine delete src4 %%log.srcip%%"
            set accprofile "super_admin"
            set delay 5
            set required enable
        next
        edit "email_log"
            set action-type email
            set email-to "*******@fortinet.com"
            set email-subject "CSF stitch alert"
        next
    end
  3. Configure the stitches:
    config system automation-stitch
        edit "fortideceptor_threat"
            set trigger "fdc_Insider_Threat"
            set action "email_log" "fdc_ban-ip"
        next
        edit "fortideceptor_ban"
            set trigger "fdc_Notify_Ban"
            set action "email_log" "fdc_ban-ip"
        next
        edit "fortideceptor_unban"
            set trigger "fdc_Notify_Unban"
            set action "email_log" "fdc_unban"
        next
    end
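The three CLI blocks above refer to each other by name, so the references can be checked offline before the configuration is applied. The following Python sketch is an added example, not Fortinet code: `parse_fortios` and `audit_stitches` are hypothetical helper names, and the sample is constructed from this page's CLI with the trigger block and the `email_log` action deliberately left out. It reports stitch references that are not defined and the administrator profile each CLI script action runs under.

```python
import shlex

def parse_fortios(text):
    """Parse flat config/edit/set blocks into {section: {entry: {key: [values]}}}."""
    tree, section, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            section = tree.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            entry = None
    return tree

def audit_stitches(tree):
    """Report undefined references and the profile each CLI script runs under."""
    findings = []
    for name, stitch in tree.get("system automation-stitch", {}).items():
        for kind in ("trigger", "action"):
            defined = tree.get(f"system automation-{kind}", {})
            for ref in stitch.get(kind, []):
                if ref not in defined:
                    findings.append(f"{name}: {kind} {ref!r} is not defined")
                elif defined[ref].get("action-type") == ["cli-script"]:
                    prof = defined[ref].get("accprofile", ["<unset>"])[0]
                    findings.append(f"{name}: CLI script {ref!r} runs as profile {prof!r}")
    return findings

# Constructed sample: trigger block and email_log action are deliberately missing.
SAMPLE = '''
config system automation-action
    edit "fdc_unban"
        set action-type cli-script
        set accprofile "super_admin"
    next
end
config system automation-stitch
    edit "fortideceptor_unban"
        set trigger "fdc_Notify_Unban"
        set action "email_log" "fdc_unban"
    next
end
'''
print("\n".join(audit_stitches(parse_fortios(SAMPLE))))
```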

Verification

A device with IP 172.16.200.33 uses SSH to access the decoy (ubuntu16) deployed in the FortiDeceptor. The FortiDeceptor will detect the attacker IP 172.16.200.33, automatically quarantine it, and send the insider threat notification to the FortiGate. This notification will trigger the fortideceptor_threat stitch due to the insider threat event trigger, so an email alert is sent and the attacker IP (172.16.200.33) is banned.

In FortiDeceptor, if the attacker IP (172.16.200.33) is manually blocked or unblocked, the FortiDeceptor will send out the internal block or unblock notification to FortiGate (see Quarantine Status for more details). This notification will trigger the fortideceptor_ban or fortideceptor_unban stitch due to the notify ban or unban event trigger. An email alert is sent, and based on the event, the IP is banned or the CLI script runs to unban the IP.

To view the quarantine details in FortiDeceptor:
  1. Go to Fabric > Quarantine Status.
    1. Automatic quarantine:

    2. Manual block or unblock:

To confirm that the stitch was triggered in the FortiOS GUI:
  1. Go to Security Fabric > Automation and select the Stitch tab.
    1. Triggered insider threat:

    2. Triggered notify ban or unban:

To view the quarantined IP details in the FortiOS CLI:
# diagnose user quarantine list
src-ip-addr       created                  expires                  cause
172.16.200.33     Wed Jan  5 15:57:41 2022 indefinite               Administrative

If the IP is unbanned by the stitch, the list will be empty:

# diagnose user quarantine list
src-ip-addr       created                  expires                  cause
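To script the same check, the output has to be parsed by column position: the created timestamp pads a single-digit day with an extra space, so splitting on whitespace or on runs of spaces misplaces the fields. The following Python sketch is an added example, not Fortinet code: `parse_quarantine_list` and `is_quarantined` are hypothetical helper names, the two samples are the outputs shown on this page, and it assumes every row is aligned to the header columns as in those samples.

```python
import ipaddress

def parse_quarantine_list(output):
    """Parse `diagnose user quarantine list` output into a list of row dicts."""
    # Drop blank lines and the echoed "# diagnose ..." prompt line.
    lines = [l for l in output.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    if not lines:
        return []
    header = lines[0]
    names = header.split()
    # Column boundaries come from where each header word starts.
    starts = [header.index(n) for n in names]
    ends = starts[1:] + [None]
    rows = []
    for line in lines[1:]:
        row = {n: line[s:e].strip() for n, s, e in zip(names, starts, ends)}
        ipaddress.ip_address(row["src-ip-addr"])  # ValueError on a misaligned row
        rows.append(row)
    return rows

def is_quarantined(output, ip):
    """True if ip appears in the quarantine list output."""
    target = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(r["src-ip-addr"]) == target
               for r in parse_quarantine_list(output))

# Sample outputs taken from this page: after the ban, and after the unban stitch.
BANNED = """# diagnose user quarantine list
src-ip-addr       created                  expires                  cause
172.16.200.33     Wed Jan  5 15:57:41 2022 indefinite               Administrative
"""
EMPTY = """# diagnose user quarantine list
src-ip-addr       created                  expires                  cause
"""

print(parse_quarantine_list(BANNED))
print(is_quarantined(BANNED, "172.16.200.33"), is_quarantined(EMPTY, "172.16.200.33"))
```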
