Default automation stitches
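FortiOS includes a set of default automation stitches. Not all of them are active out of the box: in the CLI configurations below, only FortiAnalyzer Connection Down, License Expired Notification, and Security Rating Notification have status enable, while the others (including both quarantine stitches) have status disable and take no action until an administrator enables them. The default stitches are: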
- Compromised Host Quarantine
- Incoming Webhook Quarantine
- HA Failover
- Network Down
- Reboot
- FortiAnalyzer Connection Down
- License Expired Notification
- Security Rating Notification
To view and edit the automation stitches in the GUI, go to Security Fabric > Automation.
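CLI configurations
Each default stitch is built from three object types: one or more automation-action entries, an automation-trigger entry, and an automation-stitch entry that binds the trigger to the actions and carries the status setting.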
Compromised Host Quarantine
config system automation-action
edit "Compromised Host Quarantine_quarantine"
set action-type quarantine
set minimum-interval 0
set delay 0
set required disable
next
edit "Compromised Host Quarantine_quarantine-forticlient"
set action-type quarantine-forticlient
set minimum-interval 0
set delay 0
set required disable
next
end
config system automation-trigger
edit "Compromised Host Quarantine"
set trigger-type event-based
set event-type ioc
set ioc-level high
next
end
config system automation-stitch
edit "Compromised Host Quarantine"
set status disable
set trigger "Compromised Host Quarantine"
set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"
next
end
FortiAnalyzer Connection Down
config system automation-action
edit "FortiAnalyzer Connection Down_fortiexplorer-notification"
set action-type fortiexplorer-notification
set minimum-interval 0
set delay 0
set required disable
next
end
config system automation-trigger
edit "FortiAnalyzer Connection Down"
set trigger-type event-based
set event-type event-log
set logid 22902
next
end
config system automation-stitch
edit "FortiAnalyzer Connection Down"
set status enable
set trigger "FortiAnalyzer Connection Down"
set action "FortiAnalyzer Connection Down_fortiexplorer-notification"
next
end
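Network Down
The email action below lists an empty email-from and no email-to, as do the email actions for HA Failover and Reboot. Set the recipient (email-to) on the action before enabling the stitch.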
config system automation-action
edit "Network Down_email"
set action-type email
set email-from ''
set email-subject "Network Down"
set minimum-interval 0
set delay 0
set required disable
set message "%%log%%"
next
end
config system automation-trigger
edit "Network Down"
set trigger-type event-based
set event-type event-log
set logid 20099
config fields
edit 1
set name "status"
set value "DOWN"
next
end
next
end
config system automation-stitch
edit "Network Down"
set status disable
set trigger "Network Down"
set action "Network Down_email"
next
end
HA Failover
config system automation-action
edit "HA Failover_email"
set action-type email
set email-from ''
set email-subject "HA Failover"
set minimum-interval 0
set delay 0
set required disable
set message "%%log%%"
next
end
config system automation-trigger
edit "HA Failover"
set trigger-type event-based
set event-type ha-failover
next
end
config system automation-stitch
edit "HA Failover"
set status disable
set trigger "HA Failover"
set action "HA Failover_email"
next
end
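Incoming Webhook Quarantine
This stitch reuses the two quarantine actions defined for Compromised Host Quarantine; only the trigger differs. Because the trigger fires on an inbound webhook call rather than on an IOC detection, review which API administrators can call the webhook, and from which source addresses, before setting status enable.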
config system automation-action
edit "Compromised Host Quarantine_quarantine"
set action-type quarantine
set minimum-interval 0
set delay 0
set required disable
next
edit "Compromised Host Quarantine_quarantine-forticlient"
set action-type quarantine-forticlient
set minimum-interval 0
set delay 0
set required disable
next
end
config system automation-trigger
edit "Incoming Webhook Call"
set trigger-type event-based
set event-type incoming-webhook
next
end
config system automation-stitch
edit "Incoming Webhook Quarantine"
set status disable
set trigger "Incoming Webhook Call"
set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"
next
end
License Expired Notification
config system automation-action
edit "License Expired Notification_fortiexplorer-notification"
set action-type fortiexplorer-notification
set minimum-interval 0
set delay 0
set required disable
next
end
config system automation-trigger
edit "License Expired Notification"
set trigger-type event-based
set event-type license-near-expiry
set license-type any
next
end
config system automation-stitch
edit "License Expired Notification"
set status enable
set trigger "License Expired Notification"
set action "License Expired Notification_fortiexplorer-notification"
next
end
Reboot
config system automation-action
edit "Reboot_email"
set action-type email
set email-from ''
set email-subject "Reboot"
set minimum-interval 0
set delay 0
set required disable
set message "%%log%%"
next
end
config system automation-trigger
edit "Reboot"
set trigger-type event-based
set event-type reboot
next
end
config system automation-stitch
edit "Reboot"
set status disable
set trigger "Reboot"
set action "Reboot_email"
next
end
Security Rating Notification
config system automation-action
edit "Security Rating Notification_fortiexplorer-notification"
set action-type fortiexplorer-notification
set minimum-interval 0
set delay 0
set required disable
next
end
config system automation-trigger
edit "Security Rating Notification"
set trigger-type event-based
set event-type security-rating-summary
set report-type posture
next
end
config system automation-stitch
edit "Security Rating Notification"
set status enable
set trigger "Security Rating Notification"
set action "Security Rating Notification_fortiexplorer-notification"
next
end