Fabric connector event trigger

With the Fabric Connector Event trigger, any supported Fabric connector is able to trigger an automation stitch on the FortiGate based on a specific event defined on the Fabric connector. Currently, only FortiDeceptor 4.1 supports this trigger for the Insider Threat, Notify Ban, and Notify Unban events.

In the following example, an authorized FortiDeceptor in the Security Fabric deploys a decoy called ubuntu16 configured with SSH, SAMBA, HTTP, and HTTPS services.

This example assumes the Security Fabric is already configured. Refer to Configuring the root FortiGate and downstream FortiGates and FortiDeceptor for detailed configuration steps. On the root FortiGate, the Allow downstream device REST API access option must be enabled (set downstream-access enable). The minimum permission required for the selected Administrator profile is Read/Write for User & Device (set authgrp read-write).

Three stitches are configured, one for each FortiDeceptor trigger type:

| Stitch name | Fabric connector event trigger | Actions |
| --- | --- | --- |
| fortideceptor_threat | Insider threat | Email and IP ban |
| fortideceptor_ban | Notify ban | Email and IP ban |
| fortideceptor_unban | Notify unban | Email and CLI script |

To configure stitches with the Fabric connector event trigger in the GUI:
  1. Configure the triggers:

    1. Go to Security Fabric > Automation, select the Trigger tab, and click Create New.

    2. In the Security Fabric section, click Fabric Connector Event and enter the following:

      | Field | Value |
      | --- | --- |
      | Name | fdc_Insider_Threat |
      | Description | Insider_Threat |
      | Connector | Select the FortiDeceptor connector |
      | Event Name | Insider Threat |

    3. Click OK.

    4. Repeat these steps to create two more triggers with the following settings:

      | Name | Description | Connector | Event Name |
      | --- | --- | --- | --- |
      | fdc_Notify_Ban | Notify_Ban | Select the FortiDeceptor connector | Notify Ban |
      | fdc_Notify_Unban | Notify_Unban | Select the FortiDeceptor connector | Notify Unban |

  2. Configure the actions:

    1. Go to Security Fabric > Automation, select the Action tab, and click Create New.

    2. In the Security Response section, click IP Ban and enter the name, fd