Webhook action
The webhook automation stitch action makes HTTP and HTTPS requests to a specified server, with custom headers, bodies, ports, and methods. It can be used to leverage the ubiquity of HTML requests and APIs to integrate with other tools.
The URI and HTTP body can use parameters from logs or previous action results. Wrapping the parameter with %% will replace the expression with the JSON value for the parameter, for example: %%results.source%% is the source property from the previous action. |
In this example, a specific log message (failed administrator log in attempt) triggers the FortiGate to send the contents of the log to a server. The server responds with a generic reply. This example assumes that the server is already configured and able to communicate with the FortiGate.
To configure the webhook automation stitch in the GUI:
- Go to Security Fabric > Automation and click Create New.
- Enter the stitch name (badLogin).
- Configure the trigger:
- Click Add Trigger.
- Click Create and select FortiOS Event Log.
- Enter the following:
Name
badLogin
Event
Admin login failed
- Click OK.
- Select the trigger in the list and click Apply.
- Configure the automation stitch action:
- Click Add Action.
- Click Create and select Webhook.
- Enter the following:
Name
Send Log To Server
Protocol
HTTP
URL
172.16.200.44
Custom port
Enable and enter 80
Method
POST
HTTP body
%%log%%
HTTP header
Header : 1st Action
- Click OK.
- Select the action in the list and click Apply.
- Click OK.
To configure the webhook automation stitch in the CLI:
- Create an automation trigger:
config system automation-trigger edit "badLogin" set event-type event-log set logid 32002 next end
- Create the automation action:
config system automation-action edit "Send Log To Server" set action-type webhook set uri "172.16.200.44" set http-body "%%log%%" set port 80 set headers "Header:1st Action" next end
- Create the automation stitch:
config system automation-stitch edit "badLogin" set trigger "badLogin" config actions edit 1 set action "Send Log To Server" set required enable next end next end
To test the automation stitch:
- Attempt to log in to the FortiGate with an incorrect username or password.
- On the server, check the log to see that its contents were sent by the FortiGate.
The body content is replaced with the log from the trigger.
- On the FortiGate, go to Log & Report > Events and select System Events to confirm that the stitch was activated.
- Go to Security Fabric > Automation to see the last time that the stitch was triggered.
Diagnose commands
To enable log dumping:
# diagnose test application autod 1 autod dumped total:1 logs, num of logids:1 autod log dumping is enabled vdom:root(0) logid:32002 len:408 log: date=2019-05-30 time=17:41:03 logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1559263263858888451 tz="-0700" logdesc="Admin login failed" sn="0" user="admin" ui="http(10.6.30.254)" method="http" srcip=10.6.30.254 dstip=10.6.30.5 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from http(10.6.30.254) because of invalid password" autod log dumping is disabled autod logs dumping summary: logid:32002 count:1 autod dumped total:1 logs, num of logids:1
To show the automation settings:
# diagnose test application autod 2 csf: enabled root:yes total stitches activated: 2 stitch: badLogin destinations: all trigger: badLogin local hit: 6 relayed to: 6 relayed from: 6 actions: Send Log To Server type:webhook interval:0 delay:0 required:no proto:0 method:0 port:80 uri: 172.16.200.44 http body: %%log%% headers: 0. Header:1st Action
To show the automation statistics:
# diagnose test application autod 3 stitch: badLogin local hit: 1 relayed to: 1 relayed from: 1 last trigger:Wed Jul 10 12:14:14 2019 last relay:Wed Jul 10 12:14:14 2019 actions: Send Log To Server: done: 1 relayed to: 1 relayed from: 1 last trigger:Wed Jul 10 12:14:14 2019 last relay:Wed Jul 10 12:14:14 2019 logid2stitch mapping: id:32002 local hit: 3 relayed to: 3 relayed from: 3 badLogin action run cfg&stats: total:55 cur:0 done:55 drop:0 email: flags:10 stats: total:4 cur:0 done:4 drop:0 fortiexplorer-notification: flags:1 stats: total:0 cur:0 done:0 drop:0 alert: flags:0 stats: total:0 cur:0 done:0 drop:0 disable-ssid: flags:7 stats: total:0 cur:0 done:0 drop:0 quarantine: flags:7 stats: total:0 cur:0 done:0 drop:0 quarantine-forticlient: flags:4 stats: total:0 cur:0 done:0 drop:0 quarantine-nsx: flags:4 stats: total:0 cur:0 done:0 drop:0 ban-ip: flags:7 stats: total:0 cur:0 done:0 drop:0 aws-lambda: flags:11 stats: total:21 cur:0 done:21 drop:0 webhook: flags:11 stats: total:6 cur:0 done:6 drop:0 cli-script: flags:10 stats: total:4 cur:0 done:4 drop:0 azure-function: flags:11 stats: total:0 cur:0 done:0 drop:0 google-cloud-function: flags:11 stats: total:0 cur:0 done:0 drop:0 alicloud-function: flags:11 stats: total:20 cur:0 done:20 drop:0
To enable debug output and turn on automation debug messages for about 30 minutes:
# diagnose debug enable # diagnose debug application autod -1 __auto_generate_generic_curl_request()-358: Generating generic automation CURL request for action (Send Log To Server). __auto_generate_generic_curl_request()-406: Generic automation CURL request POST data for action (Send Log To Server): date=2019-05-30 time=16:44:43 logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1559259884209355090 tz="-0700" logdesc="Admin login failed" sn="0" user="admin" ui="http(10.6.30.254)" method="http" srcip=10.6.30.254 dstip=10.6.30.5 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from http(10.6.30.254) because of invalid password" __auto_generic_curl_request_close()-512: Generic CURL request response body from http://172.16.200.44: { "userId": 1, "id": 1, "title": "Test Response", "body": "ABCDEFGHIJKLMNOPQRSTUVWXYZ" }