Fortinet black logo

New Features

Add new automation triggers for event logs

Copy Link
Copy Doc ID 77966226-6996-11ec-bdf2-fa163e15d75b:733368
Download PDF

Add new automation triggers for event logs

Six new automation triggers have been added based on event log categories:

  • Anomaly logs
  • IPS logs
  • SSH logs
  • Traffic violations
  • Virus logs
  • Web filter violations

When multi VDOM mode is enabled, individual VDOMs can be specified so that the trigger is only applied to those VDOMs.

config system automation-trigger
    edit <name>
        set event-type {ips-logs | anomaly-logs | virus-logs | ssh-logs | webfilter-violation | traffic-violation}
        set vdom <name>
    next
end

Example

In this example, an automation stitch is created that uses an anomaly logs trigger and an email notification action. The trigger specifies which VDOMs should be used. There is a three-second delay between the trigger and action.

To configure an automation stitch with the anomaly logs trigger in the GUI:
  1. Configure the trigger:
    1. Go to Security Fabric > Automation, select the Trigger tab, and click Create New.

    2. In the Event Log Category section, click Anomaly Logs.

    3. Enter a name (anomaly-logs) and add the required VDOMs (root, vdom-nat, vdom-tp).

    4. Click OK.

  2. Configure the action:
    1. Go to Security Fabric > Automation, select the Action tab, and click Create New.

    2. In the Notifications section, click Email and enter the following:

      Name

      email_default_rep_message

      To

      Enter an email address

      Subject

      CSF stitch alert

      Replacement message

      Enable

    3. Click OK.

  3. Configure the stitch:
    1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.

    2. Enter the name, anomaly-logs-stitch.

    3. Click Add Trigger. Select anomaly-logs and click Apply.

    4. Click Add Action. Select email_default_rep_message and click Apply.

    5. Click Add delay (between the trigger and action). Enter 3 and click OK.

    6. Click OK.

To configure an automation stitch with the anomaly logs trigger in the CLI:
  1. Configure the trigger:
    config system automation-trigger
        edit "anomaly-logs"
            set event-type anomaly-logs
            set vdom "root" "vdom-nat" "vdom-tp"
        next
    end
  2. Configure the action:
    config system automation-action
        edit "email_default_rep_message"
            set action-type email
            set email-to "admin@fortinet.com"
            set email-subject "CSF stitch alert"
            set replacement-message enable
        next
    end
  3. Configure the stitch:
    config system automation-stitch
        edit "anomaly-logs-stitch"
            set description "anomaly-logs"
            set trigger "anomaly-logs"
            config actions
                edit 1
                    set action "email_default_rep_message"
                    set delay 3
                    set required enable
                next
            end
        next
    end

Verification

Once the anomaly log is generated, the automation stitch is triggered end the email notification is sent.

To confirm that the stitch was triggered in the GUI:
  1. Go to Security Fabric > Automation and select the Stitch tab.
  2. Verify the Last Triggered column.
To confirm that the stitch was triggered in the CLI:
# diagnose test application autod 2
...
stitch: anomaly-logs-stitch
        destinations: all
        trigger: anomaly-logs
                type:anomaly logs

                field ids:
                        (id:6)vd=root,vdom-nat,vdom-tp

        local hit: 1 relayed to: 0 relayed from: 0
        actions:
                email_default_rep_message type:email interval:0
                        delay:3 required:yes
                        subject: CSF stitch alert
                        body: %%log%%
                        sender:
                        mailto:admin@fortinet.com;

Add new automation triggers for event logs

Six new automation triggers have been added based on event log categories:

  • Anomaly logs
  • IPS logs
  • SSH logs
  • Traffic violations
  • Virus logs
  • Web filter violations

When multi VDOM mode is enabled, individual VDOMs can be specified so that the trigger is only applied to those VDOMs.

config system automation-trigger
    edit <name>
        set event-type {ips-logs | anomaly-logs | virus-logs | ssh-logs | webfilter-violation | traffic-violation}
        set vdom <name>
    next
end

Example

In this example, an automation stitch is created that uses an anomaly logs trigger and an email notification action. The trigger specifies which VDOMs should be used. There is a three-second delay between the trigger and action.

To configure an automation stitch with the anomaly logs trigger in the GUI:
  1. Configure the trigger:
    1. Go to Security Fabric > Automation, select the Trigger tab, and click Create New.

    2. In the Event Log Category section, click Anomaly Logs.

    3. Enter a name (anomaly-logs) and add the required VDOMs (root, vdom-nat, vdom-tp).

    4. Click OK.

  2. Configure the action:
    1. Go to Security Fabric > Automation, select the Action tab, and click Create New.

    2. In the Notifications section, click Email and enter the following:

      Name

      email_default_rep_message

      To

      Enter an email address

      Subject

      CSF stitch alert

      Replacement message

      Enable

    3. Click OK.

  3. Configure the stitch:
    1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.

    2. Enter the name, anomaly-logs-stitch.

    3. Click Add Trigger. Select anomaly-logs and click Apply.

    4. Click Add Action. Select email_default_rep_message and click Apply.

    5. Click Add delay (between the trigger and action). Enter 3 and click OK.

    6. Click OK.

To configure an automation stitch with the anomaly logs trigger in the CLI:
  1. Configure the trigger:
    config system automation-trigger
        edit "anomaly-logs"
            set event-type anomaly-logs
            set vdom "root" "vdom-nat" "vdom-tp"
        next
    end
  2. Configure the action:
    config system automation-action
        edit "email_default_rep_message"
            set action-type email
            set email-to "admin@fortinet.com"
            set email-subject "CSF stitch alert"
            set replacement-message enable
        next
    end
  3. Configure the stitch:
    config system automation-stitch
        edit "anomaly-logs-stitch"
            set description "anomaly-logs"
            set trigger "anomaly-logs"
            config actions
                edit 1
                    set action "email_default_rep_message"
                    set delay 3
                    set required enable
                next
            end
        next
    end

Verification

Once the anomaly log is generated, the automation stitch is triggered end the email notification is sent.

To confirm that the stitch was triggered in the GUI:
  1. Go to Security Fabric > Automation and select the Stitch tab.
  2. Verify the Last Triggered column.
To confirm that the stitch was triggered in the CLI:
# diagnose test application autod 2
...
stitch: anomaly-logs-stitch
        destinations: all
        trigger: anomaly-logs
                type:anomaly logs

                field ids:
                        (id:6)vd=root,vdom-nat,vdom-tp

        local hit: 1 relayed to: 0 relayed from: 0
        actions:
                email_default_rep_message type:email interval:0
                        delay:3 required:yes
                        subject: CSF stitch alert
                        body: %%log%%
                        sender:
                        mailto:admin@fortinet.com;