Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.2.1 Administration Guide
    7.2.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    FortiAnalyzer event handler trigger

    FortiAnalyzer event handler trigger

    You can trigger automation stitches based on FortiAnalyzer event handlers. This allows you to define rules based on complex correlations across devices, log types, frequencies, and other criteria.

    To set up a FortiAnalyzer event handler trigger:

    1. Configure a FortiGate event handler on the FortiAnalyzer
    2. Configure FortiAnalyzer logging on the FortiGate
    3. Configure an automation stitch that is triggered by a FortiAnalyzer event handler

    Configure a FortiGate event handler on the FortiAnalyzer

    On the FortiAnalyzer, configure an event handler for the automation stitch. In this example, the event handler is triggered when an administrator logs in to the FortiGate. See Creating a custom event handler in the FortiAnalyzer Administration Guide for more information.

    To configure an event handler on the FortiAnalyzer:
    1. Go to FortiSoC > Handlers > FortiGate Event Handlers, and click Create New.
    2. Configure an event handler with two conditions for the automation stitch:

      Log Type

      Event Log

      Log Subtype

      System

      Group By

      Device ID

      Logs match

      Any of the following conditions

      Log Field

      Level

      Match Criteria

      Equal To

      Value

      Information

      Log Field

      Action

      Match Criteria

      Equal To

      Value

      login

    3. Configure the other settings as needed.

    4. Click OK.

    Configure FortiAnalyzer logging on the FortiGate

    See Configuring FortiAnalyzer for more information.

    To configure FortiAnalyzer logging in the GUI:
    1. Go to Security Fabric > Fabric Connectors and double-click the FortiAnalyzer Logging card.
    2. Ensure the Status is Enabled, and configure the settings as needed.

    3. Click OK.
    To configure FortiAnalyzer logging in the CLI:
    config log fortianalyzer setting
    set status enable
    set server "10.6.30.250"
    set serial "FL-4HET000000000"
    set upload-option realtime
    set reliable enable
end

    Configure an automation stitch that is triggered by a FortiAnalyzer event handler

    When a FortiAnalyzer event handler is triggered, it sends a notification to the FortiGate automation framework, which generates a log and triggers the automation stitch.

    To configure an automation stitch that is triggered by a FortiAnalyzer event handler in the GUI:
    1. Go to Security Fabric > Automation and click Create New.
    2. Enter the stitch name, auto-faz-1.
    3. Configure the trigger:
      1. Click Add Trigger.
      2. Click Create and select FortiAnalyzer Event Handler.
      3. Enter the following:

        Name

        auto-faz-1

        Event handler name

        system-log-handler2

        Event severity

        Medium

        Event tag

        User login successful

      4. Click OK.
      5. Select the trigger in the list and click Apply.
    4. Configure the Email notification action:
      1. Click Add Action.
      2. Click Create and select Email.
      3. Enter the following:

        Name

        auto-faz-1_email

        To

        Enter an email address

        Subject

        CSF stitch alert

        Body

        User login FortiGate successfully.

      4. Click OK.
      5. Select the action in the list and click Apply.
    5. Click OK.
    To configure an automation stitch that is triggered by a FortiAnalyzer event handler in the CLI:
    1. Create an automation trigger:
      config system automation-trigger
    edit "auto-faz-1"
        set event-type faz-event
        set faz-event-name "system-log-handler2"
        set faz-event-severity "medium"
        set faz-event-tags "User log in successful"
    next
end
    2. Create an automation action:
      config system automation-action
    edit "auto-faz-1_email"
        set action-type email
        set email-to "admin@fortinet.com"
        set email-subject "CSF stitch alert"
        set message "User login FortiGate successfully."
    next
end
    3. Create the automation stitch:
      config system automation-stitch
    edit "auto-faz-1"
        set trigger "auto-faz-1"
        config actions
            edit 1
                set action "auto-faz-1_email"
                set required enable
            next
        end
    next
end

    View the trigger event log

    To view the trigger event log in the GUI:
    1. Log in to the FortiGate.

      The FortiAnalyzer sends a notification to the FortiGate automation framework, generates an event log on the FortiGate, and triggers the automation stitch.

    2. Go to Log & Report > System Events and select General System Events. From the log location dropdown, select FortiAnalyzer.
    To view the trigger event log in the CLI:
    # execute log display
    ...
    date=2019-02-05 time=14:16:17 logid="0100046600" type="event" subtype="system" level="notice" vd="root" eventtime=1549404977 logdesc="Automation stitch triggered" stitch="auto-faz-1" trigger="auto-faz-1" from="log" msg="stitch:auto-faz-1 is triggered."
    ...

    Sample email

    The email sent by the action will look similar to the following:

    Previous
    Next

    FortiAnalyzer event handler trigger

    FortiAnalyzer event handler trigger

    You can trigger automation stitches based on FortiAnalyzer event handlers. This allows you to define rules based on complex correlations across devices, log types, frequencies, and other criteria.

    To set up a FortiAnalyzer event handler trigger:

    1. Configure a FortiGate event handler on the FortiAnalyzer
    2. Configure FortiAnalyzer logging on the FortiGate
    3. Configure an automation stitch that is triggered by a FortiAnalyzer event handler

    Configure a FortiGate event handler on the FortiAnalyzer

    On the FortiAnalyzer, configure an event handler for the automation stitch. In this example, the event handler is triggered when an administrator logs in to the FortiGate. See Creating a custom event handler in the FortiAnalyzer Administration Guide for more information.

    To configure an event handler on the FortiAnalyzer:
    1. Go to FortiSoC > Handlers > FortiGate Event Handlers, and click Create New.
    2. Configure an event handler with two conditions for the automation stitch:

      Log Type

      Event Log

      Log Subtype

      System

      Group By

      Device ID

      Logs match

      Any of the following conditions

      Log Field

      Level

      Match Criteria

      Equal To

      Value

      Information

      Log Field

      Action

      Match Criteria

      Equal To

      Value

      login

    3. Configure the other settings as needed.

    4. Click OK.

    Configure FortiAnalyzer logging on the FortiGate

    See Configuring FortiAnalyzer for more information.

    To configure FortiAnalyzer logging in the GUI:
    1. Go to Security Fabric > Fabric Connectors and double-click the FortiAnalyzer Logging card.
    2. Ensure the Status is Enabled, and configure the settings as needed.

    3. Click OK.
    To configure FortiAnalyzer logging in the CLI:
    config log fortianalyzer setting
    set status enable
    set server "10.6.30.250"
    set serial "FL-4HET000000000"
    set upload-option realtime
    set reliable enable
end

    Configure an automation stitch that is triggered by a FortiAnalyzer event handler

    When a FortiAnalyzer event handler is triggered, it sends a notification to the FortiGate automation framework, which generates a log and triggers the automation stitch.

    To configure an automation stitch that is triggered by a FortiAnalyzer event handler in the GUI:
    1. Go to Security Fabric > Automation and click Create New.
    2. Enter the stitch name, auto-faz-1.
    3. Configure the trigger:
      1. Click Add Trigger.
      2. Click Create and select FortiAnalyzer Event Handler.
      3. Enter the following:

        Name

        auto-faz-1

        Event handler name

        system-log-handler2

        Event severity

        Medium

        Event tag

        User login successful

      4. Click OK.
      5. Select the trigger in the list and click Apply.
    4. Configure the Email notification action:
      1. Click Add Action.
      2. Click Create and select Email.
      3. Enter the following:

        Name

        auto-faz-1_email

        To

        Enter an email address

        Subject

        CSF stitch alert

        Body

        User login FortiGate successfully.

      4. Click OK.
      5. Select the action in the list and click Apply.
    5. Click OK.
    To configure an automation stitch that is triggered by a FortiAnalyzer event handler in the CLI:
    1. Create an automation trigger:
      config system automation-trigger
    edit "auto-faz-1"
        set event-type faz-event
        set faz-event-name "system-log-handler2"
        set faz-event-severity "medium"
        set faz-event-tags "User log in successful"
    next
end
    2. Create an automation action:
      config system automation-action
    edit "auto-faz-1_email"
        set action-type email
        set email-to "admin@fortinet.com"
        set email-subject "CSF stitch alert"
        set message "User login FortiGate successfully."
    next
end
    3. Create the automation stitch:
      config system automation-stitch
    edit "auto-faz-1"
        set trigger "auto-faz-1"
        config actions
            edit 1
                set action "auto-faz-1_email"
                set required enable
            next
        end
    next
end

    View the trigger event log

    To view the trigger event log in the GUI:
    1. Log in to the FortiGate.

      The FortiAnalyzer sends a notification to the FortiGate automation framework, generates an event log on the FortiGate, and triggers the automation stitch.

    2. Go to Log & Report > System Events and select General System Events. From the log location dropdown, select FortiAnalyzer.
    To view the trigger event log in the CLI:
    # execute log display
    ...
    date=2019-02-05 time=14:16:17 logid="0100046600" type="event" subtype="system" level="notice" vd="root" eventtime=1549404977 logdesc="Automation stitch triggered" stitch="auto-faz-1" trigger="auto-faz-1" from="log" msg="stitch:auto-faz-1 is triggered."
    ...

    Sample email

    The email sent by the action will look similar to the following:

    Previous
    Next