Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.2.4 Administration Guide
    7.2.4
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Actions

    Actions

    The following table outlines the available actions. Multiple actions can be added to an automation stitch. Actions can be reorganized in the Edit Automation Stitch page by dragging and dropping the actions in the diagram.

    Category

    Action

    Description

    Security Response

    		Access Layer Quarantine

    This option is only available for Compromised Host triggers.

    Quarantine the MAC address on access layer devices (FortiSwitch and FortiAP).

    		FortiClient Quarantine

    This option is only available for Compromised Host triggers.

    Use FortiClient EMS to block all traffic from the source addresses that are flagged as compromised hosts.

    Quarantined devices are flagged on the Security Fabric topology views. Go to the Dashboard > Users & Devices > Quarantine widget to view and manage quarantined IP addresses.

    FortiNAC Quarantine

    This option is only available for Compromised Host and Incoming Webhook triggers.

    Use FortiNAC to quarantine a client PC and disable its MAC address. See FortiNAC Quarantine action for details.

    		VMware NSX Security Tag

    This option is only available for Compromised Host triggers.

    If an endpoint instance in a VMware NSX environment is compromised, the configured security tag is assigned to the compromised endpoint. See VMware NSX security tag action and VMware NSX-T security tag action for details.

    		IP Ban

    This option is only available for Compromised Host triggers.

    Block all traffic from the source addresses flagged by the IoC.

    Go to the Dashboard > Users & Devices > Quarantine widget to view and manage quarantined IP addresses.

    Notifications

    		Email

    Send a custom email message to the selected recipients. At least one recipient and an email subject must be specified.

    The email body can use parameters from logs or previous action results. Wrapping the parameter with %% will replace the expression with the JSON value for the parameter, for example: %%results.source%% is the source property from the previous action.

    Replacement messages can be enabled in the email body to create branded email alerts. See Replacement messages for email alerts for details.

    		FortiExplorer Notification

    Send push notifications to FortiExplorer.

    The FortiGate must be registered to FortiCare on the mobile app that will receive the notification.

    Slack Notification

    Send a notification to a Slack channel. See Slack Notification action for details.

    Microsoft Teams Notification

    Send a notification to channels in Microsoft Teams. See Microsoft Teams Notification action for details.

    Cloud Compute

    		AWS Lambda

    Send log data to an integrated AWS service. See AWS Lambda action for details.

    		Azure Function

    Send log data to an Azure function. See Azure Function action for details.

    		Google Cloud Function

    Send log data to a Google Cloud function. See Google Cloud Function action for details.

    		AliCloud Function

    Send log data to an AliCloud function. See AliCloud Function action for details.

    General

    		CLI Script

    Run one or more CLI scripts. See CLI script action for details. See Execute a CLI script based on memory and CPU thresholds for an example.

    		Webhook

    Send an HTTP request using a REST callback. See Webhook action for details, and Slack integration webhook and Microsoft Teams integration webhook for examples.

    System Action

    Execute one of the following system actions: reboot, shut down, or back up the configuration. See System action for an example.

    Alert

    Generate a FortiOS dashboard alert.

    This option is only available in the CLI.

    Disable SSID

    Disable the SSID interface.

    This option is only available in the CLI.
    Previous
    Next

    Actions

    Actions

    The following table outlines the available actions. Multiple actions can be added to an automation stitch. Actions can be reorganized in the Edit Automation Stitch page by dragging and dropping the actions in the diagram.

    Category

    Action

    Description

    Security Response

    		Access Layer Quarantine

    This option is only available for Compromised Host triggers.

    Quarantine the MAC address on access layer devices (FortiSwitch and FortiAP).

    		FortiClient Quarantine

    This option is only available for Compromised Host triggers.

    Use FortiClient EMS to block all traffic from the source addresses that are flagged as compromised hosts.

    Quarantined devices are flagged on the Security Fabric topology views. Go to the Dashboard > Users & Devices > Quarantine widget to view and manage quarantined IP addresses.

    FortiNAC Quarantine

    This option is only available for Compromised Host and Incoming Webhook triggers.

    Use FortiNAC to quarantine a client PC and disable its MAC address. See FortiNAC Quarantine action for details.

    		VMware NSX Security Tag

    This option is only available for Compromised Host triggers.

    If an endpoint instance in a VMware NSX environment is compromised, the configured security tag is assigned to the compromised endpoint. See VMware NSX security tag action and VMware NSX-T security tag action for details.

    		IP Ban

    This option is only available for Compromised Host triggers.

    Block all traffic from the source addresses flagged by the IoC.

    Go to the Dashboard > Users & Devices > Quarantine widget to view and manage quarantined IP addresses.

    Notifications

    		Email

    Send a custom email message to the selected recipients. At least one recipient and an email subject must be specified.

    The email body can use parameters from logs or previous action results. Wrapping the parameter with %% will replace the expression with the JSON value for the parameter, for example: %%results.source%% is the source property from the previous action.

    Replacement messages can be enabled in the email body to create branded email alerts. See Replacement messages for email alerts for details.

    		FortiExplorer Notification

    Send push notifications to FortiExplorer.

    The FortiGate must be registered to FortiCare on the mobile app that will receive the notification.

    Slack Notification

    Send a notification to a Slack channel. See Slack Notification action for details.

    Microsoft Teams Notification

    Send a notification to channels in Microsoft Teams. See Microsoft Teams Notification action for details.

    Cloud Compute

    		AWS Lambda

    Send log data to an integrated AWS service. See AWS Lambda action for details.

    		Azure Function

    Send log data to an Azure function. See Azure Function action for details.

    		Google Cloud Function

    Send log data to a Google Cloud function. See Google Cloud Function action for details.

    		AliCloud Function

    Send log data to an AliCloud function. See AliCloud Function action for details.

    General

    		CLI Script

    Run one or more CLI scripts. See CLI script action for details. See Execute a CLI script based on memory and CPU thresholds for an example.

    		Webhook

    Send an HTTP request using a REST callback. See Webhook action for details, and Slack integration webhook and Microsoft Teams integration webhook for examples.

    System Action

    Execute one of the following system actions: reboot, shut down, or back up the configuration. See System action for an example.

    Alert

    Generate a FortiOS dashboard alert.

    This option is only available in the CLI.

    Disable SSID

    Disable the SSID interface.

    This option is only available in the CLI.
    Previous
    Next