
Administration Guide

Event log category triggers

There are six automation triggers based on event log categories:

  • Anomaly logs
  • IPS logs
  • SSH logs
  • Traffic violations
  • Virus logs
  • Web filter violations

When multi VDOM mode is enabled, individual VDOMs can be specified so that the trigger is only applied to those VDOMs.

config system automation-trigger
    edit <name>
        set event-type {ips-logs | anomaly-logs | virus-logs | ssh-logs | webfilter-violation | traffic-violation}
        set vdom <name>
    next
end

Example

In this example, an automation stitch is created that uses an anomaly logs trigger and an email notification action. The trigger specifies which VDOMs should be used. There is a three-second delay between the trigger and action.

To configure an automation stitch with the anomaly logs trigger in the GUI:
  1. Configure the trigger:
    1. Go to Security Fabric > Automation, select the Trigger tab, and click Create New.

    2. In the Event Log Category section, click Anomaly Logs.

    3. Enter a name (anomaly-logs) and add the required VDOMs (root, vdom-nat, vdom-tp).

    4. Click OK.

  2. Configure the action:
    1. Go to Security Fabric > Automation, select the Action tab, and click Create New.

    2. In the Notifications section, click Email and enter the following:

      Name: email_default_rep_message
      To: Enter an email address
      Subject: CSF stitch alert
      Replacement message: Enable

    3. Click OK.

  3. Configure the stitch:
    1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.

    2. Enter the name, anomaly-logs-stitch.

    3. Click Add Trigger. Select anomaly-logs and click Apply.

    4. Click Add Action. Select email_default_rep_message and click Apply.

    5. Click Add delay (between the trigger and action). Enter 3 and click OK.

    6. Click OK.

To configure an automation stitch with the anomaly logs trigger in the CLI:
  1. Configure the trigger:
    config system automation-trigger
        edit "anomaly-logs"
            set event-type anomaly-logs
            set vdom "root" "vdom-nat" "vdom-tp"
        next
    end
  2. Configure the action:
    config system automation-action
        edit "email_default_rep_message"
            set action-type email
            set email-to "admin@fortinet.com"
            set email-subject "CSF stitch alert"
            set replacement-message enable
        next
    end
  3. Configure the stitch:
    config system automation-stitch
        edit "anomaly-logs-stitch"
            set description "anomaly-logs"
            set trigger "anomaly-logs"
            config actions
                edit 1
                    set action "email_default_rep_message"
                    set delay 3
                    set required enable
                next
            end
        next
    end

Verification

Once the anomaly log is generated, the automation stitch is triggered and the email notification is sent.

To confirm that the stitch was triggered in the GUI:
  1. Go to Security Fabric > Automation and select the Stitch tab.
  2. Verify the Last Triggered column.
To confirm that the stitch was triggered in the CLI:
# diagnose test application autod 2
...
stitch: anomaly-logs-stitch
        destinations: all
        trigger: anomaly-logs
                type:anomaly logs

                field ids:
                        (id:6)vd=root,vdom-nat,vdom-tp

        local hit: 1 relayed to: 0 relayed from: 0
        actions:
                email_default_rep_message type:email interval:0
                        delay:3 required:yes
                        subject: CSF stitch alert
                        body: %%log%%
                        sender:
                        mailto:admin@fortinet.com;
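The diagnose output above is the evidence that the stitch is wired up and has fired at least once. When an operator is checking many stitches, or checking them from a monitoring job, it helps to parse that text rather than read it by eye. The following is an added example, not FortiOS code and not part of this guide: a small Python parser for the `diagnose test application autod 2` output shown on this page, plus a check that the trigger, VDOM list and local hit count match what was configured. The sample text is the page's own verification output; the function names and the expected-values arguments are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Sample input: the `diagnose test application autod 2` output shown in the
# verification section of this page (the leading "..." is omitted).
SAMPLE_AUTOD_OUTPUT = """\
stitch: anomaly-logs-stitch
        destinations: all
        trigger: anomaly-logs
                type:anomaly logs

                field ids:
                        (id:6)vd=root,vdom-nat,vdom-tp

        local hit: 1 relayed to: 0 relayed from: 0
        actions:
                email_default_rep_message type:email interval:0
                        delay:3 required:yes
                        subject: CSF stitch alert
                        body: %%log%%
                        sender:
                        mailto:admin@fortinet.com;
"""


@dataclass
class StitchStatus:
    """What this example extracts for one stitch block of the autod output."""
    name: str
    trigger: str = ""
    trigger_type: str = ""
    vdoms: list = field(default_factory=list)
    local_hit: int = 0
    relayed_to: int = 0
    relayed_from: int = 0
    actions: dict = field(default_factory=dict)  # action name -> details


_HIT_RE = re.compile(r"local hit:\s*(\d+)\s+relayed to:\s*(\d+)\s+relayed from:\s*(\d+)")
_VDOM_RE = re.compile(r"\(id:\d+\)vd=(.+)")
_ACTION_RE = re.compile(r"^(\S+)\s+type:(\S+)\s+interval:(\d+)$")
_DELAY_RE = re.compile(r"^delay:(\d+)\s+required:(\w+)$")


def parse_autod_output(text: str) -> list:
    """Parse every 'stitch:' block in the diagnose output into StitchStatus objects."""
    stitches = []
    current = None
    last_action = None
    in_actions = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        if line.startswith("stitch:"):
            current = StitchStatus(name=line.split(":", 1)[1].strip())
            stitches.append(current)
            in_actions = False
            last_action = None
            continue
        if current is None:
            continue
        if line == "actions:":
            in_actions = True
            continue
        if in_actions:
            m = _ACTION_RE.match(line)
            if m:
                last_action = {"type": m.group(2), "interval": int(m.group(3)),
                               "delay": 0, "required": False}
                current.actions[m.group(1)] = last_action
                continue
            m = _DELAY_RE.match(line)
            if m and last_action is not None:
                last_action["delay"] = int(m.group(1))
                last_action["required"] = m.group(2).lower() == "yes"
            continue
        # Trigger section: name, log category, VDOM filter and hit counters.
        if line.startswith("trigger:"):
            current.trigger = line.split(":", 1)[1].strip()
        elif line.startswith("type:"):
            current.trigger_type = line.split(":", 1)[1].strip()
        else:
            m = _VDOM_RE.search(line)
            if m:
                current.vdoms = [v.strip() for v in m.group(1).split(",") if v.strip()]
                continue
            m = _HIT_RE.search(line)
            if m:
                current.local_hit, current.relayed_to, current.relayed_from = (
                    int(g) for g in m.groups())
    return stitches


def check_stitch(status: StitchStatus, expected_trigger: str, expected_vdoms: list) -> list:
    """Return a list of problems; an empty list means the stitch matches the
    configuration it was built from and has fired at least once on this unit."""
    problems = []
    if status.trigger != expected_trigger:
        problems.append(f"trigger is {status.trigger!r}, expected {expected_trigger!r}")
    if set(status.vdoms) != set(expected_vdoms):
        problems.append(f"vdoms are {status.vdoms}, expected {sorted(expected_vdoms)}")
    if status.local_hit < 1:
        problems.append("stitch has not been triggered locally (local hit: 0)")
    if not status.actions:
        problems.append("no actions attached to the stitch")
    return problems


if __name__ == "__main__":
    for s in parse_autod_output(SAMPLE_AUTOD_OUTPUT):
        print(s.name, check_stitch(s, "anomaly-logs", ["root", "vdom-nat", "vdom-tp"]) or "OK")
```

Paste the real diagnose output in place of the sample to check a unit; `local hit` is the counter the page tells you to look for, and a stitch whose trigger or VDOM list differs from what was configured shows up as a problem string rather than a silent miss.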