Default automation stitches
The following default automation stitches are included in FortiOS:
- Compromised Host Quarantine
- Incoming Webhook Quarantine
- HA Failover
- Network Down
- Reboot
- FortiAnalyzer Connection Down
- License Expired Notification
- Security Rating Notification
To view and edit the automation stitches in the GUI, go to Security Fabric > Automation.
CLI configurations
Compromised Host Quarantine
# Compromised Host Quarantine: two quarantine actions, one trigger, and the
# stitch that links them.
config system automation-action
    # Action 1: per its description, quarantines a MAC address on FortiSwitches and FortiAPs.
    edit "Quarantine on FortiSwitch + FortiAP"
        set description "Default automation action configuration for quarantining a MAC address on FortiSwitches and FortiAPs."
        set action-type quarantine
    next
    # Action 2: per its description, quarantines the endpoint through FortiClient EMS.
    edit "Quarantine FortiClient EMS Endpoint"
        set description "Default automation action configuration for quarantining a FortiClient EMS endpoint device."
        set action-type quarantine-forticlient
    next
end
config system automation-trigger
    # No event-type or severity option is set in this listing, so the trigger
    # relies on values not shown here. The description says it fires on a high
    # severity compromised-host detection.
    # NOTE(review): confirm the effective values with "show full-configuration".
    edit "Compromised Host - High"
        set description "Default automation trigger configuration for when a high severity compromised host is detected."
    next
end
config system automation-stitch
    edit "Compromised Host Quarantine"
        set description "Default automation stitch to quarantine a high severity compromised host on FortiAPs, FortiSwitches, and FortiClient EMS."
        # Ships disabled: no automatic containment happens until an administrator
        # enables this stitch. Before enabling, decide how a falsely flagged device
        # gets released, because both actions below isolate the host.
        set status disable
        set trigger "Compromised Host - High"
        config actions
            # Both quarantine actions are attached to the same trigger.
            edit 1
                set action "Quarantine on FortiSwitch + FortiAP"
            next
            edit 2
                set action "Quarantine FortiClient EMS Endpoint"
            next
        end
    next
end
FortiAnalyzer Connection Down
# FortiAnalyzer Connection Down: notify when the FortiAnalyzer link is lost.
config system automation-action
    # Notification-only action; per its description the message goes to the
    # FortiExplorer mobile application.
    edit "FortiExplorer Notification"
        set description "Default automation action configuration for sending a notification to any FortiExplorer mobile application."
        set action-type fortiexplorer-notification
    next
end
config system automation-trigger
    # Matches event log ID 22902, which the description ties to loss of the
    # FortiAnalyzer connection.
    edit "FortiAnalyzer Connection Down"
        set description "Default automation trigger configuration for when the FortiAnalyzer connection is lost."
        set event-type event-log
        set logid 22902
    next
end
config system automation-stitch
    # No "set status" line appears here, unlike the stitches on this page that
    # carry "set status disable", so this stitch uses the default status.
    # NOTE(review): confirm the default on your build with "show full-configuration".
    # A lost FortiAnalyzer connection can mean a gap in central log collection.
    # If nobody watches FortiExplorer, consider adding an action that reaches a
    # monitored channel.
    edit "FortiAnalyzer Connection Down"
        set description "Default automation stitch to send a FortiExplorer notification when the connection to FortiAnalyzer is lost."
        set trigger "FortiAnalyzer Connection Down"
        config actions
            edit 1
                set action "FortiExplorer Notification"
            next
        end
    next
end
Network Down
# Network Down: email when a network connection goes down.
config system automation-action
    # Email action whose subject is filled from the log description of the
    # triggering event (%%log.logdesc%%). No recipient (email-to) is set in
    # this listing, so one must be configured before the action can deliver
    # anything useful.
    edit "Default Email"
        set description "Default automation action configuration for sending an email with basic information on the log event."
        set action-type email
        set email-subject "%%log.logdesc%%"
    next
end
config system automation-trigger
    # Matches event log ID 20099, narrowed by the field filter below to
    # entries whose "status" field equals "DOWN".
    edit "Network Down"
        set description "Default automation trigger configuration for when a network connection goes down."
        set event-type event-log
        set logid 20099
        config fields
            edit 1
                set name "status"
                set value "DOWN"
            next
        end
    next
end
config system automation-stitch
    edit "Network Down"
        set description "Default automation stitch to send an email when a network goes down."
        # Ships disabled; enable it only after the email action has a recipient.
        set status disable
        set trigger "Network Down"
        config actions
            edit 1
                set action "Default Email"
            next
        end
    next
end
HA Failover
# HA Failover: email when an HA failover occurs.
config system automation-action
    # Same "Default Email" definition that the Network Down and Reboot listings
    # on this page use. The subject comes from %%log.logdesc%%, and no recipient
    # (email-to) is set in this listing.
    edit "Default Email"
        set description "Default automation action configuration for sending an email with basic information on the log event."
        set action-type email
        set email-subject "%%log.logdesc%%"
    next
end
config system automation-trigger
    # Uses the dedicated ha-failover event type, not an event-log ID match.
    edit "HA Failover"
        set description "Default automation trigger configuration for when an HA failover occurs."
        set event-type ha-failover
    next
end
config system automation-stitch
    edit "HA Failover"
        set description "Default automation stitch to send an email when a HA failover is detected."
        # Ships disabled, so failovers are not emailed until an administrator
        # enables the stitch and gives the email action a recipient.
        set status disable
        set trigger "HA Failover"
        config actions
            edit 1
                set action "Default Email"
            next
        end
    next
end
Incoming Webhook Quarantine
# Incoming Webhook Quarantine: quarantine a caller-supplied MAC address when
# the webhook is invoked.
config system automation-action
    # Same two quarantine actions that the Compromised Host Quarantine listing
    # on this page uses.
    edit "Quarantine on FortiSwitch + FortiAP"
        set description "Default automation action configuration for quarantining a MAC address on FortiSwitches and FortiAPs."
        set action-type quarantine
    next
    edit "Quarantine FortiClient EMS Endpoint"
        set description "Default automation action configuration for quarantining a FortiClient EMS endpoint device."
        set action-type quarantine-forticlient
    next
end
config system automation-trigger
    # Fires on an incoming webhook request, not on a detection made by the
    # FortiGate itself.
    edit "Incoming Webhook Call"
        set description "Default automation trigger configuration for an incoming webhook."
        set event-type incoming-webhook
    next
end
config system automation-stitch
    # No "set status" line appears here, while the Compromised Host Quarantine
    # stitch on this page carries "set status disable". This stitch therefore
    # uses the default status.
    # NOTE(review): confirm whether that default is enabled on your build.
    # Per the description, the MAC address to quarantine is provided by the
    # caller. Anyone able to invoke the webhook can therefore isolate devices.
    # Limit the credential used to call it (least-privilege API profile,
    # trusted source addresses) and review the logs for unexpected calls.
    edit "Incoming Webhook Quarantine"
        set description "Default automation stitch to quarantine a provided MAC address on FortiAPs, FortiSwitches, and FortiClient EMS using an Incoming Webhook."
        set trigger "Incoming Webhook Call"
        config actions
            edit 1
                set action "Quarantine on FortiSwitch + FortiAP"
            next
            edit 2
                set action "Quarantine FortiClient EMS Endpoint"
            next
        end
    next
end
License Expired Notification
# License Expired Notification: notify FortiExplorer about license expiry.
config system automation-action
    # Notification-only action; per its description the message goes to the
    # FortiExplorer mobile application.
    edit "FortiExplorer Notification"
        set description "Default automation action configuration for sending a notification to any FortiExplorer mobile application."
        set action-type fortiexplorer-notification
    next
end
config system automation-trigger
    # The object name says "Expired", but the event type is license-near-expiry
    # and the description says "near expiration". The trigger is a warning
    # before expiry, and "license-type any" applies it to every license type.
    edit "License Expired Notification"
        set description "Default automation trigger configuration for when a license is near expiration."
        set event-type license-near-expiry
        set license-type any
    next
end
config system automation-stitch
    # No "set status" line appears here, so this stitch uses the default status.
    # NOTE(review): confirm the default with "show full-configuration".
    edit "License Expired Notification"
        set description "Default automation stitch to send a FortiExplorer notification when a license is near expiration."
        set trigger "License Expired Notification"
        config actions
            edit 1
                set action "FortiExplorer Notification"
            next
        end
    next
end
Reboot
# Reboot: email when the FortiGate reboots.
config system automation-action
    # Same "Default Email" definition that the Network Down and HA Failover
    # listings on this page use. The subject comes from %%log.logdesc%%, and no
    # recipient (email-to) is set in this listing.
    edit "Default Email"
        set description "Default automation action configuration for sending an email with basic information on the log event."
        set action-type email
        set email-subject "%%log.logdesc%%"
    next
end
config system automation-trigger
    # Uses the dedicated reboot event type, not an event-log ID match.
    edit "Reboot"
        set description "Default automation trigger configuration for when a FortiGate is rebooted."
        set event-type reboot
    next
end
config system automation-stitch
    edit "Reboot"
        set description "Default automation stitch to send an email when a FortiGate is rebooted."
        # Ships disabled, so reboots are not emailed until an administrator
        # enables the stitch and gives the email action a recipient.
        set status disable
        set trigger "Reboot"
        config actions
            edit 1
                set action "Default Email"
            next
        end
    next
end
Security Rating Notification
# Security Rating Notification: notify FortiExplorer when a new Security
# Rating report is available.
config system automation-action
    # Notification-only action; per its description the message goes to the
    # FortiExplorer mobile application.
    edit "FortiExplorer Notification"
        set description "Default automation action configuration for sending a notification to any FortiExplorer mobile application."
        set action-type fortiexplorer-notification
    next
end
config system automation-trigger
    # Fires on the security-rating-summary event; "report-type any" does not
    # restrict it to a particular report type.
    edit "Security Rating Notification"
        set description "Default automation trigger configuration for when a new Security Rating report is available."
        set event-type security-rating-summary
        set report-type any
    next
end
config system automation-stitch
    # No "set status" line appears here, so this stitch uses the default status.
    # NOTE(review): confirm the default with "show full-configuration".
    edit "Security Rating Notification"
        set description "Default automation stitch to send a FortiExplorer notification when a new Security Rating report is available."
        set trigger "Security Rating Notification"
        config actions
            edit 1
                set action "FortiExplorer Notification"
            next
        end
    next
end