Fortinet white logo
Fortinet white logo

Administration Guide

Actions

Actions

There are two types of automation actions that can be configured in automation stitches: static and dynamic.

Static automation actions are included in FortiOS by default. They require only a name, description, and one setting. Static automation actions can be edited, but they cannot be deleted.

Dynamic automation actions require multiple settings to be configured. Dynamic automation actions can be created by clicking the Create New button on the Action tab, or clicking Create within the Create Automation Stitch page.

Multiple actions can be added to an automation stitch. Actions can be reorganized in the Edit Automation Stitch page by dragging and dropping the actions in the diagram.

The following table outlines the available static actions.

Action

Description

Access Layer Quarantine

This option is only available for Compromised Host triggers.

Quarantine the MAC address on access layer devices (FortiSwitch and FortiAP).

FortiClient Quarantine

This option is only available for Compromised Host triggers.

Use FortiClient EMS to block all traffic from the source addresses that are flagged as compromised hosts.

Quarantined devices are flagged on the Security Fabric topology views. Go to the Dashboard > Assets & Identities > Quarantine widget to view and manage quarantined IP addresses.

FortiNAC Quarantine

This option is only available for Compromised Host and Incoming Webhook triggers.

Use FortiNAC to quarantine a client PC and disable its MAC address. See FortiNAC Quarantine action for details.

IP Ban

This option is only available for Compromised Host triggers.

Block all traffic from the source addresses flagged by the IoC.

Go to the Dashboard > Assets & Identities > Quarantine widget to view and manage quarantined IP addresses.

System Action > Backup Config Disk

Back up the FortiGate's configuration. The default minimum interval is 0 seconds. See System actions for an example.

System Action > Reboot FortiGate

Reboot the FortiGate. The default minimum interval is 5 minutes (300 seconds in the CLI). See System actions for an example.

System Action > Shutdown FortiGate

Shut down the FortiGate. The default minimum interval is 0 seconds.

The following table outlines the available dynamic actions.

Category

Action

Description

Security Response

VMware NSX Security Tag

This option is only available for Compromised Host triggers.

If an endpoint instance in a VMware NSX environment is compromised, the configured security tag is assigned to the compromised endpoint. See VMware NSX security tag action and VMware NSX-T security tag action for details.

Notifications

Email

Send a custom email message to the selected recipients. At least one recipient and an email subject must be specified.

Enable Send to FortiCare email to send the message to the email address associated with the FortiCare Support entitlement. This is the FortiCloud email address visible on the System > FortiGuard page under the FortiCare Support license information.

The email body can use parameters from logs or previous action results. Wrapping the parameter with %% will replace the expression with the JSON value for the parameter, for example: %%results.source%% is the source property from the previous action.

Replacement messages can be enabled in the email body to create branded email alerts. See Replacement messages for email alerts for details.

FortiExplorer Notification

Send push notifications to FortiExplorer.

The FortiGate must be registered to FortiCare on the mobile app that will receive the notification.

Slack Notification

Send a notification to a Slack channel. See Slack Notification action for details.

Microsoft Teams Notification

Send a notification to channels in Microsoft Teams. See Microsoft Teams Notification action for details.

Cloud Compute

AWS Lambda

Send log data to an integrated AWS service. See AWS Lambda action for details.

Azure Function

Send log data to an Azure function. See Azure Function action for details.

Google Cloud Function

Send log data to a Google Cloud function. See Google Cloud Function action for details.

AliCloud Function

Send log data to an AliCloud function. See AliCloud Function action for details.

General

CLI Script

Run one or more CLI scripts. See CLI script action for details. See Execute a CLI script based on memory and CPU thresholds for an example.

Webhook

Send an HTTP request using a REST callback. See Webhook action for details, and Slack integration webhook and Microsoft Teams integration webhook for examples.

Alert

Generate a FortiOS dashboard alert.

This option is only available in the CLI.

Disable SSID

Disable the SSID interface.

This option is only available in the CLI.

Actions

Actions

There are two types of automation actions that can be configured in automation stitches: static and dynamic.

Static automation actions are included in FortiOS by default. They require only a name, description, and one setting. Static automation actions can be edited, but they cannot be deleted.

Dynamic automation actions require multiple settings to be configured. Dynamic automation actions can be created by clicking the Create New button on the Action tab, or clicking Create within the Create Automation Stitch page.

Multiple actions can be added to an automation stitch. Actions can be reorganized in the Edit Automation Stitch page by dragging and dropping the actions in the diagram.

The following table outlines the available static actions.

Action

Description

Access Layer Quarantine

This option is only available for Compromised Host triggers.

Quarantine the MAC address on access layer devices (FortiSwitch and FortiAP).

FortiClient Quarantine

This option is only available for Compromised Host triggers.

Use FortiClient EMS to block all traffic from the source addresses that are flagged as compromised hosts.

Quarantined devices are flagged on the Security Fabric topology views. Go to the Dashboard > Assets & Identities > Quarantine widget to view and manage quarantined IP addresses.

FortiNAC Quarantine

This option is only available for Compromised Host and Incoming Webhook triggers.

Use FortiNAC to quarantine a client PC and disable its MAC address. See FortiNAC Quarantine action for details.

IP Ban

This option is only available for Compromised Host triggers.

Block all traffic from the source addresses flagged by the IoC.

Go to the Dashboard > Assets & Identities > Quarantine widget to view and manage quarantined IP addresses.

System Action > Backup Config Disk

Back up the FortiGate's configuration. The default minimum interval is 0 seconds. See System actions for an example.

System Action > Reboot FortiGate

Reboot the FortiGate. The default minimum interval is 5 minutes (300 seconds in the CLI). See System actions for an example.

System Action > Shutdown FortiGate

Shut down the FortiGate. The default minimum interval is 0 seconds.

The following table outlines the available dynamic actions.

Category

Action

Description

Security Response

VMware NSX Security Tag

This option is only available for Compromised Host triggers.

If an endpoint instance in a VMware NSX environment is compromised, the configured security tag is assigned to the compromised endpoint. See VMware NSX security tag action and VMware NSX-T security tag action for details.

Notifications

Email

Send a custom email message to the selected recipients. At least one recipient and an email subject must be specified.

Enable Send to FortiCare email to send the message to the email address associated with the FortiCare Support entitlement. This is the FortiCloud email address visible on the System > FortiGuard page under the FortiCare Support license information.

The email body can use parameters from logs or previous action results. Wrapping the parameter with %% will replace the expression with the JSON value for the parameter, for example: %%results.source%% is the source property from the previous action.

Replacement messages can be enabled in the email body to create branded email alerts. See Replacement messages for email alerts for details.

FortiExplorer Notification

Send push notifications to FortiExplorer.

The FortiGate must be registered to FortiCare on the mobile app that will receive the notification.

Slack Notification

Send a notification to a Slack channel. See Slack Notification action for details.

Microsoft Teams Notification

Send a notification to channels in Microsoft Teams. See Microsoft Teams Notification action for details.

Cloud Compute

AWS Lambda

Send log data to an integrated AWS service. See AWS Lambda action for details.

Azure Function

Send log data to an Azure function. See Azure Function action for details.

Google Cloud Function

Send log data to a Google Cloud function. See Google Cloud Function action for details.

AliCloud Function

Send log data to an AliCloud function. See AliCloud Function action for details.

General

CLI Script

Run one or more CLI scripts. See CLI script action for details. See Execute a CLI script based on memory and CPU thresholds for an example.

Webhook

Send an HTTP request using a REST callback. See Webhook action for details, and Slack integration webhook and Microsoft Teams integration webhook for examples.

Alert

Generate a FortiOS dashboard alert.

This option is only available in the CLI.

Disable SSID

Disable the SSID interface.

This option is only available in the CLI.