Fortinet black logo

Administration Guide

Incoming Webhook Quarantine stitch

Incoming Webhook Quarantine stitch

The Incoming Webhook Quarantine stitch for API calls to the FortiGate accepts multiple parameters (MAC address and FortiClient UUID) from an Incoming Webhook trigger, which enacts either the Access Layer Quarantine action (MAC address) or the FortiClient Quarantine action (FortiClient UUID). This is a default automation stitch included in FortiOS.

To trigger the Incoming Webhook Quarantine stitch in the GUI:
  1. Create a new API user:

    1. Go to System > Administrators.

    2. Click Create New > REST API Admin.

    3. Configure the New REST API Admin settings, and copy the API key to the clipboard.

  2. Enable the stitch:

    1. Go to Security Fabric > Automation.

    2. Under Incoming Webhook, right-click Incoming Webhook Quarantine, and select Select Status > Enable.

  3. Get the sample cURL request:

    1. Click the Trigger trigger tab.

    2. Under Incoming Webhook, right-click Incoming Webhook Call, and select Edit.

    3. In the API admin key field, enter the API key you recorded previously. The Sample cURL request field updates.

    4. Copy the Sample cURL request to the clipboard.

    5. Click OK.

  4. Execute the request:

    1. Edit the sample cURL request you just copied.

    2. Add parameters to the data field ("mac" and "fctuid"), and then execute the request.

    root@pc:~# curl -k -X POST -H 'Authorization: Bearer cfgtct1mmx3fQxr4khb994p7swdfmk' --data '{ "mac":"0c:0a:00:0c:ce:b0", "fctuid": "0000BB0B0ABD0D00B0D0A0B0E0F0B00B"}' https://172.16.116.226/api/v2/monitor/system/automation-stitch/webhook/Incoming%20Webhook%20Quarantine

    {

    "http_method":"POST",

    "status":"success",

    "http_status":200,

    "serial":"FGT00E0Q00000000",

    "version":"v6.4.0",

    "build":1545

    Note

    Encode spaces in the automation stitch name with %20. For example, Incoming%20Webhook%20Quarantine

    Once the automation stitch is triggered, the MAC address is quarantined by the FortiGate, and an event log is created. The FortiClient UUID is quarantined on the EMS server side.

To trigger the Incoming Webhook Quarantine stitch in the CLI:
  1. Create a new API user and note the API key:

    config system api-user
  2. Enable the automation stitch:

    config system api-user
        edit "api"
            set api-key ************
            set accprofile "api_profile"
            set vdom "root"
            config trusthost
                edit 1
                    set ipv4-trusthost 10.6.30.0 200.200.200.0
                next
            end
        next
    end
  3. Edit the cURL request to include parameters in the data field ("mac" and "fctuid"), then execute the request:

    root@pc56:~# curl -k -X POST -H 'Authorization: Bearer cfgtct1mmx0fQxr4khb000p70wdfmk' --data '{ "mac":"0c:0a:00:0c:ce:b0", "fctuid": "3000BB0B0ABD0D00B0D0A0B0E0F0B00B"}' https://100.10.100.200/api/v2/monitor/system/automation-stitch/webhook/Incoming%20Webhook%20Quarantine

    {

    "http_method":"POST",

    "status":"success",

    "http_status":200,

    "serial":"FGT80E0Q00000000",

    "version":"v6.4.0",

    "build":1545

    Note

    Encode spaces in the automation stitch name with %20. For example, Incoming%20Webhook%20Quarantine.

    Once the automation stitch is triggered, the MAC address is quarantined by the FortiGate, and an event log is created. The FortiClient UUID is quarantined on the EMS server side.

    Sample log
    date=2020-02-14 time=15:37:48 logid="0100046600" type="event" subtype="system" level="notice" vd="root" eventtime=1581723468644200712 tz="-0800" logdesc="Automation stitch triggered" stitch="Incoming Webhook Quarantine" trigger="Incoming Webhook Quarantine" stitchaction="Compromised Host Quarantine_quarantine,Compromised Host Quarantine_quarantine-forticlient" from="log" msg="stitch:Incoming Webhook Quarantine is triggered."

Incoming Webhook Quarantine stitch

The Incoming Webhook Quarantine stitch for API calls to the FortiGate accepts multiple parameters (MAC address and FortiClient UUID) from an Incoming Webhook trigger, which enacts either the Access Layer Quarantine action (MAC address) or the FortiClient Quarantine action (FortiClient UUID). This is a default automation stitch included in FortiOS.

To trigger the Incoming Webhook Quarantine stitch in the GUI:
  1. Create a new API user:

    1. Go to System > Administrators.

    2. Click Create New > REST API Admin.

    3. Configure the New REST API Admin settings, and copy the API key to the clipboard.

  2. Enable the stitch:

    1. Go to Security Fabric > Automation.

    2. Under Incoming Webhook, right-click Incoming Webhook Quarantine, and select Select Status > Enable.

  3. Get the sample cURL request:

    1. Click the Trigger trigger tab.

    2. Under Incoming Webhook, right-click Incoming Webhook Call, and select Edit.

    3. In the API admin key field, enter the API key you recorded previously. The Sample cURL request field updates.

    4. Copy the Sample cURL request to the clipboard.

    5. Click OK.

  4. Execute the request:

    1. Edit the sample cURL request you just copied.

    2. Add parameters to the data field ("mac" and "fctuid"), and then execute the request.

    root@pc:~# curl -k -X POST -H 'Authorization: Bearer cfgtct1mmx3fQxr4khb994p7swdfmk' --data '{ "mac":"0c:0a:00:0c:ce:b0", "fctuid": "0000BB0B0ABD0D00B0D0A0B0E0F0B00B"}' https://172.16.116.226/api/v2/monitor/system/automation-stitch/webhook/Incoming%20Webhook%20Quarantine

    {

    "http_method":"POST",

    "status":"success",

    "http_status":200,

    "serial":"FGT00E0Q00000000",

    "version":"v6.4.0",

    "build":1545

    Note

    Encode spaces in the automation stitch name with %20. For example, Incoming%20Webhook%20Quarantine

    Once the automation stitch is triggered, the MAC address is quarantined by the FortiGate, and an event log is created. The FortiClient UUID is quarantined on the EMS server side.

To trigger the Incoming Webhook Quarantine stitch in the CLI:
  1. Create a new API user and note the API key:

    config system api-user
  2. Enable the automation stitch:

    config system api-user
        edit "api"
            set api-key ************
            set accprofile "api_profile"
            set vdom "root"
            config trusthost
                edit 1
                    set ipv4-trusthost 10.6.30.0 200.200.200.0
                next
            end
        next
    end
  3. Edit the cURL request to include parameters in the data field ("mac" and "fctuid"), then execute the request:

    root@pc56:~# curl -k -X POST -H 'Authorization: Bearer cfgtct1mmx0fQxr4khb000p70wdfmk' --data '{ "mac":"0c:0a:00:0c:ce:b0", "fctuid": "3000BB0B0ABD0D00B0D0A0B0E0F0B00B"}' https://100.10.100.200/api/v2/monitor/system/automation-stitch/webhook/Incoming%20Webhook%20Quarantine

    {

    "http_method":"POST",

    "status":"success",

    "http_status":200,

    "serial":"FGT80E0Q00000000",

    "version":"v6.4.0",

    "build":1545

    Note

    Encode spaces in the automation stitch name with %20. For example, Incoming%20Webhook%20Quarantine.

    Once the automation stitch is triggered, the MAC address is quarantined by the FortiGate, and an event log is created. The FortiClient UUID is quarantined on the EMS server side.

    Sample log
    date=2020-02-14 time=15:37:48 logid="0100046600" type="event" subtype="system" level="notice" vd="root" eventtime=1581723468644200712 tz="-0800" logdesc="Automation stitch triggered" stitch="Incoming Webhook Quarantine" trigger="Incoming Webhook Quarantine" stitchaction="Compromised Host Quarantine_quarantine,Compromised Host Quarantine_quarantine-forticlient" from="log" msg="stitch:Incoming Webhook Quarantine is triggered."