Alert emails are used to notify administrators about events on the FortiGate device, allowing a quick response to any issues.
There are two methods that can be used to configure email alerts:
The FortiGate has a default SMTP server, notification.fortinet.com, that provides secure mail service with SMTPS. It is used for all emails that are sent by the FortiGate, including alert emails, automation stitch emails, and FortiToken Mobile activations. You can also configure a custom email service.
Go to System > Settings.
In the Email Service section, enable Use custom settings.
Configure the following settings:
Enter the address or name of the SMTP server, such as smtp.example.com.
If required, select Specify and enter a specific port number. The default is port 465.
If required by the email server, enable authentication.
If enabled, enter the Username and Password.
Set the security mode: None, SMTPS, or STARTTLS.
Default Reply To
Optionally, enter the reply to email address, such as firstname.lastname@example.org.
This address will override the from address that is configured for an alert email.
config system email-server set reply-to "email@example.com" set server "smtp.fortinet.net" set port 465 set authenticate enable set username "fortigate" set password ********** set security smtps end
Automation stitches can be configured to send emails based on a variety of triggers, giving you control over the events that cause an alert, and who gets alerted. For more information, see Automation stitches.
In this example, the default mail service sends an email to two recipients when an Admin login failed event occurs or there is a configuration change.
On the root FortiGate, go to Security Fabric > Automation and click Create New.
Enter a name for the stitch, such as Admin Fail.
Configure the trigger:
Click Add Trigger.
- Click Create and select FortiOS Event Log.
Enter a name for the trigger, such as Admin Fail.
Click in the Event field, and in the slide out pane, search for and select Admin login failed.
Select the trigger in the list and click Apply.
Configure the action:
Click Add Action.
Click Create and select Email.
Configure the following settings:
Enter a name for the action, such as Admin Fail_email.
Enter the two email recipients' addresses, such as firstname.lastname@example.org and email@example.com.
Enter an subject, such as Admin log in failed.
Edit as required. By default, the email body will include all the fields from the log event that triggered the stitch.
- Click OK.
- Select the action in the list and click Apply.
Create a second stitch with Configuration Change as the trigger, and an email action with a different subject line (such as Configuration Change Detected).
Create automation actions to send the email messages:
config system automation-action edit "Config Change_email" set action-type email set email-to "firstname.lastname@example.org" "email@example.com" set email-subject "Configuration Change Detected" next edit "Admin Fail_email" set action-type email set email-to "firstname.lastname@example.org" "email@example.com" set email-subject "Admin log in failed" next end
- Create the automation triggers:
config system automation-trigger edit "Config Change" set event-type config-change next edit "Admin Fail" set event-type event-log set logid 32002 next end
Create the automation stitches:
config system automation-stitch edit "Config Change" set trigger "Config Change" set action "Config Change_email" next edit "Admin Fail" set trigger "Admin Fail" set action "Admin Fail_email" next end
When configuring an alert email, you can define the threshold when an issue becomes critical and requires attention. When the threshold is reached, an email is sent to up to three recipients on the configured schedule to notify them of the issue.
Alert email messages can be configured in the CLI. For more information on the available CLI commands, see Configure alert email settings.
In this example, the FortiGate is configured to send email messages to two addresses, firstname.lastname@example.org and email@example.com, every two minutes when multiple intrusions, administrator log in or out events, or configuration changes occur.
config alertemail setting set username firstname.lastname@example.org set mailto1 email@example.com set mailto2 firstname.lastname@example.org set filter-mode category set email-interval 2 set IPS-logs enable set configuration-changes-logs enable set admin-login-logs enable end