Administration Guide

Email alerts

Alert emails are used to notify administrators about events on the FortiGate device, allowing a quick response to any issues.

There are two methods that can be used to configure email alerts: automation stitches and alert emails.

The FortiGate has a default SMTP server, notification.fortinet.net, that provides secure mail service with SMTPS. It is used for all emails that are sent by the FortiGate, including alert emails, automation stitch emails, and FortiToken Mobile activations. You can also configure a custom email service.

To configure a custom email service in the GUI:
  1. Go to System > Settings.

  2. In the Email Service section, enable Use custom settings.

  3. Configure the following settings:

    SMTP Server

    If required, select Specify and enter the address or name of the SMTP server, such as smtp.example.com.

    Port

    If required, select Specify and enter a specific port number. The default is port 465.

    Authentication

    If required by the email server, enable authentication. If enabled, enter the Username and Password.

    Security Mode

    Set the security mode: None, SMTPS, or STARTTLS.

    Default Reply To

    Optionally, enter the reply to email address, such as noreply@example.com. This address will override the from address that is configured for an alert email.

    If SMTP Server is set to Default, the Default Reply To field is hidden and cannot be configured, and the default address is set to DoNotReply@notification.fortinet.net. This ensures that the default SMTP server can work correctly.

  4. Click Apply.

To configure a custom email service in the CLI:
config system email-server
    set server "smtp.fortinet.net"
    set reply-to "noreply@example.com"
    set port 465
    set authenticate enable
    set username "fortigate"
    set password **********
    set security smtps
end
Note

If server is set to notification.fortinet.net, the reply-to command is hidden and cannot be configured, and the default reply to address is set to DoNotReply@notification.fortinet.net. This ensures that the default SMTP server can work correctly.
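The custom email service settings above can be reviewed offline from saved CLI text. The following is an added example, not Fortinet code: it parses FortiOS config/edit/set/next/end text and flags an email-server block whose security mode is none, particularly when authentication is enabled. The function names and the sample configuration are constructed for illustration, and the script assumes the security setting appears explicitly in the text it is given.

```python
import shlex

def parse_fortios(text):
    """Parse FortiOS CLI text (config/edit/set/next/end) into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue  # header lines at the top of a saved configuration
        tok = shlex.split(raw)
        if not tok:
            continue
        cmd, args = tok[0], tok[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit" and args:
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set" and args:
            stack[-1][args[0]] = args[1:]  # values kept as a list
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root

def audit_email_server(cfg):
    """Return findings for the 'config system email-server' block."""
    srv = cfg.get("system email-server")
    if srv is None:
        return ["no email-server block in this text"]
    findings = []
    mode = srv.get("security", [None])[0]
    auth = srv.get("authenticate", [None])[0] == "enable"
    if mode is None:
        findings.append("security mode not explicit: confirm it on the device")
    elif mode == "none":
        findings.append("security none: alert mail is sent without TLS")
        if auth:
            findings.append("authenticate enable with security none: "
                            "SMTP credentials are sent without transport encryption")
    return findings

# Constructed sample: the page's CLI example with the security mode weakened.
SAMPLE = """
config system email-server
    set server "smtp.example.com"
    set port 25
    set authenticate enable
    set username "fortigate"
    set security none
end
"""

if __name__ == "__main__":
    for finding in audit_email_server(parse_fortios(SAMPLE)):
        print("FINDING:", finding)
```

With security set to smtps, as in the CLI example above, the audit returns no findings.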

Automation stitches

Automation stitches can be configured to send emails based on a variety of triggers, giving you control over the events that cause an alert, and who gets alerted. For more information, see Automation stitches.

In this example, the default mail service sends an email to two recipients when an Admin login failed event occurs or there is a configuration change.

To configure the automation stitch in the GUI:
  1. On the root FortiGate, go to Security Fabric > Automation and click Create New.

  2. Enter a name for the stitch, such as Admin Fail.

  3. Configure the trigger:

    1. Click Add Trigger.

    2. Click Create and select FortiOS Event Log.
    3. Enter a name for the trigger, such as Admin Fail.

    4. Click in the Event field, and in the slide out pane, search for and select Admin login failed.

    5. Click OK.

    6. Select the trigger in the list and click Apply.

  4. Configure the action:

    1. Click Add Action.

    2. Click Create and select Email.

    3. Configure the following settings:

      Name

      Enter a name for the action, such as Admin Fail_email.

      To

      Enter the two email recipients' addresses, such as admin@example.com and manager@example.com.

      Subject

      Enter a subject, such as Admin log in failed.

      Body

      Edit as required. By default, the email body will include all the fields from the log event that triggered the stitch.

    4. Click OK.
    5. Select the action in the list and click Apply.
  5. Click OK.

  6. Create a second stitch with Configuration Change as the trigger, and an email action with a different subject line (such as Configuration Change Detected).

To configure the automation stitch in the CLI:
  1. Create the automation triggers:
    config system automation-trigger
        edit "Admin Fail"
            set event-type event-log
            set logid 32002
        next
        edit "Config Change"
            set event-type config-change
        next
    end
  2. Create automation actions to send the email messages:

    config system automation-action
        edit "Admin Fail_email"
            set action-type email
            set email-to "admin@example.com" "manager@example.com"
            set email-subject "Admin log in failed"
        next
        edit "Config Change_email"
            set action-type email
            set email-to "admin@example.com" "manager@example.com"
            set email-subject "Configuration Change Detected"
        next
    end
  3. Create the automation stitches:

    config system automation-stitch
        edit "Admin Fail"
            set trigger "Admin Fail"
            config actions
                edit 1
                    set action "Admin Fail_email"
                    set required enable
                next
            end
        next
        edit "Config Change"
            set trigger "Config Change"
            config actions
                edit 1
                    set action "Config Change_email"
                    set required enable
                next
            end
        next
    end

Alert emails

When configuring an alert email, you can define the threshold when an issue becomes critical and requires attention. When the threshold is reached, an email is sent to up to three recipients on the configured schedule to notify them of the issue.

Alert email messages can be configured in the CLI. For more information on the available CLI commands, see Configure alert email settings.

Note

Alert email messages (under config alertemail setting) cannot monitor and notify users of the current logging status or the status of the miglogd daemon. In the event that the miglogd daemon is unresponsive, alert email messages cannot be triggered.

IPS, SSH, violation traffic, antivirus, and web filter logs are supported as triggers in automation stitches. For more information, see Event log category triggers.

In this example, the FortiGate is configured to send email messages to two addresses, admin@example.com and manager@example.com, every two minutes when multiple intrusions, administrator log in or out events, or configuration changes occur.

To configure an alert email:
config alertemail setting
    set username fortigate@example.com
    set mailto1 admin@example.com
    set mailto2 manager@example.com
    set filter-mode category
    set email-interval 2
    set IPS-logs enable
    set configuration-changes-logs enable
    set admin-login-logs enable
end
