Administration Guide

7.2.0

Map events to alarms

An event indicates that something significant has happened within FortiNAC. All events that are generated are logged in the event log. If an event is mapped to an alarm, you are immediately informed by the alarm notification system. Some events are mapped to alarms by default.

To view events that are mapped to alarms, select Logs > Events & Alarms > Mappings. For a list of possible alarms, see Events and alarms list.

If an event is disabled, the associated Alarm Mapping is grayed out and has a line through it. To enable the event, right-click the Alarm Mapping and select one of the Enable options.

Enable/disable alarm mappings

When mapping events to alarms, you have the option to disable an alarm mapping to prevent the generation of alarms when the selected event occurs. This may be useful during periods you know will generate many events. An example of this is during the repair of a modeled network device. You may want to block the Device Contact Lost and Established events from getting to the system since they will be expected. Another example is to block the Rogue User Detected event during an Open House when many rogues will be detected. Use Enable and Disable at the top of the view to enable and disable selected alarm mapping records.

Settings

Refer to Add or modify alarm mapping for additional information on each field.

Field

Definition

Enable Buttons

Enables or disables the selected Alarm Mappings. Disabled mappings do not trigger an alarm when the associated event is generated.

Enabled

A green check mark indicates that the mapping is enabled. A red circle indicates that the mapping is disabled.

Event

Name of the Event that triggers this alarm.

Alarm

Name of the Alarm that is mapped to the event.

Clear Event

Name of the event that must be generated to clear the alarm mapped in this Alarm and Event combination.

Severity

Critical, Minor, Warning, or Informational.

Only the text of the severity is displayed. Severity icons do not display in the Alarm Mappings table.

Notify Users

Indicates who will be notified if this alarm is triggered, such as All Management group.

Trigger Rule

Rules that determine when the alarm is triggered. Options include:

  • One Event to One Alarm: Every occurrence of the event generates a unique alarm.
  • All Events to One Alarm: The first occurrence of the event generates a unique alarm. Each subsequent occurrence of the event does not generate an alarm, as long as the alarm persists when subsequent events occur. When the alarm clears, the next occurrence of the event generates another unique alarm.
  • Event Frequency: The number of occurrences of the event generated by the same element within a user-specified amount of time determines whether a unique alarm is generated.
  • Event Lifetime: The duration of an alarm event without a clearing event within a specified time determines whether a unique alarm is generated.
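
The four trigger rules produce very different alarm volumes for the same events, which matters when tuning for alert fatigue. The following is an added example, not FortiNAC code: a simplified model of the rules as this page describes them, run over a constructed timeline. Per-element tracking, the `count`, `window` and `lifetime` parameters, and the restart after a frequency alarm are assumptions.

```python
from collections import defaultdict, deque

# Constructed timeline: (seconds, element, kind); kind is "event" or "clear".
TIMELINE = [(0, "sw1", "event"), (10, "sw1", "event"), (20, "sw1", "event"),
            (30, "sw1", "clear"), (40, "sw1", "event"), (500, "sw2", "event")]

def one_event_to_one_alarm(timeline):
    """Every occurrence of the event raises its own alarm."""
    return [t for t, _, kind in timeline if kind == "event"]

def all_events_to_one_alarm(timeline):
    """The first event raises an alarm; later ones are absorbed until it clears."""
    alarms, active = [], set()   # assumed: alarms are tracked per element
    for t, element, kind in timeline:
        if kind == "clear":
            active.discard(element)
        elif element not in active:
            active.add(element)
            alarms.append(t)
    return alarms

def event_frequency(timeline, count, window):
    """Alarm when one element produces `count` events within `window` seconds."""
    alarms, recent = [], defaultdict(deque)
    for t, element, kind in timeline:
        if kind != "event":
            continue
        q = recent[element]
        q.append(t)
        while q[0] < t - window:      # forget events older than the window
            q.popleft()
        if len(q) >= count:
            alarms.append(t)
            q.clear()                 # assumed: counting restarts after an alarm
    return alarms

def event_lifetime(timeline, lifetime):
    """Alarm when an event sees no clear event within `lifetime` seconds."""
    alarms = []
    for i, (t, element, kind) in enumerate(timeline):
        if kind != "event":
            continue
        cleared = any(k == "clear" and el == element and tc <= t + lifetime
                      for tc, el, k in timeline[i + 1:])
        if not cleared:
            alarms.append(t + lifetime)   # alarm time: when the lifetime expires
    return alarms
```

On the constructed timeline, the rules raise 5, 3, 1 (with `count=3`, `window=60`) and 3 (with `lifetime=25`) alarms respectively.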

Apply To

Elements to which this alarm mapping applies. Options include:

  • All: Applies this mapping to all elements.
  • Group: Applies this mapping to a single group of elements.
  • Specific: Applies this mapping to an element that you select from a list.

Action

If an Action is enabled in the mapping, displays the action that will be taken when this alarm is triggered. Options include:

  • Host Access Action: Host is disabled and then re-enabled after the specified time has passed.
  • Host Role: The host's role is changed and then set back to the original role after the specified time has passed.
  • Host Security Action: Host is set At Risk and then set to Safe after the specified time has passed.
  • Command Line Script: You can specify a particular command line script to be executed as an alarm action.
  • Email User Action: An email is sent to the user associated with the host.
  • SMS User Action: An SMS Message is sent to the user associated with the host.
  • Port State Action: Port is disabled and then re-enabled after the specified time has passed.
  • Send Message to Desktop: Send a text message to the desktop of a host(s) with the Persistent Agent or Mobile Agent installed.

Send To External Log Hosts

Indicates whether this alarm is sent to an external log host when the trigger event occurs. Default = No.

To configure remote hosts that will receive externally logged alarms, see Log receivers.

Send To Custom Script

Name of the command line script to be executed when this alarm is triggered. These command line scripts are for advanced use, such as administrator-created Perl scripts. Scripts are stored on the server in the following directory: /home/cm/scripts

The script will receive one packed argument that the script can parse for the desired data.

Example

'type="Network" name="FortiNAC" msg="Alarm Admin User Login Failure asserted on FortiNAC Mon Feb 27 14:34:35 EST 2017. The following Events caused the Alarm. Admin user efewfwf failed to log in. Admin user efewfwf failed to log in. Admin user efewfwf failed to log in. "'
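
A sketch of a script that parses the packed argument shown above, as an added example that is not Fortinet's code. The field order (type, name, msg) is assumed from the single documented example, and the function names are hypothetical. Because msg can carry text typed by whoever triggered the event (here, the login name), the script treats every field as untrusted data.

```python
import re
import sys
from collections import Counter

# Constructed sample: the packed argument shown in the example above.
SAMPLE = ('type="Network" name="FortiNAC" msg="Alarm Admin User Login Failure '
          'asserted on FortiNAC Mon Feb 27 14:34:35 EST 2017. The following '
          'Events caused the Alarm. Admin user efewfwf failed to log in. '
          'Admin user efewfwf failed to log in. '
          'Admin user efewfwf failed to log in. "')

# Assumed layout (taken from the one documented example): type, name, msg in
# that order. msg is matched greedily to the final quote so that a quote
# inside the message text cannot cut the field short.
PACKED = re.compile(r'type="([^"]*)" name="([^"]*)" msg="(.*)"', re.S)

def parse_packed(arg):
    """Split the single packed argument into its type, name and msg fields."""
    arg = arg.strip()
    if len(arg) >= 2 and arg[0] == arg[-1] == "'":   # drop wrapping quotes
        arg = arg[1:-1]
    m = PACKED.fullmatch(arg)
    if m is None:
        raise ValueError("unexpected packed argument layout")
    return dict(zip(("type", "name", "msg"), m.groups()))

def sanitize(text, limit=256):
    """Replace control characters and bound the length before logging."""
    return re.sub(r"[\x00-\x1f\x7f]", "?", text)[:limit]

def failed_admin_logins(msg):
    """Count the 'Admin user <name> failed to log in.' events inside msg."""
    return Counter(re.findall(r"Admin user (.+?) failed to log in\.", msg))

if __name__ == "__main__":
    fields = parse_packed(sys.argv[1] if len(sys.argv) > 1 else SAMPLE)
    for user, n in failed_admin_logins(fields["msg"]).items():
        # User names are typed by whoever attempted the login: log them as
        # data only, never pass them to a shell or eval them.
        print(f"{sanitize(fields['name'])}: {n} failed logins for {sanitize(user)!r}")
```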

Event Logging

Indicates where the event is being logged or if logging has been disabled. Options include:

  • Disabled: Event is disabled and will not be generated or logged anywhere.
  • Internal: Logs only to an internal events database.
  • External: Logs only to an external host.
  • Internal & External: Logs both to an internal events database and an external host.

Event Logging Group

Group name of a group of elements, such as port group, device group or user group used to limit generation of the selected event to the items in the group. If set to All Groups, then the event is generated for all items, such as ports, devices, hosts or users.

Last Modified By

User name of the last user to modify the mapping.

Last Modified Date

Date and time of the last modification to this mapping.

Right click options

Delete

Deletes selected mappings from the database.

Modify

Opens the Modify dialog and allows you to modify the selected mapping.

When multiple mappings are selected, opens a limited Modify dialog and allows you to modify Severity and Notification settings. See Bulk modify alarm mappings.

Show Audit Log

Opens the admin auditing log showing all changes made to the selected item.

For information about the admin auditing log, see Audit Logs.

Note

You must have permission to view the admin auditing log. See Add an administrator profile.

Enable

Enables the selected mappings.

Disable

Disables the selected mappings.

Event Logging - Disable

Disables the events associated with the selected mappings.

Event Logging - Internal

Enables the events associated with the selected mappings and logs to an internal events database.

Event Logging - External

Enables the events associated with the selected mappings and logs to an external host.

Event Logging - Internal & External

Enables the events associated with the selected mappings and logs to both an internal events database and an external host.

Export

Exports data to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. See Export data.
