Fortinet Document Library

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

Add or modify alarm mapping

  1. Select Logs > Event to Alarm Mappings.
  2. Click Add or double-click on an existing mapping to modify it.
  3. Refer to the table below for detailed information about each field.
  4. The new mapping is enabled by default. If you wish to disable it, remove the check mark from the Enabled check box.
  5. In the Apply To section, select the element affected by this mapping. You can apply mappings to all elements, a single group of elements, or specific elements.

    Available selections vary depending upon the selected trigger event.

  6. Click the box and select an element from the drop-down list.
  7. If you choose to Apply To a Group, you can select a group from the list or use the icons next to the group field to add a new group or modify the group shown in the drop-down list. Note that if you modify a group, it is modified for all features that make use of that group. See Add groups for additional information.
  8. Select the Notify Users settings.
  9. If you choose to notify users, you can select an admin group from the list or use the icons next to the Group field to add a new group or modify the group shown in the drop-down list. Note that if you modify a group, it is modified for all features that make use of that group. See Add groups for additional information.
  10. Select the Trigger Rule for the event from the drop-down list. Rules determine when an Event triggers the creation of an Alarm.
  11. If you enable the Action option, select the action to take when the event occurs and the alarm is asserted. These are basic actions that FortiNAC executes on a given alarm.
  12. Action parameters display. Select the Primary Task from the drop-down list.
  13. For some actions there is a secondary task. If desired, click the Enable box in the Run Secondary Task section, select Min, Hr, or Day and enter the corresponding value.
  14. Click OK. The new mapping is saved and appears in the Event/Alarm Map View.
Settings

Field

Definition

Alarm definition

Enabled

If checked, the alarm mapping is enabled. Default = Enabled.

Trigger Event

Event that causes the alarm. Whenever this event occurs, its associated alarm is generated. The alarm is automatically listed when you select the event.

Alarm to Assert

The alarm generated when the event occurs.

Severity

Sets the severity of the alarm. Select one of the values from the drop-down list: Critical, Informational, Minor, and Warning. This value may be changed for existing Alarm and Event mappings.

Clear on Event

To automatically clear the alarm when a specific event occurs, select this check box. Select the event that, when generated, causes this alarm to be removed.

If you leave the check box unchecked, you must manually clear the alarm.

Default = Unchecked (Disabled)

Send Alarm to External Log Hosts

The alarm is sent to an external log host when the trigger event occurs, select this check box. See Log receivers for details on configuring an external log host.

Default = Unchecked (Disabled)

Send Alarm to Custom Script

You can specify a particular command line script to be executed when this alarm is triggered. These command line scripts are for advanced use, such as administrator-created Perl scripts.

First, write the script that is to be used as the alarm action. Store the script in this directory: /home/cm/scripts

If there are no scripts in the directory, this field is not available. Click the check box to enable the option and select the correct script from the drop-down list.

The arguments that are automatically passed to the script are as follows:

  • type: EndStation. User or network device
  • name: name of element
  • ip: IP address
  • mac: MAC address
  • user: userID
  • msg: email message from alarm

Apply To

  • All: Applies this mapping to all elements.
  • Group: Applies this mapping to a single group of elements.
  • Specific: Applies this mapping to the element that you select from a list.

Notify users

Notify

If checked, the administrators in the selected group are notified when an alarm occurs.

Send Email

If checked, the administrators in the selected group are sent an email when the alarm occurs. Administrators must have an email address configured in the Modify User dialog to receive this email.

Send SMS

If checked, the administrators in the selected group are sent an SMS message when an alarm occurs. Administrators must have a Mobile Number and Mobile Provider configured to receive this SMS message.

Trigger rules

One Event to One Alarm

Every occurrence of the event generates a unique alarm.

All Events to One Alarm

The first occurrence of the event generates a unique alarm. Each subsequent occurrence of the event does not generate an alarm, as long as the alarm persists when subsequent events occur.

When the alarm clears, the next occurrence of the event generates another unique alarm.

Event Frequency

The number of the occurrences of the event generated by the same element within a user specified amount of time determines the generation of a unique alarm. Settings are updated when the Action is configured.

Example:

Assume the host connected event is mapped to an alarm and the frequency is set to 3 times in 10 minutes.

  • Host A connects 3 times in 10 minutes and the alarm is triggered.
  • Host A connects 2 times and host B connects 2 times, there are 4 connections in 10 minutes. No alarm is generated because the hosts are different.
  • Host A connects at minutes 1, 8 and 12. No alarm is triggered because the host did not connect 3 times in 10 minutes.
  • Host A connects at minutes 1, 8, 12, and 14. An alarm is triggered because connections at minutes 8, 12 and 14 fall within the 10 minute sliding window.

Event Lifetime

The duration of an alarm event without a clearing event within a specified time, determines the generation of a unique alarm.

Example:

Event A occurs. If Event B (clear event) does not occur within the specified time, an alarm is generated.

Actions

Action

If checked, the selected action is taken when the alarm mapping is active and the alarm is asserted.

Host Access Action

Host is disabled and then re-enabled after the specified time has passed.

Host Role

The host's role is changed and then set back to the original role after the specified time has passed. Roles are attributes of the host and are used as filters in user/host profiles. Those profiles determine which network access policy, endpoint compliance policy or Supplicant EasyConnect Policy to apply.

If roles are based on a user's attribute from your LDAP or Active Directory, this role change is reversed the next time the directory and the FortiNAC database resynchronize.

Host Security Action

Host is set At Risk and then set to Safe after the specified time has passed.

Command Line Script

You can specify a particular command line script to be executed as an alarm action. These command line scripts are for advanced use, such as administrator-created Perl scripts.

First, write the script that is to be used as the alarm action. Store the script in this directory: /home/cm/scripts

The IP and MAC address arguments that are automatically passed to the script are in the format shown in this example:

/home/cm/scripts/testScript 192.168.10.1 00:00:00:00:00:00

Email User Action

An email is sent to the user associated with the host. The text of the email is entered in the Email Host Action dialog box.

HTML tags may be added to text within the content of the email in order to format the text, convert the text to a link, etc.

For example, you can add the <b> and tags to text in the Email message window to bold the selected text in the recipient's email message.

SMS User Action

An SMS Message is sent to the user associated with the host. The text of the message is entered in the SMS User Action dialog box. The recipient must have a Mobile Number and Mobile Provider configured.

%host%

Allows you to include information specific to the non-compliant host in the email or SMS alert message.

For example, this message:

The system referenced below has been found at risk. Please contact your Help Desk for assistance in remediating this issue. %host%

is displayed as:

The system referenced below has been found at risk. Please contact your Help Desk for assistance in remediating this issue:

Host:

Host Name: TestUser-MacBook-Pro-2

OS: macOS 10.7.5

Network Adapters:

Connected 3C:07:54:2A:88:6F,192.168.10.143,Concord-3750 Fa3/0/46

Disconnected 60:C5:47:8F:B1:66,192.168.4.70,Concord_Cisco_1131.example.com VLAN 4

%event%

Allows you to include information specific to the event in the email or SMS alert message.

For example, this message:

The system referenced below has been found at risk. Please contact your Help Desk for assistance in remediating this issue: %event%

is displayed as:

The system referenced below has been found at risk. Please contact your Help Desk for assistance in remediating this issue:

Host failed Test-Host

Tests:

Failed :: Anti-Virus :: ClamXav

MAC address: 3C:07:54:2A:88:6F

Last Known Adapter IP: 192.168.10.143

Host Location: Concord-3750 Fa3/0/46

. Remediation Delayed.

Port State Action

The port is disabled and then re-enabled after the specified time has passed.

Send Message to
Desktop

Send a text message to the desktop of a host(s) with the Persistent Agent or Mobile Agent installed.

Add or modify alarm mapping

  1. Select Logs > Event to Alarm Mappings.
  2. Click Add or double-click on an existing mapping to modify it.
  3. Refer to the table below for detailed information about each field.
  4. The new mapping is enabled by default. If you wish to disable it, remove the check mark from the Enabled check box.
  5. In the Apply To section, select the element affected by this mapping. You can apply mappings to all elements, a single group of elements, or specific elements.

    Available selections vary depending upon the selected trigger event.

  6. Click the box and select an element from the drop-down list.
  7. If you choose to Apply To a Group, you can select a group from the list or use the icons next to the group field to add a new group or modify the group shown in the drop-down list. Note that if you modify a group, it is modified for all features that make use of that group. See Add groups for additional information.
  8. Select the Notify Users settings.
  9. If you choose to notify users, you can select an admin group from the list or use the icons next to the Group field to add a new group or modify the group shown in the drop-down list. Note that if you modify a group, it is modified for all features that make use of that group. See Add groups for additional information.
  10. Select the Trigger Rule for the event from the drop-down list. Rules determine when an Event triggers the creation of an Alarm.
  11. If you enable the Action option, select the action to take when the event occurs and the alarm is asserted. These are basic actions that FortiNAC executes on a given alarm.
  12. Action parameters display. Select the Primary Task from the drop-down list.
  13. For some actions there is a secondary task. If desired, click the Enable box in the Run Secondary Task section, select Min, Hr, or Day and enter the corresponding value.
  14. Click OK. The new mapping is saved and appears in the Event/Alarm Map View.
Settings

Field

Definition

Alarm definition

Enabled

If checked, the alarm mapping is enabled. Default = Enabled.

Trigger Event

Event that causes the alarm. Whenever this event occurs, its associated alarm is generated. The alarm is automatically listed when you select the event.

Alarm to Assert

The alarm generated when the event occurs.

Severity

Sets the severity of the alarm. Select one of the values from the drop-down list: Critical, Informational, Minor, and Warning. This value may be changed for existing Alarm and Event mappings.

Clear on Event

To automatically clear the alarm when a specific event occurs, select this check box. Select the event that, when generated, causes this alarm to be removed.

If you leave the check box unchecked, you must manually clear the alarm.

Default = Unchecked (Disabled)

Send Alarm to External Log Hosts

The alarm is sent to an external log host when the trigger event occurs, select this check box. See Log receivers for details on configuring an external log host.

Default = Unchecked (Disabled)

Send Alarm to Custom Script

You can specify a particular command line script to be executed when this alarm is triggered. These command line scripts are for advanced use, such as administrator-created Perl scripts.

First, write the script that is to be used as the alarm action. Store the script in this directory: /home/cm/scripts

If there are no scripts in the directory, this field is not available. Click the check box to enable the option and select the correct script from the drop-down list.

The arguments that are automatically passed to the script are as follows:

  • type: EndStation. User or network device
  • name: name of element
  • ip: IP address
  • mac: MAC address
  • user: userID
  • msg: email message from alarm

Apply To

  • All: Applies this mapping to all elements.
  • Group: Applies this mapping to a single group of elements.
  • Specific: Applies this mapping to the element that you select from a list.

Notify users

Notify

If checked, the administrators in the selected group are notified when an alarm occurs.

Send Email

If checked, the administrators in the selected group are sent an email when the alarm occurs. Administrators must have an email address configured in the Modify User dialog to receive this email.

Send SMS

If checked, the administrators in the selected group are sent an SMS message when an alarm occurs. Administrators must have a Mobile Number and Mobile Provider configured to receive this SMS message.

Trigger rules

One Event to One Alarm

Every occurrence of the event generates a unique alarm.

All Events to One Alarm

The first occurrence of the event generates a unique alarm. Each subsequent occurrence of the event does not generate an alarm, as long as the alarm persists when subsequent events occur.

When the alarm clears, the next occurrence of the event generates another unique alarm.

Event Frequency

The number of the occurrences of the event generated by the same element within a user specified amount of time determines the generation of a unique alarm. Settings are updated when the Action is configured.

Example:

Assume the host connected event is mapped to an alarm and the frequency is set to 3 times in 10 minutes.

  • Host A connects 3 times in 10 minutes and the alarm is triggered.
  • Host A connects 2 times and host B connects 2 times, there are 4 connections in 10 minutes. No alarm is generated because the hosts are different.
  • Host A connects at minutes 1, 8 and 12. No alarm is triggered because the host did not connect 3 times in 10 minutes.
  • Host A connects at minutes 1, 8, 12, and 14. An alarm is triggered because connections at minutes 8, 12 and 14 fall within the 10 minute sliding window.

Event Lifetime

The duration of an alarm event without a clearing event within a specified time, determines the generation of a unique alarm.

Example:

Event A occurs. If Event B (clear event) does not occur within the specified time, an alarm is generated.

Actions

Action

If checked, the selected action is taken when the alarm mapping is active and the alarm is asserted.

Host Access Action

Host is disabled and then re-enabled after the specified time has passed.

Host Role

The host's role is changed and then set back to the original role after the specified time has passed. Roles are attributes of the host and are used as filters in user/host profiles. Those profiles determine which network access policy, endpoint compliance policy or Supplicant EasyConnect Policy to apply.

If roles are based on a user's attribute from your LDAP or Active Directory, this role change is reversed the next time the directory and the FortiNAC database resynchronize.

Host Security Action

Host is set At Risk and then set to Safe after the specified time has passed.

Command Line Script

You can specify a particular command line script to be executed as an alarm action. These command line scripts are for advanced use, such as administrator-created Perl scripts.

First, write the script that is to be used as the alarm action. Store the script in this directory: /home/cm/scripts

The IP and MAC address arguments that are automatically passed to the script are in the format shown in this example:

/home/cm/scripts/testScript 192.168.10.1 00:00:00:00:00:00

Email User Action

An email is sent to the user associated with the host. The text of the email is entered in the Email Host Action dialog box.

HTML tags may be added to text within the content of the email in order to format the text, convert the text to a link, etc.

For example, you can add the <b> and tags to text in the Email message window to bold the selected text in the recipient's email message.

SMS User Action

An SMS Message is sent to the user associated with the host. The text of the message is entered in the SMS User Action dialog box. The recipient must have a Mobile Number and Mobile Provider configured.

%host%

Allows you to include information specific to the non-compliant host in the email or SMS alert message.

For example, this message:

The system referenced below has been found at risk. Please contact your Help Desk for assistance in remediating this issue. %host%

is displayed as:

The system referenced below has been found at risk. Please contact your Help Desk for assistance in remediating this issue:

Host:

Host Name: TestUser-MacBook-Pro-2

OS: macOS 10.7.5

Network Adapters:

Connected 3C:07:54:2A:88:6F,192.168.10.143,Concord-3750 Fa3/0/46

Disconnected 60:C5:47:8F:B1:66,192.168.4.70,Concord_Cisco_1131.example.com VLAN 4

%event%

Allows you to include information specific to the event in the email or SMS alert message.

For example, this message:

The system referenced below has been found at risk. Please contact your Help Desk for assistance in remediating this issue: %event%

is displayed as:

The system referenced below has been found at risk. Please contact your Help Desk for assistance in remediating this issue:

Host failed Test-Host

Tests:

Failed :: Anti-Virus :: ClamXav

MAC address: 3C:07:54:2A:88:6F

Last Known Adapter IP: 192.168.10.143

Host Location: Concord-3750 Fa3/0/46

. Remediation Delayed.

Port State Action

The port is disabled and then re-enabled after the specified time has passed.

Send Message to
Desktop

Send a text message to the desktop of a host(s) with the Persistent Agent or Mobile Agent installed.