Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiProxy 7.2.10 Administration Guide
    7.2.10
    7.6.0
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.0
    7.0.19
    7.0.17
    7.0.0
    2.0.0
    1.2.0
    1.1.0
    1.0.0

    Webhook action

    Webhook action

    The webhook automation stitch action makes HTTP and HTTPS requests to a specified server, with custom headers, bodies, ports, and methods. It can be used to leverage the ubiquity of HTML requests and APIs to integrate with other tools.

    Tooltip

    The URI and HTTP body can use parameters from logs or previous action results. Wrapping the parameter with %% will replace the expression with the JSON value for the parameter, for example: %%results.source%% is the source property from the previous action.

    In this example, a specific log message (failed administrator log in attempt) triggers the FortiProxy to send the contents of the log to a server. The server responds with a generic reply. This example assumes that the server is already configured and able to communicate with the FortiProxy.

    To configure the webhook automation stitch in the GUI:

    1. Go to Security Fabric > Automation and click Create New.

    2. Enter the stitch name (badLogin).

    3. Configure the trigger:

      1. Click Add Trigger.

      2. Click Create and select FortiProxy Event Log.

      3. Enter the following:

        Name

        badLogin

        Event

        Admin login failed

      4. Click OK.

      5. Select the trigger in the list and click Apply.

    4. Configure the automation stitch action:

      1. Click Add Action.

      2. Click Create and select Webhook.

      3. Enter the following:

        Name

        Send Log To Server

        Protocol

        HTTP

        URL

        172.16.200.44

        Custom port

        Enable and enter 80

        Method

        POST

        HTTP body

        %%log%%

        HTTP header

        Header : 1st Action

      4. Click OK.

      5. Select the action in the list and click Apply.

    5. Click OK.

    To configure the webhook automation stitch in the CLI:

    1. Create an automation trigger:

      config system automation-trigger
    edit "badLogin"
        set event-type event-log
        set logid 32002
    next
end

    2. Create the automation action:

      config system automation-action
    edit "Send Log To Server"
        set action-type webhook
        set uri "172.16.200.44"
        set http-body "%%log%%"
        set port 80
        config http-headers
            edit 1
                set key "Header"
                set value "1st Action"
            next
        end
    next
end

    3. Create the automation stitch:

      config system automation-stitch
    edit "badLogin"
        set trigger "badLogin"
        config actions
            edit 1
                set action "Send Log To Server"
                set required enable
            next
        end
    next
end
    To test the automation stitch:

    1. Attempt to log in to the FortiProxy with an incorrect username or password.

    2. On the server, check the log to see that its contents were sent by the FortiProxy.

      The body content is replaced with the log from the trigger.

    3. On the FortiProxy, go to Log & Report > Events and select System Events to confirm that the stitch was activated.

    4. Go to Security Fabric > Automation to see the last time that the stitch was triggered.

    Diagnose commands

    To enable log dumping:
    # diagnose test application autod 1
autod dumped total:1 logs, num of logids:1
autod log dumping is enabled

vdom:root(0) logid:32002 len:408 log:
date=2019-05-30 time=17:41:03 logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1559263263858888451 tz="-0700" logdesc="Admin login failed" sn="0" user="admin" ui="http(10.6.30.254)" method="http" srcip=10.6.30.254 dstip=10.6.30.5 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from http(10.6.30.254) because of invalid password"
autod log dumping is disabled

autod logs dumping summary:
        logid:32002 count:1

autod dumped total:1 logs, num of logids:1
    To show the automation settings:
    # diagnose test application autod 2
csf: enabled 	root:yes
total stitches activated: 2
 
stitch: badLogin
	destinations: all
	trigger: badLogin
 
	local hit: 6 relayed to: 6 relayed from: 6
	actions:
		Send Log To Server type:webhook interval:0
			delay:0 required:no
			proto:0 method:0 port:80
			uri: 172.16.200.44
			http body: %%log%%
			headers:
			0. Header:1st Action
    To show the automation statistics:
    # diagnose test application autod 3

stitch: badLogin 
 
	local hit: 1 relayed to: 1 relayed from: 1
	last trigger:Tue Sep 13 13:25:09 2022
	last relay:Tue Sep 13 13:25:09 2022
 
	actions:
		Send Log To Server:
			done: 1 relayed to: 1 relayed from: 1
			last trigger:Tue Sep 13 13:25:09 2022
			last relay:Tue Sep 13 13:25:09 2022

logid2stitch mapping:
id:32002  local hit: 3 relayed to: 3 relayed from: 3
	badLogin
 
action run cfg&stats:
total:55 cur:0 done:55 drop:0
	email:
		flags:10
		stats: total:4 cur:0 done:4 drop:0
	fortiexplorer-notification:
		flags:1
		stats: total:0 cur:0 done:0 drop:0
	alert:
		flags:0
		stats: total:0 cur:0 done:0 drop:0
	disable-ssid:
		flags:7
		stats: total:0 cur:0 done:0 drop:0
	quarantine:
		flags:7
		stats: total:0 cur:0 done:0 drop:0
	quarantine-forticlient:
		flags:4
		stats: total:0 cur:0 done:0 drop:0
	quarantine-nsx:
		flags:4
		stats: total:0 cur:0 done:0 drop:0
	ban-ip:
		flags:7
		stats: total:0 cur:0 done:0 drop:0
	aws-lambda:
		flags:11
		stats: total:21 cur:0 done:21 drop:0
	webhook:
		flags:11
		stats: total:6 cur:0 done:6 drop:0
	cli-script:
		flags:10
		stats: total:4 cur:0 done:4 drop:0
	azure-function:
		flags:11
		stats: total:0 cur:0 done:0 drop:0
	google-cloud-function:
		flags:11
		stats: total:0 cur:0 done:0 drop:0
	alicloud-function:
		flags:11
		stats: total:20 cur:0 done:20 drop:0
    Previous
    Next

    Webhook action

    Webhook action

    The webhook automation stitch action makes HTTP and HTTPS requests to a specified server, with custom headers, bodies, ports, and methods. It can be used to leverage the ubiquity of HTML requests and APIs to integrate with other tools.

    Tooltip

    The URI and HTTP body can use parameters from logs or previous action results. Wrapping the parameter with %% will replace the expression with the JSON value for the parameter, for example: %%results.source%% is the source property from the previous action.

    In this example, a specific log message (failed administrator log in attempt) triggers the FortiProxy to send the contents of the log to a server. The server responds with a generic reply. This example assumes that the server is already configured and able to communicate with the FortiProxy.

    To configure the webhook automation stitch in the GUI:

    1. Go to Security Fabric > Automation and click Create New.

    2. Enter the stitch name (badLogin).

    3. Configure the trigger:

      1. Click Add Trigger.

      2. Click Create and select FortiProxy Event Log.

      3. Enter the following:

        Name

        badLogin

        Event

        Admin login failed

      4. Click OK.

      5. Select the trigger in the list and click Apply.

    4. Configure the automation stitch action:

      1. Click Add Action.

      2. Click Create and select Webhook.

      3. Enter the following:

        Name

        Send Log To Server

        Protocol

        HTTP

        URL

        172.16.200.44

        Custom port

        Enable and enter 80

        Method

        POST

        HTTP body

        %%log%%

        HTTP header

        Header : 1st Action

      4. Click OK.

      5. Select the action in the list and click Apply.

    5. Click OK.

    To configure the webhook automation stitch in the CLI:

    1. Create an automation trigger:

      config system automation-trigger
    edit "badLogin"
        set event-type event-log
        set logid 32002
    next
end

    2. Create the automation action:

      config system automation-action
    edit "Send Log To Server"
        set action-type webhook
        set uri "172.16.200.44"
        set http-body "%%log%%"
        set port 80
        config http-headers
            edit 1
                set key "Header"
                set value "1st Action"
            next
        end
    next
end

    3. Create the automation stitch:

      config system automation-stitch
    edit "badLogin"
        set trigger "badLogin"
        config actions
            edit 1
                set action "Send Log To Server"
                set required enable
            next
        end
    next
end
    To test the automation stitch:

    1. Attempt to log in to the FortiProxy with an incorrect username or password.

    2. On the server, check the log to see that its contents were sent by the FortiProxy.

      The body content is replaced with the log from the trigger.

    3. On the FortiProxy, go to Log & Report > Events and select System Events to confirm that the stitch was activated.

    4. Go to Security Fabric > Automation to see the last time that the stitch was triggered.

    Diagnose commands

    To enable log dumping:
    # diagnose test application autod 1
autod dumped total:1 logs, num of logids:1
autod log dumping is enabled

vdom:root(0) logid:32002 len:408 log:
date=2019-05-30 time=17:41:03 logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1559263263858888451 tz="-0700" logdesc="Admin login failed" sn="0" user="admin" ui="http(10.6.30.254)" method="http" srcip=10.6.30.254 dstip=10.6.30.5 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from http(10.6.30.254) because of invalid password"
autod log dumping is disabled

autod logs dumping summary:
        logid:32002 count:1

autod dumped total:1 logs, num of logids:1
    To show the automation settings:
    # diagnose test application autod 2
csf: enabled 	root:yes
total stitches activated: 2
 
stitch: badLogin
	destinations: all
	trigger: badLogin
 
	local hit: 6 relayed to: 6 relayed from: 6
	actions:
		Send Log To Server type:webhook interval:0
			delay:0 required:no
			proto:0 method:0 port:80
			uri: 172.16.200.44
			http body: %%log%%
			headers:
			0. Header:1st Action
    To show the automation statistics:
    # diagnose test application autod 3

stitch: badLogin 
 
	local hit: 1 relayed to: 1 relayed from: 1
	last trigger:Tue Sep 13 13:25:09 2022
	last relay:Tue Sep 13 13:25:09 2022
 
	actions:
		Send Log To Server:
			done: 1 relayed to: 1 relayed from: 1
			last trigger:Tue Sep 13 13:25:09 2022
			last relay:Tue Sep 13 13:25:09 2022

logid2stitch mapping:
id:32002  local hit: 3 relayed to: 3 relayed from: 3
	badLogin
 
action run cfg&stats:
total:55 cur:0 done:55 drop:0
	email:
		flags:10
		stats: total:4 cur:0 done:4 drop:0
	fortiexplorer-notification:
		flags:1
		stats: total:0 cur:0 done:0 drop:0
	alert:
		flags:0
		stats: total:0 cur:0 done:0 drop:0
	disable-ssid:
		flags:7
		stats: total:0 cur:0 done:0 drop:0
	quarantine:
		flags:7
		stats: total:0 cur:0 done:0 drop:0
	quarantine-forticlient:
		flags:4
		stats: total:0 cur:0 done:0 drop:0
	quarantine-nsx:
		flags:4
		stats: total:0 cur:0 done:0 drop:0
	ban-ip:
		flags:7
		stats: total:0 cur:0 done:0 drop:0
	aws-lambda:
		flags:11
		stats: total:21 cur:0 done:21 drop:0
	webhook:
		flags:11
		stats: total:6 cur:0 done:6 drop:0
	cli-script:
		flags:10
		stats: total:4 cur:0 done:4 drop:0
	azure-function:
		flags:11
		stats: total:0 cur:0 done:0 drop:0
	google-cloud-function:
		flags:11
		stats: total:0 cur:0 done:0 drop:0
	alicloud-function:
		flags:11
		stats: total:20 cur:0 done:20 drop:0
    Previous
    Next