Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    Home FortiWeb 8.0.3 CLI Reference
    8.0.3
    8.0.3
    8.0.2
    8.0.1
    8.0.0
    7.6.7
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.1
    7.6.0
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.3.23
    6.2.8
    6.1.4
    5.7.0
    5.6.1
    5.6.0

    system automation-trigger

    system automation-trigger

    Use this command to configure the triggers in the Automation feature.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the mntgrp area. For details, see Permissions.

    Syntax

    config system automation-trigger

    edit <trigger_name>

    set comments <string>

    set trigger-type {event-based | schedule}

    set event-type {HA | event-log | fds-updated | high-cpu | licensed-expired | local-cert-expire | low-memory | reboot}

    set trigger-frequency {daily | hourly | monthly | weekly}

    set trigger-hour <integer>

    set trigger-minute <integer>

    set use-rolling-window {enable | disable}

    set rolling-window <integer>

    set occurrence-number <integer>

    set logid <int>

    config fields

    edit <index>

    set name <string>

    set value <string>

    next

    end

    next

    end
    Variable Description Default

    <trigger_name>

    		 Enter a name for the trigger. No default.

    comments <string>

    Enter a description for the trigger.

    		 No default.

    trigger-type {event-based | schedule}

    		 Select whether the trigger is initiated by a specific system event or according to a defined time schedule. event-based

    event-type {HA | event-log | fds-updated | high-cpu | licensed-expired | local-cert-expire | low-memory | reboot}

    Select the type of the event for the trigger. FortiWeb will take action when the specified event occurs.

    • HA: Triggers when high-availability events occur.

    • event-log: Triggers when the system generates specific event or attack logs.

    • fds-updated: Triggers when a FortiGuard Database update occurs.

    • high-cpu: Triggers when CPU usage exceeds the configured threshold.

    • license-expired: Triggers when the system license expires.

    • local-cert-expire: Triggers when a local certificate is nearing expiration.

    • low-memory: Triggers when available memory drops below the threshold.

    • reboot: Triggers when the system reboots.

    No default.

    trigger-frequency {daily | hourly | monthly | weekly}

    Select the recurrence interval for a schedule-based trigger.

    daily

    trigger-hour <integer>

    Specify the hour of the day (0–23) for the trigger to execute.

    1

    trigger-minute <integer>

    Specify the minute of the hour (0–59) for the trigger to execute.

    0

    The following parameters configure the Rolling Window that enables frequency-based control for specific automation triggers. Instead of an action firing every time a single event is detected, the trigger only activates if a specific number of occurrences are recorded within a defined time interval. This mechanism is essential for mitigating "alert flooding" in scenarios such as sustained attacks or high-frequency log generations.

    The following trigger types are supported:

    • low-memory (Low memory)

    • HA (HA failover)

    • high-cpu (High CPU)

    • local-cert-expire (Local Certificate Expired)

    • fds-updated (FDS DB updates)

    use-rolling-window {enable | disable}

    		 Enables or disables the frequency-based threshold mechanism for the selected trigger. When disabled, the automation fires immediately every time the trigger condition is met.

    disable

    rolling-window <integer>

    		 Specifies the time interval, in seconds, during which FortiWeb monitors and counts trigger events. If the timer expires before the occurrence threshold is reached, the system resets the count and timer to zero. The valid range is 1 to 3,600 seconds.

    300

    occurrence-number <integer>

    		 Sets the specific number of times a trigger condition must be met within the Rolling Window Time (use-rolling-window) before the action is initiated. Once this threshold is reached, the action triggers, and both the counter and timer reset. The valid range is 1 to 3,600 seconds.

    300

    If the event-type is event-log, define the following parameters:

    logid

    Enter the id of the event log.

    No default.

    <index>

    Enter the index of the filter to filter out specific event logs.

    No default.

    name <string>

    The name of the log field to be used to filter out certain logs.

    No default.

    value <string>

    The value of the log field to be used to filter out certain logs.

    No default.

    Related topics

    Previous
    Next

    system automation-trigger

    system automation-trigger

    Use this command to configure the triggers in the Automation feature.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the mntgrp area. For details, see Permissions.

    Syntax

    config system automation-trigger

    edit <trigger_name>

    set comments <string>

    set trigger-type {event-based | schedule}

    set event-type {HA | event-log | fds-updated | high-cpu | licensed-expired | local-cert-expire | low-memory | reboot}

    set trigger-frequency {daily | hourly | monthly | weekly}

    set trigger-hour <integer>

    set trigger-minute <integer>

    set use-rolling-window {enable | disable}

    set rolling-window <integer>

    set occurrence-number <integer>

    set logid <int>

    config fields

    edit <index>

    set name <string>

    set value <string>

    next

    end

    next

    end
    Variable Description Default

    <trigger_name>

    		 Enter a name for the trigger. No default.

    comments <string>

    Enter a description for the trigger.

    		 No default.

    trigger-type {event-based | schedule}

    		 Select whether the trigger is initiated by a specific system event or according to a defined time schedule. event-based

    event-type {HA | event-log | fds-updated | high-cpu | licensed-expired | local-cert-expire | low-memory | reboot}

    Select the type of the event for the trigger. FortiWeb will take action when the specified event occurs.

    • HA: Triggers when high-availability events occur.

    • event-log: Triggers when the system generates specific event or attack logs.

    • fds-updated: Triggers when a FortiGuard Database update occurs.

    • high-cpu: Triggers when CPU usage exceeds the configured threshold.

    • license-expired: Triggers when the system license expires.

    • local-cert-expire: Triggers when a local certificate is nearing expiration.

    • low-memory: Triggers when available memory drops below the threshold.

    • reboot: Triggers when the system reboots.

    No default.

    trigger-frequency {daily | hourly | monthly | weekly}

    Select the recurrence interval for a schedule-based trigger.

    daily

    trigger-hour <integer>

    Specify the hour of the day (0–23) for the trigger to execute.

    1

    trigger-minute <integer>

    Specify the minute of the hour (0–59) for the trigger to execute.

    0

    The following parameters configure the Rolling Window that enables frequency-based control for specific automation triggers. Instead of an action firing every time a single event is detected, the trigger only activates if a specific number of occurrences are recorded within a defined time interval. This mechanism is essential for mitigating "alert flooding" in scenarios such as sustained attacks or high-frequency log generations.

    The following trigger types are supported:

    • low-memory (Low memory)

    • HA (HA failover)

    • high-cpu (High CPU)

    • local-cert-expire (Local Certificate Expired)

    • fds-updated (FDS DB updates)

    use-rolling-window {enable | disable}

    		 Enables or disables the frequency-based threshold mechanism for the selected trigger. When disabled, the automation fires immediately every time the trigger condition is met.

    disable

    rolling-window <integer>

    		 Specifies the time interval, in seconds, during which FortiWeb monitors and counts trigger events. If the timer expires before the occurrence threshold is reached, the system resets the count and timer to zero. The valid range is 1 to 3,600 seconds.

    300

    occurrence-number <integer>

    		 Sets the specific number of times a trigger condition must be met within the Rolling Window Time (use-rolling-window) before the action is initiated. Once this threshold is reached, the action triggers, and both the counter and timer reset. The valid range is 1 to 3,600 seconds.

    300

    If the event-type is event-log, define the following parameters:

    logid

    Enter the id of the event log.

    No default.

    <index>

    Enter the index of the filter to filter out specific event logs.

    No default.

    name <string>

    The name of the log field to be used to filter out certain logs.

    No default.

    value <string>

    The value of the log field to be used to filter out certain logs.

    No default.

    Related topics

    Previous
    Next