Administration Guide

Creating a trigger

Define the events that trigger the system to take actions. You can define a "FortiWeb Log" trigger event or use one of the pre-defined triggers, such as low memory, HA failover, and reboot.

FortiWeb supports the following triggers.

Trigger

Description

System triggers

Reboot

The "Reboot" trigger detects whether the system reboots.

Low memory

The "Low memory" trigger detects whether FortiWeb's available memory is less than the value specified in Log&Report > Log Config > Other Log Settings > Memory Utilization.
HA

The "HA" trigger detects whether the following HA events occur:

  • HA_SWITCH (Event log ID = 11004101)

  • HA_SYNC (Event log ID = 11004102)

  • HA_MEMBER (Event log ID = 11004103)

  • HA_REBOOT (Event log ID = 11004104)

  • HA_RESTORE_CONF (Event log ID = 11004105)

  • HA_RESTORE_IMG (Event log ID = 11004106)

  • HA_UPDATE (Event log ID = 11004107)

  • HA_MONITOR_PORT (Event log ID = 11004108)

High CPU

The "High CPU" trigger detects whether the CPU usage of FortiWeb is higher than the value specified in Log&Report > Log Config > Other Log Settings > CPU Utilization.

Refer to Use case: Real-time incident alerts for an example of the High CPU use case.

Local Certificate Expired

The Local Certificate is used to encrypt the HTTPS connections between:

  • Your users and FortiWeb;

  • FortiWeb and the back-end servers;

  • The admin users and FortiWeb's GUI

If a certificate expires, users see an invalid-certificate warning.

To avoid such warnings being displayed to users, you can use a "Local Certificate Expired" trigger to detect whether the certificates you have uploaded on the following pages are about to expire, and then renew them in time:

  • The CA tab on Server Objects > Certificates > CA.

  • The Local tab on Server Objects > Certificates > Local.

  • The Admin Cert Local tab on System > Admin > Certificates.

By default, FortiWeb does not log the certificate expiry event, so this trigger never fires. To use it, first run the following command to set the notification lead time, in days, to a value other than 0 (0 disables the check). FortiWeb then logs the expiry event that many days before a certificate expires.

config system global

set cert-expire-check-time <integer>

end

Refer to Use case: Expired SSL certificate management for an example of the use case.

License Expired

The "License Expired" trigger detects whether the FortiWeb license has expired.

Note that if FortiWeb is disconnected from the network for more than 48 hours, the "License Expired" event is also triggered, even though the license itself is still valid.

Refer to Example: Notification Message for the "License Expired" trigger for a suggested message to send when the "License Expired" trigger fires.

FDS DB updates

This trigger detects whether a FortiGuard Database (FDS DB) update occurs. The FortiGuard Database provides up-to-date threat intelligence.

When an FDS DB update occurs, go to the Signature Update Management tab on System > Config > FortiGuard. The newly added or updated signatures are listed there and are set to alert mode by default. Test the signatures first to ensure they don't produce false positives or block legitimate traffic. Once they are deemed safe, select the signature and click Approve.

Refer to Use case: Automated response to FortiGuard Database (FDS DB) updates for an example of the use case.

Miscellaneous triggers
FortiWeb Log

Use this trigger to initiate the automation action when the system writes certain event logs or attack logs.

Refer to the following use cases.

Schedule

Use this trigger to schedule FortiWeb to take certain actions on a recurring basis, for example, running get system status every Monday at 1 AM.

All the System triggers are pre-defined. You can only enter a name and description for them, so their configuration is not elaborated further here.

Advanced Settings

The Advanced Settings section provides options to fine-tune how and when a trigger's condition is evaluated, so that the resulting automation matches your operational requirements.

Rolling Window

The Rolling Window configuration enables frequency-based control for specific automation triggers. Instead of the action firing every time a single event is detected, the trigger only activates when a specified number of occurrences is recorded within a defined time interval. This mitigates alert flooding during sustained attacks or other periods of high-frequency log generation.

To configure these frequency controls, enable Advanced Settings within the trigger configuration page for the following supported trigger types:

  • Low memory

  • HA (HA failover)

  • High CPU

  • Local Certificate Expired

  • FDS DB updates

  • FortiWeb Log

Setting

Description

Rolling Window

Enables or disables the frequency-based threshold for the selected trigger. When disabled, the action fires immediately every time the trigger condition is met. Disabled by default.

Rolling Window Time

The time interval, in seconds, during which FortiWeb counts trigger events. If the timer expires before the occurrence threshold is reached, the count and timer are reset to zero. The valid range is 1 to 3,600 seconds; the default is 300 seconds.

Number of Occurrences

The number of times the trigger condition must be met within the Rolling Window Time before the action is initiated. Once this threshold is reached, the action fires and both the counter and timer are reset. The valid range is 1 to 3,600; the default is 300.

Note: Every automation trigger maintains its own independent timer and occurrence counter.

For high-volume attack logs, you might set a Rolling Window Time of 600 seconds with 600 Occurrences. Your automation action (such as an email alert or CLI script) then only fires when a threat reaches a significant, sustained frequency, filtering out noise from isolated events. Conversely, for rare events such as an HA failover or a certificate that is about to expire, an occurrence threshold above 1 means the action may never fire at all; for those triggers, leave the rolling window disabled or set Number of Occurrences to 1.
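As an added example, not code from the FortiWeb guide or from Fortinet, the following Python script models the Rolling Window semantics described above and matches events against the HA event log IDs listed earlier in this page. The key=value log-line format, the field names date, time, log_id and msg, the placeholder log_id 99999999 and the assumption that the window timer starts at the first counted event are all constructed for illustration.

```python
"""Rolling-window evaluation of a FortiWeb-style automation trigger.

Added example; not FortiWeb's own code. It models the Rolling Window
behaviour the guide describes: a matching event is counted, and the action
fires only once `occurrences` matches have been counted within
`window_seconds`; if the window elapses first, count and timer reset.
The key=value log lines, the field names (date, time, log_id, msg) and the
placeholder log_id 99999999 are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# HA event log IDs listed in the guide, mapped to their event names.
HA_EVENT_IDS: Dict[int, str] = {
    11004101: "HA_SWITCH",
    11004102: "HA_SYNC",
    11004103: "HA_MEMBER",
    11004104: "HA_REBOOT",
    11004105: "HA_RESTORE_CONF",
    11004106: "HA_RESTORE_IMG",
    11004107: "HA_UPDATE",
    11004108: "HA_MONITOR_PORT",
}

# Constructed sample log lines (format assumed; not captured from a device).
SAMPLE_LOGS: List[str] = [
    'date=2024-05-01 time=10:00:00 log_id=11004101 type=event msg="HA_SWITCH: member 2 became primary"',
    'date=2024-05-01 time=10:00:05 log_id=99999999 type=event msg="unrelated event (placeholder ID)"',
    'date=2024-05-01 time=10:02:00 log_id=11004103 type=event msg="HA_MEMBER: member 1 left the cluster"',
    'date=2024-05-01 time=10:02:30 log_id=11004101 type=event msg="HA_SWITCH: member 1 became primary"',
    'date=2024-05-01 time=10:02:40 log_id=11004102 type=event msg="HA_SYNC: configuration synchronized"',
]

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def event_time(fields: Dict[str, str]) -> int:
    """Epoch seconds from the date/time fields; UTC is assumed so the result is deterministic."""
    dt = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


@dataclass
class RollingWindowTrigger:
    name: str
    match_ids: Dict[int, str]          # log_id -> event name that this trigger matches
    window_seconds: int = 300          # Rolling Window Time, 1..3600
    occurrences: int = 300             # Number of Occurrences, 1..3600
    rolling_window: bool = True        # the Rolling Window toggle; off = fire on every match
    _count: int = field(default=0, init=False)
    _window_start: Optional[int] = field(default=None, init=False)

    def __post_init__(self) -> None:
        # Enforce the ranges the guide gives for both settings.
        for label, value in (("window_seconds", self.window_seconds), ("occurrences", self.occurrences)):
            if not 1 <= value <= 3600:
                raise ValueError(f"{label} must be within 1..3600, got {value}")

    def feed(self, ts: int, fields: Dict[str, str]) -> Optional[str]:
        """Offer one parsed log event; return the matched event name when the action should fire."""
        try:
            log_id = int(fields.get("log_id", ""))
        except ValueError:
            return None
        if log_id not in self.match_ids:
            return None
        if not self.rolling_window:
            return self.match_ids[log_id]
        # Assumed model: the timer starts at the first counted event of a window.
        # If that window has already elapsed, the stale count is discarded.
        if self._window_start is None or ts - self._window_start >= self.window_seconds:
            self._window_start = ts
            self._count = 0
        self._count += 1
        if self._count >= self.occurrences:
            # Threshold reached: fire once, then reset both counter and timer.
            self._count = 0
            self._window_start = None
            return self.match_ids[log_id]
        return None


def evaluate(lines: Iterable[str], trigger: RollingWindowTrigger) -> List[str]:
    """Replay log lines through a trigger; return the event names that fired the action."""
    fired: List[str] = []
    for line in lines:
        fields = parse_log_line(line)
        hit = trigger.feed(event_time(fields), fields)
        if hit is not None:
            fired.append(hit)
    return fired


if __name__ == "__main__":
    # Two HA events within 60 s fire once; with the window off, every HA event fires.
    print(evaluate(SAMPLE_LOGS, RollingWindowTrigger("ha-burst", HA_EVENT_IDS, 60, 2)))
    print(evaluate(SAMPLE_LOGS, RollingWindowTrigger("ha-any", HA_EVENT_IDS, rolling_window=False)))
```

Run as a script, the burst trigger (60-second window, 2 occurrences) fires once, on the HA_SWITCH at 10:02:30, because the HA_MEMBER event at 10:02:00 opened a fresh window; the HA_SWITCH at 10:00:00 was discarded when its window expired without a second match. The same stream with the rolling window disabled fires on all four HA events, which is the behaviour to expect when a rare event such as a failover must never be suppressed.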

The following sections describe how to create the two triggers that have more involved settings: FortiWeb Log and Schedule.

When a trigger fires, it is important to include enough information in the notification sent to your security or IT team for them to take appropriate action. Some example messages are provided for reference in Notification message examples.