Fortinet Document Library

Version:


Table of Contents

About FortiGate for AWS

Deploying FortiGate on AWS

Deploying auto scaling on AWS

Single FortiGate-VM Deployment

Use Case: High Availability for FortiGate on AWS

Security Fabric Connector Integration with AWS

Resources

Upgrade Path Tool
6.0.0
Copy Link

Configuring an example automation stitch

Let's try creating an example automation stitch with a simple pipeline. The example pipeline is as follows:

  1. When an event log is created due to a successful login to the FortiGate,
  2. Pick up one of the key-value pairs that FortiGate sends to the API gateway
  3. Invoke its AWS Lambda script, and, as an action, output the value on CloudWatch

Other actions you may want to configure include quarantining an EC2 instance by applying a different security group, renaming an EC2 tag, and so on. You can configure a variety of actions as fits your deployment scenario.

For this example, do the following:

  1. Create an automation stitch by completing all steps in Creating an automation stitch.
  2. Under Trigger, select Event Log.
  3. In the Event dropdown list, select Admin Login Successful.
  4. You must know what elements FortiGate sends with the event log and what to pick on the Lambda script. Make the example event happen by logging into the FortiGate successfully as an admin user. Log out of the FortiGate, then log in again. You see the corresponding event log.
  5. View the resulting logs:
    1. Go to Log & Report > System Events. Find the desired event log.

    2. Download the log as a file. You can filter logs as shown below.

    3. Open the SystemEventLog-disk-<date/time/number>.log file in a text editor. It should look as below.

      date=2018-08-29 time=15:56:13 logid="0100032001" type="event" subtype="system" level="information" vd="root" eventtime=1535583373 logdesc="Admin login successful" sn="15355xyz73" user="admin" ui="https(208.xx.yy.1)" method="https" srcip=208.xx.yy.1 dstip=192.168.1.15 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(208.xx.yy.1)"

      You have a rough idea about what elements can be picked. Raw JSON data looks as follows:

      { email: 'your_email@xyz.com',

      data:

      { stitch: 'Your Stitch Name',

      actions: [ [Object] ],

      eventtype: 'logid',

      sn: 'Serial Number of your FortiGate',

      time: 1535587464,

      rawlog:

      { date: '2018-08-29',

      time: '17:04:24',

      logid: '0100032001',

      type: 'event',

      subtype: 'system',

      level: 'information',

      vd: 'root',

      eventtime: '1535587464',

      logdesc: 'Admin login successful',

      sn: 'xyz',

      user: 'admin',

      ui: 'https(FortiGate IP address)',

      method: 'https',

      srcip: 'FortiGate IP address',

      dstip: '10.10.1.12',

      action: 'login',

      status: 'success',

      reason: 'none',

      profile: 'super_admin',

      msg: 'Administrator admin logged in successfully from https(FortiGate IP address)'

      }

      }

      }

    4. You can pick available key-value pairs in your AWS Lambda code. In this particular event log, useful keys include stitch / date /time / vd / logdesc / user / ui / method / srcip / dstip / action / status / profile / msg.
    5. You can see all JSON logs sent by FortiGate on CloudWatch Log by entering the following line in the Lambda code:

      console.log(JSON.parse(event.body));

  6. Now, as an example, let's pick user: 'admin' and srcip: '208.xx.yy.1'. Here is the Lambda script:

    'use strict';

    var AWS = require('aws-sdk');

    exports.handler = function(event, context, callback) {

    let body = JSON.parse(event.body);

    var usr = body.data.rawlog.user;

    var sourceip = body.data.rawlog.srcip;

    // Write your automation scripts below

    // .... Actions ....

    console.log('Hello My Friend, ', usr, '@', sourceip, '!');

    callback();

    };

    This is what the Lambda script looks like:

  7. Save the script.
  8. Log out of the FortiGate, then log in again as an administrator. This triggers the event log. The Lambda code is invoked, and CloudWatch Log shows something like the following:

Resources

Configuring an example automation stitch

Let's try creating an example automation stitch with a simple pipeline. The example pipeline is as follows:

  1. When an event log is created due to a successful login to the FortiGate,
  2. Pick up one of the key-value pairs that FortiGate sends to the API gateway
  3. Invoke its AWS Lambda script, and, as an action, output the value on CloudWatch

Other actions you may want to configure include quarantining an EC2 instance by applying a different security group, renaming an EC2 tag, and so on. You can configure a variety of actions as fits your deployment scenario.

For this example, do the following:

  1. Create an automation stitch by completing all steps in Creating an automation stitch.
  2. Under Trigger, select Event Log.
  3. In the Event dropdown list, select Admin Login Successful.
  4. You must know what elements FortiGate sends with the event log and what to pick on the Lambda script. Make the example event happen by logging into the FortiGate successfully as an admin user. Log out of the FortiGate, then log in again. You see the corresponding event log.
  5. View the resulting logs:
    1. Go to Log & Report > System Events. Find the desired event log.

    2. Download the log as a file. You can filter logs as shown below.

    3. Open the SystemEventLog-disk-<date/time/number>.log file in a text editor. It should look as below.

      date=2018-08-29 time=15:56:13 logid="0100032001" type="event" subtype="system" level="information" vd="root" eventtime=1535583373 logdesc="Admin login successful" sn="15355xyz73" user="admin" ui="https(208.xx.yy.1)" method="https" srcip=208.xx.yy.1 dstip=192.168.1.15 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(208.xx.yy.1)"

      You have a rough idea about what elements can be picked. Raw JSON data looks as follows:

      { email: 'your_email@xyz.com',

      data:

      { stitch: 'Your Stitch Name',

      actions: [ [Object] ],

      eventtype: 'logid',

      sn: 'Serial Number of your FortiGate',

      time: 1535587464,

      rawlog:

      { date: '2018-08-29',

      time: '17:04:24',

      logid: '0100032001',

      type: 'event',

      subtype: 'system',

      level: 'information',

      vd: 'root',

      eventtime: '1535587464',

      logdesc: 'Admin login successful',

      sn: 'xyz',

      user: 'admin',

      ui: 'https(FortiGate IP address)',

      method: 'https',

      srcip: 'FortiGate IP address',

      dstip: '10.10.1.12',

      action: 'login',

      status: 'success',

      reason: 'none',

      profile: 'super_admin',

      msg: 'Administrator admin logged in successfully from https(FortiGate IP address)'

      }

      }

      }

    4. You can pick available key-value pairs in your AWS Lambda code. In this particular event log, useful keys include stitch / date /time / vd / logdesc / user / ui / method / srcip / dstip / action / status / profile / msg.
    5. You can see all JSON logs sent by FortiGate on CloudWatch Log by entering the following line in the Lambda code:

      console.log(JSON.parse(event.body));

  6. Now, as an example, let's pick user: 'admin' and srcip: '208.xx.yy.1'. Here is the Lambda script:

    'use strict';

    var AWS = require('aws-sdk');

    exports.handler = function(event, context, callback) {

    let body = JSON.parse(event.body);

    var usr = body.data.rawlog.user;

    var sourceip = body.data.rawlog.srcip;

    // Write your automation scripts below

    // .... Actions ....

    console.log('Hello My Friend, ', usr, '@', sourceip, '!');

    callback();

    };

    This is what the Lambda script looks like:

  7. Save the script.
  8. Log out of the FortiGate, then log in again as an administrator. This triggers the event log. The Lambda code is invoked, and CloudWatch Log shows something like the following: