Configuring automations, triggers, and actions in the CLI

This section explains how to create an automation and expands on the CLI syntax shown in the introduction, including how to create both a trigger and an action.

To enable the Security Fabric - CLI:

config system csf
    set status enable
end

To create an "automation-stitch" - CLI:

config system automation-stitch
    edit <Automation-stitch-name>
        set status {enable | disable}
        set trigger <trigger-name>
        set action <action-name>
        set destination <serial-number>
    next
end

Where the following variables are set:

Variable: edit <Automation-stitch-name>
Description: Enter the name of the new automation.
Default: No default

Variable: set status {enable | disable}
Description: Enter enable to enable the stitch.
Default: Enable

Variable: set trigger <trigger-name>
Description: Enter a trigger.
Default: No default

Variable: set action <action-name>
Description: Enter at least one action you want to occur when a trigger event or schedule occurs.
Default: No default

Variable: set destination <serial-number>
Description: The destination can be set to a list of device serial numbers separated by spaces, or left blank to use all members of the Security Fabric. Automation stitches are only applied to serial numbers listed in the destination.
Default: All FortiGates

To create an "automation-action" - CLI:

config system automation-action
    edit <action-name>
        set action-type {email | ios-notification | alert | disable-ssid | quarantine | quarantine-forticlient | ban-ip | aws-lambda | webhook}
        set email-to <email-address>
        set email-subject <subject-name>
        set minimum-interval <seconds>
    next
end

Where the following variables are set:

Variable: edit <Automation-action-name>
Description: Enter the name of the new automation action.
Default: No default

Variable: set action-type
Description: Select an action type from the following: email, ios-notification, alert, disable-ssid, quarantine, quarantine-forticlient, ban-ip, aws-lambda, or webhook.
Default: No default

Variable: set email-to <email-address>
Description: Enter the email address at which you would like to receive alert notifications. You can add multiple emails by selecting the + icon.
Default: No default

Variable: set email-subject <subject-name>
Description: Enter the email subject that you would like to see on your email notification alerts.
Default: No default

Variable: set minimum-interval
Description: Enter a minimum time interval from 0 to 2592000 seconds, during which a repeat offense of an action will be ignored to help avoid repeat alerts.
Default: 0 seconds

To create an "automation-trigger" - CLI:

config system automation-trigger
    edit <trigger-name>
        set trigger-type {event-based | scheduled}
        set event-type {ioc | event-log | reboot | low-memory | high-cpu | license-near-expiry | ha-failover | config-change}
        set ioc-level {medium | high}
        set logid [1-99999]
        set license-type {forticare-support | fortiguard-webfilter | fortiguard-antispam | fortiguard-antivirus | fortiguard-ips | fortiguard-management | forticloud}
        set trigger-frequency {hourly | daily | weekly | monthly}
        set trigger-day <1-31>
        set trigger-hour <0-23>
        set trigger-minute <0-60>
    next
end

Where the following variables are set:

Variable: edit <automation-trigger-name>
Description: Enter the name of the new trigger.
Default: No default

Variable: set event-type
Description: Select the event type from the following:
  • ioc
  • event-log
  • reboot
  • low-memory
  • high-cpu
  • license-near-expiry
  • ha-failover
  • config-change
Default: No default

Variable: set ioc-level
Description: Set the IOC level to medium or high, where:
  • medium sends alerts for both medium and high IOC levels.
  • high only sends alerts for high IOC levels.
NOTE: Only available when event-type is set to ioc.
Default: No default

Variable: set logid
Description: Log ID to trigger event. Value from
NOTE: Only available when event-type is set to event-log.
Default: No default

Variable: set license-type
Description: Select the license type that you would like to be notified of in the event of expiry. The options include:
  • forticare-support (FortiCare support license)
  • fortiguard-webfilter (FortiGuard web filter license)
  • fortiguard-antispam (FortiGuard antispam license)
  • fortiguard-antivirus (FortiGuard AntiVirus license)
  • fortiguard-ips (FortiGuard IPS license)
  • fortiguard-management (FortiGuard management service license)
  • forticloud (FortiCloud license)
NOTE: Only available when event-type is set to license-near-expiry.
Default: No default

Variable: set trigger-type
Description: Enter the trigger type as either event-based or scheduled.
Default: No default

Variable: set trigger-frequency
Description: How often the trigger is run. The options for the scheduled trigger frequency are the following: hourly, daily, weekly, or monthly.
NOTE: Only available when trigger-type is set to scheduled.
Default: Daily

Variable: set trigger-day
Description: Enter an integer value from 1 to 31. This is the day within the month to trigger.
Default: No default

Variable: set trigger-hour
Description: Enter the hour of the day on which to trigger, from 0 to 23.
NOTE: Only available when trigger-type is set to scheduled.
Default: 1

Variable: set trigger-minute
Description: Enter the minute of the hour on which to trigger (0 - 59, 60 to randomize).
Default: No default

Note: See CPU and memory thresholds for information on customizing the CPU and memory use thresholds.
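
The following Python sketch is an added example, not part of the original documentation: it checks automation-trigger entries against the value ranges and "Only available when" notes listed above, which is useful when reviewing a configuration before it is pushed to a device. The function names, entry names, and sample configuration are assumptions made for illustration, and the parser handles only simple edit/set/next blocks.

```python
# Ranges and "Only available when ..." notes, as stated in the tables above.
RANGES = {"logid": (1, 99999), "trigger-day": (1, 31),
          "trigger-hour": (0, 23), "trigger-minute": (0, 60)}
# setting -> (controlling setting, value the controlling setting must have)
REQUIRES = {"ioc-level": ("event-type", "ioc"),
            "logid": ("event-type", "event-log"),
            "license-type": ("event-type", "license-near-expiry"),
            "trigger-frequency": ("trigger-type", "scheduled"),
            "trigger-hour": ("trigger-type", "scheduled")}

def parse_entries(text):
    """Return {entry name: {setting: value}} for each 'edit ... next' block."""
    entries, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] == "edit":
            current = entries.setdefault(words[1].strip('"'), {})
        elif len(words) >= 3 and words[0] == "set" and current is not None:
            current[words[1]] = " ".join(words[2:]).strip('"')
        elif words and words[0] in ("next", "end"):
            current = None  # settings outside an entry are ignored
    return entries

def lint_triggers(text):
    """Return one finding per rule broken by an automation-trigger entry."""
    findings = []
    for name, cfg in parse_entries(text).items():
        for key, (ctrl, needed) in REQUIRES.items():
            if key in cfg and cfg.get(ctrl) != needed:
                findings.append(f"{name}: {key} requires {ctrl} {needed}")
        for key, (lo, hi) in RANGES.items():
            if key in cfg and not (cfg[key].isdecimal() and lo <= int(cfg[key]) <= hi):
                findings.append(f"{name}: {key} {cfg[key]} is outside {lo}-{hi}")
    return findings

# Constructed sample input: entry names and values are made up for illustration.
SAMPLE = """config system automation-trigger
    edit "ioc-high"
        set trigger-type event-based
        set event-type ioc
        set ioc-level high
    next
    edit "nightly"
        set trigger-type scheduled
        set trigger-hour 24
        set logid 32002
    next
end"""
print("\n".join(lint_triggers(SAMPLE)))
```

In the sample, the "ioc-high" entry passes, while "nightly" is flagged twice: logid is set without event-type event-log, and trigger-hour is outside 0-23.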

Setting up an automation destination

The config system automation-destination command lets you define a destination whose type is either a single FortiGate or the primary FortiGate of an HA cluster. Both types of endpoint require the destination to be set by serial number. Then you can add the destination to any automation stitch. For more information on how to configure an HA cluster as the automation destination, see the High Availability Handbook.

To set an automation destination:

config system automation-destination
    edit <name>
        set type {fortigate | ha-cluster}
        set destination <serial_number>
        set ha-group-id <number>
    next
end

Then you can add the destination to any automation stitch:

config system automation-stitch
    edit <stitch-name>
        set destination <destination-name>
end