Creating automation stitches

To create an automation, you set up a trigger event and one or more response actions that cause FortiOS to respond in a predetermined way. From the root FortiGate, you can set up triggers for event types such as compromised host, high CPU, and configuration changes. The automation launches actions in response, such as email alerts, FortiExplorer notifications, and webhooks. The Compromised Host trigger has additional actions, such as access layer quarantine and quarantine FortiClient via EMS.

To create and test an automation - GUI:
  1. Log in to the root FortiGate, and go to Security Fabric > Automation. Select Create New.
  2. Customize the stitch by selecting a Trigger event type and the corresponding Action that you would like to automate. You can configure multiple actions for the same event trigger.

Enter the following information:

Name: Enter a name for the new automation.
Status: Select Enabled to enable this automation.
FortiGate: From the drop-down menu, select the FortiGate device to apply this automation to, or select All FortiGates (default) to apply it to all.
Trigger: Select a Trigger from the following event types:

  • Compromised Host
      • Set IOC level threshold to Medium or High.
  • Event Log
      • Enter a Log ID.
  • Reboot
  • Conserve Mode
  • High CPU
  • License Expiry
      • Set the License type to one of the following: FortiCare Support, FortiGuard Web Filter, FortiGuard AntiSpam, FortiGuard AntiVirus, FortiGuard IPS, FortiGuard Management Service, or FortiCloud.
  • HA Failover
  • Configuration Changes
Action: If the Trigger event you select occurs, an alert is sent using the methods that you select here. Select at least one of the following Action types:

  • Email
      • Email subject: Enter an email subject.
      • To: Enter at least one email address. Select the plus + icon to add additional email addresses.
  • FortiExplorer Notification
  • AWS Lambda
  • Webhook

NOTE: When you set the trigger to Compromised Host, the following Actions are available:

  • Access Layer Quarantine
  • Quarantine FortiClient via EMS
  • IP Ban
Minimum interval (seconds): Enter a minimum time interval, in seconds, during which you won't receive repeated notifications for the same trigger occurrence. When the minimum time interval expires, you'll receive an alert with a compilation report of any events that occurred during the allotted interval.
  3. Select OK.
  4. To test the new automation, right-click it and select Test Automation Stitch.


When an automation stitch is triggered, the FortiGate creates an event log, which you can view by going to Log & Report > System Events.

To create and test an automation - CLI:

config system automation-stitch
    edit <automation-stitch-name>
        set status {enable | disable}
        set trigger <trigger-name>
        set action <action-name>
        set destination <serial-number>
    next
end

diagnose automation test <automation-stitch-name> <log>

NOTE: You can configure an automation using the config system automation-stitch command shown above. For more information about configuring the Trigger <trigger-name> and Action <action-name> components, see: Configuring automations, triggers, and actions in the CLI.
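
A concrete instance of the CLI skeleton above, added here as an illustration and not taken from the Fortinet documentation: a Compromised Host trigger at the High IOC threshold bound to an email action with a minimum interval. The object names, email address, and 300-second interval are constructed, and the automation-trigger and automation-action option names are assumed from the FortiOS 6.0 CLI (this page only shows the stitch command), so check them against the CLI reference for your firmware.

```fortios
# Added example. The names ioc-high, soc-email and ioc-high-email, the email
# address and the interval are constructed. Trigger/action option names are
# assumed from the FortiOS 6.0 CLI and may differ on other releases.
# Lines starting with # are annotations; strip them before pasting.

# Trigger: Compromised Host, IOC level threshold High
config system automation-trigger
    edit "ioc-high"
        set event-type ioc
        set ioc-level high
    next
end

# Action: email alert, repeated notifications held back for 300 seconds
config system automation-action
    edit "soc-email"
        set action-type email
        set email-to "soc@example.com"
        set email-subject "Compromised host detected"
        set minimum-interval 300
    next
end

# Stitch: bind the trigger to the action.
# "set destination" is omitted here; the GUI default is All FortiGates.
config system automation-stitch
    edit "ioc-high-email"
        set status enable
        set trigger "ioc-high"
        set action "soc-email"
    next
end

# Fire the stitch once to confirm that the email is delivered
diagnose automation test ioc-high-email
```

After the test, confirm that the stitch execution was recorded by checking Log & Report > System Events.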