Response actions

There are four main types of alert notifications you can set up to respond to an event trigger: Email, FortiExplorer Notification, AWS Lambda, and Webhook. There are also additional response actions for the Compromised Host (IOC): Access Layer Quarantine, Quarantine FortiClient via EMS and IP ban.

Note: It's recommended that you set a Minimum Interval for each action. For more information, see Avoiding repeat event notifications.
Main Alert Notification Actions
Action Description
Email

Use this action to send a custom email notification.

You must enter an email address and subject line.

FortiExplorer Notification

Use this action to send push notifications to FortiExplorer.

For the push to be successful, the FortiGate must be registered with FortiExplorer app on the iOS device you want to receive notifications on.

AWS Lambda

Use this action to invoke Amazon Web Services (AWS) Lambda.

For the API Gateway endpoint, you can manually enter the URL or you can enter the Parameters individually.

For URL, you must enter the following variables:

  • Enter the URL. For example, "1a2b3c.execute-api.us-east-1.amazonaws.com/stagename/notification"
  • For API Key, enter the same API Key that you use for your AWS API Gateway.

For Parameters, you must enter the following variables:

  • Set the Region. For example, "us-east-1"
  • Set the ID to the REST API ID. For example, "1a2b3c"
  • Set the Path to the resource you configured in your API Gateway. For example, "notification".
  • Set the Stage to the stage name from your AWS API Gateway. For example, "stagename".
  • For the API Key, enter the same API key that you configured in your AWS API Gateway.
Webhook

Use this action to send data to another application using a REST callback.

You must enter the following:

  • For Protocol, select HTTP or HTTPS.
  • For Method, select POST, PUT, or GET.
  • Enter the URI. For example, "websitename.com/notifications"
  • Set the Port.
  • For HTTP Body, enter the text you want (up to 1023 characters). For example, {"trigger":"reboot"}.
  • For HTTP Header, enter the Name and Value you want. For example, "x-notification-source" and "Fortinet".
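A receiving side for the Webhook action described above, as an added example that is not part of the FortiOS documentation. It assumes the action was configured with Method POST or PUT, the example body {"trigger":"reboot"} and the example header x-notification-source: Fortinet, and treats that header value as a shared secret so that unrelated callers to the same URI are rejected; the listening port 8080 is a constructed choice.

```python
"""Minimal receiver for a FortiGate automation-stitch Webhook action (added example)."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_HEADER = "x-notification-source"   # header Name from the page's example
EXPECTED_VALUE = "Fortinet"                 # header Value; treated here as a shared secret
MAX_BODY = 1023                             # FortiGate caps the HTTP Body at 1023 characters


def handle_notification(method, headers, body):
    """Validate one webhook delivery; return (http_status, parsed_body_or_None)."""
    # GET carries no body, so only POST and PUT deliveries are accepted here.
    if method not in ("POST", "PUT"):
        return 405, None
    # Header names are case-insensitive; normalise before comparing.
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get(EXPECTED_HEADER) != EXPECTED_VALUE:
        return 403, None            # missing or wrong sender header: reject
    if len(body) > MAX_BODY:
        return 413, None            # larger than a FortiGate can send: reject
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, None            # body is not the JSON we expect
    if not isinstance(payload, dict) or "trigger" not in payload:
        return 422, None            # JSON, but not the agreed shape
    return 200, payload


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(length).decode("utf-8", errors="replace")
        headers = {k: v for k, v in self.headers.items()}
        status, payload = handle_notification(self.command, headers, raw)
        self.send_response(status)
        self.end_headers()
        if payload is not None:
            print("FortiGate trigger received:", payload["trigger"])

    do_PUT = do_POST                # same handling for PUT deliveries


if __name__ == "__main__":
    # Listen on the Port configured in the Webhook action (8080 is a constructed value).
    HTTPServer(("0.0.0.0", 8080), WebhookHandler).serve_forever()
```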
Additional Compromised Host response actions
Action Description
Access Layer Quarantine

Use this action to impose a dynamic quarantine on multiple endpoints based on the access layer.

Quarantine FortiClient via EMS

Use this action to use FortiClient EMS to block all traffic from the source addresses flagged as compromised hosts. Quarantined devices are flagged on the Security Fabric Physical and Logical topology views.

Go to Monitor > Quarantine Monitor to view quarantined IP addresses. Addresses are automatically removed from the quarantine after a configurable period of time.

IP Ban

Use this action to block all traffic from the source addresses flagged by the IOC.

Go to Monitor > Quarantine Monitor to view banned IP addresses. Banned IP addresses can only be removed from the list by administrator intervention.

Avoiding repeat event notifications

The Minimum interval establishes the amount of time, in seconds, before you receive a repeat alert notification about the same event. This helps avoid receiving multiple alerts on your phone every few minutes for the same offense. When the interval has elapsed, a collated report detailing the activities during that time frame will be sent.

For example, if you were configuring an alert for high CPU usage and you set the Minimum interval to 86400s (1 day), then you receive one alert when the CPU usage goes above 90% and you do not get another alert notification for the same event until the next day. When the 86400s (1 day) elapses, you receive a notification with a summary that lets you know how many times the CPU usage exceeded 90% in the past day. See CPU and memory thresholds for information on customizing the CPU and memory use thresholds.