Response actions
There are four main types of alert notifications you can set up to respond to an event trigger: Email, FortiExplorer Notification, AWS Lambda, and Webhook. There are also additional response actions for the Compromised Host (IOC): Access Layer Quarantine, Quarantine FortiClient via EMS and IP ban.
It's recommended that you set a Minimum Interval for each action. For more information, see Avoiding repeat event notifications.
Main Alert Notification Actions
Action | Description
---|---
Email | Use this action to send a custom email notification. You must enter an email address and subject line.
FortiExplorer Notification | Use this action to send push notifications to FortiExplorer. For the push to be successful, the FortiGate must be registered with the FortiExplorer app on the iOS device you want to receive notifications on.
AWS Lambda | Use this action to invoke Amazon Web Services (AWS) Lambda. For the API Gateway endpoint, you can manually enter the URL or you can enter the Parameters individually. For URL, you must enter the following variables: For Parameters, you must enter the following variables:
Webhook | Use this action to send data to another application using a REST callback. You must enter the following:
Additional Compromised Host response actions
Action | Description
---|---
Access Layer Quarantine | Use this action to impose a dynamic quarantine on multiple endpoints based on the access layer.
Quarantine FortiClient via EMS | Use this action to use FortiClient EMS to block all traffic from the source addresses flagged as compromised hosts. Quarantined devices are flagged on the Security Fabric Physical and Logical topology views. Go to Monitor > Quarantine Monitor to view quarantined IP addresses. Addresses are automatically removed from the quarantine after a configurable period of time.
IP Ban | Use this action to block all traffic from the source addresses flagged by the IOC.
Avoiding repeat event notifications
The Minimum interval establishes the amount of time, in seconds, before you receive a repeat alert notification about the same event. This helps avoid receiving multiple alerts on your phone every few minutes for the same offense. When the interval has elapsed, a collated report detailing the activities during that time frame will be sent.
For example, if you configure an alert for high CPU usage and set the Minimum interval to 86400s (1 day), you receive one alert when the CPU usage first goes above 90%, and you do not get another alert notification for the same event until the next day. When the 86400s (1 day) elapses, you receive a notification with a summary that lets you know how many times the CPU usage exceeded 90% in the past day. See CPU and memory thresholds for information on customizing the CPU and memory use thresholds.
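The suppression-and-collation behaviour described above, modelled as a small Python class. This is an added illustration, not FortiOS code: the class name `MinIntervalNotifier`, the `trigger`/`tick` methods, the `Notification` record and the "high-cpu" scenario are all constructed for the example. The first hit of an event is sent at once and opens a window of `min_interval` seconds; later hits inside the window are only counted, and when the window elapses a single summary carrying that count is sent.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Notification:
    kind: str      # "alert" for the first hit, "summary" for the collated report
    event: str     # name of the event trigger, e.g. "high-cpu" (constructed)
    count: int     # number of times the event fired during the window
    sent_at: int   # time (seconds) at which the notification went out


@dataclass
class _Window:
    opened_at: int  # time of the first hit that opened the window
    count: int      # hits seen so far in this window, including the first


class MinIntervalNotifier:
    """Hypothetical model of the Minimum interval setting: repeat alerts for the
    same event are suppressed for `min_interval` seconds, after which one
    collated summary is sent."""

    def __init__(self, min_interval: int) -> None:
        self.min_interval = min_interval
        self._windows: Dict[str, _Window] = {}
        self.sent: List[Notification] = []   # everything that was delivered, in order

    def trigger(self, event: str, now: int) -> Optional[Notification]:
        """Record that `event` fired at time `now`; return the alert sent, if any."""
        window = self._windows.get(event)
        if window is not None and now - window.opened_at >= self.min_interval:
            # The window elapsed without a timer tick: flush its summary first.
            self.tick(now)
            window = None
        if window is None:
            self._windows[event] = _Window(opened_at=now, count=1)
            note = Notification("alert", event, 1, now)
            self.sent.append(note)
            return note
        window.count += 1                    # inside the window: count, don't notify
        return None

    def tick(self, now: int) -> List[Notification]:
        """Close every window whose interval has elapsed and send its summary.
        Meant to be called periodically (e.g. from a timer)."""
        summaries: List[Notification] = []
        for event, window in list(self._windows.items()):
            if now - window.opened_at >= self.min_interval:
                del self._windows[event]
                note = Notification("summary", event, window.count, now)
                self.sent.append(note)
                summaries.append(note)
        return summaries


def simulate_cpu_day() -> List[Notification]:
    """Constructed scenario: CPU usage exceeds the threshold four times in one
    day with a 86400s minimum interval, then once more on the following day."""
    notifier = MinIntervalNotifier(min_interval=86400)
    for t in (0, 3600, 7200, 43200):     # four hits within the first day
        notifier.trigger("high-cpu", t)
    notifier.tick(86400)                  # one day elapsed: summary with count 4
    notifier.trigger("high-cpu", 90000)   # next day: a fresh alert is sent again
    return notifier.sent


if __name__ == "__main__":
    for n in simulate_cpu_day():
        print(f"{n.sent_at:>6}s  {n.kind:<8} {n.event}  count={n.count}")
```

Running the scenario yields three deliveries: the initial alert at 0s, one summary at 86400s reporting four hits, and a new alert at 90000s. The summary is emitted whenever a window closes, mirroring the description that a collated report is sent once the interval has elapsed.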