By Manny Fernandez

February 6, 2021

Setting Up Notification of FortiGate Firewalls with Automation

Starting in 6.2, FortiGate firewalls gained the ability to set up automation stitches.  In 6.4, Fortinet enhanced the capabilities of the Automation section.

In this article, I will cover setting up a DHCP Lease Usage High notification and an OSPF neighbor change notification.

Basic Setup

In order to configure Automation, you will need to go to Security Fabric, then Automation.

2021-02-06_16-21-51.png

You will need to create a new automation stitch.

2021-02-06_16-23-19.png

Now we will discuss the components of this section.

2021-02-06_16-25-45.png

You have two sections here.  One is the Trigger and the other is the Action.  The trigger is what you are monitoring for and the action is what to do once that condition is met.

2021-02-06_16-23-49.png

In this example, we are going to use the FortiOS Event Log as the trigger.  This section will give you all the event messages generated by FortiOS.

2021-02-06_16-24-19.png

As you can see in the screenshot above, we are going to give this stitch a name (1), then we will choose the FortiOS Event Log (2), then we will choose to list the events (3), and lastly we will choose from the list of entries (4).  Note: You can search the list (e.g. vpn).

2021-02-06_16-25-24.png

Now we are going to define the Action.  In my example, we are going to generate an email.  The Email body will contain all information from the log.

2021-02-06_16-40-30.png

As you can see, there are additional variables that you can replace or combine.

OSPF Example

2021-02-06_16-14-21.png

In the use case above, we are going to create a stitch for an OSPF Neighbor Change.

  1. We are going to assign a name to the trigger.
  2. We change the status as needed.
  3. We are going to use the FortiOS Event Log messages as the trigger.
  4. The event for this example is OSPF neighbor status change.
  5. The action we want it to take is Email.
  6. The destination email address.
  7. This is a free-form subject field.  I suggest using something similar to the event log name so it is easy to understand, especially if you are creating multiple stitches.
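The same OSPF stitch expressed in the FortiOS CLI, as an added example that is not from the original post.  It assumes FortiOS 6.4 syntax (where a stitch holds an "actions" sub-table), and the stitch/action names, the destination address and the log ID are placeholders: the log ID must be replaced with the one shown next to "OSPF neighbor status change" in the event list from step 4.

```fortios
# Trigger: fire on one FortiOS event-log message.
config system automation-trigger
    edit "OSPF-Neighbor-Change"
        set event-type event-log
        # PLACEHOLDER log ID; copy the real one from the GUI event list.
        set logid 0000000000
    next
end

# Action: e-mail the full log message to the on-call mailbox.
# %%log%% is the variable that expands to the triggering log entry.
config system automation-action
    edit "Email-OSPF-Neighbor-Change"
        set action-type email
        set email-to "soc@example.com"
        set email-subject "OSPF Neighbor Change"
        set email-body "%%log%%"
    next
end

# Stitch: bind the trigger to the action and enable it.
config system automation-stitch
    edit "OSPF-Neighbor-Change"
        set status enable
        set trigger "OSPF-Neighbor-Change"
        config actions
            edit 1
                set action "Email-OSPF-Neighbor-Change"
                set required enable
            next
        end
    next
end
```

After applying it, check that the stitch appears under Security Fabric > Automation and send a test event (for example, by bouncing a lab OSPF adjacency) to confirm the e-mail arrives.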

2021-02-06_16-46-39.png

Here is a sample email with the OSPF Neighbor Change message.

DHCP Lease Usage – High

In this example, we want to be notified when a DHCP scope is close to full, which could also be a sign of a DHCP starvation attack.

2021-02-06_16-17-56.png

Reminder:  You can use Slack's API to send messages to a Slack group and channel.  I used this (not with a FortiGate, since it was not available then) when I ran a SOC; we had SOC operators who would be on shift and would see the notification.  When off shift, they would not get the alerts.

Also, make sure you take a look at the Webhook action for integration with other API-driven solutions.

Hope this helps.
