Technical Tip: How to create Event handler in FortiAnalyzer for Policy delete in FortiGate

Description

This article describes how to create an Event handler in FortiAnalyzer for Policy deletion in FortiGate and send an email to the administrator.
When FortiGate sends logs to a FortiManager with FortiAnalyzer features enabled, it is possible to use the same event handler.

Solution

1. Create a mail server.
   
   Login to FortiAnalyzer, navigate to System setting -> Mail server, and select 'Create new'.
   
   After, enter the mail server details.

 

3. Login to FortiAnalyzer, navigate to Incident and Event -> Event Handler list, and select 'Create new'.
   
   Enter the details as per the following screenshot, and on the same page, enter the email notification details:
    
   To: Destination Email address.
   From: Source Email address which is present in the mail server.
   Mail Server: Created in 1.
   Generic text: cfgpath=firewall.policy.
   Log Description: Object configured.
   Action: Delete.

 

4. Troubleshooting.

If the email notification is not received, run the debug flow below and collect information for TAC support.

diagnose debug application fazmaild 255
diagnose debug enable

To stop the debug flow:

diagnose debug disable

diagnose debug reset

For FortiManager / FortiAnalyzer 7.6 or above flow capture:

diagnose debug application fazmaild 8
diagnose debug enable

To stop the debug flow:

diagnose debug disable

diagnose debug reset

Related articles:

• Technical Tip: How to configure email alerts for configuration changes on FortiGate using FortiAnalyzer event handler
• Technical Tip: How create event handler in FortiAnalzyer for policy change in FortiGate
• Technical Tip: Setting up a FortiAnalyzer event handler with a specific time schedule
• Technical Tip: How to set up Email Notifications with notification.fortinet.net
• Troubleshooting Tip: How to understand the email SMTP issues and its causes
• Troubleshoot: FortiAnalyzer unable resolve DNS to mail server