nevan
Staff
February 6, 2026

Technical Tip: Automation stitch configuration for compromised host quarantine and debugging of execution

Description

This article describes the configuration and debug analysis of the FortiGate Automation Stitch designed to respond to high severity compromised host events. The stitch automatically quarantines affected endpoints at the access layer and sends notification emails.

Scope

FortiGate.

Solution

When a host is classified as a high severity compromised host, whether by FortiGate itself, by FortiGuard, or by FortiAnalyzer with an IOC license, a FortiGate with the appropriate automation stitch configuration can identify the compromised endpoint's MAC address, apply MAC-based quarantine on managed FortiSwitches and FortiAPs, and send an email notification to administrators.

The automation stitch configuration is as follows:

Trigger condition:

config system automation-trigger
    edit "Compromised Host - High"
        set description "Default automation trigger configuration for when a high severity compromised host is detected."
    next
end

Automation action:

config system automation-action
    edit "Quarantine on FortiSwitch + FortiAP"
        set description "Default automation action configuration for quarantining a MAC address on FortiSwitches and FortiAPs."
        set action-type quarantine
    next
    edit "Access Layer Quarantine"
        set description "Quarantine the MAC address on access layer devices (FortiSwitch and FortiAP)."
        set action-type quarantine
    next
end

Automation destination:

config system automation-destination
    edit "QuadDestination"
        set type ha-cluster
        set destination "ha-cluster"
    next
end

Automation Stitch:

config system automation-stitch
    edit "Compromise Host -HIGH"
        set trigger "Compromised Host - High"
        config actions
            edit 2
                set action "Quarantine on FortiSwitch + FortiAP"
                set required enable
            next
            edit 4
                set action "Access Layer Quarantine"
                set required enable
            next
        end
        set destination "QuadDestination"
    next
end

After setting up the correct configuration, follow the steps below to confirm that the automation stitch is working as intended.

  1. Stop any automation scripts that are currently running with the command 'execute auto-script stopall'.
  2. Run the following commands to enable debugging of the automation daemon:

diagnose debug reset
diagnose debug application autod -1
diagnose debug console timestamp enable
diagnose debug enable

  3. Open another CLI window and execute the automation stitch with the command 'execute auto-script start <script_name>'. Or, in the GUI, right-click on the automation stitch name and select 'Test Automation Stitch'.
  4. Collect the debug output and disable the debug processes with the following commands:

diagnose debug disable
diagnose debug reset

In the debug output for a successful execution of the automation stitch, the following results are expected:

__action_ioc_quarantine_hdl(): ioc quarantine action is called

{ "name": "Quarantine on FortiSwitch + FortiAP", "status": "success" }
{ "name": "Access Layer Quarantine", "status": "success" }
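When checking a collected debug capture by hand it is easy to miss one action that returned something other than "success". The following Python script is an added example, not part of the original article or any Fortinet tooling: it parses the autod debug lines shown above, strips the console timestamp prefix (the timestamp format and the sample lines are constructed assumptions, not captured from a device), and reports any required action of the stitch that did not report "success".

```python
import json
import re

# Constructed sample of 'diagnose debug application autod -1' output for one
# stitch run. Not captured from a real device; the shape follows the expected
# lines in the article plus an assumed timestamp prefix added by
# 'diagnose debug console timestamp enable'.
SAMPLE_DEBUG = """\
2026-02-06 10:15:02 __action_ioc_quarantine_hdl(): ioc quarantine action is called
2026-02-06 10:15:02 { "name": "Quarantine on FortiSwitch + FortiAP", "status": "success" }
2026-02-06 10:15:03 { "name": "Access Layer Quarantine", "status": "failure" }
"""

# Actions configured with 'set required enable' in the stitch; the run is only
# considered good when every one of them reports status "success".
REQUIRED_ACTIONS = ["Quarantine on FortiSwitch + FortiAP", "Access Layer Quarantine"]

# Assumed timestamp prefix format; adjust if the capture uses a different one.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")


def parse_autod_debug(text):
    """Return (handler_called, {action_name: status}) parsed from autod debug output."""
    handler_called = False
    statuses = {}
    for raw in text.splitlines():
        line = TIMESTAMP_RE.sub("", raw.strip())  # drop the console timestamp, if present
        if "__action_ioc_quarantine_hdl()" in line:
            handler_called = True
        elif line.startswith("{"):
            try:
                record = json.loads(line)
            except json.JSONDecodeError:
                continue  # some other brace-led debug line, not an action result
            if "name" in record and "status" in record:
                statuses[record["name"]] = record["status"]
    return handler_called, statuses


def check_stitch_run(text, required=REQUIRED_ACTIONS):
    """List the problems found; an empty list means the run matched the expected output."""
    handler_called, statuses = parse_autod_debug(text)
    problems = []
    if not handler_called:
        problems.append("ioc quarantine handler was never called")
    for name in required:
        status = statuses.get(name)
        if status is None:
            problems.append(f"no result reported for required action '{name}'")
        elif status != "success":
            problems.append(f"required action '{name}' reported status '{status}'")
    return problems


if __name__ == "__main__":
    for line in check_stitch_run(SAMPLE_DEBUG) or ["stitch run matched expected output"]:
        print(line)
```

Paste the real capture in place of SAMPLE_DEBUG, or read it from a file, and adjust REQUIRED_ACTIONS to the action names used in your own stitch.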

Related article:
Technical Tip: FortiGate automation stitch repeatedly triggered by system log