Technical Tip: Configuring an automation stitch to send e-mail alerts when any administrator downloads a configuration backup from the GUI
| Description | This article describes how to use the automation-stitch functionality to send an alert e-mail whenever an administrator downloads a backup of the configuration file via the GUI. This supports auditing by showing who may have obtained the full configuration backup. |
| Scope | FortiGate. |
| Solution | Review the SMTP server settings under config system email-server as described in the following article: Technical Tip: How to configure SMTP using custom server and port on FortiGate.
config system automation-trigger
    edit "Config Backup completed"
        set event-type event-log
        set logid 32095
        config fields
            edit 1
                set name "action"
                set value "download"
            next
        end
    next
end
config system automation-stitch
    edit "Config-Download-GUI"
        set trigger "Config Backup completed"
        config actions
            edit 1
                set action "ConfigDownloadedGUI_email"
                set required enable
            next
        end
    next
end
The e-mail action named in the stitch, "ConfigDownloadedGUI_email", must already be defined under config system automation-action.
Once triggered, the 'System Events' logs should show the following logs:
Select the log entry to get more details:
date=2024-09-25 time=10:58:26 eventtime=1727276306518412481 tz="-0400" logid="0100032095" type="event" subtype="system" level="warning" vd="root" logdesc="Admin performed an action from GUI" user="admin" ui="GUI(172.25.181.194)" action="download" status="success" msg="System config file has been downloaded by user admin via GUI(172.25.181.194)"
If the automation stitch does not work as expected, use the following debug command to troubleshoot the issue.
diagnose debug reset
Open a new CLI window and run the automation stitch using execute auto-script start <script_name> or, in the GUI, right-click the automation stitch and select Test Automation Stitch.
Afterwards, collect the debug output and disable the debug processes using the following commands:
diagnose debug disable |
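The trigger's match logic (log ID 32095 with action "download") applied to forwarded logs, as an added example that is not part of the original article or Fortinet's code. It assumes the logs reach a collector in the key=value format shown above; the function names and the two constructed sample lines are illustrative.

```python
import re

# FortiGate logs are space-separated key=value pairs; values may be double-quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# ui looks like GUI(172.25.181.194): access method, then the admin's source address.
UI = re.compile(r'^([^()]+)\(([^()]+)\)$')

TRIGGER_MSG_ID = 32095       # "set logid 32095" in the trigger
TRIGGER_ACTION = "download"  # "config fields" filter in the trigger

def parse_event(line):
    """Return the fields of one log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def config_download(line):
    """Return an audit record for a config-download event, else None."""
    f = parse_event(line)
    logid = f.get("logid", "")
    # The 10-digit logid is type (2) + subtype (2) + message ID (6);
    # the trigger's logid is the message ID without leading zeros.
    if not logid.isdigit() or int(logid[-6:]) != TRIGGER_MSG_ID:
        return None
    if f.get("action") != TRIGGER_ACTION:
        return None
    ui = UI.match(f.get("ui", ""))
    return {
        "when": f"{f.get('date')} {f.get('time')} {f.get('tz')}",
        "user": f.get("user"),
        "method": ui.group(1) if ui else f.get("ui"),
        "source": ui.group(2) if ui else None,
        "status": f.get("status"),
    }

SAMPLE_LINES = [
    # Log entry shown in this article.
    'date=2024-09-25 time=10:58:26 eventtime=1727276306518412481 tz="-0400" logid="0100032095" type="event" subtype="system" level="warning" vd="root" logdesc="Admin performed an action from GUI" user="admin" ui="GUI(172.25.181.194)" action="download" status="success" msg="System config file has been downloaded by user admin via GUI(172.25.181.194)"',
    # Constructed: same log ID, different action (must not alert).
    'date=2024-09-25 time=11:02:10 tz="-0400" logid="0100032095" type="event" subtype="system" user="admin" ui="GUI(192.0.2.10)" action="reboot" status="success" msg="constructed sample"',
    # Constructed: different log ID with action=download (must not alert).
    'date=2024-09-25 time=11:05:44 tz="-0400" logid="0100032001" type="event" subtype="system" user="admin" ui="GUI(192.0.2.10)" action="download" status="success" msg="constructed sample"',
]

def audit(lines):
    """Return audit records for every line the trigger would match."""
    return [rec for rec in map(config_download, lines) if rec]

if __name__ == "__main__":
    for rec in audit(SAMPLE_LINES):
        print(rec)
```

Running the same filter on the log collector gives an audit trail that does not depend on e-mail delivery from the FortiGate.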




