Technical Tip: Creating the automation stitches
Description
This article describes how to configure automation stitches for the Fortinet Security Fabric.
Each automation stitch pairs an event trigger with one or more actions, which makes it possible to monitor the network and take appropriate action when the Security Fabric detects a threat.
Use automation stitches to detect events from any source in the Security Fabric and apply actions to any destination.

In this example, the following automation stitches are created:
- Ban a compromised host’s IP address.
- Send an email alert when HA failover occurs.
Scope
FortiGate.
Solution
To create the automation stitches:
- To create a new Automation Stitch that bans the IP address of a compromised host, go to Security Fabric -> Automation and select 'Create New'.
- Set FortiGate to 'All FortiGates'.
- Set Trigger to 'Compromised Host'.
- Set Action to 'IP Ban'.
Example configuration in the CLI:
config system automation-stitch
    edit "Compromised-IP-Banned"
        set trigger "Compromised Host"
        config actions
            edit 1
                set action "IP Ban"
                set delay <0-3600s> <----- Optional.
                set required enable
            next
        end
    next
end
Note:
A delay can also be configured between automation-stitch actions. Once the automation stitch is triggered, the configured action is carried out after the delay timer expires. If multiple actions are in place, the delay set for each action is applied according to the action sequence.
- Create a second Automation Stitch that sends an email alert when HA failover occurs.
- Set FortiGate to 'Edge-Primary', which is part of the only HA cluster in the Security Fabric.
- Set Trigger to 'HA Failover'.
- Under Action, edit 'Email Notification' and specify the email address.
- Set Action to 'Email Notification', select 'Apply' and select 'OK'.
Example configuration in the CLI:
config system automation-stitch
    edit "HA-failover"
        set trigger "HA Failover"
        config actions
            edit 1
                set action "Email Notification"
                set required enable
            next
        end
        set destination "HA-failover"
    next
end

Set an event log message.

- If the automation that blocks compromised hosts has been simulated, the banned unit can no longer access the internet.
- When HA failover occurs or when the automation is tested, an email similar to the one shown is sent to the email address configured in the automation.
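
To confirm from a saved configuration file that both stitches are still in place, the following Python script parses the 'config system automation-stitch' section in the syntax shown above and reports any trigger/action pair from this article that is missing, or any delay outside 0-3600. It is an added example, not Fortinet code: the sample text, the 30-second delay and the names parse_stitches, audit, SAMPLE and EXPECTED are assumptions made for illustration.

```python
import shlex

# Constructed sample backup: only the first stitch is present; delay 30 is assumed.
SAMPLE = '''config system automation-stitch
    edit "Compromised-IP-Banned"
        set trigger "Compromised Host"
        config actions
            edit 1
                set action "IP Ban"
                set delay 30
                set required enable
            next
        end
    next
end'''
EXPECTED = {"Compromised Host": "IP Ban", "HA Failover": "Email Notification"}

def parse_stitches(text):
    """Return {stitch name: {"actions": [action dicts], plus stitch settings}}."""
    stitches, stitch, action, depth = {}, {"actions": []}, None, 0  # throwaway stitch
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config" and (depth or tok[1:] == ["system", "automation-stitch"]):
            depth += 1                      # 1 = stitch table, 2 = actions table
        elif depth and tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            stitch = stitches.setdefault(tok[1], {"actions": []})
        elif depth == 2 and tok[0] == "edit":
            stitch["actions"].append(action := {"id": tok[1]})
        elif depth == 2 and tok[0] == "next":
            action = None                   # the action entry is closed
        elif depth in (1, 2) and tok[0] == "set" and len(tok) > 2:
            (stitch if action is None else action)[tok[1]] = " ".join(tok[2:])
    return stitches

def audit(stitches, expected=EXPECTED):
    """Return findings: expected trigger/action pair absent, or delay not in 0-3600."""
    findings = []
    for trigger, want in expected.items():
        acts = [a for s in stitches.values() if s.get("trigger") == trigger
                for a in s["actions"] if a.get("action") == want]
        if not acts:
            findings.append(f"no stitch pairs {trigger!r} with {want!r}")
        for a in acts:
            delay = a.get("delay", "0")     # a missing delay is treated as no delay
            if not delay.isdigit() or int(delay) > 3600:
                findings.append(f"{trigger!r}: delay {delay!r} outside 0-3600")
    return findings
```

Calling audit(parse_stitches(SAMPLE)) on the constructed sample reports the missing 'HA Failover' stitch; an empty list means both pairs were found with valid delays.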

