psalian
Staff & Editor
August 30, 2018

Technical Tip: How to configure email alerts for device configuration, policy package changes, and status updates on FortiManager


Description

 

This article describes how to configure an event handler that sends email notifications whenever configuration changes or policy package status changes occur on FortiManager.

 

 

Scope

 

 

FortiManager on-premises.


Solution

 

On a FortiManager running firmware versions prior to v7.4.0:

 

  1. Enable FortiAnalyzer Features.

 

Email notifications rely on event handlers, which are part of the FortiAnalyzer feature set. This feature must be enabled first in FortiManager.

 

It can be enabled from the GUI under Dashboard -> System Information -> FortiAnalyzer Features.

 

systeminfo6.png

 

Alternatively, it can be enabled from the CLI with the following commands:

 

config system global
    set faz-status enable
end

 

  2. Under System Settings -> Event logs, events appear whenever the config status or policy status changes.

 

Both events will be logged under separate log types. For policy changes, refer to the following image:

 policychange3.png

 

For configuration changes, refer to the following image:

 

config_changes3.png

 

  3. Configure the email server. Alerts will be sent through this server.

 

Configure it under System Settings -> Mail Server.

 

mailserver2.png
 
  4. Create an event handler for both conditions.
 
Under Event Management -> Event Handler list, select 'Create new'.

 

 

eventhandler2.png

 

The event handler for policy status changes can be configured as shown below:

 

 

eventhandlerpolicy2.png

 

  5. When an event log is generated for a status change and matches the events configured in the event handler, an email with details about the event is sent to the email addresses configured in the notification section.

On a FortiManager running firmware version v7.4.0 and above (follow steps 1 to 3 from the previous setup, then proceed with the following):

 

  1. Clone the Default Event Handler:
Locate the Local Device Event Handler. Clone it, then rename the cloned handler as desired:

 

Clone.jpg
  2. Modify the Event Handler Rules: Edit the cloned handler, then either modify the existing rule or delete it and create a new one.

  3. Configure the rule as follows: Select Refine Your Logs, select any one of the filters, then remove any existing log filters. Under Log Filter by Text, enter 'subtype=scply'.

 

Rule.jpg

Explanation:

  • scply: Records policy package status changes.
  • objcfg: Records configuration changes.

 

Example of event logs with the subtype 'scply':

 

Event_Logs_Example.jpg

Example of event logs with the subtype 'objcfg':

 

cfg.jpg

  4. Configure the notification profile:

After saving the rule, return to the Basic Event Handler settings and select a Notification Profile that will be used with the configured mail server. If no notification profile exists, use the (+) button to create a new one:

 

Create_Notification_Profile.jpg

 

Select Send Alert Email and fill in the required email details, then save the profile:

 

Fill_Up_Notification_Profile.jpg

Apply it to the event handler and save the handler settings.

 

At this point, the event handler is configured so email alerts will be sent whenever:

  • A configuration change occurs in the device database.
  • A configuration change occurs in the policy package database.
  • A configuration or policy package status change is recorded.
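
To check offline which exported event log lines the subtype filters described above (scply and objcfg) would select, the following Python sketch parses key=value log lines and matches on the subtype field. It is an added example, not Fortinet's code; the sample lines and every field name other than subtype are constructed assumptions, not FortiManager output.

```python
import shlex
from collections import Counter

# Subtypes named in this article and what they record.
WATCHED = {"scply": "policy package status change",
           "objcfg": "configuration change"}

def parse_event(line):
    """Split one key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def matching_events(lines, subtypes=WATCHED):
    """Return (hits, unparsed): events whose subtype field is watched, and bad lines."""
    hits, unparsed = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = parse_event(line)
        except ValueError:  # e.g. unbalanced quote in a truncated line
            unparsed.append(line)  # keep it visible instead of dropping it silently
            continue
        # Compare the parsed field, so free text that merely mentions
        # "subtype=scply" inside msg does not count as a match.
        if event.get("subtype") in subtypes:
            hits.append(event)
    return hits, unparsed

def summarize(events):
    """Count matched events per subtype."""
    return Counter(e["subtype"] for e in events)

# Constructed sample lines (hypothetical field layout; only the subtype values are from the article).
SAMPLE = [
    'date=2024-05-01 time=10:02:11 type=event subtype=objcfg user=admin msg="Edited address obj-1"',
    'date=2024-05-01 time=10:03:40 type=event subtype=scply user=admin msg="Package pp-1 modified"',
    'date=2024-05-01 time=10:04:02 type=event subtype=system user=admin msg="Text has subtype=scply"',
    'date=2024-05-01 time=10:05:00 type=event subtype=objcfg user=admin msg="truncated',
]

if __name__ == "__main__":
    hits, unparsed = matching_events(SAMPLE)
    for e in hits:
        print(e["date"], e["time"], e["subtype"], "-", WATCHED[e["subtype"]], "-", e.get("msg", ""))
    print("unparsed lines:", len(unparsed))
```

Lines that fail to parse are returned separately so that a truncated export is noticed rather than mistaken for an absence of changes.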