Iamyourjoy33
Explorer
November 14, 2025
Question

Configure automation-stitch to detect a user trying to log in to the FortiGate GUI

  • November 14, 2025
  • 2 replies
  • 624 views

Dear Everyone,

 

Currently we are configuring an automation-stitch to send an alert to our platform for anonymous login to the FortiGate GUI.

I tried to configure the trigger with specific conditions.

- If user A tries to access the dashboard and fails to log in more than 3 times, the automation-stitch must consider this a brute-force attack.

- If user B tries to access the dashboard and fails to log in fewer than 3 times, the automation-stitch must also trigger this alert but consider it not a brute-force attack.

Kindly provide me with some ideas regarding this.

 

Thank you.

Joy

2 replies

esalija
Staff
November 14, 2025

Hi @Iamyourjoy33 

 

To configure an automation stitch for different conditions based on failed login attempts, you can follow these steps:

  1. Define Event Handlers: Create two separate event handlers in FortiAnalyzer for each condition.

    • For User A, set the condition to trigger when there are more than 3 failed login attempts within a specific time frame.
    • For User B, set the condition to trigger on any failed login attempt, regardless of the count.
  2. Configure Automation Stitch:

    • Create an automation stitch for each event handler.
    • For User A's stitch, configure the action to label it as a brute force attack.
    • For User B's stitch, configure the action to label it as a non-brute force alert.
  3. Set Up Actions:

    • Define the actions for each stitch, such as sending an alert to your platform.
    • Use CLI scripts or other available actions to execute the desired response.
  4. Test the Configuration:

    • Simulate failed login attempts for both User A and User B to ensure the automation stitches trigger correctly and send the appropriate alerts.
  5. Monitor and Adjust:

    • Monitor the system to ensure the automation stitches are functioning as expected.
    • Adjust the conditions or actions if necessary to better fit your security requirements.

By setting up separate event handlers and automation stitches for each user condition, you can effectively manage and respond to different types of login attempts.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Automation-Stitch-using-Event-Handlers-from/ta-p/393536

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-an-automation-stitch-to-get-an-email/ta-p/285814

 

Best regards,

Erlin

Iamyourjoy33
Explorer
November 18, 2025

Hi @esalija thanks for responding.

Yurisk
SuperUser
November 17, 2025

If you are using just FortiGate - you cannot achieve such functionality, as automation stitches have no "memory"; they can fire, but each failed login will be new for them. You do have more capabilities if you also have FortiAnalyzer receiving the logs from the FGT, as @esalija already described.

Iamyourjoy33
Explorer
November 18, 2025

Thanks for your message, this is what I really want to know.
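The per-user counting that the replies above place in FortiAnalyzer event handlers (because a FortiGate stitch keeps no state between events), sketched as an added example that is not part of the thread and not Fortinet code. The log lines are constructed, and the key=value field names, the 5-minute window and time-ordered input are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                  # from the question: more than 3 failures = brute force
WINDOW = timedelta(minutes=5)  # assumption: the thread only says "a specific time frame"

# Constructed sample lines in FortiGate-style key=value form (field names assumed).
SAMPLE_LOGS = """\
date=2025-11-14 time=10:00:01 logdesc="Admin login failed" user="userA" srcip=198.51.100.7
date=2025-11-14 time=10:00:20 logdesc="Admin login failed" user="userB" srcip=203.0.113.9
date=2025-11-14 time=10:00:31 logdesc="Admin login failed" user="userA" srcip=198.51.100.7
date=2025-11-14 time=10:01:02 logdesc="Admin login failed" user="userA" srcip=198.51.100.7
date=2025-11-14 time=10:01:15 logdesc="Admin login successful" user="userC" srcip=192.0.2.4
date=2025-11-14 time=10:01:40 logdesc="Admin login failed" user="userA" srcip=198.51.100.7
date=2025-11-14 time=10:03:00 logdesc="Admin login failed" user="userB" srcip=203.0.113.9
date=2025-11-14 time=10:20:00 logdesc="Admin login failed" user="userA" srcip=198.51.100.7
""".splitlines()

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one key=value log line into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def classify(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per failed login, labelled by that user's count in the window."""
    recent = defaultdict(deque)  # user -> failure timestamps still inside the window
    alerts = []
    for line in lines:
        f = parse(line)
        if f.get("logdesc") != "Admin login failed":
            continue  # successful logins and unrelated events raise no alert
        ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
        q = recent[f["user"]]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        label = "bruteforce" if len(q) > threshold else "failed-login"
        alerts.append({"user": f["user"], "srcip": f["srcip"],
                       "count": len(q), "label": label})
    return alerts

if __name__ == "__main__":
    for alert in classify(SAMPLE_LOGS):
        print(alert)
```

Every failed login produces an alert, and only the label changes once a user's count inside the window passes the threshold; the last userA line shows the count dropping back to 1 after the window expires.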