FortiAnalyzer
HernandezA
Staff
Article Id 403139
Description: This article describes the configuration steps to create a playbook that runs a report about system events when a FortiGate interface changes its status.
Scope: FortiAnalyzer, FortiGate.
Solution

General information:

  • FortiGate VM, version 7.4.7 Build2731.
  • FortiAnalyzer VM, version 7.4.7 Build2685.


Pre-requisites:

  1. Register the FortiGate with FortiAnalyzer (connection status UP).

A_Pre_Req.jpg

  2. Verify the FortiOS connector status under Fabric View -> Automation -> Connectors -> FortiOS Connector (green/UP).

B_Pre_Req.jpg

  3. Confirm event logs are being received under Log View -> FortiGate -> Event: All Types.

C_Pre_Req.jpg

Configuration steps:

  1. Configure the mail server settings under System Settings -> Advanced -> Mail Server -> Create New. Refer to Technical Tip: How to set up Email Notifications with notification.fortinet.net.

 

Configure_mail_server.jpg

 

  2. Create the report that the playbook will run. In this example the report is created from a template available in FortiAnalyzer (Security Events and Incidents Summary); the administrator can instead choose whichever template or customized report best fits the information needed. Go to Reports -> Report Definitions -> Templates -> Security Events and Incidents Summary -> Create Report.

     After creating the report, make sure the options 'Extended Log Filtering' and 'Enable Auto-Cache' are enabled; both are required. The playbook is linked to the report in the later steps, so for now select 'Apply'.

 

Create_a_report.jpg

Final_Basic_Report_Settings.jpg

 

  3. Create an output profile to link with the report's notification options. Go to Reports -> Advanced Settings -> Output Profile -> Create and configure the settings as needed. In this example, PDF is used as the format for the emailed report. Select the mail server configured in step 1 and set the sender and destination email addresses.

     Return to the report settings and check 'Enable notification', then select the output profile configured in this step: Reports -> Report Definitions -> edit the report created in step 2 -> check 'Enable notification' -> select the output profile.

 

Output_Profile.jpg

 

  4. In summary, the report settings should have at least the options shown in the report settings screenshot above enabled. (Steps 1 to 3 are also covered in Technical Tip: How to configure email server on FortiAnalyzer to receive reports over email.)

  5. Configure an event handler according to requirements. This example clones the default basic handler 'Default-NOC-Interface-Events', because it already contains the rule that identifies when a FortiGate interface changes from UP to DOWN or vice versa; cloning leaves the default handler untouched. Go to Incident & Events -> Handlers -> Basic Handlers -> select Default-NOC-Interface-Events -> Clone.

Cloned_Basic_Handler.jpg

 

  6. When cloning the event handler, name the new handler and make sure its status is Enabled, then select 'OK' and make sure the 'Automation stitch' option is enabled, so that events generated by this handler can trigger a playbook.

Settings_of_Cloned_Basic_Handler.jpg

 

  7. Create a new playbook under Fabric View -> Automation -> Playbook -> Create New -> 'New Playbook created from scratch'.
     In this example the playbook starts with the trigger 'EVENT_TRIGGER', and the condition that begins the flow is configured with 'Any of the following conditions'. The condition is Basic Handler Name -> Equal to -> the name of the handler configured in step 6:
       EVENT_TRIGGER -> 'Any of the following conditions' -> Basic Handler Name -> Equal to -> TEST _interface_handler_playbook_Default-NOC-Interface-Events -> Save.

     

EVENT_TRIGGER.jpg

 

  8. Create a new connector step extending from the EVENT_TRIGGER node and select the FortiAnalyzer option.
  9. Set the name of the connector, verify that Connector is 'Local Connector', confirm that Action is 'run report', select the report configured in step 2, choose the time period, and select OK. In this example, no filter is used.

 

FAZ_connector_run_report.jpg

 

  10. Save the playbook.
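To make the trigger chain concrete, the following Python model is an added example written for this article; it is not FortiAnalyzer code and does not use any Fortinet API. It parses constructed FortiOS-style event log lines, applies a rule that stands in for the interface-status rule of the cloned handler, and fires a stand-in 'run report' action whenever an event's handler name satisfies the playbook's EVENT_TRIGGER condition. The sample log lines, the HandlerRule and Playbook classes and the run_report function are assumptions made for illustration; the handler and report names are the ones used in the steps above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log lines in FortiOS key="value" syntax (illustrative, not
# captured from a device): two interface status changes for port2 with an
# unrelated admin login between them.
SAMPLE_LOGS = """\
date=2025-01-10 time=10:01:02 type="event" subtype="system" level="information" vd="root" logdesc="Interface status changed" action="interface-stat-change" name="port2" status="DOWN" msg="Interface port2 was turned down"
date=2025-01-10 time=10:01:40 type="event" subtype="system" level="notice" vd="root" logdesc="Admin login successful" action="login" user="admin" msg="Administrator admin logged in successfully from https(10.0.0.5)"
date=2025-01-10 time=10:02:15 type="event" subtype="system" level="information" vd="root" logdesc="Interface status changed" action="interface-stat-change" name="port2" status="UP" msg="Interface port2 was turned up"
"""

# key=value or key="quoted value" (backslash escapes allowed inside the quotes)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line: str) -> dict:
    """Parse one FortiOS-style log line into a dict, stripping surrounding quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


@dataclass
class HandlerRule:
    """Stand-in for a basic event handler rule: log type/subtype plus field filters."""
    handler_name: str
    log_type: str = "event"
    log_subtype: str = "system"
    filters: dict = field(default_factory=dict)

    def matches(self, log: dict) -> bool:
        if log.get("type") != self.log_type or log.get("subtype") != self.log_subtype:
            return False
        return all(log.get(k) == v for k, v in self.filters.items())


# Handler name from the article; the filter models the interface-status rule
# inherited from the cloned Default-NOC-Interface-Events handler (assumption).
HANDLER_NAME = "TEST _interface_handler_playbook_Default-NOC-Interface-Events"
INTERFACE_RULE = HandlerRule(HANDLER_NAME, filters={"action": "interface-stat-change"})


def generate_events(logs: list, rules: list) -> list:
    """Event handler stage: each matching log becomes an event tagged with the handler name."""
    return [
        {"handler": rule.handler_name, "interface": log.get("name"), "status": log.get("status")}
        for log in logs
        for rule in rules
        if rule.matches(log)
    ]


def run_report(report_name: str, event: dict) -> str:
    """Hypothetical stand-in for the local connector 'run report' action; returns a summary string."""
    return f"{report_name} triggered by {event['interface']} -> {event['status']}"


@dataclass
class Playbook:
    """EVENT_TRIGGER with 'Any of the following conditions': Basic Handler Name equal to trigger_handler."""
    trigger_handler: str
    report_name: str
    runs: list = field(default_factory=list)

    def on_event(self, event: dict) -> bool:
        if event["handler"] != self.trigger_handler:
            return False
        self.runs.append(run_report(self.report_name, event))
        return True


def simulate(raw_logs: str = SAMPLE_LOGS) -> list:
    """Run the whole chain over the sample logs and return the report runs it produced."""
    logs = [parse_log(line) for line in raw_logs.splitlines() if line.strip()]
    playbook = Playbook(HANDLER_NAME, "Security Events and Incidents Summary")
    for event in generate_events(logs, [INTERFACE_RULE]):
        playbook.on_event(event)
    return playbook.runs


if __name__ == "__main__":
    for run in simulate():
        print(run)
```

Running it yields one report run for the DOWN transition and one for the UP transition, while the login log is ignored by the rule. That is what the cloned handler's rule implies for the real setup as well: a single down/up test on port2 produces two events, and a flapping link in production would drive the report and its email notification repeatedly, so a narrower rule or a dedicated handler may be preferable where that matters.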

Testing the playbook:

  1. On the FortiGate, select an interface that can be brought down and back up to generate the event (port2 in this example). Note that the cloned handler's rule matches both the down and the up transition, so a flapping interface can trigger the playbook, and with it the report and its email notification, repeatedly.

 

FGT interface_ONoff.jpg

 

  2. In FortiAnalyzer, confirm the events were received: Log View -> FortiGate -> look for logs with action interface-stat-change.


InterfaceEVENTLOgs.jpg

 

  3. Verify that the Event Monitor has registered the events: Incident & Events -> Event Monitor -> All Events.


VERIFICATIO_EVENT_monitor.jpg

 

  4. Verify the playbook status and execution result: Fabric View -> Automation -> Playbook Monitor.


VeriFy_Playbook_execution.jpg

 

  5. Confirm the report was executed.


Report Execution validation.jpg

 

  6. Confirm the email was received in the mail client of the configured recipient.


Verify_Emailbox_confirm_report_reception.jpg
