FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
Article Id 286200
Description This article describes how to ban an IP address using a FortiAnalyzer event handler that notifies a FortiGate automation stitch, which then performs the IP ban.
Scope FortiAnalyzer (event handler) and FortiGate (automation stitch).

This article uses SSL VPN login failures as the triggering event: the event handler is configured on FortiAnalyzer, and the automation stitch is configured on FortiGate.


  1. Create an event handler on FortiAnalyzer:




  2. Create a stitch on FortiGate. Add the trigger under Security Fabric -> Automation -> New -> Add Trigger -> New -> FortiAnalyzer Event Handler -> OK.




  3. Choose the event handler created on FortiAnalyzer.




  4. Under Action -> New, choose IP Ban.




The automation stitch will show as below:




In the CLI, the stitch appears as below:


preve-kvm05 # config system automation-stitch

preve-kvm05 (automation-stitch) # edit "TataSSLVPN"

preve-kvm05 (TataSSLVPN) # show
config system automation-stitch
    edit "TataSSLVPN"
        set trigger "tutuSSLVPN"
            config actions
                edit 1
                    set action "IPBan"
                    set required enable
                next
            end
    next
end
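For reference, the following is the complete set of FortiGate CLI objects behind the stitch above: the trigger and the action that the `show` output only references by name, plus the stitch itself. This is an added example, not configuration taken from the article or from Fortinet documentation. The object names "tutuSSLVPN", "IPBan" and "TataSSLVPN" are the ones used in the article; the event handler name "SSLVPN-Login-Failed" is a placeholder that must be replaced with the name of the handler created on FortiAnalyzer in step 1. The `faz-event` event type and `ban-ip` action type are the CLI equivalents of the GUI choices "FortiAnalyzer Event Handler" and "IP Ban"; confirm the accepted values on your firmware with `set event-type ?` and `set action-type ?`.

```fortios
config system automation-trigger
    edit "tutuSSLVPN"
        set event-type faz-event
        set faz-event-name "SSLVPN-Login-Failed"
    next
end

config system automation-action
    edit "IPBan"
        set action-type ban-ip
    next
end

config system automation-stitch
    edit "TataSSLVPN"
        set status enable
        set trigger "tutuSSLVPN"
        config actions
            edit 1
                set action "IPBan"
                set required enable
            next
        end
    next
end
```

The ban is applied to the source IP address carried in the FortiAnalyzer event, so the event handler on FortiAnalyzer must be built on the SSL VPN login-failure logs and report the remote IP. When testing with a deliberately failed login, keep in mind that the test client's address will be banned; `diagnose user banned-ip list` shows the current bans and `diagnose user banned-ip clear` removes them once the test is finished.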




To test that the stitch runs, log in to the SSL VPN with an invalid username or password.




On FortiAnalyzer, confirm that the event handler was triggered under FortiSoC -> Event Monitor -> All Events.




On FortiGate, the automation stitch shows the event as triggered.




Run 'diagnose user banned-ip ?' to see the available options and check whether the listed IP address has been banned.




If the stitch does not behave as expected, the following debug options are available for automation stitches:


preve-kvm05 # diag test app autod 0
1. Enable/disable log dumping
2. Show automation settings.
3. Show automation statistics.
4. Show plugin statistics.
5. Show running stitches.
6. Show subscriber statistics.
7. Show migsock info.

Related articles:

Technical Tip: How to implement Indicators Of Compromised (IOC) Automation Stitch between FortiGate,...

Technical Tip: Use FortiGate automation stitches for alert emails