Description

This article describes how to create an Event handler in FortiAnalyzer for Policy deletion in FortiGate and send an email to the administrator.
When FortiGate sends logs to a FortiManager with FortiAnalyzer features enabled, it is possible to use the same event handler.

Solution

1. Create a mail server.
   
   Login to FortiAnalyzer, navigate to System setting -> Mail server, and select 'Create new'.
   
   After, enter the mail server details.

 

3. Login to FortiAnalyzer, navigate to Incident and Event -> Event Handler list, and select 'Create new'.
   
   Enter the details as per the following screenshot, and on the same page, enter the email notification details:
    
   To: Destination Email address.
   From: Source Email address which is present in the mail server.
   Mail Server: Created in 1.
   Generic text: cfgpath=firewall.policy.
   Log Description: Object configured.
   Action: Delete.

 

4. Troubleshooting.

If the email notification is not received, run the debug flow below and collect information for TAC support.

diagnose debug application fazmaild 255
diagnose debug enable

To stop the debug flow:

diagnose debug disable

diagnose debug reset

For FortiManager / FortiAnalyzer 7.6 or above flow capture:

diagnose debug application fazmaild 8
diagnose debug enable

To stop the debug flow:

diagnose debug disable

diagnose debug reset

Related articles:

• Technical Tip: How to configure email alerts for configuration changes on FortiGate using FortiAnaly...
• Technical Tip: How create event handler in FortiAnalzyer for policy change in FortiGate
• Technical Tip: Setting up a FortiAnalyzer event handler with a specific time schedule
• Technical Tip: How to set up Email Notifications with notification.fortinet.net
• Troubleshooting Tip: How to understand the email SMTP issues and its causes
• Troubleshoot: FortiAnalyzer unable resolve DNS to mail server