iyotov
Article Id 419896
Description

This article describes how to use a FortiAnalyzer Event Handler to trigger an Automation Stitch on a FortiGate that is connected to that FortiAnalyzer.

The feature allows for more complex trigger logic, based on the logs FortiAnalyzer receives from the logging FortiGate.

Scope

FortiAnalyzer, FortiGate.

Solution

  1. Prerequisites.

The FortiGate should have reliable logging (TCP transmission) enabled and upload-option set to realtime, so that it keeps a stable OFTP connection to FortiAnalyzer:

 

config log fortianalyzer setting
    set status enable
    set server "your.FortiAnalyzer.address"
    set serial "your.FortiAnalyzer.Serial.Number"
    set upload-option realtime
    set reliable enable
end


On the FortiAnalyzer side, the FortiGate must be registered and authorized, and its FortiOS connector must show a green status under Incidents & Events -> Automation -> Active Connectors:

[Screenshot: FortiAnalyzer - Incidents & Events - Automation - Active Connectors]

  2. FortiAnalyzer configuration:

Both Basic and Correlation handler types can be used, as long as the Automation Stitch option is enabled on the handler:

[Screenshot: FortiAnalyzer - Incidents & Events - Event Handlers, with the Automation Stitch option enabled]

  3. FortiGate configuration:

A FortiAnalyzer Event Handler that has the Automation Stitch option enabled can then be selected as a trigger on the FortiGate.
Go to the FortiGate GUI -> Security Fabric -> Automation -> Trigger tab, and create a new trigger of the FortiAnalyzer Event Handler type:

[Screenshot: FortiGate - Security Fabric - Automation - New Trigger, type FortiAnalyzer Event Handler]

Then select the FortiAnalyzer Event Handler from the menu:

[Screenshot: FortiGate - trigger settings, FortiAnalyzer Event Handler selection]


Optional:
The two options, Event severity and Event tag, are additional conditions to match. They can be used, for example, to match only events generated by one specific rule of a Basic Event Handler with two or more rules.


The screenshot below shows how these values correspond on the FortiGate and FortiAnalyzer sides:

[Screenshot: Event severity and Event tag on the FortiGate trigger next to the Severity and Tags of the FortiAnalyzer Event Handler rule]

Note: If Event severity and/or Event tag are enabled but the event does not carry matching values, the automation stitch on the FortiGate will not be triggered.

These options are not intended for Correlation Handlers. Although they can technically be used, the Tags and Severity of a Correlation Handler are global to the whole handler, so every event it generates carries the same tags and severity; the conditions then add nothing and only make the configuration harder to manage.

As a rule of thumb, if a Correlation Handler is selected in the automation trigger, keep both Event severity and Event tag disabled.
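As an added example that is not part of the original article, the same trigger and stitch as they would be defined from the FortiGate CLI rather than the GUI. The object, handler, tag and action names are constructed; the event-type value and the faz-event-* option names are assumed from FortiOS 7.0 and later and should be checked against the CLI reference for the running version. The two severity/tag lines are the optional conditions described above and are omitted when the trigger points at a Correlation Handler:

```text
config system automation-trigger
    edit "faz-monitored-country"
        set event-type faz-event
        set faz-event-name "Monitored-Destination-Country"
        # optional conditions: only for a Basic Event Handler rule with these values
        set faz-event-severity "high"
        set faz-event-tags "geo-watch"
    next
end
config system automation-stitch
    edit "quarantine-on-faz-event"
        set status enable
        set trigger "faz-monitored-country"
        config actions
            edit 1
                set action "quarantine-host"
            next
        end
    next
end
```

The action object "quarantine-host" is assumed to exist already; the stitch only references it by name.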

Once the Trigger has been created, it can be used in an automation stitch:

[Screenshot: FortiGate - Security Fabric - Automation - stitch using the FortiAnalyzer Event Handler trigger]

In this example, the event flow is as follows:

  • The endpoint behind the FortiGate connects to an IP address from a monitored destination country.
  • The FortiGate generates a traffic log and sends it to FortiAnalyzer.
  • FortiAnalyzer scans the traffic log from the FortiGate and matches a rule of the selected Event Handler.
  • The Event Handler generates an Event containing the parameters of the triggering log record, as well as the Severity and Tags added by the FortiAnalyzer Event Handler.
  • The Events counter of the Event Handler is incremented, confirming that the handler was matched and the event was generated:

[Screenshot: FortiAnalyzer - Incidents & Events - Event Handlers, Events counter incremented]

  • FortiAnalyzer sends a notification with the event details to the FortiGate via the existing OFTP connection (see 'Prerequisites' above).
  • FortiGate matches the configured Trigger and checks the Event Severity and Tags (if configured).
  • If all conditions are matched, the FortiGate triggers the automation stitch and executes the configured actions.
  • The Trigger Count of the stitch is incremented:

[Screenshot: FortiGate - Security Fabric - Automation, Trigger Count of the stitch incremented]

Troubleshooting: if the FortiGate action is not executed:

  1. Check whether the Trigger Count of the Automation Stitch has incremented on the FortiGate:
    • Yes: Create a FortiGate Support Ticket.
    • No: Proceed to step 2.

  2. Check whether the 'Events' counter of the Event Handler has incremented on the FortiAnalyzer side:
    • Yes:
      • Check the prerequisites at the beginning of this article.
      • Check if the correct handler is selected in the trigger of the automation stitch.
      • Disable Event severity and/or Event tag, if enabled, and try again.
      • If it all looks OK but the issue persists, create a FortiAnalyzer Support Ticket.
    • No: Proceed to step 3.

  3. Check whether a log that is expected to trigger the Event Handler is present under FortiAnalyzer -> Log View but did not trigger it.
    • Yes:
      • Check if the log field name and value of the log match exactly the ones configured in the rules of the Event Handler.
      • Check the other conditions of the event handler, defined under 'Define Event Conditions' of the handler or its rules.
      • If the log is present and the configured conditions look right, create a FortiAnalyzer Support Ticket.
    • No: If there is no matching log in FortiAnalyzer, check the FortiGate configuration and/or open a FortiGate Support ticket.
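The following Python model is an added illustration and not Fortinet code. It reproduces, in a few classes, the matching rules the event flow and the troubleshooting steps above rely on: exact field-name/value matching in a Basic Event Handler rule, the optional Event severity / Event tag conditions on the FortiGate trigger (including the case where a condition is enabled but the event carries no matching value), and the two counters (Events on FortiAnalyzer, Trigger Count on FortiGate) that the decision tree reads. The handler, rule, tag and action names and the traffic log records are all constructed; the diagnose() helper is an assumed name that encodes the three troubleshooting steps:

```python
"""Model of the FortiAnalyzer Event Handler -> FortiGate Automation Stitch flow.
Added illustration, not Fortinet code: names, rules and sample logs are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EventHandler:
    """A Basic Event Handler: each rule is a set of log field=value conditions."""
    name: str
    rules: dict            # rule name -> {"match": {...}, "severity": str, "tags": set}
    events: int = 0        # the 'Events' counter shown in the FortiAnalyzer GUI

    def process(self, log: dict) -> Optional[dict]:
        """Return an Event if a rule matches the log record, else None."""
        for rule_name, rule in self.rules.items():
            # Field names and values must match exactly (troubleshooting step 3)
            if all(log.get(k) == v for k, v in rule["match"].items()):
                self.events += 1
                return {"handler": self.name, "rule": rule_name,
                        "severity": rule["severity"], "tags": set(rule["tags"]),
                        "log": log}
        return None


@dataclass
class AutomationTrigger:
    """FortiGate trigger of type 'FortiAnalyzer Event Handler'."""
    handler_name: str
    severity: Optional[str] = None          # optional 'Event severity' condition
    tags: set = field(default_factory=set)  # optional 'Event tag' condition

    def matches(self, event: dict) -> bool:
        if event["handler"] != self.handler_name:
            return False
        # Severity enabled but not matched: the stitch must not fire
        if self.severity is not None and event["severity"] != self.severity:
            return False
        # Tags enabled: every configured tag must be present on the event
        if self.tags and not self.tags <= event["tags"]:
            return False
        return True


@dataclass
class AutomationStitch:
    trigger: AutomationTrigger
    actions: list
    trigger_count: int = 0  # the 'Trigger Count' shown in the FortiGate GUI

    def deliver(self, event: Optional[dict]) -> list:
        """Event notification arriving from FortiAnalyzer over the OFTP connection."""
        if event is None or not self.trigger.matches(event):
            return []
        self.trigger_count += 1
        return list(self.actions)


def diagnose(handler_events: int, trigger_count: int, matching_log_present: bool) -> int:
    """Troubleshooting step (1, 2 or 3) whose 'Yes' branch applies; 0 when no
    matching log exists on FortiAnalyzer at all (assumed helper, not a product API)."""
    if trigger_count > 0:
        return 1   # stitch fired: the problem is in the FortiGate action itself
    if handler_events > 0:
        return 2   # event generated: check prerequisites, handler selection, severity/tags
    if matching_log_present:
        return 3   # log present but handler did not match: check rule fields/conditions
    return 0       # no log on FortiAnalyzer: check FortiGate logging configuration


def demo() -> dict:
    handler = EventHandler(
        name="Monitored-Destination-Country",
        rules={"rule-country-A": {"match": {"dstcountry": "Country A"},
                                  "severity": "high", "tags": {"geo-watch"}},
               "rule-country-B": {"match": {"dstcountry": "Country B"},
                                  "severity": "medium", "tags": {"geo-watch"}}})
    # Event severity 'high' narrows the trigger to events from rule-country-A only
    stitch = AutomationStitch(
        trigger=AutomationTrigger(handler_name=handler.name, severity="high"),
        actions=["quarantine-host", "email-admin"])
    logs = [  # constructed traffic logs as the FortiGate would send them
        {"type": "traffic", "srcip": "10.0.0.5", "dstcountry": "Country A"},
        {"type": "traffic", "srcip": "10.0.0.6", "dstcountry": "Country B"},
        {"type": "traffic", "srcip": "10.0.0.7", "dstcountry": "country a"},  # case differs: no match
    ]
    fired = [stitch.deliver(handler.process(log)) for log in logs]
    return {"events": handler.events, "trigger_count": stitch.trigger_count,
            "actions": fired,
            "step": diagnose(handler.events, stitch.trigger_count, True)}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the Events counter reaching 2 (both country rules matched once; the third log fails the exact-match test) while Trigger Count reaches 1, because the medium-severity event from rule-country-B does not satisfy the trigger's Event severity condition. That counter pattern is exactly the one step 2 of the troubleshooting list asks about.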

 

Related document:

FortiAnalyzer event handler trigger