| Description |
This article describes the configuration of Automation Stitches within a security fabric and provides an overview of how to confirm the correct execution in the fabric. |
| Scope | FortiAnalyzer, FortiGate with CSF. |
| Solution |
This document assumes that FortiAnalyzer and FortiGate have been configured successfully for:
For reference on how to set these up, see the following documents:
When configuring the stitch within the security fabric, the following elements must be selected.
The configuration above triggers the automation stitch in both F2 and F9. In this scenario, F2 is the root while F9 is downstream. After the stitch is triggered, these elements can be reviewed to confirm:
On the GUI of the ROOT FortiGate:
Note that non-root devices cannot see the automation window. It will show the following:
In the CLI:
total stitches activated: 3 stitch: Stich1
(id:304)severity=medium (id:null)tag=tag1 <----- Event Handler Tag (if configured). local hit: 1 relayed to: 3 relayed from: 2 <----- Increments upon trigger.
In the non-root FortiGate (F9), the counters also increment:
F9 # diagnose test application autod 2 csf: enabled root: no sync connection: connected version:1747921654 sync time:Thu May 22 09:55:22 2025
total stitches activated: 3
stitch: Stich1 destinations: Stich1; trigger: HANDLER type:faz event field ids: (id:null)triggername=Handler1ZZZ (id:304)severity=medium (id:null)tag=tag1
local hit: 0 relayed to: 0 relayed from: 1 <----- Counters increment. actions: BAN-test-IP type:cli-script interval:0 delay:0 required:yes
Counter explanation:
In the automation, the Stitch is configured to fail when there is a failed authentication 3 times within 1 minute. The switch gets triggered in the following way.
|
