FortiGate
Somashekara_Hanumant
Staff & Editor
Article Id 414499
Description This article describes how to configure an automation trigger with selected field filters.
Scope FortiGate.
Solution

While configuring an automation stitch, administrators can choose field filters that determine which events trigger it. In this example, the administrator chooses ‘Remote IP’, ‘Group’ and ‘User’.

 

Field filters support only Boolean AND; there is no Boolean OR, so a log must match all of the configured field filters to trigger the event.

 

To achieve this, the administrator needs to configure the following:

  • Email server.
  • Automation action.
  • Automation Trigger.
  • Automation Stitch.

 

 

Automation Action:

Go to Security Fabric -> Automation:

 

vpn_alert.jpg

 

config system automation-action
    edit "FTNT VPN Alert"
        set action-type email
        set email-to "user2@dxb-nse8.lab"
        set email-from "donotreply@fortinet.com"
        set email-subject "FTNT VPN Alert Notifications"
    next
end

 

Configuring Automation Trigger:

 automation_trigger.JPG

 

config system automation-trigger
    edit "FTNT VPN Alert-Trigger"
        set event-type event-log
        set logid 39425 39424 45081 45124 45125
        config fields
            edit 1
                set name "remip"
                set value "172.21.36.17"
            next
            edit 2
                set name "user"
                set value "ftnt"
            next
            edit 3
                set name "group"
                set value "abcgrp"
            next
        end
    next
end

 

Configuring Automation Stitch:

 

automation_stitch.JPG

 

config system automation-stitch
    edit "FTNT VPN alert - Stitch"
        set trigger "FTNT VPN Alert-Trigger"
        config actions
            edit 1
                set action "FTNT VPN Alert"
                set required enable
            next
        end
    next
end

 

Connect to the SSL VPN as the ‘ftnt’ user; the automation action is then triggered and sends an alert email as shown below:

 

From: donotreply@fortinet.com
Date: Oct 1, 2025, 3:49:37 PM
To: user2@dxb-nse8.lab
Subject: FTNT VPN Alert Notifications

date=2025-10-01 time=04:49:36 devid="FGVM01TM24005264" devname="hercules-kvm11" eventtime=1759319376354005694 tz="-0700" logid="0101039425" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel down" action="tunnel-down" tunneltype="ssl-web" tunnelid=1990125986 remip=172.21.36.17 srccountry="Reserved" user="ftnt" group="abcgrp" dst_host="N/A" reason="User requested termination of service" duration=99 sentbyte=0 rcvdbyte=0 msg="SSL tunnel shutdown"
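
The AND-only matching described above can be checked offline against a log line like the one in this alert email. The following Python sketch is an added example, not Fortinet code: the function names, the exact-string comparison of filter values, and sample lines 1 to 3 are assumptions made for illustration.

```python
import re

# Trigger from the article: log IDs plus field filters (all must match).
TRIGGER_LOGIDS = {39425, 39424, 45081, 45124, 45125}
TRIGGER_FIELDS = {"remip": "172.21.36.17", "user": "ftnt", "group": "abcgrp"}

# key=value pairs; a value is either quoted (may hold spaces) or a bare token.
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line):
    """Parse a FortiGate key=value log line into a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PAIR.finditer(line)}


def trigger_matches(line, logids=TRIGGER_LOGIDS, fields=TRIGGER_FIELDS):
    """Return (fires, failed_filters) under AND-only semantics."""
    log = parse_log(line)
    # The logged logid has 10 digits (type, subtype, 6-digit message ID);
    # the trigger lists the message ID without leading zeros.
    logid = log.get("logid", "")
    if not logid.isdigit() or int(logid[-6:]) not in logids:
        return False, ["logid"]
    # Assumption: each filter value is compared as an exact string.
    failed = [name for name, want in fields.items() if log.get(name) != want]
    return not failed, failed


# Sample 0 is trimmed from the article's alert email; 1-3 are constructed.
SAMPLES = [
    'logid="0101039425" type="event" subtype="vpn" action="tunnel-down" '
    'remip=172.21.36.17 user="ftnt" group="abcgrp" msg="SSL tunnel shutdown"',
    'logid="0101039425" type="event" subtype="vpn" action="tunnel-down" '
    'remip=172.21.36.99 user="ftnt" group="abcgrp" msg="SSL tunnel shutdown"',
    'logid="0101039425" type="event" subtype="vpn" action="tunnel-down" '
    'remip=172.21.36.17 user="other" group="othergrp" msg="SSL tunnel shutdown"',
    'logid="0101099999" type="event" subtype="vpn" action="constructed" '
    'remip=172.21.36.17 user="ftnt" group="abcgrp" msg="constructed log"',
]

if __name__ == "__main__":
    for i, sample in enumerate(SAMPLES):
        fires, failed = trigger_matches(sample)
        print(i, "fires" if fires else "no alert, failed: " + ", ".join(failed))
```

Only sample 0 produces an alert: a session by the same user from a different remote IP, or a log ID outside the trigger's list, is silently skipped, which is worth keeping in mind when relying on this stitch for VPN monitoring.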

 

Event logs:

 

event_log.JPG