omorenomartin
Article Id 337897
Description This article describes how an automation stitch behaves by default when it is configured on the primary node of an HA cluster, and how to change this behavior with 'automation-destination'.
Scope FortiGate.
Solution

When an automation stitch is configured on the primary node of a High Availability (HA) cluster, the configuration is synchronized to the secondary nodes, and by default every node executes the stitch when it is triggered.

 

This behavior is appropriate for most scenarios, where the same action must run on all nodes, but there are cases where a diagnose or execute command is only needed on specific devices.

 

All stitches are created with the initial 'FortiGate(s)' value set to 'All FortiGates'. This option is only selectable when the device acts as the root of the Security Fabric.

 

The Security Fabric role is set under Security Fabric -> Fabric Connectors.

The stitch is created under Security Fabric -> Automation -> Create New.

 

Note: If the 'Security Fabric role' is set to 'Standalone', the initial value is still 'All FortiGates', but it is not selectable via the GUI.

 

The 'automation-destination' object specifies an individual serial number, or a group of serial numbers, within the HA cluster or Security Fabric on which the configured stitch is executed, which provides finer granularity.

 

Examples:

 

config system automation-destination
    edit "Primary"
        set destination "FGT60FTKXXXXXXXX"  <-- Primary device SN.
    next
    edit "Secondary"
        set destination "FGT60FTKXXXXXXXX"  <-- Secondary device SN.
    next
    edit "Branches"
        set destination "FGT80FTKXXXXXXXX" "FGT40FTKXXXXXXXX"  <-- Branch SNs.
    next
end

 

If specific devices are selected in the GUI while the FortiGate is the root of the Security Fabric, FortiOS generates a new entry within 'config system automation-destination' with the name of the stitch and the serial numbers of the selected devices:

 

config system automation-destination
    edit "Kill_Process"
        set destination "FGVM02TMXXXXXXXX" "FGVM02TMXXXXXXXX"
    next
end

 

FortiOS then references that entry on the automation stitch under 'set destination':

 

config system automation-stitch
    edit "Kill_Process"
        set trigger "Midnight"
        config actions
            edit 1
                set action "Kill_Process"
                set required enable
            next
        end
        set destination "Kill_Process"
    next
end

 

Selecting a Security Fabric device in the GUI references the whole HA cluster in the configuration, not a single node.

 

If the stitch must run on a secondary node only, the correct procedure is to create a CLI entry with that node's serial number under 'config system automation-destination', and then reference that entry as the 'set destination' of the stitch under 'config system automation-stitch'.
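As an added example (not part of this article or of FortiOS), the following Python script parses a saved FortiOS configuration and reports, for every automation stitch, which serial numbers will execute it, so an administrator can audit which stitches still run on all HA nodes. The embedded configuration is a constructed sample; the serial number is a placeholder and the stitch names are assumptions.

```python
import shlex
# Constructed sample FortiOS config (placeholder serial number, not a real device).
SAMPLE_CONFIG = """
config system automation-destination
    edit "Secondary"
        set destination "FGT60FTKXXXXXXXX"
    next
end
config system automation-stitch
    edit "Kill_Process"
        set trigger "Midnight"
        config actions
            edit 1
                set action "Kill_Process"
            next
        end
        set destination "Secondary"
    next
    edit "Reboot_All"
        set trigger "Midnight"
    next
end
"""
def parse_fortios(text):
    # Build nested dicts: section -> entry -> {key: [values], subsection: {...}}
    root, stack = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        cur = stack[-1] if stack else root
        if tokens[0] == "config":      # open a section or a nested table
            stack.append(cur.setdefault(" ".join(tokens[1:]), {}))
        elif tokens[0] == "edit":      # open a table entry
            stack.append(cur.setdefault(tokens[1], {}))
        elif tokens[0] == "set":       # attribute with one or more values
            cur[tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            stack.pop()
    return root
def stitch_scope(config):
    # Map each stitch to the serial numbers that will run it; a stitch without
    # 'set destination' keeps the default and is executed by every HA node.
    dests = config.get("system automation-destination", {})
    scope = {}
    for name, stitch in config.get("system automation-stitch", {}).items():
        refs = stitch.get("destination")
        scope[name] = "All FortiGates" if not refs else [
            sn for r in refs for sn in dests.get(r, {}).get("destination", [])]
    return scope
```

Run stitch_scope(parse_fortios(SAMPLE_CONFIG)) on the sample, or feed it the output of 'show system automation-destination' and 'show system automation-stitch' concatenated from a real unit.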