yderek
Staff
Article Id 390206
Description This article explains why, when a configuration change automation alert is configured and triggered in an HA cluster, an email is received from both the Primary and Secondary units.
Scope FortiGate.
Solution
  1. In a FortiGate HA environment, automation stitches are configured to send an alert email whenever there is a configuration change on the firewall.
  2. The configuration is shown below:

 

config system automation-trigger
    edit "Config Change"
        set event-type event-log
        set logid 44546 32172 32174 22804 22805 44547 44545
    next
end

config system automation-action
    edit "Email Notification"
        set description "Send a custom email notification to the FortiCare email address registered on this device."
        set action-type email
        set forticare-email enable
        set email-subject "%%log.logdesc%%"
    next
end

config system automation-stitch
    edit "Config Change Email"
        set trigger "Config Change"
        config actions
            edit 1
                set action "Email Notification"
                set required enable
            next
        end
    next
end

 

For details on how to configure the automation alert email, refer to this KB article: Technical Tip: Use FortiGate automation stitches for alert emails 

 

  3. Once a configuration change occurs on the firewall, two emails are received: one from the Primary device, followed by another with the same content but with the Secondary device's serial number. See the example logs and screenshots below.

 

date=2025-04-28 time=23:49:55 devid="FGVM010000137934" devname="FGVM010000137934" eventtime=1745909395651268351 tz="-0700" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="ha_daemon" action="Delete" cfgtid=156041243 uuid="0b7d630e-248b-51f0-67a7-190c989b53d4" cfgpath="firewall.address" cfgobj="none" msg="Delete firewall.address none"

 

date=2025-04-28 time=23:49:55 devid="FGVM010000137911" devname="FGVM010000137911" eventtime=1745909394668896417 tz="-0700" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(10.254.1.254)" action="Delete" cfgtid=128647268 uuid="0b7d630e-248b-51f0-67a7-190c989b53d4" cfgpath="firewall.address" cfgobj="none" msg="Delete firewall.address none"

 

email1.jpg

email2.png

 

Conclusion 

This is expected behaviour. When a configuration change is made on the Primary firewall, it is synchronized to the Secondary device, where the same configuration event is logged and triggers the stitch; hence, an email is also generated from the Secondary.
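For teams that forward these events to a mailbox or SIEM, the following added example (not part of the original article and not Fortinet code) shows one way to collapse the Primary event and its HA replay into a single change record. It assumes the replayed copy carries ui="ha_daemon" as in the sample logs above; the matching fields and the 5-second window are assumptions.

```python
import re

# The two log lines from the article: the HA replay and the original GUI change.
LOGS = [
    'date=2025-04-28 time=23:49:55 devid="FGVM010000137934" devname="FGVM010000137934" eventtime=1745909395651268351 tz="-0700" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="ha_daemon" action="Delete" cfgtid=156041243 uuid="0b7d630e-248b-51f0-67a7-190c989b53d4" cfgpath="firewall.address" cfgobj="none" msg="Delete firewall.address none"',
    'date=2025-04-28 time=23:49:55 devid="FGVM010000137911" devname="FGVM010000137911" eventtime=1745909394668896417 tz="-0700" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(10.254.1.254)" action="Delete" cfgtid=128647268 uuid="0b7d630e-248b-51f0-67a7-190c989b53d4" cfgpath="firewall.address" cfgobj="none" msg="Delete firewall.address none"',
]

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Fields that identify "the same change" on every cluster member (assumption).
KEY_FIELDS = ("logid", "user", "action", "cfgpath", "cfgobj", "uuid", "msg")
WINDOW_NS = 5 * 10**9  # assumed maximum HA sync delay: 5 seconds


def parse(line):
    """Turn a FortiGate key=value log line into a dict, unquoting values."""
    return {k: (q if v.startswith('"') else v) for k, v, q in KV.findall(line)}


def correlate(lines):
    """Group events that describe one change logged by several HA members."""
    groups = []
    for ev in sorted(map(parse, lines), key=lambda e: int(e["eventtime"])):
        key = tuple(ev.get(f) for f in KEY_FIELDS)
        t = int(ev["eventtime"])
        for g in groups:
            if g["key"] == key and t - g["last"] <= WINDOW_NS:
                g["events"].append(ev)
                g["last"] = t
                break
        else:  # no open group matched: this is a new change
            groups.append({"key": key, "last": t, "events": [ev]})
    return groups


def summarize(group):
    """Report where the change was made and which members replayed it."""
    origin = [e for e in group["events"] if e.get("ui") != "ha_daemon"]
    synced = [e["devid"] for e in group["events"] if e.get("ui") == "ha_daemon"]
    return {
        "change": group["events"][0]["msg"],
        "origin": [(e["devid"], e["user"], e["ui"]) for e in origin],
        "synced_to": synced,
    }


if __name__ == "__main__":
    for g in correlate(LOGS):
        print(summarize(g))
```

A group whose events all carry ui="ha_daemon" has an empty origin list, which means the originating event was not collected and is worth following up.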
