The following scenario explains how to configure a firewall policy at a specific time and delete it again.
Configure a deny policy with an Automation Stitch that blocks traffic after working hours, and a second Automation Stitch that removes it again so traffic is allowed while the FortiGate is in production hours.
- Configure an Automation Stitch to add a Deny Firewall Policy.
config system automation-stitch
    edit "Add_Deny_Policy"
        set trigger "Add_Deny_Policy"
        config actions
            edit 1
                set action "Deny_Policy"
                set required enable
            next
        end
    next
end
- Configure a 'Trigger' that runs every day at 17:00 (end of working hours).
config system automation-trigger
    edit "Add_Deny_Policy"
        set description "Create a new policy that will deny all the traffic after hour 17:00"
        set trigger-type scheduled
        set trigger-frequency daily
        set trigger-hour 17
        set trigger-minute 0
    next
end
- Configure the 'Action' that creates the Deny_policy (firewall policy 8). The script sets no 'action', so the policy takes the default, which is deny. A policy created from the CLI is appended at the bottom of the policy list, so if earlier policies already allow port1 to port10 traffic, move policy 8 above them (for example 'move 8 before <id>' inside 'config firewall policy') so that it is matched first; also note that 'set logtraffic disable' means the denied sessions are not logged.
config system automation-action
    edit "Deny_Policy"
        set action-type cli-script
        set minimum-interval 1
        set script "config firewall policy
            edit 8
                set name "Deny_policy"
                set uuid 4536ec5c-588d-51ef-add9-d94bdc4cb17d
                set srcintf "port1"
                set dstintf "port10"
                set srcaddr "all"
                set dstaddr "all"
                set schedule "always"
                set service "ALL"
                set logtraffic disable
            next
        end"
        set execute-security-fabric enable
        set accprofile "super_admin"
    next
end
- Check if the scheduled Automation Stitch for Add_Deny_Policy has been run:
diag test application autod 3
alert mail log count: 0
stitch: Add_Deny_Policy (scheduled)
local hit: 1 relayed to: 0 relayed from: 0 last trigger:Mon Aug 21 17:00:00 2024 last relay: next scheduled trigger:Tue Aug 22 17:00:00 2024 actions: Deny_Policy: done: 1 relayed to: 0 relayed from: 0 last trigger:Mon Aug 21 17:00:00 2024 last relay:
Notice that the Automation Stitch Add_Deny_Policy was triggered on 21 Aug at 17:00 and that its next run is scheduled for 22 Aug at 17:00.
- Disable the Deny_Policy 8 during the production time with another Automation Stitch.
- Configure an Automation Stitch to disable the Deny Firewall Policy.
config system automation-stitch
    edit "Disable the Deny_Policy"
        set trigger "Delete the deny_Policy"
        config actions
            edit 1
                set action "Delete the Deny_Policy"
                set required enable
            next
        end
    next
end
- Configure a 'Trigger' that runs every day at 08:00 (start of working hours).
config system automation-trigger
    edit "Delete the deny_Policy"
        set description "Delete the Deny Policy at 08:00 every day."
        set trigger-type scheduled
        set trigger-hour 8
        set trigger-minute 0
    next
end
- Configure the 'Action' that removes the Deny_policy (firewall policy 8).
config system automation-action
    edit "Delete the Deny_Policy"
        set description "Delete the Deny policy at 08:00"
        set action-type cli-script
        set script "config firewall policy
            delete 8
        next"
        set accprofile "super_admin"
    next
end
- Check if the scheduled Automation Stitch for disabling the Deny_Policy has been run:
diag test application autod 3
alert mail log count: 0
stitch: Disable the Deny_Policy (scheduled)
local hit: 1 relayed to: 0 relayed from: 0 last trigger:Mon Aug 21 08:00:00 2024 last relay: next scheduled trigger:Tue Aug 22 08:00:00 2024 actions: Delete the Deny_Policy: done: 1 relayed to: 0 relayed from: 0 last trigger:Mon Aug 21 08:00:00 2024 last relay:
- Notice that the Automation Stitch for disabling the Deny_Policy was triggered on 21 Aug at 08:00 and that its next run is scheduled for 22 Aug at 08:00.
- To display all settings for all the Automation Stitches, run the following command:
diag test application autod 2
csf: disabled root: no sync connection: connecting version:0 sync time: total stitches activated: 3
stitch: Add_Deny_Policy destinations: all trigger: Add_Deny_Policy
local hit: 10 relayed to: 0 relayed from: 0 actions: Deny_Policy type:cli-script interval:1 delay:0 required:yes script:config firewall policy
edit 8
set name "Deny_policy" set uuid 4536ec5c-588d-51ef-add9-d94bdc4cb17d set srcintf "port1" set dstintf "port10" set srcaddr "all" set dstaddr "all" set schedule "always" set service "ALL" set logtraffic disable
next
end
stitch: Disable the Deny_Policy destinations: all trigger: Delete the deny_Policy
local hit: 10 relayed to: 0 relayed from: 0 actions: Delete the Deny_Policy type:cli-script interval:0 delay:0 required:yes script:config firewall policy delete 8 next
stitch: Firmware upgrade notification destinations: all trigger: Auto Firmware upgrade type:logid logids:
- To display statistics for all Automation Stitches, run the following command:
diag test application autod 3
alert mail log count: 0
stitch: Add_Deny_Policy (scheduled)
local hit: 10 relayed to: 0 relayed from: 0 last trigger:Wed Aug 21 02:35:12 2024 last relay: next scheduled trigger:Thu Aug 22 02:35:00 2024 actions: Deny_Policy: done: 10 relayed to: 0 relayed from: 0 last trigger:Wed Aug 21 02:35:12 2024 last relay:
stitch: Disable the Deny_Policy (scheduled)
local hit: 10 relayed to: 0 relayed from: 0 last trigger:Wed Aug 21 02:39:12 2024 last relay: next scheduled trigger:Thu Aug 22 02:39:00 2024 actions: Delete the Deny_Policy: done: 10 relayed to: 0 relayed from: 0 last trigger:Wed Aug 21 02:39:12 2024 last relay:
stitch: Firmware upgrade notification
local hit: 0 relayed to: 0 relayed from: 0 last trigger: last relay: actions: Email Notification: done: 0 relayed to: 0 relayed from: 0 last trigger: last relay:
logid to stitch mapping: id:0 (scheduled stitches) local hit: 20 relayed hits: 0 Add_Deny_Policy Disable the Deny_Policy
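A small consistency check over the 'diag test application autod 3' output shown above, added here as example code (it is not from Fortinet or from this article): it parses each stitch's hit and done counters and trigger timestamps, then confirms that the two stitches fire at the configured 17:00 and 08:00 and that every trigger completed its action. The sample output embedded in the block is constructed in the same flattened format as the output above.

```python
import re
from datetime import datetime

# Constructed sample in the flattened "diag test application autod 3" format shown above (not a real capture).
AUTOD3_SAMPLE = """\
stitch: Add_Deny_Policy (scheduled)
local hit: 1 relayed to: 0 relayed from: 0 last trigger:Wed Aug 21 17:00:00 2024 last relay: next scheduled trigger:Thu Aug 22 17:00:00 2024 actions: Deny_Policy: done: 1 relayed to: 0 relayed from: 0 last trigger:Wed Aug 21 17:00:00 2024 last relay:
stitch: Disable the Deny_Policy (scheduled)
local hit: 1 relayed to: 0 relayed from: 0 last trigger:Wed Aug 21 08:00:00 2024 last relay: next scheduled trigger:Thu Aug 22 08:00:00 2024 actions: Delete the Deny_Policy: done: 1 relayed to: 0 relayed from: 0 last trigger:Wed Aug 21 08:00:00 2024 last relay:
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
TS_RE = r"\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}"
STITCH_RE = re.compile(r"^stitch: (?P<name>.+?)(?: \(\w+\))?$")
STATS_RE = re.compile(
    rf"local hit: (?P<hits>\d+).*?last trigger:(?P<last>{TS_RE})? last relay:"
    rf"(?:.*?next scheduled trigger:(?P<next>{TS_RE})?)?"  # absent for non-scheduled stitches
    r" actions: (?P<action>.+?): done: (?P<done>\d+)")

def _ts(value):
    return datetime.strptime(value, TS_FMT) if value else None

def parse_autod3(text):
    """Map each stitch name to its hit/done counters and trigger timestamps."""
    stitches, name = {}, None
    for line in text.splitlines():
        m = STITCH_RE.match(line.strip())
        if m:
            name = m.group("name")
            stitches[name] = {}
        elif name and (m := STATS_RE.search(line)):
            stitches[name].update(hits=int(m["hits"]), done=int(m["done"]),
                                  action=m["action"], last=_ts(m["last"]), next=_ts(m["next"]))
    return stitches

def check_schedule(stitches, expected):
    """Return a list of problems; expected maps stitch name -> (hour, minute)."""
    problems = []
    for name, (hour, minute) in expected.items():
        s = stitches.get(name)
        if not s:
            problems.append(f"{name}: missing from autod output")
            continue
        if s["done"] < s["hits"]:  # the trigger fired but the action did not complete
            problems.append(f"{name}: {s['hits']} hits, action done {s['done']} times")
        for key in ("last", "next"):  # both timestamps must sit on the configured time
            if (ts := s[key]) and (ts.hour, ts.minute) != (hour, minute):
                problems.append(f"{name}: {key} trigger at {ts:%H:%M}, expected {hour:02d}:{minute:02d}")
    return problems
```

Feed it the real output of the command and an 'expected' map matching your trigger-hour settings; an empty list means both stitches are firing on schedule.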
- To stop all the Automation Stitches, run the following command:
execute auto-script stopall
No script is running
diagnose debug reset