The following scenario shows how to create a firewall policy at a specific time and remove it again: a deny policy that one Automation Stitch adds after working hours, so that all traffic between the two interfaces is blocked overnight, and a second Automation Stitch that deletes the policy in the morning, when the FortiGate is back in production use and traffic must be allowed again.
1. Configure an Automation Stitch that adds the deny firewall policy. The stitch references a trigger and an action by name, so create those two entries (steps 2 and 3) before committing the stitch; the CLI rejects a reference to an entry that does not exist yet.

config system automation-stitch
    edit "Add_Deny_Policy"
        set trigger "Add_Deny_Policy"
        config actions
            edit 1
                set action "Deny_Policy"
                set required enable
            next
        end
    next
end
2. Configure a trigger that runs every day at 17:00 (end of working hours).

config system automation-trigger
    edit "Add_Deny_Policy"
        set description "Create a new policy that will deny all the traffic after hour 17:00"
        set trigger-type scheduled
        set trigger-frequency daily
        set trigger-hour 17
        set trigger-minute 0
    next
end
3. Configure the action that creates deny policy 8.

config system automation-action
    edit "Deny_Policy"
        set action-type cli-script
        set minimum-interval 1
        set script "config firewall policy
edit 8
set name "Deny_policy"
set uuid 4536ec5c-588d-51ef-add9-d94bdc4cb17d
set srcintf "port1"
set dstintf "port10"
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic disable
next
end"
        set execute-security-fabric enable
        set accprofile "super_admin"
    next
end

A few points to check before relying on this script. The script never sets action; the policy is a deny policy only because deny is the default action of a firewall policy, so add set action deny if you want the intent to be explicit. A policy created from the CLI is appended to the end of the policy list: if an allow policy for port1 to port10 sits above it, sessions keep matching the allow policy and nothing is blocked, so add move 8 before <id of the first allow policy> inside the config firewall policy block to place the deny policy first. set logtraffic disable means denied sessions are not logged; for a blocking policy you usually want set logtraffic all so that after-hours attempts appear in the traffic log. When the script is typed on the CLI, the double quotes inside the script string must be escaped as \" (or simply omitted, since none of these values contains a space). The script runs with the rights of the accprofile (here super_admin); an admin profile with write access only to firewall policy is sufficient and is the least-privilege choice. Finally, execute-security-fabric enable would run the script on every FortiGate in the Security Fabric; in this setup the fabric is disabled (csf: disabled in the diagnose output further down), so the setting has no effect.
   
4. Check that the scheduled Automation Stitch Add_Deny_Policy has run:

diagnose test application autod 3

alert mail log count: 0
stitch: Add_Deny_Policy (scheduled)
    local hit: 1 relayed to: 0 relayed from: 0
    last trigger:Mon Aug 21 17:00:00 2024
    last relay:
    next scheduled trigger:Tue Aug 22 17:00:00 2024
    actions:
        Deny_Policy:
            done: 1 relayed to: 0 relayed from: 0
            last trigger:Mon Aug 21 17:00:00 2024
            last relay:

The stitch Add_Deny_Policy fired on 21 Aug at 17:00 (local hit: 1, and done: 1 for its action), and its next run is scheduled for 22 Aug at 17:00.
5. Remove deny policy 8 again at the start of production hours with another Automation Stitch. The stitch and action names below say "disable", but the action actually deletes the policy; the Add_Deny_Policy stitch recreates it the next evening.
6. Configure an Automation Stitch that removes the deny firewall policy. As in step 1, create the trigger and action (steps 7 and 8) before the stitch, because the stitch references them by name.

config system automation-stitch
    edit "Disable the Deny_Policy"
        set trigger "Delete the deny_Policy"
        config actions
            edit 1
                set action "Delete the Deny_Policy"
                set required enable
            next
        end
    next
end
7. Configure a trigger that runs every day at 08:00 (start of working hours).

config system automation-trigger
    edit "Delete the deny_Policy"
        set description "Delete the Deny Policy at 08:00 every day."
        set trigger-type scheduled
        set trigger-hour 8
        set trigger-minute 0
    next
end
8. Configure the action that deletes deny policy 8. The script block must be closed with end (delete is a table-level command, so there is no edit entry for next to close).

config system automation-action
    edit "Delete the Deny_Policy"
        set description "Delete the Deny policy at 08:00"
        set action-type cli-script
        set script "config firewall policy
delete 8
end"
        set accprofile "super_admin"
    next
end
   
9. Check that the scheduled Automation Stitch that removes the deny policy has run:

diagnose test application autod 3

alert mail log count: 0
stitch: Disable the Deny_Policy (scheduled)
    local hit: 1 relayed to: 0 relayed from: 0
    last trigger:Mon Aug 21 08:00:00 2024
    last relay:
    next scheduled trigger:Tue Aug 22 08:00:00 2024
    actions:
        Delete the Deny_Policy:
            done: 1 relayed to: 0 relayed from: 0
            last trigger:Mon Aug 21 08:00:00 2024
            last relay:

The stitch Disable the Deny_Policy fired on 21 Aug at 08:00, and its next run is scheduled for 22 Aug at 08:00.
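The procedure above recreates and deletes the policy every day. The following configuration is an added example and not part of the original article: it applies the same scheduled-trigger plus cli-script pattern to one persistent deny policy whose status is toggled instead. The policy then keeps its position in the policy list, its UUID and its logging setting across cycles, and both scripts are idempotent (enabling an already enabled policy is harmless, whereas deleting a policy that is already gone produces an error). The policy ID 8, the interfaces port1 and port10, all object names, the admin profile Policy_admin, and the assumption that the first existing allow policy has ID 1 (the deny policy is moved above it) are illustrative choices, not values from the article.

```fortios
# Added example, not part of the original article. All names and IDs are assumptions:
# policy 8 (port1 -> port10) is the after-hours deny policy, policy 1 is the existing
# allow policy it must sit above, and Policy_admin is a least-privilege admin profile.

# 1. Create the deny policy once, disabled, and move it to the top of the list.
config firewall policy
    edit 8
        set name "Deny_after_hours"
        set srcintf "port1"
        set dstintf "port10"
        set action deny
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set status disable
    next
    move 8 before 1
end

# 2. Admin profile with write access to firewall policy only (assumed name).
#    The page uses super_admin; either works for the accprofile below.
config system accprofile
    edit "Policy_admin"
        set fwgrp custom
        config fwgrp-permission
            set policy read-write
        end
    next
end

# 3. Two scheduled triggers: 17:00 (end of work) and 08:00 (start of work).
config system automation-trigger
    edit "After_hours_start"
        set trigger-type scheduled
        set trigger-frequency daily
        set trigger-hour 17
        set trigger-minute 0
    next
    edit "After_hours_end"
        set trigger-type scheduled
        set trigger-frequency daily
        set trigger-hour 8
        set trigger-minute 0
    next
end

# 4. Two cli-script actions that only flip the status of policy 8.
#    The scripts contain no inner quotes, so nothing has to be escaped.
config system automation-action
    edit "Enable_deny_policy"
        set action-type cli-script
        set script "config firewall policy
edit 8
set status enable
next
end"
        set accprofile "Policy_admin"
    next
    edit "Disable_deny_policy"
        set action-type cli-script
        set script "config firewall policy
edit 8
set status disable
next
end"
        set accprofile "Policy_admin"
    next
end

# 5. Stitches, created last because they reference the triggers and actions by name.
config system automation-stitch
    edit "Deny_after_hours_on"
        set trigger "After_hours_start"
        config actions
            edit 1
                set action "Enable_deny_policy"
                set required enable
            next
        end
    next
    edit "Deny_after_hours_off"
        set trigger "After_hours_end"
        config actions
            edit 1
                set action "Disable_deny_policy"
                set required enable
            next
        end
    next
end
```

Verify it the same way as in steps 4 and 9: each run of diagnose test application autod 3 should show local hit and done increased by one for the stitch that just fired, and show firewall policy 8 should report set status enable between 17:00 and 08:00 and no status line (the enabled default is not printed) outside that window only if you have reversed the logic; with this configuration the policy is disabled during working hours. If the only requirement is time-based blocking, a recurring schedule object (config firewall schedule recurring) attached to the deny policy achieves the same without stitches; the stitch pattern is for cases where the after-hours change has to run as a CLI script.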
   
To display the settings of all Automation Stitches, run the following command:

diagnose test application autod 2

csf: disabled root: no sync connection: connecting
version:0 sync time:
total stitches activated: 3
stitch: Add_Deny_Policy
    destinations: all
    trigger: Add_Deny_Policy
    local hit: 10 relayed to: 0 relayed from: 0
    actions:
        Deny_Policy type:cli-script interval:1
            delay:0 required:yes
            script:config firewall policy
edit 8
set name "Deny_policy"
set uuid 4536ec5c-588d-51ef-add9-d94bdc4cb17d
set srcintf "port1"
set dstintf "port10"
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic disable
next
end
stitch: Disable the Deny_Policy
    destinations: all
    trigger: Delete the deny_Policy
    local hit: 10 relayed to: 0 relayed from: 0
    actions:
        Delete the Deny_Policy type:cli-script interval:0
            delay:0 required:yes
            script:config firewall policy
delete 8
next
stitch: Firmware upgrade notification
    destinations: all
    trigger: Auto Firmware upgrade
    type:logid
    logids:

The third stitch, Firmware upgrade notification, is one of the default stitches and is not part of this scenario; the capture is cut off at its logids: line. The hit counters (local hit: 10) are higher than in steps 4 and 9 because this output was taken after several daily cycles.
   
To display statistics for all Automation Stitches, run the following command. This output comes from a separate test run, so the trigger times differ from the 17:00 and 08:00 schedule used above:

diagnose test application autod 3

alert mail log count: 0
stitch: Add_Deny_Policy (scheduled)
    local hit: 10 relayed to: 0 relayed from: 0
    last trigger:Wed Aug 21 02:35:12 2024
    last relay:
    next scheduled trigger:Thu Aug 22 02:35:00 2024
    actions:
        Deny_Policy:
            done: 10 relayed to: 0 relayed from: 0
            last trigger:Wed Aug 21 02:35:12 2024
            last relay:
stitch: Disable the Deny_Policy (scheduled)
    local hit: 10 relayed to: 0 relayed from: 0
    last trigger:Wed Aug 21 02:39:12 2024
    last relay:
    next scheduled trigger:Thu Aug 22 02:39:00 2024
    actions:
        Delete the Deny_Policy:
            done: 10 relayed to: 0 relayed from: 0
            last trigger:Wed Aug 21 02:39:12 2024
            last relay:
stitch: Firmware upgrade notification
    local hit: 0 relayed to: 0 relayed from: 0
    last trigger:
    last relay:
    actions:
        Email Notification:
            done: 0 relayed to: 0 relayed from: 0
            last trigger:
            last relay:
logid to stitch mapping:
    id:0 (scheduled stitches) local hit: 20 relayed hits: 0
        Add_Deny_Policy
        Disable the Deny_Policy

The local hit: 20 under id:0 is the combined count of the two scheduled stitches (10 runs each).
   
To stop any CLI script that is still running, use the following command; in this capture none was running:

execute auto-script stopall
No script is running

This command does not disable the stitches themselves. To stop a stitch from firing, disable it with set status disable on its entry under config system automation-stitch, or remove its trigger. When you are done testing, clear any debug settings with:

diagnose debug reset