Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Mrinmoy
Staff
Staff

Created on ‎11-23-2023 09:01 AM Edited on ‎02-20-2025 05:06 AM By Staff

Article Id 285814

Technical Tip: Configure an automation stitch to get an email alert for admin login failures

Description This article describes how to configure an automation stitch to provide email alerts when admin login failures appear in the logs.
Scope FortiOS v6.4 or above.
Solution

Create an Automation stitch under Security Fabric -> Automation -> Stitch -> Create New.

 

1.png

 

Give it a name and configure a trigger as per the screenshot below:

 

2.png

 

Configure an action as per the screenshot below:

 

3.png

 

Now test the stitch by entering the wrong user ID or password. Check the status from the firewall and check for an email.

 

4.png


The CLI part after configuration is as follows:

Stitch:

 

config system automation-stitch

    edit "Login-Failure"

        set trigger "Admin-Login"

            config actions

                edit 1

                    set action "Login-Failed"
                    set required enable

                next

end


Trigger:

 

config system automation-trigger

    edit "Admin-Login"

        set event-type event-log
        set logid 32002

    next

end

 

Action:

 

config system automation-action

    edit "Login-Failed"

        set action-type email
        set email-to "abc@xyz.com"
        set email-subject "Admin Login-Failed"

    next

end

 

To test the Automation Stitch run the below command:

 

diagnose automation test Login-Failure 0100032002

automation test failed(2). stitch:Login-Failure

 

Log: The email will contain the following log:


date=2023-11-23 time=08:34:40 devid="FGT61FTKXXXXXXX" devname="FGT" eventtime=1700757280632505080 tz="-0800" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="https(209.87.240.230)" method="https" srcip=209.87.240.230 dstip=10.0.0.30 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(209.87.240.230) because of invalid password"

 

2422
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.