FortiGate
Mrinmoy
Staff
Article Id 285814
Description: This article describes how to configure an automation stitch that sends an email alert whenever an admin login failure appears in the event logs.
Scope: FortiOS v6.4 or above.
Solution

Create an Automation stitch under Security Fabric -> Automation -> Stitch -> Create New.

[Screenshot: 1.png]
Give it a name and configure a trigger as per the screenshot below:

[Screenshot: 2.png]
Configure an action as per the screenshot below:

[Screenshot: 3.png]
Now test the stitch by logging in with a wrong user ID or password. Check the stitch status on the firewall and confirm that the alert email arrived.

[Screenshot: 4.png]

The resulting CLI configuration is as follows:

Stitch:

config system automation-stitch
    edit "Login-Failure"
        set trigger "Admin-Login"
        config actions
            edit 1
                set action "Login-Failed"
                set required enable
            next
        end
    next
end


Trigger:

config system automation-trigger
    edit "Admin-Login"
        set event-type event-log
        set logid 32002
    next
end

Action:

config system automation-action
    edit "Login-Failed"
        set action-type email
        set email-to "abc@xyz.com"
        set email-subject "Admin Login-Failed"
    next
end

To test the automation stitch from the CLI, run the following command:

diagnose automation test Login-Failure 0100032002

automation test failed(2). stitch:Login-Failure

Log: The email will contain the following log entry:

date=2023-11-23 time=08:34:40 devid="FGT61FTKXXXXXXX" devname="FGT" eventtime=1700757280632505080 tz="-0800" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="https(209.87.240.230)" method="https" srcip=209.87.240.230 dstip=10.0.0.30 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(209.87.240.230) because of invalid password"
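As an added example that is not part of the article, the following Python script parses the key=value log format shown above, applies the same match condition the trigger uses (event log with log ID 32002) and counts failed admin logins per source address and user, which is useful when reviewing the alert emails or an exported log file. The sample lines are constructed in the shape of the article's log entry, with documentation addresses and a hypothetical device name.

```python
import re
from collections import Counter

# FortiOS event logs are space-separated key=value pairs; values may be
# double-quoted and then contain spaces and parentheses (see the msg field).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Log ID the stitch's trigger fires on: 32002 with its type/subtype prefix,
# exactly as it appears in the log ("Admin login failed").
ADMIN_LOGIN_FAILED = "0100032002"

def parse_fortios_log(line):
    """Return one log line as a dict of field -> value with quotes stripped."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def is_admin_login_failure(fields):
    """The same condition the automation trigger uses: event log, logid 32002."""
    return fields.get("type") == "event" and fields.get("logid") == ADMIN_LOGIN_FAILED

def failures_by_source(lines):
    """Count failed admin logins per (srcip, user) so repeated attempts stand out."""
    counts = Counter()
    for line in lines:
        fields = parse_fortios_log(line)
        if is_admin_login_failure(fields):
            counts[(fields.get("srcip"), fields.get("user"))] += 1
    return counts

# Constructed sample lines shaped like the article's log entry (documentation
# addresses, hypothetical device name); the third line is a different event.
SAMPLE_LOGS = [
    'date=2023-11-23 time=08:34:40 devname="FGT" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="https(192.0.2.10)" method="https" srcip=192.0.2.10 dstip=10.0.0.30 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(192.0.2.10) because of invalid password"',
    'date=2023-11-23 time=08:34:52 devname="FGT" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="https(192.0.2.10)" method="https" srcip=192.0.2.10 dstip=10.0.0.30 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(192.0.2.10) because of invalid password"',
    'date=2023-11-23 time=08:35:10 devname="FGT" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 dstip=10.0.0.30 action="login" status="success" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
]

if __name__ == "__main__":
    for (src, user), n in failures_by_source(SAMPLE_LOGS).items():
        print(f"{n} failed admin login(s) for user {user!r} from {src}")
```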