Kush_Patel
Staff
Article Id 344302
Description This article describes how to use an automation stitch to send an alert email when any administrator downloads a backup of the configuration file via the GUI. This helps with auditing by tracking who may have obtained the full configuration backup.
Scope FortiGate.
Solution

Review the SMTP server settings under config system email-server as described in the following article: Technical Tip: How to configure SMTP using custom server and port on FortiGate.

 

  1. Configure a trigger as shown below. Search for Event ID '32095' and the event will appear in the search section.

    config system automation-trigger
        edit "Config Backup completed"
            set event-type event-log
            set logid 32095
            config fields
                edit 1
                    set name "action"
                    set value "download"
                next
            end
        next
    end

 

  2. Configure an Automation Action to send an email when the above event is triggered.

    config system automation-action
        edit "ConfigDownloadedGUI_email"
            set action-type email
            set email-to "example@gmail.com"
            set email-subject "%%log.logdesc%%"
        next
    end

     

     

  3. Configure an Automation Stitch using the trigger and automation action configured above.

    config system automation-stitch
        edit "Config-Download-GUI"
            set trigger "Config Backup completed"
            config actions
                edit 1
                    set action "ConfigDownloadedGUI_email"
                    set required enable
                next
            end
        next
    end

 

Once triggered, the 'System Events' logs should show the corresponding log entry. Select the log entry to get more details:

date=2024-09-25 time=10:58:26 eventtime=1727276306518412481 tz="-0400" logid="0100032095" type="event" subtype="system" level="warning" vd="root" logdesc="Admin performed an action from GUI" user="admin" ui="GUI(172.25.181.194)" action="download" status="success" msg="System config file has been downloaded by user admin via GUI(172.25.181.194)"
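
For auditing beyond the email alert, the same event can be picked out of exported or syslog-forwarded logs. The following is an added example, not part of the original article or Fortinet's code: it applies the trigger's filter (event ID 32095, action "download") to key=value log lines in the format shown above and extracts who downloaded the configuration and from where. The function names are hypothetical, and the second and third sample lines are constructed.

```python
import re
import shlex

# The log entry carries logid="0100032095"; the trigger's event ID 32095 is its trailing digits.
EVENT_ID = "32095"
UI_RE = re.compile(r"^(?P<iface>[^()]+)(?:\((?P<ip>[^)]+)\))?$")

def parse_kv(line):
    """Split a key=value log line into a dict, honouring double-quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def config_downloads(lines):
    """Return one audit record per log line matching the trigger's filter."""
    records = []
    for line in lines:
        try:
            f = parse_kv(line)
        except ValueError:  # unbalanced quotes: skip the malformed line
            continue
        if not f.get("logid", "").endswith(EVENT_ID) or f.get("action") != "download":
            continue
        m = UI_RE.match(f.get("ui", ""))  # e.g. GUI(172.25.181.194)
        records.append({
            "when": f"{f.get('date')} {f.get('time')} {f.get('tz', '')}".strip(),
            "user": f.get("user"),
            "status": f.get("status"),
            "interface": m.group("iface") if m else None,
            "source_ip": m.group("ip") if m else None,
            "vdom": f.get("vd"),
        })
    return records

# First line is the log entry from the article; the other two are constructed non-matches.
SAMPLE = [
    'date=2024-09-25 time=10:58:26 eventtime=1727276306518412481 tz="-0400" logid="0100032095" type="event" subtype="system" level="warning" vd="root" logdesc="Admin performed an action from GUI" user="admin" ui="GUI(172.25.181.194)" action="download" status="success" msg="System config file has been downloaded by user admin via GUI(172.25.181.194)"',
    'date=2024-09-25 time=11:02:10 tz="-0400" logid="0100032095" type="event" subtype="system" vd="root" user="admin" ui="GUI(172.25.181.194)" action="other" status="success" msg="constructed line with a different action"',
    'date=2024-09-25 time=11:05:00 tz="-0400" logid="0100099999" type="event" subtype="system" vd="root" user="admin" ui="GUI(172.25.181.194)" action="download" status="success" msg="constructed line with a different logid"',
]

if __name__ == "__main__":
    for rec in config_downloads(SAMPLE):
        print(rec)
```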