FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 190277



This article describes how to configure FortiGate to automatically respond to various trigger events. This article is for FortiOS 7.0 and 7.2 - the automation workflow was redesigned to be more efficient and clearer for the user.



Automation stitches, actions, and triggers have separate dialogs and are no longer part of the main automation stitch dialog like in previous FortiOS versions (6.2, 6.4).

1) When creating a stitch, selecting 'Add Trigger' or 'Add Action' displays a list of available triggers and actions, and also the option to create new ones.



2) Once the stitch is configured, a process diagram of the trigger, actions, and delays is displayed.




Notice the 'Action execution' options - it allows to choose if additional actions are executed in a specific order ('Sequential') or simultaneously ('Parallel'). If you choose 'Sequential', it is possible to configure a delay between actions in seconds ('Add delay' button). However, if one of the actions fails, then the next actions will not be executed and the automation stitch will stop.

To configure a trigger or update an existing one:

Select a trigger from the list, e.g. 'Network Down' and add events to which automation will react when executing the stitch:

- Select 'Link monitor status' if the link monitor is configured;
- Select 'Routing information changed' if SD WAN is configured with performance SLA;
- Select 'Interface status changed' if the physical status of the uplink should be monitored.
It is possible to add additional field filters for the automation to be triggered at specific values, however, it should match across the chosen events.


Not all the triggers can be edited if based on some singular FortiOS event, e.g. reboot or failover.

The trigger can be also configured as a recurring schedule (hourly, daily, etc) for a specific action:




Other possible triggers:




To configure an action or update an existing one:

One of the most widespread actions is sending an email to the administrator after a specific event has happened. To configure it, select 'Default Email' on the Action page and specify the recipient(s) and subject:


Another popular activity is running a CLI script - for example, it can be used to restart a process if automation gets triggered by 'High CPU' or 'Conserve Mode' triggers. To configure it, chose 'Create New' on the Action page and find 'CLI Script':


The commands can be either specified manually or recorded in the console widget.
Other possible actions:


Enhancements in automation stitches in FortiOS 7.2.0-7.2.1 and up:
New automation triggers were added:
- Local Certificate Expiry - specify the certificate name to execute.
- Separate triggers based on Event logs, such as Virus Logs, SSH logs, IPS Logs, Webfilter violations, etc.
- Schedule-based trigger allows now to configure a one-time action, not only recurrent.
Example of CLI configuration:
Default automation stitch to send an email when a network goes down
# config system automation-stitch
    edit "Network Down"
        set status enable
        set trigger "Network Down"
            # config actions
                edit 1
                    set action "Default Email"
Default automation trigger for when a network connection goes down
# config system automation-trigger
    edit "Network Down"
        set event-type event-log
        set logid 22922 22921 -> ID of the Event logs chosen for this trigger.
Default automation action to send an email:
# config system automation-action
    edit "Default Email"
        set action-type email
        set email-from <Email sender name>
        set email-to <email-address>
        set email-subject <subject-name>
        set minimum-interval <seconds> -> default value is 0.