FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sselvam
Staff
Article Id 195745

Description

 

This article describes how to configure automation stitches for the Fortinet Security Fabric.
Each automation stitch pairs an event trigger with one or more actions, so the Security Fabric can monitor the network and respond automatically when it detects a threat.
Use automation stitches to detect events from any source in the Security Fabric and apply actions to any destination.


 
In this example, the following automation stitches are created:
Ban a compromised host’s IP address.
Send an email alert when HA failover occurs.
 
In this example, the Security Fabric consists of an HA cluster named Edge (Edge-Primary and Edge-Secondary), which is the root FortiGate of the Security Fabric, and three ISFW FortiGates (Accounting, Marketing, and Sales).
Automation stitches are configured on the root FortiGate; the settings are then synchronized to the other FortiGates in the Security Fabric.


Solution
To create the automation stitches:

 

  1. To create a new Automation Stitch that bans the IP address of a compromised host, go to Security Fabric -> Automation and select 'Create New'.
  2. Set FortiGate to 'All FortiGates'.
  3. Set Trigger to 'Compromised Host'. This trigger is based on the Indicator of Compromise (IOC) verdicts that FortiAnalyzer produces, so the Security Fabric must be logging to FortiAnalyzer for it to ever fire.
  4. Set Action to 'IP Ban'.


  

Example configuration in the CLI. No destination is set, which corresponds to 'All FortiGates' in the GUI; 'set required enable' makes the stitch fail if the IP Ban action cannot run:

 

config system automation-stitch
    edit "Compromised-IP-Banned"
        set trigger "Compromised Host"
        config actions
            edit 1
                set action "IP Ban"
                set required enable
            next
        end
    next
end

 

  1. Create a second Automation Stitch that sends an email alert when HA failover occurs.
  2. Set FortiGate to 'Edge-Primary', which is part of the only HA cluster in the Security Fabric.
  3. Set Trigger to 'HA Failover'.
  4. Set Action to 'Email Notification'. Edit the action, specify the recipient email address, select 'Apply', and then select 'OK'. The Email Notification action depends on the email server configured under System -> Settings (or 'config system email-server' in the CLI); without a working relay the stitch triggers but no mail is delivered.

Example configuration in the CLI:

 

config system automation-stitch
    edit "HA-failover"
        set trigger "HA Failover"
        config actions
            edit 1
                set action "Email Notification"
                set required enable
            next
        end
        set destination "Edge-Primary"
    next
end

 
Testing the automation stitches:

 

To test the Automation Stitches go to Security Fabric -> Automation, select the automation, and select 'Test Automation Stitch'. 

 
 
To test the automation for HA failover, log in to Edge-Primary. In the administrative drop-down menu, select 'System' and then 'Reboot'.

Enter an event log message when prompted, then confirm the reboot. The secondary unit takes over as primary, which raises the HA Failover trigger.
  
Results:
 
  1. When the compromised-host automation is triggered (or tested), the banned host can no longer access the internet through the FortiGate that enforced the ban.
  2. When an HA failover occurs, or when the automation is tested, an email is sent to the address configured in the automation.
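The following CLI commands are an added example for verifying both stitches from the FortiGate console; they are not part of the original article. The stitch names match the configuration above, the address 192.0.2.10 is a placeholder, and the command syntax is from FortiOS 6.2/7.x, so confirm it with '?' on the build in use before relying on it.

```fortios
# Added example (not from the original article): CLI checks for the two stitches.
# 192.0.2.10 is a placeholder; confirm syntax with '?' on your FortiOS build.

# --- Stitch 1: compromised-host ban ------------------------------------------
# Fire the stitch from the CLI instead of waiting for a FortiAnalyzer IOC event.
diagnose automation test "Compromised-IP-Banned"

# The ban is enforced on the FortiGate that ran the action; list it there.
# Output shows the banned source address, cause, and remaining duration.
diagnose user banned-ip list

# Lift a single ban once the host has been remediated...
diagnose user banned-ip delete src4 192.0.2.10

# ...or clear every ban on this unit at once.
diagnose user banned-ip clear

# --- Stitch 2: HA failover alert --------------------------------------------
# Email Notification needs a configured mail relay; confirm one exists.
show system email-server

# Force a failover on the primary without rebooting it, then undo the
# forced state so the cluster returns to normal election.
execute ha failover set 1
execute ha failover unset 1
```

Because the compromised-host stitch applies to all FortiGates, the ban may be held by an ISFW FortiGate rather than the root; run 'diagnose user banned-ip list' on each member when a host is unexpectedly still online or still blocked.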