Configuration.

1. Automation Trigger: Specify log event ID, and it is possible to filter for specific interfaces here, for example: WAN1.
2. Automation Action: Specify the Action taken by the FortiGate in the event of a specific event trigger.
3. Automation stitch: Bind automation trigger and stitch.

CLI configuration.

Note:

Event ID 22922 is for the link monitor configured here. It is possible to change it as per the requirement.

Note:

The email server config is not mentioned here; refer to docs.fortinet.com for the email server config.

GUI configuration:

Navigate to Security Fabric -> Automation -> Action and select 'Create New'.

Select 'Email':

Enter the Email address where to receive an email alert:

Select Trigger and select 'Create New':

Name the trigger and add the Link monitor status under the event:

Note that in the Field filters, must to be add the interface that will be monitored.

Select Stitch and then select 'Create new'.

Add the trigger that was created in the above steps.

Add the action (Email), which was created in the above steps.

The Configuration is now complete:

Example configuration in the CLI: 

config system automation-action
    edit "Email_from_fortigate"
        set action-type email
        set email-to "test@fortinet.com"
        set email-subject "WAN link down"
    next
end

config system automation-trigger
    edit "wan link down"
        set event-type event-log
        set logid 22922
            config fields
                edit 1
                    set name "interface"
                    set value "wan1"
                next
            end
    next
end

config system automation-stitch
    edit "WAN_Link_down"
        set trigger "wan link down"
            config actions
                edit 1
                    set action "Email_from_fortigate"
                    set required enable
                next
            end
    next
end

Note:

GUI Test Automation Stitch would be greyed out for that. Refer to this article: Technical Tip: 'Test Automation Stitch' button is greyed out when trying to test a newly created aut....

To correctly trigger the automation stitch, it is necessary to have set a link-monitor configuration that generates the FortiOS event log, for example:

config system link-monitor

    edit 1
        set srcintf wan1
        set server 8.8.8.8
        set protocol ping
        set update-cascade-interface disable
        set update-static-route disable
        set update-policy-route disable

end

With this, when the link-monitor status is down, an event ID 22922 is generated by the system, which will trigger an email configured in the automation action.

Notes:

• Starting with v7.4.4, the default email server has been switched from notification.fortinet.net to fortinet-notifications.com. This default server is only available to registered devices with an active FortiCare support contract. The reply-to field in the source email is automatically updated to DoNotReply@fortinet-notifications.com for all servers, including custom ones.
  
  
• The alert mail will get triggered when only the event is generated in system events.

To filter events based on log parameters, follow the steps in this article:
Technical Tip: Filtering automation stitch triggers for FortiGate events based on log parameters

Related articles:

• Technical Tip: How to enable the email alerts when the Interface is down and up
• Troubleshooting Tip: Alert mail queries
• Technical Tip: How to configure alert email settings
• Technical Tip: Link-Monitor Explained