Description | This article describes how to use automation stitches to automatically send alert emails for events related to IP lease changes for interfaces in DHCP mode or PPPoE. |
Scope | FortiGate. |
Solution |
In some situations, an email alert is needed whenever a FortiGate interface in DHCP or PPPoE mode changes its IP address (even if FortiDDNS is in use).
For interfaces in DHCP mode:
First, create the automation-trigger. It fires when two conditions are both met: an event with logid 26004 is generated in the firewall, and the content of the msg field contains the value '*interface wan1 gets a DHCP lease*'.
config system automation-trigger
    edit "interface_event_wan1"
        set event-type event-log
        set logid 26004
        config fields
            edit 1
                set name "msg"
                set value "*interface wan1 gets a DHCP lease*"
            next
        end
    next
end
The second step is to create the automation-action - the action to be run when the automation-trigger is triggered.
In this case, it will be an email alert in which the body (message) will contain the contents of the field msg (%%log.msg%%) of the log generated by the firewall.
config system automation-action
    edit "action_email_wan"
        set action-type email
        set email-to "dst@email.com"
        set email-from "src@email.com"
        set email-subject "wan IP has changed"
        set message "%%log.msg%%"
    next
end
Example of a log with event ID 26004 (DHCP client lease granted):
date=2024-11-07 time=18:00:33 eventtime=1730995233928995461 tz="+0200" logid="0100026004" type="event" subtype="system" level="information" vd="root" logdesc="DHCP client lease granted" msg="interface wan1 gets a DHCP lease, ip:192.168.24.2, mask:255.255.255.0, gateway:192.168.24.1, lease expires:Thu Nov 7 18:05:29 2024"
The last step is to aggregate these two (automation-trigger and automation-action) together.
In this example, when the trigger 'interface_event_wan1' is triggered, the action 'action_email_wan' runs, sending an alert email with the new IP in the message body.
config system automation-stitch
    edit "Interface_change_stitch_wan1"
        set trigger "interface_event_wan1"
        config actions
            edit 1
                set action "action_email_wan"
                set required enable
            next
        end
    next
end
For interfaces in PPPoE mode:
Create the automation-trigger. It fires when two conditions are both met: an event with logid 29010 is generated in the firewall, and the content of the msg field contains the value 'PPPoE status report'.
config system automation-trigger
    edit "interface_event_pppoe"
        set event-type event-log
        set logid 29010
        config fields
            edit 1
                set name "msg"
                set value "PPPoE status report"
            next
        end
    next
end
The second step is to create the automation-action - the action to be run when the automation-trigger is triggered.
In this case, it will be an email alert in which the body (message) will contain the contents of the field assigned (%%log.assigned%%) of the log generated by the firewall.
config system automation-action
    edit "action_email_pppoe"
        set action-type email
        set email-to "dst@email.com"
        set email-from "src@email.com"
        set email-subject "PPPoE IP has changed"
        set message "The new IP is %%log.assigned%%"
    next
end
Example of a log with event ID 29010 (PPPoE status report):
date=2024-11-07 time=18:00:50 eventtime=1730995250378746881 tz="+0200" logid="0100029010" type="event" subtype="system" level="notice" vd="root" logdesc="PPPoE status report" gateway=172.31.176.254 assigned=172.31.176.18 mtu=1492 msg="PPPoE status report"
The last step is to aggregate these two (automation-trigger and automation-action) together.
In this example, when the trigger 'interface_event_pppoe' is triggered, the action 'action_email_pppoe' is run, sending an alert email with the new IP in the message body.
config system automation-stitch
    edit "Interface_change_stitch_pppoe"
        set trigger "interface_event_pppoe"
        config actions
            edit 1
                set action "action_email_pppoe"
                set required enable
            next
        end
    next
end
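Both trigger filters and message templates above can be checked offline against captured log lines before relying on the stitch. The following is an added example, not Fortinet code: the function names are hypothetical, and it assumes the trigger's logid corresponds to the last six digits of the log's logid field and that '*' in the field value acts as a glob wildcard.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample input: the two example logs from this article,
# trimmed to the fields used here.
DHCP_LOG = ('date=2024-11-07 time=18:00:33 logid="0100026004" type="event" '
            'subtype="system" logdesc="DHCP client lease granted" '
            'msg="interface wan1 gets a DHCP lease, ip:192.168.24.2, '
            'mask:255.255.255.0, gateway:192.168.24.1, '
            'lease expires:Thu Nov 7 18:05:29 2024"')
PPPOE_LOG = ('date=2024-11-07 time=18:00:50 logid="0100029010" type="event" '
             'subtype="system" logdesc="PPPoE status report" '
             'gateway=172.31.176.254 assigned=172.31.176.18 mtu=1492 '
             'msg="PPPoE status report"')

# key=value pairs; a value is either double-quoted or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line):
    """Split a FortiGate key=value log line into a dict of fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(line)}

def trigger_matches(fields, logid, name, pattern):
    """Emulate the trigger: log ID equals logid AND the field matches."""
    # Assumption: trigger logid == last six digits of the log's logid.
    if int(fields.get("logid", "0")[-6:]) != logid:
        return False
    # Assumption: '*' in the trigger value is a glob wildcard.
    return fnmatchcase(fields.get(name, ""), pattern)

def render(template, fields):
    """Expand %%log.<field>%% placeholders used in the email message."""
    return re.sub(r"%%log\.(\w+)%%",
                  lambda m: fields.get(m.group(1), ""), template)

def run_stitch(line, logid, name, pattern, template):
    """Return the email body if the trigger fires, otherwise None."""
    fields = parse_log(line)
    if trigger_matches(fields, logid, name, pattern):
        return render(template, fields)
    return None
```
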
Related article: Technical Tip: Use FortiGate automation stitches for alert emails |