auppal
Staff
Article Id 336546
Description

This article describes the 'Severity' field and the possible values of 'filter-mode' under 'config alertemail setting'.

 

Scope

FortiGate.

 

Solution

To configure email alerts on FortiGate, refer to Technical Tip: How to configure alert email settings.

With the following configuration, FortiGate sends an alert email when a log with level 'alert' or more severe (that is, 'alert' or 'emergency') is generated on the unit. The per-level '*-interval' values shown in the output are in minutes and set how often alert emails for logs of that level are sent.

FortiGate # config alertemail setting
FortiGate (setting) # set filter-mode threshold
FortiGate (setting) # set severity alert
FortiGate (setting) # end

FortiGate # get alertemail setting
username : xxx@gmail.com
mailto1 : xxx@gmail.com
mailto2 :
mailto3 :
filter-mode : threshold <--
emergency-interval : 1
alert-interval : 2
critical-interval : 3
error-interval : 5
warning-interval : 10
notification-interval: 20
information-interval: 30
debug-interval : 60
severity : alert  <---

The severity configured under 'config alertemail setting' is compared against the 'level' field of the log, not against the log's 'severity' field. In the IPS log below, 'severity' is the severity of the signature that was allowed or blocked, not the severity of the log message itself: the log carries level="alert" and severity="info", so it triggers an alert email under the configuration above even though the signature severity is only 'info'.

date=2024-08-13 time=09:27:20 devname=FortiWiFi-61E devid=FWF61xxx eventtime=1707845240979445762 tz="-0800" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.0.0.201 srccountry="Reserved" dstip=89.238.73.97 dstcountry="Germany" srcintf="internal2" srcintfrole="undefined" dstintf="ToHome" dstintfrole="undefined" sessionid=21765569 action="dropped" proto=6 service="HTTPS" policyid=50 poluuid="d7571fc6-b3e2-51ee-ecdd-b6458334f765" policytype="policy" attack="Eicar.Virus.Test.File" srcport=46058 dstport=443 hostname="secure.eicar.org" url="/eicarcom2.zip" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" httpmethod="GET" referralurl="https://www.eicar.org/" direction="incoming" attackid=29844 profile="high_security" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=133421170 msg="file_transfer: Eicar.Virus.Test.File"
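As an added example (not part of the Fortinet article), the following Python script parses FortiGate key=value log lines and applies the threshold rule the way the alertemail feature does: it ranks the log's 'level' field on the FortiOS scale (emergency, alert, critical, error, warning, notification, information, debug) and ignores the 'severity' field entirely. The first sample is trimmed from the IPS log above; the second is a constructed counter-example with a critical-severity signature logged at the 'information' level. The function names are this example's own.

```python
import re
from typing import Dict

# FortiOS log levels from most to least severe. Under 'config alertemail
# setting' with 'set filter-mode threshold', 'set severity X' means: email
# every log whose 'level' is X or more severe.
LEVELS = ["emergency", "alert", "critical", "error", "warning",
          "notification", "information", "debug"]
RANK = {name: i for i, name in enumerate(LEVELS)}   # lower rank = more severe

# One key=value pair: the value is either double-quoted (it may then contain
# spaces, '=' or ';', as the user agent does) or a bare token.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse a FortiGate key=value log line into a dict, quotes stripped."""
    fields: Dict[str, str] = {}
    for key, value in _PAIR.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def meets_threshold(log: Dict[str, str], configured_severity: str) -> bool:
    """Apply threshold filter-mode: compare the log's 'level' field against the
    configured severity. The log's 'severity' field is deliberately ignored;
    in IPS logs it describes the signature, not the log message."""
    if configured_severity not in RANK:
        raise ValueError(f"unknown alertemail severity: {configured_severity}")
    level = log.get("level")
    if level not in RANK:
        raise ValueError(f"log has no recognised level field: {level!r}")
    return RANK[level] <= RANK[configured_severity]


def triggers_alert_email(line: str, configured_severity: str) -> bool:
    """Convenience wrapper: parse a raw log line and apply the threshold."""
    return meets_threshold(parse_fortigate_log(line), configured_severity)


# Trimmed from the article's IPS log above: level="alert", severity="info".
ARTICLE_IPS_LOG = (
    'date=2024-08-13 time=09:27:20 devname=FortiWiFi-61E logid="0419016384" '
    'type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" '
    'severity="info" srcip=10.0.0.201 dstip=89.238.73.97 action="dropped" '
    'proto=6 service="HTTPS" policyid=50 attack="Eicar.Virus.Test.File" '
    'agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" '
    'attackid=29844 msg="file_transfer: Eicar.Virus.Test.File"'
)

# Constructed counter-example (not from the article): a "critical" signature
# logged at level "information". Threshold mode with 'set severity alert'
# does not email this one, whatever the signature severity says.
CONSTRUCTED_PASS_LOG = (
    'date=2024-08-13 time=09:30:01 devname=FortiWiFi-61E logid="0419016384" '
    'type="utm" subtype="ips" eventtype="signature" level="information" '
    'vd="root" severity="critical" srcip=10.0.0.202 dstip=198.51.100.10 '
    'action="detected" proto=6 service="HTTPS" policyid=50 '
    'attack="Constructed.Sample.Signature" attackid=0 msg="constructed sample"'
)

if __name__ == "__main__":
    for name, line in [("article log", ARTICLE_IPS_LOG),
                       ("constructed log", CONSTRUCTED_PASS_LOG)]:
        log = parse_fortigate_log(line)
        print(f"{name}: level={log['level']} severity={log['severity']} "
              f"-> emailed with 'set severity alert': "
              f"{meets_threshold(log, 'alert')}")
```

Running the script shows the article's log being emailed (level alert) while the constructed log is not (level information), despite its higher signature severity; this is the distinction to keep in mind when an IPS log with a 'critical' signature does not produce an email.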


The possible values of filter-mode are shown by the CLI help:

FortiGate # config alertemail setting
FortiGate (setting) # set filter-mode
category     Filter based on category.
threshold    Filter based on severity.
FortiGate (setting) # end

  • With filter-mode threshold, only the 'severity' field is available: every log at the configured level or more severe triggers an email alert, whatever its category.
  • With filter-mode category, individual log categories are enabled or disabled, and the 'severity' field is not used.


FortiGate # config alertemail setting
FortiGate (setting) # get
filter-mode         : category <--
IPS-logs            : disable
firewall-authentication-failure-logs: disable
HA-logs             : disable
IPsec-errors-logs   : disable
FDS-update-logs     : disable
PPP-errors-logs     : disable
sslvpn-authentication-errors-logs: disable
antivirus-logs      : disable
webfilter-logs      : disable
configuration-changes-logs: disable
violation-traffic-logs: disable
admin-login-logs    : disable
FDS-license-expiring-warning: disable
log-disk-usage-warning: disable
FSSO-disconnect-logs: disable
ssh-logs            : disable

The threshold and category filters cannot be combined, so it is not possible to email only the logs that match both a category and a minimum level. For example, alerting only on IPS events at level 'alert' or above cannot be configured: threshold mode would also email non-IPS logs at that level, and category mode (IPS-logs enable) would also email IPS logs of every level.

Troubleshooting tip:

If alert emails are not being triggered, or the expected email is not received, enable debugging for the alertmail daemon and reproduce the condition:

diagnose debug reset
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug application alertmail -1

Disable debugging afterwards with 'diagnose debug disable'.

Related article:

Troubleshooting Tip: Email alert