Technical Tip: How to check why automation stitch is not working as expected

gmanea · ‎11-02-2021

Description

FortiGate automation stitch comprises of two parts: a trigger and an action.

There are various triggers that can be used, including a predefined schedule.

This descrbes a way to debug the automation stitch and thus help the user to find the cause of the problem.

Solution

Debugging the automation stitch is done in command line with the following commands:

FortiGate # diag test app autod 0
1. Enable/disable log dumping
2. Show automation settings.
3. Show automation statistics.
4. Show plugin statistics.
5. Show running stitches.

These are the available options for this process, and they can provide valuable information about why the automation stitch failed to work.
For example, we can see which automation is active:

FortiGate # diag test app autod 2
csf: disabled root:no
version:0 sync time:
total stitches activated: 1

stitch: backup
destinations: all
trigger: backup

local hit: 0 relayed to: 0 relayed from: 0
actions:
backup type:cli-script interval:0
delay:0 required:yes
script:execute backup config ftp /Backup/backup.cfg 192.168.1.253 testuser testpassword

Or it is posible to see if the statistics for this process:

FortiGate # diag test app autod 4

action plugin stats:
email:
flags:1
stats: total:0 cur:0 done:0 drop:0
ios-notification:
flags:1
stats: total:172 cur:0 done:172 drop:0
alert:
flags:0
stats: total:0 cur:0 done:0 drop:0

Most importantly, to troubleshoot the automation stitch process, it is necessary to stop all running scripts, reset any debug that may be running, then enable log dumping and cli debug for automation stitch.
This is writing to console the commands taken once the automation stitch is triggered.

FortiGate # exec auto-script stopall
No script is running.
FortiGate # diag debug reset
FortiGate # diag test app autod 1
autod log dumping is enabled
FortiGate # diag debug cli 7
Debug messages will be on for 30 minutes.
FortiGate # diag debug enable

Now, it is possible trigger the automation in the CLI as follows (or GUI: select the automation to test -> Test Automation Stitch).

The command line will reveal the 'behind the scenes' actions leading to the problem experienced.

For example, in this case it shows a connectivity failure (because indeed, no such IP exists on this test network):

FortiGate # exec auto-script start backup <----- In this case, the name of the script is 'backup'.

FortiGate # auto_stitch_stats()-103: Request stitch(all) statistics
0: config system auto-script
0: edit "autod.0"
0: set script "execute backup config ftp /Backup/backup.cfg 192.168.1.253 testuser testpassword"
0: end
__action_cli_script_open()-182: cli script action:backup is called. svc ctx:0x6142378
accprof:super_admin script:
execute backup config ftp /Backup/backup.cfg 192.168.1.253 testuser testpassword

5: execute backup config ftp /Backup/backup.cfg 192.168.1.253 testuser testpassword
__cli_script_close()-122: cli script:
autod.0
output:
########## script name: autod.0 ##########

========== #1, 2021-10-25 14:32:02 ==========
FortiGate $ execute backup config ftp /Backup/backup.cfg 192.168.1.253 testuser testpassword
Please wait...

Connect to ftp server 192.168.1.253 ...
Send config file to ftp server via vdom root failed.
Command fail. Return code 5
__action_cli_script_close()-209: cli script action is done.

Related articles.
https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/139441/automation-stitches
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/139441/automation-stitches
Related Articles
Technical Tip: How to send automated backups of the configuration from a FortiGate with an automatio...
Technical Tip: Programming a daily restart (reboot)
Technical Tip: Use FortiGate automation stitches for alert emails