Description
This article describes how to configure an Automation Stitch to execute a packet capture at a desired time (for example, overnight). The automation stitch triggers an action that runs the Sniffer on an interface, host and port at the desired time, and then triggers a second action to stop the Sniffer after 1 hour.
Scope
FortiGate.
Solution
Configure the Automation Stitch in the CLI:
Action:
config system automation-action
    edit "Sniffer"
        set action-type cli-script
        set script "diagnose sniffer packet <Interface> \'host <HOST_NAME> and port <PORT_NAME>\' 6 0 l"
        set accprofile "super_admin"
    next
    edit "Sniffer_Stop"
        set action-type cli-script
        set script "# exec auto-script stop Sniffer"
        set accprofile "super_admin"
    next
    edit "Send-to-email"
        set action-type email
        set email-to "xxxxx@mail.com"
        set email-subject "Packet_Capture"
        set minimum-interval 300
        set message "%%results%%"
    next
end
Trigger:
config system automation-trigger
    edit "Sniffer"
        set trigger-type scheduled
    next
    edit "Sniffer_Stop"
        set trigger-type scheduled
        set trigger-hour 1
    next
end
Automation stitch:
config system automation-stitch
    edit "Sniffer"
        set trigger "Sniffer"
        config actions
            edit 1
                set action "Sniffer"
                set required enable
            next
            edit 2
                set action "Send-to-email"
                set required enable
            next
        end
    next
    edit "Sniffer_Stop"
        set trigger "Sniffer_Stop"
        config actions
            edit 1
                set action "Sniffer_Stop"
                set required enable
            next
        end
    next
end
Replace the variables <Interface>, <HOST_NAME> and <PORT_NAME> with the appropriate values.
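Added example (not part of the original article and not Fortinet tooling): an offline Python check that reads configuration text like the blocks above before it is pasted into the CLI, reports any stitch that references an undefined trigger or action, and lists the admin profile each cli-script action runs under. The function names parse and lint and the trimmed SAMPLE text are assumptions constructed for illustration.

```python
import shlex
# Constructed sample: the article's "Sniffer" action and stitch, trigger block omitted on purpose.
SAMPLE = """
config system automation-action
edit "Sniffer"
set action-type cli-script
set accprofile "super_admin"
next
end
config system automation-stitch
edit "Sniffer"
set trigger "Sniffer"
config actions
edit 1
set action "Sniffer"
next
end
next
end
"""

def parse(text):
    # Returns {section: {entry: settings}}; a stitch's nested actions are kept in "_actions".
    out, depth = {}, 0
    for t in filter(None, map(shlex.split, text.splitlines())):
        depth += (t[0] == "config") - (t[0] == "end")
        if t[0] == "config" and depth == 1:
            sec = out.setdefault(" ".join(t[1:]), {})
        elif t[0] == "edit" and depth == 1:
            ent = sec.setdefault(t[1], {"_actions": []})
        elif t[0] == "set" and depth == 1:
            ent[t[1]] = " ".join(t[2:])
        elif t[:2] == ["set", "action"] and depth == 2:
            ent["_actions"].append(t[2])
    return out

def lint(text):
    # Reports dangling stitch references and the profile each cli-script action runs under.
    cfg, found = parse(text), []
    acts, trigs = (cfg.get("system automation-" + k, {}) for k in ("action", "trigger"))
    for name, st in cfg.get("system automation-stitch", {}).items():
        if st.get("trigger") not in trigs:
            found.append(f"stitch {name}: undefined trigger {st.get('trigger')}")
        for a in st["_actions"]:
            if a not in acts:
                found.append(f"stitch {name}: undefined action {a}")
            elif acts[a].get("action-type") == "cli-script":
                found.append(f"stitch {name}: cli-script {a} runs as {acts[a].get('accprofile')}")
    return found
```

Calling lint(SAMPLE) reports the missing trigger and the super_admin profile; with the trigger block included, only the profile line remains.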