Description
This article explains the additional information required when implementing automation webhook stitches, where API calls to FortiGate trigger a CLI script action.
Scope
FortiOS 6.4.x.
Solution
Automation webhook stitches are API calls to FortiGate intended to trigger an action.
Follow the step-by-step guide here:
Automation webhook stitches | FortiGate / FortiOS 6.4.0 (fortinet.com)
Consider the following key points in this article to successfully configure this feature.
This is the curl template, which can be obtained from the 'sample cURL request' field in FortiGate:
curl -k -X POST -H 'Authorization: Bearer <API key>' --data '{ "srcip": "1.1.1.1", "mac":"11:11:11:11:11:11", "fctuid": "A8BA0B12DA694E47BA4ADF24F8358E2F"}' https://10.191.36.160:4435/api/v2/monitor/system/automation-stitch/webhook/Incoming%20Webhook%20shut...
It is not necessary to change anything in the 'sample cURL request' field itself, as changes made there will not be saved. Instead, replace the following parameters in the copied command:
- <API key>: replace this with the key you get when you create the API user.
- "srcip": "1.1.1.1": replace this with the source IP of the API call initiator.
- "mac":"11:11:11:11:11:11": replace this with the MAC address of the API call initiator. Make sure this is a MAC address the firewall can identify.
An example modified cURL call:
curl -k -X POST -H 'Authorization: Bearer c38m0h8p33Qfqy8t0ppg1Nmx41r7nm' --data '{ "srcip": "10.191.47.254", "mac":"00:09:0f:09:64:1b", "fctuid": "A8BA0B12DA694E47BA4ADF24F8358E2F"}' https://10.191.36.160:4435/api/v2/monitor/system/automation-stitch/webhook/Incoming%20Webhook%20shut...
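The same call wrapped as a script, as an added example that is not Fortinet's code: it validates srcip and mac before building the body, reads the API key from a file instead of the command line, and verifies the FortiGate certificate with --cacert rather than skipping verification with -k. WEBHOOK_URL (the URL copied from the 'sample cURL request' field), API_KEY_FILE, CA_FILE and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not Fortinet's code). WEBHOOK_URL, API_KEY_FILE, CA_FILE and
# all function names are assumptions of this example.

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs   # split on dots
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Succeed only for a colon-separated MAC such as 00:09:0f:09:64:1b.
valid_mac() {
  h='[0-9A-Fa-f][0-9A-Fa-f]'
  case $1 in
    $h:$h:$h:$h:$h:$h) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the JSON body; reject input that could break out of a JSON string.
build_payload() {
  valid_ipv4 "$1" || { echo "invalid srcip" >&2; return 1; }
  valid_mac "$2" || { echo "invalid mac" >&2; return 1; }
  case $3 in   # assumption: fctuid is a hex string like the page's sample
    ''|*[!0-9A-Fa-f]*) echo "invalid fctuid" >&2; return 1 ;;
  esac
  printf '{"srcip": "%s", "mac": "%s", "fctuid": "%s"}' "$1" "$2" "$3"
}

# Send the request. The key is piped to curl as a config line, so it stays out
# of the process list and shell history; --cacert replaces the template's -k.
trigger_stitch() {
  payload=$(build_payload "$@") || return 1
  printf 'header = "Authorization: Bearer %s"\n' "$(cat "$API_KEY_FILE")" |
    curl --config - --fail --silent --show-error --cacert "$CA_FILE" \
         -X POST --data "$payload" "$WEBHOOK_URL"
}
```

Call trigger_stitch with the srcip, mac and fctuid as its three arguments after exporting the three variables; keep the key file readable only by the account that runs the script.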
Important note:
This 'Incoming Webhook Quarantine' stitch cannot be tested using 'Test Automation Stitch', even though the confirmation 'Successfully triggered automation stitch' will appear.
Relevant documentation:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Automated-script-execution/ta-p/193685