pkavin
Staff
Article Id 208461
Description: This article describes why some automation stitches do not offer the option to test them from the GUI, with the 'Test Automation Stitch' button greyed out.
Scope: FortiGate.
Solution

FortiGate gives an option to configure automation stitches, which help to automate the activities between the different components in the Security Fabric, decreasing the response times to security events.

Events from any source in the Security Fabric can be monitored, and action responses can be set up to any destination.

An automation stitch consists of two parts, the trigger and the actions.

The trigger is the condition or event on the FortiGate that activates the action, for example, a specific log or a failed log-in attempt.

The action is what FortiGate does in response to the trigger.

'Test Automation Stitch' is an option on FortiGate to test newly created automation stitches, as shown below:

[Image: config_change.jpg]

Depending on the trigger or condition of the automation stitch, the 'Test Automation Stitch' button may be greyed out, as shown below:

[Image: pkavin_2-1649109690698.jpeg]

When FortiOS Event Log is selected as the trigger, the 'Test Automation Stitch' button will be greyed out, and the automation stitch test from the CLI will also fail, as shown below:

diagnose automation test test_event_log3
automation test failed(2). stitch:test_event_log3

This is expected behavior, as the automation stitch needs the actual log to be passed in addition to the stitch name. If no log is included in the command, it will fail, which is why the button is greyed out in the GUI.

The only way to test the event log trigger in the automation stitch is to use the CLI and supply the actual log to the FortiGate, as shown below:

diagnose automation test test_event_log3 "logid=\"0100032001\" type=\"event\" subtype=\"system\" level=\"information\" vd=\"root\" eventtime=1555443953642472388 logdesc=\"Admin login successful\" sn=\"1555443953\" user=\"admin\" ui=\"telnet(10.10.78.78)\" method=\"telnet\" srcip=10.10.78.78 dstip=10.10.78.12 action=\"login\" status=\"success\" reason=\"none\" profile=\"super_admin\" msg=\"Administrator admin logged in successfully from telnet(10.10.78.78)\""

automation test is done. stitch:test_event_log3

For example, actual logs can easily be supplied in the following way:

  • A sample event log to supply:

date=2023-08-24 time=13:23:36 eventtime=1692858215320659380 tz="+0700" logid="0100022109" type="event" subtype="system" level="warning" vd="root" logdesc="Temperature too high" action="ipmc-sensor-monitor" status="failure" msg="TMP 4 Temperature temperature is too high: 40000.00 (75.0 celsius degree)"

  • CLI command to supply the event log above:

diagnose log test-text "0100022109" "warning" "logdesc=\"Temperature too high\" action=\"ipmc-sensor-monitor\" status=\"failure\" msg=\"TMP 4 Temperature temperature is too high: 40000.00 (75.0 celsius degree)\""
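
The quote escaping in the commands above is easy to get wrong by hand. As an added example (not part of the original article and not Fortinet tooling), the following Python helper, meant to run on an admin workstation, turns a raw event log line into both CLI commands. The function names, the stitch-name check, the backslash escaping and the dropping of `date`/`time`/`tz` (fields the article's automation test example does not carry) are assumptions.

```python
import re

# One key=value pair; the value is double-quoted or a bare token.
FIELD = re.compile(r'\s*(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]*)(?=\s|$)')
# Fields the article's test-text example leaves out of the free-text argument.
HEADER = {"date", "time", "eventtime", "tz", "logid", "type", "subtype", "level", "vd"}
# Temperature event log quoted in the article.
SAMPLE_TEMP = (
    'date=2023-08-24 time=13:23:36 eventtime=1692858215320659380 tz="+0700" '
    'logid="0100022109" type="event" subtype="system" level="warning" vd="root" '
    'logdesc="Temperature too high" action="ipmc-sensor-monitor" status="failure" '
    'msg="TMP 4 Temperature temperature is too high: 40000.00 (75.0 celsius degree)"'
)

def parse_fields(raw):
    """Split a raw log line into ordered (key, value) pairs; quotes are kept."""
    raw, fields, pos = raw.strip(), [], 0
    while pos < len(raw):
        m = FIELD.match(raw, pos)
        if not m:  # e.g. an unterminated quote would corrupt the CLI argument
            raise ValueError(f"malformed log text at offset {pos}")
        fields.append((m.group(1), m.group(2)))
        pos = m.end()
    return fields

def cli_quote(text):
    """Wrap text as one CLI argument; the escaping rules are an assumption."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'

def automation_test_cmd(stitch, raw, drop=("date", "time", "tz")):
    """Build the 'diagnose automation test' command; 'drop' is an assumption."""
    if not re.fullmatch(r"[\w.-]+", stitch):  # assumption: no spaces in the name
        raise ValueError("unexpected characters in stitch name")
    body = " ".join(f"{k}={v}" for k, v in parse_fields(raw) if k not in drop)
    return f"diagnose automation test {stitch} {cli_quote(body)}"

def log_test_text_cmd(raw):
    """Build 'diagnose log test-text' from logid, level and non-header fields."""
    fields = parse_fields(raw)
    values = {k: v.strip('"') for k, v in fields}
    text = " ".join(f"{k}={v}" for k, v in fields if k not in HEADER)
    return f'diagnose log test-text "{values["logid"]}" "{values["level"]}" {cli_quote(text)}'

if __name__ == "__main__":
    print(automation_test_cmd("test_event_log3", SAMPLE_TEMP))
    print(log_test_text_cmd(SAMPLE_TEMP))
```

Pass `drop=()` to keep every field of the raw line in the automation test command.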

Below are the other triggers that show the 'Test Automation Stitch' button in the GUI and do not need a FortiAnalyzer connection:

  • Security Rating Summary.
  • Configuration Change.
  • Reboot.
  • License Expiry.
  • HA Failover.
  • Antivirus & IPS database Update.
  • Schedule.
  • Incoming Webhook (the 'Test Automation Stitch' button would not be greyed out for this trigger, but depending on the configuration, the test might not complete successfully).