FortiGate
princes
Article Id 391166
Description This article describes how to trigger an automation stitch that runs CLI commands when a BGP event occurs.
Scope All supported versions of FortiOS.
Solution
  1. Configure BGP on FortiGate: BGP configuration.
  2. Create an automation stitch under Security Fabric -> Automation, as explained in Creating automation stitches - FortiGate administration guide.


Screenshot 2025-05-09 170917.png


  3. Create a trigger with the 'BGP neighbor status changed' event:


Screenshot 2025-05-09 171151.png


Note:

The log ID configured in the trigger must match the log ID of the event that is generated; only then will the automation stitch run the configured action.


  4. Create a CLI script like the following, which marks the interface port4 as down:


Screenshot 2025-05-09 171444.png


Note:

If the following event log appears in the general system event logs, make sure the CLI script action runs with the super_admin access profile, as explained below.


User delete the result of script autod.10 from autod


Screenshot 2025-05-09 171856.png


Similarly, any number of stitches can be triggered by different event IDs. The result of the script can be verified with the following logs:


Screenshot 2025-05-09 172144.png


After the above event was triggered, the interface port4 was marked as down by the CLI script:


Screenshot 2025-05-09 172334.png


Screenshot 2025-05-09 172508.png


Interface port4 was marked as down:


Screenshot 2025-05-09 172605.png


Note:

The event trigger 'BGP neighbor status changed' fires every time a BGP peer goes down, for example:


date=2025-06-25 time=16:26:52 eventtime=1750894012430389982 tz="-0700" logid="0103020300" type="event" subtype="router" level="warning" vd="root" logdesc="BGP neighbor status changed" msg="BGP: %BGP-5-ADJCHANGE: VRF 0 neighbor 172.16.30.2 Down BGP Notification FSM-ERR"


If the automation stitch should only run for a specific BGP neighbor down event (in this case, when BGP peer 172.16.30.2 is down), a filter can be applied under 'Edit Automation Trigger':

ScreenHunter 1301.png

As shown in the image above, the filter value field is limited to 63 characters. The full message of this event is longer than that, so one option is to truncate it and end with a wildcard, setting the message filter in the following way:


msg="BGP: %BGP-5-ADJCHANGE: VRF 0 neighbor 172.16.30.2 Down BGP*"


This will execute the automation stitch every time the specific BGP peer 172.16.30.2 goes down:


FGT-HUBDC1 (BGP_peer_DOWN) # show
config system automation-trigger
    edit "BGP_peer_DOWN"
        set description "BGP peer DOWN"
        set event-type event-log
        set logid 20300
            config fields
                edit 1
                    set name "message"
                    set value "BGP: %BGP-5-ADJCHANGE: VRF 0 neighbor 172.16.30.2 Down BGP*"
                next
            end
    next
end


ScreenHunter 1302.png
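As an added pre-check (not code from this article or from Fortinet), the Python below parses the event log line shown above, derives the trigger's logid from the 10-digit log ID, checks the 63-character limit, and applies the wildcard filter locally before the filter is committed to the firewall. The glob-style matching and the mapping of the trigger field 'message' to the log key 'msg' are assumptions drawn from the article's example, not FortiOS's own implementation.

```python
import fnmatch
import re

# Constructed sample log line, shaped like the BGP event in this article.
SAMPLE_LOG = (
    'date=2025-06-25 time=16:26:52 eventtime=1750894012430389982 tz="-0700" '
    'logid="0103020300" type="event" subtype="router" level="warning" vd="root" '
    'logdesc="BGP neighbor status changed" '
    'msg="BGP: %BGP-5-ADJCHANGE: VRF 0 neighbor 172.16.30.2 Down BGP Notification FSM-ERR"'
)

# Filter value from the article: the message truncated and ended with a wildcard.
PEER_DOWN_FILTER = "BGP: %BGP-5-ADJCHANGE: VRF 0 neighbor 172.16.30.2 Down BGP*"

FILTER_VALUE_MAX = 63  # GUI limit for a trigger field filter value (from the article)

# Assumption: the trigger field 'message' refers to the log's 'msg' key.
FIELD_TO_LOG_KEY = {"message": "msg"}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line):
    """Split a FortiGate key=value log line into a dict, quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def trigger_logid(full_logid):
    """The trigger's 'set logid' is the last five digits of the 10-digit
    log ID in the event (0103020300 -> 20300), as in the article."""
    return int(full_logid[-5:])


def filter_fits(value):
    """True if the filter value fits the 63-character GUI field."""
    return len(value) <= FILTER_VALUE_MAX


def trigger_matches(line, logid, field_filters):
    """Local approximation of the trigger: the event's log ID must equal the
    trigger logid and every field filter must glob-match its field ('*' is
    any run of characters). Assumption: this mirrors the behaviour shown in
    the article; it is not FortiOS's own matching code."""
    rec = parse_log(line)
    if trigger_logid(rec.get("logid", "0")) != logid:
        return False
    for field, pattern in field_filters.items():
        key = FIELD_TO_LOG_KEY.get(field, field)
        if not fnmatch.fnmatchcase(rec.get(key, ""), pattern):
            return False
    return True
```

Running `trigger_matches(SAMPLE_LOG, 20300, {"message": PEER_DOWN_FILTER})` returns True, while the same log with a different neighbor address, or a trigger with a different logid, returns False.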


Related documents:

Technical Tip: Use FortiGate automation stitches for alert emails

Automation stitches