Description
This article describes how to use automation stitches to automatically send alert emails for specific events.
For more information:
- The Administration Guide for Automation Stitches is available: Creating automation stitches,
- The Administration Guide for Email alerts is available: Email alerts.
Scope
FortiGate.
Solution
FortiOS v6.0 introduces Automation Stitches as part of the Security Fabric. Automation Stitches can be used to automate certain actions in response to certain triggers.
This includes sending alert emails in response to specific events and allows for far more granular log-based alerting that alerts emails configured under Log & Report.
Automation stitches for alert emails can be configured as follows:
- Create a new Automation Stitch: Go to Security Fabric -> Automation and select ‘Create New’.
- Assign a name, select Trigger ‘Event Log’, and Action ‘Email’. Optionally, decide which FortiGates in the fabric should have the Automation stitch.
-
Select the proper event log that should trigger the alert, and select where the email should be sent (and with what subject) as well as a 'from' email which can be any string in email address format (example firewall01@fortinet.com), then save. When selecting the automation trigger option as event logs, the Event log ID must match the logs of FortiGate then only automation stitch will trigger for an action.
Note:
When using an external email server, the 'email-from' section needs to be configured precisely under the specific automation-action which can be any valid email address to send the email correctly on automation stitch, or else, this will result in failed action. Refer to this Technical Tip: 'email-from' option under automation-action for automation stitch when using customer... for more details.
-
The FortiGate will now send an email when the trigger event log is generated.
Note:
For the alert email to be sent when the Automation stitch is triggered, an Email server needs to be configured under System -> Advanced. On how to configure this, check the ‘To configure email server’ section Alert email. Starting from FortiOS v6.4.11, 'System -> Advanced' was removed and Email Server settings were moved to "System -> Settings" as mentioned in the Release notes.
From CLI:
config system automation-trigger
edit <trigger-name>
set trigger-type event-based
set event-type event-log
edit <trigger-name>
set trigger-type event-based
set event-type event-log
set logid <id>
next
end
next
end
config system automation-action
edit <action-name>
set action-type email
set email-from <Email sender name>
set email-to <email-address>
set email-subject <subject-name>
set minimum-interval <seconds>
next
end
set action-type email
set email-from <Email sender name>
set email-to <email-address>
set email-subject <subject-name>
set minimum-interval <seconds>
next
end
config system automation-stitch
edit <stitch-name>
set trigger <trigger-name>
config actions
edit 1
set action <action-name>
set required enable
next
end
next
end
Note: The email automation script has to be applied to the VDOM which the user wants to monitor. For instance, if automation-stitch is in the VDOM root, the user to apply the email scripts under the VDOM root
Related documents:
