Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jhelder
Staff
Staff

Created on ‎05-08-2023 10:32 PM Edited on ‎03-13-2025 06:03 AM By Community Manager

Article Id 255674

Technical Tip: Using automation stitches to Enable/Disable IPV4 Firewall Policy based on SD-WAN logs

Description

This article is a solution when there is an SD-WAN, and the user wants to allow the traffic to use only a specific link, when this link is down, the firewall should drop the packets instead of allowing them to go to the SD-WAN default policy.

 

In this example, there is a VoIP subnet that should use the wan1 internet link, and when this link is down, the traffic should be dropped and not use the default SD-WAN policy.

In this scenario, two automation stitches and two firewall policies will be used, but depending on the setup it is possible to accomplish the same with one stitch and one policy.
Scope

FortiGate, SD-WAN, Automation stitches.
Solution

To achieve this objective, it will be necessary to implement two distinct firewall policies and two automation stitches. It is presumed that the SD-WAN configuration has already been completed.

 

  1. Set two IPv4 firewall policies. The first one to block the traffic coming from the VoIP subnet, and should be disabled by default, and the second to allow this traffic:

 

kb1.PNG

 

Create two automation stitches, the first one will verify based on the SD-WAN logs when the wan1 link is down, and based on this, will enable the BlockVoIP policy. The configuration for the first stitch will be: 

For the trigger, it is possible to select the Event (SD-WAN SLA information warning) and for the filters, it is possible to define the interface followed by the name and the new value that should be dead, as can be verified below:

 

kb2.PNG

 

With this configuration, every time the SD-WAN interface is down will trigger this stitch.

 

It is now necessary to define the action, that should enable the policy BlockVoIP, which in this scenario is policy id 1 and this policy should always come before that the policy allows.

 

To enable this policy, it is possible to utilize a script by navigating to the 'Add Action' section and selecting the 'CLI Script' option. From there, a new script can be created:

 

kb3.PNG

And this is the stitch in the end:

 

kb4.PNG

 

The configuration for the second stitch will be: 

 

Another automation stitch will be needed to verify when the wan1 link is operating/up again and to disable the BlockVoIP policy.

 


The trigger for this automation stitch will be the Event 'SD-WAN SLA notification', the filters will be the same interface and new value, but the new value key will be alive because it is wanted to verify that the link is back:

 

kb7.PNG

 

And just create a new action the same way done before, but this one will disable the policy:

 kb8.PNG

 

Depending on the policy setup, it is possible to accomplish the same thing just with one automation stitch that disables the policy that allows this traffic, so the traffic will match the default deny implicitly.

If it requires to only scheduling a Firewall policy disable once a week or daily below script:

 

For instance below automation script helps schedule disabling firewall policy daily at 3:00 pm and enabling back at 3:05pm .

 

Create schedule trigger:

 

Disabling Firewall policy:

 

config system automation-trigger
    edit "policydisable"
        set description ''
        set trigger-type scheduled
        set trigger-frequency daily    <----- Frequency of the action
        set trigger-hour 15            <----- Hour of the triggered action.
        set trigger-minute 0           <----- Minute of the triggered action.
    next
end

 

Enabling firewall policy:

 

config system automation-trigger
    edit "policyenable"
        set description ''
        set trigger-type scheduled
        set trigger-frequency daily
        set trigger-hour 15
        set trigger-minute 5
    next
end

 

Create a CLI script for action:

 

config system automation-action
    edit "enablepolicy"
                set description ''
        set action-type cli-script
        set minimum-interval 0
        set script

 

config firewall policy
     edit 1                    <----- Adjust firewall policy ID according to requirements
        set status enable
end


        set output-size 10
        set timeout 0
        set execute-security-fabric disable
        set accprofile "super_admin"
    next
end

 

Disable firewall policy:

 

config system automation-action
    edit "disablepolicy"
        set description ''
        set action-type cli-script
        set minimum-interval 0
        set script

 

config firewall policy
    edit 1      <----- Adjust firewall policy ID according to requirements.
    set status disable
end


        set output-size 10
        set timeout 0
        set execute-security-fabric disable
        set accprofile "super_admin"
    next
end

 

Create Automation stitch using the trigger and action created earlier:

Disabling firewall policy:

 

config system automation-stitch
    edit "disablepolicy"
        set trigger "policydisable"


config actions
    edit 1
        set action "disablepolicy"
        set required enable
next
end
next
end

 

Enabling firewall policy :

 

config system automation-stitch
    edit "enablepolicy"
        set trigger "policyenable"

 

config actions
    edit 1
        set action "enablepolicy"
        set required enable
    next
end
next
end

 

1365
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.