FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
spoojary
Staff
Staff
Article Id 403075
Description This article describes how to create alerts based on when a user disconnects from an IPsec dial-up VPN. It provides a step-by-step guide on how to set up notifications for VPN disconnections, allowing users to monitor and troubleshoot VPN connection issues.
Scope FortiGate, FortiClient.
Solution

Sometimes an alert is needed when an IPsec dial-up user is disconnecting from the VPN.

 

To create an alert:

 

Select Security Fabric -> Automation -> Trigger -> Create New.

 

spoojary_0-1753283093914.png

 

Event to be chosen: IPsec connection status changed.

 

When using this log as a trigger condition, this will trigger on any IPsec tunnels going through a connection change. If the alerts are desired only for a specific tunnel, it is possible to add a filter to the trigger to only act on the desired tunnel name using the example below.

 

spoojary_1-1753283182705.png

 

After creating a trigger, an Action can be chosen:

 

spoojary_1-1753208443511.png

 

spoojary_2-1753208467881.png

 

Once the steps above have been completed, navigate to Select Stitch -> Create New.

spoojary_3-1753208583617.png

 

Logs Generated when A user connects or disconnects from the VPN:

 

spoojary_4-1753208744105.png

 

Make sure the email server is also right under System -> Settings -> Email Service:

 

spoojary_6-1753208922955.png

 

Alert Email received:

date=2025-07-22 time=15:13:42 devid="FGVM4XXXXXXXX" devname="FGVM4XXXXXXX" eventtime=1753222422448179593 tz="-0700" logid="0101037138" type="event" subtype="vpn" level="notice" vd="root" logdesc="IPsec connection status changed" msg="IPsec connection status change" action="tunnel-up" remip=172.16.0.2 locip=192.168.16.135 remport=500 locport=500 outintf="port2" srccountry="Reserved" cookies="c99940a897c297bd/52c2d9a16a3964b0" user="172.16.0.2" group="N/A" useralt="N/A" eapuser="localuser" eapauthgroup="localgroup" assignip=10.212.134.200 vpntunnel="ipsec-dialup_0" tunnelip=10.212.134.200 tunnelid=755159287 tunneltype="ipsec" duration=0 sentbyte=0 rcvdbyte=0 nextstat=0 fctuid="1AEC0F84EAFE4F21BCCBB012AA3F36BA" advpnsc=0