Description
This article describes how to enable, configure, and install automation stitches using FortiManager.
In most scenarios, log-based triggers and automations are configured on FortiAnalyzer, as it is the centralized log collection point. In certain cases, however, automation stitches can be deployed directly to the managed devices through FortiManager.
Solution
- Enable the automation features.
  By default, automation stitches are not visible in the FortiManager graphical user interface. Enable them by following the path below.
  Device Manager -> Device & Groups -> select the managed device -> Feature Visibility.
  [Screenshot: Dashboard]
  In 'Security Fabric', select the 'Automation Trigger', 'Automation Stitch', and 'Automation Action' checkboxes.
  [Screenshot: Feature Visibility pop-up]
  Once enabled, the features are visible under the 'Security Fabric' tab.
  [Screenshot: Enabled Automation Features]
- Create an Automation Trigger.
  - Select Security Fabric -> Automation Trigger -> Create New.
  [Screenshot: Create trigger]
  - Fill in the 'Name' (required) and 'Description' fields.
  [Screenshot: Trigger configuration]
  - In the 'Type' field, select 'FortiOS Event Log'.
  - The 'Event' field in FortiManager differs from the FortiOS configuration: only numeric event IDs are used.
  In this example, event ID '32001' is used, which corresponds to the 'Admin login successful' event. A complete list of event IDs is available in the FortiOS Log Message Reference.
- Create an Automation Action.
  - Select Security Fabric -> Automation Action -> Create New.
  [Screenshot: Create action]
  - Fill in the 'Name' (required) and 'Description' fields.
  [Screenshot: Action configuration]
  - In the 'Type' field, select 'Slack Notification'.
  - In the 'URL' field, paste the Slack Incoming Webhook URL.
  - In the 'Message' field, enter the desired text.
  The default message body is %%log%%. Below is an example of the resulting log message as received in Slack.
  [Screenshot: Slack log message]
  - The message can be customized, for example: 'User %%log.user%% logged in to device SN %%log.devid%% from source IP %%log.srcip%% at %%log.time%%.'
  The resulting message as viewed in Slack is shown below.
  [Screenshot: Slack formatted message]
  - To format the message, press Enter to insert line breaks and use spaces for alignment.
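The following Python script is an added example and is not part of the original article or Fortinet's own code. It shows how the numeric event ID entered in the trigger relates to the 10-digit logid field of a FortiOS event log, and how the %%log%% and %%log.<field>%% placeholders in the action message resolve against the fields of the matching log record. The two log lines are constructed for the example (the device serial, timestamps and addresses are placeholders), and leaving an unknown field name empty is this example's choice, not documented FortiOS behaviour.

```python
import re
from typing import Dict, List, Optional

# Constructed sample event logs (not taken from the article). The layout follows
# the FortiOS key=value event-log syntax; serial, times and addresses are placeholders.
SAMPLE_LOGS = [
    'date=2024-01-15 time=10:22:31 devname="FGT-01" devid="FGTEXAMPLE000001" '
    'logid="0100032001" type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(192.0.2.10)" '
    'srcip=192.0.2.10 action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(192.0.2.10)"',
    'date=2024-01-15 time=10:25:02 devname="FGT-01" devid="FGTEXAMPLE000001" '
    'logid="0100032002" type="event" subtype="system" level="alert" vd="root" '
    'logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" '
    'srcip=198.51.100.7 action="login" status="failed" '
    'msg="Administrator admin login failed from https(198.51.100.7)"',
]

# The customized message from the article.
TEMPLATE = ("User %%log.user%% logged in to device SN %%log.devid%% "
            "from source IP %%log.srcip%% at %%log.time%%.")

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line: str) -> Dict[str, str]:
    """Split a FortiOS key=value log line into a field dictionary."""
    fields: Dict[str, str] = {}
    for key, raw in _FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def event_id(fields: Dict[str, str]) -> Optional[int]:
    """Return the 5-digit event ID used by the FortiManager trigger.

    FortiOS logids are 10 digits (2-digit type + 3-digit subtype + 5-digit id);
    the trigger's event ID (e.g. 32001) is the last five digits.
    """
    logid = fields.get("logid", "")
    if not logid.isdigit():
        return None
    return int(logid[-5:])


_PLACEHOLDER_RE = re.compile(r"%%log(?:\.(\w+))?%%")


def render_message(template: str, fields: Dict[str, str], raw_line: str) -> str:
    """Expand %%log%% (whole record) and %%log.<field>%% (single field) placeholders."""
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name is None:
            return raw_line              # %%log%% inserts the entire log record
        return fields.get(name, "")      # unknown field left empty (example's choice)
    return _PLACEHOLDER_RE.sub(substitute, template)


def run_stitch(lines: List[str], trigger_event_id: int, template: str) -> List[str]:
    """Simulate the stitch: fire the action only for records matching the trigger's event ID."""
    messages = []
    for line in lines:
        fields = parse_log(line)
        if event_id(fields) != trigger_event_id:
            continue
        messages.append(render_message(template, fields, line))
    return messages


if __name__ == "__main__":
    for message in run_stitch(SAMPLE_LOGS, 32001, TEMPLATE):
        print(message)
```

Only the first record fires the action, because its logid ends in 32001; the failed-login record (32002 in this constructed sample) is ignored unless a second trigger is configured for it. The Slack Incoming Webhook URL pasted into the action grants posting rights to the channel, so it should be handled as a credential rather than shared in screenshots or tickets.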
- Create an Automation Stitch.
  - Select Security Fabric -> Automation Stitch -> Create New.
  [Screenshot: Create new stitch]
  - Fill in the 'Name' field (required), select 'Enabled' and 'Sequential', and fill in the 'Description' field.
  [Screenshot: Stitch configuration]
  - In the 'Trigger' field, select the trigger created in the 'Create an Automation Trigger' step.
  - In the 'Action' field, select the action created in the 'Create an Automation Action' step.
  - Select 'OK'.
- Install the configuration on the FortiGate devices.
  - Select Install Wizard and follow the standard 'Install Device Settings' procedure.
  [Screenshot: Install configuration]
- Test the configuration by logging in to the FortiGate device and verifying that the Slack notification is received.
- For troubleshooting, use the following FortiGate debug commands on the end device:
  FGT-01 # diagnose debug app autod -1
  FGT-01 # diagnose debug enable
  For additional troubleshooting options, refer to the relevant KB article:
  Technical Tip: Diagnose automation stitches