rezafathi
Contributor II

Automation Email not working

Hi

 

I have configured the email settings on the FortiGate and created a stitch, trigger and action for sending admin login failures to my Gmail account, but it does not work. Here is my configuration:

 

config system email-server
    set type custom
    set reply-to "itcuoka@gmail.com"
    set server "smtp.gmail.com"
    set port 587
    set source-ip 0.0.0.0
    set source-ip6 ::
    set authenticate enable
    set validate-server disable
    set username "itcuoka@gmail.com"
    set password ENC KMGGpKG6YFSg3M3v4JuNq+4ugOkNNAjuqgdy53MmtXDIRpBDkwnR98Rpjkaig==
    set security starttls
    set ssl-min-proto-version default
    set interface-select-method auto
end


config system automation-action
    edit "Email_Tupa"
        set description ''
        set action-type email
        set forticare-email disable
        set email-to "terfi@gmail.com"
        set email-from ''
        set email-subject "Fortigate Alerts"
        set minimum-interval 0
        set message "%%log%%"
        set replacement-message disable
    next
end

config alertemail setting
    set username "itcuoka@gmail.com"
    set mailto1 ''
    set mailto2 ''
    set mailto3 ''
    set filter-mode category
    set email-interval 5
    set IPS-logs disable
    set firewall-authentication-failure-logs disable
    set IPsec-errors-logs disable
    set PPP-errors-logs disable
    set sslvpn-authentication-errors-logs disable
    set antivirus-logs disable
    set webfilter-logs disable
    set configuration-changes-logs disable
    set violation-traffic-logs disable
    set admin-login-logs disable
    set FSSO-disconnect-logs disable
    set ssh-logs disable
end
Reza F.
mpeddalla
Staff

Hello  @rezafathi ,

 

Thank you for contacting the Fortinet Forum portal.

-Additional steps along with my colleague's suggestions: under the alert email settings, enable admin-login-logs and firewall-authentication-failure-logs.

 

config alertemail setting
set IPS-logs disable
set firewall-authentication-failure-logs disable
set IPsec-errors-logs disable
set PPP-errors-logs disable
set sslvpn-authentication-errors-logs disable
set antivirus-logs disable
set webfilter-logs disable
set configuration-changes-logs disable
set violation-traffic-logs disable
set admin-login-logs disable
set FSSO-disconnect-logs disable
set ssh-logs disable
end

 

-Please also verify the settings below, taken from the article on admin login failure.

Article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-an-automation-stitch-to-get-an-e...

 

Best regards,

Manasa.

 

If you feel the above steps helped to resolve the issue, mark the reply as solved so that other customers can find it easily when searching for similar scenarios.

rezafathi

Hi

 

Thanks. Why should I disable all logs in the CLI?

 

Reza F.
mpeddalla

As suggested earlier, please enable whichever settings you need as alerts.

 

config alertemail setting
set IPS-logs disable
set firewall-authentication-failure-logs enable
set IPsec-errors-logs disable
set PPP-errors-logs disable
set sslvpn-authentication-errors-logs disable
set antivirus-logs disable
set webfilter-logs disable
set configuration-changes-logs disable
set violation-traffic-logs disable
set admin-login-logs enable
set FSSO-disconnect-logs disable
set ssh-logs disable
end

rezafathi

I enabled those settings but I cannot get email.

Reza F.
akanibek
Staff

Could you enable some debugs and send a test email? We can verify whether the email is being sent or not:

 

diag debug console timestamp enable

diag debug app forticldd -1

diag debug app alert -1

diag fortitoken debug enable

diag debug enable

 

Asset
abbeb
New Contributor


@akanibek wrote:

Could you enable some debugs and send a test email? We can verify whether the email is being sent or not:

 

diag debug console timestamp enable

diag debug app forticldd -1

diag debug app alert -1

diag fortitoken debug enable

diag debug enable

 


I got this,...

https://xender.vip/
rezafathi

Here is the output:

 

2023-12-31 12:16:43 [667] fds_https_stop_server: 154.52.17.92:443
2023-12-31 12:16:43 [206] __ssl_data_ctx_free: Done
2023-12-31 12:16:43 [1094] ssl_free: Done
2023-12-31 12:16:43 [198] __ssl_cert_ctx_free: Done
2023-12-31 12:16:43 [1104] ssl_ctx_free: Done
2023-12-31 12:16:43 [1085] ssl_disconnect: Shutdown
2023-12-31 12:16:43 [572] fds_https_timeout: Connection timed out, svr=log-controller
2023-12-31 12:16:43 [240] fds_svr_default_on_error: log-controller: ip=154.52.17.92:443, reason=4
2023-12-31 12:16:43 [257] fds_svr_default_on_error: log-controller: Conn failes 1/3
2023-12-31 12:16:43 [139] fds_svr_default_pickup_server: log-controller: 154.52.17.92:443
2023-12-31 12:16:43 [3479] fds_handle_request: Received cmd 116 from pid-6080, len 0
2023-12-31 12:16:43 [522] fds_send_reply: Sending 72 bytes data.
2023-12-31 12:16:43 [3479] fds_handle_request: Received cmd 116 from pid-6080, len 0
2023-12-31 12:16:43 [522] fds_send_reply: Sending 72 bytes data.
2023-12-31 12:16:45 [667] fds_https_stop_server: 154.52.17.92:443
2023-12-31 12:16:45 [139] fds_svr_default_pickup_server: log-controller: 154.52.17.92:443
2023-12-31 12:16:45 [614] fds_https_start_server: server: 154.52.17.92:443
2023-12-31 12:16:45 [615] fds_https_start_server: source-ip: 0.0.0.0:0
2023-12-31 12:16:45 [115] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
2023-12-31 12:16:45 [115] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory_Backup.cer, root ca Fortinet_CA_Backup, idx 1 
2023-12-31 12:16:45 [484] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
2023-12-31 12:16:45 [504] ssl_ctx_use_builtin_store: Enable CRL checking.
2023-12-31 12:16:45 [511] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
2023-12-31 12:16:45 [814] ssl_ctx_create_new: SSL CTX is created
2023-12-31 12:16:45 [841] ssl_new: SSL object is created
2023-12-31 12:16:45 [908] ssl_set_hostname: Set hostname 'fortinet-ca2.fortinet.com'
2023-12-31 12:16:45 [93] https_create: proxy server 0.0.0.0 port:0
2023-12-31 12:16:45 [194] ssl_add_ftgd_hostname_check: Add hostname checking 'logctrl1.fortinet.com'
2023-12-31 12:16:45 [573] __tcps_tcp_start_connect: sockfd=14, server=154.52.17.92:443, use_harelay=0, use_proxy=0
2023-12-31 12:16:45 [577] __tcps_tcp_start_connect: ret=-1
2023-12-31 12:16:45 [582] __tcps_tcp_start_connect: errno=115(Operation now in progress)
2023-12-31 12:16:45 [869] tcps_connect: 154.52.17.92:443 -- ret 0, state 0x0(Intialized) -> 0x11(Connecting)
2023-12-31 12:16:45 [869] tcps_connect: 154.52.17.92:443 -- ret 0, state 0x11(Connecting) -> 0x12(SSL-Connecting)
2023-12-31 12:16:45 [707] __ssl_info_callback: before SSL initialization
2023-12-31 12:16:45 [707] __ssl_info_callback: SSLv3/TLS write client hello
2023-12-31 12:16:45 [869] tcps_connect: 154.52.17.92:443 -- ret 1, state 0x12(SSL-Connecting) -> 0x12(SSL-Connecting)
2023-12-31 12:17:00 [3479] fds_handle_request: Received cmd 117 from pid-6080, len 4
2023-12-31 12:17:00 [3319] fds_check_request: Image list was updated within 86400 secs.
2023-12-31 12:17:00 [522] fds_send_reply: Sending 2388 bytes data.
2023-12-31 12:17:13 [3479] fds_handle_request: Received cmd 116 from pid-6096, len 0
2023-12-31 12:17:13 [522] fds_send_reply: Sending 72 bytes data.
2023-12-31 12:17:13 [3479] fds_handle_request: Received cmd 116 from pid-6096, len 0
2023-12-31 12:17:13 [522] fds_send_reply: Sending 72 bytes data.
2023-12-31 12:17:30 [3479] fds_handle_request: Received cmd 117 from pid-6096, len 4
2023-12-31 12:17:30 [3319] fds_check_request: Image list was updated within 86400 secs.
2023-12-31 12:17:30 [522] fds_send_reply: Sending 2388 bytes data.
2023-12-31 12:17:43 [3479] fds_handle_request: Received cmd 116 from pid-6096, len 0
2023-12-31 12:17:43 [522] fds_send_reply: Sending 72 bytes data.
2023-12-31 12:17:43 [3479] fds_handle_request: Received cmd 116 from pid-6096, len 0
2023-12-31 12:17:43 [522] fds_send_reply: Sending 72 bytes data.
2023-12-31 12:17:45 [667] fds_https_stop_server: 154.52.17.92:443
2023-12-31 12:17:45 [206] __ssl_data_ctx_free: Done
2023-12-31 12:17:45 [1094] ssl_free: Done
2023-12-31 12:17:45 [198] __ssl_cert_ctx_free: Done
2023-12-31 12:17:45 [1104] ssl_ctx_free: Done
2023-12-31 12:17:45 [1085] ssl_disconnect: Shutdown
2023-12-31 12:17:45 [572] fds_https_timeout: Connection timed out, svr=log-controller
2023-12-31 12:17:45 [240] fds_svr_default_on_error: log-controller: ip=154.52.17.92:443, reason=4
2023-12-31 12:17:45 [257] fds_svr_default_on_error: log-controller: Conn failes 2/3
2023-12-31 12:17:45 [139] fds_svr_default_pickup_server: log-controller: 154.52.17.92:443
2023-12-31 12:17:47 [667] fds_https_stop_server: 154.52.17.92:443
2023-12-31 12:17:47 [139] fds_svr_default_pickup_server: log-controller: 154.52.17.92:443
2023-12-31 12:17:47 [614] fds_https_start_server: server: 154.52.17.92:443
2023-12-31 12:17:47 [615] fds_https_start_server: source-ip: 0.0.0.0:0
2023-12-31 12:17:47 [115] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
2023-12-31 12:17:47 [115] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory_Backup.cer, root ca Fortinet_CA_Backup, idx 1 
2023-12-31 12:17:47 [484] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
2023-12-31 12:17:47 [504] ssl_ctx_use_builtin_store: Enable CRL checking.
2023-12-31 12:17:47 [511] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
2023-12-31 12:17:47 [814] ssl_ctx_create_new: SSL CTX is created
2023-12-31 12:17:47 [841] ssl_new: SSL object is created
2023-12-31 12:17:47 [908] ssl_set_hostname: Set hostname 'fortinet-ca2.fortinet.com'
2023-12-31 12:17:47 [93] https_create: proxy server 0.0.0.0 port:0
2023-12-31 12:17:47 [194] ssl_add_ftgd_hostname_check: Add hostname checking 'logctrl1.fortinet.com'
2023-12-31 12:17:47 [573] __tcps_tcp_start_connect: sockfd=14, server=154.52.17.92:443, use_harelay=0, use_proxy=0
2023-12-31 12:17:47 [577] __tcps_tcp_start_connect: ret=-1
2023-12-31 12:17:47 [582] __tcps_tcp_start_connect: errno=115(Operation now in progress)
2023-12-31 12:17:47 [869] tcps_connect: 154.52.17.92:443 -- ret 0, state 0x0(Intialized) -> 0x11(Connecting)
2023-12-31 12:17:47 [869] tcps_connect: 154.52.17.92:443 -- ret 0, state 0x11(Connecting) -> 0x12(SSL-Connecting)
2023-12-31 12:17:47 [707] __ssl_info_callback: before SSL initialization
2023-12-31 12:17:47 [707] __ssl_info_callback: SSLv3/TLS write client hello
2023-12-31 12:17:47 [869] tcps_connect: 154.52.17.92:443 -- ret 1, state 0x12(SSL-Connecting) -> 0x12(SSL-Connecting)
2023-12-31 12:18:00 [3479] fds_handle_request: Received cmd 117 from pid-6096, len 4
2023-12-31 12:18:00 [3319] fds_check_request: Image list was updated within 86400 secs.
2023-12-31 12:18:00 [522] fds_send_reply: Sending 2388 bytes data.
2023-12-31 12:18:13 [3479] fds_handle_request: Received cmd 116 from pid-6096, len 0
2023-12-31 12:18:13 [522] fds_send_reply: Sending 72 bytes data.
2023-12-31 12:18:13 [3479] fds_handle_request: Received cmd 116 from pid-6096, len 0
2023-12-31 12:18:13 [522] fds_send_reply: Sending 72 bytes data.
fds_handle_request: Received cmd 117 from pid-6096, len 4
2023-12-31 12:18:30 [3319] fds_check_request: Image list was updated within 86400 secs.
2023-12-31 12:18:30 [522] fds_send_reply: Sending 2388 bytes data.
2023-12-31 12:18:43 [3479] fds_handle_request: Received cmd 116 from pid-6096, len 0
2023-12-31 12:18:43 [522] fds_send_reply: Sending 72 bytes data.
2023-12-31 12:18:43 [3479] fds_handle_request: Received cmd 116 from pid-6096, len 0
2023-12-31 12:18:43 [522] fds_send_reply: Sending 72 bytes data.
2023-12-31 12:18:47 [667] fds_https_stop_server: 154.52.17.92:443
2023-12-31 12:18:47 [206] __ssl_data_ctx_free: Done
2023-12-31 12:18:47 [1094] ssl_free: Done
2023-12-31 12:18:47 [198] __ssl_cert_ctx_free: Done
2023-12-31 12:18:47 [1104] ssl_ctx_free: Done
2023-12-31 12:18:47 [1085] ssl_disconnect: Shutdown
2023-12-31 12:18:47 [572] fds_https_timeout: Connection timed out, svr=log-controller
2023-12-31 12:18:47 [240] fds_svr_default_on_error: log-controller: ip=154.52.17.92:443, reason=4
2023-12-31 12:18:47 [257] fds_svr_default_on_error: log-controller: Conn failes 3/3
2023-12-31 12:18:47 [280] fds_svr_default_on_error: log-controller: req-id=112, num_try=1, read=0, reason=4
2023-12-31 12:18:47 [55] fds_lctrl_join_done: Join task was not successful.
2023-12-31 12:18:47 [92] fds_lctrl_set_next_join: Join task will be attempted in 60 seconds.
2023-12-31 12:18:47 [466] fds_free_tsk: cmd=112; req.noreply=0
2023-12-31 12:18:47 [188] fds_svr_default_task_xmit: try to get IPs for log-controller
2023-12-31 12:18:47 [258] fds_resolv_addr: resolve 'logctrl1.fortinet.com'
2023-12-31 12:18:47 [189] fds_get_addr: name=logctrl1.fortinet.com, id=49104, cb=0xc7ba10
2023-12-31 12:18:47 [52] dns_parse_resp: DNS resp-id=49104
2023-12-31 12:18:47 [105] dns_parse_resp: DNS logctrl1.fortinet.com -> 154.52.17.92
2023-12-31 12:18:47 [1358] fds_svr_add_server: Server 'log-controller' addr '154.52.17.92' is added.
2023-12-31 12:18:47 [139] fds_svr_default_pickup_server: log-controller: 154.52.17.92:443
2023-12-31 12:18:47 [52] dns_parse_resp: DNS resp-id=49104
Reza F.
rezafathi

I also enabled the default settings for email server and here is the debug output for that:

 

2023-12-31 14:55:06 mail_info:
        from:notification.fortinet.net  user:(null)
2023-12-31 14:55:06 _init_mail_info: no user
2023-12-31 14:55:06 mail_info:
        reverse path:(null)
        user name:(null)
2023-12-31 14:55:06 to[0]:rezayert12@gmail.com
2023-12-31 14:55:06 to[1]:
2023-12-31 14:55:06 to[2]:
2023-12-31 14:55:06 <==_init_mail_info
2023-12-31 14:55:06 create session
2023-12-31 14:55:06 resolve notification.fortinet.net to 1 IP
2023-12-31 14:55:06 ==> send mail
2023-12-31 14:55:06 connecting to 208.91.114.151 port 465
2023-12-31 14:55:06 send mail 0x9b51bd0 session 0x9b52130
2023-12-31 14:56:09 failed to connect
2023-12-31 14:56:09 session_io_event: creating ssl structure for session 0x9b52130
2023-12-31 14:56:09 create_ssl: 0x7fed4f58a000
2023-12-31 14:56:09 error in SSL_connect (null)
2023-12-31 14:56:09 _session_on_destroy
2023-12-31 14:56:09 <== send mail failed, m = 0x9b51bd0 s = 0x9b52130
2023-12-31 14:56:29 create session
2023-12-31 14:56:29 resolve notification.fortinet.net to 1 IP
2023-12-31 14:56:29 ==> send mail
2023-12-31 14:56:29 connecting to 208.91.114.151 port 465
Reza F.
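
Added example, not part of any post in the thread: a small Python parser for the alert-daemon debug output above that pairs each "connecting to" line with its result and measures how long the attempt took, which shows whether mail delivery stops at the connection stage. The function name and the 30-second timeout threshold are assumptions, and it recognises only the message strings that appear in the posted log.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the alert-daemon debug output posted in the thread.
SAMPLE = """\
2023-12-31 14:55:06 ==> send mail
2023-12-31 14:55:06 connecting to 208.91.114.151 port 465
2023-12-31 14:55:06 send mail 0x9b51bd0 session 0x9b52130
2023-12-31 14:56:09 failed to connect
2023-12-31 14:56:09 error in SSL_connect (null)
2023-12-31 14:56:09 <== send mail failed, m = 0x9b51bd0 s = 0x9b52130
2023-12-31 14:56:29 ==> send mail
2023-12-31 14:56:29 connecting to 208.91.114.151 port 465
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
CONNECT = re.compile(r"connecting to (\S+) port (\d+)")
TIMEOUT_SECONDS = 30  # assumed threshold: slower failures are treated as timeouts


def summarize(log_text):
    """Return one record per 'connecting to' line with its outcome and duration."""
    attempts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # untimestamped continuation lines (mail_info fields)
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        c = CONNECT.search(msg)
        if c:
            attempts.append({"host": c.group(1), "port": int(c.group(2)),
                             "start": ts, "outcome": "no result logged",
                             "seconds": None, "timed_out": False})
        elif "failed to connect" in msg and attempts and attempts[-1]["seconds"] is None:
            last = attempts[-1]
            last["outcome"] = "failed to connect"
            last["seconds"] = int((ts - last["start"]).total_seconds())
            # A refused connection fails at once; a long wait means no reply came back.
            last["timed_out"] = last["seconds"] >= TIMEOUT_SECONDS
    return attempts


if __name__ == "__main__":
    for a in summarize(SAMPLE):
        print(f'{a["start"]} {a["host"]}:{a["port"]} -> {a["outcome"]}'
              f' ({a["seconds"]}s, timed_out={a["timed_out"]})')
```

A failure that is logged only after a long wait, before any SMTP exchange, points at the network path to the mail server (routing, outbound policy, upstream filtering of the port) rather than at the credentials or the stitch itself.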