Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JairCandia
New Contributor

Created on ‎11-30-2023 09:04 AM

Automation stitch cli script variables

Hi Community,

 

I am trying to create an automation stitch to create an object and added it to a Deny group when somebody try access VPN SSL with admin or root user.

 

For this I created a Handler at FortiAnalyzer to alert when detects this users attempt

 

image.png

 

 

 

 

 

 

 

 

So I created this Stitch

image.png

 

 

image.png

 

 

 

 

 

 

 

image.png

 

 

 

 

 

 

 

 

 

 

 

 

 

Everything works, but when I debug we can see that the variable %%remip%% is not working

image.png

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

I also tryed including commands "config vdom   edit vdom"  but neither works.

 

Any idea?

Thank you in advance!

JC
JC
Labels:
1290
0 Kudos
7 REPLIES 7
distillednetwork
Contributor III

Created on ‎12-01-2023 02:23 PM

does it not work with %%log.remip%% ?

1239
0 Kudos
JairCandia
New Contributor
In response to distillednetwork

Created on ‎12-04-2023 07:45 AM

no, then I tried with %%log.remip%% and its the same

JC
JC
1149
0 Kudos
mle2802
Staff
Staff

Created on ‎12-02-2023 07:14 AM

Hi @JairCandia,

Please refer to this article for more information https://community.fortinet.com/t5/FortiGate/Technical-Tip-Block-SSL-VPN-Failed-Logins-with-an-automa...

Regards,
Minh

1216
distillednetwork
Contributor III
In response to mle2802

Created on ‎12-03-2023 10:01 AM

This is helpful, but with what @JsairCandia is trying to do, it doesn't appear that you can have multiple usernames in the filter for the failed login events.

1174
0 Kudos
JairCandia
New Contributor
In response to distillednetwork

Created on ‎12-06-2023 09:15 AM Edited on ‎12-06-2023 09:17 AM

Thats right, I want to block multiple user with only one Stitch.

From a FortiOS Event Log its possible ( I have it working now) but I need to create a new Stitch for every user.

image.png

 

image.png

 

 

 

 

JC
JC
1066
0 Kudos
Debbie_FTNT
Staff
Staff

Created on ‎12-05-2023 12:46 AM

The issue might be the involvement of FortiAnalyzer.

The KB shared by Minh demonstrates that %%log.remip%% works when both the log and stitch are on FortiGate; in your case, the log is sent to FortiAnalyzer, which has an event handler to then trigger an automation stitch, instead of the FortiGate detecting the log itself (including all its fields and values) and triggering the stitch.

I believe because it is up to FortiAnalyzer to trigger the stitch, it is not aware of the %%remip%% or %%log.remip%% variable in the stitch, and thus the remote IP is never shared with the FortiGate. The FortiGate on the other hand is not aware of the log, as the stitch is triggered by the Event Handler, not an actual log message.

I'm not certain if variables CAN be used when having FortiAnalyzer trigger the automation stitch, instead of a log message on FortiGate itself.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
1126
JairCandia
New Contributor
In response to Debbie_FTNT

Created on ‎12-06-2023 05:46 AM

Hi Debbie,

Thank you for your thoughts. Sounds like thats the reason, but I dont know then why we have the FortiAnalyzer Event Handler trigger option.  =S

JC
JC
1081
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.