Automation stitch cli script variables
Hi Community,
I am trying to create an automation stitch that creates an object and adds it to a Deny group when somebody tries to access SSL VPN with the admin or root user.
For this I created a Handler at FortiAnalyzer to alert when it detects these users' attempts.
So I created this Stitch
Everything works, but when I debug we can see that the variable %%remip%% is not working
I also tried including the commands "config vdom edit vdom", but that doesn't work either.
Any idea?
Thank you in advance!
Labels: FortiAnalyzer, FortiGate
does it not work with %%log.remip%% ?
No, I then tried with %%log.remip%% and it's the same.
Hi @JairCandia,
Please refer to this article for more information https://community.fortinet.com/t5/FortiGate/Technical-Tip-Block-SSL-VPN-Failed-Logins-with-an-automa...
Regards,
Minh
This is helpful, but with what @JairCandia is trying to do, it doesn't appear that you can have multiple usernames in the filter for the failed login events.
Created on 12-06-2023 09:15 AM Edited on 12-06-2023 09:17 AM
That's right, I want to block multiple users with only one Stitch.
From a FortiOS Event Log it's possible (I have it working now), but I need to create a new Stitch for every user.
The issue might be the involvement of FortiAnalyzer.
The KB shared by Minh demonstrates that %%log.remip%% works when both the log and stitch are on FortiGate; in your case, the log is sent to FortiAnalyzer, which has an event handler to then trigger an automation stitch, instead of the FortiGate detecting the log itself (including all its fields and values) and triggering the stitch.
I believe because it is up to FortiAnalyzer to trigger the stitch, it is not aware of the %%remip%% or %%log.remip%% variable in the stitch, and thus the remote IP is never shared with the FortiGate. The FortiGate on the other hand is not aware of the log, as the stitch is triggered by the Event Handler, not an actual log message.
I'm not certain if variables CAN be used when having FortiAnalyzer trigger the automation stitch, instead of a log message on FortiGate itself.
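For readers comparing the two designs, here is what the FortiGate-local variant that Debbie and the KB article describe looks like as a whole: the trigger is a FortiOS event-log trigger (not a FortiAnalyzer event handler), so the log fields are present when the stitch fires and %%log.remip%% expands inside the CLI script. This is an added illustration, not configuration posted in this thread or taken from the KB article. The object, group and stitch names are made up; the logid for the SSL VPN login-failed event, the `config fields` username filter and the `config actions` block are assumptions that should be checked against your FortiOS version (older releases use `set action` directly on the stitch).

```text
# Assumed: FortiOS 7.x syntax. Check the logid for "SSL VPN login fail"
# on your release before using it; the value below is an assumption.
config system automation-trigger
    edit "sslvpn-admin-login-fail"
        set event-type event-log
        set logid 39426
        # Assumed field filter: one username per trigger, which is the
        # limitation raised earlier in the thread (one stitch per user).
        config fields
            edit 1
                set name "user"
                set value "admin"
            next
        end
    next
end

config system automation-action
    edit "add-remip-to-denygroup"
        set action-type cli-script
        # %%log.remip%% is expanded from the triggering log on the FortiGate
        # itself; a FortiAnalyzer event-handler trigger carries no log fields.
        set script "config firewall address
    edit %%log.remip%%
        set subnet %%log.remip%% 255.255.255.255
    next
end
config firewall addrgrp
    edit \"SSLVPN-Deny\"
        append member %%log.remip%%
    next
end"
        set accprofile "super_admin"
    next
end

config system automation-stitch
    edit "block-sslvpn-admin-attempts"
        set trigger "sslvpn-admin-login-fail"
        config actions
            edit 1
                set action "add-remip-to-denygroup"
                set required enable
            next
        end
    next
end
```

The address group "SSLVPN-Deny" is assumed to already exist and to be referenced by a deny policy in front of the SSL VPN portal. With `diagnose test application autod 3` (or the stitch's own log entries) you can confirm that the expanded script contains a real IP rather than the literal string `%%log.remip%%`; an unexpanded variable is the symptom seen in the original post when the trigger source is FortiAnalyzer.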
Hi Debbie,
Thank you for your thoughts. Sounds like that's the reason, but I don't know then why we have the FortiAnalyzer Event Handler trigger option. =S