Hi,
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Creating-automation-stitches/ta-p/190594 https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/351998 |
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Martyy,
Thank you for reaching out. Fortigate does not have such network analyzer capability. Automation stitch trigger in this case would have relied on fortios logs however there are no logs to record when a client device is offline. There are logs for managed switch and access points failure or down as far as most granular level of these logs. If these endpoint boxes have forticlient agents that are managed by forticlient EMS server there are logs for failed registration that can be used although it does not mean the device is offline.
I recommend looking into using a network analyzer server for this task as this is the type of application such server is used for. We do have FortiNAC which offers this kind of capability in addition to more advanced features and capabilities in terms of security, device identification, auditing, and integration with fortigate and other vedors. If you are interested in such product I would recommend reaching out to your reseller or Fortinet customer service for demo, trials, quotes, etc. Here is a reference from FortiNAC documentation:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/5bf21617-1bf0-11ec-8c53-005056...
Example for device status:
https://docs.fortinet.com/document/fortinac-f/7.2.0/fortigate-endpoint-management-integration/138440...
Thank you,
saleha
Hi Martyy,
Thank you for reaching out. Fortigate does not have such network analyzer capability. Automation stitch trigger in this case would have relied on fortios logs however there are no logs to record when a client device is offline. There are logs for managed switch and access points failure or down as far as most granular level of these logs. If these endpoint boxes have forticlient agents that are managed by forticlient EMS server there are logs for failed registration that can be used although it does not mean the device is offline.
I recommend looking into using a network analyzer server for this task as this is the type of application such server is used for. We do have FortiNAC which offers this kind of capability in addition to more advanced features and capabilities in terms of security, device identification, auditing, and integration with fortigate and other vedors. If you are interested in such product I would recommend reaching out to your reseller or Fortinet customer service for demo, trials, quotes, etc. Here is a reference from FortiNAC documentation:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/5bf21617-1bf0-11ec-8c53-005056...
Example for device status:
https://docs.fortinet.com/document/fortinac-f/7.2.0/fortigate-endpoint-management-integration/138440...
Thank you,
saleha
If you can use one of the probing methods supported by FortiGate's link-monitor (e.g. ping) to monitor the desired device, then you can certainly do it!
As some of the options are CLI-only, I will just give you the CLI snippets below.
The expected flow of events is:
# link monitor
config system link-monitor
edit "monitor-device-1"
set srcintf "<interface that has connectivity to target device>"
set server "<target device ip>"
set interval 1000 # probing interval in ms
set failtime 3 # how many failed probes needed to switch to 'dead'
set recoverytime 3 # how many successful probes needed to switch to 'alive'
set update-policy-route disable # we want no changes to routing
set service-detection enable # ditto, for monitoring only
next
end
# automation trigger
config system automation-trigger
edit "link-monitor-down"
set description "Trigger on \'Link monitor status warning\' log message if matching the configured link-monitor name"
set event-type event-log
set logid 22932
config fields
edit 1
set name "name"
set value "monitor-device-1" # name of the link-monitor object above
next
end
next
end
# automation action
config system automation-action
edit "email-on-monitor-fail"
set action-type email
set email-to "<recipient email>"
set email-from "<sender-email>"
set email-subject "Device Detected Down"
set minimum-interval 120
set message "FIY: %%log.name%% is down." #using the link-monitor name as a variable here, optional.
next
end
#automation stitch
config system automation-stitch
edit "Email on link-monitor failure"
set trigger "link-monitor-down"
config actions
edit 1
set action "email-on-monitor-fail"
set required enable
next
end
next
end
The link monitor state can be checked with diagnose sys link-monitor status <monitor-name>. Once it's all set up (including making sure email delivery works, not covered here!), you should get an email as soon as the monitor fails.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.