- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Issues with automation triggers running both inter...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issues with automation triggers running both interface down and up at the same time
Has anyone ever had issues with the automation triggers being duplicated? For example I have two triggers, interface down, and interface up, connected to two different stitches. Whenever I down an interface to test, it runs both the interface down, and the interface up automations. I contacted support about this previously and they just had me shut off the automation then start it again, it didn't do it again immediately so they considered it solved.
config system automation-trigger
edit "Network Down"
set description "Default automation trigger configuration for when a network connection goes down."
set event-type event-log
set logid 20099
config fields
edit 1
set name "status"
set value "DOWN"
next
edit "Network Up"
set event-type event-log
set logid 20099
config fields
edit 1
set name "status"
set value "UP"
next
end
edit "ALARM - Interface Down"
set trigger "Network Down"
config actions
edit 2
set action "Default Email"
set required enable
next
edit 3
set action "Send INTF Alarm Test"
set delay 15
set required enable
next
end
next
edit "ALARM - Interface Up"
set trigger "Network Up"
config actions
edit 2
set action "Default Email"
set required enable
next
edit 3
set action "CLEAR INTF Alarm"
set delay 15
set required enable
next
end
next
Labels:
- Labels:
-
FortiGate
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@brandonb
Please try this as i have already tested and it doesn't trigger both but only once at a time:
config system automation-stitch
edit "Interface Down"
set trigger "Interface down"
config actions
edit 1
set action "Email Notification"
set required enable
next
end
next
edit "Interface UP"
set trigger "Interface UP"
config actions
edit 1
set action "Email Notification"
set required enable
next
end
next
end
config system automation-trigger
edit "Interface down"
set event-type event-log
set logid 20099
config fields
edit 1
set name "status"
set value "DOWN"
next
end
next
edit "Interface UP"
set event-type event-log
set logid 20099
config fields
edit 1
set name "status"
set value "UP"
next
end
next
end
Regards,
Created on 12-04-2023 08:27 AM Edited on 12-04-2023 08:28 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I deleted all of my existing stitches and triggers and recreated based on your reply.
I enabled debugging
fw0-1 # diagnose debug enable
fw0-1 # diagnose debug application autod -1
Debug messages will be on for 30 minutes.
fw0-1 # pid:3473-__handle_msg()-271: Subscriber:4 received package. pubid:1 pkgid:417
pid:3473-__pkg_open()-170: Subscriber:4 processing package id:417 from pubisher:1
pid:3473-__handle_pkg_logs()-215: Subscriber:4 processing package size:37070 logs:47 pickup:2
pid:3473-miglog_subscr_pkg_close()-89: close package size:37070 logs:47
__action_email_hdl()-173: email action (Default Email) is called.
from:
to:[myemail];
subject:Interface status changed
__action_email_hdl()-173: email action (Default Email) is called.
from:
to:[myemail];
subject:Interface status changed
The debug shows it being called twice; and I received 4 emails total. This is a HA pair.
Email 1:
date=2023-12-04 time=10:20:20 devid="FG4H0FT923902847" devname="fw0-2" eventtime=1701706820238803877 tz="-0600" logid="0100020099" type="event" subtype="system" level="warning" vd="root" logdesc="Interface status changed" action="interface-stat-change" status="DOWN" msg="Link monitor: Interface Alarm Test was turned down"
Email 2:
date=2023-12-04 time=10:20:21 devid="FG4H0FT923902847" devname="fw0-2" eventtime=1701706820740794568 tz="-0600" logid="0100020099" type="event" subtype="system" level="warning" vd="root" logdesc="Interface status changed" action="interface-stat-change" status="UP" msg="Link monitor: Interface Alarm Test was turned up"
Email 3:
date=2023-12-04 time=10:20:19 devid="FG4H0FT923902840" devname="fw0-1" eventtime=1701706819753337116 tz="-0600" logid="0100020099" type="event" subtype="system" level="warning" vd="root" logdesc="Interface status changed" action="interface-stat-change" status="UP" msg="Link monitor: Interface Alarm Test was turned up"
Email 4:
date=2023-12-04 time=10:20:19 devid="FG4H0FT923902840" devname="fw0-1" eventtime=1701706819257377805 tz="-0600" logid="0100020099" type="event" subtype="system" level="warning" vd="root" logdesc="Interface status changed" action="interface-stat-change" status="DOWN" msg="Link monitor: Interface Alarm Test was turned down"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I deleted all of my existing stitches and triggers and recreated based on your reply.
I enabled debugging
fw0-1 # diagnose debug enable
fw0-1 # diagnose debug application autod -1
Debug messages will be on for 30 minutes.
fw0-1 # pid:3473-__handle_msg()-271: Subscriber:4 received package. pubid:1 pkgid:417
pid:3473-__pkg_open()-170: Subscriber:4 processing package id:417 from pubisher:1
pid:3473-__handle_pkg_logs()-215: Subscriber:4 processing package size:37070 logs:47 pickup:2
pid:3473-miglog_subscr_pkg_close()-89: close package size:37070 logs:47
__action_email_hdl()-173: email action (Default Email) is called.
from:
to:[myemail];
subject:Interface status changed
__action_email_hdl()-173: email action (Default Email) is called.
from:
to:[myemail];
subject:Interface status changed
So by all appearances it only sent once. But my email tells a different story. This is a HA pair, so it sends the UP and DOWN immediately for each member of the HA.
Email 1:
date=2023-12-04 time=10:20:20 devid="FG4H0FT923902847" devname="fw0-2" eventtime=1701706820238803877 tz="-0600" logid="0100020099" type="event" subtype="system" level="warning" vd="root" logdesc="Interface status changed" action="interface-stat-change" status="DOWN" msg="Link monitor: Interface Alarm Test was turned down"
Email 2:
date=2023-12-04 time=10:20:21 devid="FG4H0FT923902847" devname="fw0-2" eventtime=1701706820740794568 tz="-0600" logid="0100020099" type="event" subtype="system" level="warning" vd="root" logdesc="Interface status changed" action="interface-stat-change" status="UP" msg="Link monitor: Interface Alarm Test was turned up"
Email 3:
date=2023-12-04 time=10:20:19 devid="FG4H0FT923902840" devname="fw0-1" eventtime=1701706819753337116 tz="-0600" logid="0100020099" type="event" subtype="system" level="warning" vd="root" logdesc="Interface status changed" action="interface-stat-change" status="UP" msg="Link monitor: Interface Alarm Test was turned up"
Email 4:
date=2023-12-04 time=10:20:19 devid="FG4H0FT923902840" devname="fw0-1" eventtime=1701706819257377805 tz="-0600" logid="0100020099" type="event" subtype="system" level="warning" vd="root" logdesc="Interface status changed" action="interface-stat-change" status="DOWN" msg="Link monitor: Interface Alarm Test was turned down"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm guessing i'm going to have to go a different direction for alarming as automations isn't doing what I need it to and is a little too hit and miss to be useful in production.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey brandonb,
just out of curiosity - did you (or anyone else) check what event logs are generated?
Because the email snippets you posted show both an interface down log AND an interface up log.
If this is correct, and FortiGate DOES generate both logs (an interface down and an interface up log) at the same time, then of course the automation stitches trigger - they are each configured to act on an event log, and both event logs are generated, so two logs (and thus two stitches triggering two mails) per device.
In that case, you can reconfigure the stitches as much as you like, but the underlying issue is the log messages being generated, the stitches only do exactly what they are supposed to, trigger when a log is observed.
The question then becomes why is both an interface-down and an interface-up log generated at the same time?
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Related Posts
- Scheduled Automation 452 Views
- Automation Email not working 1091 Views
- Collection of Fortigate automation stitches 672 Views
- Blocking Low and Slow botnet authentication... 1696 Views
Labels
-
FortiGate
6,535 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.