Article Id 286200
Description This article describes how to ban an IP address by using a FortiAnalyzer event handler that notifies FortiGate, where an automation stitch performs the IP ban.
Scope FortiAnalyzer (event handler) and FortiGate (automation stitch).
Solution

This article focuses on a user's failed SSL VPN logins: an event handler is configured on FortiAnalyzer to detect them, and an automation stitch is configured on FortiGate to ban the source IP address.

  1. Create an event handler on FortiAnalyzer:


Screenshot 2023-11-24 141723.png
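As an added illustration (not part of this article and not Fortinet code), the following Python script reproduces the kind of condition the FortiAnalyzer event handler evaluates: it counts SSL VPN login failures (action="ssl-login-fail") per remote IP address and reports those that cross a threshold inside a time window. The log lines, the threshold of 3 failures in 5 minutes, and the IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample FortiGate event logs (not taken from the article): three
# SSL VPN login failures from one remote IP within two minutes, one from another.
SAMPLE_LOGS = """\
date=2023-11-24 time=14:31:02 logid="0101039426" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.10 user="alice" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2023-11-24 time=14:31:20 logid="0101039426" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.10 user="alice" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2023-11-24 time=14:31:45 logid="0101039426" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=198.51.100.7 user="bob" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2023-11-24 time=14:32:30 logid="0101039426" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2023-11-24 time=14:33:00 logid="0101039424" type="event" subtype="vpn" level="information" action="tunnel-up" remip=203.0.113.10 user="alice" msg="SSL tunnel established"
"""

# FortiGate logs are key=value pairs; values may be bare or double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line):
    """Split one FortiGate key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_sources_to_ban(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return the set of remote IPs with at least `threshold` SSL VPN login
    failures inside any sliding window of length `window`, which is the kind
    of count/period condition an event handler expresses for ssl-login-fail."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_log(line)
        if rec.get("action") != "ssl-login-fail":
            continue  # ignore successful tunnels and unrelated events
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        failures[rec["remip"]].append(ts)

    banned = set()
    for ip, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            # count failures in the window [start, start + window)
            count = sum(1 for t in times[i:] if t - start < window)
            if count >= threshold:
                banned.add(ip)
                break
    return banned


if __name__ == "__main__":
    print(sorted(find_sources_to_ban(SAMPLE_LOGS)))  # ['203.0.113.10']
```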

  2. Create a stitch on FortiGate. To add the trigger, go to Security Fabric -> Automation -> New -> Add Trigger -> New -> FortiAnalyzer Event Handler -> OK.


Screenshot 2023-11-24 141330.png

  3. Choose the event handler created on FortiAnalyzer.


Screenshot 2023-11-24 141546.png

Under Action -> New -> choose IP Ban.


Screenshot 2023-11-24 142201.png

The automation stitch will show as below:


Screenshot 2023-11-24 142435.png

In the CLI, it appears as below:


preve-kvm05 # config system automation-stitch

preve-kvm05 (automation-stitch) # edit "TataSSLVPN"

preve-kvm05 (TataSSLVPN) # show
config system automation-stitch
    edit "TataSSLVPN"
        set trigger "tutuSSLVPN"
            config actions
                edit 1
                    set action "IPBan"
                    set required enable
                next
            end
        next
    end


Screenshot 2023-11-24 142638.png


To verify that the stitch runs, have the SSL VPN user log in with an invalid username or password.

 

Screenshot 2023-11-24 143140.png


On FortiAnalyzer, confirm that the event handler was triggered under FortiSoC -> Event Monitor -> All Events.

 

Screenshot 2023-11-24 143337.png


The automation stitch will show the event as a trigger.

 

Screenshot 2023-11-27 104925.png


Run 'diagnose user banned-ip ?' to see the available subcommands and check whether the listed IP address has been banned.

 

Screenshot 2023-11-27 110041.png


If the automation does not fire, the following FortiGate debug menu covers automation stitches:

preve-kvm05 # diag test app autod 0
1. Enable/disable log dumping
2. Show automation settings.
3. Show automation statistics.
4. Show plugin statistics.
5. Show running stitches.
6. Show subscriber statistics.
7. Show migsock info.


Related articles:

Technical Tip: How to implement Indicators Of Compromised (IOC) Automation Stitch between FortiGate,...

Technical Tip: Use FortiGate automation stitches for alert emails
