Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Hörtnagl
New Contributor

Created on ‎03-27-2023 08:03 AM

Honeypot - send alert if policy ID is hit

Hello community,

I need some help configuring an alert for a specific policy ID on my FortiGate device. I have a local honeypot (in VDOM) and an IP blacklist of known command and control sites (updated every 30 minutes).
When these policyID's get ANY traffic, I want to get an alert via email or ideally a Teams webhook.
Does anyone know how to do this using FortiGate, (free) FortiAnalyzer or Cloud?


I have searched the documentation but haven't found a clear answer.
Any help would be greatly appreciated. Thanks in advance.

2835
0 Kudos
8 REPLIES 8
gfleming
Staff
Staff

Created on ‎03-28-2023 08:50 PM

If that's the only DENY policy in the VDOM you could do this with the Traffic Violation trigger in Security Fabric Automation Stitches

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/43081/triggers

Cheers,
Graham
2805
0 Kudos
Hörtnagl
New Contributor
In response to gfleming

Created on ‎04-11-2023 06:03 AM

This is not possible. We have 3 firewalls (2 Vdom's each). We only want to get an email for specific rules, the other deny rules are there but we only need the logs for forensic purposes.

2753
0 Kudos
gfleming
Staff
Staff
In response to Hörtnagl

Created on ‎04-11-2023 09:34 AM

Oh somehow I missed you were using FAZ. You can create a custom event handler for any logs that come up for that policy (filter by policy ID).

 

https://docs.fortinet.com/document/fortianalyzer/7.2.2/administration-guide/348606/creating-a-custom...

 

That should work just fine for what you want.

Cheers,
Graham
2746
0 Kudos
Hörtnagl
New Contributor
In response to gfleming

Created on ‎04-18-2023 03:34 AM

THX Graham
I tried that but I did not manage to create an event hit
But this looks definetly the most promising.
Data Selector: Set a Filter Logdevice=Fortigate, Type=Any, Subtype=Any, Logfield=Policyid equal 213 (for testing 213 writes a log everytime I ping 1.1.1.1)

2684
0 Kudos
Hörtnagl
New Contributor
In response to gfleming

Created on ‎04-18-2023 06:04 AM

BTW
if the FW rule is "accept" I get a mail after a few minutes (=event handler works)
but if I try it with a "deny" the event handler does not get triggered

2677
0 Kudos
gfleming
Staff
Staff
In response to Hörtnagl

Created on ‎04-18-2023 08:56 AM

I assume you have logging enabled on the policy even when its in deny mode?

 

Do you see the logs in FAZ for the denies?

Cheers,
Graham
2664
0 Kudos
Hörtnagl
New Contributor
In response to gfleming

Created on ‎04-19-2023 07:40 AM

Yes - loggin is on and I can see Firewall Action "deny" entries in FAZ

2652
0 Kudos
gfleming
Staff
Staff
In response to Hörtnagl

Created on ‎04-19-2023 09:09 AM

Interesting. I assume your event handler is enabled?

 

do you see the events being generated in the Event Monitor?

 

Can you show the configuration for your event handler?

Cheers,
Graham
2649
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.