Collection
I collected some Fortigate automation stitches I use in production systems to either alert me in real time on outstanding events, or to run debug/maintenance actions without manual intervention. The collection is here: https://github.com/yuriskinfo/Fortinet-tools/tree/main/Fortigate-automation-stitches#automation-stitches-collection
Important facts
- If you have VDOMs enabled, you find the Automation Stitches GUI menu under the Global section.
- When VDOMs are enabled, any networking with hosts external to the Fortigate happens from the administrative VDOM (usually `root`) and with its source IP, e.g. auto-backup of the configuration to an external server. This means you need security rules in the admin VDOM that allow such communication.
- When using email as an alert action, make sure you have configured a mail server to relay these alerts. On the CLI it is in `config sys email-server`, and in the GUI it is in System → Settings.
- It is recommended to configure a PTR record for the sending IP of the Fortigate, as well as an SPF record in the domain you're sending from, to prevent mails being marked as spam.
- Trigger Field Conditions: they match on either exact values or wildcards, no regex, no ranges for numeric values. Also no partial match, so you cannot match the "Interface down" string with the word "down", unless using the wildcard `*down*`.
- Bugs are always possible, e.g. for the built-in stitch Reboot, even though it works and fires, the trigger count stays 0.
- These types of stitches have Test automation stitch grayed out:
  - Event Log based.
  - Configuration change.
  - Reboot.
  - License expiration.
  - HA failover.
  - Scheduled.
- For scheduled triggers make sure the Fortigate has a reliable time source, like NTP.
All about email alerts
- With VDOMs enabled, the email is sent from the administrative VDOM (usually `root`) with the source IP defined by the routing table.
- All the fields you see in the Fortigate raw log are available to be included in the email message.
- When sending an email as an action based on log events, the body will contain the complete log (`%%log%%`) by default; no need to do anything for that. But if you do NOT want to include the log, for privacy reasons, set the `message` parameter to anything else:

  ```
  config sys automation-action
      edit "EmailWithoutBody"
          set action-type email
          set email-to "admin@yurisk.info"
          set email-from "fgt@yurisk.info"
          set email-subject "The stitch has fired"
          set message "This text replaces the full log in the body."
      next
  end
  ```

- Use a specific log field surrounded with double `%` to include it in the message when the trigger is FortiOS Log Event. E.g. to include the username of the admin that logged in in the subject, and the source IP and time in the message body:

  ```
  config sys automation-action
      edit "AdminLoggedIn"
          set action-type email
          set email-to "admin@yurisk.info"
          set email-from "fgt@yurisk.info"
          set email-subject "Admin user %%user%% logged in"
          set message "Source IP: %%srcip%% Time: %%time%%"
      next
  end
  ```

- There is a special variable `%%results%%` that we can use in the Actions; it will be replaced with the output of the previously run command. E.g. you can create 2-step actions: the 1st action runs some CLI debug on the Fortigate, the 2nd action sends the debug output by email, see the example here: Send email alert on FortiGuard servers becoming unreachable and attach debug output. Be aware that it will include sensitive info if presented on…
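As an added example (not from the article and not FortiOS code), the following Python models the two rules described above: trigger field conditions match exact values or `*` wildcards only, and `%%field%%` placeholders in an email action are filled from the raw log, with the full log as the default body. The log line is constructed and the matching semantics follow the article's description rather than FortiOS source, so use it to sanity-check conditions and message templates offline before committing them on the firewall.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample raw log line in FortiGate event-log style (key=value
# fields, values quoted when they contain spaces); not captured from a device.
SAMPLE_LOG = (
    'date=2024-05-01 time=10:15:30 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'srcip=192.0.2.10 ui="https(192.0.2.10)" action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(192.0.2.10)"'
)

def parse_raw_log(raw: str) -> Dict[str, str]:
    """Split a raw log line into its fields; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', raw)}

def condition_matches(value: str, condition: str) -> bool:
    """Trigger field condition semantics as the article describes them: an exact
    value or a '*' wildcard. No regex, no numeric ranges and no implicit partial
    match, so the condition "down" does not match the value "Interface down"."""
    pattern = "".join(".*" if ch == "*" else re.escape(ch) for ch in condition)
    return re.fullmatch(pattern, value) is not None

def trigger_fires(fields: Dict[str, str], conditions: Dict[str, str]) -> bool:
    """Every configured field condition must hold for the trigger to fire."""
    return all(f in fields and condition_matches(fields[f], c) for f, c in conditions.items())

def render_email(raw: str, subject: str, message: Optional[str]) -> Tuple[str, str]:
    """Fill %%field%% placeholders from the log fields. With no `message` set the
    body is the complete log (%%log%%); unknown placeholders are left untouched."""
    fields = dict(parse_raw_log(raw), log=raw)

    def fill(text: str) -> str:
        return re.sub(r"%%(\w+)%%", lambda m: fields.get(m.group(1), m.group(0)), text)

    body = raw if message is None else fill(message)
    return fill(subject), body

if __name__ == "__main__":
    fields = parse_raw_log(SAMPLE_LOG)
    print(trigger_fires(fields, {"logdesc": "Admin login successful", "status": "success"}))
    print(render_email(SAMPLE_LOG, "Admin user %%user%% logged in",
                       "Source IP: %%srcip%% Time: %%time%%"))
```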
Author: Yuri Slobodyanyuk