Creating the Automation stitches
- To create a new Automation that bans the IP address of a compromised host, go to Security Fabric > Automation and select Create New.
- Set FortiGate to All FortiGates.
- Set Trigger to Compromised Host. Set IOC level threshold to High.
- Set Action to IP Ban.
- Create a second Automation that sends an email alert when HA failover occurs.
- Set FortiGate to Edge-Primary, which is part of the only HA cluster in the Security Fabric.
- Set Trigger to HA Failover. Set Action to Email.
- Set the Email subject and email address.