Fortinet Handbook 6.0.0

Actions
There are two types of actions you can select when creating an automation:

Main actions

Email

Use this action to send a custom email notification.

You must enter an email address and subject line.

FortiExplorer Notification

Use this action to send push notifications to FortiExplorer.

For the push to succeed, the FortiGate must be registered with the FortiExplorer app on the iOS device that is to receive the notifications.

AWS Lambda

Use this action to invoke Amazon Web Services Lambda.

For the API Gateway, enter your URL; the other parameters (ID, region, stage, and path) are filled in automatically from it. If you need to enter these parameters manually, you must use the CLI.

For the API Key, enter the same API key that you configured in your AWS API Gateway. Treat it as a shared secret: anyone holding it can invoke the gateway.

For the HTTP header, enter the name and value you want, for example "x-notification-source" and "Fortinet".

Webhook

Use this action to send data to another application using a REST callback.

To configure a webhook, set Protocol to HTTP or HTTPS. Set Method to POST, PUT, GET, PATCH, or DELETE. Set the URI and Port. Choose HTTPS unless the receiver is on a trusted network: with HTTP the body and any headers travel in clear text.

For HTTP Body, enter the text you want (up to 1023 characters). For example, {"trigger":"reboot"}.
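A receiver for the Webhook action, as an added example that is not Fortinet code: it enforces the checks a practitioner would want on the other end of this action, namely a method allowlist matching the Methods listed above, the 1023-character body cap, a shared-secret header compared in constant time (the same check applies to the custom header the AWS Lambda action lets you set), and JSON parsing of a body such as {"trigger":"reboot"}. The path /fortigate, port 8443, the header name X-Fabric-Token and the token value are assumptions of this example; nothing in the action's settings above signs the request, so the header is the only authenticator and the listener should sit behind TLS.

```python
"""Receiver for the FortiGate automation Webhook action.

Added example, not Fortinet code. Assumed for this example (not in FortiOS):
the stitch sends to path /fortigate on port 8443, and a custom HTTP header
X-Fabric-Token carries a shared secret that both ends are configured with.
Terminate TLS in front of this process: with Protocol set to HTTP the body
and the token header travel in clear text.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_METHODS = {"POST", "PUT", "GET", "PATCH", "DELETE"}  # the Methods the action offers
MAX_BODY = 1023                    # the HTTP Body field is capped at 1023 characters
EXPECTED_PATH = "/fortigate"       # assumed URI configured in the stitch
SHARED_TOKEN = "change-me-32-or-more-random-characters"  # assumed shared secret
KNOWN_TRIGGERS = {"reboot"}        # the body example on the page; extend per stitch


def handle_webhook(method, path, headers, body):
    """Validate one request; return (http_status, response_dict).

    Kept free of socket code so the checks can be exercised directly.
    """
    if method not in ALLOWED_METHODS:
        return 405, {"error": "method not allowed"}
    if path != EXPECTED_PATH:
        return 404, {"error": "unknown path"}
    # Header names are case-insensitive; compare the secret in constant time.
    lowered = {k.lower(): v for k, v in headers.items()}
    if not hmac.compare_digest(lowered.get("x-fabric-token", ""), SHARED_TOKEN):
        return 401, {"error": "bad or missing token"}
    if len(body) > MAX_BODY:
        return 413, {"error": "body exceeds %d characters" % MAX_BODY}
    if method in ("GET", "DELETE"):
        # These stitches carry their meaning in the URI; any body is ignored.
        return 200, {"ok": True, "trigger": None}
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, {"error": "body is not JSON"}
    trigger = payload.get("trigger") if isinstance(payload, dict) else None
    if trigger not in KNOWN_TRIGGERS:
        return 400, {"error": "unknown trigger"}
    return 200, {"ok": True, "trigger": trigger}


class WebhookHandler(BaseHTTPRequestHandler):
    def _serve(self):
        length = int(self.headers.get("Content-Length") or 0)
        # Read at most the cap plus one byte, so an oversized body is rejected
        # without buffering all of it.
        raw = self.rfile.read(min(length, MAX_BODY + 1))
        body = raw.decode("utf-8", errors="replace")
        status, resp = handle_webhook(self.command, self.path, dict(self.headers), body)
        out = json.dumps(resp).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = _serve


if __name__ == "__main__":
    # Bind to loopback; put a TLS-terminating proxy in front for the FortiGate.
    HTTPServer(("127.0.0.1", 8443), WebhookHandler).serve_forever()
```

Point a stitch at it with Protocol HTTPS, Method POST, URI /fortigate, Port 8443, an HTTP header X-Fabric-Token set to the same secret, and the body {"trigger":"reboot"}; a request missing the header, using an unlisted method, or exceeding 1023 characters is rejected before the body is interpreted.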

Compromised host actions

Access Layer Quarantine

Use this action to impose a dynamic quarantine on multiple endpoints based on the access layer.

Quarantine FortiClient via EMS

Use this action to have FortiClient EMS block all traffic from the source addresses flagged as compromised hosts. Quarantined devices are flagged on the Security Fabric Physical and Logical topology views.

Go to Monitor > Quarantine Monitor to view quarantined IP addresses. Addresses are automatically removed from the quarantine after a configurable period of time.

IP Ban

Use this action to block all traffic from the source addresses flagged by the IOC. Go to Monitor > Quarantine Monitor to view banned IP addresses. Banned IP addresses can only be removed from the list by administrator intervention.

Avoiding repeat event notifications

The Minimum interval sets the amount of time, in seconds, that must pass before you receive a repeat alert notification for the same event. This avoids a stream of alerts every few minutes for one ongoing condition. When the interval has elapsed, a single collated report covering the activity during that time frame is sent instead.

For example, if you configure an alert for high CPU usage and set the Minimum interval to 86400 s (1 day), you receive one alert when CPU usage first goes above 90% and no further notification for the same event until the next day. When the 86400 s have elapsed, you receive a summary that tells you how many times CPU usage exceeded 90% in the past day. See CPU and memory thresholds for information on customizing the CPU and memory use thresholds.
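A model of the Minimum interval behaviour described above, as an added example that is not FortiOS code: the first occurrence of an event alerts immediately, repeats inside the interval are counted silently, and the next occurrence after the interval has elapsed produces one summary with the count. Running the same constructed CPU samples through a 1-day and a 60-second interval shows how many notifications each setting actually generates. Event names, timestamps, and the choice to emit the summary on the first occurrence after the window (rather than on a timer) are this example's own assumptions.

```python
"""Model of the automation stitch 'Minimum interval' (seconds) behaviour.

Added example, not FortiOS code. Assumption of this model: the collated
report goes out with the first occurrence after the interval has elapsed and
counts every occurrence since the last notification, including that one.
"""


class IntervalCollator:
    def __init__(self, minimum_interval):
        self.interval = minimum_interval  # seconds, as in the Minimum interval field
        self.last_alert = {}              # event -> time the last notification was sent
        self.suppressed = {}              # event -> occurrences swallowed since then

    def observe(self, event, now):
        """Record an occurrence of `event` at time `now` (seconds).

        Returns the notification text to send, or None if it is suppressed.
        """
        last = self.last_alert.get(event)
        if last is None:
            # First time this event fires: alert immediately.
            self.last_alert[event] = now
            self.suppressed[event] = 0
            return f"ALERT {event}"
        if now - last < self.interval:
            # Still inside the window: count it and stay quiet.
            self.suppressed[event] += 1
            return None
        # Window elapsed: one collated report, then a fresh window starts now.
        count = self.suppressed[event] + 1
        self.last_alert[event] = now
        self.suppressed[event] = 0
        return f"SUMMARY {event}: {count} occurrences in the last {self.interval}s"


def simulate(interval, occurrences):
    """Feed (timestamp, event) pairs through one collator; return [(timestamp, text)] sent."""
    collator = IntervalCollator(interval)
    sent = []
    for when, event in sorted(occurrences):
        text = collator.observe(event, when)
        if text is not None:
            sent.append((when, text))
    return sent


# Constructed sample: CPU above the 90% threshold six times over about a day,
# expressed in seconds since the first breach.
DAY = 86400
CPU_SAMPLES = [(0, "cpu>90"), (600, "cpu>90"), (3600, "cpu>90"),
               (DAY // 2, "cpu>90"), (DAY + 5, "cpu>90"), (DAY + 900, "cpu>90")]

if __name__ == "__main__":
    for interval in (DAY, 60):
        print(f"Minimum interval = {interval}s")
        for when, text in simulate(interval, CPU_SAMPLES):
            print(f"  t={when:>6}s  {text}")
```

With the 1-day interval the six breaches produce two notifications (the initial alert and one summary of four occurrences); with 60 seconds every breach is far enough from the previous notification that all six go out, which is the alert storm the setting exists to prevent.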
