Fabric connector event trigger
With the Fabric Connector Event trigger, any supported Fabric connector is able to trigger an automation stitch on the FortiGate based on a specific event defined on the Fabric connector. Currently, only FortiDeceptor 4.1 and later supports this trigger for the Insider Threat, Notify Ban, and Notify Unban events.
In the following example, an authorized FortiDeceptor in the Security Fabric deploys a decoy called ubuntu16 configured with SSH, SAMBA, HTTP, and HTTPS services.
This example assumes the Security Fabric is already configured. Refer to Configuring the root FortiGate and downstream FortiGates and FortiDeceptor for detailed configuration steps. On the root FortiGate, the Allow downstream device REST API access option must be enabled (set downstream-access enable
). The minimum permission required for the selected Administrator profile is Read/Write for User & Device (set authgrp read-write
).
Three stitches are configured, one for each FortiDeceptor trigger type:
Stitch name |
Fabric connector event trigger |
Actions |
---|---|---|
fortideceptor_threat |
Insider threat |
Email and IP ban |
fortideceptor_ban |
Notify ban |
Email and IP ban |
fortideceptor_unban |
Notify unban |
Email and CLI script |
To configure stitches with the Fabric connector event trigger in the GUI:
-
Configure the triggers:
-
Go to Security Fabric > Automation, select the Trigger tab, and click Create New.
-
In the Security Fabric section, click Fabric Connector Event and enter the following:
Name
fdc_Insider_Threat
Description
Insider_Threat
Connector
Select the FortiDeceptor connector
Event Name
Insider Threat
-
Click OK.
-
Repeat these steps to create two more triggers with the following settings:
Name
fdc_Notify_Ban
Description
Notify_Ban
Connector
Select the FortiDeceptor connector
Event Name
Notify Ban
Name
fdc_Notify_Unban
Description
Notify_Unban
Connector
Select the FortiDeceptor connector
Event Name
Notify Unban
-
-
Configure the actions (the default IP Ban action will be added later to the stitch):
-
Go to Security Fabric > Automation, select the Action tab, and click Create New.
-
In the Notifications section, click Email and enter the following:
Name
email_log
To
Enter an email address
Subject
CSF stitch alert
-
Click OK.
-
Repeat these steps to create a CLI Script (in the General section) action with the following settings:
Name
fdc_unban
Script
diagnose user banned-ip delete src4 %%log.srcip%%
Administrator profile
super_admin
-
-
Configure the fortideceptor_threat stitch:
-
Go to Security Fabric > Automation, select the Stitch tab, and click Create New.
-
Enter the name, fortideceptor_threat.
-
Click Add Trigger. Select fdc_Insider_Threat and click Apply.
-
Click Add Action. Select email_log and click Apply.
-
Click Add Action. Select IP Ban and click Apply.
-
Click the Add delay located between both actions. Enter 5 and click OK.
-
Click OK.
-
-
Configure the fortideceptor_ban stitch:
-
Go to Security Fabric > Automation, select the Stitch tab, and click Create New.
-
Enter the name, fortideceptor_ban.
-
Click Add Trigger. Select fdc_Notify_Ban and click Apply.
-
Click Add Action. Select email_log and click Apply.
-
Click Add Action. Select IP Ban and click Apply.
-
Click the Add delay located between both actions. Enter 5 and click OK.
-
Click OK.
-
-
Configure the fortideceptor_unban stitch:
-
Go to Security Fabric > Automation, select the Stitch tab, and click Create New.
-
Enter the name, fortideceptor_unban.
-
Click Add Trigger. Select fdc_Notify_Unban and click Apply.
-
Click Add Action. Select email_log and click Apply.
-
Click Add Action. Select fdc_unban and click Apply.
-
Click the Add delay located between both actions. Enter 5 and click OK.
-
Click OK.
-
To configure stitches with the Fabric connector event trigger in the CLI:
- Configure the triggers:
config system automation-trigger edit "fdc_Insider_Threat" set description "Insider_Threat" set event-type fabric-event set serial "FDC-VMTM210000**" set fabric-event-name "insider_threat" next edit "fdc_Notify_Ban" set description "Notify_Ban" set event-type fabric-event set serial "FDC-VMTM210000**" set fabric-event-name "notify_ban" next edit "fdc_Notify_Unban" set description "Notify_Unban" set event-type fabric-event set serial "FDC-VMTM210000**" set fabric-event-name "notify_unban" next end
- Configure the actions:
config system automation-action edit "IP Ban" set action-type ban-ip next edit "fdc_unban" set action-type cli-script set script "diagnose user banned-ip delete src4 %%log.srcip%%" set output-size 10 set timeout 0 set accprofile "super_admin" next edit "email_log" set action-type email set email-to "*******@fortinet.com" set email-subject "CSF stitch alert" next end
- Configure the stitches:
config system automation-stitch edit "fortideceptor_threat" set trigger "fdc_Insider_Threat" config actions edit 1 set action "email_log" set required enable next edit 2 set action "IP Ban" set delay 5 set required enable next end next edit "fortideceptor_ban" set trigger "fdc_Notify_Ban" config actions edit 1 set action "email_log" set required enable next edit 2 set action "IP Ban" set delay 5 set required enable next end next edit "fortideceptor_unban" set trigger "fdc_Notify_Unban" config actions edit 1 set action "email_log" set required enable next edit 2 set action "fdc_unban" set delay 5 set required enable next end next end
Verification
A device with IP 172.16.200.33 uses SSH to access the decoy (ubuntu16) deployed in the FortiDeceptor. The FortiDeceptor will detect the attacker IP 172.16.200.33, automatically quarantine it, and send the insider threat notification to the FortiGate. This notification will trigger the fortideceptor_threat stitch due to the insider threat event trigger, so an email alert is sent and the attacker IP (172.16.200.33) is banned.
In FortiDeceptor, if the attacker IP (172.16.200.33) is manually blocked or unblocked, the FortiDeceptor will send out the internal block or unblock notification to FortiGate (see Quarantine Status for more details). This notification will trigger the fortideceptor_ban or fortideceptor_unban stitch due the notify ban or unban event trigger. An email alert is sent, and based on the event, the IP is banned or the CLI script runs to unban the IP.
To view the quarantine details in FortiDeceptor:
- Go to Fabric > Quarantine Status.
- Automatic quarantine:
- Manual block or unblock:
To confirm that the stitch was triggered in the FortiOS GUI:
- Go to Security Fabric > Automation and select the Stitch tab.
- Triggered insider threat:
- Triggered notify ban or unban:
To view the quarantined IP details in the FortiOS CLI:
# diagnose user banned-ip list src-ip-addr created expires cause 172.16.200.33 Wed Jan 5 15:57:41 2022 indefinite Administrative
If the IP is unbanned by the stitch, the list will be empty:
# diagnose user banned-ip list src-ip-addr created expires cause