Actions
The following table outlines the available actions. Multiple actions can be added to an automation stitch. Actions can be reorganized in the Edit Automation Stitch page by dragging and dropping the actions in the diagram.
|
Category |
Action |
Description |
|---|---|---|
|
Security Response |
||
|
|
Access Layer Quarantine |
This option is only available for Compromised Host triggers. Quarantine the MAC address on access layer devices (FortiSwitch and FortiAP). |
|
|
FortiClient Quarantine |
This option is only available for Compromised Host triggers. Use FortiClient EMS to block all traffic from the source addresses that are flagged as compromised hosts. Quarantined devices are flagged on the Security Fabric topology views. |
|
|
FortiNAC Quarantine |
This option is only available for Compromised Host and Incoming Webhook triggers. Use FortiNAC to quarantine a client PC and disable its MAC address. |
|
|
VMware NSX Security Tag |
This option is only available for Compromised Host triggers. If an endpoint instance in a VMware NSX environment is compromised, the configured security tag is assigned to the compromised endpoint. See VMware NSX security tag action and VMware NSX-T security tag action for details. |
|
|
IP Ban |
This option is only available for Compromised Host triggers. Ban the IP address specified in the automation trigger event. |
|
Notifications |
||
|
|
Send a custom email message to the selected recipients. At least one recipient and an email subject must be specified. The email body can use parameters from logs or previous action results. Wrapping the parameter with %% will replace the expression with the JSON value for the parameter, for example: %%results.source%% is the source property from the previous action. Replacement messages can be enabled in the email body to create branded email alerts. See Replacement messages for email alerts for details. |
|
|
|
FortiExplorer Notification |
Send push notifications to FortiExplorer. The FortiProxy must be registered to FortiCare on the mobile app that will receive the notification. |
|
|
Slack Notification |
Send a notification to a Slack channel. See Slack Notification action for details. |
|
|
Microsoft Teams Notification |
Send a notification to channels in Microsoft Teams. See Microsoft Teams Notification action for details. |
|
Cloud Compute |
||
|
|
AWS Lambda |
AWS Lambda functions can be called when an automation stitch is triggered. See AWS Lambda action for details. |
|
|
Azure Function |
Azure functions can be called when an automation stitch is triggered. See Azure Function action for details. |
|
|
Google Cloud Function |
Google Cloud functions can be called when an automation stitch is triggered. See Google Cloud Function action for details. |
|
|
AliCloud Function |
AliCloud functions can be called when an automation stitch is triggered. See AliCloud Function action for details. |
|
General |
||
|
|
CLI Script |
Run one or more CLI scripts. See CLI script action for details, and Execute a CLI script based on CPU and memory thresholds for an example. |
|
|
Webhook |
Send an HTTP request using a REST callback. See Webhook action for details, and Slack integration webhook and Microsoft Teams integration webhook for examples. |
|
|
Alert |
Generate a FortiProxy dashboard alert. This option is only available in the CLI. |
|
|
Disable SSID |
Disable the SSID interface. This option is only available in the CLI. |