ux_guy_FTNT
New Contributor

Automation: What will you automate?

FortiOS 6 provides automation capabilities allowing us to create events based on any event ID in the OS. For those unfamiliar

What have you already set up, what WILL you set up?

emnoc
Esteemed Contributor III

Probably cfg-changes. This is a must-have and all orgs meeting compliance need chg management alerts.

 

ken

 

PCNSE NSE StrongSwan
ux_guy_FTNT

@emnoc got it, so configuration changes as the trigger. What service will you use for the action, and what do you think the content should be?

emnoc
Esteemed Contributor III

When we had syslog-ng we were doing "Delete" as trigger. So probably something similar, and for policy and address objects. Others might want system.admin

 

Ken

seadave
Contributor III

I'm running 6.0.3 and I can't get this to work.  For example, right now we have email alerts configured to send us any config changes via the "Email Alert Settings", works fine.

 

I tried to set up an automation:

 

    config system automation-trigger
        edit "FEN - ConfigtoEmail"
            set trigger-type event-based
            set event-type config-change
        next
    end
    config system automation-action
        edit "FEN - ConfigtoEmail_email"
            set action-type email
            set email-to "user@company.com" (using example here but we have valid email configured)
            set email-subject "Config Change"
            set minimum-interval 0
        next
    end
    config system automation-stitch
        edit "FEN - ConfigtoEmail"
            set status enable
            set trigger "FEN - ConfigtoEmail"
            set action "FEN - ConfigtoEmail_email"
        next
    end

 

When we right click and choose "Test" we get the red "Error triggering automation stitch" message.

 

The dependencies for automation are not well defined.  What are we missing?  I have telemetry enabled on the LAN interface but there is NO upstream Fortigate.  As mentioned above traditional mail alerts work fine.  Do we need to disable those?

emnoc
Esteemed Contributor III

I would not think so. Do you have any extended debugs that could be enabled?

 

Ken Felix

 

seadave
Contributor III

Kind of gave up for now.  What was odd is we did finally get one alert via the automation feature, as compared to many more via Syslog before we turned it off.  Seems to be an evolving feature.  We'll do some more testing.  I'm all ears if you have some specific diag commands. 

 

Some additional documentation on this feature and what you need to have enabled to support it in addition to any conflicts (does having existing email alerts via the traditional settings cause an issue?) would be nice.

thuynh_FTNT

Hi Seadave, sorry for the delay and please don't give up on us :P So the main thing here is the behaviour of this "config-change" trigger: it only triggers __after__ the current admin logs out. This was designed to avoid multiple emails if the admin is making a lot of changes during the same login session. However, the expectation is not clear so it causes confusion. We will look into improving it.

>When we right click and choose "Test" we get the red "Error triggering automation stitch" message.

This is actually a known bug in 6.0.3 where the "test" action does not work from the GUI (M0506270). This has been fixed in 6.2.0 and we will fix it in 6.0 as well. You can still test the automation stitch via CLI with the following command:

    diagnose automation test [stitch name] [log]

You need to provide a sample log to be used for the test. For example:

    diag automation test Configuration_Change_Notification "date=2019-05-23 time=20:49:51 logid=\"0100032102\" type=\"event\" subtype=\"system\" level=\"alert\" vd=\"root\" eventtime=1558669791 logdesc=\"Configuration changed\" user=\"thuynh\" ui=\"https(10.100.55.254)\" msg=\"Configuration is changed in the admin session\""
    automation test is done. stitch:Configuration_Change_Notification

In addition, you can use the following command to review the automation history:

    diagnose test application autod
    1. Enable/disable log dumping
    2. Show automation settings.
    3. Show automation statistics.

    diagnose test application autod 3
    stitch: Configuration_Change_Notification
        local hit: 1 relayed to: 1 relayed from: 1
        last trigger:Thu May 23 20:49:52 2019
        last relay:Thu May 23 20:49:52 2019
        actions:
            Configuration_Change_Notification_email:
                done: 1 relayed to: 1 relayed from: 1
                last trigger:Thu May 23 20:49:52 2019
                last relay:Thu May 23 20:49:52 2019

>The dependencies for automation are not well defined.  What are we missing?  I have telemetry enabled on the LAN interface but there is NO upstream Fortigate.  As mentioned above traditional mail alerts work fine.  Do we need to disable those?

No, what you have should work. This feature is independent of the traditional email alert.

>Some additional documentation on this feature and what you need to have enabled to support it in addition to any conflicts (does having existing email alerts via the traditional settings cause an issue?) would be nice.

Yes, we will look into improving the documentation here. In general the automation feature should work as long as you can configure them and any special dependency would be reflected on the GUI. We do have some cookbook available for 6.0 and 6.2 automation. Please take a look and let us know if you have any feedback.

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/545415/automation-stitches
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/139441/automation-stitches
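Added example, not part of the reply above and not Fortinet code: a small Python helper that parses a raw FortiOS key=value log line and builds the escaped `diagnose automation test` command shown in that reply. The function names are hypothetical, and quoting a stitch name that contains spaces is an assumption about the CLI.

```python
import re

# FortiOS logs are key=value pairs; values are "quoted" (may hold spaces) or bare.
_FIELD = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')
# logid of the "Configuration changed" event in the sample log from the post.
CONFIG_CHANGE_LOGID = "0100032102"

# Sample log from the post above, in raw form (before CLI escaping).
SAMPLE_LOG = ('date=2019-05-23 time=20:49:51 logid="0100032102" type="event" '
              'subtype="system" level="alert" vd="root" eventtime=1558669791 '
              'logdesc="Configuration changed" user="thuynh" '
              'ui="https(10.100.55.254)" '
              'msg="Configuration is changed in the admin session"')


def parse_fortios_log(line):
    """Return the key=value fields of one raw log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in _FIELD.findall(line)}


def is_config_change(fields):
    """True when the parsed event is the config-change event from the sample."""
    return (fields.get("type") == "event"
            and fields.get("logid") == CONFIG_CHANGE_LOGID)


def build_test_command(stitch, line):
    """Build the 'diagnose automation test' command for a stitch and raw log."""
    # Refuse control characters so a pasted log cannot smuggle a second
    # CLI line into the session.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in stitch + line):
        raise ValueError("control character in stitch name or log line")
    if '"' in stitch or "\\" in stitch:
        raise ValueError("unsupported character in stitch name")
    if not parse_fortios_log(line).get("logid"):
        raise ValueError("log line has no logid field")
    # Assumption: names containing spaces are passed in double quotes.
    name = f'"{stitch}"' if " " in stitch else stitch
    escaped = line.replace("\\", "\\\\").replace('"', '\\"')
    return f'diagnose automation test {name} "{escaped}"'


if __name__ == "__main__":
    print(build_test_command("Configuration_Change_Notification", SAMPLE_LOG))
```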

seadave

It does appear to work for us now.  I will dig into this in more detail as I look forward to using this feature.  We just upgraded to 6.0.5.
