├── .gitignore ├── Fortianalyzer-custom-reports ├── CPU-memory-bandwidth-and-sessions-rate-report.csv ├── CPU-memory-bandwidth-and-sessions-rate-report.dat ├── CPU-memory-bandwidth-and-sessions-rate-report.pdf ├── Logs-per-device-per-VDOM-report.dat ├── Logs-per-device-per-VDOM-report.pdf └── README.adoc ├── Fortianalyzer-handlers ├── Admin-level-user-was-added.json ├── Admin-level-user-was-deleted.json ├── CPU-threshold-exceeded.json ├── Configuring-new-handler-example.png ├── Entered-conserve-mode.json ├── Fortigate-configuration-changed-by-administrator-with-details.json ├── Fortiguard-for-Webfiltering-is-unreachable.json ├── Memory-threshold-exceeded.json ├── README.adoc ├── Send-email-alert-on-specific-policy-rule-hit.adoc ├── Send-email-alert-on-successful-admin-level-user-log-in.json └── x-email-alert-on-specific-policy-hit.png ├── Fortigate-automation-stitches ├── README.adoc ├── admin-downloaded-configuration.adoc ├── admin-level-user-logged-in-email-alert.adoc ├── admin-level-user-password-changed-email-alert.adoc ├── admin-level-user-was-created.adoc ├── backup-config-daily-to-external-server.adoc ├── backup-config-on-change.adoc ├── certificate-is-about-to-expire-warning-email-alert.adoc ├── configuration-changed-by-admin-email-alert.adoc ├── configuration-changed-by-admin-with-changes-email-alert.adoc ├── conserve-mode-on-email-alert.adoc ├── flush-vpn-tunnel-on-schedule-with-VDOMs.adoc ├── fortiguard-servers-unreachable-email-alert-with-vdoms.adoc ├── fortiguard-servers-unreachable-email-alert.adoc ├── gen-names.awk ├── high-cpu-usage-email-alert.adoc ├── interface-went-down-email-alert.adoc ├── interface-went-up-email-alert.adoc ├── reboot-email-alert.adoc ├── restart-both-ips-and-wad-processes.adoc ├── restart-ips-process-daily.adoc ├── restart-wad-process-daily.adoc ├── schedule-daily-reboot.adoc ├── schedule-reboot-once.adoc ├── schedule-weekly-reboot.adoc ├── specific-interface-went-down-email-alert.adoc └── 
ssl-vpn-user-login-successful-from-specific-ip-alert-by-email.adoc ├── LICENSE ├── README.adoc └── Wireshark-ready-packet-captures ├── README.adoc ├── bgp-initial-session-set-up-exchange-of-updates.pcap ├── bgp-topology-1.png └── bgp-update-message-followed-by-withdraw-msg.pcap /.gitignore: -------------------------------------------------------------------------------- 1 | # VS Code 2 | .vscode/* 3 | *.code-workspace 4 | .history 5 | .settings 6 | -------------------------------------------------------------------------------- /Fortianalyzer-custom-reports/CPU-memory-bandwidth-and-sessions-rate-report.csv: -------------------------------------------------------------------------------- 1 | "###CPU-memory-bandwidth-and-sessions-rate-chart###" 2 | "ID","epoch_time","% CPU","% Memory","setuprate","totalsession","bandwidth" 3 | " 1 ","2025-01-06 02:25:29","40","35","0","1","0/0" 4 | " 2 ","2025-01-06 02:30:26","0","49","0","7","1/0" 5 | " 3 ","2025-01-06 02:35:26","0","49","1","8","2/1" 6 | " 4 ","2025-01-06 02:40:26","0","52","2","118","28/24" 7 | " 5 ","2025-01-06 02:45:26","0","51","0","14","30/29" 8 | " 6 ","2025-01-06 02:50:26","0","51","0","14","30/28" 9 | " 7 ","2025-01-06 02:55:26","0","51","0","10","30/28" 10 | " 8 ","2025-01-06 03:00:26","0","51","1","10","30/28" 11 | " 9 ","2025-01-06 03:05:26","0","51","2","10","30/28" 12 | " 10 ","2025-01-06 03:10:26","0","51","2","10","30/28" 13 | " 11 ","2025-01-06 03:15:26","0","51","0","12","27/25" 14 | " 12 ","2025-01-06 03:20:26","0","51","0","9","30/28" 15 | " 13 ","2025-01-06 03:25:26","0","51","0","9","30/28" 16 | " 14 ","2025-01-06 03:30:27","0","51","0","9","31/29" 17 | " 15 ","2025-01-06 03:35:27","0","51","0","8","2/2" 18 | " 16 ","2025-01-06 03:40:27","0","51","0","12","5/4" 19 | " 17 ","2025-01-06 03:45:27","0","51","0","10","36/27" 20 | " 18 ","2025-01-06 03:50:26","0","51","0","12","7/6" 21 | " 19 ","2025-01-06 03:55:26","0","51","0","89","5/4" 22 | " 20 ","2025-01-06 04:00:26","0","51","4","10","31/29" 
23 | " 21 ","2025-01-06 04:05:26","0","51","1","8","12/11" 24 | " 22 ","2025-01-06 04:10:26","0","51","0","9","27/25" 25 | " 23 ","2025-01-06 04:15:26","0","51","0","13","2/2" 26 | " 24 ","2025-01-06 04:20:26","0","51","0","7","3/2" 27 | " 25 ","2025-01-06 04:25:26","0","51","0","8","21/20" 28 | " 26 ","2025-01-06 04:30:26","0","51","0","9","31/29" 29 | " 27 ","2025-01-06 04:35:26","0","51","0","10","3/2" 30 | " 28 ","2025-01-06 04:40:26","0","51","0","11","2/2" 31 | " 29 ","2025-01-06 04:45:26","0","51","0","7","2/2" 32 | " 30 ","2025-01-06 04:50:26","0","51","0","13","32/29" 33 | " 31 ","2025-01-06 04:55:26","0","51","2","78","31/29" 34 | " 32 ","2025-01-06 05:00:26","0","51","0","7","3/2" 35 | " 33 ","2025-01-06 05:05:26","0","51","0","9","22/20" 36 | " 34 ","2025-01-06 05:10:26","0","51","1","9","25/20" 37 | " 35 ","2025-01-06 05:15:26","0","51","1","14","30/28" 38 | " 36 ","2025-01-06 05:20:26","0","51","1","7","0/0" 39 | " 37 ","2025-01-06 05:25:26","0","51","1","7","0/0" 40 | " 38 ","2025-01-06 05:30:27","0","51","1","6","0/0" 41 | " 39 ","2025-01-06 05:35:26","0","51","1","6","0/0" 42 | " 40 ","2025-01-06 05:40:26","0","51","1","9","0/0" 43 | " 41 ","2025-01-06 05:45:26","0","51","1","6","0/0" 44 | " 42 ","2025-01-06 05:50:26","0","51","1","8","0/0" 45 | " 43 ","2025-01-06 05:55:27","0","51","1","6","0/0" 46 | " 44 ","2025-01-06 06:00:26","0","51","1","6","0/0" 47 | " 45 ","2025-01-06 06:05:26","0","51","1","8","0/0" 48 | " 46 ","2025-01-06 06:10:26","0","51","1","4","0/0" 49 | " 47 ","2025-01-06 06:15:26","0","51","1","9","0/0" 50 | " 48 ","2025-01-06 06:20:27","0","51","1","4","0/0" 51 | " 49 ","2025-01-06 06:25:26","0","51","1","5","2/1" 52 | " 50 ","2025-01-06 06:30:26","0","51","0","3","0/1" 53 | " 51 ","2025-01-06 06:35:26","0","51","0","4","0/0" 54 | " 52 ","2025-01-06 06:40:27","0","51","0","8","1/0" 55 | " 53 ","2025-01-06 06:45:26","0","51","0","3","1/0" 56 | " 54 ","2025-01-06 06:50:26","0","52","0","7","1/1" 57 | " 55 ","2025-01-06 
06:55:26","0","51","0","3","0/1" 58 | " 56 ","2025-01-06 07:00:26","0","51","2","86","32/29" 59 | " 57 ","2025-01-06 07:05:27","0","51","0","7","19/17" 60 | " 58 ","2025-01-06 07:10:27","0","52","0","7","25/24" 61 | " 59 ","2025-01-06 07:15:27","0","51","0","9","4/4" 62 | " 60 ","2025-01-06 07:20:25","0","51","0","8","4/2" 63 | " 61 ","2025-01-06 07:25:26","0","51","0","9","3/2" 64 | " 62 ","2025-01-06 07:30:26","0","51","0","7","23/20" 65 | " 63 ","2025-01-06 07:35:26","0","51","0","9","33/30" 66 | " 64 ","2025-01-06 07:40:26","0","51","0","11","6/4" 67 | " 65 ","2025-01-06 07:45:26","0","51","0","7","5/2" 68 | " 66 ","2025-01-06 07:50:26","0","51","0","10","5/3" 69 | " 67 ","2025-01-06 07:55:26","0","51","0","8","5/3" 70 | " 68 ","2025-01-06 08:00:26","0","51","0","8","4/2" 71 | " 69 ","2025-01-06 08:05:26","0","51","0","9","3/2" 72 | " 70 ","2025-01-06 08:10:26","0","51","0","8","6/4" 73 | " 71 ","2025-01-06 08:15:27","0","51","0","92","3/2" 74 | " 72 ","2025-01-06 08:20:27","0","51","0","7","28/25" 75 | " 73 ","2025-01-06 08:25:27","0","51","1","10","73/70" 76 | " 74 ","2025-01-06 08:30:27","0","51","0","8","27/25" 77 | " 75 ","2025-01-06 08:35:26","0","51","0","10","26/25" 78 | " 76 ","2025-01-06 08:40:27","0","51","1","13","26/25" 79 | " 77 ","2025-01-06 08:45:27","0","52","0","5","0/0" 80 | " 78 ","2025-01-06 08:50:26","0","51","0","9","0/0" 81 | " 79 ","2025-01-06 08:55:26","0","52","0","7","2/2" 82 | " 80 ","2025-01-06 08:57:58","41","35","0","1","0/0" 83 | " 81 ","2025-01-06 09:02:55","0","51","0","9","32/27" 84 | " 82 ","2025-01-06 09:07:55","0","50","2","10","32/29" 85 | " 83 ","2025-01-06 09:12:55","0","50","0","11","46/28" 86 | " 84 ","2025-01-06 09:17:55","0","50","0","11","45/27" 87 | " 85 ","2025-01-06 09:22:55","0","50","0","14","44/27" 88 | " 86 ","2025-01-06 09:27:55","0","50","0","11","44/28" 89 | " 87 ","2025-01-06 09:32:55","0","50","0","9","44/27" 90 | " 88 ","2025-01-06 09:37:56","1","51","0","9","19/4" 91 | " 89 ","2025-01-06 
09:42:56","0","50","0","8","20/5" 92 | " 90 ","2025-01-06 09:47:56","0","50","0","13","20/5" 93 | " 91 ","2025-01-06 09:52:56","0","51","0","7","19/4" 94 | " 92 ","2025-01-06 09:57:56","0","51","0","7","19/4" 95 | " 93 ","2025-01-06 10:02:55","0","51","0","7","3922/3861" 96 | " 94 ","2025-01-06 10:07:55","0","51","0","5","6/1" 97 | " 95 ","2025-01-06 10:12:56","0","50","0","9","0/0" 98 | " 96 ","2025-01-06 10:17:56","0","50","0","6","0/0" 99 | " 97 ","2025-01-06 10:22:55","0","50","0","9","0/0" 100 | " 98 ","2025-01-06 10:27:55","0","51","0","5","0/0" 101 | " 99 ","2025-01-08 10:00:32","36","35","0","1","0/0" 102 | " 100 ","2025-01-08 10:05:29","0","50","0","7","1/0" 103 | " 101 ","2025-01-08 10:10:29","1","50","0","7","105/15" 104 | " 102 ","2025-01-08 10:15:29","0","51","0","90","31/29" 105 | " 103 ","2025-01-08 10:20:29","0","51","0","13","33/29" 106 | " 104 ","2025-01-08 10:25:29","0","54","0","13","4/2" 107 | " 105 ","2025-01-08 10:30:29","0","54","0","8","2/2" 108 | " 106 ","2025-01-08 10:35:28","0","53","0","8","5/2" 109 | " 107 ","2025-01-08 10:40:29","0","53","0","8","3/1" 110 | " 108 ","2025-01-08 10:45:29","0","53","0","7","2/1" 111 | " 109 ","2025-01-08 10:50:29","0","53","0","10","2/0" 112 | " 110 ","2025-01-08 10:55:29","0","53","0","7","2/0" 113 | " 111 ","2025-01-08 11:00:29","0","53","0","9","29/27" 114 | " 112 ","2025-01-12 01:47:31","38","35","0","0","0/0" 115 | " 113 ","2025-01-12 01:52:27","0","51","0","152","31/29" 116 | " 114 ","2025-01-12 01:57:27","0","54","0","24","4/2" 117 | " 115 ","2025-01-12 02:02:27","0","50","0","26","4/2" 118 | " 116 ","2025-01-12 02:07:27","0","51","0","23","237/231" 119 | " 117 ","2025-01-12 02:12:27","0","54","0","24","4/2" 120 | " 118 ","2025-01-12 02:17:27","0","55","0","19","9/8" 121 | " 119 ","2025-01-12 02:22:27","0","57","0","20","36/32" 122 | " 120 ","2025-01-12 02:27:27","0","55","0","19","1/0" 123 | " 121 ","2025-01-12 02:32:28","0","54","1","21","24/22" 124 | " 122 ","2025-01-12 
02:37:28","0","54","0","27","38/34" 125 | " 123 ","2025-01-12 02:42:28","0","54","1","111","20/10" 126 | " 124 ","2025-01-12 02:47:28","0","54","0","141","0/0" 127 | " 125 ","2025-01-12 02:52:28","3","56","0","24","3/2" 128 | " 126 ","2025-01-12 02:57:28","0","55","0","106","0/0" 129 | " 127 ","2025-01-12 03:02:27","0","55","0","29","2/1" 130 | " 128 ","2025-01-12 03:07:27","0","55","0","24","1/6" 131 | " 129 ","2025-01-12 03:12:27","0","55","0","25","1/1" 132 | " 130 ","2025-01-12 03:17:27","0","55","0","24","1/1" 133 | " 131 ","2025-01-12 03:22:27","0","55","0","24","1/0" 134 | " 132 ","2025-01-12 03:27:27","0","55","0","23","1/1" 135 | " 133 ","2025-01-12 03:32:27","0","55","1","25","8/8" 136 | " 134 ","2025-01-12 03:37:27","0","55","2","27","9/9" 137 | " 135 ","2025-01-12 03:42:27","0","55","1","27","9/9" 138 | " 136 ","2025-01-12 03:47:27","0","55","1","25","8/8" 139 | " 137 ","2025-01-12 03:52:27","0","55","2","22","9/9" 140 | " 138 ","2025-01-12 03:57:27","0","55","1","24","9/9" 141 | " 139 ","2025-01-12 04:02:27","0","55","0","26","0/0" 142 | " 140 ","2025-01-12 04:07:27","0","55","0","18","0/0" 143 | " 141 ","2025-01-12 04:12:27","0","55","0","24","0/0" 144 | " 142 ","2025-01-12 04:17:28","0","55","0","20","0/0" 145 | " 143 ","2025-01-12 04:22:28","0","55","0","17","0/0" 146 | " 144 ","2025-01-12 04:27:28","0","55","0","19","0/0" 147 | " 145 ","2025-01-12 04:32:27","0","55","0","20","0/0" 148 | " 146 ","2025-01-12 04:37:27","0","55","0","24","0/0" 149 | " 147 ","2025-01-12 04:42:27","0","55","0","22","0/0" 150 | " 148 ","2025-01-12 04:47:27","0","55","0","22","0/0" 151 | " 149 ","2025-01-12 04:52:27","0","55","0","20","0/0" 152 | " 150 ","2025-01-12 04:57:27","0","55","0","21","0/0" 153 | " 151 ","2025-01-12 05:02:28","0","55","2","24","1/1" 154 | " 152 ","2025-01-12 05:07:27","0","55","1","21","0/0" 155 | " 153 ","2025-01-12 05:12:27","0","55","1","25","0/0" 156 | " 154 ","2025-01-12 05:17:27","0","55","1","19","0/0" 157 | " 155 ","2025-01-12 
05:22:27","0","55","1","22","0/0" 158 | " 156 ","2025-01-12 05:27:27","0","55","1","20","0/0" 159 | " 157 ","2025-01-12 05:32:28","0","55","1","18","0/0" 160 | " 158 ","2025-01-12 05:37:28","0","55","1","25","0/0" 161 | " 159 ","2025-01-12 05:42:27","0","55","1","17","0/0" 162 | " 160 ","2025-01-12 05:47:27","0","55","1","17","0/0" 163 | " 161 ","2025-01-12 05:52:27","0","55","1","21","0/0" 164 | " 162 ","2025-01-12 05:57:27","0","55","1","21","0/0" 165 | " 163 ","2025-01-12 06:02:27","0","55","1","25","0/0" 166 | " 164 ","2025-01-12 06:07:27","4","55","1","24","61/77" 167 | " 165 ","2025-01-12 06:12:28","0","55","0","21","2/0" 168 | " 166 ","2025-01-12 06:17:28","0","55","0","20","0/0" 169 | " 167 ","2025-01-12 06:22:27","0","55","0","20","0/0" 170 | " 168 ","2025-01-12 06:27:27","0","55","0","21","2/0" 171 | " 169 ","2025-01-12 06:32:27","0","55","0","19","0/0" 172 | " 170 ","2025-01-12 06:37:27","0","55","0","18","0/0" 173 | " 171 ","2025-01-12 06:42:27","0","55","0","15","0/0" 174 | " 172 ","2025-01-12 06:47:27","0","55","0","16","0/0" 175 | " 173 ","2025-01-12 06:52:28","0","55","1","15","53/50" 176 | " 174 ","2025-01-12 06:57:27","0","55","0","18","0/0" 177 | " 175 ","2025-01-12 07:02:27","0","55","0","23","985/973" 178 | " 176 ","2025-01-12 07:07:27","0","55","0","16","0/0" 179 | " 177 ","2025-01-12 07:12:27","0","55","0","20","0/0" 180 | " 178 ","2025-01-12 07:17:27","0","55","0","17","1/1" 181 | " 179 ","2025-01-12 07:22:27","0","55","0","14","2/1" 182 | " 180 ","2025-01-12 07:27:27","0","55","0","18","2/1" 183 | " 181 ","2025-01-12 07:32:27","0","55","0","18","0/1" 184 | " 182 ","2025-01-12 07:37:28","0","55","0","21","0/1" 185 | " 183 ","2025-01-12 07:42:27","0","55","0","19","0/1" 186 | " 184 ","2025-01-12 07:47:28","0","55","0","15","3/1" 187 | " 185 ","2025-01-12 07:52:28","0","56","0","17","1/1" 188 | " 186 ","2025-01-12 07:57:28","0","56","0","19","1/1" 189 | " 187 ","2025-01-12 08:02:27","0","56","0","23","26/23" 190 | " 188 ","2025-01-12 
08:07:27","2","57","1","19","24/14" 191 | " 189 ","2025-01-12 08:12:27","0","56","1","23","34/31" 192 | " 190 ","2025-01-12 08:17:27","0","56","2","19","20/16" 193 | " 191 ","2025-01-12 08:22:27","0","56","0","16","3/1" 194 | " 192 ","2025-01-12 08:27:28","0","56","0","15","37/28" 195 | " 193 ","2025-01-12 08:32:28","0","56","0","17","25/24" 196 | " 194 ","2025-01-12 08:37:28","0","56","0","20","31/28" 197 | " 195 ","2025-01-12 08:42:27","0","56","1","20","11/9" 198 | " 196 ","2025-01-12 08:47:28","6","56","2","16","34/26" 199 | " 197 ","2025-01-12 08:52:28","0","56","0","17","2/1" 200 | " 198 ","2025-01-12 08:57:28","0","56","0","18","28/24" 201 | " 199 ","2025-01-12 09:02:28","0","56","1","24","12/10" 202 | " 200 ","2025-01-12 09:07:28","0","56","0","23","393/386" 203 | " 201 ","2025-01-12 09:12:28","0","56","0","21","3/1" 204 | " 202 ","2025-01-12 09:17:28","0","56","0","21","3/1" 205 | " 203 ","2025-01-12 09:22:28","0","56","0","18","27/24" 206 | " 204 ","2025-01-12 09:27:28","0","56","2","23","25/29" 207 | " 205 ","2025-01-12 09:32:28","0","56","2","22","31/27" 208 | " 206 ","2025-01-12 09:37:28","0","56","0","25","32/28" 209 | " 207 ","2025-01-12 09:42:28","0","56","0","22","5/3" 210 | " 208 ","2025-01-12 09:47:28","0","57","0","21","2/2" 211 | " 209 ","2025-01-12 09:52:28","0","56","1","25","29/28" 212 | " 210 ","2025-01-12 09:57:27","0","56","0","20","0/0" 213 | " 211 ","2025-01-12 10:02:27","0","56","0","24","0/0" 214 | " 212 ","2025-01-12 10:07:27","0","56","0","22","29/28" 215 | " 213 ","2025-01-12 10:12:27","0","57","2","26","0/0" 216 | " 214 ","2025-01-12 10:17:27","14","57","2","29","128/160" 217 | " 215 ","2025-01-12 10:22:27","0","56","1","24","0/1" 218 | " 216 ","2025-01-12 10:27:27","0","57","1","27","3072/3036" 219 | " 217 ","2025-01-12 10:32:28","0","57","2","22","0/0" 220 | " 218 ","2025-01-12 10:37:28","24","58","1","26","3173/90" 221 | " 219 ","2025-01-12 10:42:28","0","56","0","22","28/25" 222 | " 220 ","2025-01-12 
10:47:28","0","57","0","20","36/29" 223 | " 221 ","2025-01-12 10:52:28","0","57","0","21","4/2" 224 | " 222 ","2025-01-12 10:57:28","0","57","0","21","4/2" 225 | " 223 ","2025-01-12 11:02:28","0","56","0","25","4/2" 226 | " 224 ","2025-01-12 11:07:28","0","57","0","18","2/0" 227 | " 225 ","2025-01-12 11:12:28","0","56","0","23","0/0" 228 | " 226 ","2025-01-12 11:17:27","0","57","1","20","1/0" 229 | " 227 ","2025-01-12 11:22:27","0","57","0","21","3/0" 230 | " 228 ","2025-01-12 11:27:27","0","57","1","20","2/0" 231 | " 229 ","2025-01-12 11:32:27","0","57","0","18","2/0" 232 | " 230 ","2025-01-12 11:37:27","0","57","0","23","0/0" 233 | " 231 ","2025-01-12 11:42:28","0","56","0","20","2/0" 234 | " 232 ","2025-01-12 11:47:28","0","57","0","18","3/0" 235 | 236 | -------------------------------------------------------------------------------- /Fortianalyzer-custom-reports/CPU-memory-bandwidth-and-sessions-rate-report.dat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuriskinfo/Fortinet-tools/4b62cf100a7928025d5f089dfcf6c98758bfff14/Fortianalyzer-custom-reports/CPU-memory-bandwidth-and-sessions-rate-report.dat -------------------------------------------------------------------------------- /Fortianalyzer-custom-reports/CPU-memory-bandwidth-and-sessions-rate-report.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuriskinfo/Fortinet-tools/4b62cf100a7928025d5f089dfcf6c98758bfff14/Fortianalyzer-custom-reports/CPU-memory-bandwidth-and-sessions-rate-report.pdf -------------------------------------------------------------------------------- /Fortianalyzer-custom-reports/Logs-per-device-per-VDOM-report.dat: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/yuriskinfo/Fortinet-tools/4b62cf100a7928025d5f089dfcf6c98758bfff14/Fortianalyzer-custom-reports/Logs-per-device-per-VDOM-report.dat -------------------------------------------------------------------------------- /Fortianalyzer-custom-reports/Logs-per-device-per-VDOM-report.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuriskinfo/Fortinet-tools/4b62cf100a7928025d5f089dfcf6c98758bfff14/Fortianalyzer-custom-reports/Logs-per-device-per-VDOM-report.pdf -------------------------------------------------------------------------------- /Fortianalyzer-custom-reports/README.adoc: -------------------------------------------------------------------------------- 1 | = Custom Fortianalyzer Reports 2 | 3 | * link:Logs-per-device-per-VDOM-report.dat[Logs per device per VDOM report for previous 7 days] and example of such report: link:Logs-per-device-per-VDOM-report.pdf[Example report PDF] 4 | 5 | The custom data-set for this report is (Log Type = Traffic): 6 | 7 | [source,sql] 8 | ---- 9 | SELECT 10 | devname, 11 | vd, 12 | policyid, 13 | count(policyid) AS number_of_logs 14 | FROM 15 | $log 16 | WHERE 17 | $filter 18 | GROUP BY 19 | devname, 20 | vd, 21 | policyid 22 | ORDER BY 23 | number_of_logs DESC 24 | ---- 25 | 26 | 27 | 28 | * link:CPU-memory-bandwidth-and-sessions-rate-report.dat[CPU memory bandwidth usage and sessions set up rate report for previous 7 days] and example report as link:CPU-memory-bandwidth-and-sessions-rate-report.pdf[PDF] and as link:CPU-memory-bandwidth-and-sessions-rate-report.csv[CSV] 29 | 30 | 31 | The custom data-set for this report is (Log Type = Event): 32 | 33 | [source,sql] 34 | ---- 35 | SELECT from_dtime(dtime) AS epoch_time, cpu, mem, setuprate, totalsession, bandwidth 36 | FROM $log 37 | WHERE $filter 38 | AND 39 | action='perf-stats' ORDER BY epoch_time 40 | ---- 
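The two datasets above run inside FAZ, but the CSV the second report exports is easy to post-process offline, which is useful when you want to check a threshold before turning it into a Handler. The following Python script is an added example (mine, not part of the yurisk.info repository): it parses the chart CSV format FAZ emits (a `"###...###"` title line, a quoted header, quoted values, `bandwidth` as a pair I read as tx/rx), replays the CPU and memory thresholds the Handlers in this repository use (50% CPU, 75% memory; I assume their `oper: 2` means greater-or-equal), and flags bandwidth or session outliers with a median/MAD score so that a single burst like the `3922/3861` row above cannot hide behind an average. The sample rows are copied from the CSV in this repository.

```python
import csv
import io
import statistics

# Constructed sample in the exact shape of the FAZ export above: a "###title###"
# line, a quoted header, quoted values, bandwidth as an "a/b" pair.  The rows are
# copied from the CSV in this repository.
SAMPLE_CSV = '''"###CPU-memory-bandwidth-and-sessions-rate-chart###"
"ID","epoch_time","% CPU","% Memory","setuprate","totalsession","bandwidth"
" 1 ","2025-01-06 02:25:29","40","35","0","1","0/0"
" 2 ","2025-01-06 02:30:26","0","49","0","7","1/0"
" 3 ","2025-01-06 02:35:26","0","49","1","8","2/1"
" 4 ","2025-01-06 02:40:26","0","52","2","118","28/24"
" 5 ","2025-01-06 02:45:26","0","51","0","14","30/29"
" 93 ","2025-01-06 10:02:55","0","51","0","7","3922/3861"
" 214 ","2025-01-12 10:17:27","14","57","2","29","128/160"
" 218 ","2025-01-12 10:37:28","24","58","1","26","3173/90"
'''

def parse_report(text):
    """Parse a FAZ chart CSV export into dicts with numeric fields.

    A "###...###" line is a chart title, not data; an export may carry several
    charts, so every such line restarts header detection.
    """
    rows, header = [], None
    for fields in csv.reader(io.StringIO(text)):
        if not fields or fields[0].startswith("###"):
            header = None
            continue
        if header is None:
            header = fields
            continue
        rec = dict(zip(header, fields))
        tx, rx = rec["bandwidth"].split("/")   # assumption: the pair is tx/rx
        rows.append({
            "id": int(rec["ID"].strip()),
            "time": rec["epoch_time"],
            "cpu": int(rec["% CPU"]),
            "mem": int(rec["% Memory"]),
            "setuprate": int(rec["setuprate"]),
            "sessions": int(rec["totalsession"]),
            "bw_tx": int(tx),
            "bw_rx": int(rx),
        })
    return rows

def threshold_hits(rows, cpu=50, mem=75):
    """Rows the CPU/Memory Handlers in this repository would fire on
    (assumed meaning of their oper=2: value >= threshold)."""
    hits = []
    for r in rows:
        if r["cpu"] >= cpu:
            hits.append((r["id"], "cpu", r["cpu"]))
        if r["mem"] >= mem:
            hits.append((r["id"], "mem", r["mem"]))
    return hits

def outliers(rows, field, z=3.5):
    """IDs whose `field` is an outlier by modified z-score (median/MAD).

    Mean/stddev would be dragged by the very spike we want to catch; the
    median-based score is not.  A flat series (MAD 0) has no outliers.
    """
    values = [r[field] for r in rows]
    if len(values) < 3:
        return []
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    if mad == 0:
        return []
    return [r["id"] for r in rows if 0.6745 * abs(r[field] - med) / mad > z]

if __name__ == "__main__":
    rows = parse_report(SAMPLE_CSV)
    print("handler thresholds hit:", threshold_hits(rows))
    print("CPU >= 20 (demo bar):", threshold_hits(rows, cpu=20))
    print("tx bandwidth outliers:", outliers(rows, "bw_tx"))
    print("session outliers:", outliers(rows, "sessions"))
```

Run it against a full export with `parse_report(open(path).read())`. With the Handlers' default thresholds the sample produces no hits; the demo lowers the CPU bar to 20 to show the two rows with non-zero CPU (1 and 218), while the MAD score picks out the two bandwidth bursts (rows 93 and 218) and the 118-session spike (row 4) without any tuning.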
-------------------------------------------------------------------------------- /Fortianalyzer-handlers/Admin-level-user-was-added.json: -------------------------------------------------------------------------------- 1 | { 2 | "data": { 3 | "basic-handler": [ 4 | { 5 | "automation-stitch": 0, 6 | "content-pack-id": "", 7 | "content-pack-uuid": "", 8 | "creation-time": 0, 9 | "data-selector": "", 10 | "description": "", 11 | "enable": 1, 12 | "enable-time": 0, 13 | "handler-id": "b83_262_a3a_69a", 14 | "name": "Admin level user was added", 15 | "notification": "", 16 | "protected": 0, 17 | "rule": [ 18 | { 19 | "aggregate-expr": "COUNT(*) >= 1", 20 | "devtype": 0, 21 | "enable": 1, 22 | "eventstatus": "auto", 23 | "eventtype": null, 24 | "extrainfo": "Admin level user ${cfgobject} was created by ${user}", 25 | "extrainfo-type": 0, 26 | "filter": [ 27 | { 28 | "id": 1, 29 | "key": "logid", 30 | "oper": 0, 31 | "value": "0100044547" 32 | }, 33 | { 34 | "id": 2, 35 | "key": "action", 36 | "oper": 0, 37 | "value": "Add" 38 | }, 39 | { 40 | "id": 3, 41 | "key": "cfgpath", 42 | "oper": 0, 43 | "value": "system.admin" 44 | } 45 | ], 46 | "filter-expr": "", 47 | "filter-relation": 0, 48 | "groupby1": "devname", 49 | "groupby2": "", 50 | "groupby3": "", 51 | "indicator": null, 52 | "logtype": "event", 53 | "name": "Admin level user was created", 54 | "rule-id": "6d5_725_e49_7b0", 55 | "severity": 1, 56 | "subject": null, 57 | "tags": "", 58 | "thres-duration": 2, 59 | "utmevent": "system" 60 | } 61 | ], 62 | "template-url": "", 63 | "update-time": 0, 64 | "uuid": "", 65 | "version": 2 66 | } 67 | ] 68 | }, 69 | "data-type": "txt", 70 | "length": 1064 71 | } -------------------------------------------------------------------------------- /Fortianalyzer-handlers/Admin-level-user-was-deleted.json: -------------------------------------------------------------------------------- 1 | { 2 | "data": { 3 | "basic-handler": [ 4 | { 5 | "automation-stitch": 0, 6 | "content-pack-id": 
"", 7 | "content-pack-uuid": "", 8 | "creation-time": 0, 9 | "data-selector": "", 10 | "description": "", 11 | "enable": 1, 12 | "enable-time": 0, 13 | "handler-id": "20d_42b_d61_468", 14 | "name": "Admin level user was deleted", 15 | "notification": "", 16 | "protected": 0, 17 | "rule": [ 18 | { 19 | "aggregate-expr": "COUNT(*) >= 1", 20 | "devtype": 0, 21 | "enable": 1, 22 | "eventstatus": "auto", 23 | "eventtype": null, 24 | "extrainfo": "Admin level user %%cfgobject%% was created by %%user%%", 25 | "extrainfo-type": 0, 26 | "filter": [ 27 | { 28 | "id": 1, 29 | "key": "logid", 30 | "oper": 0, 31 | "value": "0100044547" 32 | }, 33 | { 34 | "id": 2, 35 | "key": "action", 36 | "oper": 0, 37 | "value": "Delete" 38 | }, 39 | { 40 | "id": 3, 41 | "key": "cfgpath", 42 | "oper": 0, 43 | "value": "system.admin" 44 | } 45 | ], 46 | "filter-expr": "", 47 | "filter-relation": 0, 48 | "groupby1": "devname", 49 | "groupby2": "", 50 | "groupby3": "", 51 | "indicator": null, 52 | "logtype": "event", 53 | "name": "Admin level user was deleted", 54 | "rule-id": "6d5_725_e49_7b0", 55 | "severity": 1, 56 | "subject": null, 57 | "tags": "", 58 | "thres-duration": 2, 59 | "utmevent": "system" 60 | } 61 | ], 62 | "template-url": "", 63 | "update-time": 0, 64 | "uuid": "", 65 | "version": 2 66 | } 67 | ] 68 | }, 69 | "data-type": "txt", 70 | "length": 1071 71 | } -------------------------------------------------------------------------------- /Fortianalyzer-handlers/CPU-threshold-exceeded.json: -------------------------------------------------------------------------------- 1 | { 2 | "data": { 3 | "basic-handler": [ 4 | { 5 | "automation-stitch": 0, 6 | "content-pack-id": "", 7 | "content-pack-uuid": "", 8 | "creation-time": 0, 9 | "data-selector": "", 10 | "description": "Once reported CPU exceeds the set limit, alert will be generated.", 11 | "enable": 1, 12 | "enable-time": 0, 13 | "handler-id": "564_38f_457_fda", 14 | "name": "CPU threshold exceeded", 15 | "notification": "", 16 | 
"protected": 0, 17 | "rule": [ 18 | { 19 | "aggregate-expr": "COUNT(*)>=1", 20 | "devtype": 0, 21 | "enable": 1, 22 | "eventstatus": "auto", 23 | "eventtype": null, 24 | "extrainfo": "CPU usage exceeded ${cpu}%", 25 | "extrainfo-type": 1, 26 | "filter": [ 27 | { 28 | "id": 1, 29 | "key": "logid", 30 | "oper": 0, 31 | "value": "0100040704" 32 | }, 33 | { 34 | "id": 2, 35 | "key": "cpu", 36 | "oper": 2, 37 | "value": "50" 38 | } 39 | ], 40 | "filter-expr": "", 41 | "filter-relation": 0, 42 | "groupby1": "devname-vdom", 43 | "groupby2": "", 44 | "groupby3": "", 45 | "indicator": null, 46 | "logtype": "event", 47 | "name": "CPU usage limit exceeded", 48 | "rule-id": "d3d_97c_c69_384", 49 | "severity": 2, 50 | "subject": null, 51 | "tags": "", 52 | "thres-duration": 2, 53 | "utmevent": "system" 54 | } 55 | ], 56 | "template-url": "", 57 | "update-time": 0, 58 | "uuid": "", 59 | "version": 2 60 | } 61 | ] 62 | }, 63 | "data-type": "txt", 64 | "length": 1027 65 | } -------------------------------------------------------------------------------- /Fortianalyzer-handlers/Configuring-new-handler-example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuriskinfo/Fortinet-tools/4b62cf100a7928025d5f089dfcf6c98758bfff14/Fortianalyzer-handlers/Configuring-new-handler-example.png -------------------------------------------------------------------------------- /Fortianalyzer-handlers/Entered-conserve-mode.json: -------------------------------------------------------------------------------- 1 | { 2 | "data": { 3 | "basic-handler": [ 4 | { 5 | "automation-stitch": 0, 6 | "content-pack-id": "", 7 | "content-pack-uuid": "", 8 | "creation-time": 0, 9 | "data-selector": "", 10 | "description": "Alert on Fortigate entering the conserve mode due to low memory", 11 | "enable": 1, 12 | "enable-time": 0, 13 | "handler-id": "318_75a_c4e_ddb", 14 | "name": "Entered conserve mode", 15 | "notification": "", 16 | "protected": 
0, 17 | "rule": [ 18 | { 19 | "aggregate-expr": "COUNT(*)>=1", 20 | "devtype": 0, 21 | "enable": 1, 22 | "eventstatus": "auto", 23 | "eventtype": null, 24 | "extrainfo": null, 25 | "extrainfo-type": 0, 26 | "filter": [ 27 | { 28 | "id": 1, 29 | "key": "logid", 30 | "oper": 0, 31 | "value": "0100022011" 32 | } 33 | ], 34 | "filter-expr": "", 35 | "filter-relation": 1, 36 | "groupby1": "devname-vdom", 37 | "groupby2": "", 38 | "groupby3": "", 39 | "indicator": null, 40 | "logtype": "event", 41 | "name": "Entered conserve mode", 42 | "rule-id": "152_ec5_ecb_d72", 43 | "severity": 0, 44 | "subject": null, 45 | "tags": "", 46 | "thres-duration": 30, 47 | "utmevent": "system" 48 | } 49 | ], 50 | "template-url": "", 51 | "update-time": 0, 52 | "uuid": "", 53 | "version": 2 54 | } 55 | ] 56 | }, 57 | "data-type": "txt", 58 | "length": 945 59 | } -------------------------------------------------------------------------------- /Fortianalyzer-handlers/Fortigate-configuration-changed-by-administrator-with-details.json: -------------------------------------------------------------------------------- 1 | { 2 | "data": { 3 | "basic-handler": [ 4 | { 5 | "automation-stitch": 0, 6 | "content-pack-id": "", 7 | "content-pack-uuid": "", 8 | "creation-time": 0, 9 | "data-selector": "", 10 | "description": "", 11 | "enable": 1, 12 | "enable-time": 0, 13 | "handler-id": "c11_384_ae1_144", 14 | "name": "Fortigate configuration changed by administrator with details", 15 | "notification": "", 16 | "protected": 0, 17 | "rule": [ 18 | { 19 | "aggregate-expr": "COUNT(*)>=1", 20 | "devtype": 0, 21 | "enable": 1, 22 | "eventstatus": "auto", 23 | "eventtype": null, 24 | "extrainfo": "${user} changed obj ${cfgobj} with ${msg}", 25 | "extrainfo-type": 1, 26 | "filter": [ 27 | { 28 | "id": 2, 29 | "key": "logid", 30 | "oper": 0, 31 | "value": "0100044547" 32 | } 33 | ], 34 | "filter-expr": "", 35 | "filter-relation": 0, 36 | "groupby1": "devname-vdom", 37 | "groupby2": "", 38 | "groupby3": "", 39 | 
"indicator": null, 40 | "logtype": "event", 41 | "name": "Send alert on configuration changed by admin with details", 42 | "rule-id": "ca5_422_3e9_14b", 43 | "severity": 2, 44 | "subject": null, 45 | "tags": "", 46 | "thres-duration": 30, 47 | "utmevent": "system" 48 | } 49 | ], 50 | "template-url": "", 51 | "update-time": 0, 52 | "uuid": "", 53 | "version": 2 54 | } 55 | ] 56 | }, 57 | "data-type": "txt", 58 | "length": 997 59 | } -------------------------------------------------------------------------------- /Fortianalyzer-handlers/Fortiguard-for-Webfiltering-is-unreachable.json: -------------------------------------------------------------------------------- 1 | { 2 | "data": { 3 | "basic-handler": [ 4 | { 5 | "automation-stitch": 0, 6 | "content-pack-id": "", 7 | "content-pack-uuid": "", 8 | "creation-time": 0, 9 | "data-selector": "", 10 | "description": "", 11 | "enable": 1, 12 | "enable-time": 0, 13 | "handler-id": "1ef_5ae_124_5ee", 14 | "name": "Fortiguard for Webfiltering is unreachable", 15 | "notification": "", 16 | "protected": 0, 17 | "rule": [ 18 | { 19 | "aggregate-expr": "COUNT(*)>=1", 20 | "devtype": 0, 21 | "enable": 1, 22 | "eventstatus": "auto", 23 | "eventtype": null, 24 | "extrainfo": null, 25 | "extrainfo-type": 0, 26 | "filter": [ 27 | { 28 | "id": 1, 29 | "key": "logid", 30 | "oper": 0, 31 | "value": "0100020119" 32 | } 33 | ], 34 | "filter-expr": "", 35 | "filter-relation": 1, 36 | "groupby1": "devname-vdom", 37 | "groupby2": "", 38 | "groupby3": "", 39 | "indicator": null, 40 | "logtype": "event", 41 | "name": "Fortiguard for Webfiltering is unreachable", 42 | "rule-id": "305_ddc_a5d_256", 43 | "severity": 0, 44 | "subject": null, 45 | "tags": "", 46 | "thres-duration": 30, 47 | "utmevent": "system" 48 | } 49 | ], 50 | "template-url": "", 51 | "update-time": 0, 52 | "uuid": "", 53 | "version": 2 54 | } 55 | ] 56 | }, 57 | "data-type": "txt", 58 | "length": 924 59 | } 
-------------------------------------------------------------------------------- /Fortianalyzer-handlers/Memory-threshold-exceeded.json: -------------------------------------------------------------------------------- 1 | { 2 | "data": { 3 | "basic-handler": [ 4 | { 5 | "automation-stitch": 0, 6 | "content-pack-id": "", 7 | "content-pack-uuid": "", 8 | "creation-time": 0, 9 | "data-selector": "", 10 | "description": "Once reported memory exceeds the set limit, alert will be generated.", 11 | "enable": 1, 12 | "enable-time": 0, 13 | "handler-id": "4b7_fdb_a86_e75", 14 | "name": "Memory threshold exceeded", 15 | "notification": "", 16 | "protected": 0, 17 | "rule": [ 18 | { 19 | "aggregate-expr": "COUNT(*)>=1", 20 | "devtype": 0, 21 | "enable": 1, 22 | "eventstatus": "auto", 23 | "eventtype": null, 24 | "extrainfo": "", 25 | "extrainfo-type": 0, 26 | "filter": [ 27 | { 28 | "id": 1, 29 | "key": "logid", 30 | "oper": 0, 31 | "value": "0100040704" 32 | }, 33 | { 34 | "id": 2, 35 | "key": "mem", 36 | "oper": 2, 37 | "value": "75" 38 | } 39 | ], 40 | "filter-expr": "", 41 | "filter-relation": 0, 42 | "groupby1": "devname-vdom", 43 | "groupby2": "", 44 | "groupby3": "", 45 | "indicator": null, 46 | "logtype": "event", 47 | "name": "Memory usage limit exceeded", 48 | "rule-id": "d3d_97c_c69_384", 49 | "severity": 2, 50 | "subject": null, 51 | "tags": "", 52 | "thres-duration": 2, 53 | "utmevent": "system" 54 | } 55 | ], 56 | "template-url": "", 57 | "update-time": 0, 58 | "uuid": "", 59 | "version": 2 60 | } 61 | ] 62 | }, 63 | "data-type": "txt", 64 | "length": 1010 65 | } -------------------------------------------------------------------------------- /Fortianalyzer-handlers/README.adoc: -------------------------------------------------------------------------------- 1 | = Fortianalyzer Handlers collection 2 | 3 | The collection is based on the Fortigate automation stitches one, which makes it scale to multiple Fortigates that send their logs to the Fortianalyzer (FAZ). 
4 | As always, if you have an idea for a new Handler or find any errors, feel free to let me know. Also check the predefined Handlers every FAZ ships with; they may already provide the functionality you need. 5 | 6 | I tested and am using this collection in a production environment, but I cannot verify every possible device and version combination, so test before relying on it. 7 | 8 | The Handlers are importable into the FAZ via _FortiSOC_ or _Incidents & Events_ -> _Handlers_ -> _More_... -> _Import_. 9 | 10 | The Handlers do not include a Notification profile; attach your own, configured under _Incidents & Events_ -> _Handlers_ -> _Notification Profiles_. In older versions (6.4) notifications are configured directly inside the Handler. 11 | 12 | 13 | For email alerting, make sure to configure DNS and mail server settings in FAZ. 14 | 15 | E.g.: 16 | 17 | ---- 18 | config system mail 19 | edit "mx.example.yurisk.info" 20 | set from "faz@example.yurisk.info" 21 | set server "mx.example.yurisk.info" 22 | next 23 | end 24 | 25 | config system dns 26 | set primary 10.100.0.2 27 | end 28 | ---- 29 | 30 | The mail will contain the full log that triggered the Handler, so it carries administrator names, source IPs and the changed configuration objects. The mail server entry above is a bare, unauthenticated relay; on a production FAZ also enable SMTP authentication and TLS for that entry so the alerts do not cross the network in clear. 

Here is a GUI example, specifically of the _Send email on successful admin-level user log in_ Handler:

image:Configuring-new-handler-example.png[]

link:Admin-level-user-was-added.json[Admin-level user was added]

link:Admin-level-user-was-deleted.json[Admin-level user was deleted]

link:CPU-threshold-exceeded.json[CPU threshold exceeded]

link:Entered-conserve-mode.json[Entered conserve mode]

link:Fortigate-configuration-changed-by-administrator-with-details.json[Fortigate configuration changed by administrator]

link:Fortiguard-for-Webfiltering-is-unreachable.json[Fortiguard for Webfiltering is unreachable]

link:Memory-threshold-exceeded.json[Memory threshold exceeded]

link:Send-email-alert-on-successful-admin-level-user-log-in.json[Send email on successful admin-level user log in]

link:Send-email-alert-on-specific-policy-rule-hit.adoc[Send email on specific security policy rule hit]
--------------------------------------------------------------------------------
/Fortianalyzer-handlers/Send-email-alert-on-specific-policy-rule-hit.adoc:
--------------------------------------------------------------------------------
= Send email on specific security policy rule hit

This Handler will fire each time some packet(s) hit the given rule, and so may cause a self-inflicted DoS on high-volume rules; use with caution and set Aggregation to more aggressive values. I do not provide a JSON file, as the rule number, which is the condition here, will differ in every case.

This screenshot shows what to set for the Handler to fire on `Policy id` number 8 being hit.

image:x-email-alert-on-specific-policy-hit.png[screenshot of Fortianalyzer handler for rule hit]
--------------------------------------------------------------------------------
/Fortianalyzer-handlers/Send-email-alert-on-successful-admin-level-user-log-in.json:
--------------------------------------------------------------------------------
{
  "data": {
    "basic-handler": [
      {
        "automation-stitch": 0,
        "content-pack-id": "",
        "content-pack-uuid": "",
        "creation-time": 0,
        "data-selector": "",
        "description": "Sends notification on successful admin-level user log in.\n",
        "enable": 1,
        "enable-time": 0,
        "handler-id": "279_f5f_3b4_57b",
        "name": "Send email alert on successful admin-level user log in",
        "notification": "",
        "protected": 0,
        "rule": [
          {
            "aggregate-expr": "COUNT(*)>=1",
            "devtype": 0,
            "enable": 1,
            "eventstatus": "auto",
            "eventtype": null,
            "extrainfo": null,
            "extrainfo-type": 0,
            "filter": [
              {
                "id": 1,
                "key": "logid",
                "oper": 0,
                "value": "0100032001"
              }
            ],
            "filter-expr": "",
            "filter-relation": 0,
            "groupby1": "devname-vdom",
            "groupby2": "",
            "groupby3": "",
            "indicator": null,
            "logtype": "event",
            "name": "Send email alert on successful admin-level user log in",
            "rule-id": "ab7_725_df0_150",
            "severity": 2,
            "subject": null,
            "tags": "",
            "thres-duration": 30,
            "utmevent": "_any_"
          }
        ],
        "template-url": "",
        "update-time": 0,
        "uuid": "",
        "version": 2
      }
    ]
  },
  "data-type": "txt",
  "length": 1006
}
--------------------------------------------------------------------------------
/Fortianalyzer-handlers/x-email-alert-on-specific-policy-hit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuriskinfo/Fortinet-tools/4b62cf100a7928025d5f089dfcf6c98758bfff14/Fortianalyzer-handlers/x-email-alert-on-specific-policy-hit.png
--------------------------------------------------------------------------------
/Fortigate-automation-stitches/README.adoc:
--------------------------------------------------------------------------------
= Collection of Fortigate Automation Stitches
:toc:

== Important facts
* If you have VDOMs enabled, you find the Automation Stitches GUI menu under the _Global_ section.
* When VDOMs are enabled, any networking with hosts external to the Fortigate will happen with the source IP of, and from, the _administrative_ VDOM (usually `root`), e.g. auto-backup of the configuration to an external server. It means you need to have security rules in the _admin_ VDOM that allow such communication.
* When using email as the alert action, make sure you have configured a mail server to relay these alerts. On the CLI it is in `config sys email-server`, and in the GUI it is in System -> Settings.
* It is recommended to configure a PTR record for the sending IP of the Fortigate, as well as an SPF record in the domain you're sending from, to prevent mails being marked as spam.
* Trigger _Field Conditions_ match on either exact values or wildcards: no regex, no ranges for numeric values. Also no partial match, so you cannot match the _"Interface down"_ string with the word _"down"_, unless using the wildcard +++*down*+++.
* Bugs are always possible, e.g. for the built-in stitch _Reboot_, even though it works and fires, the _trigger count_ stays 0.
* These types of stitches have _Test automation stitch_ grayed out:
** Event Log based.
** Configuration change.
** Reboot.
** License expiration.
** HA failover.
** Scheduled.
* For scheduled triggers make sure the Fortigate has a reliable time source, like NTP.
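The field-condition semantics above (exact value or `*` wildcard, no regex, no partial match) and the `%%field%%` substitution the email actions in this collection rely on, emulated in Python so the behaviour can be checked against a log line before a stitch is deployed. This is an added example, not code from this repository or from FortiOS; it assumes that a trigger's 5-digit `logid` is compared with the last five digits of the raw log's 10-digit `logid`, that a `%%name%%` matching no log field is left untouched, and it uses a constructed log line modelled on the SSL VPN tunnel-up log in the Debug section.

```python
"""Emulation of Fortigate automation-trigger field conditions and %%field%% expansion.

Added example, not code from this repository or from FortiOS. Assumptions are
marked in the comments.
"""
import re
import shlex

# Constructed raw log, modelled on the SSL VPN tunnel-up log in the Debug section.
SAMPLE_LOG = (
    'date=2023-02-23 time=09:27:43 eventtime=1677144463207296135 tz="+0000" '
    'logid="0101039947" type="event" subtype="vpn" level="information" vd="root" '
    'logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" '
    'tunnelid=418623311 remip=185.242.6.3 tunnelip=172.19.12.1 user="vpnlocal" '
    'group="vpnsslgrp" dst_host="N/A" reason="tunnel established" '
    'msg="SSL tunnel established"'
)

PLACEHOLDER = re.compile(r"%%([A-Za-z0-9_.]+)%%")


def parse_log(raw):
    """Split a FortiOS key=value log line into a dict; quoted values may hold spaces."""
    fields = {}
    for token in shlex.split(raw):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def field_matches(value, condition):
    """Exact match, or `*` wildcard. Everything else is literal: no regex, no ranges
    and no partial match, so "down" does not match "Interface down" but "*down*" does."""
    if "*" not in condition:
        return value == condition
    pattern = ".*".join(re.escape(part) for part in condition.split("*"))
    return re.fullmatch(pattern, value, re.DOTALL) is not None


def trigger_fires(log, logid, fields):
    """True when the event id and every configured field condition match the log.
    Assumption: the trigger's 5-digit `set logid` (e.g. 32001) is compared with the
    last five digits of the raw log's 10-digit logid (e.g. "0100032001")."""
    if int(log.get("logid", "0")[-5:]) != logid:
        return False
    return all(field_matches(log.get(name, ""), cond) for name, cond in fields.items())


def render(template, log, raw):
    """Expand an action's subject/message: %%name%% or %%log.name%% -> the log field,
    %%log%% -> the complete raw log. Assumption: an unknown field is left as is."""
    def substitute(match):
        name = match.group(1)
        if name == "log":
            return raw
        if name.startswith("log."):
            name = name[4:]
        return log.get(name, match.group(0))
    return PLACEHOLDER.sub(substitute, template)


def run_email_action(raw, logid, fields, subject, message=None):
    """Emulate a log-event stitch with an email action: returns the email the action
    would produce, or None when the trigger does not fire. As on the Fortigate, the
    body is the complete log unless `message` is set."""
    log = parse_log(raw)
    if not trigger_fires(log, logid, fields):
        return None
    body = render(message, log, raw) if message is not None else raw
    return {"subject": render(subject, log, raw), "body": body}


if __name__ == "__main__":
    # SSL VPN tunnel up (event id 39947) restricted to one remote IP, the same
    # kind of condition the "SSL VPN tunnel up with condition of remote IP" stitch uses.
    mail = run_email_action(SAMPLE_LOG, 39947, {"remip": "185.242.6.3"},
                            "SSL VPN up for %%user%%",
                            "Remote IP: %%remip%%\nTime: %%time%%")
    print(mail)
```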

== All about email alerts

* With VDOMs enabled, the email is sent from the _administrative_ VDOM (usually _root_) with the source IP defined by the routing table.
* All the fields you see in the Fortigate *raw log* are available to be included in the email message.
* When sending an email as the action, based on log events, the body will contain the complete log (`%%log%%`) by default, no need to do anything for that. But if you do NOT want to include the log, for privacy reasons, set the `message` parameter to anything else:

----
config sys automation-action
    edit "EmailWithoutBody"
        set action-type email
        set email-to "admin@yurisk.info"
        set email-from "fgt@yurisk.info"
        set email-subject "The stitch has fired"
        set message "This text replaces the full log in the body."
    next
end
----
* Use a specific log field surrounded with double `%` to include it in the message when the trigger is a FortiOS Log Event. E.g. to include the username of the admin that logged in in the subject, and the source IP and _time_ in the message body:

----
config sys automation-action
    edit "AdminLoggedIn"
        set action-type email
        set email-to "admin@yurisk.info"
        set email-from "fgt@yurisk.info"
        set email-subject "Admin user %%user%% logged in"
        set message "Source IP: %%srcip%%
Time: %%time%%"
    next
end
----
* There is a special variable `%%results%%` that we can use in the Actions; it will be replaced with the output of the previously run command. E.g. you can create 2-step actions: the 1st action runs some CLI debug on the Fortigate, the 2nd action sends the debug output by email, see the example here: link:fortiguard-servers-unreachable-email-alert.adoc[Send email alert on FortiGuard servers becoming unreachable and attach debug output]. Be aware that it will include sensitive info if it is presented on the CLI as well.
* For anything you send in the email body, there is a limit of 16 KBytes; it may differ by model.
* The email server for sending alerts is configured under System -> Settings, or on the CLI (the MAIL FROM field is taken from `reply-to`, unless set in the stitch action):

----
config system email-server
    set reply-to "fgt@yurisk.info"
    set server "192.0.0.1"
    set authenticate enable
    set username "secret@yurisk.info"
    set password s$cr$t
end
----

== Debug
* *diag test app autod 2* Show all enabled stitches with their settings.
* *diag test app autod 3* Show statistics for all enabled stitches, including the number of runs (_hit_).
* Email sending debug: *dia debug app alertmail -1*. This will show the whole mail sending session.
* A reboot zeroizes the stitches' statistics.
* Some stitches have a right click -> _Test automation stitch_ menu so that you can trigger the stitch to see if it works. The CLI analog is *diagnose automation test <stitch-name>*.
* Live debug:
** *diag debug reset* To reset any previous debug, just in case.
** *diag test app autod 1* Enable automation stitches logging.
** *diag debug cli 7* Show the stitches' running log on the CLI.
** *diag debug enable* Enable debug.
** right click -> _Test automation stitch_ menu or *diagnose automation test <stitch-name>*.
* Log-based stitches have the menu _Test automation stitch_ grayed out, and we can only trigger them for testing if we input the real log on the CLI. This will also insert this log into the Fortigate logs as if it really happened.
Example of such a log supplied on the CLI; pay attention to every quote " being escaped, and the log should be a single line:

----
diagnose automation test VPNTunnelUp "date=2023-02-23 time=09:27:43 eventtime=1677144463207296135 tz=\"+0000\" logid=\"0101039947\" type=\"event\" subtype=\"vpn\" level=\"information\" vd=\"root\" logdesc=\"SSL VPN tunnel up\" action=\"tunnel-up\" tunneltype=\"ssl-tunnel\" tunnelid=418623311 remip=185.242.6.3 tunnelip=172.19.12.1 user=\"vpnlocal\" group=\"vpnsslgrp\" dst_host=\"N/A\" reason=\"tunnel established\" msg=\"SSL tunnel established\""
----

See for the full example: link:ssl-vpn-user-login-successful-from-specific-ip-alert-by-email.adoc[SSL VPN tunnel up with condition of remote IP address]

== Automation Stitches Collection

link:admin-level-user-logged-in-email-alert.adoc[Send email alert on successful admin-level user log in.]

link:admin-level-user-was-created.adoc[Send email on admin-level user being created/added]

link:admin-level-user-password-changed-email-alert.adoc[Send email on admin-level user password change]

link:backup-config-on-change.adoc[Back up configuration when changed to external server via SFTP]

link:backup-config-daily-to-external-server.adoc[Back up configuration daily to external server via SFTP]

link:admin-downloaded-configuration.adoc[Send alert on Fortigate configuration being downloaded from the GUI]

link:certificate-is-about-to-expire-warning-email-alert.adoc[Local TLS Certificate is about to expire email alert]

link:configuration-changed-by-admin-email-alert.adoc[Send alert on Fortigate configuration changed by administrator without details]

link:configuration-changed-by-admin-with-changes-email-alert.adoc[Send alert on Fortigate configuration changed by administrator with details]

link:conserve-mode-on-email-alert.adoc[email alert on Fortigate entering conserve mode]

link:fortiguard-servers-unreachable-email-alert-with-vdoms.adoc[Send email alert on FortiGuard servers becoming unreachable and attach debug output (with VDOMs)]

link:fortiguard-servers-unreachable-email-alert.adoc[Send email alert on FortiGuard servers becoming unreachable and attach debug output (without VDOMs)]

link:high-cpu-usage-email-alert.adoc[Send an email alert when CPU usage reaches the threshold]

link:interface-went-down-email-alert.adoc[Any of Fortigate interfaces goes down, send an email alert]

link:interface-went-up-email-alert.adoc[Any of Fortigate interfaces goes up, send an email alert]

link:reboot-email-alert.adoc[Fortigate undergoing a reboot email alert]

link:restart-ips-process-daily.adoc[Restart IPS process daily]

link:restart-wad-process-daily.adoc[Restart WAD process daily]

link:schedule-daily-reboot.adoc[Schedule daily reboot of Fortigate]

link:schedule-reboot-once.adoc[Schedule reboot of Fortigate one time]

link:schedule-weekly-reboot.adoc[Schedule weekly reboot of Fortigate]

link:specific-interface-went-down-email-alert.adoc[When only a given interface goes down, send an email alert]

link:ssl-vpn-user-login-successful-from-specific-ip-alert-by-email.adoc[SSL VPN tunnel up with condition of remote IP address]

link:flush-vpn-tunnel-on-schedule-with-VDOMs.adoc[Flush VPN IPSec tunnel on a daily schedule]

link:restart-both-ips-and-wad-processes.adoc[Restart both - IPS & WAD processes at the same time by schedule to prevent Conserve Mode]

--------------------------------------------------------------------------------
/Fortigate-automation-stitches/admin-downloaded-configuration.adoc:
--------------------------------------------------------------------------------
= Send alert on Fortigate configuration being downloaded from the GUI

_Task_: Each time a user with admin rights downloads the Fortigate configuration via the GUI, send an email alert.

NOTE: Thanks to Craig Gauss for this stitch.

* Trigger:

----
config system automation-trigger
    edit "Backup completed"
        set event-type event-log
        set logid 32095
        config fields
            edit 1
                set name "action"
                set value "download"
            next
        end
    next
end
----

* Action - email alert:

----
config sys automation-action
    edit "ConfigDownloaded_email"
        set action-type email
        set email-to "admin@yurisk.info"
        set email-from "fgt@yurisk.info"
        set email-subject "%%log.logdesc%%"
    next
end
----

* Stitch:

----
config system automation-stitch
    edit "ConfigDownload"
        set status disable
        set trigger "Backup completed"
        config actions
            edit 1
                set action "ConfigDownloaded_email"
                set required enable
            next
        end
    next
end
----

--------------------------------------------------------------------------------
/Fortigate-automation-stitches/admin-level-user-logged-in-email-alert.adoc:
--------------------------------------------------------------------------------
= Send email alert on successful admin-level user log in.

*Task*: fire an email alert to _admin@yurisk.info_ each time some user with admin-level permissions logs in to this Fortigate.

NOTE: Make sure you have an SMTP mail server configured under `config system email-server`.

This alert will run on the login of ANY user with admin-level permissions, not just the user named `admin`.

Replace the _admin@yurisk.info_ and _fgt@yurisk.info_ values with your own.

* Trigger, admin user logged in:

----
config system automation-trigger
    edit "AdminLogin"
        set event-type event-log
        set logid 32001
    next
end
----

* Action, send email:

----
config system automation-action
    edit "AdminLogin_email"
        set action-type email
        set email-to "admin@yurisk.com"
        set email-from "fgt@yurisk.com"
        set email-subject "Admin user %%user%% logged in"
        set message "Source IP: %%srcip%%
Time: %%time%%"
    next
end
----

* Stitch:

----
config sys automation-stitch
    edit "AdminLogin_stitch"
        set trigger "AdminLogin"
        config actions
            edit 1
                set action "AdminLogin_email"
                set required enable
            next
        end
    next
end
----

* Example email alert:

----
Subject: Admin user secretuser logged in

Source IP: 82.1.2.3
Time: 13:41:30
----
--------------------------------------------------------------------------------
/Fortigate-automation-stitches/admin-level-user-password-changed-email-alert.adoc:
--------------------------------------------------------------------------------
= Send email alert on admin-level user password change

*Task*: fire an email alert to _admin@yurisk.info_ each time an admin-level user's password is changed.

NOTE: Make sure you have an SMTP mail server configured under `config system email-server`.

Replace the _admin@yurisk.info_ and _fgt@yurisk.info_ values with your own.

* Trigger:

----
config system automation-trigger
    edit "AdminPasswdChanged"
        set event-type event-log
        set logid 44547
        config fields
            edit 1
                set name "cfgpath"
                set value "system.admin"
            next
            edit 2
                set name "cfgattr"
                set value "password[*]"
            next
        end
    next
end
----

* Action to send email:

----
config system automation-action
    edit "AdminPassChange_email"
        set action-type email
        set email-to "admin@yurisk.com"
        set email-from "fgt@yurisk.com"
        set email-subject "Admin user %%user%% password was changed"
        set message "Source IP: %%ui%%
Time: %%time%%"
    next
end
----

* Stitch:

----
config sys automation-stitch
    edit "AdminPassChange_stitch"
        set trigger "AdminPasswdChanged"
        config actions
            edit 1
                set action "AdminPassChange_email"
                set required enable
            next
        end
    next
end
----

* Example email alert:

----
Subject: Admin user secretuser password was changed

Source IP: GUI(82.6.18.28)
Time: 12:22:08
----
--------------------------------------------------------------------------------
/Fortigate-automation-stitches/admin-level-user-was-created.adoc:
--------------------------------------------------------------------------------
= Email alert on admin-level user being created in real time

*Task*: fire an email alert to _admin@yurisk.info_ each time some user (not necessarily named `admin`) with admin-level permissions is created/added on this Fortigate.

NOTE: Make sure you have an SMTP mail server configured under `config system email-server`.

Replace the _admin@yurisk.info_ and _fgt@yurisk.info_ values with your own.

* Trigger based on a few criteria:

----
config system automation-trigger
    edit "AdminUserCreatedlog"
        set event-type event-log
        set logid 44547
        config fields
            edit 1
                set name "action"
                set value "Add"
            next
            edit 2
                set name "cfgpath"
                set value "system.admin"
            next
        end
    next
end
----

* Action:

----
config system automation-action
    edit "Admin User Was Created"
        set action-type email
        set email-to "admin@yurisk.info"
        set email-from "fgt@yurisk.info"
        set email-subject "Admin user was created"
        set message "Date:%%date%%
Time: %%time%%
Management IP:%%ui%%
Action done: %%msg%% on VDOM: %%vd%%"
    next
end
----

* Stitch:

----
config sys automation-stitch
    edit "AdminUserCreated"
        set trigger "AdminUserCreatedlog"
        config actions
            edit 1
                set action "Admin User Was Created"
                set required enable
            next
        end
    next
end
----

Example of the email received:

----
Date:2023-11-27
Time: 16:04:42
Management IP:GUI(10.12.13.11)
Action done: Add system.admin deleteme4 on VDOM: root
----

--------------------------------------------------------------------------------
/Fortigate-automation-stitches/backup-config-daily-to-external-server.adoc:
--------------------------------------------------------------------------------
= Back up configuration daily to external server via SFTP

_Task_: Nightly (at 02:00 am) back up the Fortigate configuration to an external server (10.10.10.13) via the SFTP protocol.

Fortigate can do backups using the TFTP (insecure and unreliable), FTP (insecure but reliable), and SFTP (secure and reliable) protocols. I will be using SFTP to back up to an external server (RHEL) _10.10.10.13_.
SFTP works over the SSH tunnel, so no additional configuration beyond user/SSH on the server is needed in most cases.

Here:

* _10.10.10.13_ Linux server with SSH open to the Fortigate.
* _fgtbackup_ User on the Linux server.
* _fgPW39--7_ Password of the user _fgtbackup_ on the server.

WARNING: The password for the sftp user will be stored in clear text inside the Fortigate configuration and so will be present in the backup on the server as well. I couldn't find a way to prevent this; the variations of `exe backup obfuscated-config` do not help here, so be aware.

* Trigger: When the Fortigate time reaches 02:00 am, run this trigger

----
config sys automation-trigger
    edit "ScheduledBackup_trigger"
        set trigger-type scheduled
        set trigger-hour 2
        set trigger-minute 0
    next
end
----

* Action: run the backup command on the CLI (the `exe backup` command must stay on one line inside the script):

----
config sys automation-action
    edit "ConfigBackupOnSchedule"
        set action-type cli-script
        set script " exe backup config sftp fgtconfig-%%date%%-%%time%%.conf 10.10.10.13 fgtbackup fgPW39--7"
        set accprofile "super_admin"
    next
end
----

NOTE: `%%date%%` and `%%time%%` will be converted to the actual date and time when the backup is run.

The result will look like this on the server:

----
# ls -1
fgtconfig-2023-03-14-02:00:49.conf
fgtconfig-2023-03-14-02:00:15.conf
----

This way, we can easily compare and see the changes made during the day using Linux built-in tools like `diff` on the server.

* Stitch to combine the above:

----
config sys automation-stitch
    edit "BackUpOnSchedule"
        set trigger "ScheduledBackup_trigger"
        config actions
            edit 1
                set action "ConfigBackupOnSchedule"
                set required enable
            next
        end
    next
end
----

As an option, run the backup and send an email alert that the configuration has been backed up (the email action, here _BackUpRun_email_, has to be created separately):

----
config sys automation-stitch
    edit "BackUpOnSchedule"
        set trigger "ScheduledBackup_trigger"
        config actions
            edit 1
                set action "ConfigBackupOnSchedule"
                set required enable
            next
            edit 2
                set action "BackUpRun_email"
                set required enable
            next
        end
    next
end
----

--------------------------------------------------------------------------------
/Fortigate-automation-stitches/backup-config-on-change.adoc:
--------------------------------------------------------------------------------
= Back up configuration when changed to external server via SFTP

_Task_: When an administrator changes the configuration, back it up after she logs out of the Fortigate.

Fortigate can do backups using the TFTP (insecure and unreliable), FTP (insecure but reliable), and SFTP (secure and reliable) protocols. I will be using SFTP and back up to an external server (RHEL) _10.10.10.13_. SFTP works over the SSH tunnel, so no additional configuration beyond user/SSH on the server is needed in most cases.

Here:

* _10.10.10.13_ Linux server with SSH open to the Fortigate.
* _fgtbackup_ User on the Linux server.
* _fgPW39--7_ Password of the user _fgtbackup_ on the server.

WARNING: The password for the sftp user will be stored in clear text inside the configuration and so will be present in the backup on the server as well.
I couldn't find a way to prevent this; the variations of `exe backup obfuscated-config` do not help here, so be aware.

* Trigger: when the configuration changed and the admin logs out

----
config sys automation-trigger
    edit "ConfigChanged_trigger"
        set event-type config-change
    next
end
----

* Action: run the backup command on the CLI (the `exe backup` command must stay on one line inside the script):

----
config sys automation-action
    edit "ConfigBackupOnChange"
        set action-type cli-script
        set script " exe backup config sftp fgtconfig-%%date%%-%%time%%.conf 10.10.10.13 fgtbackup fgPW39--7"
        set accprofile "super_admin"
    next
end
----

NOTE: `%%date%%` and `%%time%%` will be converted to the actual date and time when the backup is run.

The result will look like this on the server:

----
# ls -1
fgtconfig-2023-03-14-11:20:49.conf
fgtconfig-2023-03-14-11:50:15.conf
----

I can easily see the changes made in each administrator session using built-in tools like `diff` on the server.
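A review script for the backups that land on the server, serving both the daily and the on-change back-up stitches: it picks the two latest `fgtconfig-...conf` files, diffs them the way `diff -u` would, and flags the clear-text sftp credentials that the WARNING above says the backup carries. Added example, not part of this repository; the file naming and the sample configuration contents are constructed from this page, and it assumes the backed-up configuration contains the back-up action's `set script` line verbatim.

```python
"""Review the SFTP backups written by the back-up stitches: diff the two latest
and flag the clear-text sftp credentials the configuration carries.

Added example, not part of this repository. File naming and sample contents are
constructed from this page; see the comments for the assumptions.
"""
import difflib
import re

# fgtconfig-YYYY-MM-DD-HH:MM:SS.conf, the name the stitch builds from %%date%% and %%time%%.
BACKUP_NAME = re.compile(r"^fgtconfig-\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.conf$")
# `exe backup config sftp <file> <server> <user> <password>` as stored in `set script`
# (assumption: the action is present verbatim in the backed-up configuration).
SFTP_BACKUP_CMD = re.compile(
    r'exe(?:cute)?\s+backup\s+config\s+sftp\s+([^\s"]+)\s+([^\s"]+)\s+([^\s"]+)\s+([^\s"]+)'
)

# Constructed sample backups, modelled on the `ls -1` listing above. The newer one
# differs by a single admin trusthost change, the kind of change worth reviewing.
_ACTION = (
    'config system automation-action\n'
    '    edit "ConfigBackupOnChange"\n'
    '        set action-type cli-script\n'
    '        set script " exe backup config sftp fgtconfig-%%date%%-%%time%%.conf '
    '10.10.10.13 fgtbackup fgPW39--7"\n'
    '        set accprofile "super_admin"\n'
    '    next\n'
    'end\n'
)
_ADMIN = (
    'config system admin\n'
    '    edit "admin"\n'
    '        set trusthost1 {trusthost}\n'
    '    next\n'
    'end\n'
)
BACKUPS = {
    "fgtconfig-2023-03-14-11:20:49.conf": _ACTION + _ADMIN.format(trusthost="10.0.0.0 255.255.255.0"),
    "fgtconfig-2023-03-14-11:50:15.conf": _ACTION + _ADMIN.format(trusthost="0.0.0.0 0.0.0.0"),
}


def latest_two(names):
    """The two most recent backups; the timestamp in the name sorts lexically."""
    matched = sorted(n for n in names if BACKUP_NAME.match(n))
    if len(matched) < 2:
        raise ValueError("need at least two backups to compare")
    return matched[-2], matched[-1]


def config_diff(old_name, old_text, new_name, new_text):
    """Unified diff between two backups (what `diff -u` on the server would print)."""
    return [line.rstrip("\n") for line in difflib.unified_diff(
        old_text.splitlines(keepends=True), new_text.splitlines(keepends=True),
        fromfile=old_name, tofile=new_name, n=1)]


def changed_lines(diff):
    """Only the added/removed lines: file headers, hunk headers and context dropped."""
    return [line for line in diff[2:] if line[:1] in ("+", "-")]


def exposed_sftp_credentials(config_text):
    """Clear-text sftp credentials stored inside the configuration itself (the WARNING
    on this page): one entry per back-up command found in the configuration."""
    return [
        {"server": server, "user": user, "password": password}
        for _file, server, user, password in SFTP_BACKUP_CMD.findall(config_text)
    ]


def review(backups):
    """Diff the two latest backups and report exposed credentials in the newest one."""
    old, new = latest_two(backups)
    return {
        "compared": (old, new),
        "changes": changed_lines(config_diff(old, backups[old], new, backups[new])),
        "exposed_credentials": exposed_sftp_credentials(backups[new]),
    }


if __name__ == "__main__":
    report = review(BACKUPS)
    print("compared:", *report["compared"])
    for line in report["changes"]:
        print(line)
    for cred in report["exposed_credentials"]:
        # Report the exposure without echoing the password itself.
        print(f"clear-text sftp credentials for {cred['user']}@{cred['server']} present in backup")
```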

* Stitch to combine the above:

----
config sys automation-stitch
    edit "BackUpOnConfigChange"
        set trigger "ConfigChanged_trigger"
        config actions
            edit 1
                set action "ConfigBackupOnChange"
                set required enable
            next
        end
    next
end
----

As an option, run the backup and send an email alert that the configuration has changed:

----
config sys automation-stitch
    edit "BackUpOnConfigChange"
        set trigger "ConfigChanged_trigger"
        config actions
            edit 1
                set action "ConfigBackupOnChange"
                set required enable
            next
            edit 2
                set action "ConfigChanged_email"
                set required enable
            next
        end
    next
end
----

--------------------------------------------------------------------------------
/Fortigate-automation-stitches/certificate-is-about-to-expire-warning-email-alert.adoc:
--------------------------------------------------------------------------------
= Local TLS Certificate is about to expire email alert

_Task_: When a certificate local to the Fortigate is about to expire (10 days ahead), send an email alert. The stitch does not care what this certificate is used for: SSL VPN or admin GUI access.

NOTE: Requires FortiOS 7.2 or newer.

* Set how early before the expiration to alert, in days (on most versions the default is already set to 14 days):

----
config vpn certificate setting
    set cert-expire-warning 10
end
----

* Trigger:

----
config system automation-trigger
    edit "CertToExpire_trigger"
        set event-type local-cert-near-expiry
    next
end
----

* Action (email alert):

----
config system automation-action
    edit "CertIsAboutToExpire_alert"
        set action-type email
        set email-to "admin@yurisk.info"
        set email-from "fgt@yurisk.info"
        set email-subject "Fortigate certificate is about to expire"
    next
end
----

* Stitch, tying all the above together:

----
config system automation-stitch
    edit "CertificateToExpire_stitch"
        set trigger "CertToExpire_trigger"
        config actions
            edit 1
                set action "CertIsAboutToExpire_alert"
            next
        end
    next
end
----

--------------------------------------------------------------------------------
/Fortigate-automation-stitches/configuration-changed-by-admin-email-alert.adoc:
--------------------------------------------------------------------------------
= Send alert on Fortigate configuration changed by administrator without details

_Task_: Each time any configuration is changed, send an email.

NOTE: This alert will only contain the message "Configuration changed" with the username and IP of the administrator, but will *not* contain what changes were made. Additionally, this stitch will fire only *after* the administrator who made the changes logs out of the Fortigate. That is, if an admin session lasts hours, we will receive the alert only after the logout.

* Trigger:

----
config sys automation-trigger
    edit "ConfigChanged_trigger"
        set event-type config-change
    next
end
----

* Action - email alert:

----
config sys automation-action
    edit "ConfigChanged_email"
        set action-type email
        set email-to "admin@yurisk.info"
        set email-from "fgt@yurisk.info"
        set email-subject "%%log.logdesc%%"
    next
end
----

* Stitch:

----
config system automation-stitch
    edit "ConfigChanged"
        set status disable
        set trigger "ConfigChanged_trigger"
        config actions
            edit 1
                set action "ConfigChanged_email"
                set required enable
            next
        end
    next
end
----

--------------------------------------------------------------------------------
/Fortigate-automation-stitches/configuration-changed-by-admin-with-changes-email-alert.adoc:
--------------------------------------------------------------------------------
= Send alert on Fortigate configuration changed by administrator with details

_Task_: Each time any configuration is changed, send an email that also contains a detailed description of what changes were made.

NOTE: This stitch will fire on *every* change made by the administrator and in *real-time*, each time the admin clicks _Apply_ in the GUI, or enters _end/next_ on the CLI. In the GUI, the log ids are 44546 and 44547, called _Attribute configured_ and _Object attribute configured_.

* Trigger:

----
config sys automation-trigger
    edit "ConfigChanges_trigger"
        set event-type event-log
        set logid 44546 44547
    next
end
----

* Action - email alert:

----
config sys automation-action
    edit "ConfigChanged_email"
        set action-type email
        set email-to "admin@yurisk.info"
        set email-from "fgt@yurisk.info"
        set email-subject "%%log.logdesc%%"
    next
end
----

* Stitch:

----
config system automation-stitch
    edit "ConfigChangedwithChanges"
        set trigger "ConfigChanges_trigger"
        config actions
            edit 1
                set action "ConfigChanged_email"
                set required enable
            next
        end
    next
end
----

--------------------------------------------------------------------------------
/Fortigate-automation-stitches/conserve-mode-on-email-alert.adoc:
--------------------------------------------------------------------------------
= email alert on Fortigate entering conserve mode

_Task_: Send an email alert on the Fortigate entering Conserve Mode. The Fortigate enters Conserve Mode when memory usage reaches 88% by default, but the threshold can be configured by an administrator to other values under `config sys global`, `set memory-use-threshold-red`.

* Create a trigger for the event:

----
config system automation-trigger
    edit "ConserveModeOn_trigger"
        set event-type low-memory
    next
end
----

* Add the email alert action:

----
config system automation-action
    edit "ConserveModeOn_action"
        set action-type email
        set email-to "admin@yurisk.info"
        set email-from "fgt@yurisk.info"
        set email-subject "Fortigate entered conserve mode"
    next
end
----

* Create the automation stitch using the 2 above:

----
config system automation-stitch
    edit "ConserveModeEntered_stitch"
        set trigger "ConserveModeOn_trigger"
        config actions
            edit 1
                set action "ConserveModeOn_action"
                set required enable
            next
        end
    next
end
----

--------------------------------------------------------------------------------
/Fortigate-automation-stitches/flush-vpn-tunnel-on-schedule-with-VDOMs.adoc:
--------------------------------------------------------------------------------
= Flush IPSec VPN tunnel on schedule with VDOMs enabled

_Task_: Flush an IPSec VPN tunnel by name daily at 17:10 to bypass the FortiOS 7.4.x bug on Fortigate 100F/200F of the tunnel being up but no traffic passing inside it. The VPN tunnel name here is _VPN-TO-US_ (the name of the Phase1 interface).

NOTE: With VDOMs enabled the only difference is in the Action: before running the `flush` command, you have to enter the VDOM where the VPN tunnel is located. Without VDOMs, just remove the first 2 lines of the action, _config vdom_ and _edit <vdom>_.
* Create an action that runs the command `diagnose vpn ike gateway flush name VPN-TO-US` inside the VDOM:

----
config sys automation-action
    edit "ScheduleVPNtoUSRefresh"
        set action-type cli-script
        set script "config vdom
edit root
diagnose vpn ike gateway flush name VPN-TO-US
"
        set accprofile "super_admin"
    next
end
----

* Create a daily schedule to run the stitch at 17:10:

----
config sys automation-trigger
    edit "Daily_trigger"
        set trigger-type scheduled
        set trigger-hour 17
        set trigger-minute 10
    next
end
----

* Connect the trigger with the action in a stitch:

----
config sys automation-stitch
    edit "RefreshVPNUS"
        set trigger "Daily_trigger"
        config actions
            edit 1
                set action "ScheduleVPNtoUSRefresh"
                set required enable
            next
        end
    next
end
----
--------------------------------------------------------------------------------
/Fortigate-automation-stitches/fortiguard-servers-unreachable-email-alert-with-vdoms.adoc:
--------------------------------------------------------------------------------
= Send email alert on FortiGuard servers becoming unreachable and attach debug output (with VDOMs)

*Task*: when the FortiGuard servers become unreachable for WebFiltering by
Categories in real time, run debug commands and send an email alert with their output.

NOTE: Make sure you have an SMTP mail server configured under `config system
email-server`.

NOTE: Change the VDOM _root_ to the administrative VDOM of your Fortigate, if they differ (if you have no idea, leave it as is).

* Trigger:

----
config system automation-trigger
    edit "WebFilterDown_trigger"
        set event-type event-log
        set logid 20119
    next
end
----

* Action.
Two sequential actions: the first runs the CLI debug commands, the second emails their output (`%%results%%`).

----
config sys automation-action
    edit "FortiGuardDown_debug"
        set action-type cli-script
        set script " config vdom
edit root
exe ping service.fortiguard.net
exe ping update.fortiguard.net
exe ping guard.fortinet.net
diagnose debug rating
end
config global
get sys stat
get sys perf stat
show full system global | grep vdom
"
        set accprofile "super_admin"
    next

    edit "WebFilterDown_email"
        set action-type email
        set email-to "admin@yurisk.info"
        set email-from "fgt@yurisk.info"
        set email-subject "FortiGuard is unreachable, see debug attached"
        set message "%%results%%"
    next
end
----

* Stitch to combine all the above:

----
config system automation-stitch
    edit "WebFilterDown_stitch"
        set trigger "WebFilterDown_trigger"
        config actions
            edit 1
                set action "FortiGuardDown_debug"
                set required enable
            next
            edit 2
                set action "WebFilterDown_email"
                set required enable
            next
        end
    next
end
----
--------------------------------------------------------------------------------
/Fortigate-automation-stitches/fortiguard-servers-unreachable-email-alert.adoc:
--------------------------------------------------------------------------------
= Send email alert on FortiGuard servers becoming unreachable and attach debug output (without VDOMs)

*Task*: when the FortiGuard servers become unreachable for WebFiltering by
Categories in real time, run debug commands and send an email alert with their output.
NOTE: Make sure you have an SMTP mail server configured under `config system
email-server`.

* Trigger:

----
config system automation-trigger
    edit "WebFilterDown_trigger"
        set event-type event-log
        set logid 20119
    next
end
----

* Action. Two sequential actions: the first runs the CLI debug commands, the second emails their output (`%%results%%`).

----
config sys automation-action
    edit "FortiGuardDown_debug"
        set action-type cli-script
        set script " exe ping service.fortiguard.net
exe ping update.fortiguard.net
exe ping guard.fortinet.net
diagnose debug rating
get sys stat
get sys perf stat
"
        set accprofile "super_admin"
    next

    edit "WebFilterDown_email"
        set action-type email
        set email-to "admin@yurisk.info"
        set email-from "fgt@yurisk.info"
        set email-subject "FortiGuard is unreachable, see debug attached"
        set message "%%results%%"
    next
end
----

* Stitch to combine all the above:

----
config system automation-stitch
    edit "WebFilterDown_stitch"
        set trigger "WebFilterDown_trigger"
        config actions
            edit 1
                set action "FortiGuardDown_debug"
                set required enable
            next
            edit 2
                set action "WebFilterDown_email"
                set required enable
            next
        end
    next
end
----
--------------------------------------------------------------------------------
/Fortigate-automation-stitches/gen-names.awk:
--------------------------------------------------------------------------------
# AWK script to order file names, nothing to do with Fortigate
FNR==1 { print "link:"FILENAME"["$0"]"; print "" }

--------------------------------------------------------------------------------
/Fortigate-automation-stitches/high-cpu-usage-email-alert.adoc:
--------------------------------------------------------------------------------
= Send an email alert when CPU usage reaches the threshold

_Task_: Once Fortigate CPU usage crosses the defined threshold, 90% by default
but changeable under `config sys global` `set cpu-use-threshold`, send an
email alert.

* Trigger:

----
config system automation-trigger
    edit "HighCPU_trigger"
        set event-type high-cpu
    next
end
----

* Action to send the email:

----
config system automation-action
    edit "HighCPUemail"
        set action-type email
        set email-to "admin@yurisk.info"
        set email-from "fgt@yurisk.info"
        set email-subject "%%log.logdesc%%"
    next
end
----

* Stitch combining the two above:

----
config system automation-stitch
    edit "HighCPU"
        set trigger "HighCPU_trigger"
        config actions
            edit 1
                set action "HighCPUemail"
                set required enable
            next
        end
    next
end
----
--------------------------------------------------------------------------------
/Fortigate-automation-stitches/interface-went-down-email-alert.adoc:
--------------------------------------------------------------------------------
= Any of Fortigate interfaces goes down, send an email alert

_Task_: We want to get an email alert on any of the Fortigate interfaces changing
status to _down_.

NOTE: We cannot create a single stitch covering both _up_ and _down_ changes;
a separate stitch is needed for each.
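Blocks like the ones in this collection are easy to get wrong when edited by hand: an `edit` left open before the next one, a `config` without its `end`, the same attribute `set` twice in one entry (the CLI silently keeps the last value), or a stitch pointing at a trigger name that was never created. The following is an added example, not part of this repository, of a small Python checker for such slips, run over a constructed snippet; the verb list and the `sys` to `system` abbreviation it knows are assumptions, not the full FortiOS CLI.

```python
import re

# CLI verbs used by this collection plus a few common FortiOS ones; anything
# else is reported (assumption: the real CLI knows more verbs than these).
KEYWORDS = {"config", "edit", "next", "end", "set", "unset", "append",
            "clear", "delete", "purge", "abort", "show", "get"}
ABBREV = {"sys": "system"}  # FortiOS accepts abbreviated table names
# Token: double-quoted value (may span lines, may hold \"), bare word, newline.
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[^\s"]+|\n')


def commands(text):
    """Split a snippet into commands (word lists); a multi-line `set script`
    body stays one word, so the `end` it may contain is not read as CLI."""
    cmds = [[]]
    for tok in _TOKEN.findall(text):
        if tok == "\n":
            cmds.append([])
        else:
            cmds[-1].append(tok[1:-1] if tok.startswith('"') else tok)
    return [c for c in cmds if c and not c[0].startswith("#")]


def lint_fortios(text):
    """Problems in a FortiOS CLI snippet (empty list = clean): config/end and
    edit/next balance, unknown verbs, an attribute set twice in one entry
    (the CLI keeps the last value), stitch references to undefined names."""
    problems, stack = [], []  # stack entries: (kind, name, attributes set so far)
    triggers, actions, refs = set(), set(), []
    def path():  # table path of the innermost config block
        return "/".join(n for kind, n, _ in stack if kind == "config")

    for cmd, *args in commands(text):
        top = stack[-1] if stack else ("", "", set())
        if cmd not in KEYWORDS:
            problems.append(f"unknown command {cmd!r}")
        elif cmd == "config":
            stack.append(("config", " ".join(ABBREV.get(a, a) for a in args), set()))
        elif cmd == "edit":
            name = args[0] if args else "?"
            if top[0] != "config":
                problems.append(f"'edit {name}' is not directly inside a config "
                                "block (missing 'config' or 'next')")
            if path() == "system automation-trigger":
                triggers.add(name)
            elif path() == "system automation-action":
                actions.add(name)
            stack.append(("edit", name, set()))
        elif cmd in ("next", "end"):
            want = "edit" if cmd == "next" else "config"
            if top[0] == want:
                stack.pop()
            else:
                problems.append(f"'{cmd}' without a matching '{want}'")
        elif cmd == "set" and args and stack:
            if args[0] in top[2]:
                problems.append(f"{args[0]!r} set twice in {top[1]!r}")
            top[2].add(args[0])
            if path() == "system automation-stitch" and args[0] == "trigger":
                refs.append(("trigger", args[1] if len(args) > 1 else ""))
            elif path() == "system automation-stitch/actions" and args[0] == "action":
                refs.append(("action", args[1] if len(args) > 1 else ""))
    for kind, name, _ in reversed(stack):
        problems.append(f"unclosed {kind} {name!r}")
    for kind, name in refs:
        if name not in (triggers if kind == "trigger" else actions):
            problems.append(f"stitch references unknown {kind} {name!r}")
    return problems


# Constructed sample with the slips this collection is prone to: a typo in the
# verb, a stray `next`, a subject set twice, `edit 2` opened before `edit 1` is
# closed, and a missing final `end`. The script body holds an `end` on purpose.
BROKEN = '''
condfig sys automation-trigger
end
config sys automation-action
    next
    edit "FortiGuardDown_debug"
        set script "diagnose debug rating
end
"
    next
    edit "WebFilterDown_email"
        set email-subject "FortiGuard is unreachable"
        set email-subject "%%log.logdesc%%"
    next
end
config sys automation-stitch
    edit "WebFilterDown_stitch"
        set trigger "WebFilterDown_trigger"
        config actions
            edit 1
                set action "FortiGuardDown_debug"
            edit 2
            next
        end
    next
'''

if __name__ == "__main__":
    print(*lint_fortios(BROKEN), sep="\n")
```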
* Trigger for an interface going down:

----
config system automation-trigger
    edit "Interface_down_trigger"
        set event-type event-log
        set logid 20099
        config fields
            edit 1
                set name "status"
                set value "down"
            next
        end
    next
end
----

* Action to send the email alert (make sure the mail server is configured in `config sys
email-server`):

----
config system automation-action
    edit "InterfaceDown_email"
        set action-type email
        set email-to "admin@yurisk.info"
        set email-from "fgt@yurisk.info"
        set email-subject "Interface went down"
    next
end
----

* The stitch itself:

----
config system automation-stitch
    edit "Interface_went_down_stitch"
        set trigger "Interface_down_trigger"
        config actions
            edit 1
                set action "InterfaceDown_email"
                set required enable
            next
        end
    next
end
----
--------------------------------------------------------------------------------
/Fortigate-automation-stitches/interface-went-up-email-alert.adoc:
--------------------------------------------------------------------------------
= Any of Fortigate interfaces goes up, send an email alert

_Task_: We want to get an email alert on any of the Fortigate interfaces changing
status to _up_.

NOTE: We cannot create a single stitch covering both _up_ and _down_ changes;
a separate stitch is needed for each.
* Trigger for an interface going up:

----
config system automation-trigger
    edit "Interface_up_trigger"
        set event-type event-log
        set logid 20099
        config fields
            edit 1
                set name "status"
                set value "up"
            next
        end
    next
end
----

* Action to send the email alert (make sure the mail server is configured in `config sys
email-server`):

----
config system automation-action
    edit "Interfaceup_email"
        set action-type email
        set email-to "admin@yurisk.info"
        set email-from "fgt@yurisk.info"
        set email-subject "Interface went up"
    next
end
----

* The stitch itself:

----
config system automation-stitch
    edit "Interface_went_up_stitch"
        set trigger "Interface_up_trigger"
        config actions
            edit 1
                set action "Interfaceup_email"
                set required enable
            next
        end
    next
end
----
--------------------------------------------------------------------------------
/Fortigate-automation-stitches/reboot-email-alert.adoc:
--------------------------------------------------------------------------------
= Fortigate undergoing a reboot email alert

_Task_: When a user initiates a reboot, send an email alert with the user's IP and
username.

NOTE: This built-in automation stitch fires *only* when an admin-level
user initiates the reboot via the command `exe reboot` or the GUI `System -> Reboot`,
not when there is an unexpected power outage or someone pulls the power plug.
* Trigger on the reboot event:

----
config system automation-trigger
    edit "Reboot"
        set event-type reboot
    next
end
----

* Action to send the email:

----
config system automation-action
    edit "Reboot_email"
        set action-type email
        set email-to "admin@yurisk.info"
        set email-from "fgt@yurisk.info"
        set email-subject "%%log.logdesc%%"
    next
end
----

* The stitch itself:

----
config system automation-stitch
    edit "Reboot"
        set trigger "Reboot"
        config actions
            edit 1
                set action "Reboot_email"
                set required enable
            next
        end
    next
end
----

NOTE: The only way to test this stitch is to actually reboot the Fortigate.

--------------------------------------------------------------------------------
/Fortigate-automation-stitches/restart-both-ips-and-wad-processes.adoc:
--------------------------------------------------------------------------------
= Restart both IPS and WAD processes to prevent Conserve Mode

_Task_: To prevent memory leaks by these two processes, restart them weekly.
* Create two actions, one to restart each process:

----
config sys automation-action
    edit "WADRestart"
        set action-type cli-script
        set script "diagnose test application wad 99"
        set accprofile "super_admin"
    next
end
----

----
config sys automation-action
    edit "IPSsRestart"
        set action-type cli-script
        set script "diagnose test application ipsmonitor 99"
        set accprofile "super_admin"
    next
end
----

* Create a weekly scheduled trigger, here each Sunday at 02:00 AM:

----
config system automation-trigger
    edit "Weekly_trigger"
        set trigger-type scheduled
        set trigger-frequency weekly
        set trigger-weekday sunday
        set trigger-hour 2
    next
end
----

* Combine the above into an automation stitch:

----
config sys automation-stitch
    edit "ScheduleWADIPSRestart_stitch"
        set trigger "Weekly_trigger"
        config actions
            edit 1
                set action "WADRestart"
                set required enable
            next
            edit 2
                set action "IPSsRestart"
                set required enable
            next
        end
    next
end
----
--------------------------------------------------------------------------------
/Fortigate-automation-stitches/restart-ips-process-daily.adoc:
--------------------------------------------------------------------------------
= Restart IPS process daily

_Task_: We need to restart the `IPS` process daily as a workaround for its memory
leak. The process restart will happen at 02:10 at night.
* Create an action that restarts the IPS process on the CLI:

----
config sys automation-action
    edit "ScheduleipsRestart"
        set action-type cli-script
        set script "diagnose test application ipsmonitor 99"
        set accprofile "super_admin"
    next
end
----

* Create a daily schedule (every day at 02:10 at night):

----
config system automation-trigger
    edit "Daily_trigger"
        set trigger-type scheduled
        set trigger-frequency daily
        set trigger-hour 2
        set trigger-minute 10
    next
end
----

* Stitch to combine the two above:

----
config sys automation-stitch
    edit "ScheduledReboot_stitch"
        set trigger "Daily_trigger"
        config actions
            edit 1
                set action "ScheduleipsRestart"
                set required enable
            next
        end
    next
end
----
--------------------------------------------------------------------------------
/Fortigate-automation-stitches/restart-wad-process-daily.adoc:
--------------------------------------------------------------------------------
= Restart WAD process daily

_Task_: We need to restart the `wad` process daily as a workaround for its memory
leak. The process restart will happen at 02:10 at night.
* Create an action that restarts the WAD process on the CLI:

----
config sys automation-action
    edit "ScheduleWADRestart"
        set action-type cli-script
        set script "diagnose test application wad 99"
        set accprofile "super_admin"
    next
end
----

* Create a daily schedule (every day at 02:10 at night):

----
config system automation-trigger
    edit "Daily_trigger"
        set trigger-type scheduled
        set trigger-frequency daily
        set trigger-hour 2
        set trigger-minute 10
    next
end
----

* Stitch to combine the two above:

----
config sys automation-stitch
    edit "ScheduledReboot_stitch"
        set trigger "Daily_trigger"
        config actions
            edit 1
                set action "ScheduleWADRestart"
                set required enable
            next
        end
    next
end
----
--------------------------------------------------------------------------------
/Fortigate-automation-stitches/schedule-daily-reboot.adoc:
--------------------------------------------------------------------------------
= Schedule daily reboot of Fortigate

_Task_: Reboot the Fortigate daily at 02:00 at night.
* Schedule every day at 02:00 at night as a trigger:

----
config sys automation-trigger
    edit "ScheduledReboot_trigger"
        set trigger-type scheduled
        set trigger-hour 2
        set trigger-minute 0
    next
end
----

* Action to actually reboot the firewall, using the command `exec reboot`:

----
config sys automation-action
    edit "ScheduledReboot"
        set action-type cli-script
        set script "exec reboot"
        set accprofile "super_admin"
    next
end
----

* Stitch to tie all the above together:

----
config sys automation-stitch
    edit "ScheduledReboot_stitch"
        set trigger "ScheduledReboot_trigger"
        config actions
            edit 1
                set action "ScheduledReboot"
                set required enable
            next
        end
    next
end
----
--------------------------------------------------------------------------------
/Fortigate-automation-stitches/schedule-reboot-once.adoc:
--------------------------------------------------------------------------------
= Schedule reboot of Fortigate one time

_Task_: Reboot the Fortigate once, at 02:00 at night.
* Schedule a trigger to run once on 10th of October 2023:

----
config system automation-trigger
    edit "ScheduledReboot_trigger"
        set trigger-type scheduled
        set trigger-frequency once
        set trigger-datetime 2023-10-03 02:00:00
    next
end
----

* Action to actually reboot the firewall, using the command `exec reboot`:

----
config sys automation-action
    edit "ScheduledReboot"
        set action-type cli-script
        set script "exec reboot"
        set accprofile "super_admin"
    next
end
----

* Stitch to tie all the above together:

----
config sys automation-stitch
    edit "ScheduledReboot_stitch"
        set trigger "ScheduledReboot_trigger"
        config actions
            edit 1
                set action "ScheduledReboot"
                set required enable
            next
        end
    next
end
----
--------------------------------------------------------------------------------
/Fortigate-automation-stitches/schedule-weekly-reboot.adoc:
--------------------------------------------------------------------------------
= Schedule weekly reboot of Fortigate

_Task_: Reboot the Fortigate weekly, every Sunday at 02:00 at night.
* Schedule every week on Sunday at 02:00 at night as a trigger:

----
config system automation-trigger
    edit "ScheduledReboot_trigger"
        set trigger-type scheduled
        set trigger-frequency weekly
        set trigger-weekday sunday
        set trigger-hour 2
    next
end
----

* Action to actually reboot the firewall, using the command `exec reboot`:

----
config sys automation-action
    edit "ScheduledReboot"
        set action-type cli-script
        set script "exec reboot"
        set accprofile "super_admin"
    next
end
----

* Stitch to tie all the above together:

----
config sys automation-stitch
    edit "ScheduledReboot_stitch"
        set trigger "ScheduledReboot_trigger"
        config actions
            edit 1
                set action "ScheduledReboot"
                set required enable
            next
        end
    next
end
----
--------------------------------------------------------------------------------
/Fortigate-automation-stitches/specific-interface-went-down-email-alert.adoc:
--------------------------------------------------------------------------------
= When only a given interface goes down, send an email alert

_Task_: We want to get an email alert only when interface _port2_ goes down.
* The trigger for interface _port2_ going down:

----
config sys automation-trigger
    edit "Interface_down_trigger"
        set event-type event-log
        set logid 20099
        config fields
            edit 1
                set name "status"
                set value "down"
            next
            edit 2
                set name "msg"
                set value "Link monitor: Interface port2 was turned down"
            next
        end
    next
end
----

* Action to send the email alert (make sure the mail server is configured in `config sys
email-server`):

----
config system automation-action
    edit "InterfaceDown_email"
        set action-type email
        set email-to "admin@yurisk.info"
        set email-from "fgt@yurisk.info"
        set email-subject "Interface port2 went down"
    next
end
----

* The stitch itself:

----
config system automation-stitch
    edit "Interface_went_down_stitch"
        set trigger "Interface_down_trigger"
        config actions
            edit 1
                set action "InterfaceDown_email"
                set required enable
            next
        end
    next
end
----
--------------------------------------------------------------------------------
/Fortigate-automation-stitches/ssl-vpn-user-login-successful-from-specific-ip-alert-by-email.adoc:
--------------------------------------------------------------------------------
= SSL VPN tunnel up with condition of remote IP address

_Task_: fire an email alert to admin@yurisk.info when a user connects to
the Fortigate by SSL VPN AND connects from IP address 185.242.6.3.
The email alert will contain the full message body of the log.

NOTE: Make sure you have an SMTP mail server configured under
`config system email-server`.

NOTE: Replace _admin@yurisk.info_, _185.242.6.3_ and _fgt@yurisk.info_ with
your own values.
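An event-log trigger with `config fields` fires only when the record's log ID matches `set logid` and every configured field carries exactly the configured value. As an added example that is not part of this repository, the Python below applies that rule to FortiOS log records: the one from the Testing section of this file, plus a constructed interface-status record checked against the interface triggers of this collection. Two assumptions are made: the message ID named by `set logid` is the last six digits of the record's 10-digit `logid` field, and field values are compared as exact strings.

```python
import re

# One record is a run of key=value pairs; values are bare or double-quoted.
# Passed to `diagnose automation test` the quotes are escaped as \", so both
# spellings are accepted.
_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortios_log(line):
    """Parse one FortiOS log record into a dict of field name -> value."""
    line = line.replace('\\"', '"')
    return {k: v.strip('"') for k, v in _PAIR.findall(line)}


def message_id(logid):
    """Map a record's logid (10 digits, e.g. 0101039947) to the message ID a
    trigger's `set logid` names (39947). Assumption drawn from the sample
    record in this file: the last six digits carry the message ID."""
    return int(logid[-6:])


def trigger_fires(trigger, line):
    """True when an event-log trigger matches the record. `trigger` mirrors
    the CLI: {"logid": [ints], "fields": {name: value}}; every configured
    field must be present with exactly that value (assumed exact match)."""
    rec = parse_fortios_log(line)
    if "logid" not in rec or message_id(rec["logid"]) not in trigger["logid"]:
        return False
    return all(rec.get(k) == v for k, v in trigger["fields"].items())


# Record from the Testing section of this file, with the \" escapes removed.
SSLVPN_UP_LOG = (
    'date=2023-02-23 time=09:27:43 eventtime=1677144463207296135 tz="+0000" '
    'logid="0101039947" type="event" subtype="vpn" level="information" '
    'vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" '
    'tunneltype="ssl-tunnel" tunnelid=418623311 remip=185.242.6.3 '
    'tunnelip=172.19.12.1 user="vpnlocal" group="vpnsslgrp" dst_host="N/A" '
    'reason="tunnel established" msg="SSL tunnel established"'
)
# Constructed interface-status record (logid 20099); only the fields the
# interface triggers in this collection inspect are meaningful here.
PORT2_DOWN_LOG = (
    'date=2023-02-23 time=10:00:00 logid="0100020099" type="event" '
    'subtype="system" level="notice" vd="root" '
    'logdesc="Interface status change" status="down" '
    'msg="Link monitor: Interface port2 was turned down"'
)

# Triggers as configured in this collection.
TUNNEL_UP_FROM_IP = {"logid": [39947], "fields": {"remip": "185.242.6.3"}}
ANY_INTERFACE_DOWN = {"logid": [20099], "fields": {"status": "down"}}
PORT2_DOWN = {"logid": [20099], "fields": {
    "status": "down", "msg": "Link monitor: Interface port2 was turned down"}}
CONFIG_CHANGED = {"logid": [44546, 44547], "fields": {}}


def demo():
    """Evaluate the sample records against each trigger; returns case -> bool."""
    other_ip = SSLVPN_UP_LOG.replace("remip=185.242.6.3", "remip=203.0.113.7")
    port3_down = PORT2_DOWN_LOG.replace("port2", "port3")
    return {
        "SSL VPN up from the listed IP": trigger_fires(TUNNEL_UP_FROM_IP, SSLVPN_UP_LOG),
        "SSL VPN up from another IP": trigger_fires(TUNNEL_UP_FROM_IP, other_ip),
        "any interface down, port2": trigger_fires(ANY_INTERFACE_DOWN, PORT2_DOWN_LOG),
        "port2 only, port2 down": trigger_fires(PORT2_DOWN, PORT2_DOWN_LOG),
        "port2 only, port3 down": trigger_fires(PORT2_DOWN, port3_down),
        "config change vs VPN record": trigger_fires(CONFIG_CHANGED, SSLVPN_UP_LOG),
    }


if __name__ == "__main__":
    for case, fired in demo().items():
        print(f"{case:32} {'fires' if fired else 'stays quiet'}")
```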
* Trigger:

----
config system automation-trigger
    edit "TunnelisUpLog"
        set event-type event-log
        set logid 39947
        config fields
            edit 1
                set name "remip"
                set value "185.242.6.3"
            next
        end
    next
end
----

* Action:

----
config system automation-action
    edit "VPNUpEmail"
        set action-type email
        set email-to "admin@yurisk.info"
        set email-from "fgt@yurisk.info"
        set email-subject "FGT AWS VPN SSL tunnel is up"
    next
end
----

* Stitch:

----
config sys automation-stitch
    edit "VPNTunnelUp"
        set trigger "TunnelisUpLog"
        config actions
            edit 1
                set action "VPNUpEmail"
                set required enable
            next
        end
    next
end
----

== Testing
The only way to test this, short of actually connecting by SSL VPN, is to feed the Fortigate a log record
that matches the trigger condition. Run the command below AS IS on the Fortigate CLI, as a
single line, to fire the stitch:

----
diagnose automation test VPNTunnelUp "date=2023-02-23 time=09:27:43 eventtime=1677144463207296135 tz=\"+0000\" logid=\"0101039947\" type=\"event\" subtype=\"vpn\" level=\"information\" vd=\"root\" logdesc=\"SSL VPN tunnel up\" action=\"tunnel-up\" tunneltype=\"ssl-tunnel\" tunnelid=418623311 remip=185.242.6.3 tunnelip=172.19.12.1 user=\"vpnlocal\" group=\"vpnsslgrp\" dst_host=\"N/A\" reason=\"tunnel established\" msg=\"SSL tunnel established\""
----

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2023 Yuri Slobodyanyuk

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without
restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/README.adoc:
--------------------------------------------------------------------------------
= Fortinet-related scripts, tools, syntax highlighting files and such
:toc:

In this repo I collect scripts, automation stitches and various tools I find useful in my work with Fortinet products.
Make sure to watch this repository to get notified on updates. Your stars on the repository, as a sign that you found it useful, are appreciated, thanks.

== Collection of Fortigate automation stitches
This collection is work in progress, and always will be. If you have an idea, or have already implemented an automation
stitch not in the collection, I will be glad to add it for the benefit of all of us - yuri@yurisk.info. Also, if you try some stitch from this repository and things do not work as expected, feel free to open an issue/PR with details.
Disclaimer: I cannot possibly test the contents of this repo on all Fortigate models and FortiOS versions, and cannot guarantee
that it will work on your gear, nor predict all possible outcomes, so test before using in production. All stitches were tested on FortiOS 7.0.x and 7.2.x, and should work as is on 7.4.x as well.

https://github.com/yuriskinfo/Fortinet-tools/tree/main/Fortigate-automation-stitches#collection-of-fortigate-automation-stitches[Collection of Automation Stitches]


== Collection of Fortianalyzer Handlers
Mostly based on the automation stitches above, but not completely. Handlers allow scaling when managing multiple Fortigates, where configuring automation stitches on each one becomes impractical. Fortianalyzer can send notifications/alerts itself, as well as tell a Fortigate to run a pre-configured automation stitch on the Fortigate.
As always, please test before using in production.

https://github.com/yuriskinfo/Fortinet-tools/tree/main/Fortianalyzer-handlers[Fortianalyzer Handlers collection]

== Packet captures done on Fortinet equipment

Collection of .pcap packet captures done on Fortinet products (mostly on Fortigates, but not all), to illustrate labs/experiments I write about in my blog and to give everyone a collection to learn from, about networking in general (BGP on Fortigate is the same BGP as on Cisco/Juniper/etc.) and Fortinet-specific products in particular.
https://github.com/yuriskinfo/Fortinet-tools/tree/main/Wireshark-ready-packet-captures[Wireshark-ready packet captures]


== Custom Fortianalyzer Reports Collection

https://github.com/yuriskinfo/Fortinet-tools/tree/main/Fortianalyzer-custom-reports[Fortianalyzer-custom-reports]
--------------------------------------------------------------------------------
/Wireshark-ready-packet-captures/README.adoc:
--------------------------------------------------------------------------------
= Wireshark-ready packet captures
:toc:

== Description

I collect here packet captures done on Fortinet equipment of different kinds, mostly on Fortigates, but not only.


== BGP

Topology for the packet capture:

image::bgp-topology-1.png[]

Capture was done on FGT1.

FGT1: 13.13.13.1

FGT-BGP: 13.13.13.13

NOTE: Disable rule colorization or it will be all red - a limitation of sniffing in a virtual environment.

link:bgp-initial-session-set-up-exchange-of-updates.pcap[] - After BGP start, the session is established: first the TCP port 179 connection is set up, then BGP OPEN messages are sent by both peers, then the peers exchange UPDATE messages listing their routes (NLRIs).


link:bgp-update-message-followed-by-withdraw-msg.pcap[] - The first packet is from FGT-BGP (13.13.13.13), an UPDATE message telling the peer about a new route (8.8.8.8/32). In the 2nd packet the same FGT-BGP tells FGT1 about the withdrawal of that route (8.8.8.8/32).
--------------------------------------------------------------------------------
/Wireshark-ready-packet-captures/bgp-initial-session-set-up-exchange-of-updates.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuriskinfo/Fortinet-tools/4b62cf100a7928025d5f089dfcf6c98758bfff14/Wireshark-ready-packet-captures/bgp-initial-session-set-up-exchange-of-updates.pcap
--------------------------------------------------------------------------------
/Wireshark-ready-packet-captures/bgp-topology-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuriskinfo/Fortinet-tools/4b62cf100a7928025d5f089dfcf6c98758bfff14/Wireshark-ready-packet-captures/bgp-topology-1.png
--------------------------------------------------------------------------------
/Wireshark-ready-packet-captures/bgp-update-message-followed-by-withdraw-msg.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuriskinfo/Fortinet-tools/4b62cf100a7928025d5f089dfcf6c98758bfff14/Wireshark-ready-packet-captures/bgp-update-message-followed-by-withdraw-msg.pcap
--------------------------------------------------------------------------------