Fortigate Automation and Devops
FortiOS 6.0 introduces Automation Stitches as part of the Security Fabric. Automation Stitches can be used to automate certain actions in response to certain triggers. In addition, Automation Stitches can automate activities between the different components in the Fortinet Security Fabric. This new feature can drastically decrease the response times to security events, operation tasks, and network problems.
This article is part of the series of Fortinet technical articles. In brief, the main configuration components of an automation stitch (Trigger and Action) are reviewed. The configuration methodology is presented and tested via indicative configuration examples. Finally, we will discuss how Indeni can significantly simplify operations and eliminate service outages in parallel with the deployment of automation to the Fortinet Security Fabric.
Are you a network administrator, system engineer, software engineer, Indeni Knowledge Expert (IKE), or tech geek? If yes, then read on! This article is for you!
FortiGate Automation Stitches Methodology
An automation stitch consists of two main components: the trigger and the action(s). The trigger is the condition or event on the FortiGate that activates the action, for instance a specific log message such as a BGP neighbor status change. The action is what the FortiGate does in response to the trigger, e.g. send an email message or run a CLI script. Note that automation stitches can only be created on the root FortiGate in a Security Fabric.
Creating Automation Stitches
Creating an automation stitch requires selecting a trigger event as well as one or more response actions. Most automation stitches can also be test-triggered manually, e.g. by generating a fake log message, so that the stitch can be simulated and verified before a real event occurs. The following default automation stitches are included in FortiOS:
- Compromised Host Quarantine
- Incoming Webhook Quarantine
- HA Failover
- Network Down
- Reboot
- FortiAnalyzer Connection Down
- License Expired Notification
- Security Rating Notification
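The trigger/action/stitch structure described above, expressed in FortiOS 6.0-style CLI as an added illustration (not configuration from the original article): an Event Log trigger bound to an email action. The event log ID, the recipient address and the object names are placeholders or assumptions; look up the log ID for the event you want (e.g. an OSPF or link status change) in the FortiOS log reference for your release.

```fortios
# Added example in FortiOS 6.0-style CLI; values in <...> are placeholders.
# 1. Trigger: fire when a specific FortiOS event log ID is generated
#    (the page's example: OSPF status change or link status messages).
config system automation-trigger
    edit "ospf-neighbor-change"
        set event-type event-log
        # placeholder: replace with the log ID of the event of interest
        set logid <EVENT_LOG_ID>
    next
end
# 2. Action: notify the operations team by email.
config system automation-action
    edit "notify-netops"
        set action-type email
        # placeholder recipient address
        set email-to "<netops@example.com>"
        set email-subject "Automation stitch: OSPF neighbor state changed"
    next
end
# 3. Stitch: bind the trigger to the action. This object must be created
#    on the root FortiGate of the Security Fabric.
config system automation-stitch
    edit "ospf-alert"
        set status enable
        set trigger "ospf-neighbor-change"
        set action "notify-netops"
    next
end
```

Once configured, the stitch can be exercised with the manual test option mentioned above before relying on it for a real event.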
Triggers
A large number of pre-configured triggers are available. The Security Fabric triggers included in FortiOS are:
- Compromised Host
- Security Rating Summary
- FortiAnalyzer Event Handler
- Fabric Connector Event
- FortiGate Cloud-Based IOC
List of system triggers:
- Reboot
- HA Failover
- Conserve Mode
- Configuration Change
- License Expiry
- AV & IPS DB Update
- High CPU
Finally, triggers can also be set for the following cases. In particular, the FortiOS Event Log trigger is commonly used, since any of multiple event log IDs can be selected, e.g. OSPF status change or link status log messages.
- FortiOS Event Log
- Incoming Webhook
- Schedule (very helpful for common operation tasks like configuration backups)
Actions
Multiple actions can be configured for an automation stitch.
Available actions for the Security category:
- Access Layer Quarantine
- FortiClient Quarantine
- FortiNAC Quarantine
- VMware NSX Security Tag
- IP Ban