Created on 06-08-2018 07:06 AM Edited on 12-20-2021 08:15 AM By Anonymous
Description
1. Create login/device association
2. Create Rule from Event
3. Create Remediation script
4. Create Incident Policy containing Rule + Remediation script
Solution
Here is a step by step guide.

1. Create login/device association

Create an SSH credential for the device (enable SNMP on the device).
1.1 Go to Admin > Credentials.
1.2 Click ADD and create an SSH account.
1.3 Associate the device (IP) with the newly created account.
1.4 Once associated, test the login connectivity.
1.5 Now that the login is associated with the device, create rules from the Event.
2. Create Rule from Event
2.1 Go to Analytics > Real-time search or Historical search.
2.2 Fill out the Filter Criteria for the device.
2.3 Once done, create a rule.
2.4 Fill out Pattern Conditions, Notification Frequency, etc.
2.5 Edit Actions (this will generate the Incident view).
2.6 Create a script to associate with the device.
3. Create Remediation script.
3.1 Clone an existing script.
3.2 Edit the script.
3.3 Example of the script /root/test:
    #!/bin/bash
    sudo reboot
3.4 Alternatively, replace the line with the command directly, like:
    cmd = ("check_ssh --host %s --port 22 --timeout 30 --user %s --passwd '%s' --cmd 'sudo reboot'") % (
3.5 Create the incident notification.

4. Create Incident Policy containing Rule + Remediation script
4.1 Create a notification
4.2 Select the script and enforce it for the device IP it needs to be associated with.
4.3 Additionally, an email notification can be added when an event is triggered.
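A guarded version of the remediation script from steps 3.3 and 3.4, added here as an example (not the article's or FortiSIEM's own code): it validates the device IP and user name the incident policy passes in, refuses devices outside an allowlist, logs every decision, and only runs the check_ssh reboot when DRY_RUN=0. The argument layout ($1 = device IP, $2 = SSH user), the REMEDIATION_PASSWD variable and the allowlist addresses are assumptions, not taken from the article.

```shell
#!/bin/sh
# Added example remediation script; not from the original article or from FortiSIEM.
# Assumes the incident policy passes the device IP as $1 and the SSH user as $2,
# and that the SSH password arrives in REMEDIATION_PASSWD (both are assumptions).
ALLOWED_HOSTS="10.0.0.10 10.0.0.11"       # constructed allowlist of devices this rule may reboot
ACTION="sudo reboot"                       # the command the article's script runs on the device
LOGFILE="${LOGFILE:-/tmp/remediation.log}"

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOGFILE"; }

# Accept only a dotted quad with every octet in 0..255.
is_ipv4() {
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Accept only a plain account name, so nothing unexpected reaches the command line.
is_safe_user() { case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac; }

# Only devices named in the allowlist may be acted on by this rule.
is_allowed() {
  for h in $ALLOWED_HOSTS; do [ "$h" = "$1" ] && return 0; done
  return 1
}

# Printable form of the command the article builds; the password is masked for the log.
describe_cmd() {
  printf "check_ssh --host %s --port 22 --timeout 30 --user %s --passwd '***' --cmd '%s'\n" "$1" "$2" "$ACTION"
}

# Exit codes: 0 ok, 2 bad host, 3 host not in allowlist, 4 bad user name.
remediate() {
  host=$1; user=$2
  is_ipv4 "$host"      || { log "rejected: '$host' is not an IPv4 address"; return 2; }
  is_allowed "$host"   || { log "rejected: $host is not in the allowlist"; return 3; }
  is_safe_user "$user" || { log "rejected: unsafe user name"; return 4; }
  log "remediating $host as $user: $(describe_cmd "$host" "$user")"
  if [ "${DRY_RUN:-1}" = 1 ]; then
    describe_cmd "$host" "$user"           # DRY_RUN=1 (the default) only shows what would run
  else
    check_ssh --host "$host" --port 22 --timeout 30 --user "$user" \
      --passwd "${REMEDIATION_PASSWD:?set REMEDIATION_PASSWD}" --cmd "$ACTION"
  fi
}

if [ $# -ge 2 ]; then remediate "$1" "$2"; fi
```

Run it as `DRY_RUN=0 REMEDIATION_PASSWD=... ./remediate.sh 10.0.0.10 admin` once the allowlist holds the devices the rule is meant to cover; the log file keeps a record of every accepted and rejected invocation.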
Copyright 2024 Fortinet, Inc. All Rights Reserved.