FortiGate
sselvam
Staff
Article Id 195745

Description

 

This article describes how to configure automation stitches for the Fortinet Security Fabric.
Each automation pairs an event trigger and one or more actions, which allows for monitoring of the network and taking appropriate action when the Security Fabric detects a threat.
Use automation stitches to detect events from any source in the Security Fabric and apply actions to any destination.


 
In this example, the following automation stitches are created:
Ban a compromised host’s IP address.
Send an email alert when HA failover occurs.
 
In this example, the Security Fabric consists of an edge HA cluster, which is the root FortiGate of the Security Fabric, and three ISFW FortiGates (Accounting, Marketing, and Sales).
The automation stitches are configured on the root FortiGate, and the settings are synchronized to the other FortiGates in the Security Fabric.


Solution
To create the automation stitches:

 

  1. To create a new automation that bans the IP address of a compromised host, go to Security Fabric -> Automation and select 'Create New'.
  2. Set FortiGate to 'All FortiGates'.
  3. Set Trigger to 'Compromised Host'. Set the IOC level threshold to 'High'.
  4. Set Action to 'IP Ban'.


 
  1. Create a second automation that sends an email alert when HA failover occurs.
  2. Set FortiGate to 'Edge-Primary', which is part of the only HA cluster in the Security Fabric.
  3. Set Trigger to 'HA Failover'. Set Action to 'Email'.
  4. Set the Email subject and email address.
     
     
Testing the automation stitches:
 
  1. If the FortiOS version is 6.0.2 or higher, to test the automation stitches go to Security Fabric -> Automation, select the automation, and select 'Test Automation Stitch'.
 
 
  1. If the FortiOS version is 6.0.0 or 6.0.1, use the following instructions to test the automation stitches.
    Instead of testing the automation that blocks compromised hosts, the following steps simulate its effects by manually blocking the IP address of a PC on the network. Go to Security Fabric -> Physical Topology and locate a PC on the network.
    Select the PC and select 'Ban IP'.
      

     
  2. Set Ban Type to 'Temporary'. Set Duration to 30 minutes.
     
     
     
  1. To test the automation for HA failover, go to Edge-Primary. In the administrative drop-down menu, select 'System' -> 'Reboot'.

  2. Set an event log message.
  
Results:
 
  1. If the automation that blocks compromised hosts has been run or simulated, the banned host can no longer access the Internet.
  2. When HA failover occurs, or when the automation is tested, an email similar to the one shown is sent to the email address configured in the automation.