Exploring Event Notification Configuration for FortiGate Devices
FortiOS includes a built-in automation framework that lets you define event-driven workflows directly on the firewall. This post walks through a practical configuration using email alerts, FortiExplorer push notifications, and automated quarantine actions.
- FortiOS automation is built from triggers, actions, and stitches working together.
- Email alerts, mobile push notifications, and host quarantine can all be handled from the firewall itself.
- The same action can be reused across multiple events, which keeps alerting logic cleaner and easier to maintain.
How the Three Objects Work Together
Before looking at the configuration, it helps to understand the relationship between the three FortiOS automation objects.
- automation-trigger watches for a specific event, such as a WAN link going down, a reboot, or a log entry matching a particular log ID
- automation-action defines what happens when the event fires, such as sending an email, pushing a FortiExplorer notification, or quarantining a host
- automation-stitch binds one trigger to one or more actions and controls whether the workflow is enabled or disabled
Email Actions
The following actions define email notifications. The subject lines use FortiOS substitution variables such as %%devname%%, %%log.logdesc%%, %%date%%, and %%time%%.
Default Email
A general-purpose action used as a fallback for events that do not have a dedicated email action.
config system automation-action
edit "Default Email"
set action-type email
set email-to "techitteam@example.com"
set email-subject "%%devname%% %%log.logdesc%% %%date%% %%time%%"
next
end
WAN Network Down / Up Emails
Dedicated email actions for WAN state changes with subject lines designed to stand out quickly in an inbox.
config system automation-action
edit "Network Down WAN Email"
set action-type email
set email-to "techitteam@example.com"
set email-subject "%%devname%% WAN Network DOWN %%date%% %%time%%"
next
edit "Network Up WAN Email"
set action-type email
set email-to "techitteam@example.com"
set email-subject "%%devname%% WAN Network UP %%date%% %%time%%"
next
end
Basic Event Emails
Simple email actions prepared for events that are configured but currently disabled.
config system automation-action
edit "Network Down_email"
set action-type email
set email-subject "Network Down"
next
edit "HA Failover_email"
set action-type email
set email-subject "HA Failover"
next
edit "Reboot_email"
set action-type email
set email-subject "Reboot"
next
end
FortiExplorer Push Notification Actions
In addition to email, several events are configured to push notifications directly to the FortiExplorer mobile app. This is useful when administrators need immediate phone alerts instead of waiting to notice an email.
config system automation-action
edit "FortiAnalyzer Connection Down_ios-notification"
set action-type fortiexplorer-notification
next
edit "License Expired Notification_ios-notification"
set action-type fortiexplorer-notification
next
edit "Security Rating Notification_ios-notification"
set action-type fortiexplorer-notification
next
end
Quarantine Actions
Compromised hosts can be quarantined automatically with two related actions: one at the FortiGate level and one directed to FortiClient on the endpoint.
config system automation-action
edit "Compromised Host Quarantine_quarantine"
set action-type quarantine
next
edit "Compromised Host Quarantine_quarantine-forticlient"
set action-type quarantine-forticlient
next
end
Triggers
Triggers define what event causes a stitch to fire. Log-based triggers match on a log ID and can also filter on specific fields inside the log entry.
WAN Link State (Log ID 20099)
Log ID 20099 is the FortiOS link monitor event. The filters distinguish between WAN-down and WAN-up conditions.
config system automation-trigger
edit "Network Down WAN"
set event-type event-log
set logid 20099
config fields
edit 1
set name "msg"
set value "Link monitor: Interface wan was turned down"
next
end
next
edit "Network Up WAN"
set event-type event-log
set logid 20099
config fields
edit 1
set name "status"
set value "UP"
next
edit 2
set name "msg"
set value "Link monitor: Interface wan was turned up"
next
end
next
end
Admin Login (Log ID 32001)
Fires when a successful administrator login is recorded.
config system automation-trigger
edit "Admin Login"
set event-type event-log
set logid 32001
config fields
edit 1
set name "action"
set value "login"
next
edit 2
set name "status"
set value "success"
next
end
next
end
FortiAnalyzer Connection Down (Log ID 22902)
Fires when the FortiGate loses connectivity to FortiAnalyzer, which matters because offloaded logging may stop working.
config system automation-trigger
edit "FortiAnalyzer Connection Down"
set event-type event-log
set logid 22902
next
end
Built-in Event Triggers
FortiOS also provides event types that do not require explicit log IDs.
config system automation-trigger
edit "HA Failover"
set event-type ha-failover
next
edit "Reboot"
set event-type reboot
next
edit "License Expired Notification"
set event-type license-near-expiry
set license-type any
next
edit "Security Rating Notification"
set event-type security-rating-summary
next
edit "Incoming Webhook Call"
set event-type incoming-webhook
next
end
Stitches — Connecting Triggers to Actions
Stitches bind triggers to actions and determine whether each workflow is active. Several of the examples below are deliberately configured but disabled.
config system automation-stitch
edit "FortiAnalyzer Connection Down"
set trigger "FortiAnalyzer Connection Down"
config actions
edit 1
set action "FortiAnalyzer Connection Down_ios-notification"
next
end
next
edit "License Expired Notification"
set trigger "License Expired Notification"
config actions
edit 1
set action "License Expired Notification_ios-notification"
next
end
next
edit "Security Rating Notification"
set trigger "Security Rating Notification"
config actions
edit 1
set action "Security Rating Notification_ios-notification"
next
end
next
edit "Compromised Host Quarantine"
set status disable
set trigger "Compromised Host Quarantine"
config actions
edit 1
set action "Compromised Host Quarantine_quarantine"
next
edit 2
set action "Compromised Host Quarantine_quarantine-forticlient"
next
end
next
edit "Reboot"
set status disable
set trigger "Reboot"
config actions
edit 1
set action "Default Email"
next
end
next
edit "HA Failover"
set status disable
set trigger "HA Failover"
config actions
edit 1
set action "HA Failover_email"
next
end
next
end
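To make the trigger and stitch semantics concrete, here is an added Python model (not FortiOS code and not part of the original post) that evaluates constructed FortiOS-style log lines against the event-log triggers above and then applies the stitch status. It assumes that field filters are compared exactly and that the trigger's 5-digit logid is the tail of the 10-digit logid field; the WAN Down stitch is constructed here only to show a disabled stitch producing no actions.

```python
import re

# Event-log triggers mirroring the page: a 5-digit log ID plus field filters
# that must ALL match exactly (assumption: FortiOS compares field values exactly).
TRIGGERS = {
    "Network Down WAN": ("20099", {"msg": "Link monitor: Interface wan was turned down"}),
    "Network Up WAN": ("20099", {"status": "UP", "msg": "Link monitor: Interface wan was turned up"}),
    "Admin Login": ("32001", {"action": "login", "status": "success"}),
    "FortiAnalyzer Connection Down": ("22902", {}),
}
# Stitches: trigger name -> (status, actions). The FortiAnalyzer stitch is from the page;
# the WAN Down stitch is constructed here to show that a disabled stitch fires nothing.
STITCHES = {
    "FortiAnalyzer Connection Down": ("enable", ["FortiAnalyzer Connection Down_ios-notification"]),
    "Network Down WAN": ("disable", ["Network Down WAN Email"]),
}
# Constructed sample log lines in FortiOS key="value" form (not captured from a device).
LOGS = [
    'logid="0100020099" type="event" interface="wan" status="DOWN" msg="Link monitor: Interface wan was turned down"',
    'logid="0100020099" type="event" interface="wan" status="UP" msg="Link monitor: Interface wan was turned up"',
    'logid="0100020099" type="event" interface="wan2" status="DOWN" msg="Link monitor: Interface wan2 was turned down"',
    'logid="0100032001" type="event" user="admin" action="login" status="success" msg="Administrator admin logged in successfully"',
    'logid="0100022902" type="event" logdesc="FortiAnalyzer connection down"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line):
    """Split a FortiOS log line into a dict; values may be quoted or bare."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}

def matching_triggers(line, triggers=TRIGGERS):
    """Names of triggers whose log ID and every field filter match the line.
    Assumption: the trigger's 5-digit logid is the tail of the 10-digit logid field."""
    log = parse_log(line)
    msg_id = log.get("logid", "")[-5:]
    return sorted(name for name, (lid, fields) in triggers.items()
                  if lid == msg_id and all(log.get(k) == v for k, v in fields.items()))

def actions_for(line, triggers=TRIGGERS, stitches=STITCHES):
    """Actions that would run for the line: only stitches with status enable contribute."""
    return [action for trig in matching_triggers(line, triggers)
            for status, acts in [stitches.get(trig, ("disable", []))]
            if status == "enable" for action in acts]

if __name__ == "__main__":
    for line in LOGS:
        print(matching_triggers(line), actions_for(line))
```

Note that the third line (interface wan2) matches no trigger because the msg filter names interface wan exactly, which is why the field filter, not just the log ID, decides what fires.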
Summary of Active vs. Disabled Stitches
| Stitch | Action Type | Status |
|---|---|---|
| FortiAnalyzer Connection Down | FortiExplorer push notification | Enabled |
| License Expired Notification | FortiExplorer push notification | Enabled |
| Security Rating Notification | FortiExplorer push notification | Enabled |
| Reboot | Email (Default Email) | Disabled |
| HA Failover | Email (HA Failover_email) | Disabled |
| Compromised Host Quarantine | Quarantine + FortiClient quarantine | Disabled |
Key Log IDs Referenced
| Log ID | Event |
|---|---|
| 20099 | Link monitor interface status change (WAN up/down) |
| 22902 | FortiAnalyzer connection lost |
| 32001 | Administrator login |
Frequently Asked Questions
These are the practical questions people usually have when they first start building FortiGate automation workflows.
What is the simplest way to think about FortiOS automation?
Think of it as three linked parts: a trigger detects an event, an action defines the response, and a stitch connects the two.
Why separate triggers, actions, and stitches instead of combining everything?
Because the separation makes the configuration more reusable. One action, such as a default email alert, can be shared by several triggers.
What is the benefit of FortiExplorer push notifications?
They give administrators immediate mobile alerts without requiring them to notice an email first.
Why keep some stitches disabled?
Disabled stitches let you keep a prepared workflow ready for later without removing the configuration. That is useful for testing, staged rollout, or conditional operational needs.
Why are log IDs important in FortiGate automation?
Because log IDs identify the event type you want to react to. Once you know the correct log ID, you can build a trigger and refine it with field filters.
What is the difference between a general email action and a dedicated one?
A general action works as a reusable fallback, while a dedicated action gives one event a clearer subject line or recipient setup.
When should quarantine actions be enabled?
Usually only after careful validation. Automated quarantine can be valuable, but it should be trusted only after you are confident the triggering conditions are accurate enough.
What is the practical starting point for monitoring a new FortiGate event?
First identify the relevant FortiOS log ID, then build a trigger around it, then choose the action or actions that should run when it fires.
Conclusion
The FortiGate automation framework covers a wide range of operational needs inside one reusable model, from email alerts on WAN events to mobile push notifications and automated quarantine.
The trigger-action-stitch design keeps each concern separate and reusable. The same email action can support multiple events, and individual stitches can be enabled or disabled without deleting the surrounding configuration.
For new events, the starting point is usually the same: identify the right FortiOS log ID, decide what fields matter, and then connect the trigger to the response you actually want.