help with fortigate automation
Posted by Sa77if@reddit | sysadmin | 3 comments
I am trying to set up an automation to send an email whenever the WAN link is down.
The email notification is fixed; I tested it with a failed admin login and I received the email successfully.
This is my automation for network down:
Trigger:
FortiOS Event Log
event: Interface link status changed
field: status, value: down
Action: I used the same email notification used in admin login
I can see the log when interface changes as follows:
Log Description: Interface status changed
Action: interface-stat-change
Status: DOWN
Security Level: Warning
Event Message: Link monitor: Interface port1 was turned down
and no email is sent!
Thanks in advance
Advanced_Vehicle_636@reddit
What's performing the function of sending you the email? The FortiGate itself? If so, that's never going to work unless you have SDWAN or BGP. A FortiGate that has lost its WAN connection isn't capable of sending emails to external servers.
You would need to either enable SDWAN/BGP or tie the monitoring into something that isn't reliant on a dead WAN connection to send your email (i.e., FortiMonitor, or a SaaS-based application like Zabbix, Nagios, or equivalent). At which point one of two things could trigger an outage notification:
Sa77if@reddit (OP)
I have sd-wan, I wouldn’t expect email to be sent otherwise
Advanced_Vehicle_636@reddit
Fair enough. You didn't specify whether you were using SDWAN. I had a look at my own FortiGate. There are a couple of things to note.
For you specifically... you have your event trigger set to "Interface link status changed". The event value in your logs is "Interface status changed". They are different events. That's why your test isn't working.
Your trigger could probably be both. It's also worth noting how those lines are actually attached and how they might fail. For example, the FortiGate I use at my house is PPPoE authenticated. If I had SDWAN (and wanted a notification), I could use 20006 (LOG_ID_PPP_LINK_DOWN) or possibly 29003 (LOG_ID_PPPD_AUTH_FAIL).
Where does this translate for you? Event ID 22930 might be useful in alerting you to SDWAN health issues (very broad - this could be "online" but failing SLAs like jitter, ping, etc.) 22931 will fire on up/down transitions. 22939 might also be used. (These are SD-WAN specific IDs for FortiOS 7.4.11). There are probably others.
22931 - LOG_ID_EVENT_VWL_SLA_INFO_WARNING | FortiGate / FortiOS 7.4.11 | Fortinet Document Library
Are you trying to solve for a recent outage? If so, (and assuming you still have the outage logs) look at what event IDs actually fired that might make more sense.
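Added example, not part of the thread or of any commenter's post: a Python sketch of the last suggestion, tallying which events fired during an outage window in exported event logs and checking whether a trigger's event name matches any of them. The log lines, timestamps, `LOGID-A`/`LOGID-B` placeholders and function names are constructed, and the key=value layout is an assumption about the raw log export.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in key=value style; logid values are placeholders, not real IDs.
SAMPLE = '''\
date=2025-01-09 time=22:00:00 logid="LOGID-A" type="event" level="warning" logdesc="Interface status changed" action="interface-stat-change" status="DOWN" msg="Link monitor: Interface port1 was turned down"
date=2025-01-10 time=03:14:07 logid="LOGID-A" type="event" level="warning" logdesc="Interface status changed" action="interface-stat-change" status="DOWN" msg="Link monitor: Interface port1 was turned down"
date=2025-01-10 time=03:14:41 logid="LOGID-A" type="event" level="warning" logdesc="Interface status changed" action="interface-stat-change" status="UP" msg="Link monitor: Interface port1 was turned up"
date=2025-01-10 time=03:20:00 logid="LOGID-B" type="event" level="alert" logdesc="Admin login failed" action="login" status="failed" msg="constructed message"
'''

PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')
FMT = "%Y-%m-%d %H:%M:%S"

def parse_line(line):
    """Turn one key=value log line into a dict, dropping quotes around values."""
    return {k: (inner if raw.startswith('"') else raw)
            for k, raw, inner in PAIR.findall(line)}

def events_in_window(text, start, end):
    """Yield parsed entries whose date/time fall inside [start, end]."""
    lo, hi = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    for line in text.splitlines():
        rec = parse_line(line)
        if "date" not in rec or "time" not in rec:
            continue  # not a log entry (blank line, header, truncated row)
        if lo <= datetime.strptime(rec["date"] + " " + rec["time"], FMT) <= hi:
            yield rec

def tally(text, start, end):
    """Count entries per (logid, logdesc): what actually fired in the window."""
    return Counter((r.get("logid", "?"), r.get("logdesc", "?"))
                   for r in events_in_window(text, start, end))

def trigger_matches(text, start, end, event_name):
    """Count entries whose logdesc equals the event name chosen in the trigger."""
    return sum(1 for r in events_in_window(text, start, end)
               if r.get("logdesc") == event_name)

if __name__ == "__main__":
    window = ("2025-01-10 03:00:00", "2025-01-10 03:30:00")
    for (logid, desc), n in tally(SAMPLE, *window).most_common():
        print(f"{n:3d}  {logid:8s}  {desc}")
    for name in ("Interface link status changed", "Interface status changed"):
        print(f"{name!r}: {trigger_matches(SAMPLE, *window, name)} matching entries")
```

A trigger event name that shows zero matching entries for a known outage window is the mismatch described in the reply above.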