Fortigate Config Change Notification

Whenever a configuration change is made, the FortiGate posts a notification to a Slack channel.

Fortigate automation is composed of three elements:

  1. automation trigger … available triggers: HA Failover, Config change, Log, IOC, High CPU, Conserve mode
  2. automation action … available actions: Email, IP Ban, AWS Lambda, Webhook
  3. automation stitch … a combination of one trigger and one action

I create a Google Cloud Function that will:

  1. Receive webhook from Fortigate
  2. Post message at Slack channel

1. Create a program for Google Cloud Function

In order to create the Google Cloud Function, I need to create three files locally.

  • requirements.txt … Additional libraries to be installed for the runtime.
  • slack.py … Utility Python code that acts as an interface to Slack
  • main.py … Receives the request and posts the message to Slack using slack.py

Once created, compress them into one zip file. I name it “archive.zip” here.
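The following is an added example of what main.py can look like; it is not the code from the original post. It folds the Slack interface into the same file instead of a separate slack.py, and talks to Slack's chat.postMessage API with the standard library only, so requirements.txt can stay empty. Everything named here is an assumption of this example: the environment variables SLACK_CHANNEL and WEBHOOK_SECRET (SLACK_TOKEN is the one from the post), the header X-Webhook-Secret that the FortiGate webhook action must send, and the JSON keys devname, eventtype, user and msg, which depend on how you template the webhook body in the automation action.

```python
# main.py (added example): Google Cloud Function, HTTP trigger.
# Receives the FortiGate automation webhook and forwards it to Slack.
import hmac
import json
import os
import urllib.request

SLACK_API_URL = "https://slack.com/api/chat.postMessage"


def format_slack_message(payload, channel):
    """Turn the webhook JSON body into a Slack chat.postMessage body.

    The keys read here (devname, eventtype, user, msg) are an assumption:
    FortiGate lets you template the webhook body in the automation action,
    so match them to whatever you put there.
    """
    device = payload.get("devname", "unknown-device")
    event = payload.get("eventtype", "config-change")
    user = payload.get("user", "unknown-user")
    detail = payload.get("msg", "")
    text = f":warning: FortiGate *{device}*: {event} by `{user}`"
    if detail:
        text += f"\n> {detail}"
    return {"channel": channel, "text": text, "mrkdwn": True}


def post_to_slack(body, token, opener=urllib.request.urlopen):
    """Call chat.postMessage with a bot token; `opener` is injectable for tests."""
    req = urllib.request.Request(
        SLACK_API_URL,
        data=json.dumps(body).encode("utf-8"),
        headers={
            "Content-Type": "application/json; charset=utf-8",
            "Authorization": f"Bearer {token}",
        },
        method="POST",
    )
    with opener(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def process_webhook(headers, payload, env, sender=post_to_slack):
    """Core logic, kept separate from the Flask request so it is unit-testable.

    Returns (http_status, text). A Cloud Function URL is reachable from the
    whole internet, so requests that do not carry the shared secret
    (header name X-Webhook-Secret is this example's choice) are rejected
    before anything is posted to the channel.
    """
    secret = env.get("WEBHOOK_SECRET", "")
    presented = headers.get("X-Webhook-Secret", "")
    if not secret or not hmac.compare_digest(secret, presented):
        return 403, "forbidden"
    if not isinstance(payload, dict):
        return 400, "expected a JSON object"
    body = format_slack_message(payload, env.get("SLACK_CHANNEL", "#fortigate"))
    result = sender(body, env["SLACK_TOKEN"])
    if not result.get("ok"):
        return 502, f"slack error: {result.get('error', 'unknown')}"
    return 200, "ok"


def fortigate_to_slack(request):
    """Cloud Functions HTTP entry point (`request` is a flask.Request)."""
    status, text = process_webhook(
        request.headers, request.get_json(silent=True), os.environ
    )
    return text, status
```

Deploy with `fortigate_to_slack` as the entry point. The shared secret is the piece the post does not cover: without it, anyone who discovers the function URL can push arbitrary text into the channel, so set WEBHOOK_SECRET on the function and send the same value as a header from the FortiGate webhook action.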

2. Deploy Google Cloud Function

From the Console, navigate to Cloud Functions and deploy a new function. Note that I set an environment variable “SLACK_TOKEN”; you have to obtain your own token to post messages to Slack. The other environment variables can be any value you want.

Check that no error log is recorded, and confirm the deployment is ready.

3. Configure Fortigate for notification

Again, please note this function is only available on FortiOS 6.0 or later, and as usual these new features change a lot from version to version. Please check the appropriate manual before configuration.


Test

It’s time to test. You can log in to the FortiGate either via SSH or via the web UI. Once you have made changes, you need to log out (or wait for the session timeout), because the FortiGate only logs configuration changes after the current session terminates.

When a configuration change occurs on the FortiGate, it automatically notifies Slack. This feature uses the automation function implemented in FortiOS 6.0 and later.