A brute force attack started. The FortiGate IPS rule triggered. Automation Stitch fired and sent an email. Your phone was on silent. Nobody found out until morning.
FortiGate is one of the most widely deployed enterprise firewalls in the world. The Automation Stitch feature provides a powerful event-action engine — but voice phone calls are not among the default action options.
What Is FortiGate Automation Stitch?
Automation Stitch is the mechanism that automatically triggers an action when a specific event occurs on FortiGate. It consists of two components: a Trigger and an Action.
Supported trigger examples:
- IPS Signature match
- FortiOS Event Log entries
- CPU or memory threshold exceeded
- VPN tunnel down
- Interface down
- Compromised Host detected
Supported default action options:
- Send email
- Run CLI script
- Webhook (HTTP POST)
- IP ban
- Quarantine
Can FortiGate Send a Voice Alert?
Not by default — but yes, via Webhook Action.
The Webhook Action in Automation Stitch sends an HTTP POST request to an external service when an event fires. When that request is pointed at the Alertalk API, your defined numbers are called and the event details are read out using AI-powered TTS.
How it works: FortiGate Trigger → Automation Stitch → Webhook Action → Alertalk API → Phone Call
Which FortiGate Events Need Voice Notification?
| Event | Severity | Why Voice? |
|---|---|---|
| IPS attack detected | High | Active attack, response needed within minutes |
| Brute force attempt | High | Risk of credential compromise |
| VPN tunnel down | Medium-High | Remote access lost |
| Compromised Host detected | Critical | Active threat inside the network |
| Interface down | Medium | Service disruption risk |
| High CPU usage | Medium | DDoS or resource exhaustion |
Some of these can wait until morning. But IPS detections, brute force attempts and Compromised Host events are active security incidents — they require immediate attention.
Why Is Email Not Enough?
In security events, time is critical. Waiting for an email notification while an attack is active means allowing the incident to progress.
In environments without a SOC team — which covers most SMBs and mid-size organizations — the first person to notice a nighttime security alarm should not be the customer. A voice call closes that gap.
FortiGate also generates a high volume of logs in daily operation. Email notifications eventually cause alert fatigue — teams start ignoring them. When voice calls are reserved only for genuinely critical events, that problem disappears.
Who Is This For?
System administrators, network security teams and MSP companies running FortiGate deployments benefit most from this setup. For organizations without a 24/7 SOC, voice alerts provide a critical layer for catching nighttime security events.
In enterprise environments this gap can be addressed with FortiAnalyzer and SIEM integration — but those solutions require additional licensing, complex setup and significant cost. With Automation Stitch and Alertalk, the same core outcome can be achieved much faster and at a fraction of the cost.
Setting Up Alertalk with FortiGate
The setup on the FortiGate side is a single Automation Stitch configuration. You add the Alertalk endpoint as a Webhook Action, select your trigger, and activate the stitch. For the step-by-step guide with screenshots:
FortiGate Integration Documentation
The guide covers:
- Creating a webhook key in Alertalk
- Defining the Automation Action in FortiGate
- Configuring the trigger and creating the stitch
- Verifying with a test trigger