Alert emails are used to notify administrators about events on the FortiGate device, allowing a quick response to any issues.

There are two methods that can be used to configure email alerts:

The FortiGate has a default SMTP server,, that provides secure mail service with SMTPS. It is used for all emails that are sent by the FortiGate, including alert emails, automation stitch emails, and FortiToken Mobile activations. You can also configure a custom email service.

To configure a custom email service in the GUI:
  1. Go to System > Settings.

  2. In the Email Service section, enable Use custom settings.

  3. Configure the following settings:

    SMTP Server

    Enter the address or name of the SMTP server, such as


    If required, select Specify and enter a specific port number. The default is port 465.


    If required by the email server, enable authentication.

    If enabled, enter the Username and Password.

    Security Mode

    Set the security mode: None, SMTPS, or STARTTLS.

    Default Reply To

    Optionally, enter the reply to email address, such as [email protected].

    This address will override the from address that is configured for an alert email.

  4. Click Apply.

To configure a custom email service in the CLI:
config system email-server
    set reply-to "[email protected]"
    set server ""
    set port 465
    set authenticate enable
    set username "fortigate"
    set password **********
    set security smtps

Automation stitches

Automation stitches can be configured to send emails based on a variety of triggers, giving you control over the events that cause an alert, and who gets alerted. For more information, see Automation stitches.

In this example, the default mail service sends an email to two recipients when there is a configuration change or an Admin login failed event occurs.

To configure the automation stitch in the GUI:
  1. On the root FortiGate, go to Security Fabric > Automation and click Create New.

  2. Enter a name for the stitch, such as Admin Fail.

  3. In the Trigger section, select FortiOS Event Log.

  4. Click in the Event field, and in the slide out pane, search for and select Admin login failed.

  5. In the Action section, select Email.

  6. Configure the Email settings:

    1. In the To field, click the plus icon, then enter the two email recipients’ addresses, such as [email protected] and [email protected].

    2. Enter the Email subject, such as Admin log in failed.

    3. Edit the Email body as required. By default, the email body will include all the fields from the log event that triggered the stitch.

  7. Click OK.

  8. Create a second stitch, selecting Configuration Change as the trigger.

To configure the automation stitch in the CLI:
  1. Create automation actions to send the email messages:

    config system automation-action
        edit "Config Change_email"
            set action-type email
            set email-to "[email protected]" "[email protected]"
            set email-subject "Configuration Change Detected"
        edit "Admin Fail_email"
            set action-type email
            set email-to "[email protected]" "[email protected]"
            set email-subject "Admin log in failed"
  2. Create the automation triggers:
    config system automation-trigger
        edit "Config Change"
            set event-type config-change
        edit "Admin Fail"
            set event-type event-log
            set logid 32002
  3. Create the automation stitches:

    config system automation-stitch
        edit "Config Change"
            set trigger "Config Change"
            set action "Config Change_email"
        edit "Admin Fail"
            set trigger "Admin Fail"
            set action "Admin Fail_email"

Alert emails

When configuring an alert email, you can define the threshold when an issue becomes critical and requires attention. When the threshold is reached, an email is sent to up to three recipients on the configured schedule to notify them of the issue.

In this example, the FortiGate is configured to send email messages to two addresses, [email protected] and [email protected], every two minutes when multiple intrusions, administrator log in or out events, or configuration changes occur.

To configure an alert email in the GUI:
  1. Go to Log & Report > Email Alert Settings and enable Enabled.

  2. Configure the following:


    Enter the name in the From field of the message: [email protected].


    Enter the two addresses that the message is sent to: [email protected] and [email protected]

    Alert parameter

    Send the alert based on specific events (category), as opposed to the severity (threshold).


    Set the interval between messages to 2 minutes.


    Enable Intrusion detected (IPS-logs).


    Enable Administrator login/logout (admin-login-logs) and Configuration change (configuration-changes-logs).

  3. Click Apply.

To configure an alert email in the CLI:
config alertemail setting
    set username [email protected]
    set mailto1 [email protected]
    set mailto2 [email protected]
    set filter-mode category
    set email-interval 2
    set IPS-logs enable
    set configuration-changes-logs enable
    set admin-login-logs enable

For more information on the available CLI commands, see Configure alert email settings.