Add Subnet to Event Handler#

Configure subnet-based event triggering for automated incident response.

✅ All code examples tested: Verified against FortiAnalyzer v7.4.8, v7.6.4, v8.0.0.

Overview#

This endpoint adds subnet-based triggers to event handlers - useful for:

  • Creating network-segmented event monitoring

  • Configuring location-specific automated responses

  • Setting up subnet-aware security alerting

  • Implementing zone-based incident escalation

  • Managing distributed network event handling

Event handlers can be configured to trigger only for events originating from or destined to specific subnets, enabling precise network-based automation rules.

Endpoint Details#

  • Method: POST

  • URL: /jsonrpc

  • API Path: /eventmgmt/adom/{adom}/config/trigger/{eid}/subnet

  • ADOM Support: Yes

  • Requires Authentication: Yes

  • Minimum Version: 7.4.0

Request Example#

{
    "method": "add",
    "params": [{
        "url": "/eventmgmt/adom/root/config/trigger/1/subnet",
        "data": {
            "subnet": "10.10.100.0/24",
            "description": "Production DMZ subnet"
        }
    }],
    "session": "{{session_id}}",
    "id": 1
}

Response Example#

{
    "result": [{
        "data": {},
        "status": {
            "code": 0,
            "message": "OK"
        },
        "url": "/eventmgmt/adom/root/config/trigger/1/subnet"
    }],
    "session": "{{session_id}}",
    "id": 1
}

Complete Python Example#

import requests


def add_subnet_to_event_handler(session_id, adom, event_handler_id, subnet,
                                description="", base_url="https://faz.example.com",
                                verify=True, timeout=30):
    """
    Add subnet trigger to event handler

    Args:
        session_id: Active session ID
        adom: ADOM name
        event_handler_id: Event handler ID (integer)
        subnet: Subnet in CIDR notation (e.g., "10.0.0.0/24")
        description: Optional description of subnet
        base_url: FortiAnalyzer base URL, no trailing slash
        verify: TLS verification. Keep True, or pass the path to your CA
                bundle. Do not disable it against a production appliance:
                the session ID in the request is a bearer credential and
                the request body changes security configuration.
        timeout: Request timeout in seconds

    Returns:
        bool: True if successful

    Raises:
        RuntimeError: if the API returns a non-zero status code
    """
    url = f"{base_url}/jsonrpc"

    payload = {
        "method": "add",
        "params": [{
            "url": f"/eventmgmt/adom/{adom}/config/trigger/{event_handler_id}/subnet",
            "data": {
                "subnet": subnet,
                "description": description or f"Subnet {subnet}"
            }
        }],
        "session": session_id,
        "id": 1
    }

    response = requests.post(url, json=payload, verify=verify, timeout=timeout)
    response.raise_for_status()  # transport-level failure (HTTP 4xx/5xx)
    result = response.json()

    # The JSON-RPC status code, not the HTTP code, tells you whether the add succeeded
    status = result['result'][0]['status']
    if status['code'] == 0:
        print(f"✓ Added subnet '{subnet}' to event handler {event_handler_id}")
        return True
    raise RuntimeError(f"API error {status['code']}: {status['message']}")

# Example: Add DMZ subnet to critical event handler
add_subnet_to_event_handler(
    session_id="your_session_id",
    adom="root",
    event_handler_id=1,
    subnet="10.10.100.0/24",
    description="Production DMZ subnet"
)

Use Cases#

Configure Zone-Based Alerting#

# Different event handlers for different network zones
# 'session' is the session ID returned by your login call
session = "your_session_id"

network_zones = {
    1: {  # Critical handler
        "subnets": ["10.10.100.0/24", "10.10.200.0/24"],
        "description": "DMZ and production subnets"
    },
    2: {  # Medium handler
        "subnets": ["192.168.10.0/24", "192.168.20.0/24"],
        "description": "Internal corporate networks"
    },
    3: {  # Low handler
        "subnets": ["172.16.0.0/16"],
        "description": "Guest and IoT networks"
    }
}

for handler_id, config in network_zones.items():
    for subnet in config['subnets']:
        add_subnet_to_event_handler(
            session_id=session,
            adom="root",
            event_handler_id=handler_id,
            subnet=subnet,
            description=config['description']
        )
        print(f"✓ Handler {handler_id}: Added {subnet}")

Multi-Site Security Monitoring#

# Configure subnet-based event handlers for distributed sites
# Reuses 'session' and add_subnet_to_event_handler() from above
sites = {
    "HQ": ["10.0.0.0/16"],
    "Branch_Office_1": ["10.1.0.0/16"],
    "Branch_Office_2": ["10.2.0.0/16"],
    "Cloud_DMZ": ["172.31.0.0/16"]
}

for site_name, subnets in sites.items():
    for subnet in subnets:
        add_subnet_to_event_handler(
            session_id=session,
            adom="root",
            event_handler_id=1,
            subnet=subnet,
            description=f"{site_name} network"
        )
        print(f"✓ {site_name}: Added {subnet}")

High-Value Asset Monitoring#

# Monitor specific subnets containing critical infrastructure
# Reuses 'session' and add_subnet_to_event_handler() from above
critical_subnets = [
    ("10.10.10.0/28", "Database servers"),
    ("10.10.20.0/28", "Domain controllers"),
    ("10.10.30.0/28", "Payment processing systems"),
    ("10.10.40.0/28", "Management network")
]

for subnet, desc in critical_subnets:
    add_subnet_to_event_handler(
        session_id=session,
        adom="root",
        event_handler_id=1,
        subnet=subnet,
        description=desc
    )
    print(f"✓ Monitoring: {desc} ({subnet})")

Best Practices#

💡 Tip: Use specific subnet masks (e.g., /24, /28) rather than broad ranges so that a handler fires only for the segments it is meant to cover; a /8 on a critical handler turns every noisy host in the organisation into a critical event.

💡 Tip: Add descriptive labels to subnet entries to make event handler configurations self-documenting and easier to audit.

⚠️ Warning: Overlapping subnets in different event handlers may cause duplicate event processing, and make it hard to tell afterwards which handler acted on a given event. Keep subnet assignments mutually exclusive across handlers where possible, and check a planned set of assignments for overlaps before sending the add calls.
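Both the mask tip and the overlap warning can be enforced before anything is sent to the appliance. The following added example (not part of the FortiAnalyzer documentation or of this page's own code) validates a planned handler-to-subnet map with Python's `ipaddress` module and only then builds the JSON-RPC `add` calls for the endpoint above; the prefix-length thresholds in `MIN_PREFIXLEN`, the function names `check_assignments` and `build_add_requests`, and the sample plans are assumptions constructed for the example.

```python
import ipaddress
import json
from typing import Dict, List, Optional

# Assumed thresholds (not from the FortiAnalyzer docs): refuse anything
# broader than /16 for IPv4 or /48 for IPv6, in the spirit of the
# "use specific masks" tip. Tune these to your own address plan.
MIN_PREFIXLEN = {4: 16, 6: 48}


def check_assignments(assignments: Dict[int, List[str]]) -> List[str]:
    """Return human-readable problems with a plan; an empty list means it is clean.

    assignments maps event handler ID -> list of CIDR strings. Checks:
    strict CIDR parsing (host bits must be zero), minimum prefix length,
    duplicate subnets within one handler, and overlaps across handlers.
    """
    problems: List[str] = []
    parsed = []  # (handler_id, network) for every subnet that parsed
    for handler_id, subnets in assignments.items():
        seen = set()
        for subnet in subnets:
            try:
                # strict=True rejects e.g. "10.0.5.1/24" instead of silently masking it
                net = ipaddress.ip_network(subnet, strict=True)
            except ValueError as exc:
                problems.append(f"handler {handler_id}: invalid subnet {subnet!r} ({exc})")
                continue
            if net.prefixlen < MIN_PREFIXLEN[net.version]:
                problems.append(
                    f"handler {handler_id}: {net} is broader than /{MIN_PREFIXLEN[net.version]}")
            if net in seen:
                problems.append(f"handler {handler_id}: duplicate subnet {net}")
            seen.add(net)
            parsed.append((handler_id, net))

    # Overlap across *different* handlers is what causes duplicate processing.
    # ip_network.overlaps() returns False for mixed IPv4/IPv6 pairs, so no
    # special casing is needed there.
    for i, (ha, na) in enumerate(parsed):
        for hb, nb in parsed[i + 1:]:
            if ha != hb and na.overlaps(nb):
                problems.append(f"handler {ha}: {na} overlaps handler {hb}: {nb}")
    return problems


def build_add_requests(adom: str, assignments: Dict[int, List[str]], session_id: str,
                       descriptions: Optional[Dict[int, str]] = None,
                       first_id: int = 1) -> List[dict]:
    """Build one JSON-RPC 'add' body per (handler, subnet) for POST /jsonrpc.

    Refuses to build anything if check_assignments() reports a problem, so a
    bad plan fails before the first request rather than half way through.
    """
    problems = check_assignments(assignments)
    if problems:
        raise ValueError("refusing to build requests:\n  " + "\n  ".join(problems))
    descriptions = descriptions or {}
    calls = []
    req_id = first_id
    for handler_id, subnets in assignments.items():
        for subnet in subnets:
            calls.append({
                "method": "add",
                "params": [{
                    "url": f"/eventmgmt/adom/{adom}/config/trigger/{handler_id}/subnet",
                    "data": {
                        "subnet": subnet,
                        "description": descriptions.get(handler_id, f"Subnet {subnet}"),
                    },
                }],
                "session": session_id,
                "id": req_id,  # distinct id per call makes responses easy to correlate
            })
            req_id += 1
    return calls


if __name__ == "__main__":
    # Constructed sample plans; nothing here is sent over the network.
    clean_plan = {1: ["10.10.100.0/24", "10.10.200.0/24"], 2: ["192.168.10.0/24"]}
    for call in build_add_requests("root", clean_plan, "your_session_id",
                                   {1: "DMZ and production", 2: "Corporate LAN"}):
        print(json.dumps(call))

    bad_plan = {1: ["10.0.0.0/16"], 2: ["10.0.5.0/24", "10.0.5.1/24"]}
    for problem in check_assignments(bad_plan):
        print("PROBLEM:", problem)
```

Each returned body is exactly the request shape shown in the Request Example above, so it can be handed to `requests.post(url, json=call, verify=True, timeout=30)` one at a time; the only difference from the single-call function is that the `id` field increments, which lets you match each response to the subnet it was for.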