Technical Tip: API error 403 about the refused request in multi-VDOM environment
| Description | This article describes why API error 403 occurs in a multi-VDOM environment. When an API client sends a request to the URL '/api/v2/monitor/system/status' with the parameter 'vdom=<VDOM name>' to retrieve VDOM-specific status information, the FortiGate sometimes refuses the request and returns API error 403. API error 403 indicates that the API server received the request from the API client but refused to process it.
root@ted:/home/ted/Desktop# curl -k -X GET "https://<FGT IP>:443/api/v2/monitor/system/status?vdom=vd1&access_token=<api token>" -H "accept: application/json"
{ "http_method":"GET",
If the API client sends the request again with the parameter 'global=1', the FortiGate returns status information for the root VDOM only.
root@ted:/home/ted/Desktop# curl -k -X GET "https://<FGT IP>:443/api/v2/monitor/system/status?global=1&access_token=<api token>" -H "accept: application/json"
[{ "http_method":"GET", }, |
| Scope | FortiGate. |
| Solution | Add the VDOMs, such as 'vd1' and 'vd2', to 'api_admin' in the api-user account. Edit the Admin Profile for the REST API Admin so that it has read-write permissions.
config system api-user
    edit "api_admin"
        set comments ''
    next
end
Once the VDOMs are added to the user account and the Admin Profile has read-write permissions, the API server returns status information for the root, vd1, and vd2 VDOMs.
root@ted:/home/ted/Desktop# curl -k -X GET "https://<FGT IP>:443/api/v2/monitor/system/status?global=1&access_token=<api token>" -H "accept: application/json"
"model_name":"FortiGate", }, "model_name":"FortiGate", }, "model_name":"FortiGate", },
|
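The check below is an added example, not part of the original article or Fortinet code: it compares the VDOMs an API token is expected to reach with what the status endpoint actually serves, flagging the 403 and root-only cases described above. The function names are hypothetical; it assumes each response object names its VDOM in a "vdom" key and that the token is accepted in an Authorization: Bearer header instead of the 'access_token' URL parameter.

```python
import json
import ssl
import urllib.error
import urllib.request

STATUS_PATH = "/api/v2/monitor/system/status"  # endpoint used in this article


def http_probe(host, token, cafile=None):
    """Return probe(query) -> (http_code, parsed_json_or_None) for one FortiGate."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the certificate, unlike curl -k

    def probe(query):
        req = urllib.request.Request(
            f"https://{host}{STATUS_PATH}?{query}",
            # Token sent as a Bearer header so it stays out of URLs and access logs.
            headers={"Accept": "application/json", "Authorization": f"Bearer {token}"},
        )
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
                return resp.status, json.loads(resp.read())
        except urllib.error.HTTPError as err:
            return err.code, None  # 403 here means the request was refused

    return probe


def audit_token_scope(expected_vdoms, probe):
    """Compare the VDOMs a token should reach with what the API actually serves."""
    refused = [v for v in expected_vdoms if probe(f"vdom={v}")[0] == 403]
    body = probe("global=1")[1]
    entries = body if isinstance(body, list) else [body] if isinstance(body, dict) else []
    # Assumption: each per-VDOM object in the response names its VDOM in a "vdom" key.
    served = {e.get("vdom") for e in entries if isinstance(e, dict)}
    missing = [v for v in expected_vdoms if v not in served]
    return {"refused": refused, "missing_from_global": missing}


def constructed_probe(query):
    """Constructed stand-in for a token scoped to root only (the failing case above)."""
    if query == "global=1":
        return 200, [{"http_method": "GET", "vdom": "root"}]
    return (200, {"http_method": "GET", "vdom": "root"}) if query == "vdom=root" else (403, None)


if __name__ == "__main__":
    print(audit_token_scope(["root", "vd1", "vd2"], constructed_probe))
```

Against a real device, pass `http_probe("<FGT IP>", "<api token>", cafile=...)` as the probe; any VDOM listed under "refused" or "missing_from_global" is one the api-user account is not yet scoped for.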
