Technical Tip: Existing API Users on FortiGate Encounter 403 Error 'Wrong vdom' During Authentication
| Description | This article describes an issue where existing API users on FortiGate are unable to make API calls to the device and receive the HTTP 403 error 'Wrong vdom' after a firmware upgrade to v7.4.5. |
| Scope | FortiGate v7.4.5. |
Solution:

API login fails with the HTTP 403 error 'Wrong vdom' after upgrading to FortiOS v7.4.5 on a FortiGate running in non-VDOM mode. The following debug commands and output illustrate the error:

```
diagnose debug application httpsd -1
diagnose debug application nodejs -1
diagnose debug enable
```

```
2024-10-03 18:11:39 [httpsd 2634 - 1727979099 info] fweb_debug_init[531] -- New GET request for "/api/v2/monitor/sase-ui/state" from "10.8.145.30:49194"
[node Web Request - 1727979100 info] - New GET reqest for "/api/v2/monitor/sase-ui/state" from "10.8.145.30:49194"
[node Web Request - 1727979100 info] - User-Agent: "python-requests/2.31.0"
[node Web Request - 1727979100 info] - Checking request content.
[node Web Request - 1727979100 info] - Setting forwarded VDOM header to "root"
[node Web Request - 1727979100 info] - Proxying HTTP/1.0 request to httpsd.
2024-10-03 18:11:39 [httpsd 2634 - 1727979099 info] fweb_debug_init[533] -- User-Agent: "python-requests/2.31.0"
2024-10-03 18:11:39 [httpsd 2634 - 1727979099 info] fweb_debug_init[535] -- Handler "api_monitor_v2-handler" assigned to request
2024-10-03 18:11:39 [httpsd 2634 - 1727979099 info] api_access_check_for_api_key[657] -- Wrong vdom.
2024-10-03 18:11:39 [httpsd 2634 - 1727979099 warning] _lock_out_check_and_lock_out[416] -- Failed api-key login attempt from 10.8.145.30. (2/3 attempts within 240s).
2024-10-03 18:11:39 [httpsd 2634 - 1727979099 info] fweb_debug_final[355] -- Completed GET request for "/api/v2/monitor/sase-ui/state" (HTTP 403 Forbidden)
[node Web Request - 1727979100 warn] - Completed request for "/api/v2/monitor/sase-ui/state" (HTTP 403).
```

Under the api-user configuration on the FortiGate, the 'set vdom' command is missing after the upgrade to v7.4.5.

Configuration in v7.4.4:

```
config system api-user
    edit "90962c8250ce4b70bd51b5c8cbe74df"
        set api-key ENC *******
        set accprofile "*******"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 10.0.0.0 255.0.0.0
            next
        end
    next
end
```

```
config system api-user
(api-user) # edit test
new entry 'test' added
(test) # set
comments             Comment.
api-key              Admin user password.
*accprofile          Admin user access profile.
vdom                 Virtual domains.    <---
schedule             Schedule name.
cors-allow-origin    Value for Access-Control-Allow-Origin on API responses. Avoid using '*' if possible.
peer-auth            Enable/disable peer authentication.
```

Configuration in v7.4.5:

```
config system api-user
    edit "90962c8250ce4b70bd51b5c8cbe74df"
        set api-key ENC *******
        set accprofile "*******"
        config trusthost
            edit 1
                set ipv4-trusthost 10.0.0.0 255.0.0.0
            next
        end
    next
end
```

```
config system api-user
(api-user) # edit test
new entry 'test' added
(test) # set
comments             Comment.
api-key              Admin user password.
*accprofile          Admin user access profile.
schedule             Schedule name.
cors-allow-origin    Value for Access-Control-Allow-Origin on API responses. Avoid using '*' if possible.
peer-auth            Enable/disable peer authentication.
```

This issue has been resolved in v7.4.6 and v7.4.7.

Workaround: Create a new API user and use the new API key to log in to the FortiGate.
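The httpsd debug output above is useful for spotting API keys that started failing after the upgrade before the lockout counter (2/3 attempts within 240s in the log) disables them. The following is an added triage example, not Fortinet code; it correlates lines by the httpsd 'pid - request id' header and reports every request rejected with 'Wrong vdom'. The log lines are constructed after the format shown in the article.

```python
import re

# Constructed sample lines, modelled on the httpsd debug output quoted in the article.
SAMPLE_LOG = """\
2024-10-03 18:11:39 [httpsd 2634 - 1727979099 info] fweb_debug_init[531] -- New GET request for "/api/v2/monitor/sase-ui/state" from "10.8.145.30:49194"
2024-10-03 18:11:39 [httpsd 2634 - 1727979099 info] fweb_debug_init[535] -- Handler "api_monitor_v2-handler" assigned to request
2024-10-03 18:11:39 [httpsd 2634 - 1727979099 info] api_access_check_for_api_key[657] -- Wrong vdom.
2024-10-03 18:11:39 [httpsd 2634 - 1727979099 warning] _lock_out_check_and_lock_out[416] -- Failed api-key login attempt from 10.8.145.30. (2/3 attempts within 240s).
2024-10-03 18:11:39 [httpsd 2634 - 1727979099 info] fweb_debug_final[355] -- Completed GET request for "/api/v2/monitor/sase-ui/state" (HTTP 403 Forbidden)
2024-10-03 18:12:02 [httpsd 2635 - 1727979122 info] fweb_debug_init[531] -- New GET request for "/api/v2/cmdb/system/status" from "10.8.145.31:50001"
2024-10-03 18:12:02 [httpsd 2635 - 1727979122 info] fweb_debug_final[355] -- Completed GET request for "/api/v2/cmdb/system/status" (HTTP 200 OK)
"""

# httpsd header: "[httpsd <pid> - <request id> <level>] <body>"
HDR_RE = re.compile(r'\[httpsd (\d+) - (\d+) \w+\] (.*)$')
NEW_RE = re.compile(r'New \w+ request for "([^"]+)" from "([\d.]+):\d+"')
LOCK_RE = re.compile(r'Failed api-key login attempt from [\d.]+\. \((\d+)/(\d+) attempts within (\d+)s\)')
DONE_RE = re.compile(r'Completed \w+ request for "[^"]+" \(HTTP (\d+)')


def triage_httpsd_log(text):
    """Return one finding per request whose api-key check failed with 'Wrong vdom'.

    Requests are correlated by the (pid, request id) pair in the httpsd header,
    so interleaved requests from several API clients are kept apart.
    """
    requests = {}
    for line in text.splitlines():
        m = HDR_RE.search(line)
        if not m:
            continue  # nodejs proxy lines carry no httpsd header; skip them
        key, body = (m.group(1), m.group(2)), m.group(3)
        req = requests.setdefault(key, {"wrong_vdom": False})
        if n := NEW_RE.search(body):
            req["path"], req["src_ip"] = n.group(1), n.group(2)
        elif "Wrong vdom." in body:
            req["wrong_vdom"] = True
        elif l := LOCK_RE.search(body):
            req["attempts"], req["max_attempts"], req["window_s"] = map(int, l.groups())
        elif d := DONE_RE.search(body):
            req["http_status"] = int(d.group(1))
    findings = []
    for req in requests.values():
        if req["wrong_vdom"]:
            # One more failure within the window would trip the api-key lockout.
            req["lockout_imminent"] = "max_attempts" in req and req["attempts"] + 1 >= req["max_attempts"]
            findings.append(req)
    return findings
```

Run it against the output of the diagnose commands shown above to list the source IPs and paths that need a replacement API user before they are locked out.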
