farhanahmed
Staff
December 8, 2025

Technical Tip: How to log in to FortiManager/FortiAnalyzer using API with CSRF cookies

Description

This article describes how to log in to FortiManager/FortiAnalyzer using API with CSRF cookies.

Scope

FortiManager, FortiAnalyzer (tested with v7.4.8 and v7.6.4).

Solution
  1. Log in to FortiManager/FortiAnalyzer using the POST request 'https://{{host}}/cgi-bin/module/flatui_auth' with the following body (Postman is used in this example; any other tool can be used):

{
    "url": "/gui/userauth",
    "method": "login",
    "params": {
        "username": "{{ADMIN_USER}}",
        "secretkey": "{{PASSWORD}}",
        "logintype": 0
    }
}


  2. This will set the cookies for the session, in particular 'HTTP_CSRF_TOKEN'. This token is then used in subsequent requests to maintain the session:

(Screenshot: FMG_login_cookies.gif)


  3. In Postman, under the 'Scripts' tab of the request (Post-Response; in older Postman versions it may be under 'Tests'), use the script below. It reads the 'HTTP_CSRF_TOKEN' value from the cookies and stores it in the variable 'csrf_token':

const csrfToken = pm.cookies.get("HTTP_CSRF_TOKEN");

pm.environment.set("csrf_token", csrfToken);

(Screenshot: ll.png)


Afterwards, run the login request again so that the 'csrf_token' variable gets populated.


  4. For any subsequent API request, under the 'Headers' tab, add a new entry that uses the variable {{csrf_token}}:

Key:  XSRF-TOKEN | Value: {{csrf_token}}

(Screenshot: ll.png)


  5. To log out, create a new POST request with the URL 'https://{{host}}/p/logout-api/'. The request body should be empty, and in the headers, along with the XSRF-TOKEN, also set the 'Referer' key to 'https://{{host}}':

Key:  XSRF-TOKEN | Value: {{csrf_token}}
Key:  Referer | Value: https://{{host}}

(Screenshot: logout.png)
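The five steps above as one script, an example added here rather than Fortinet's or the article's own code. It uses only the Python standard library, and the names FortiCsrfClient, login_body and csrf_token_from_jar are the example's own, not a Fortinet API:

```python
import http.cookiejar
import json
import urllib.request

CSRF_COOKIE = "HTTP_CSRF_TOKEN"  # cookie set by the flatui_auth login response
CSRF_HEADER = "XSRF-TOKEN"       # header every later request must carry


def login_body(username: str, password: str) -> dict:
    """JSON body for POST /cgi-bin/module/flatui_auth (step 1 of the article)."""
    return {"url": "/gui/userauth", "method": "login",
            "params": {"username": username, "secretkey": password, "logintype": 0}}


def csrf_token_from_jar(jar) -> str:
    """Same job as pm.cookies.get('HTTP_CSRF_TOKEN') in step 3, on a urllib cookie jar."""
    for cookie in jar:
        if cookie.name == CSRF_COOKIE:
            return cookie.value
    raise RuntimeError(f"{CSRF_COOKIE} cookie missing: login failed or wrong host")


class FortiCsrfClient:
    """Hypothetical helper (not Fortinet code): cookie-backed FMG/FAZ session."""
    def __init__(self, host: str):
        self.base = f"https://{host}"
        self.jar = http.cookiejar.CookieJar()  # receives Set-Cookie from the device
        self.token = None
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(self.jar))

    def csrf_headers(self) -> dict:
        """Step 4: the header added to every request after login."""
        return {CSRF_HEADER: self.token}

    def _post(self, path: str, body: bytes, headers: dict) -> bytes:
        req = urllib.request.Request(self.base + path, data=body,
                                     headers=headers, method="POST")
        with self.opener.open(req, timeout=15) as resp:
            return resp.read()

    def login(self, username: str, password: str) -> str:
        data = json.dumps(login_body(username, password)).encode()
        self._post("/cgi-bin/module/flatui_auth", data,
                   {"Content-Type": "application/json"})
        self.token = csrf_token_from_jar(self.jar)  # step 2: token arrives as a cookie
        return self.token

    def logout(self) -> None:
        """Step 5: empty body, CSRF header plus Referer set to the host."""
        self._post("/p/logout-api/", b"", {**self.csrf_headers(), "Referer": self.base})
```

The device certificate must be trusted by Python's default SSL context; for a lab unit with a self-signed certificate, pass your own ssl.SSLContext to urllib.request.HTTPSHandler in build_opener rather than disabling verification globally.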


  • Attached is the API collection, which can be imported into Postman (tested with v11.74.5).
  • Under the 'Variables' tab of the collection, the following variables are required:
    • host: IP address of FortiManager/FortiAnalyzer.
    • ADMIN: Admin user.
    • PASSWORD: Admin user password.


Notes:

  • After logging in, the session list shows the login as a GUI login rather than an API login. This is because this method uses the HTTP_CSRF_TOKEN to log in instead of an API session.
  • This method of login might change in future firmware releases.

Related documents:

Technical Tip: Using FortiManager API

Fortinet Development Network (FNDN) - FortiManager