Skip to main content
Hatibi
Staff & Editor
Hatibi
Staff & Editor
April 1, 2026

Technical Tip: Modify logical network access value through REST API

  • April 1, 2026
  • 0 replies
  • 170 views
Description This article describes how to use REST API in order to modify the Access Value for a Logical Network assigned to a specific Device Model configuration.
Scope FortiNAC-F.
Solution

To work with FortiNAC-F REST API, it is first required to generate an API token and test the first API request.

 

Documentation:

  1. Generate an API token.
  2. Your First API request.

 

Logical networks can be associated with multiple device models. For example, a Logical Network called '802.1x access' can be associated to Switch A where it contains Access VLAN 10 and to another Switch B with Access VLAN 20.

When retrieving the Logical Network attributes by REST API Get requests, FortiNAC will return multiple entries with same Logical network name but with different 'elementID' which corresponds to the Devices where this logical network is configured.

As such, it is first required to identify the 'elementID' equivalent to the DBID of the device whose Logical network requires modification.

 

In the following steps, the 'Curl' command in the windows command line is used to perform GET and POST REST API requests. Python is installed in order to format and structure the response from FortiNAC API endpoint in a json readable structure.

 

  1. Initially, print the network devices attributes with the following request:

C:\Users\xxx>curl -k --location --request GET "https://10.10.10.6:8443/api/v2/device/domaindeviceinfo" --header "Authorization: Bearer xxxxxxx" --header "Accept: application/json" | python -m json.tool
.

.

.
{
"status": "success",
"errorMessage": null,
"results": [
{
"id": 28,
"name": "Firewall",
"img": "icons/16/domain_16.gif",
"devices": [
{
"id": 486,
"name": "FP421ETF18006779",
"img": "icons/device/generated/wap_16.png"
},
{
"id": 502,
"name": "S108EP5918010780",
"img": "icons/16/fortiswitch_16.png"
},
{
"id": 426,
"name": "fortiGateLab.fortilab.local",
"img": "icons/16/fortigate_16.png"
}
]
}

 

Figure 1. Network Inventory View corresponding to REST API responseFigure 1. Network Inventory View corresponding to REST API response

 

The API response will provide information of the Container and the devices under it. It also gives the 'id' which is the DBID of each device. With any standard modeled switch, this information would have been enough in order to continue with the Logical network modification step. However, when integrating with FortiGate, the logical network is configured on the VDOM level. 

 

To identify the VDOM DBID, apply the following request:

 

C:\Users\xxx>curl -k --location --request GET "https://10.10.10.6:8443/api/v2/device" --header "Authorization: Bearer xxxxxxxxxx" --header "Accept: application/json" | python -m json.tool

 

This command will print all device details. The following attributes from the response will help in identifying the VDOM object:

 

{
"landscape": 91769544454,
"state": 0,
"elementClass": 55,
"role": null,
"name": "root",
"type": "VDOM",
"protocol": "SnmpV1",
"status": 0,
"parent": "",
"suffix": "0",
"packedVersion": 1.8,
"notes": null,
"description": "fortiGateLab.fortilab.local:VDOM root",
"group": "VDOM",

.

.

.

"domainName": "28",
"dbid": 427,
"identification": "427",
"creationEvent": null,
.

.

.
],
"sysOid": "VDOM",
"longSuffix": 0,
"versionPacked": 1.8,
"auditObjectName": "fortiGateLab.fortilab.local:VDOM root",
"auditObjectType": {
"auditTableName": "ELEMENTSAudit",
"mysqlTableName": "ELEMENTS",
"idnameQuery": "select id,name from ELEMENTS where id in"
},
"lastChangeMask": 0,
"lockKeys": [
"427"
],
"auditObj": null,
"yamsEventTag": null,
"lastModifiedBy": "SYSTEM",
"lastModifiedDate": "2026-03-20T12:41:12Z",
"id": 427,
"physicalAddress": null,
"typeOfElement": "noConnection",
"requestString": "10.10.10.1",
"addAuditSummary": "[]",
"deviceType": null
}
],

 

After collecting the DBID of the root VDOM, it is possible to proceed and identify the logical network associated with it.

 

  1. Collect logical network configuration.

 

C:\Users\xxxx>curl -k --location --request GET "https://10.10.10.6:8443/api/v2/policy/logical-network-configuration" --header "Authorization: Bearer xxxxxxxxxxx" --header "Accept: application/json" | python -m json.tool

 

This command will print all logical network IDs. As noted before, the same Logical network name will appear in multiple entries due to its association with different network devices.

 

{
"name": " ",
"note": null,
"taskID": null,
"access": "VLAN_90",
"accessAction": 2,
"alias": false,
"sendGroupsToFirewall": false,
"radiusAttributeGroupId": null,
"guid": -1,
"globalModifiedDate": "2024-06-06T10:40:12.000+00:00",
"firewallGroups": [],
"elementId": 427,
"rfc5176MessageType": "",
"rfc5176AttributeGroup": null,
"radiusResponseValues": "{\"logicalNetworkAttrs\":[],\"deviceDefaultAttrs\":[{\"NAS-Port-Id\":\"[%AUTH%]\"},{\"Tunnel-Medium-Type\":\"[IEEE-802]\"},{\"Tunnel-Private-Group-Id\":\"[%ACCESS_VALUE%]\"},{\"Tunnel-Type\":\"[VLAN]\"}],\"deviceDefaultAttrGroupName\":\"RFC_Vlan\",\"logicalNetworkAttrGroupName\":null}",
"accessActionStr": "2",
"lastModifiedBy": "SYSTEM",
"lastModifiedDate": "2026-03-20T13:13:31Z",
"id": 36,
"requestedTags": null,
"logicalNetworkID": 3,
"logicalNetworkName": "802.1x_Access",
"tags": []
},

 

By using "elementID"= 427, which refers to the root VDOM, and "logicalNetworkName": "802.1x_Access", it is possible to properly identify the Logical network object where modification is required.

This Logical network Object has "id": 36

 

  1. Modify Logical Network attributes using POST REST API method.

 

In the last step, it is possible to modify the Access Value of the Logical network from the Old value: "access": "VLAN_90" to a new Value "access": "VLAN_80" using the following request where the "id":36 refers to the Logical network that will be modified.

 

curl -k --location --request POST "https://10.10.10.6:8443/api/v2/policy/logical-network-configuration/36" --header "Authorization: Bearer xxxxxxxxxxx" --header "Accept: application/json" \

-d '{
"name": " ",
"note": null,
"taskID": null,
"access": "VLAN_80",
"accessAction": 2,
"alias": false,
"sendGroupsToFirewall": false,
"radiusAttributeGroupId": null,
"guid": -1,
"globalModifiedDate": "2024-06-06T10:40:12.000+00:00",
"firewallGroups": [],
"elementId": 427,
"rfc5176MessageType": "",
"rfc5176AttributeGroup": null,
"radiusResponseValues": "{\"logicalNetworkAttrs\":[],\"deviceDefaultAttrs\":[{\"NAS-Port-Id\":\"[%AUTH%]\"},{\"Tunnel-Medium-Type\":\"[IEEE-802]\"},{\"Tunnel-Private-Group-Id\":\"[%ACCESS_VALUE%]\"},{\"Tunnel-Type\":\"[VLAN]\"}],\"deviceDefaultAttrGroupName\":\"RFC_Vlan\",\"logicalNetworkAttrGroupName\":null}",
"accessActionStr": "2",
"lastModifiedBy": "SYSTEM",
"lastModifiedDate": "2026-03-20T13:13:31Z",
"id": 36,
"requestedTags": null,
"logicalNetworkID": 3,
"logicalNetworkName": "802.1x_Access",
"tags": []
}'

 

The change can be validated either through the FortiNAC GUI in the model configuration of the respective device, or through the following API request which retrieves only data for Logical network ID 36:

 

C:\Users\xxxx>curl -k --location --request GET "https://10.10.10.6:8443/api/v2/policy/logical-network-configuration/36" --header "Authorization: Bearer xxxxxxxxxxx" --header "Accept: application/json" | python -m json.tool

 

Documentation:

FortiNAC-F REST API guide: Introduction.
    Terms & ConditionsAccessibility statement