Skip to main content
Pascal-Olivier
Pascal-Olivier
Visitor III
October 14, 2025
Solved

API v2 backup returns 401 on single FortiGate while working on 24 others

  • October 14, 2025
  • 1 reply
  • 1247 views

Hi everyone,

 

Looking for help with a strange API authentication issue on one specific FortiGate.

 

Setup:

  • 25 FortiGate firewalls managed via automated backup script
  • Using API v2 endpoint: /api/v2/monitor/system/config/backup?scope=global
  • Same API user (BACKUP-SUPER_ADMIN) configured on all devices

Problem: One firewall (let's call it FW-TEST) consistently returns HTTP 401 Unauthorized, while the exact same script works perfectly on the other 24 devices.

 

What I've tried:

  • Regenerated API token multiple times
  • Verified user permissions (identical to working firewalls)
  • Manual test with Postman: same 401 error
  • GUI login with same account: works fine
  • Compared API settings between working and non-working FW: no differences found

Question: Has anyone encountered a situation where one FortiGate rejects API authentication while others with identical config work fine? Could there be hidden settings or firmware-specific quirks that affect API token validation?

 

Using FortiOS version if you know it, all devices on same version.

 

Any insights appreciated!

 

Thanks

Best answer by Pascal-Olivier

Thank you very much for your help!

I was then able to get the following logs:

[httpsd 903 - 1760533621 info] fweb_debug_init[610] -- New GET request for "/api/v2/monitor/system/config/backup" from "10.X.X.X:35924" [httpsd 903 - 1760533621 info] fweb_debug_init[612] -- User-Agent: "PostmanRuntime/7.48.0" [httpsd 903 - 1760533621 info] fweb_debug_init[614] -- Handler "api_monitor_v2-handler" assigned to request [httpsd 903 - 1760533621 warning] _extract_key_param[97] -- REST API key in URL parameters is disabled. [httpsd 903 - 1760533621 warning] _extract_key_param[97] -- REST API key in URL parameters is disabled. [httpsd 903 - 1760533621 info] fweb_debug_final[487] -- Completed GET request for "/api/v2/monitor/system/config/backup" (HTTP 401 Unauthorized)


Then I found the problem — the parameter set rest-api-key-url-query was disabled.

You need to enable it:

config system global set rest-api-key-url-query enable end

That solved the problem!


It’s still strange that this was the only firewall that needed that parameter activated — perhaps a new requirement of the 50G version?


Anyway, have a great day everyone!

 

1 reply

distillednetwork
distillednetwork
Explorer II
October 14, 2025

You can try to run a debug on the non-working firewall while you test the API and see what the output is:

 

(global) # diagnose debug reset
 (global) # diagnose debug enable
 (global) # diagnose debug application httpsd -1

    Pascal-Olivier
    Pascal-OlivierAuthorAnswer
    Visitor III
    October 15, 2025

    Thank you very much for your help!

    I was then able to get the following logs:

    [httpsd 903 - 1760533621 info] fweb_debug_init[610] -- New GET request for "/api/v2/monitor/system/config/backup" from "10.X.X.X:35924" [httpsd 903 - 1760533621 info] fweb_debug_init[612] -- User-Agent: "PostmanRuntime/7.48.0" [httpsd 903 - 1760533621 info] fweb_debug_init[614] -- Handler "api_monitor_v2-handler" assigned to request [httpsd 903 - 1760533621 warning] _extract_key_param[97] -- REST API key in URL parameters is disabled. [httpsd 903 - 1760533621 warning] _extract_key_param[97] -- REST API key in URL parameters is disabled. [httpsd 903 - 1760533621 info] fweb_debug_final[487] -- Completed GET request for "/api/v2/monitor/system/config/backup" (HTTP 401 Unauthorized)


    Then I found the problem — the parameter set rest-api-key-url-query was disabled.

    You need to enable it:

    config system global set rest-api-key-url-query enable end

    That solved the problem!


    It’s still strange that this was the only firewall that needed that parameter activated — perhaps a new requirement of the 50G version?


    Anyway, have a great day everyone!

     

    Terms & ConditionsAccessibility statement