New Member

Solved

FortiGate 60E REST API

Forum|Forum|6 years ago
September 27, 2019
1 reply
25228 views

Hi there,

i want to reboot my FortiGate 60E via the REST-API. Im using this endpoint:

doing this Request(obviously already authenticated):


curl -k -i -H "Accept: application/json" -X POST "https://ip:port/api/v2/monitor/system/os/reboot" --cookie cookie.txt

But I receive a Forbidden:

{
  "http_method":"POST",
  "status":"error",
  "http_status":403,
  "vdom":"root",
  "path":"system",
  "name":"os",
  "action":"reboot",
  "serial":"serial",
  "version":"v6.0.5",
  "build":268
}

How do I reboot the FortiGate via REST API?

PS: Im trying this with a user who has RW permission on all Categorys

Thank you!

Best answer by emnoc

Btw just tested and it works for me using the CSRFTOKEN also ;)

supports-MacBook-Pro:Downloads ken$ cat fgtcookies # Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk. #HttpOnly_192.168.1.99 FALSE / TRUE 0 APSCOOKIE_79100365 "Era%3D0%26Payload%3DBqjjbe7htCOsFsYzarB2IEMxijyyM0neq8nLlRqdPhTTvad7eL0LZpsb161uxmQC%0AsYzlEA9fitnCbWPkYrtdAXttq3v+u7JbmALCfl5T+ALAE1e1dgquZbFA7iWbn%2FRX%0AjMI7Pvc0zLzCbKRaSWynEw4C2gQXazjG9tdCsTkjydzANRRwh6uulPiNj%2F83T8bg%0Al3DihIFtCw8WjHnA%2F+xK2Q%3D%3D%0A%26AuthHash%3DCA4eiUKEM0zcXjGIij0hoUdQwG4A%0A"192.168.1.99 FALSE / TRUE 0 ccsrftoken_79100365 "FB4B8AD9C51C5E5CBEBECD63EE2457A9"192.168.1.99 FALSE / TRUE 0 ccsrftoken "FB4B8AD9C51C5E5CBEBECD63EE2457A9" supports-MacBook-Pro:Downloads ken$ curl -X POST -s -b fgtcookies -k -H "Content-Type: application/json" -H "X-CSRFTOKEN: FB4B8AD9C51C5E5CBEBECD63EE2457A9" https://192.168.1.99/api/..onitor/system/os/rebootsupports-MacBook-Pro:Downloads ken$ ping 8.8.8.8PING 8.8.8.8 (8.8.8.8): 56 data bytesRequest timeout for icmp_seq 0Request timeout for icmp_seq 1Request timeout for icmp_seq 2 I use my admin account so that profile show be able to reboot the appliance. Cookies were grabbed on the logincheck by using this approach http://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html YMMV but I didn't have any issues once I had the right URI in either case e.g /api/v2/monitor/system/os/reboot vrs /api/v2/monitor/system/dashboard/reboot I still think your profile is not correct for sysgrp and the action:reboot, just my hunch and this might lead into the 4xx status codes that are coming back. Ken Felix

emnoc

New Member

Try a prof_admin profile. RW probably does work for that cmd level.

Ken Felix

hermgermAuthor

New Member

Im using a super_admin profile, still not working. Also prof_admin getting the same response.

emnoc

New Member

FWIW . I tried the following with an api_user based on some older API_REFERENCE

Socket1 $curl -X POST -k -H "Authorization: Bearer jx67dQm6r8nd4qQQhptr3rnjhbHdzx"

"https://192.168.1.99/api/v2/monitor/system/dashboard/reboot?access_token=jx67dQm6r8nd4qQQhptr3rnjhbHdzx"

{

"path":"system",

"name":"dashboard",

"action":"reboot",

"serial":"FWF50xxxxxxxxx",

"version":"v6.0.0",

"build":76,

"status":"error",

"http_status":404

}Socket1 $

It failed also. I haven't seen a working example on API reboot. The 404 tells me this entry point is not valid. In your status.code 403 seems to be authentication-related.

Do you have a api_user ?

Do other calls work?

e.g API_USER using a authorization header ( the token )

curl -k -H "Authorization: Bearer jx67dQm6r8nd4qQQhptr3rnjhbHdzx" "https://192.168.1.99/api/v2/monitor/system/dhcp?"

{

"http_method":"GET",

"results":[

{

"ip":"192.168.1.113",

"mac":"bc:98:df:d3:eb:15",

"vci":"android-dhcp-9",

"expire_time":1570263781,

"status":"leased",

"interface":"internal",

"type":"ipv4",

"reserved":false,

"server_mkey":1

},

{

"ip":"192.168.1.112",

"mac":"78:31:c1:d5:52:d0",

"hostname":"supports-MBP",

"expire_time":1570263602,

"status":"leased",

"interface":"internal",

"type":"ipv4",

"reserved":false,

"server_mkey":1

},

{output snipped}

Socket1 $curl -k -H "Authorization: Bearer jx67dQm6r8nd4qQQhptr3rnjhbHdzx" "https://192.168.1.99/api/v2/monitor/firewall/policy"

{

"http_method":"GET",

"results":[

{

"policyid":0,

"active_sessions":0,

"bytes":0,

"packets":0

},

{

"policyid":1,

"uuid":"4642baea-885e-51e9-6881-43df12c629e1",

"active_sessions":26,

"bytes":121036518,

"packets":156639,

"last_used":1569665902,

"first_used":1569607211,

"hit_count":3847,

"session_last_used":1569665899,

"session_first_used":1569607211,

"session_count":25

},

{

"policyid":2,

"uuid":"47cd84ec-ce3d-51e9-2d18-6ba8026ba89f",

"active_sessions":23,

"bytes":3673664328,

"packets":4089520,

"last_used":1569665899,

"first_used":1569607211,

"hit_count":9610,

"session_last_used":1569665899,

"session_first_used":1569607211,

"session_count":23

},

{output snipped}

Socket1 $curl -k -H "Authorization: Bearer jx67dQm6r8nd4qQQhptr3rnjhbHdzx" "https://192.168.1.99/api/v2/monitor/router/statistics"

{

"http_method":"GET",

"results":{

"total_lines":8,

"total_lines_ipv4":8,

"total_lines_ipv6":0

},

"vdom":"root",

"path":"router",

"name":"statistics",

"status":"success",

"serial":"xxxxxxxxx",

"version":"v6.0.0",

"build":76

Do you have any API reference pdf ?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded