Skip to main content
Hyjaal
Hyjaal
Explorer
May 6, 2024
Solved

Fortigate - Add an ip address with API

  • May 6, 2024
  • 1 reply
  • 3882 views

Hi,

 

I'm trying to add ip addresses to my Fortigate but I'm getting an HTTP Forbidden.

Here are the commands I run:
curl -k -i -X POST https://X.X.X.X/logincheck -d "username=apiuser&secretkey=apiuser" --dump-header header.txt -c cookies.txt
curl -k -i -X POST https://X.X.X.X/api/v2/cmdb/firewall/address -d "{'name':'test','subnet':'1.1.1.1/32' }" -b header.txt

 

My user apiuser has the profile super_admin.

 

Do you know why I'm getting an HTTP/1.1 403 Forbidden?

 

Thank you in advance.

 

All the best,
Hyjaal

Best answer by Hyjaal

Hello,

 

I just found my answer :)

 

Here are the commands:

curl -k -c fgtcookies -d username=apiuser -d secretkey=apiuser https://X.X.X.X/logincheck


token=$(grep token fgtcookies | awk -F '"' '{print $2}')

 

curl -s -b fgtcookies -k -X POST -H "Content-Type: application/json" -d "{'name':'test','subnet':'1.1.1.1/32' }" -H "X-CSRFTOKEN: $token" https://X.X.X.X/api/v2/cmdb/firewall/address

 

curl -k -i -X GET https://X.X.X.X/logout -b fgtcookies

 

 

This method allows you to create hosts.For example, I was able to create 3 hosts :
test1 1.1.1.1/32
test2 1.1.1.2/32
test3 1.1.1.3/32

 

 

Hyjaal

1 reply

ozkanaltas
ozkanaltas
Valued Contributor III
May 6, 2024

Hello @Hyjaal ,

 

For Fortigate doesn't need to api-username on the request. 

 

Can you try it like that? 

 

curl -k -i -X POST https://X.X.X.X/api/v2/cmdb/firewall/address?access_token=<YOUR_API_KEY> -d "{'name':'test','subnet':'1.1.1.1/32' }"

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-About-REST-API/ta-p/195425

    Hyjaal
    HyjaalAuthor
    Explorer
    May 6, 2024

    Hello @ozkanaltas,

     

    I don't have an API KEY as I use session cookies.

     

    apiuser is an administrator account and not REST API Admin, I don't know if it makes a difference.

     

    I don't see myself generating an API KEY on each of my Fortigates (~500devices)

     

    If I can't use session cookies, is there a cli command to generate the token?

     

    Have a nice day,
    Hyjaal

    ozkanaltas
    ozkanaltas
    Valued Contributor III
    May 6, 2024

    Hello @Hyjaal ,

     

    Can you try your request with "cookies.txt"?

     

    https://community.fortinet.com/t5/FortiGate/Technical-Tip-Use-REST-API-Access-FortiGate/ta-p/196540 

     

    This will generate 2 files:  headers.txt:   It contains all information about the authentication. This file will be needed for GET commands cookies.txt:   It contain the cookie generated for the authentication. This file will be needed for POST commands

     

     

    If you want to create the rest API user and key via cli you can follow this document.

     

    https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/399023/rest-api-administrator

     

     

      Terms & ConditionsAccessibility statement