Robzi
New Member
January 21, 2025
Solved

Fortigate API - Filter by network mask on /api/v2/log/disk/traffic/forward/system endpoint

  • 3 replies
  • 2229 views

Dear community,

Is anybody using the Fortigate API to retrieve traffic logs with this endpoint:

/api/v2/log/disk/traffic/forward/system?filter=srcip==10.227.108.88&rows=10

I can get logs for a specific source or destination IP, but do you know any way to get logs for a network (example: 10.0.0.0/8)?

Running version:

"version":"v7.2.10",
"build":1706

Thanks in advance for your help ;)

Looking at the FortiDev documentation, the only available filters are the following, but after several tests they didn't do the trick to filter on a network:

filter (query parameter, array[string])

Filtering multiple key/value pairs
Operator | Description
== | Case insensitive match with pattern.
!= | Does not match with pattern (case insensitive).
=@ | Pattern found in object value (case insensitive).
!@ | Pattern not found in object value (case insensitive).
<= | Value must be less than or equal to pattern.
< | Value must be less than pattern.
>= | Value must be greater than or equal to pattern.
> | Value must be greater than pattern.
Logical OR using , | Separate filters using commas ','
Logical AND using & | Filter strings can be combined to create logical AND queries by including multiple filters in the request.
Combining AND and OR | You can combine AND and OR filters together to create more complex filters.


3 replies

funkylicious
SuperUser
January 21, 2025

Hi,

In theory, you should be able to use the 10.0.0.0/8 supernet with the srcip filter, srcip=10.0.0.0/8.

You would need to escape the / character and maybe add some quotes or double quotes for it.

At least in logs I can search in the GUI with something like that.

"jack of all trades, master of none"
Robzi (Author)
New Member
January 21, 2025

Thanks for your reply @funkylicious!

I get your idea, taking inspiration from the GUI, but it looks like the API is going its own way:

Several tests gave me random results (not matching the network):

Double quotes, backslash and double equals:

curl -k "https://XXXXX/api/v2/log/memory/traffic/forward?filter=srcip=="10.227.13.0\/24"&rows=10&access_token=xxxxxxx"

Double quotes, backslash and single equals:

curl -k "https://XXXXX/api/v2/log/memory/traffic/forward?filter=srcip="10.227.13.0\/24"&rows=10&access_token=xxxxxxx"

Double quotes, no backslash and single equals:

curl -k "https://XXXXX/api/v2/log/memory/traffic/forward?filter=srcip="10.227.13.0/24"&rows=10&access_token=xxxxxxx"

Without quotes and single equals:

curl -k "https://XXXXX/api/v2/log/memory/traffic/forward?filter=srcip=10.227.13.0/24&rows=10&access_token=xxxxxxx"

pminarik (Best answer)
Staff
January 21, 2025

Looking at 7.2 GUI, I see a filter set to destination = 10.1.0.0/24 translated to dstip=@"10.1.0.0-10.1.0.255" , can you try that?

Robzi (Author)
New Member
January 24, 2025

Thanks @pminarik, it did the trick!!!

For 15 rows of the log result, filtering on "srcip":

curl -k "https://XXXXXXXXXXX/api/v2/log/memory/traffic/forward?filter=srcip=@"10.65.0.0-10.65.0.255"&rows=15&access_token=XXXXXXXXXXXXXXX" | jq '.results[].srcip'


"10.65.0.6"
"10.65.0.5"
"10.65.0.5"
"10.65.0.4"
"10.65.0.5"
"10.65.0.5"
"10.65.0.5"
"10.65.0.5"
"10.65.0.5"
"10.65.0.3"
"10.65.0.4"
"10.65.0.6"
"10.65.0.4"
"10.65.0.3"
"10.65.0.46"
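Putting pminarik's range filter to work for an arbitrary CIDR (the original question asked about 10.0.0.0/8, not only a /24): the Python below is an added example, not code from this thread or from Fortinet. It converts a CIDR into the first-last range the =@ operator takes, assembles AND/OR query strings according to the documented operator table, sends the token as a header, and cross-checks a response body client-side. The hostname, function names and the sample response are assumptions/constructed data; whether the API accepts IPv6 ranges is not covered by the thread.

```python
"""Helpers for filtering FortiGate /api/v2/log/... traffic logs by network.

Added example; not code from the thread or from Fortinet. What it relies on
from the thread: the filter operators listed in the FortiDev documentation
excerpt and pminarik's observation that the GUI turns a subnet into
dstip=@"first-last". Function names, the hostname and the sample response
are assumptions / constructed data.
"""
import ipaddress
import json
import ssl
import urllib.request
from urllib.parse import quote

# Characters of the filter syntax that must reach the FortiGate raw, as the
# working curl command in the thread sent them (the rest is percent-encoded).
FILTER_SAFE = '=@",:'


def cidr_to_range(cidr):
    """Turn 10.65.0.0/24 into the 'first-last' string the =@ filter expects.

    strict=False accepts a host address with a mask (10.65.0.5/24) and uses
    its network. A /32 (or /128) collapses to the single address.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses == 1:
        return str(net.network_address)
    return f"{net.network_address}-{net.broadcast_address}"


def network_filter(field, cidr):
    """One filter term: field=@"first-last" for a range, field==addr for a host."""
    rng = cidr_to_range(cidr)
    if "-" in rng:
        return f'{field}=@"{rng}"'
    return f"{field}=={rng}"


def build_query(filters, rows=10, logical_or=False):
    """Assemble the query string.

    Per the documented syntax, repeating filter= gives a logical AND and
    comma-joining terms inside one filter= gives a logical OR.
    """
    terms = [",".join(filters)] if logical_or else list(filters)
    parts = [f"filter={quote(term, safe=FILTER_SAFE)}" for term in terms]
    parts.append(f"rows={int(rows)}")
    return "&".join(parts)


def log_url(host, filters, source="memory", rows=10, logical_or=False):
    """URL for the forward-traffic log on the given log source (memory or disk)."""
    return f"https://{host}/api/v2/log/{source}/traffic/forward?" + build_query(
        filters, rows=rows, logical_or=logical_or
    )


def auth_headers(token):
    """Send the REST API token as a bearer header instead of ?access_token=...,
    so it does not end up in shell history, proxy logs or the firewall's own
    HTTP access log."""
    return {"Authorization": f"Bearer {token}"}


def fetch_logs(host, token, filters, cafile=None, **kw):
    """Perform the request. Pass cafile for a self-signed admin certificate
    rather than disabling verification as curl -k does. Not run offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(log_url(host, filters, **kw), headers=auth_headers(token))
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)["results"]


# Constructed stand-in for a response body, so the range test can be checked offline.
SAMPLE_RESULTS = [
    {"srcip": "10.65.0.6", "dstip": "8.8.8.8"},
    {"srcip": "10.65.0.46", "dstip": "1.1.1.1"},
    {"srcip": "10.65.1.2", "dstip": "10.65.0.9"},
    {"srcip": "10.227.108.88", "dstip": "10.65.0.3"},
]


def rows_in_network(results, field, cidr):
    """Client-side cross-check: apply the same range test to a response body
    and keep only the rows whose address really is inside the network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [r for r in results if ipaddress.ip_address(r[field]) in net]


if __name__ == "__main__":
    flt = network_filter("srcip", "10.65.0.0/24")
    print(log_url("fortigate.example.test", [flt], rows=15))  # hostname is an assumption
    print(json.dumps(rows_in_network(SAMPLE_RESULTS, "srcip", "10.65.0.0/24")))
```

Two things worth knowing when comparing this with the thread's curl command. First, in `"...filter=srcip=@"10.65.0.0-10.65.0.255"&rows=15..."` the inner double quotes are consumed by the shell (the argument is three concatenated pieces), so the FortiGate actually received `srcip=@10.65.0.0-10.65.0.255`; the helper above emits the quoted form the GUI uses, and the unquoted form is what was proven to work here. Second, the helper cross-checks the response because the range test runs on the firewall: a quick `rows_in_network` over the returned rows catches a mistyped mask or an operator that silently matched nothing.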