aguerriero
Explorer
June 27, 2025
Solved

Set app control or ips in firewall via API does not work 7.2.12


The code below works for both a GET and a PUT, and I get back status 200. The issue I have is that nothing in application-list or ips-sensor gets created on POST or updated on PUT.

If I create the policy, then add the IPS and APP through the web UI to something, and then run the PUT, it doesn't update the values. In all cases I get a status 200.

{
  "policyid": "{{ rule_id }}",
  "status": "enable",
  "name": "{{ rule_name }}",
  "srcintf": [
    {% for iface in srcintf %}
    { "name": "{{ iface.name }}" }{% if not loop.last %},{% endif %}
    {% endfor %}
  ],
  "dstintf": [
    {% for iface in dstintf %}
    { "name": "{{ iface.name }}" }{% if not loop.last %},{% endif %}
    {% endfor %}
  ],
  "action": "accept",
  "srcaddr": [
    { "name": "100.119.64.0_24" }
  ],
  "dstaddr": [
    {% for addr in ip_address %}
    { "name": "{{ addr.name }}" }{% if not loop.last %},{% endif %}
    {% endfor %}
  ],
  "service": [
    {% for svc in service %}
    { "name": "{{ svc.name }}" }{% if not loop.last %},{% endif %}
    {% endfor %}
  ],
  "http-policy-redirect": "disable",
  "ssh-policy-redirect": "disable",
  "ztna-policy-redirect": "disable",
  "profile-type": "single",
  "profile-protocol-options": "default",
  "ssl-ssh-profile": "certificate-inspection",
  "ips-sensor": "g-default",
  "application-list": "g-CF_APP_CONTROL",
  "logtraffic": "utm",
  "np-acceleration": "enable",
  "nat": "disable",
  "schedule": "always"
}

6 replies

Jean-Philippe_P
Staff & Editor
June 30, 2025

Hello aguerriero,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Jean-Philippe - Fortinet Community Team
filiaks1
Explorer III
June 30, 2025

Have you tried this on the latest FortiGate version, 7.6.3, as this could be an old bug?

Also, do you mean to update the firewall policy rule through the API with new profiles, or to modify the attached profiles' values?

Outside of that, you can try doing this through a CLI script that can be triggered as a workaround:

Solved: Restart Fortigate http/gui processes automatically... - Fortinet Community

filiaks1
Explorer III
June 30, 2025

Just as a note, on 7.6.3 the PUT for a firewall policy app or IPS change works. I used the nice API Preview option as well. By default the root VDOM is selected, so if needed add a query parameter that fixes this, as shown in the links below with the ?format="name|comment" parameter.

Using APIs | FortiGate / FortiOS 7.6.3 | Fortinet Document Library

Add options for API Preview, Edit in CLI, and References | FortiGate / FortiOS 7.0.0 | Fortinet Document Library

[Screenshot attached: Screenshot 2025-06-30 165657.png]

[Screenshot attached: Screenshot 2025-06-30 164418.png]


filiaks1
Explorer III
July 1, 2025

As a note, when I send the full API request, not just the needed changes, I saw a similar issue. Just send the config changes or open a case.


[Screenshot attached: Screenshot 2025-07-01 232305.png]


aguerriero
Explorer
July 2, 2025

That didn't work for me. I get a 200 response and nothing changed. 

filiaks1
Explorer III
July 3, 2025

If you follow my two responses on 7.6.3: sending just the changes works, and sending the full config I get a 200 response and nothing is changed, like you did.

filiaks1
Explorer III
July 5, 2025

Some extra info while you wait for the staff recommendations, as I also play with the API for my own needs. I saw a mistake when I was copying from the API Preview, as Fortinet seems to have made this for the hidden endpoint "/jsonrpc" that should not be used directly :) If I copy just the JSON in the data object, even if it is not only changes, it works fine, so on newer versions it is OK.


From the picture below I need to copy only the things in "data" when I click copy to clipboard.

[Screenshot attached: Screenshot 2025-07-05 220615.png]


For your version, maybe see the old way of authentication with X-CSRFToken, which can be collected from "/logincheck?username=admin&secretkey=xxxxx" with a POST request and an empty JSON body, as it is a cookie that you then use as the header value for X-CSRFToken. Forti also has the way at Authentication | FortiPortal 7.2.0 | Fortinet Document Library, but it seems worse to me, and who knows, maybe that will be a workaround for you, as maybe the new API token option still has issues on your version.


aguerriero
Author, accepted answer
Explorer
July 5, 2025

It was a simple boneheaded mistake. When making the jinja template I cut out 

"utm-status": "enable"

The call works just fine for POST and PUT operations for update. Lucky thing I didn't spend any time on upgrading firewalls or deploying test firewalls.
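The lesson of this thread is that a FortiOS 200 OK only means the request was accepted, not that every field took effect: with "utm-status" left out, the ips-sensor and application-list values in the body were silently ignored. The block below is an added example written for this page, not code from the poster or from Fortinet. It rebuilds the poster's template as a plain dict, lints the body for the missing utm-status before any request is sent, and after the PUT reads the policy back and reports any field whose value differs from what was sent. Assumptions: the cmdb path /api/v2/cmdb/firewall/policy/<policyid>?vdom=<name>, Bearer-token auth, and a GET response whose "results" is a list holding the policy object; the FakeFortiGate class and the sample policy are constructed stand-ins so the example runs offline.

```python
"""Lint a FortiOS firewall-policy body and verify a PUT by read-back.

Added example, not from the original thread. Assumes the REST path
/api/v2/cmdb/firewall/policy/<id>?vdom=<name> with Bearer-token auth
and a GET reply shaped like {"results": [policy_dict]}.
"""
import json
import ssl
import urllib.request

# Profile fields the thread shows being ignored when utm-status is absent.
UTM_FIELDS = ("ips-sensor", "application-list")


def build_policy(policyid, name, srcintf, dstintf, srcaddr, dstaddr, service,
                 ips_sensor="g-default", app_list="g-CF_APP_CONTROL", utm=True):
    """Same fields as the poster's Jinja template, as a dict; utm=False
    reproduces the broken template that had "utm-status" cut out."""
    body = {
        "policyid": policyid, "status": "enable", "name": name,
        "srcintf": [{"name": n} for n in srcintf],
        "dstintf": [{"name": n} for n in dstintf],
        "action": "accept",
        "srcaddr": [{"name": n} for n in srcaddr],
        "dstaddr": [{"name": n} for n in dstaddr],
        "service": [{"name": n} for n in service],
        "profile-type": "single",
        "profile-protocol-options": "default",
        "ssl-ssh-profile": "certificate-inspection",
        "ips-sensor": ips_sensor,
        "application-list": app_list,
        "logtraffic": "utm", "nat": "disable", "schedule": "always",
    }
    if utm:
        body["utm-status"] = "enable"
    return body


def lint_policy(body):
    """Return a list of problems a 200 OK would hide (empty list = clean)."""
    issues = []
    wants_utm = [f for f in UTM_FIELDS if body.get(f)]
    if wants_utm and body.get("utm-status") != "enable":
        issues.append('utm-status must be "enable" for ' + ", ".join(wants_utm))
    for f in ("srcintf", "dstintf", "srcaddr", "dstaddr", "service"):
        if not body.get(f):
            issues.append(f"{f} is empty")
    return issues


def _names(value):
    # Member lists compare by their set of names; scalars compare as-is.
    return {m["name"] for m in value} if isinstance(value, list) else value


def unapplied(desired, actual):
    """Sorted list of fields whose read-back value differs from what was sent."""
    return sorted(k for k, v in desired.items() if _names(v) != _names(actual.get(k)))


def urllib_send(method, url, token, body=None, verify=True):
    """Real transport: returns (http_status, parsed_json). verify=False is
    for lab boxes with self-signed certs only."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    req = urllib.request.Request(
        url, method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, json.loads(resp.read())


def apply_policy(send, host, token, body, vdom="root"):
    """Lint, PUT, then GET the policy back; return the fields that did not
    apply. `send` is urllib_send for a live firewall or a test double."""
    problems = lint_policy(body)
    if problems:
        raise ValueError("; ".join(problems))
    url = f"https://{host}/api/v2/cmdb/firewall/policy/{body['policyid']}?vdom={vdom}"
    status, _ = send("PUT", url, token, body)
    if status != 200:
        raise RuntimeError(f"PUT returned HTTP {status}")
    status, reply = send("GET", url, token)
    if status != 200:
        raise RuntimeError(f"GET returned HTTP {status}")
    return unapplied(body, reply["results"][0])


class FakeFortiGate:
    """Constructed stand-in: stores the PUT body and, with ignore_utm=True,
    blanks the UTM profiles the way the poster observed on 7.2.12."""
    def __init__(self, ignore_utm=False):
        self.stored, self.ignore_utm = {}, ignore_utm

    def __call__(self, method, url, token, body=None):
        if method == "PUT":
            self.stored = dict(body)
            if self.ignore_utm:
                for f in UTM_FIELDS:
                    self.stored[f] = ""
            return 200, {"status": "success"}
        return 200, {"results": [self.stored]}


SAMPLE = dict(policyid=42, name="cf-app-control", srcintf=["port1"],
              dstintf=["port2"], srcaddr=["100.119.64.0_24"],
              dstaddr=["cf-servers"], service=["HTTPS"])

if __name__ == "__main__":
    print(lint_policy(build_policy(**SAMPLE, utm=False)))
    print(apply_policy(FakeFortiGate(ignore_utm=True), "fw.example", "tok",
                       build_policy(**SAMPLE)))
```

The read-back step is the part worth keeping in any automation: on the poster's firewall the only signal that the profiles were ignored was the absence of a change, and a diff against a fresh GET turns that silence into a concrete list of field names.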