hklb
Visitor III
March 3, 2017
Solved

XML API

  • March 3, 2017
  • 2 replies
  • 14156 views

Hi,

Does anyone have experience with the XML API?

I don't know why, but none of my requests are able to execute, because I get the error "<errorCode>11</errorCode><errorMsg>No permission for the resource</errorMsg>".

This is what I did:

1) create a user with the super_admin profile

2) enable web service on the interface

3) download the WSDL from FortiManager

4) create a request as follows, URL: https://fmgIP:8080/FortiManagerWSxml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:r20="http://r200806.ws.fmg.fortinet.com/">
   <soapenv:Header/>
   <soapenv:Body>
      <r20:addCliGlobalSystemAdminUser>
         <!--Optional:-->
         <servicePass>
            <!--Optional:-->
            <userID>fmg</userID>
            <!--Optional:-->
            <password>fmg</password>
         </servicePass>
         <path>
            <!--Optional:-->
            <user>toto</user>
            <!--Optional:-->
            <option>?</option>
         </path>
         <!--1 or more repetitions:-->
         <data>
            <!--Zero or more repetitions:-->
            <hidden>0</hidden>
            <!--Zero or more repetitions:-->
            <pager-number>?</pager-number>
            <!--Zero or more repetitions:-->
            <mobile-number>?</mobile-number>
            <!--Zero or more repetitions:-->
            <phone-number>?</phone-number>
            <!--Zero or more repetitions:-->
            <email-address>?</email-address>
            <!--Zero or more repetitions:-->
            <first-name>?</first-name>
            <!--Zero or more repetitions:-->
            <last-name>?</last-name>
            <!--Optional:-->
            <rpc-permit>none</rpc-permit>
            <!--Optional:-->
            <two-factor-auth>disable</two-factor-auth>
            <!--Zero or more repetitions:-->
            <ca>?</ca>
            <!--Zero or more repetitions:-->
            <subject>?</subject>
            <!--Optional:-->
            <force-password-change>disable</force-password-change>
            <!--Zero or more repetitions:-->
            <password-expire>?</password-expire>
            <!--Zero or more repetitions:-->
            <radius-group-match>?</radius-group-match>
            <!--Optional:-->
            <radius-adom-override>disable</radius-adom-override>
            <!--Optional:-->
            <radius-accprofile-override>disable</radius-accprofile-override>
            <!--Optional:-->
            <wildcard>disable</wildcard>
            <!--Zero or more repetitions:-->
            <ssh-public-key3>?</ssh-public-key3>
            <!--Zero or more repetitions:-->
            <ssh-public-key2>?</ssh-public-key2>
            <!--Zero or more repetitions:-->
            <ssh-public-key1>?</ssh-public-key1>
            <!--Zero or more repetitions:-->
            <group>?</group>
            <!--Zero or more repetitions:-->
            <tacacs-plus-server>?</tacacs-plus-server>
            <!--Zero or more repetitions:-->
            <ldap-server>?</ldap-server>
            <!--Zero or more repetitions:-->
            <radius_server>?</radius_server>
            <!--Optional:-->
            <user_type>local</user_type>
            <!--Zero or more repetitions:-->
            <description>?</description>
            <!--Optional:-->
            <restrict-access>disable</restrict-access>
            <!--Zero or more repetitions:-->
            <profileid>Restricted_User</profileid>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost10>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost10>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost9>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost9>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost8>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost8>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost7>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost7>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost6>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost6>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost5>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost5>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost4>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost4>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost3>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost3>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost2>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost2>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost1>::/0</ipv6_trusthost1>
            <!--Zero or more repetitions:-->
            <trusthost10>255.255.255.255 255.255.255.255</trusthost10>
            <!--Zero or more repetitions:-->
            <trusthost9>255.255.255.255 255.255.255.255</trusthost9>
            <!--Zero or more repetitions:-->
            <trusthost8>255.255.255.255 255.255.255.255</trusthost8>
            <!--Zero or more repetitions:-->
            <trusthost7>255.255.255.255 255.255.255.255</trusthost7>
            <!--Zero or more repetitions:-->
            <trusthost6>255.255.255.255 255.255.255.255</trusthost6>
            <!--Zero or more repetitions:-->
            <trusthost5>255.255.255.255 255.255.255.255</trusthost5>
            <!--Zero or more repetitions:-->
            <trusthost4>255.255.255.255 255.255.255.255</trusthost4>
            <!--Zero or more repetitions:-->
            <trusthost3>255.255.255.255 255.255.255.255</trusthost3>
            <!--Zero or more repetitions:-->
            <trusthost2>255.255.255.255 255.255.255.255</trusthost2>
            <!--Zero or more repetitions:-->
            <trusthost1>0.0.0.0 0.0.0.0</trusthost1>
            <!--Optional:-->
            <change-password>disable</change-password>
            <!--Zero or more repetitions:-->
            <password>titi</password>
            <!--Zero or more repetitions:-->
            <userid>?</userid>
            <!--Zero or more repetitions:-->
            <dashboard>
               <!--Optional:-->
               <diskio-period>1hour</diskio-period>
               <!--Optional:-->
               <diskio-content-type>util</diskio-content-type>
               <!--Optional:-->
               <time-period>1hour</time-period>
               <!--Zero or more repetitions:-->
               <num-entries>10</num-entries>
               <!--Optional:-->
               <res-cpu-display>average</res-cpu-display>
               <!--Optional:-->
               <res-period>10min</res-period>
               <!--Optional:-->
               <res-view-type>history</res-view-type>
               <!--Optional:-->
               <log-rate-period>?</log-rate-period>
               <!--Optional:-->
               <log-rate-topn>5</log-rate-topn>
               <!--Optional:-->
               <log-rate-type>device</log-rate-type>
               <!--Optional:-->
               <widget-type>?</widget-type>
               <!--Zero or more repetitions:-->
               <tabid>0</tabid>
               <!--Optional:-->
               <status>open</status>
               <!--Zero or more repetitions:-->
               <refresh-interval>300</refresh-interval>
               <!--Zero or more repetitions:-->
               <column>0</column>
               <!--Zero or more repetitions:-->
               <name>?</name>
               <!--Zero or more repetitions:-->
               <moduleid>0</moduleid>
            </dashboard>
            <!--Zero or more repetitions:-->
            <dashboard-tabs>
               <!--Zero or more repetitions:-->
               <name>?</name>
               <!--Zero or more repetitions:-->
               <tabid>0</tabid>
            </dashboard-tabs>
            <!--Zero or more repetitions:-->
            <meta-data>
               <!--Zero or more repetitions:-->
               <fieldvalue>?</fieldvalue>
               <!--Optional:-->
               <status>enabled</status>
               <!--Optional:-->
               <importance>optional</importance>
               <!--Zero or more repetitions:-->
               <fieldlength>0</fieldlength>
               <!--Zero or more repetitions:-->
               <fieldname>?</fieldname>
            </meta-data>
            <!--Zero or more repetitions:-->
            <restrict-dev-vdom>
               <!--Zero or more repetitions:-->
               <dev-vdom>?</dev-vdom>
            </restrict-dev-vdom>
            <!--Zero or more repetitions:-->
            <policy-package>
               <!--Zero or more repetitions:-->
               <policy-package-name>?</policy-package-name>
            </policy-package>
            <!--Zero or more repetitions:-->
            <app-filter>
               <!--Zero or more repetitions:-->
               <app-filter-name>?</app-filter-name>
            </app-filter>
            <!--Zero or more repetitions:-->
            <ips-filter>
               <!--Zero or more repetitions:-->
               <ips-filter-name>?</ips-filter-name>
            </ips-filter>
            <!--Zero or more repetitions:-->
            <web-filter>
               <!--Zero or more repetitions:-->
               <web-filter-name>?</web-filter-name>
            </web-filter>
            <!--Zero or more repetitions:-->
            <adom-exclude>
               <!--Zero or more repetitions:-->
               <adom-name>?</adom-name>
            </adom-exclude>
            <!--Zero or more repetitions:-->
            <adom>
               <!--Zero or more repetitions:-->
               <adom-name>all_adoms</adom-name>
            </adom>
         </data>
         <session>?</session>
      </r20:addCliGlobalSystemAdminUser>
   </soapenv:Body>
</soapenv:Envelope>

5) It returns this error:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns1="http://jaxb.dev.java.net/array" xmlns:ns3="http://r200806.ws.fmg.fortinet.com/">
   <SOAP-ENV:Header/>
   <SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <ns3:addCliGlobalSystemAdminUserResponse>
         <status>
            <errorCode>11</errorCode>
            <errorMsg>No permission for the resource</errorMsg>
         </status>
      </ns3:addCliGlobalSystemAdminUserResponse>
   </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

 

Can anyone help me?

Lucas

    Best answer by ffischer (New Member, March 9, 2017)

    Had the same issues...

    You have to enable the user to log in to the API for using the XML-SOAP API:

    config sys admin user
        edit scriptuser
            set rpc-permit read-write
        next
    end

    I did not find it in the API Docs, but it is documented in the FortiManager CLI Reference.

    Quite hard to find...

    2 replies

    hklb (Author)
    Visitor III
    March 3, 2017

    I tested with the legacy operation WSDL file and it works fine, so the user/password and access to FMG are correct.

    Are there some options to enable in order to use other requests than the legacy operations?


    hklb (Author)
    Visitor III
    March 9, 2017

    Hi,

    Yes, I already did that... but same result...

    Does it work for you with "rpc-permit read-write"?

    Thanks

    ergotherego
    New Member
    March 10, 2017

    We were not able to use the API with a service account (remote user) even with rpc RW enabled. We ended up having to use the local admin account. So maybe try that?

    ffischer
    New Member
    March 13, 2017

    Yes, this works for me with FMGR 5.4.2. I created a new script user named scrusr.

    I suppose assigning the "Super_User" profile to the script user is necessary as well (OK... I did not test without...).

    config system admin user
        edit "scrusr"
            set password ENC <deleted>
            set profileid "Super_User"
            set adom "all_adoms"
            set policy-package "all_policy_packages"
            set description "Script User"
            config meta-data
                edit "Contact Email"
                next
                edit "Contact Phone"
                next
            end
            set rpc-permit read-write
            config dashboard
                ........<deleted>
            end
        next
    end

    avremy
    New Member
    July 16, 2019

    For those that struggled with this: you need to use the execSysLoginUser operation to get a session code, then use it in all the following requests until it expires.

    request:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                      xmlns:r20="http://r200806.ws.fmg.fortinet.com/">
    <soapenv:Header/>
    <soapenv:Body>
      <r20:execSysLoginUser>
        <data>
          <user>user</user>
          <passwd>password</passwd>
        </data>
      </r20:execSysLoginUser>
    </soapenv:Body>
    </soapenv:Envelope>

     

    response:

    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                       xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                       xmlns:ns1="http://jaxb.dev.java.net/array" xmlns:ns3="http://r200806.ws.fmg.fortinet.com/">
    <SOAP-ENV:Header/>
    <SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <ns3:execSysLoginUserResponse>
        <status>
          <errorCode>0</errorCode>
          <errorMsg>OK</errorMsg>
        </status>
        <session>e3zuodiMYmQIWzH36zT9+EVAFooHR8iYqUebs+94U68zORiAbkd4d6BqCr9ml9IMq3ymZtBa8pvVLjKjhEnx4g==</session>
      </ns3:execSysLoginUserResponse>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

     

    then an example authenticated request would look like this:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:r20="http://r200806.ws.fmg.fortinet.com/">
       <soapenv:Header/>
       <soapenv:Body>
          <r20:getSysStatus>
             <session>e3zuodiMYmQIWzH36zT9+EVAFooHR8iYqUebs+94U68zORiAbkd4d6BqCr9ml9IMq3ymZtBa8pvVLjKjhEnx4g==</session>
          </r20:getSysStatus>
       </soapenv:Body>
    </soapenv:Envelope>

     

    Hope this helps someone.

    Avremy
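The login-then-session flow described in this thread, as an added Python example that is not part of the thread or of Fortinet's own tooling: it builds the execSysLoginUser envelope, parses a response for errorCode/errorMsg (flagging errorCode 11 as the rpc-permit symptom from the accepted answer), and carries the returned session token into the next request. The r20 namespace, operation and element names are taken from the posts above; the sample responses and the EXAMPLE_SESSION_TOKEN value are constructed so the code runs offline.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
FMG_NS = "http://r200806.ws.fmg.fortinet.com/"  # the r20 namespace used in the thread

def build_envelope(operation: str, body_xml: str) -> str:
    """Wrap one FortiManager XML API operation in a SOAP 1.1 envelope."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:r20="{FMG_NS}">'
            f"<soapenv:Header/><soapenv:Body><r20:{operation}>{body_xml}"
            f"</r20:{operation}></soapenv:Body></soapenv:Envelope>")

def build_login_request(user: str, passwd: str) -> str:
    """execSysLoginUser request; escape() keeps a '<' or '&' in the password out of the markup."""
    body = f"<data><user>{escape(user)}</user><passwd>{escape(passwd)}</passwd></data>"
    return build_envelope("execSysLoginUser", body)

def build_session_request(operation: str, session: str) -> str:
    """Later calls carry the session token (a bearer secret until expiry), not the password."""
    return build_envelope(operation, f"<session>{escape(session)}</session>")

def parse_response(xml_text: str) -> dict:
    """Extract errorCode/errorMsg (and session). errorCode 11 'No permission for
    the resource' is the thread's symptom of a missing 'set rpc-permit read-write'."""
    root = ET.fromstring(xml_text)
    code = int(root.findtext(".//errorCode", default="-1"))
    hint = "check 'set rpc-permit read-write' on the admin user" if code == 11 else None
    return {"code": code, "msg": root.findtext(".//errorMsg"),
            "session": root.findtext(".//session"), "hint": hint}

def next_request_after_login(login_response_xml: str, operation: str) -> str:
    """Session-reuse flow: take the token returned by execSysLoginUser and
    build the next authenticated request (e.g. getSysStatus) with it."""
    result = parse_response(login_response_xml)
    if result["code"] != 0 or not result["session"]:
        raise PermissionError(f"login failed: {result['code']} {result['msg']}")
    return build_session_request(operation, result["session"])

# Constructed sample responses with the same shape as the ones quoted in the thread.
def _wrap(body: str) -> str:
    return (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}" xmlns:ns3="{FMG_NS}">'
            f"<SOAP-ENV:Body>{body}</SOAP-ENV:Body></SOAP-ENV:Envelope>")
DENIED_RESPONSE = _wrap(
    "<ns3:addCliGlobalSystemAdminUserResponse><status><errorCode>11</errorCode>"
    "<errorMsg>No permission for the resource</errorMsg></status>"
    "</ns3:addCliGlobalSystemAdminUserResponse>")
LOGIN_RESPONSE = _wrap(
    "<ns3:execSysLoginUserResponse><status><errorCode>0</errorCode>"
    "<errorMsg>OK</errorMsg></status><session>EXAMPLE_SESSION_TOKEN==</session>"
    "</ns3:execSysLoginUserResponse>")
```

Against a live FortiManager the envelopes would be POSTed to the FortiManagerWSxml URL from the first post; here the constructed responses stand in for the server.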