FortiGate
Ted
Staff
Article Id 344460
Description

This article describes why API error 403 occurs in a multi-VDOM environment. When an API client sends a request to the URL '/api/v2/monitor/system/status' with the parameter 'vdom=<VDOM name>' to retrieve VDOM-specific status information, a FortiGate sometimes refuses the request and returns API error 403. Error 403 indicates that the API server received the request from the API client but refused to process it.

root@ted:/home/ted/Desktop# curl -k -X GET "https://<FGT IP>:443/api/v2/monitor/system/status?vdom=vd1&access_token=<api token>" -H "accept: application/json"

{
  "http_method":"GET",
  "status":"error",
  "http_status":403, <----- Indicates the API server received the request but refused it.
  "vdom":"vd1",
  "path":"system",
  "name":"status",
  "action":""
}

If the API client sends the request again with the parameter 'global=1' instead, the FortiGate returns status information for the root VDOM only.

root@ted:/home/ted/Desktop# curl -k -X GET "https://<FGT IP>:443/api/v2/monitor/system/status?global=1&access_token=<api token>" -H "accept: application/json"

[{
  "http_method":"GET",
  "results":{
    "model_name":"FortiGate",
    "model_number":"VM64",
    "model":"FGVM64",
    "hostname":"FGVM02",
    "log_disk_status":"available"
  },
  "vdom":"root", <----- Returned root VDOM's status information only.
  "path":"system",
  "name":"status",
  "action":"",
  "status":"success",
  "serial":"FGVM02",
  "version":"v7.2.9",
  "build":1688
}]

Scope

FortiGate.

Solution

Add the VDOMs the client needs to query, such as 'vd1' and 'vd2', to the 'api_admin' entry under 'config system api-user'. Then edit the Admin Profile assigned to the REST API admin so that it has read-write permissions.

config system api-user
    edit "api_admin"
        set comments ''
        set api-key ENC SH2G6Yh2pzV2x2CfbTyEnJo+yMfEKn3QXCXvOO4/A+m3JEwtGrE8MDPyUkAhHs=
        set accprofile "api_prof"
        set vdom "root" "vd1" "vd2" ---> add vdom vd1, vd2
        set schedule ''
        set cors-allow-origin ''
        set peer-auth disable
    next
end


With the VDOMs added to the API user account and the Admin Profile granted read-write permissions, the API server returns status information for the root, vd1, and vd2 VDOMs.

root@ted:/home/ted/Desktop# curl -k -X GET "https://<FGT IP>:443/api/v2/monitor/system/status?global=1&access_token=<api token>" -H "accept: application/json"

[{
  "http_method":"GET",
  "results":{
    "model_name":"FortiGate",
    "model_number":"VM64",
    "model":"FGVM64",
    "hostname":"FGVM02",
    "log_disk_status":"available"
  },
  "vdom":"root", <----- Returned root VDOM's status information.
  "path":"system",
  "name":"status",
  "action":"",
  "status":"success",
  "serial":"FGVM02",
  "version":"v7.2.9",
  "build":1688
},
{
  "http_method":"GET",
  "results":{
    "model_name":"FortiGate",
    "model_number":"VM64",
    "model":"FGVM64",
    "hostname":"FGVM02",
    "log_disk_status":"available"
  },
  "vdom":"vd1", <----- Returned vd1 VDOM's status information.
  "path":"system",
  "name":"status",
  "action":"",
  "status":"success",
  "serial":"FGVM02",
  "version":"v7.2.9",
  "build":1688
},
{
  "http_method":"GET",
  "results":{
    "model_name":"FortiGate",
    "model_number":"VM64",
    "model":"FGVM64",
    "hostname":"FGVM02",
    "log_disk_status":"available"
  },
  "vdom":"vd2", <----- Returned vd2 VDOM's status information.
  "path":"system",
  "name":"status",
  "action":"",
  "status":"success",
  "serial":"FGVM02",
  "version":"v7.2.9",
  "build":1688
}]
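As an added example (not Fortinet's code or this article's own), the Python below performs the check an operator would run after the change above: it parses the two response shapes shown in this article, reports which VDOMs are still refused or absent from a 'global=1' response, and includes a request helper that sends the token in an Authorization header rather than in the URL. The host name, token and expected VDOM list are assumptions supplied by the caller; the sample bodies are constructed from the article's output.

```python
"""Diagnose FortiGate REST API 403s caused by a VDOM not assigned to the api-user.

Added example, not Fortinet's code. It interprets the two response shapes in this
article: the single error object returned when '?vdom=<name>' is refused, and the
list of per-VDOM objects returned for '?global=1'. Sample bodies are constructed
from the article's output; the live request helper is stdlib-only and not called here.
"""
import json
import ssl
import urllib.error
import urllib.request

# Constructed sample: the 403 body from the article (vd1 not yet assigned to api_admin).
REFUSED_BODY = ('{"http_method":"GET","status":"error","http_status":403,'
                '"vdom":"vd1","path":"system","name":"status","action":""}')
# Constructed sample: the 'global=1' body from the article before vd1/vd2 were assigned.
GLOBAL_BODY = ('[{"http_method":"GET","results":{"hostname":"FGVM02"},"vdom":"root",'
               '"status":"success","version":"v7.2.9","build":1688}]')


def diagnose(body, expected_vdoms):
    """Return (ok, findings); ok is False when an expected VDOM is refused or missing."""
    data = json.loads(body)
    if isinstance(data, dict):  # single-VDOM request: one object, success or error
        if data.get("status") == "error" and data.get("http_status") == 403:
            return False, [f"VDOM '{data.get('vdom')}' refused (403): add it with "
                           "'set vdom' on the api-user and check its accprofile"]
        return data.get("status") == "success", []
    # global=1 request: one object per VDOM the api-user is allowed to see
    returned = {item.get("vdom") for item in data if item.get("status") == "success"}
    missing = sorted(set(expected_vdoms) - returned)
    return not missing, [f"VDOM '{v}' absent from global=1 response: not assigned "
                         "to the api-user" for v in missing]


def fetch_status(fgt_host, token, vdom=None):
    """GET /api/v2/monitor/system/status; returns (http_status, body), also on a 403."""
    query = f"?vdom={vdom}" if vdom else "?global=1"
    url = f"https://{fgt_host}/api/v2/monitor/system/status{query}"
    # Token goes in the Authorization header rather than the URL as in the article's
    # curl line, so it does not end up in proxy or web-server access logs.
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                               "Accept": "application/json"})
    ctx = ssl.create_default_context()  # verify the FortiGate certificate (no curl -k)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # FortiGate returns a JSON body with the 403
        return err.code, err.read().decode()
```

Run diagnose() on the body returned by fetch_status() with the VDOM list the api-user is expected to cover; an empty findings list confirms the 'set vdom' change took effect.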
