This KB describes the REST API.
The REST API can be used from a script to retrieve, create, update and delete configuration settings, to retrieve system logs and statistics, and to perform basic administrative actions such as reboot and shut down.
There are two ways a user can authenticate against the API:
1) Session-based authentication
The authentication is valid per login session. The user needs to send a login request to obtain an authentication cookie and a CSRF token to be used for subsequent requests. The user then needs to send a logout request to invalidate the authentication cookie and CSRF token.
The CSRF token is available in the session csrftoken cookie, which must be included in the request header under X-CSRFTOKEN.
Note: The HTTP POST, PUT and DELETE methods require CSRF tokens. Read requests (HTTP GET) do not require CSRF tokens.
How to get the CSRF token from the FortiGate firewall:
HTTP POST Request:
The FortiGate will respond with three cookies: APSCOOKIE_9538334086037707851, ccsrftoken and ccsrftoken_9538334086037707851.
Example: In each HTTP request, the client must send X-CSRFTOKEN in the header.
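The session flow described above, as an added example that is not part of the original KB or Fortinet's own code: it reads the CSRF token out of the login response cookies and attaches X-CSRFTOKEN only to POST, PUT and DELETE requests. The cookie names come from the text; the cookie values, the surrounding quotes and the function names are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Methods the KB says require the CSRF token; GET does not.
CSRF_METHODS = {"POST", "PUT", "DELETE"}

# Constructed login response headers (names from the text, values made up).
SAMPLE_SET_COOKIE = [
    'APSCOOKIE_9538334086037707851="constructed-session-value"; path=/; secure; httponly',
    'ccsrftoken="0123456789ABCDEF0123456789ABCDEF"; path=/; secure',
    'ccsrftoken_9538334086037707851="0123456789ABCDEF0123456789ABCDEF"; path=/; secure',
]


def parse_login_cookies(set_cookie_headers):
    """Merge the Set-Cookie headers of the login response into one jar."""
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    return jar


def csrf_token(jar):
    """Return the unquoted CSRF token, or None if the login set none."""
    if "ccsrftoken" in jar:
        return jar["ccsrftoken"].value
    for name, morsel in jar.items():
        if name.startswith("ccsrftoken_"):
            return morsel.value
    return None


def build_headers(method, jar):
    """Headers for one API request made inside the login session."""
    # coded_value keeps each cookie exactly as the device sent it.
    headers = {"Cookie": "; ".join(f"{m.key}={m.coded_value}" for m in jar.values())}
    if method.upper() in CSRF_METHODS:
        token = csrf_token(jar)
        if not token:
            # Fail locally instead of sending a write without the required token.
            raise ValueError("no CSRF token in session cookies")
        headers["X-CSRFTOKEN"] = token
    return headers


if __name__ == "__main__":
    jar = parse_login_cookies(SAMPLE_SET_COOKIE)
    for method in ("GET", "POST"):
        print(method, sorted(build_headers(method, jar)))
```

Treat the session cookie and the CSRF token as credentials: keep them out of logs and send the logout request when the script finishes so both are invalidated.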
2) Token-based authentication
The authentication is done via a single API token. This token is only generated when creating an API admin. The user must store this token in a safe place because it cannot be retrieved again. The user can, however, regenerate the token at any time. Each API request must include the token in order to be authenticated as the associated API admin.
Create API admin:
HTTP GET Request through access-token:
Sample output:
Supported HTTP methods:
The FortiOS REST APIs support the following HTTP methods:
GET: Retrieve a resource or collection of resources.
POST: Create a resource or execute actions.
PUT: Update a resource.
DELETE: Delete a resource or collection of resources.