FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 195425

This KB describes the REST API.

The REST API can be used to retrieve, create, update and delete configuration settings, to retrieve system logs and statistics, and to perform basic administrative actions such as reboot and shut down through programming script.

There are two ways a user can authenticate against the API:
- Session-based authentication
- Token-based authentication

1) Session-based authentication

Authentication is valid for one login session. The user first sends a login request to obtain an authentication cookie and a CSRF token, which are then used in subsequent requests. When finished, the user sends a logout request to invalidate the authentication cookie and CSRF token.

The CSRF token is delivered in the session's csrftoken cookie; its value must be sent in the X-CSRFTOKEN request header.

Note: Write requests (HTTP POST/PUT/DELETE) require a CSRF token. Read requests (HTTP GET) do not.

How to get a CSRF token from the FortiGate firewall:
HTTP POST request:
Fortigate-IP/logincheck with the form body username=AdminUser&secretkey=AdminPassword&ajax=1

HTTP response:
The FortiGate responds with three cookies: APSCOOKIE_9538334086037707851, ccsrftoken and ccsrftoken_9538334086037707851.

Example: in each HTTP request, the client must send the X-CSRFTOKEN header.
2) Token-based authentication

Authentication is done with a single API token. This token is generated only when an API admin is created, and it cannot be retrieved again afterwards, so the user must store it in a safe place. The user can, however, regenerate the token at any time. Each API request must include the token in order to be authenticated as the associated API admin.
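As an added example (not Fortinet's own code), the following Python helpers implement the two flows just described: building the /logincheck login, pulling ccsrftoken and the other cookies out of the login response, attaching X-CSRFTOKEN only to write requests, and carrying the API token on token-based calls. The /logout path and the Bearer-header form of the API token are assumptions not stated in this article, and the Set-Cookie values are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlencode

CSRF_HEADER = "X-CSRFTOKEN"
WRITE_METHODS = {"POST", "PUT", "DELETE"}   # GET needs no CSRF token


def login_request(host, username, password):
    """Build the session login: POST /logincheck with username, secretkey and ajax=1."""
    body = urlencode({"username": username, "secretkey": password, "ajax": "1"})
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return "POST", f"https://{host}/logincheck", headers, body


def parse_login_cookies(set_cookie_headers):
    """Collect the cookies the FortiGate returns on login (APSCOOKIE_*, ccsrftoken, ccsrftoken_*)."""
    jar = {}
    for raw in set_cookie_headers:
        cookie = SimpleCookie()
        cookie.load(raw)
        for name, morsel in cookie.items():
            jar[name] = morsel.value   # morsel.value has the surrounding quotes removed
    return jar


def session_headers(method, jar):
    """Headers for a session-authenticated call: cookies always, X-CSRFTOKEN only for writes."""
    headers = {"Cookie": "; ".join(f"{k}={v}" for k, v in jar.items())}
    if method.upper() in WRITE_METHODS:
        token = jar.get("ccsrftoken")
        if not token:
            raise ValueError("no ccsrftoken cookie: send the login request first")
        headers[CSRF_HEADER] = token
    return headers


def logout_request(host, jar):
    """Invalidate the session. The /logout path is an assumption, not stated in the article."""
    return "POST", f"https://{host}/logout", session_headers("POST", jar)


def token_headers(api_token):
    """Token-based auth: every request carries the API admin's token (Bearer form is an assumption)."""
    return {"Authorization": f"Bearer {api_token}"}


# Constructed sample of a login response's Set-Cookie headers (values are made up).
SAMPLE_SET_COOKIES = [
    'APSCOOKIE_9538334086037707851="Era%3D0%26Payload%3Dexample"; Path=/; Secure; HttpOnly',
    'ccsrftoken="0D8F2C1E4B"; Path=/; Secure',
    'ccsrftoken_9538334086037707851="0D8F2C1E4B"; Path=/; Secure',
]
```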

Create API admin:
Sample output:

Supported HTTP methods:

The FortiOS REST APIs support the following HTTP methods:

HTTP Method   Description
GET           Retrieve a resource or collection of resources.
POST          Create a resource or execute actions.
PUT           Update a resource.
DELETE        Delete a resource or collection of resources.