achowdhury
Staff
Article Id 195217
Description
This article provides basic guidelines for accessing the FortiGate REST API with a PKI group.

For detailed documents and tools, join https://fndn.fortinet.net

Solution
FortiGate REST API:

1) Configure the api-user. Reference link: https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/883891/system-api-user

Example:
# config system api-user
    edit "API"
        set api-key ENC SH2V23PfJqBVpwCrvWlbMMnMw+TAZ8iuw01scTpQkiw0+bwDi/Zxf2qxM7+zyQ=
        set accprofile "API"
        set vdom "root"
        set peer-auth enable
        # config trusthost
            edit 1
                set ipv4-trusthost 10.191.47.0 255.255.255.0
            next
        end
        set peer-group "TEST" ---> this is the important step
    next
end
2) Log in to FortiGate via curl:
# curl --key ./<user private key> --cert <user certificate> -v --cacert <CA certificate> https://<FQDN>/api/v2/cmdb/firewall/address/?access_token=<put the token after generation> --tlsv1.2
3) Example of the output via curl, if successful:
# curl --key ./useKeyr.pem --cert ./user.crt -v --cacert /etc/ssl/certs/Fortinet_CA https://FGVM020000158352/api/v2/cmdb/firewall/address/?access_token=t9t4sm6qpwHr8qGpyb3xy9ybts1t8r --tlsv1.2
* Server certificate:
* subject: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=FortiGate; CN=FGVM020000158352; emailAddress=support@fortinet.com
* start date: Oct 23 11:04:36 2019 GMT
* expire date: Jan 19 03:14:07 2056 GMT
* common name: FGVM020000158352 (matched)
* issuer: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=Certificate Authority; CN=fortinet-subca2001; emailAddress=support@fortinet.com
* SSL certificate verify ok.
> GET /api/v2/cmdb/firewall/address/?access_token=t9t4sm6qpwHr8qGpyb3xy9ybts1t8r HTTP/1.1
> Host: FGVM020000158352
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 08 Jul 2020 11:53:10 GMT
< Server: Apache
< X-Frame-Options: SAMEORIGIN
< Content-Security-Policy: frame-ancestors 'self'
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=0
< X-UA-Compatible: IE=Edge
< Cache-Control: no-cache, must-revalidate
< ETag: 2a3997e13943e98865004c368a65a8de
< Content-Length: 7940
< Content-Type: application/json
<
{
"http_method":"GET",
"revision":"2a3997e13943e98865004c368a65a8de",
"results":[
{
"name":"FABRIC_DEVICE",
"q_origin_key":"FABRIC_DEVICE",
"uuid":"70ce8e32-b7a7-51ea-c80b-1fc1e86bfcfc",
"subnet":"0.0.0.0 0.0.0.0",
"type":"ipmask",
"sub-type":"sdn",
"clearpass-spt":"unknown",
"start-mac":"00:00:00:00:00:00",
"end-mac":"00:00:00:00:00:00",
"country":"",
"cache-ttl":0,
"sdn":"",
"fsso-group":[
],
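
As an added example (not part of the original article and not Fortinet code), the wrapper below makes the same certificate-authenticated call as step 2 but keeps the token out of the URL, where the curl output in step 3 shows it appearing in the request line. It assumes the FortiOS build accepts the token in an Authorization: Bearer header and that tokens are alphanumeric like the one shown; fgt_private, fgt_preflight and fgt_api_get are hypothetical names.

```bash
# Added example, not Fortinet code. Hypothetical names: fgt_private,
# fgt_preflight, fgt_api_get. All paths are supplied by the caller.

# True if the file exists and grants nothing to group or other (0600 or stricter).
fgt_private() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Validate inputs before any request is sent.
# Args: <client cert> <client key> <CA cert> <token file>
fgt_preflight() {
  for f in "$1" "$3"; do
    [ -r "$f" ] || { echo "missing certificate: $f" >&2; return 2; }
  done
  fgt_private "$2" || { echo "key must be 0600 or stricter: $2" >&2; return 3; }
  fgt_private "$4" || { echo "token file must be 0600 or stricter: $4" >&2; return 4; }
  # Assumption: tokens are alphanumeric, like the one in the article's output.
  case $(cat "$4") in
    ''|*[!A-Za-z0-9]*) echo "token is empty or malformed" >&2; return 5 ;;
  esac
}

# GET an API path over mutual TLS. The token is sent as a header that curl
# reads from stdin (-K -), so it stays out of the URL, curl's argv and any
# log that records the request line.
# Args: <fqdn> <api path> <client cert> <client key> <CA cert> <token file>
fgt_api_get() {
  fgt_preflight "$3" "$4" "$5" "$6" || return $?
  printf 'header = "Authorization: Bearer %s"\n' "$(cat "$6")" |
    curl -K - --silent --show-error --fail --tlsv1.2 \
         --cert "$3" --key "$4" --cacert "$5" "https://$1$2"
}

# Usage (placeholders as in step 2):
# fgt_api_get <FQDN> /api/v2/cmdb/firewall/address/ ./user.crt ./user.key ./ca.crt ./token
```

The trusthost and peer-group settings from step 1 still apply; the wrapper only changes how the token is carried and refuses to run with a loosely permissioned key or token file.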
