FortiGate
smaruvala
Staff
Article Id 368878
Description This article describes one of the reasons why FortiGate does not update the dynamic firewall address object even though it receives the REST API command to update the address object.
Scope FortiGate and FortiNAC integration.
Solution
  • On the FortiGate, REST API logs are not recorded by default. The configuration below enables logging of REST API events.


config log setting
    set rest-api-set enable
    set rest-api-get enable
end


  • Once the configuration is enabled, the REST API logs can be viewed under Log and Report -> Events -> REST API Events.
  • To update the dynamic address object, FortiNAC sends the REST API request with the POST method to the URL '/api/v2/monitor/firewall/address-fabric/update'.
  • The REST API Event logs on the FortiGate show that this request failed with a '401 Unauthorized' error.


[Screenshot api.png: REST API Event log entry showing the failed request with the 401 Unauthorized error]


  • For further troubleshooting, the following debug commands can be run on the FortiGate to collect more information.


diagnose debug console timestamp enable
diagnose debug application httpsd -1
diagnose debug cli 8
diagnose debug application fcnacd -1
diagnose debug application csf -1
diagnose endpoint filter show-large-data yes
diag debug enable


  • The debug output shows that the FortiGate receives the REST API request to update the dynamic address and sends a '401 Unauthorized' response back.


2024-08-09 13:25:14 <62866-M> 10 nstd_rest_query_hd()-542: REST query data len=431
POST /api/v2/monitor/firewall/address-fabric/update HTTP/1.1
Accept: application/json
Content-Type: application/json
X-CSF-SN: XXXXXXXXXXX
X-ADMIN-NAME: YYYYYYY
User-Agent: FortiNAC CSF
Host: 127.0.0.1
Content-Length: 192


2024-08-09 13:25:17 <62866-M> 10 nstd_recv_reply_hd()-274: REST reply path len=34 packet#:0 rhdr.stat:0
ZZZZZZZZZ:XXXXXXXXXXX
2024-08-09 13:25:17 <62866-M> 10 nstd_recv_reply_hd()-281: REST reply data len=746
HTTP/1.1 401 Unauthorized
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
Content-Length: 503
Content-Type: text/html; charset=iso-8859-1


  • The debug also shows the reason for the failure. When the FortiGate receives the REST API request, it processes the request and generates the response to the POST. If it cannot process the request, the httpsd debug prints the reason. The debug output below shows why the firewall rejected this REST API request.


2024-08-09 13:25:14 [httpsd 13993 - 1707432914 info] fweb_debug_init[428] -- New POST request for "/api/v2/monitor/firewall/address-fabric/update" from "127.0.0.1:6998"
2024-08-09 13:25:14 [httpsd 13993 - 1707432914 info] fweb_debug_init[430] -- User-Agent: "FortiNAC CSF"
2024-08-09 13:25:14 [httpsd 13993 - 1707432914 info] fweb_debug_init[432] -- Handler "api_monitor_v2-handler" assigned to request
2024-08-09 13:25:14 [httpsd 13993 - 1707432914 info] aps_is_miglog_request[552] -- Checking if REST request came from miglog
2024-08-09 13:25:14 [httpsd 13993 - 1707432914 info] authorize_csf_admin[219] -- Read only header value: 0
2024-08-09 13:25:14 [httpsd 13993 - 1707432914 error] authorize_csf_admin[269] -- Access for requests from downstream devices is disabled. --> Log pointing to the reason for failure.
2024-08-09 13:25:14 [httpsd 13993 - 1707432914 info] fweb_debug_final[318] -- Completed POST request for "/api/v2/monitor/firewall/address-fabric/update" (HTTP 401 Unauthorized)
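
As an added example (not part of this article or of any Fortinet tool), the following Python helper groups httpsd debug lines such as those above into individual requests and extracts the error-level reason logged for each failed address-fabric update, so that the cause of a 401 can be picked out of a long debug capture. The sample input is the article's own debug output with the "--> Log pointing to ..." annotation removed.

```python
import re

# Sample input: the httpsd debug lines shown in this article, with the
# "--> Log pointing to ..." annotation removed so the line parses as captured.
SAMPLE_DEBUG = """\
2024-08-09 13:25:14 [httpsd 13993 - 1707432914 info] fweb_debug_init[428] -- New POST request for "/api/v2/monitor/firewall/address-fabric/update" from "127.0.0.1:6998"
2024-08-09 13:25:14 [httpsd 13993 - 1707432914 info] fweb_debug_init[430] -- User-Agent: "FortiNAC CSF"
2024-08-09 13:25:14 [httpsd 13993 - 1707432914 info] fweb_debug_init[432] -- Handler "api_monitor_v2-handler" assigned to request
2024-08-09 13:25:14 [httpsd 13993 - 1707432914 info] authorize_csf_admin[219] -- Read only header value: 0
2024-08-09 13:25:14 [httpsd 13993 - 1707432914 error] authorize_csf_admin[269] -- Access for requests from downstream devices is disabled.
2024-08-09 13:25:14 [httpsd 13993 - 1707432914 info] fweb_debug_final[318] -- Completed POST request for "/api/v2/monitor/firewall/address-fabric/update" (HTTP 401 Unauthorized)
"""

# One httpsd debug line: "<date> <time> [httpsd <pid> - <id> <level>] <func>[<n>] -- <msg>"
LINE_RE = re.compile(r'^\S+ \S+ \[httpsd (?P<pid>\d+) - \d+ (?P<level>\w+)\] '
                     r'\w+\[\d+\] -- (?P<msg>.*)$')
START_RE = re.compile(r'New (?P<method>\w+) request for "(?P<url>[^"]+)"')
END_RE = re.compile(r'Completed \w+ request for "[^"]+" \(HTTP (?P<code>\d{3}) ')

def parse_httpsd_debug(text):
    """Group lines into requests (keyed by httpsd pid) and keep each request's
    method, URL, final HTTP status and any error-level messages logged in between."""
    open_reqs, done = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines from other debug sources (e.g. csf, fcnacd) are ignored
        pid, level, msg = m['pid'], m['level'], m['msg']
        if start := START_RE.search(msg):
            open_reqs[pid] = {'method': start['method'], 'url': start['url'],
                              'status': None, 'errors': []}
        elif (req := open_reqs.get(pid)) is not None:
            if level == 'error':
                req['errors'].append(msg)
            if end := END_RE.search(msg):
                req['status'] = int(end['code'])
                done.append(open_reqs.pop(pid))
    return done

def failed_fabric_updates(text):
    """Status and logged reasons for each address-fabric update that did not return 200."""
    return [(r['status'], r['errors']) for r in parse_httpsd_debug(text)
            if r['url'].endswith('/address-fabric/update') and r['status'] != 200]
```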


  • The log above indicates that the option 'Allow downstream device REST API access' is not enabled in the Security Fabric settings. This option must be enabled to use certain supported devices (such as FortiDeceptor, FortiMonitor, and FortiNAC) and the Fabric event trigger. See the Administration Guide for more information. API permission can also be granted to specific fabric connectors with the following setting.


config system csf
    config fabric-connector
        edit <FNAC_SN>
            set accprofile <fnac_override_profile>
        next
    end
end