FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
mrafat
Staff
Article Id 289178
Description

 

This article describes how to use FortiManager REST API Calls to extract FortiGate's Revision history, view its configuration, and revert to a specific revision if needed.

 

Scope

 

FortiManager-VM, FortiManager.

 

Solution

 

Prerequisites:

  • Make sure that the FortiManager administrator profile has JSON Read/Write access, as below:
 

Read_Write Profile.png

 

  • To make the API requests from the tool chosen, it is necessary to have a session ID. A login operation is required to get this session ID. This session ID can be used in all subsequent FortiManager JSON API requests.

 

In the below example, the REST API Calls will be demonstrated in Postman:

 

POST: https://x.x.x.x/jsonrpc (where x.x.x.x is the FortiManager IP)

 

Request:

 

{
  "id": 1,
  "method": "exec",
  "params": [
    {
      "data": [
        {
          "passwd": "",
          "user": "admin"
        }
      ],
      "url": "sys/login/user"
    }
  ],
  "session": null
}

 

Response:

 

{
    "result": [
        {
            "status": {
                "code": 0,
                "message": "OK"
            },
            "url": "sys/login/user"
        }
    ],
    "session": "1RlvZuWZA31a+t7oBhWAeBpmtmtmv1yI+0btMGseNQEqY+/zdydc5CHDh3y2GgWZJyivguCOommQ4H1TfB1Kpw==",
    "id": 1
}

 

Getting the Revision History of FortiGate:

 

  1. After obtaining the Session ID, the next step is creating the request for getting the Revision history of the managed FortiGate as below:

 

Request:

 

{
  "id": 1,
  "jsonrpc": "1.0",
  "method": "exec",
  "params": [
    {
      "data": {
        "device": "gargamel-fmg-esx22"
      },
      "url": "/deployment/get/device/revision"
    }
  ],
  "session": "1RlvZuWZA31a+t7oBhWAeBpmtmtmv1yI+0btMGseNQEqY+/zdydc5CHDh3y2GgWZJyivguCOommQ4H1TfB1Kpw==",
  "verbose": 1
}

 

 

Response:

{
    "result": [
        {
            "data": {
                "base_ver": 2,
                "revinfo": [
                    {
                        "comments": "Retrieve",
                        "error": "",
                        "extra_info": "",
                        "instime": "2023-12-06 15:19:32",
                        "instusr": "admin",
                        "modtime": "2023-12-06 15:19:32",
                        "modusr": "admin",
                        "revision": 2,
                        "status": 10,
                        "tag": ""
                    },
                    {
                        "comments": "",
                        "error": "",
                        "extra_info": "",
                        "instime": "2023-12-06 14:58:39",
                        "instusr": "admin",
                        "modtime": "2023-12-06 14:58:39",
                        "modusr": "admin",
                        "revision": 1,
                        "status": 10,
                        "tag": ""
                    }
                ]
            },
            "status": {
                "code": 0,
                "message": "OK"
            },
            "url": "/deployment/get/device/revision"
        }
    ],
    "id": 1
}

 

  1. The above output shows 2 revisions in the history of the FortiGate with the hostname 'gargamel-fmg-esx22'.
  2. In the FortiManager GUI, go to Device Manager and double-click the desired FortiGate. Under the Configuration & Installation pane, select 'Revision' to check the existing revisions for the FortiGate.


Revision history.png

 

Reverting the Revision history of a FortiGate: 

 

  1. To revert to Revision#1 instead of Revision#2, use the following request:

 

Request:

 

{
  "id": 1,
  "jsonrpc": "1.0",
  "method": "exec",
  "params": [
    {
      "data": {
        "device": "gargamel-fmg-esx22",
        "revision": 1
      },
      "url": "/deployment/revert"
    }
  ],
  "session": "1RlvZuWZA31a+t7oBhWAeBpmtmtmv1yI+0btMGseNQEqY+/zdydc5CHDh3y2GgWZJyivguCOommQ4H1TfB1Kpw==",
  "verbose": 1
}

 

Response:

 

{
    "result": [
        {
            "status": {
                "code": 0,
                "message": "OK"
            },
            "url": "/deployment/revert"
        }
    ],
    "id": 1
}

 

  1. To validate that the revert has taken effect, go to Device Manager in the FortiManager GUI, double-click the FortiGate, and select 'Revision' in the Configuration & Installation pane. Revision#1 is now the selected revision, as below:


Reverted.png

Getting the complete FortiGate configuration for a certain Revision:

  • To extract the FortiGate Configuration for a certain revision, below is the REST API Request for it.
  • In this example, the FortiGate config file will be extracted for Revision#1.
  • The Response will produce the full FortiGate configuration.

 

Request:

 

{
  "id": 1,
  "jsonrpc": "1.0",
  "method": "exec",
  "params": [
    {
      "data": {
        "device": "weepy-fmg-esx37",
        "revision": 1
      },
      "url": "/deployment/checkout/revision"
    }
  ],
  "session": "1RlvZuWZA31a+t7oBhWAeBpmtmtmv1yI+0btMGseNQEqY+/zdydc5CHDh3y2GgWZJyivguCOommQ4H1TfB1Kpw==",
  "verbose": 1
}

 

Response:

 

{
    "result": [
        {
            "data": {
                "content": "#config-version=FGVM64-7.00-FW-build1255-........................\n",
                "revision": 1
            },
            "status": {
                "code": 0,
                "message": "OK"
            },
            "url": "/deployment/checkout/revision"
        }
    ],
    "id": 1
}
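
The login, revision-listing and revert calls shown above, scripted in Python as an added example (not part of the original article and not Fortinet's code). It checks the status code of every reply and refuses to revert to a revision the device does not list. The function names and the `replay` stand-in, with its constructed session value and error code, are assumptions made for illustration.

```python
import json
import urllib.request
def https_transport(host):
    """Sender that POSTs a JSON-RPC body to https://<host>/jsonrpc with TLS verification on."""
    def post(body):
        req = urllib.request.Request(f"https://{host}/jsonrpc", json.dumps(body).encode(),
                                     {"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post

def rpc(post, session, url, data):
    """Send one exec request in the article's shape; raise unless status code is 0."""
    body = {"id": 1, "method": "exec", "params": [{"data": data, "url": url}], "session": session}
    if session is not None:  # the article's post-login requests carry these two fields
        body.update({"jsonrpc": "1.0", "verbose": 1})
    reply = post(body)
    status = reply["result"][0]["status"]
    if status["code"] != 0:
        raise RuntimeError(f"{url} failed: {status['code']} {status['message']}")
    return reply

def login(post, user, passwd):
    return rpc(post, None, "sys/login/user", [{"passwd": passwd, "user": user}])["session"]

def revisions(post, session, device):
    reply = rpc(post, session, "/deployment/get/device/revision", {"device": device})
    return {r["revision"]: r for r in reply["result"][0]["data"]["revinfo"]}

def revert(post, session, device, revision):
    """Revert only to a revision the device really has; return that revision's record."""
    known = revisions(post, session, device)
    if revision not in known:
        raise ValueError(f"{device} has no revision {revision}; found {sorted(known)}")
    rpc(post, session, "/deployment/revert", {"device": device, "revision": revision})
    return known[revision]

def replay(body):
    """Constructed offline stand-in for FortiManager, shaped like the article's replies."""
    url, res = body["params"][0]["url"], {"status": {"code": 0, "message": "OK"}}
    reply = {"id": body["id"], "result": [res]}
    if url == "sys/login/user":
        reply["session"] = "CONSTRUCTED-SESSION"
    elif body["session"] != "CONSTRUCTED-SESSION":
        res["status"] = {"code": -1, "message": "constructed error"}
    elif url.endswith("/device/revision"):
        res["data"] = {"revinfo": [{"revision": 2, "comments": "Retrieve"},
                                   {"revision": 1, "comments": ""}]}
    return reply
```

Pass `replay` as `post` to exercise the flow offline, or `https_transport("x.x.x.x")` against a real FortiManager, reading the password from a prompt or secret store rather than the script.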

 

Troubleshooting:

 

The following commands can be used in the FortiManager CLI to debug the REST API calls:

 

diagnose debug service httpd 255

diagnose debug service main 255