FortiManager
farhanahmed
Staff
Article Id 421990
Description

This article describes how to log in to FortiManager/FortiAnalyzer using API with CSRF cookies.

Scope

FortiManager, FortiAnalyzer (tested with v7.4.8 and v7.6.4).
Solution
  1. Log in to FortiManager/FortiAnalyzer by sending a POST request to 'https://{{host}}/cgi-bin/module/flatui_auth' with the following body (Postman is used in this example; any other HTTP client can be used):


{
    "url": "/gui/userauth",
    "method": "login",
    "params": {
        "username": "{{ADMIN_USER}}",
        "secretkey": "{{PASSWORD}}",
        "logintype": 0
    }
}


  2. This sets the session cookies, in particular 'HTTP_CSRF_TOKEN'. This token is then used in the subsequent requests to maintain the session:

[Screenshot: FMG_login_cookies.gif]

  3. In Postman, under the 'Scripts' tab of the request (Post-response; in older Postman versions it may be under 'Tests'), add the script below. It reads the 'HTTP_CSRF_TOKEN' value from the cookies and stores it in the variable 'csrf_token':


const csrfToken = pm.cookies.get("HTTP_CSRF_TOKEN");

pm.environment.set("csrf_token", csrfToken);

[Screenshot: ll.png]

Afterwards, run the login request again so that the 'csrf_token' variable gets populated.


  4. For all subsequent API requests, under the 'Headers' tab, add a new entry that uses the variable {{csrf_token}}:

    Key:  XSRF-TOKEN | Value: {{csrf_token}}

[Screenshot: ll.png]

  5. To log out, create a new POST request to 'https://{{host}}/p/logout-api/'. The request body must be empty, and in the headers, along with XSRF-TOKEN, set the 'Referer' key to 'https://{{host}}':

    Key:  XSRF-TOKEN | Value: {{csrf_token}}
    Key:  Referer | Value: https://{{host}}

    [Screenshot: logout.png]

  • Attached is the API collection, which can be imported into Postman (tested with v11.74.5).
  • Under the 'Variables' tab of the collection, the following variables are required:
    • host: IP address of FortiManager/FortiAnalyzer.
    • ADMIN: Admin user.
    • PASSWORD: Admin user password.
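The same login, authenticated request and logout flow as an added Python script (not from the article or from Fortinet); it assumes the endpoint accepts the JSON body with an application/json content type, as Postman sends it, and that the appliance certificate is trusted (pass cafile for a private CA):

```python
import json
import ssl
import urllib.request
from http.cookiejar import CookieJar

LOGIN_PATH = "/cgi-bin/module/flatui_auth"  # login endpoint from the article
LOGOUT_PATH = "/p/logout-api/"              # logout endpoint from the article
CSRF_COOKIE = "HTTP_CSRF_TOKEN"             # cookie set by the login response
CSRF_HEADER = "XSRF-TOKEN"                  # header carrying that token afterwards

def login_payload(username, password):
    """Body of the flatui_auth login request (same JSON as the Postman query)."""
    return {"url": "/gui/userauth", "method": "login",
            "params": {"username": username, "secretkey": password, "logintype": 0}}

def csrf_token_from_jar(cookies):
    """Return the HTTP_CSRF_TOKEN value from any iterable of cookies, e.g. a CookieJar."""
    return next((c.value for c in cookies if c.name == CSRF_COOKIE), None)

def api_headers(csrf_token, host=None):
    """Headers for follow-up requests; pass host to add the Referer that logout needs."""
    headers = {"Content-Type": "application/json", CSRF_HEADER: csrf_token}
    if host is not None:
        headers["Referer"] = f"https://{host}"
    return headers

class FmgGuiSession:
    # Cookie-backed session mirroring the Postman flow; standard library only (assumed client, not Fortinet's).
    def __init__(self, host, cafile=None):
        self.host, self.jar, self.csrf_token = host, CookieJar(), None
        # Certificate verification stays on; pass cafile for an appliance signed by a private CA.
        ctx = ssl.create_default_context(cafile=cafile)
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar), urllib.request.HTTPSHandler(context=ctx))

    def _post(self, path, body, headers):
        data = b"" if body is None else json.dumps(body).encode()  # empty body for logout
        req = urllib.request.Request(f"https://{self.host}{path}", data=data, headers=headers, method="POST")
        with self.opener.open(req, timeout=30) as resp:
            return resp.status, resp.read()

    def login(self, username, password):
        self._post(LOGIN_PATH, login_payload(username, password), {"Content-Type": "application/json"})
        self.csrf_token = csrf_token_from_jar(self.jar)  # set only after a successful login
        if self.csrf_token is None:
            raise RuntimeError("login did not set HTTP_CSRF_TOKEN; check credentials")
        return self.csrf_token

    def post(self, path, body):
        return self._post(path, body, api_headers(self.csrf_token))

    def logout(self):
        return self._post(LOGOUT_PATH, None, api_headers(self.csrf_token, self.host))
```

Usage: `s = FmgGuiSession("fmg.example"); s.login("admin", "secret"); s.post("/some/api/path", {...}); s.logout()`; the hostname and path here are placeholders.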


Note:

  • After logging in, the session list shows the login as a GUI session rather than an API session. This is because the HTTP_CSRF_TOKEN cookie is used to log in instead of an API session.
  • This method of login might change in future firmware releases.


Related documents:

Technical Tip: Using FortiManager API

Fortinet Development Network (FNDN) - FortiManager