Technical Tip: Retrieve Application and IPS signatures using API Calls in FortiManager

mrafat · ‎03-20-2024

Description

This article describes how to Retrieve Application and IPS signatures using API calls.

Scope

FortiManager-VM, FortiManager appliances.

Solution

Prerequisites:

Get the session ID needed for the upcoming requests as per the below article:

Technical Tip: Using FortiManager API.

Now that the Session ID is obtained, complete the request for retrieving the IPS Signature.
Below is the Request and expected response, where:

The ADOM is: root.

Request:

{

"id": "1",

"method": "get",

"params": [

{

"url": "pm/config/adom/root/_rule/list"

}

],

"session": "49eUkdSQlcuILrwX/7I1vQSfLAU6GWpekp4iyh0TdPcqJ21mGapKtNaPyk3a+iJkyF13dVRJGy0QuqVSiUD5tg=="

}

Response:

{

"result": [

{

"data": [

{

"action": "block",

"application": "SCADA",

"cve": "",

"cve_lf": "",

"database": 4,

"date": "20220502",

"group": "SCADA",

"location": "server,client",

"log": "",

"log-packet": "",

"name": "10-Strike.LANState.Local.Buffer.Overflow.Exploit",

"os": "Windows",

"rate-count": "",

"rate-duration": "",

"rate-mode": "",

"rate-track": "",

"rev": "13518",

"rule-id": 47306,

"service": "TCP,HTTP,FTP,SMTP,POP3,IMAP,NNTP",

"severity": "medium",

"status": "enable",

"vuln_type": "Buffer Errors"

},..etc

To retrieve the application Signatures from the below FortiManager is the API Request:

Request:

{

"id": "1",

"method": "get",

"params": [

{

"url": "pm/config/adom/root/obj/_application/list"

}

],

"session": "49eUkdSQlcuILrwX/7I1vQSfLAU6GWpekp4iyh0TdPcqJ21mGapKtNaPyk3a+iJkyF13dVRJGy0QuqVSiUD5tg=="

}

Response:

{

"result": [

{

"data": [

{

"behavior": "",

"casi": "",

"cat-id": "21",

"category": "Email",

"database": 1,

"id": 16554,

"language": "Chinese",

"name": "126.Mail",

"parameter": "",

"popularity": "4",

"protocol": "1.TCP,9.HTTP,26.SSL",

"require_ssl_di": "No",

"risk": "3",

"shaping": "",

"technology": "1.Browser-Based",

"vendor": "9.Netease",

"weight": ""

},

{

"behavior": "5.Excessive-Bandwidth",

"casi": "",

"cat-id": "5",

"category": "Video/Audio",

"database": 1,

"id": 38614,

"language": "Chinese",

"name": "1kxun",

"parameter": "",

"popularity": "4",

"protocol": "1.TCP,9.HTTP,26.SSL",

"require_ssl_di": "No",

"risk": "3",

"shaping": "",

"technology": "2.Client-Server",

"vendor": "0.Other",

"weight": ""

},…etc

Note that the message output is truncated here for better visibility of the article.

Troubleshooting:

The following commands can be used on the FortiManager CLI to debug the API Calls:

diagnose debug service httpd 255

diagnose debug service main 255

Related articles:

Technical Tip: Retrieve Application and IPS signatures using API Calls in FortiManager

You are leaving our website