Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum this December to earn your exclusive Holiday Badge! Become a member today.
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
- Fortinet Community
- Knowledge Base
- FortiManager
- Technical Tip: Using FortiManager API
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
This article describes about FortiManager API. FortiManager HTTPs API is JSON-RPC.
Unlike the more famous REST API, JSON-RPC does not pass any information in URL or HTTP Method. Additionally, the Status code in HTTP response does not generally relate to result of the API call.
Solution
Usage
Every request is POST request to /jsonrpc URL. There are no authorization headers. Full request is sent inside the HTTP Body, which is JSON formatted. JSON request usually has following five fields:
methodAction that is to be taken by FortiManager. This is commonlyget,set,put,delete, etc. depending on what is being configured.paramsUsually further structured, specifying all details of what configuration is to be read, created or updated and how exactly.sessionAuthorization token returned by login function (see below). All requests must have it except of login request.verboseWhen used (and enabled), values normally refering by numbers to internal constants are returned as human readable names instead of those numbers.idOnly used to pair requests and response. It can be anything in the request and FortiManager will use the same ID in its response. This is useful when more requests are sent over the same HTTP(s) connection without waiting for previous response, because in such case responses may come in different order.
More examples & testing
Following sections contain few very basic examples. Much more complex examples grouped by areas with direct test options can be found in our public Postman collection.
The best way is to fork the FortiManager collection and also the default environment into the private workspace where users can edit it. The environment parameters must be updated to match the network and FortiManager user's credentials (+ allowing API access for that user).
Requests can then be called directly from web browser with help of Postman Agent or from Postman application running locally on the computer. If users are missing some example, feel free to send message to @oholecek_FTNT.
Login and logout
To obtain session key for futher requests, login function must be called first. Session key is valid for configured API idle timeout [System Settings → Admin → Admin Settings → Idle Timeout (API)] or until explicit logout.
By default no user is allowed to use this API. To allow it, either Read or Read-Write must be selected in user's JSON API Access setting [System Settings → Admin → Administrators → ... → Edit].
It is important to log out when all work is done, especially when long idle timeout is set. Otherwise it can happen that all 32 slots (per user) are used and FortiManager reject this user from logins until users timeout or are manually deleted by administrator [System Settings → Dashboard → Current Administrators → ... → Delete].
Example of login request
Details of expected parameters for login request are described on FNDN. Function name in this case is /sys/login/user and method exec. The most important keys in params object are data with user and passwd.
{
"id": 1,
"method": "exec",
"params": [{
"data": {
"user": "apiuser",
"passwd": "apipassword"
},
"url": "/sys/login/user"
}]
}with response:
{
"id": 1,
"result": [{
"status": {
"code": 0,
"message": "OK"
},
"url": "/sys/login/user"
}],
"session": "TxMw/zbjw+tVZ/JL3bhmYg0vTUpVguYHIQesJXpye4j2vvsqtZaSgKWa+0iLqug+3/074jq8QqmI/KOx4GHkwQ=="
}Test call can be done with cURL tool:
curl --location --request POST 'https://10.0.0.100/jsonrpc' \
--header 'Content-Type: application/json' \
--data-raw '{
"id": 1,
"method": "exec",
"params": [{
"data": {
"user": "apiuser",
"passwd": "apipassword"
},
"url": "/sys/login/user"
}]
}'
Example of logout request
Details of expected parameters for login request are described on FNDN. Function name in this case is
/sys/logout and method exec. The only key in params object is url. The request must contain the right session key which is being terminated.{
"id": 1,
"method": "exec",
"params": [{
"url": "/sys/logout"
}],
"session": "TxMw/zbjw+tVZ/JL3bhmYg0vTUpVguYHIQesJXpye4j2vvsqtZaSgKWa+0iLqug+3/074jq8QqmI/KOx4GHkwQ=="
}with response:
{
"id": 1,
"result": [{
"status": {
"code": 0,
"message": "OK"
},
"url": "/sys/logout"
}]
}
Retrieve FortiManager status
Status request doesn't expect any parameters (except
url) as can be seen on FNDN. In response it returns FortiManager's basic operation parameters. Description of each field from the response can be found on the same FNDN page.{
"method": "get",
"params": [
{
"url": "/sys/status"
}
],
"session": "TxMw/zbjw+tVZ/JL3bhmYg0vTUpVguYHIQesJXpye4j2vvsqtZaSgKWa+0iLqug+3/074jq8QqmI/KOx4GHkwQ==",
"verbose": 1,
"id": 1
}with response:
{
"id": 1,
"result": [
{
"data": {
"Admin Domain Configuration": "Enabled",
"BIOS version": "04000002",
"Branch Point": "0254",
"Build": "0254",
"Current Time": "Tue Sep 13 17:15:22 CEST 2022",
"Daylight Time Saving": "Yes",
"FIPS Mode": "Disabled",
"HA Mode": "Stand Alone",
"Hostname": "vm30",
"License Status": "Valid",
"Major": 7,
"Max Number of Admin Domains": 105,
"Max Number of Device Groups": 10000,
"Minor": 0,
"Offline Mode": "Disabled",
"Patch": 3,
"Platform Full Name": "FortiManager-VM64",
"Platform Type": "FMG-VM64",
"Release Version Information": " (GA)",
"Serial Number": "FMGVMSTM11111111",
"TZ": "Europe/Brussels",
"Time Zone": "(GMT+1:00) Brussels, Copenhagen, Madrid, Paris.",
"Version": "v7.0.3-build0254 220202 (GA)",
"x86-64 Applications": "Yes"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/sys/status"
}
]
}
Handling errors
As mentioned at the beginning, with FortiManager API the HTTP response status code doesn't say anything about the status of the request. Error status must be checked by looking into
status field of the response JSON body. If the code is 0 (as in the response example above) it was executed successfully and returned data is valid. Otherwise the error reason can be found in message field as in following example when attempted to get information about non-existing ADOM:{
"method": "get",
"params": [
{
"url": "/pm/pkg/adom/not-existing"
}
],
"session": "TxMw/zbjw+tVZ/JL3bhmYg0vTUpVguYHIQesJXpye4j2vvsqtZaSgKWa+0iLqug+3/074jq8QqmI/KOx4GHkwQ==",
"verbose": 1,
"id": 1
}with response:
{
"id": 1,
"result": [
{
"status": {
"code": -6,
"message": "Invalid url"
},
"url": "/pm/pkg/adom/not-existing"
}
],
"session": 1793
}
Labels:
12834
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2023 Fortinet, Inc. All Rights Reserved.