FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
ndumaj
Staff
Article Id 420386
Description This article describes how to fix the REST API Failure event generated when integrating FortiGate with FortiNAC.
Scope FortiNAC, FortiGate, REST API.
Solution

In a FortiGate FortiSwitch-FortiLink integration, the REST API is required for communication with FortiNAC and must be configured.

FortiNAC sends several API requests to the FortiGate device, and if the REST API is not present, FortiGate responds with status = 401.

In the CLI, logs, and output.master, the following error will appear:

PollThread-trap3 request status = 401, response =
HttpResponseProxy{HTTP/1.1 401 Unauthorized

If the request fails with a status 401 or 403 while using an API token, FortiNAC will automatically revoke the token and raise an Event REST API Failure, with the message 'REST API failure for device FW-FortiGate with message request exception invalid API Token when connecting to 10.5.30.25'.

FortiNAC executes the GET requests in the following format:

 

Executing request GET /api/v2/monitor/user/device/query?filter=is_online%3D%3Dtrue&access_token=t9xjpyapz8obyrfs5rb39djw3cxt4i6g&vdom=* HTTP/1.1

INFO yams - pool-13-thread-1 request uri = https://10.5.30.25:10443/api/v2/monitor/user/device/query

INFO yams - pool-13-thread-1 request details = https://10.5.30.25:10443/api/v2/monitor/user/device/query?filter=is_online==true&access_token=*****&vdom=* 


Starting with FortiGate v7.4.5, API requests no longer accept the access_token as a URL parameter by default. This update follows modern security best practices to avoid exposing sensitive credentials in URLs.

In order to use the access_token as a URL parameter, FortiGate configuration must be adjusted to allow this behavior. The following commands enable the option:

 

config system global
    set rest-api-key-url-query enable
end
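Because a token passed as a URL parameter is written into request logs, log excerpts should be checked before they are attached to a ticket. The following is an added example, not part of the original article or of FortiNAC: it flags log lines that carry an unmasked access_token and lines that report status 401 or 403, and masks the token. The sample lines, the token value, the address 192.0.2.10 and the function names are constructed for illustration, modelled on the log format shown above.

```python
import re

# Matches an access_token query parameter and captures its value.
TOKEN_RE = re.compile(r"([?&]access_token=)([^&\s]+)")
# Matches the status field in the format shown in the log excerpt above.
STATUS_RE = re.compile(r"request status = (\d{3})")


def redact(line):
    """Mask any access_token value so the line is safe to share."""
    return TOKEN_RE.sub(lambda m: m.group(1) + "*****", line)


def triage(lines):
    """Return (line_no, finding, redacted_line) for each line that needs attention."""
    findings = []
    for no, line in enumerate(lines, 1):
        token = TOKEN_RE.search(line)
        # A value made only of '*' is already masked by the logger.
        if token and set(token.group(2)) != {"*"}:
            findings.append((no, "token-in-url", redact(line)))
        status = STATUS_RE.search(line)
        if status and status.group(1) in ("401", "403"):
            findings.append((no, "auth-failure-" + status.group(1), redact(line)))
    return findings


# Constructed sample lines (not real log data); the token is a placeholder.
SAMPLE = [
    "Executing request GET /api/v2/monitor/user/device/query"
    "?filter=is_online%3D%3Dtrue&access_token=EXAMPLETOKEN0000&vdom=* HTTP/1.1",
    "INFO yams - pool-13-thread-1 request details = "
    "https://192.0.2.10:10443/api/v2/monitor/user/device/query"
    "?filter=is_online==true&access_token=*****&vdom=*",
    "PollThread-trap3 request status = 401, response =",
    "INFO yams - pool-13-thread-1 request status = 200, response =",
]

if __name__ == "__main__":
    for no, kind, text in triage(SAMPLE):
        print(no, kind, text)
```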

 

Related documents:

FortiGate Endpoint Management Integration - FortiNAC-F documentation
Technical Tip: Configuring FortiGate v7.4.5+ to allow access_token in URL Parameters