Rest API error when creating a firewall policy on a Fortigate 5.4.6

jrodriguez · ‎11-21-2018

Hello,

I'm trying to use the Fortigate REST API to add various objets on our 1500D. It works quite fine except for adding new firewall policies. The firewall throws a 405 error when posting (POST) a request on this API URL (/api/v2/cmdb/firewall/policy/?vdom=VDOMNAME)

Here are the details :

JSON request :

{
                'action': 'accept',
                'srcintf':[
                        {
                                'name':'IFNAME02',
                        }
                ],
                'dstintf':[
                        {
                                'name':'IFNAME01',
                        }
                ],
                'srcaddr':[
                        {
                                'name':'all',
                        }
                ],
                'dstaddr':[
                        {
                                'name':'all',
                        }
                ],
                'service':[
                        {
                                'name':'ALL',
                        }
                ],
                'status':'enable',
                'schedule':'always',
                'nat':'disable',
                'logtraffic':'utm',
        }

And the error :

405 Method Not Allowed

{

"http_method": "POST",

"status": "error",

"http_status": 405,

"vdom": "VDOMNAME",

"path": "firewall",

"name": "policy",

"action": "accept",

"serial": "FG1K",

"version": "v5.4.6",

"build": 1165

}

If I remove the parameter "action" in my JSON data, the policy is created but with a default deny value, which is not what I want.

Any ideas ?

Regards.

jrodriguez · ‎11-22-2018

Hello,

If it can help someone, I've found the error cause in the FortiOS 5.4 REST API Reference Guide. Here are the explaination from the guide :

Limitation If the body data has the same name as some reserved URL parameters, such as name, path, or action, the request would fail due to the conflict. For example, firewall policy has 'name' and 'action' attribute which conflict with the reserved URL parameter 'name' and 'action'. POST/PUT with normal method would fail with 405 error. A workaround is to enclosed all object data in a 'json' keyword so the API can correctly identify object data.

This would work :
{'json':{'name':"test_policy", 'srcintf': [{"name":"port1"}], 'dstintf': [{"name":"port2"}],'srcaddr': [{"name":"all"}], 'dstaddr': [{"name":"all"}],'action':"accept",'status': "enable",'schedule':"always",'service':[{'name':"ALL"}], 'nat':"disable"}}

Regards.

emnoc · ‎11-22-2018

That goods new news and glad you found out the issue. I alway like to get exit policy for the structure and craft the right json attribute keyvalue and add { POST } items . It can be challenging modifying items also, so I would test the right syntax when you make modifications. Here's a post on what I just wrote up on my blog, and forum user contacted me about some API issues a few months and I decided to write a small snippet on it.

http://socpuppet.blogspot...api-to-add-delete.html

PCNSE

NSE

StrongSwan

xxddpac · ‎02-12-2019

hi, can show me your python code ?

I creat a address objects return 403 error using rest api

thanks!!