Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kartofflarna
New Contributor

Rest api usage

Hi,

 

I am setting up a new 30E firewall for a small office and for once I had some time on my hands so I thought I would play around a little bit with the rest API for learning purposes since it would help out with managing other firewalls.

 

So I read through the reference guide http://docs.fortinet.com/d/fortiweb-5.5-restful-api-reference which seems pretty straight forward. However I get stuck right from the bat.

 

testing out the initial example: curl -H "Authorization: YWRtaW46" -k "https://172.22.10.74:90/api/v1.0/System/Network/StaticRoute"

But I get no response.

 

The firewall arrived with fortios v5.4.1 which I think has api v2 so I tried changing the url accordingly but with no difference

I cannot find anywhere to verify which api version my firewall is using, also I am lacking information in the reference guide on weather I have to manually enable the api or not.

 

I'm sure I'm just missing something, can someone here see any obvious signs?

3 Solutions
nelis99
New Contributor II

If anyone is interested here is a powershell call for it as well (@markonans tx for curl example to build from).

$fwaddress = "192.168.1.99"

$postParams = @{username='myadminacct';secretkey='PASSWORD'} $request = Invoke-WebRequest -Headers $headers -Uri "https://$fwaddress/logincheck" -SessionVariable fgtSession -Method POST -Body $postParams

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add('Accept','application/json') $headers.Add('Content-Type','application/json')

$request = Invoke-WebRequest -Headers $headers -Uri "https://$fwaddress/api/v2/monitor/router/ipv4/" -WebSession $fgtSession -Method GET write-host $request.Content

View solution in original post

alk0v
New Contributor

Hi, all. Next example working with FG-300 v.5.4 and PHP

 

 

$fghost = "myfg.loc"; $fglogin = "admin"; $fgpass = "supersecret";

$url = '[link]https://'.$fghost.'/logincheck';[/link]

$data = array('username'=>$fglogin,'secretkey'=>$fgpass); $post_data = http_build_query($data);

 

$curl_connection = curl_init($url);

 

curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($curl_connection, CURLOPT_POST, TRUE); curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post_data); curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($curl_connection, CURLOPT_HEADER, TRUE);

 

$response = curl_exec($curl_connection);

 

preg_match_all('/^Set-Cookie:\s*([^;]*)/mi', $response, $matches);

 

$curl_connection = curl_init('[link]https://'.$fghost.'/api/v2/cmdb/firewall/vip/');[/link] curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($curl_connection, CURLOPT_COOKIE, $matches[1][0]); $response = curl_exec($curl_connection);

echo ($responce);

 

curl_close($curl_connection);

 

View solution in original post

oheigl
Contributor II

Hi,

 

remove the GET parameter, it's not needed if you pass the API key via the header:

curl -k -o $IP-$D.conf -H "Authorization: Bearer $TOKEN" "https://$IP/api/v2/monitor/system/config/backup?scope=global"

 

Also you can have a look at the debug on the FortiGate (connect via SSH since GUI is also making API requests):

 

diag debug application httpsd -1
diag debug enable

 

And please upgrade your Firmware version, in 5.6.3 everything could be a bug 

View solution in original post

32 REPLIES 32
nbctcp
New Contributor III

Yes, you were right again

After testing myself, I can see public key appear in standard config

Sorry for my mistake statement

 

QUESTIONS:

1. what is the reason admin choose to backup using API instead of using ssh

 

STEPS:

config system admin edit "admin" set accprofile "super_admin" set vdom "root" set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAhgCSKwiNYG7YDE0QUm2mefS8oq89dvms1+ArW/vRZ2j2AIl9a/NRMIK7whvUstVWD60HVWcGAlzpIYnCMZm3d82xifCJgSsi2QamWKzvHG27EPmn2KmXJTFdINcvK60tih89ebxGN3sPX3nv/LlyX5p3gmvcGyW019ipTEo5zFN0aMYSrkg5Xiuw3xFZhGYgNxRpSLNf1IwGcacTq+XMx58kic1QRNEnqgUrmIM1ODLpfaWm3ecq6NVTfa2UcIjPQXaweFpEgtViN5rtOi+z0oE7wm1RpbA+bM6vHeJHlBsigFqa/0Z9EY2DXtYwCM+IYzgXWF6zxtloAixDQrqi3w==" set password ENC SH2Ywn7CB5xxWby6HnrxVenKMvR5fb1wSqSSHEkt2KChtXxZR8X7TB0er5JQEY= next end

 

# execute backup config tftp fgt.cfg 192.168.88.10

I can see fgt.cfg has public key

config system admin edit "admin" set accprofile "super_admin" set vdom "root" set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAhgCSKwiNYG7YDE0QUm2mefS8oq89dvms1+ArW/vRZ2j2AIl9a/NRMIK7whvUstVWD60HVWcGAlzpIYnCMZm3d82xifCJgSsi2QamWKzvHG27EPmn2KmXJTFdINcvK60tih89ebxGN3sPX3nv/LlyX5p3gmvcGyW019ipTEo5zFN0aMYSrkg5Xiuw3xFZhGYgNxRpSLNf1IwGcacTq+XMx58kic1QRNEnqgUrmIM1ODLpfaWm3ecq6NVTfa2UcIjPQXaweFpEgtViN5rtOi+z0oE7wm1RpbA+bM6vHeJHlBsigFqa/0Z9EY2DXtYwCM+IYzgXWF6zxtloAixDQrqi3w==" set password ENC SH2Ywn7CB5xxWby6HnrxVenKMvR5fb1wSqSSHEkt2KChtXxZR8X7TB0er5JQEY= next end

 

oheigl wrote:

I just tried a configuration backup and the certificate with the public and private key is in there, without a full configuration. The full configuration is useful to check if default values have changed or something like that, but other then that I can't see a reason why you would need it. Maybe in older FortiOS versions the keys weren't backuped, can't remember exactly.

 

Kind regards

http://goo.gl/lhQjmUhttp://nbctcp.wordpress.com
emnoc
Esteemed Contributor III

Either method good, API is better in that ssh pub/key and key checking is not madatory if you access via the HTTPS and API interface.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
jeremyscline_FTNT

That is the API guide for FortiWeb, not the FortiGate.  There are FortiOS API guides on FNDN - you will need to request sponsorship from someone you know at Fortinet.  The guide for 5.4.1 is:

 

https://fndn.fortinet.net/index.php?/documents/file/9-fortios-54-rest-api-reference-541/

 

 

Labels
Top Kudoed Authors