Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
hklb
Contributor II

XML API

Hi,

 

is anyone has experience with XML API ? 

 

I don't know why, but all my request are not able to execute because I have an error "<errorCode>11</errorCode><errorMsg>No permission for the resource</errorMsg>".

 

This is what I done :

1) create user with super_admin profile

2) enable web service on interface

3) download wsdl from fortimanager

4) create a request as : URL : [link]https://fmgIP:8080/FortiManagerWSxml[/link]

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:r20="http://r200806.ws.fmg.fortinet.com/">
   <soapenv:Header/>
   <soapenv:Body>
      <r20:addCliGlobalSystemAdminUser>
            <!--Optional:-->
  <servicePass>
            <!--Optional:-->
   <userID>fmg</userID>
            <!--Optional:-->
   <password>fmg</password>
  </servicePass>
         <path>
            <!--Optional:-->
            <user>toto</user>
            <!--Optional:-->
            <option>?</option>
         </path>
         <!--1 or more repetitions:-->
         <data>
            <!--Zero or more repetitions:-->
            <hidden>0</hidden>
            <!--Zero or more repetitions:-->
            <pager-number>?</pager-number>
            <!--Zero or more repetitions:-->
            <mobile-number>?</mobile-number>
            <!--Zero or more repetitions:-->
            <phone-number>?</phone-number>
            <!--Zero or more repetitions:-->
            <email-address>?</email-address>
            <!--Zero or more repetitions:-->
            <first-name>?</first-name>
            <!--Zero or more repetitions:-->
            <last-name>?</last-name>
            <!--Optional:-->
            <rpc-permit>none</rpc-permit>
            <!--Optional:-->
            <two-factor-auth>disable</two-factor-auth>
            <!--Zero or more repetitions:-->
            <ca>?</ca>
            <!--Zero or more repetitions:-->
            <subject>?</subject>
            <!--Optional:-->
            <force-password-change>disable</force-password-change>
            <!--Zero or more repetitions:-->
            <password-expire>?</password-expire>
            <!--Zero or more repetitions:-->
            <radius-group-match>?</radius-group-match>
            <!--Optional:-->
            <radius-adom-override>disable</radius-adom-override>
            <!--Optional:-->
            <radius-accprofile-override>disable</radius-accprofile-override>
            <!--Optional:-->
            <wildcard>disable</wildcard>
            <!--Zero or more repetitions:-->
            <ssh-public-key3>?</ssh-public-key3>
            <!--Zero or more repetitions:-->
            <ssh-public-key2>?</ssh-public-key2>
            <!--Zero or more repetitions:-->
            <ssh-public-key1>?</ssh-public-key1>
            <!--Zero or more repetitions:-->
            <group>?</group>
            <!--Zero or more repetitions:-->
            <tacacs-plus-server>?</tacacs-plus-server>
            <!--Zero or more repetitions:-->
            <ldap-server>?</ldap-server>
            <!--Zero or more repetitions:-->
            <radius_server>?</radius_server>
            <!--Optional:-->
            <user_type>local</user_type>
            <!--Zero or more repetitions:-->
            <description>?</description>
            <!--Optional:-->
            <restrict-access>disable</restrict-access>
            <!--Zero or more repetitions:-->
            <profileid>Restricted_User</profileid>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost10>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost10>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost9>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost9>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost8>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost8>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost7>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost7>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost6>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost6>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost5>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost5>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost4>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost4>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost3>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost3>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost2>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost2>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost1>::/0</ipv6_trusthost1>
            <!--Zero or more repetitions:-->
            <trusthost10>255.255.255.255 255.255.255.255</trusthost10>
            <!--Zero or more repetitions:-->
            <trusthost9>255.255.255.255 255.255.255.255</trusthost9>
            <!--Zero or more repetitions:-->
            <trusthost8>255.255.255.255 255.255.255.255</trusthost8>
            <!--Zero or more repetitions:-->
            <trusthost7>255.255.255.255 255.255.255.255</trusthost7>
            <!--Zero or more repetitions:-->
            <trusthost6>255.255.255.255 255.255.255.255</trusthost6>
            <!--Zero or more repetitions:-->
            <trusthost5>255.255.255.255 255.255.255.255</trusthost5>
            <!--Zero or more repetitions:-->
            <trusthost4>255.255.255.255 255.255.255.255</trusthost4>
            <!--Zero or more repetitions:-->
            <trusthost3>255.255.255.255 255.255.255.255</trusthost3>
            <!--Zero or more repetitions:-->
            <trusthost2>255.255.255.255 255.255.255.255</trusthost2>
            <!--Zero or more repetitions:-->
            <trusthost1>0.0.0.0 0.0.0.0</trusthost1>
            <!--Optional:-->
            <change-password>disable</change-password>
            <!--Zero or more repetitions:-->
            <password>titi</password>
            <!--Zero or more repetitions:-->
            <userid>?</userid>
            <!--Zero or more repetitions:-->
            <dashboard>
               <!--Optional:-->
               <diskio-period>1hour</diskio-period>
               <!--Optional:-->
               <diskio-content-type>util</diskio-content-type>
               <!--Optional:-->
               <time-period>1hour</time-period>
               <!--Zero or more repetitions:-->
               <num-entries>10</num-entries>
               <!--Optional:-->
               <res-cpu-display>average</res-cpu-display>
               <!--Optional:-->
               <res-period>10min</res-period>
               <!--Optional:-->
               <res-view-type>history</res-view-type>
               <!--Optional:-->
               <log-rate-period>?</log-rate-period>
               <!--Optional:-->
               <log-rate-topn>5</log-rate-topn>
               <!--Optional:-->
               <log-rate-type>device</log-rate-type>
               <!--Optional:-->
               <widget-type>?</widget-type>
               <!--Zero or more repetitions:-->
               <tabid>0</tabid>
               <!--Optional:-->
               <status>open</status>
               <!--Zero or more repetitions:-->
               <refresh-interval>300</refresh-interval>
               <!--Zero or more repetitions:-->
               <column>0</column>
               <!--Zero or more repetitions:-->
               <name>?</name>
               <!--Zero or more repetitions:-->
               <moduleid>0</moduleid>
            </dashboard>
            <!--Zero or more repetitions:-->
            <dashboard-tabs>
               <!--Zero or more repetitions:-->
               <name>?</name>
               <!--Zero or more repetitions:-->
               <tabid>0</tabid>
            </dashboard-tabs>
            <!--Zero or more repetitions:-->
            <meta-data>
               <!--Zero or more repetitions:-->
               <fieldvalue>?</fieldvalue>
               <!--Optional:-->
               <status>enabled</status>
               <!--Optional:-->
               <importance>optional</importance>
               <!--Zero or more repetitions:-->
               <fieldlength>0</fieldlength>
               <!--Zero or more repetitions:-->
               <fieldname>?</fieldname>
            </meta-data>
            <!--Zero or more repetitions:-->
            <restrict-dev-vdom>
               <!--Zero or more repetitions:-->
               <dev-vdom>?</dev-vdom>
            </restrict-dev-vdom>
            <!--Zero or more repetitions:-->
            <policy-package>
               <!--Zero or more repetitions:-->
               <policy-package-name>?</policy-package-name>
            </policy-package>
            <!--Zero or more repetitions:-->
            <app-filter>
               <!--Zero or more repetitions:-->
               <app-filter-name>?</app-filter-name>
            </app-filter>
            <!--Zero or more repetitions:-->
            <ips-filter>
               <!--Zero or more repetitions:-->
               <ips-filter-name>?</ips-filter-name>
            </ips-filter>
            <!--Zero or more repetitions:-->
            <web-filter>
               <!--Zero or more repetitions:-->
               <web-filter-name>?</web-filter-name>
            </web-filter>
            <!--Zero or more repetitions:-->
            <adom-exclude>
               <!--Zero or more repetitions:-->
               <adom-name>?</adom-name>
            </adom-exclude>
            <!--Zero or more repetitions:-->
            <adom>
               <!--Zero or more repetitions:-->
               <adom-name>all_adoms</adom-name>
            </adom>
         </data>
         <session>?</session>
      </r20:addCliGlobalSystemAdminUser>
   </soapenv:Body>
</soapenv:Envelope>

5) it return this error :

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns1="http://jaxb.dev.java.net/array" xmlns:ns3="http://r200806.ws.fmg.fortinet.com/">
   <SOAP-ENV:Header/>
   <SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <ns3:addCliGlobalSystemAdminUserResponse>
         <status>
            <errorCode>11</errorCode>
            <errorMsg>No permission for the resource</errorMsg>
         </status>
      </ns3:addCliGlobalSystemAdminUserResponse>
   </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

 

Is anyone can help me ?

 

Lucas

1 Solution
ffischer
New Contributor III

had the same issues...

 

you have to enable the  user logging into tha API 

for using the XML-SOAP API..

 

config sys admin user   edit scriptuser     set rpc-permit read-write end

 

I did not find it in the API Docs, but it is  documented in FortiManager - CLI Reference.

 quite hard to find...

 

 

View solution in original post

6 REPLIES 6
hklb
Contributor II

I tested with legacy operation wdsl file and it works fine, so user/password and access to FMG is correct..

 

Is there some options to enable to be able to use other request as legacy operations ?

 

 

ffischer
New Contributor III

had the same issues...

 

you have to enable the  user logging into tha API 

for using the XML-SOAP API..

 

config sys admin user   edit scriptuser     set rpc-permit read-write end

 

I did not find it in the API Docs, but it is  documented in FortiManager - CLI Reference.

 quite hard to find...

 

 

hklb
Contributor II

Hi,

 

Yes, I already do that.. but same result...

 

Is it work for you with "rpc-permit read-write" ?

 

Thanks

ergotherego
Contributor II

We were not able to use the API with a service account (remote user) even with rpc RW enabled. We ended up having to use the local admin account. So maybe try that?

ffischer
New Contributor III

Yes this works for me with FMGR 5.4.2 I created a new scriptuser named scrusr

I suppose assigning the the "Super_User" profile

to the script user is necessary as well

(OK... I did not test without...)   config system admin user     edit "scrusr"         set password ENC <deleted>         set profileid "Super_User"             set adom "all_adoms"             set policy-package "all_policy_packages"         set description "Script User"             config meta-data                 edit "Contact Email"                 next                 edit "Contact Phone"                 next             end         set rpc-permit read-write             config dashboard                ........<deleted>             end     next end

avremy

for those that struggled with this, you need to use the execSysLoginUser operation to get a session code and then use it in all the following requests until it expires

request: 

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:r20="http://r200806.ws.fmg.fortinet.com/">
<soapenv:Header/>
<soapenv:Body>
  <r20:execSysLoginUser>
    <data>
      <user>user</user>
      <passwd>password</passwd>
    </data>
  </r20:execSysLoginUser>
</soapenv:Body>
</soapenv:Envelope>

 

response:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                   xmlns:ns1="http://jaxb.dev.java.net/array" xmlns:ns3="http://r200806.ws.fmg.fortinet.com/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <ns3:execSysLoginUserResponse>
    <status>
      <errorCode>0</errorCode>
      <errorMsg>OK</errorMsg>
    </status>
    <session>e3zuodiMYmQIWzH36zT9+EVAFooHR8iYqUebs+94U68zORiAbkd4d6BqCr9ml9IMq3ymZtBa8pvVLjKjhEnx4g==</session>
  </ns3:execSysLoginUserResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

 

then an example authenticated request would look like this:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:r20="http://r200806.ws.fmg.fortinet.com/">
   <soapenv:Header/>
   <soapenv:Body>
      <r20:getSysStatus>
 <session>e3zuodiMYmQIWzH36zT9+EVAFooHR8iYqUebs+94U68zORiAbkd4d6BqCr9ml9IMq3ymZtBa8pvVLjKjhEnx4g==</session>      </r20:getSysStatus>
   </soapenv:Body>
</soapenv:Envelope>

 

Hope this helps someone 

Avremy