Andre_Viljoen
New Contributor

API POST /system/config/restore Upload from File - http status 403

From the FortiOS/FortiAPI/FNDN it seems to be possible to restore a config file to a FortiGate and restart the FortiGate with the restored file. I am trying this with a POST to /api/v2/monitor/system/config/restore.

I get a response code 403 when I try this from Postman.

FortiOS: 7.0.9

Model: FGT-40F
I am using a valid generated API Key with config as follows:

config system accprofile
    edit "api_write"
        set secfabgrp read-write
        set ftviewgrp read-write   
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wifi read-write
    next
end

config system api-user
    edit "api_write_admin"
        set api-key ENC SH2JXxKQuhKAlikfQE.......2cTiq17Xw4jiogpKc=
        set accprofile "api_write"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 192.168.2.0 255.255.255.0
            next
        end
    next
end

 

Is there something wrong with my API key configuration or what would cause me to get the response 403?

I also successfully use the same API key to create and delete various configurations, but only the /system/config/restore gives me the response 403.
I can provide more information if required.
Thank you so much

5 REPLIES
gfleming
Staff

There are some custom permissions you can set for various categories. See here for more info: https://docs.fortinet.com/document/fortigate/7.2.4/cli-reference/2620/config-system-accprofile

config sysgrp-permission
  set cfg read-write
Cheers,
Graham
hdupreez
New Contributor

Thanks, I just tried that, but still get the https 403 error.
I went further and also set every other parameter to read-write.

Still the 403 error.

G4ZACEGP-LB-AND-JDAL~-01 (api_write) # sh
config system accprofile
    edit "api_write"
        set secfabgrp read-write
        set ftviewgrp read-write
        set authgrp read-write
        set sysgrp custom
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write 
        set utmgrp read-write
        set wifi read-write
        config sysgrp-permission
             set admin read-write
             set upd read-write
             set cfg read-write
             set mnt read-write
        end
    next
end

Any further thoughts or advice are appreciated.

gfleming

I thought I had this figured out but am hitting errors. Will post back later today.

Cheers,
Graham
gfleming
Staff

OK, it appears that for POST, PUT and DELETE you need to use a CSRF token instead of the API key. I still haven't quite figured this out, but perhaps this will help you:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-About-REST-API/ta-p/195425

Cheers,
Graham
hdupreez
New Contributor

SOLVED:
I went into the CLI and changed the accprofile to super_admin. (NOTE: This is not possible in the GUI, only in the CLI.)

config system api-user
    edit "api_write_admin"
        set accprofile "super_admin"
    next
end
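
Added example, not part of the thread and not Fortinet code: once an API key is bound to super_admin as in the fix above, its trusthost entry is the main remaining restriction, so it is worth auditing which API users carry that profile. The sketch below parses `config system api-user` text in the `show` format posted in this thread; the function names and the `backup_bot` user are hypothetical.

```python
import re

# Constructed sample in "show" format: the thread's api-user after the
# super_admin change, plus a hypothetical second user with no trusthost.
SAMPLE = '''config system api-user
    edit "api_write_admin"
        set accprofile "super_admin"
        config trusthost
            edit 1
                set ipv4-trusthost 192.168.2.0 255.255.255.0
            next
        end
    next
    edit "backup_bot"
        set accprofile "api_write"
    next
end
'''

def parse_api_users(text):
    """Map each API user to its accprofile and list of trusthost entries."""
    users, cur, depth = {}, None, -1        # depth -1: outside the api-user table
    for line in (l.strip() for l in text.splitlines()):
        if line == "config system api-user":
            depth = 0
        elif depth >= 0 and line.startswith("config "):
            depth += 1                      # nested table such as trusthost
        elif line == "end":
            depth = max(depth - 1, -1)
        elif depth == 0 and (m := re.match(r'edit "?([^"]+)"?$', line)):
            cur = users.setdefault(m[1], {"accprofile": None, "trusthosts": []})
        elif depth == 0 and cur and (m := re.match(r'set accprofile "?([^"]+)"?$', line)):
            cur["accprofile"] = m[1]
        elif depth == 1 and cur and (m := re.match(r"set ipv4-trusthost (\S+) (\S+)$", line)):
            cur["trusthosts"].append(f"{m[1]} {m[2]}")
    return users

def audit(users):
    """Return (user, issue) pairs for over-privileged or unrestricted keys."""
    findings = []
    for name, u in sorted(users.items()):
        if u["accprofile"] == "super_admin":
            findings.append((name, "super_admin accprofile"))
        if not u["trusthosts"] or "0.0.0.0 0.0.0.0" in u["trusthosts"]:
            findings.append((name, "no trusthost restriction"))
    return findings

if __name__ == "__main__":
    print(*audit(parse_api_users(SAMPLE)), sep="\n")
```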
