Support Forum
deacs
New Contributor II

Authentication FortiAnalyzer API

Hi all,

 

I am trying to fetch raw logs using the FortiAnalyzer SOAP API and the searchFazLog API method, but I am unable to authenticate: I keep getting the -101 error code and the "Invalid user/password or adom" error message. I have tried authenticating using local account credentials as well as domain account credentials, both without any success (these creds work when logging in via the web interface). I have also tried adding the HTTP basic authentication header, no game unfortunately.

 

We are currently using FAZ 5.2 (https://docs.fortinet.com/uploaded/files/2091/fortianalyzer_admin_520.pdf)

 

Here is the example of my request and the response: https://pastebin.com/Tr57D2Lv

 

Can anybody point me in the right direction, as I'm sure I'm missing something trivial.

 

Cheers,

deacs

Gabe_FTNT
Staff

Hi deacs

 

I haven't tested with FAZ 5.2 (only 6.0), but I can only get this error if I deliberately put wrong user credentials into the request.

I'm using a local user with super_user admin profile for all ADOMs in my setup.

I checked whether "set rpc-permit read" needs to be set for the user in CLI (config system admin user), but that's not the case for the SOAP API.

 

Regards,

Gabe

Gabriel Kälin, Systems Engineer Fortinet | Riedmühlestr. 8 | 8305 Dietlikon | Switzerland | E: gkaelin@fortinet.com | T: +41 79 882 80 98
brazz_FTNT

Hey, 

 

I do not have any access to 5.2.0 yet, but I just did a test with my devices (6.0.2) and I got the result below.

 

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:r20="http://r200806.ws.fmg.fortinet.com/">
  <soapenv:Header/>
  <soapenv:Body>
    <r20:searchFazLog>
      <!--Optional:-->
      <servicePass>
        <!--Optional:-->
        <userID>admin</userID>
        <!--Optional:-->
        <password></password>
      </servicePass>
      <!--Optional:-->
      <adom>test</adom>
      <!--Optional:-->
      <content>logs</content>
      <!--Optional:-->
      <format>rawFormat</format>
      <!--Optional:-->
      <deviceName></deviceName>
      <!--Optional:-->
      <vdom></vdom>
      <logType>traffic</logType>
      <!--Optional:-->
      <searchCriteria></searchCriteria>
      <maxNumMatches>30</maxNumMatches>
      <startIndex>1</startIndex>
      <checkArchive>0</checkArchive>
      <!--Optional:-->
      <DLPArchiveType>0</DLPArchiveType>
      <!--Optional:-->
      <compression>tar</compression>
    </r20:searchFazLog>
  </soapenv:Body>
</soapenv:Envelope>

Result:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns1="http://jaxb.dev.java.net/array" xmlns:ns3="http://r200806.ws.fmg.fortinet.com/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <ns3:searchFazLogResponse>
      <errorMsg>
        <errorCode>0</errorCode>
        <errorMsg>searchFazLog successfully</errorMsg>
      </errorMsg>
      <totalResultsFound>300</totalResultsFound>
      <matchesReturned>30</matchesReturned>
      <startIndex>1</startIndex>
      <logs>
        <data>
          <logEntry>date=2018-10-04 time=15:02:29 idseq=245935346670370822 bid=53641921 dvid=1463 itime=1538690910 euid=3 epid=150290 dsteuid=0 dstepid=150291 logflag=3 logver=60 proto=6 vrf=32 logid=0000000013 type=traffic subtype=forward level=notice action=accept policyid=1 sentbyte=2000 rcvdbyte=1000 sessionid=10033 srcport=10033 dstport=20 trandisp=noop duration=10 sentpkt=0 rcvdpkt=0 utmaction=block srcip=1.1.1.1 dstip=2.2.2.2 service=tcp/20 app=tcp/20 appcat=unscanned srcintf=dmz dstintf=internal srcintfrole=dmz dstintfrole=undefined dstcountry=France devtype=iPad osname=Apple osversion=ver mastersrcmac=01:01:01:01:01:01 srcmac=01:01:01:01:01:01 srccountry=Australia countssh=1 policytype=policy srcserver=0 dstdevtype="Android Phone" dstosname=Android dstosversion=ver masterdstmac=02:02:02:02:02:02 dstmac=02:02:02:02:02:02 dstserver=0 eventtime=1538690549 dstdevcategory=None devcategory=None devid=FWF60E4Q16025790 vd=5 devname=BBBBBBB utmref=BAQAAAAEAAABxBQAAEOW8aXs92m4BAAAAAF6Ptls=</logEntry>
        </data>
        <data>
          <logEntry>date=2018-10-04 time=15:02:29 idseq=245935346670370820 bid=53641924 dvid=1463 itime=1538690910 euid=3 epid=150290 dsteuid=0 dstepid=150291 logflag=1 logver=60 proto=6 vrf=32 logid=0000000013 type=traffic subtype=forward level=notice action=accept policyid=1 sentbyte=2000 rcvdbyte=1000 sessionid=10032 srcport=10032 dstport=20 trandisp=noop duration=10 sentpkt=0 rcvdpkt=0 utmaction=allow srcip=1.1.1.1 dstip=2.2.2.2 service=tcp/20 app=tcp/20 appcat=unscanned srcintf=dmz dstintf=internal srcintfrole=dmz dstintfrole=undefined dstcountry=France devtype=iPad osname=Apple osversion=ver mastersrcmac=01:01:01:01:01:01 srcmac=01:01:01:01:01:01 srccountry=Australia countssh=1 policytype=policy srcserver=0 dstdevtype="Android Phone" dstosname=Android dstosversion=ver masterdstmac=02:02:02:02:02:02 dstmac=02:02:02:02:02:02 dstserver=0 eventtime=1538690549 dstdevcategory=None devcategory=None devid=FWF60E4Q16025790 vd=5 devname=BBBBBBB utmref=BAQAAAAEAAABxAwAAEOW8aXs92m4BAAAAAF6Ptls=</logEntry>
        </data>
        <data>
          <logEntry>date=2018-10-04 time=15:02:29 idseq=245935346670370868 bid=53641590 dvid=1463 itime=1538690606 euid=3 epid=150290 dsteuid=0 dstepid=150291 logflag=3 logver=60 proto=6 vrf=32 logid=0000000013 type=traffic subtype=forward level=notice action=accept policyid=1 sentbyte=2000 rcvdbyte=1000 sessionid=30016 srcport=30016 dstport=20 trandisp=noop duration=10 sentpkt=0 rcvdpkt=0 utmaction=block srcip=1.1.1.1 dstip=2.2.2.2 service=tcp/20 app=tcp/20 appcat=unscanned srcintf=dmz dstintf=internal srcintfrole=dmz dstintfrole=undefined dstcountry=France threattyps="{\"Malicious Websites\"}" devtype=iPad osname=Apple osversion=ver mastersrcmac=01:01:01:01:01:01 srcmac=01:01:01:01:01:01 srccountry=Australia crscore=60 craction=4196352 countweb=1 hostname=www.abcd.com catdesc="Malicious Websites" policytype=policy srcserver=0 dstdevtype="Android Phone" dstosname=Android dstosversion=ver masterdstmac=02:02:02:02:02:02 dstmac=02:02:02:02:02:02 dstserver=0 eventtime=1538690549 threats={www.abcd.com} threatlvls={3} threatcnts={1} threatwgts={60} dstdevcategory=None devcategory=None devid=FWF60E4Q16025790 vd=5 devname=BBBBBBB utmref=BAQAAAAEAAAB3MwAAEOW8abs42m4BAAAAAC6Otls=</logEntry>
        </data>
        <data>
          <logEntry>date=2018-10-04 time=15:02:28 idseq=245935346670370848 bid=53641599 dvid=1463 itime=1538690606 euid=16499 epid=101 dsteuid=0 dstepid=101 logflag=3 logver=60 proto=6 vrf=32 logid=0000000010 type=traffic subtype=forward level=notice action=deny policyid=100 sentbyte=200 rcvdbyte=400 sessionid=90151 srcport=900 dstport=800 duration=20 srcip=172.16.78.32 dstip=1.1.1.32 service=tcp/800 user="test user" app=tcp/800 appcat=unscanned srcintf=unknown-0 dstintf=unknown-0 srcintfrole=undefined dstintfrole=undefined wanoptapptype=cifs wanin=400 wanout=300 lanin=200 lanout=100 dstcountry=Australia threattyps={blocked-connection} srccountry=Reserved crscore=30 craction=131072 crlevel=high policytype=proxy-policy eventtime=1538690549 authserver="test server" threats={blocked-connection} threatlvls={3} threatcnts={1} threatwgts={30} devid=FWF60E4Q16025790 vd=5 devname=BBBBBBB</logEntry>
        </data>
      </logs>
    </ns3:searchFazLogResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

I was getting that error though; the problem on my side was due to the admin certificate. Try creating a new super admin user and try again.

 

Please keep me posted. 

 

 

Cheers
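The exchange above, worked through as an added Python example that is not code from this thread or from Fortinet: it builds the same searchFazLog envelope with the credentials inside <servicePass> (the API does not read an HTTP Authorization header for this), then parses a reply, distinguishes errorCode 0 from the -101 "Invalid user/password or adom" case, and splits the raw key=value log entries. The endpoint URL and HTTP transport are omitted, and the two sample responses are constructed here, shortened from the replies posted in the thread.

```python
import shlex
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
R20_NS = "http://r200806.ws.fmg.fortinet.com/"


def build_search_request(user, password, adom, log_type="traffic", max_matches=30):
    """searchFazLog envelope shaped like the one posted above: credentials go in <servicePass>."""
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("r20", R20_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    call = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{R20_NS}}}searchFazLog")
    creds = ET.SubElement(call, "servicePass")
    ET.SubElement(creds, "userID").text = user
    ET.SubElement(creds, "password").text = password
    for tag, val in [("adom", adom), ("content", "logs"), ("format", "rawFormat"),
                     ("logType", log_type), ("maxNumMatches", str(max_matches)),
                     ("startIndex", "1"), ("checkArchive", "0")]:
        ET.SubElement(call, tag).text = val
    return ET.tostring(env, encoding="unicode")


def parse_search_response(xml_text):
    """Return (errorCode, errorMsg, entries); -101 is the 'Invalid user/password or adom' case."""
    root = ET.fromstring(xml_text)
    code = int(root.findtext(".//errorMsg/errorCode"))
    msg = root.findtext(".//errorMsg/errorMsg")
    entries = []
    for entry in root.iterfind(".//logs/data/logEntry"):
        # Raw logs are space-separated key=value pairs: shlex keeps "quoted values" whole and
        # split("=", 1) preserves the '=' padding of base64 values such as utmref.
        entries.append(dict(tok.split("=", 1) for tok in shlex.split(entry.text)))
    return code, msg, entries


# Constructed sample responses, shortened from the success and -101 replies posted in the thread.
OK_RESPONSE = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}" xmlns:ns3="{R20_NS}"><SOAP-ENV:Body>
<ns3:searchFazLogResponse><errorMsg><errorCode>0</errorCode><errorMsg>searchFazLog successfully</errorMsg></errorMsg>
<totalResultsFound>2</totalResultsFound><matchesReturned>2</matchesReturned><startIndex>1</startIndex><logs>
<data><logEntry>date=2018-10-04 time=15:02:29 type=traffic action=accept utmaction=block srcip=1.1.1.1 dstip=2.2.2.2 catdesc="Malicious Websites" utmref=QUJDRA==</logEntry></data>
<data><logEntry>date=2018-10-04 time=15:02:28 type=traffic action=deny user="test user" srcip=172.16.78.32 dstip=1.1.1.32</logEntry></data>
</logs></ns3:searchFazLogResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
DENIED_RESPONSE = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}" xmlns:ns3="{R20_NS}"><SOAP-ENV:Body>
<ns3:searchFazLogResponse><errorMsg><errorCode>-101</errorCode><errorMsg>Invalid user/password or adom</errorMsg></errorMsg>
<totalResultsFound>0</totalResultsFound><matchesReturned>0</matchesReturned><startIndex>0</startIndex><logs/>
</ns3:searchFazLogResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
```

Feed the body of a real reply to parse_search_response and treat errorCode -101 as an account or admin-profile problem rather than a transport error; a successful call returns 0 together with the parsed entries.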

deacs
New Contributor II

Thanks for your replies guys!

 

FortiGabe wrote:

I'm using a local user with super_user admin profile for all ADOMs in my setup.

brazz@fortinet.com wrote:

I was getting that error though; the problem on my side was due to the admin certificate. Try creating a new super admin user and try again.

 

I have only tried using a read-only local user (without super-admin privileges), as I only need to read logs and not change any configurations. Could you guys please try authenticating with the API using a local read-only account (due to bureaucracy reasons I am unable to try a super-admin just yet)? Or can the API only be used by the admin user?

 

@brazz_FTNT I see in your request body that your password field is empty. Did you empty it before posting to the forum, or was it empty when sending the request, and did you use an Authorization header to send the username and password to the server? Also, could you please post the whole API URL that you called?

 

Your guys' help is really appreciated!

 

 

brazz_FTNT

Hey,

 

deacs wrote:

I have only tried using a read-only local user (without super-admin privileges), as I only need to read logs and not change any configurations. Could you guys please try authenticating with the API using a local read-only account (due to bureaucracy reasons I am unable to try a super-admin just yet)? Or can the API only be used by the admin user?

 

I have tested with other Admin Profiles (Restricted_User and Standard_User) and I got the result below (like your case):

 

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns1="http://jaxb.dev.java.net/array" xmlns:ns3="http://r200806.ws.fmg.fortinet.com/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <ns3:searchFazLogResponse>
      <errorMsg>
        <errorCode>-101</errorCode>
        <errorMsg>Invalid user/password or adom</errorMsg>
      </errorMsg>
      <totalResultsFound>0</totalResultsFound>
      <matchesReturned>0</matchesReturned>
      <startIndex>0</startIndex>
      <logs/>
    </ns3:searchFazLogResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

So I assume we need to have a Super_Admin profile to perform this task.

deacs wrote:

I see in your request body that your password field is empty. Did you empty it before posting to the forum, or was it empty when sending the request, and did you use an Authorization header to send the username and password to the server?

 

It was my test, and I have not changed the factory-setting config on my devices.

 

Please let me know if you find this helpful. 

 

Cheers

 

deacs
New Contributor II

brazz@fortinet.com wrote:

So I assume we need to have a Super_Admin profile to perform this task.

Confirmed! The user must be a Super_Admin to be able to authenticate using the FAZ API.

 

Fantastic, I finally know what's potting. Thanks a million for your guys' help!
