Hi,

i have two Fortigate 200F (v7.0.9 build 0444) devices where GET request with access_token is working only for one of them. access_token is generated in GUI for API user. I checked rights and they are same.

Scenario:
Working Device1:

curl -X GET -g -k --noproxy '*' https://[ipv6]/api/v2/monitor/system/status?access_token=123445664785dadadasdad

{

  "http_method":"GET",

  "results":{

    "model_name":"FortiGate",

    "model_number":"200F",

    "model":"FG200F",

    "hostname":"Device1,

    "log_disk_status":"not_available"

  }

Not working Device2:

curl -X GET -g -k --noproxy '*' https://[ipv6]:8443/api/v2/monitor/system/status?access_token=asdasdasdasda5dasdadad8adsd

<title>429 Too Many Requests</title>

</head><body>

<h1>Too Many Requests</h1>

<p>The user has sent too many requests

in a given amount of time.</p>

<p>Additionally, a 429 Too Many Requests

error was encountered while trying to use an ErrorDocument to handle the request.</p>

</body></html>

however, if i create access_token with POST request using user with ADMIN rights:

curl -X POST -g -k --noproxy '*' -d '{"username":"myuser","secretkey":"hidden","ack_pre_disclaimer":true,"request_key":True,"ack_post_disclaimer":true}' -H "Content-Tye: application/json" https://[device2]:8443/api/v2/authentication

returns:

{

  "status_code":5,

  "status_message":"LOGIN_SUCCESS",

  "session_key":"a5a5a5a5a5a5adasda8sd8sd8ewerfgfg",

  "session_key_timeout":"30"

}

following GET request returns needed data:

curl -X GET -g -k --noproxy '*' https://[device2]:8443/api/v2/monitor/system/status/?access_token=a5a5a5a5a5a5adasda8sd8sd8ewerfgfg

{

  "http_method":"GET",

  "results":{

    "model_name":"FortiGate",

    "model_number":"200F",

    "model":"FG200F",

    "hostname":"Device2",

    "log_disk_status":"not_available"

  }

Does anyone had a same issue? What can be a reason?

Thanks