Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
hermgerm
New Contributor

FortiGate 60E REST API

Hi there,

 

i want to reboot my FortiGate 60E via the REST-API. Im using this endpoint:

 

doing this Request(obviously already authenticated):


curl -k -i -H "Accept: application/json" -X POST "https://ip:port/api/v2/monitor/system/os/reboot" --cookie cookie.txt

 

But I receive a Forbidden:

 

{
  "http_method":"POST",
  "status":"error",
  "http_status":403,
  "vdom":"root",
  "path":"system",
  "name":"os",
  "action":"reboot",
  "serial":"serial",
  "version":"v6.0.5",
  "build":268
}

 

How do I reboot the FortiGate via REST API?

 

PS: Im trying this with a user who has RW permission on all Categorys

Thank you!

1 Solution
emnoc
Esteemed Contributor III

Btw just tested and it works for me using the CSRFTOKEN  also ;)

 

 

supports-MacBook-Pro:Downloads ken$ cat fgtcookies # Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk. #HttpOnly_192.168.1.99 FALSE / TRUE 0 APSCOOKIE_79100365 "Era%3D0%26Payload%3DBqjjbe7htCOsFsYzarB2IEMxijyyM0neq8nLlRqdPhTTvad7eL0LZpsb161uxmQC%0AsYzlEA9fitnCbWPkYrtdAXttq3v+u7JbmALCfl5T+ALAE1e1dgquZbFA7iWbn%2FRX%0AjMI7Pvc0zLzCbKRaSWynEw4C2gQXazjG9tdCsTkjydzANRRwh6uulPiNj%2F83T8bg%0Al3DihIFtCw8WjHnA%2F+xK2Q%3D%3D%0A%26AuthHash%3DCA4eiUKEM0zcXjGIij0hoUdQwG4A%0A"192.168.1.99 FALSE / TRUE 0 ccsrftoken_79100365 "FB4B8AD9C51C5E5CBEBECD63EE2457A9"192.168.1.99 FALSE / TRUE 0 ccsrftoken "FB4B8AD9C51C5E5CBEBECD63EE2457A9"  supports-MacBook-Pro:Downloads ken$ curl -X POST -s -b fgtcookies -k -H "Content-Type: application/json" -H "X-CSRFTOKEN: FB4B8AD9C51C5E5CBEBECD63EE2457A9"   https://192.168.1.99/api/..onitor/system/os/rebootsupports-MacBook-Pro:Downloads ken$ ping 8.8.8.8PING 8.8.8.8 (8.8.8.8): 56 data bytesRequest timeout for icmp_seq 0Request timeout for icmp_seq 1Request timeout for icmp_seq 2 I use my admin account so that profile show be able to reboot the appliance. Cookies were grabbed on the logincheck by using this approach http://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html YMMV but I didn't have any issues once I had the right URI in either case  e.g /api/v2/monitor/system/os/reboot  vrs /api/v2/monitor/system/dashboard/reboot I still think your profile is not correct for sysgrp and the action:reboot, just my hunch and this might lead into the 4xx status codes that are coming back. Ken Felix

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
14 REPLIES 14
emnoc
Esteemed Contributor III

Btw just tested and it works for me using the CSRFTOKEN  also ;)

 

 

supports-MacBook-Pro:Downloads ken$ cat fgtcookies # Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk. #HttpOnly_192.168.1.99 FALSE / TRUE 0 APSCOOKIE_79100365 "Era%3D0%26Payload%3DBqjjbe7htCOsFsYzarB2IEMxijyyM0neq8nLlRqdPhTTvad7eL0LZpsb161uxmQC%0AsYzlEA9fitnCbWPkYrtdAXttq3v+u7JbmALCfl5T+ALAE1e1dgquZbFA7iWbn%2FRX%0AjMI7Pvc0zLzCbKRaSWynEw4C2gQXazjG9tdCsTkjydzANRRwh6uulPiNj%2F83T8bg%0Al3DihIFtCw8WjHnA%2F+xK2Q%3D%3D%0A%26AuthHash%3DCA4eiUKEM0zcXjGIij0hoUdQwG4A%0A"192.168.1.99 FALSE / TRUE 0 ccsrftoken_79100365 "FB4B8AD9C51C5E5CBEBECD63EE2457A9"192.168.1.99 FALSE / TRUE 0 ccsrftoken "FB4B8AD9C51C5E5CBEBECD63EE2457A9"  supports-MacBook-Pro:Downloads ken$ curl -X POST -s -b fgtcookies -k -H "Content-Type: application/json" -H "X-CSRFTOKEN: FB4B8AD9C51C5E5CBEBECD63EE2457A9"   https://192.168.1.99/api/..onitor/system/os/rebootsupports-MacBook-Pro:Downloads ken$ ping 8.8.8.8PING 8.8.8.8 (8.8.8.8): 56 data bytesRequest timeout for icmp_seq 0Request timeout for icmp_seq 1Request timeout for icmp_seq 2 I use my admin account so that profile show be able to reboot the appliance. Cookies were grabbed on the logincheck by using this approach http://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html YMMV but I didn't have any issues once I had the right URI in either case  e.g /api/v2/monitor/system/os/reboot  vrs /api/v2/monitor/system/dashboard/reboot I still think your profile is not correct for sysgrp and the action:reboot, just my hunch and this might lead into the 4xx status codes that are coming back. Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
emnoc
Esteemed Contributor III

How do I lookup the httpsd log you just mentioned, is there a CLI command? ( I have not a lot of experience with these Fortinet, Im just a software-dev :-/)?

 

diag debug enable

diag debug application httpsd -1

 

But you should earlier logs so I guess you figured that part out? I would just open 2 ssh sessions and do the debugging in the 2nd session but you're on the right track.

 

Do you have a 2nd unit that you can test on ?

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
hermgerm

Every other API call that I've found was not working for me.

 

 

So I just did the reboot through the Webclient and inspected the network traffic, since the Webclient obviously also uses the REST API.

There I found the endpoint I just posted. This is the same endpoint the Webclient calls on a reboot.

 

If I generate a new API_USER or a new Token doesnt make any difference. How do I lookup the httpsd log you just mentioned, is there a CLI command? ( I have not a lot of experience with these Fortinet, Im just a software-dev :-/)?

hermgerm

Ok, its working now! I rebooted the device and everything is working just fine now, dont know what happened. Thank you!

 

PS: Not whole trueth! Also got a typo for the Header .... 

emnoc
Esteemed Contributor III

Good, I was going to point out that one of a dev-ops developer was doing something where his script overwrote the token and the token was bad or invalid. I believe that will give you a 401 also iirc, so I was going to suggest that you validate that this is not what is happening.

 

The API_USER is much user-friendly than the CSFRTOKEN imho.

 

I would also suggest if you're developing towards the API,  to use something like PostMAN. I do like 99% of my API diag, debug or research with it, and it very helpful if you want to save and share your collections. , 

https://www.getpostman.com   I begin to tell you how many cases I worked where API credentials were hosed up, expired, wrong,etc........   Ken Felix  

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors