- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate 60E REST API
Hi there,
i want to reboot my FortiGate 60E via the REST-API. Im using this endpoint:
doing this Request(obviously already authenticated):
curl -k -i -H "Accept: application/json" -X POST "https://ip:port/api/v2/monitor/system/os/reboot" --cookie cookie.txt
But I receive a Forbidden:
{
"http_method":"POST",
"status":"error",
"http_status":403,
"vdom":"root",
"path":"system",
"name":"os",
"action":"reboot",
"serial":"serial",
"version":"v6.0.5",
"build":268
}
How do I reboot the FortiGate via REST API?
PS: Im trying this with a user who has RW permission on all Categorys
Thank you!
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Btw just tested and it works for me using the CSRFTOKEN also ;)
supports-MacBook-Pro:Downloads ken$ cat fgtcookies # Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk. #HttpOnly_192.168.1.99 FALSE / TRUE 0 APSCOOKIE_79100365 "Era%3D0%26Payload%3DBqjjbe7htCOsFsYzarB2IEMxijyyM0neq8nLlRqdPhTTvad7eL0LZpsb161uxmQC%0AsYzlEA9fitnCbWPkYrtdAXttq3v+u7JbmALCfl5T+ALAE1e1dgquZbFA7iWbn%2FRX%0AjMI7Pvc0zLzCbKRaSWynEw4C2gQXazjG9tdCsTkjydzANRRwh6uulPiNj%2F83T8bg%0Al3DihIFtCw8WjHnA%2F+xK2Q%3D%3D%0A%26AuthHash%3DCA4eiUKEM0zcXjGIij0hoUdQwG4A%0A"192.168.1.99 FALSE / TRUE 0 ccsrftoken_79100365 "FB4B8AD9C51C5E5CBEBECD63EE2457A9"192.168.1.99 FALSE / TRUE 0 ccsrftoken "FB4B8AD9C51C5E5CBEBECD63EE2457A9" supports-MacBook-Pro:Downloads ken$ curl -X POST -s -b fgtcookies -k -H "Content-Type: application/json" -H "X-CSRFTOKEN: FB4B8AD9C51C5E5CBEBECD63EE2457A9" https://192.168.1.99/api/..onitor/system/os/rebootsupports-MacBook-Pro:Downloads ken$ ping 8.8.8.8PING 8.8.8.8 (8.8.8.8): 56 data bytesRequest timeout for icmp_seq 0Request timeout for icmp_seq 1Request timeout for icmp_seq 2 I use my admin account so that profile show be able to reboot the appliance. Cookies were grabbed on the logincheck by using this approach http://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html YMMV but I didn't have any issues once I had the right URI in either case e.g /api/v2/monitor/system/os/reboot vrs /api/v2/monitor/system/dashboard/reboot I still think your profile is not correct for sysgrp and the action:reboot, just my hunch and this might lead into the 4xx status codes that are coming back. Ken Felix
PCNSE
NSE
StrongSwan
- « Previous
-
- 1
- 2
- Next »
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Btw just tested and it works for me using the CSRFTOKEN also ;)
supports-MacBook-Pro:Downloads ken$ cat fgtcookies # Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk. #HttpOnly_192.168.1.99 FALSE / TRUE 0 APSCOOKIE_79100365 "Era%3D0%26Payload%3DBqjjbe7htCOsFsYzarB2IEMxijyyM0neq8nLlRqdPhTTvad7eL0LZpsb161uxmQC%0AsYzlEA9fitnCbWPkYrtdAXttq3v+u7JbmALCfl5T+ALAE1e1dgquZbFA7iWbn%2FRX%0AjMI7Pvc0zLzCbKRaSWynEw4C2gQXazjG9tdCsTkjydzANRRwh6uulPiNj%2F83T8bg%0Al3DihIFtCw8WjHnA%2F+xK2Q%3D%3D%0A%26AuthHash%3DCA4eiUKEM0zcXjGIij0hoUdQwG4A%0A"192.168.1.99 FALSE / TRUE 0 ccsrftoken_79100365 "FB4B8AD9C51C5E5CBEBECD63EE2457A9"192.168.1.99 FALSE / TRUE 0 ccsrftoken "FB4B8AD9C51C5E5CBEBECD63EE2457A9" supports-MacBook-Pro:Downloads ken$ curl -X POST -s -b fgtcookies -k -H "Content-Type: application/json" -H "X-CSRFTOKEN: FB4B8AD9C51C5E5CBEBECD63EE2457A9" https://192.168.1.99/api/..onitor/system/os/rebootsupports-MacBook-Pro:Downloads ken$ ping 8.8.8.8PING 8.8.8.8 (8.8.8.8): 56 data bytesRequest timeout for icmp_seq 0Request timeout for icmp_seq 1Request timeout for icmp_seq 2 I use my admin account so that profile show be able to reboot the appliance. Cookies were grabbed on the logincheck by using this approach http://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html YMMV but I didn't have any issues once I had the right URI in either case e.g /api/v2/monitor/system/os/reboot vrs /api/v2/monitor/system/dashboard/reboot I still think your profile is not correct for sysgrp and the action:reboot, just my hunch and this might lead into the 4xx status codes that are coming back. Ken Felix
PCNSE
NSE
StrongSwan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I lookup the httpsd log you just mentioned, is there a CLI command? ( I have not a lot of experience with these Fortinet, Im just a software-dev :-/)?
diag debug enable
diag debug application httpsd -1
But you should earlier logs so I guess you figured that part out? I would just open 2 ssh sessions and do the debugging in the 2nd session but you're on the right track.
Do you have a 2nd unit that you can test on ?
Ken Felix
PCNSE
NSE
StrongSwan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Every other API call that I've found was not working for me.
So I just did the reboot through the Webclient and inspected the network traffic, since the Webclient obviously also uses the REST API.
There I found the endpoint I just posted. This is the same endpoint the Webclient calls on a reboot.
If I generate a new API_USER or a new Token doesnt make any difference. How do I lookup the httpsd log you just mentioned, is there a CLI command? ( I have not a lot of experience with these Fortinet, Im just a software-dev :-/)?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, its working now! I rebooted the device and everything is working just fine now, dont know what happened. Thank you!
PS: Not whole trueth! Also got a typo for the Header ....
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good, I was going to point out that one of a dev-ops developer was doing something where his script overwrote the token and the token was bad or invalid. I believe that will give you a 401 also iirc, so I was going to suggest that you validate that this is not what is happening.
The API_USER is much user-friendly than the CSFRTOKEN imho.
I would also suggest if you're developing towards the API, to use something like PostMAN. I do like 99% of my API diag, debug or research with it, and it very helpful if you want to save and share your collections. ,
https://www.getpostman.com I begin to tell you how many cases I worked where API credentials were hosed up, expired, wrong,etc........ Ken Felix
PCNSE
NSE
StrongSwan
- « Previous
-
- 1
- 2
- Next »
