Fortigate API works for everything but admin password change

toy4two · ‎04-19-2021

Example 1 works fine. Example 2 fails with a 403 status code. RestAPI Admin account is a super_admin with access to Global. debug cli on Fortigate shows no communication for 2 but full communication with 1. Scratching my head on this for a few days now. The "password" option seems to break it. These command come off the Fortinet Developer Network 6.2 API page. There is no password complexity requirements on this Fortigate.

Works Ex 1:

curl -k -X PUT "https://FORTIGAGE-FQDN-HERE:443/api/v2/cmdb/system/admin/USERNAME-HERE?access_token=ACCESS-TOKEN-HERE" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d "{ \"name\": \"USERNAME-HERE\", \"comments\": \"This is a comment\"}"

Fails Ex 2:

curl -k -X PUT "https://FORTIGAGE-FQDN-HERE:443/api/v2/cmdb/system/admin/USERNAME-HERE?access_token=ACCESS-TOKEN-HERE" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d "{ \"name\": \"USERNAME-HERE\", \"password\": \"PASSWORD-HERE\", \"comments\": \"This is a comment\"}"

emnoc · ‎04-20-2021

So. I tested this and what I believe is, the api-user can not change sys-admin passwords with just a PUT or POST.

You can create a new admin but you can not change the password of the system admin. You can only change the other parameters of the system admin

To create a new admin with HTTP-POST json format data

{ "name":"systemadmin111", "comments":"pushed via. API", "password":"hotshotDiDiO", "accprofile" : "super_admin",}

To change a new admin attributes with HTTP-PUT json format data

{ "name":"systemadmin111", "comments":"change me", "accprofile" : "prof_admin", "schedule" : "none", }

curl -X POST -d @./createuser -k "https://x.x.x.x/api/v2/cmdb/system/admin?access_token=1xhG14ytfQ50wn0sNsxcgzpf2pW888" -H Content-Type: application/json curl -X PUT -d @./changeuser -k "https://x.x.x.x/api/v2/cmdb/system/admin/systemadmin111?access_token=1xhG14ytfQ50wn0sNsxcgzpf2pW888" -H Content-Type: application/json curl -k "https://x.x.x.x/api/v2/cmdb/system/admin/systemadmin111?access_token=1xhG14ytfQ50wn0sNsxcgzpf2pW888" -H Content-Type: application/json I would have to see if something else is doable but my testing shows if you use password or passwd and with HTTP-PUT it does not make any changes. A side note , if you do not set a password in your json body , fortios will create the user with password and allow you to login as-is the same holds true if you did it via the cli but if you use the webUI the password is mandatory. I was shock to say the least that you could even craft a system admin with no-password. Ken Felix

PCNSE

NSE

StrongSwan

View solution in original post

emnoc · ‎04-20-2021

yeah I ran into this also but never spent time investigating until you post this thread. I still believe FTNT put some type of hook in NOT allowing you permission to change existing admin.

It's the same for sms-phone also. You can see more of it when you make the API call

diag debug reset

diag debug enable

diag debug app httpsd -1

And then call the PUT and you will get the "deny for blah blah blah" and status code 403.

PCNSE

NSE

StrongSwan

View solution in original post

ainesbaptist · ‎07-27-2022

All these terms and examples are difficult for me. It is a shame to admit it. However, I began to delve into this topic only recently. Therefore, you should turn to knowledgeable specialists in this field. Btw, I started using the https://www.zaptest.com/hyperautomation services last week. I inherited my father’s business six months ago. I don’t know anything about it. So, I have to get knowledge and experience in a hurry. It’s annoying and morally oppressive. Maybe I should sell it? What do you think?

Fortigate API works for everything but admin password change

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website