Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Hyjaal
New Contributor II

Fortigate - Add an ip address with API

Hi,

 

I'm trying to add ip addresses to my Fortigate but I'm getting an HTTP Forbidden.

Here are the commands I run:
curl -k -i -X POST https://X.X.X.X/logincheck -d "username=apiuser&secretkey=apiuser" --dump-header header.txt -c cookies.txt
curl -k -i -X POST https://X.X.X.X/api/v2/cmdb/firewall/address -d "{'name':'test','subnet':'1.1.1.1/32' }" -b header.txt

 

My user apiuser has the profile super_admin.

 

Do you know why I'm getting an HTTP/1.1 403 Forbidden?

 

Thank you in advance.

 

All the best,
Hyjaal

1 Solution
Hyjaal
New Contributor II

Hello,

 

I just found my answer :)

 

Here are the commands:

curl -k -c fgtcookies -d username=apiuser -d secretkey=apiuser https://X.X.X.X/logincheck


token=$(grep token fgtcookies | awk -F '"' '{print $2}')

 

curl -s -b fgtcookies -k -X POST -H "Content-Type: application/json" -d "{'name':'test','subnet':'1.1.1.1/32' }" -H "X-CSRFTOKEN: $token" https://X.X.X.X/api/v2/cmdb/firewall/address

 

curl -k -i -X GET https://X.X.X.X/logout -b fgtcookies

 

 

This method allows you to create hosts.For example, I was able to create 3 hosts :
test1 1.1.1.1/32
test2 1.1.1.2/32
test3 1.1.1.3/32

 

 

Hyjaal

View solution in original post

5 REPLIES 5
ozkanaltas
Valued Contributor III

Hello @Hyjaal ,

 

For Fortigate doesn't need to api-username on the request. 

 

Can you try it like that? 

 

curl -k -i -X POST https://X.X.X.X/api/v2/cmdb/firewall/address?access_token=<YOUR_API_KEY> -d "{'name':'test','subnet':'1.1.1.1/32' }"

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-About-REST-API/ta-p/195425

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Hyjaal
New Contributor II

Hello @ozkanaltas,

 

I don't have an API KEY as I use session cookies.

 

apiuser is an administrator account and not REST API Admin, I don't know if it makes a difference.

 

I don't see myself generating an API KEY on each of my Fortigates (~500devices)

 

If I can't use session cookies, is there a cli command to generate the token?

 

Have a nice day,
Hyjaal

ozkanaltas
Valued Contributor III

Hello @Hyjaal ,

 

Can you try your request with "cookies.txt"?

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Use-REST-API-Access-FortiGate/ta-p/196540 

 

This will generate 2 files:

headers.txt:   It contains all information about the authentication. This file will be needed for GET commands
cookies.txt:   It contain the cookie generated for the authentication. This file will be needed for POST commands

 

 

If you want to create the rest API user and key via cli you can follow this document.

 

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/399023/rest-api-administrato...

 

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Hyjaal
New Contributor II

 

hi,

 

I confirm that it works by calling the cookies.txt file.

 

curl -k -i -X GET https://X.X.X.X/api/v2/cmdb/router/static -b cookies.txt | grep -i "seq"
% Total % Received % Xferd Average Speed Time Time Time Current
Download Upload Total Spent Left Speed
100 2277 100 2277 0 0 12005 0 --:--:-- --:--:-- --:--:-- 12047
"seq-num":1,
"seq-num":2,
"seq-num":3,

 

That's why I don't understand why I have an HTTP Forbidden for adding an ip address

Hyjaal
New Contributor II

Hello,

 

I just found my answer :)

 

Here are the commands:

curl -k -c fgtcookies -d username=apiuser -d secretkey=apiuser https://X.X.X.X/logincheck


token=$(grep token fgtcookies | awk -F '"' '{print $2}')

 

curl -s -b fgtcookies -k -X POST -H "Content-Type: application/json" -d "{'name':'test','subnet':'1.1.1.1/32' }" -H "X-CSRFTOKEN: $token" https://X.X.X.X/api/v2/cmdb/firewall/address

 

curl -k -i -X GET https://X.X.X.X/logout -b fgtcookies

 

 

This method allows you to create hosts.For example, I was able to create 3 hosts :
test1 1.1.1.1/32
test2 1.1.1.2/32
test3 1.1.1.3/32

 

 

Hyjaal

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors