Hello,
Is it possible to restrict the REST API URL to a specific URL only?
We would like to use webhooks where the URL looks like:
.../api/v2/monitor/system/automation-stitch/webhook/Webhook_Disable_FW_Rule_111
But the JSON REST API URL looks like:
.../api/v2/cmdb/firewall/policy/111
If we enable the webhook for the REST API admin, it works. But this REST API admin can also call JSON queries and configure the parts of the firewall that the REST API admin is allowed in the admin profile.
We would like to restrict/block the JSON API and allow the Webhook only.
It means that for example we can allow URL .../api/v2/monitor/* and block anything else.
Is it possible to do it somehow?
AtiT
Hello AtiT,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
If you have a FortiWeb deployed you can put it in the middle to manipulate URLs (Send 403 Forbidden for example). I guess from FGT you can't be so granular to limit access based only on the URL string.
I have never heard of a restriction by URL, but have you limited the REST API user's permissions to read at the bare minimum?
PCNSE
NSE
StrongSwan
Created on 10-31-2023 08:45 PM Edited on 11-01-2023 02:11 AM By Stephen_G
Edit to add:
1: You might be able to control URL access by forcing the user thru a proxy
2: You could enable CORS and limit the access even further
============squid =====
acl apiuser_src src 192.168.1.111
# let's assume the explicit proxy src_ip == 1.1.1.111
#
acl apiuser_url url_regex ^http://blahblah/api/v2/monitor/.*
http_access allow apiuser_src apiuser_url
http_access deny apiuser_src
=======================
fortios:
config system api-user
    edit "apiuserken"
        set comments ''
        set api-key ENC SH2DLrHipevPp+FZSfWb10d8WSoBJZxVZnSoRpOD/vfdP1tZWCZrTCpskcPmS8=
        set accprofile "APIusers"
        set vdom "root"
        set schedule ''
        set cors-allow-origin http://127.0.1.1:666
        set peer-auth disable
        config trusthost
            edit 1
                set type ipv4-trusthost
                set ipv4-trusthost 1.1.1.111 255.255.255.255
            next
        end
    next
end
===========
The API call would look like:
curl -v -k -H "Origin: https://127.0.1.1:666" "https://192.168.1.99/api/v2/monitor/<uri blah blah>"
PCNSE
NSE
StrongSwan
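A URL filter in front of the API, as suggested in the reply above, only restricts access to `/api/v2/monitor/` if the path is normalised before it is compared with the prefix. The following Python check is an added example, not part of the original posts and not Squid or FortiOS code; the host `blahblah` is the placeholder from the post, and the function names `naive_match` and `is_allowed` are hypothetical.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

ALLOWED_HOST = "blahblah"            # placeholder host taken from the squid ACL in the post
ALLOWED_PREFIX = "/api/v2/monitor/"  # monitor tree only; the webhook URL lives under it
NAIVE = re.compile(r"^http://blahblah/api/v2/monitor/.*")  # pattern from the post


def naive_match(url: str) -> bool:
    """Regex match on the raw, un-normalised URL string."""
    return NAIVE.match(url) is not None


def is_allowed(url: str) -> bool:
    """True only if the URL resolves to a path under ALLOWED_PREFIX on ALLOWED_HOST."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname != ALLOWED_HOST:
        return False
    path = parts.path
    # Decode percent-escapes until stable; refuse anything still changing after 3 rounds.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return False
    if "\\" in path or "\x00" in path:
        return False
    # Collapse "." and ".." segments, then compare the result with the prefix.
    normalized = posixpath.normpath(path)
    if path.endswith("/"):
        normalized += "/"
    return normalized.startswith(ALLOWED_PREFIX)


if __name__ == "__main__":
    # Constructed sample URLs, built from the two paths quoted in the question.
    samples = [
        "http://blahblah/api/v2/monitor/system/automation-stitch/webhook/Webhook_Disable_FW_Rule_111",
        "http://blahblah/api/v2/cmdb/firewall/policy/111",
        "http://blahblah/api/v2/monitor/../cmdb/firewall/policy/111",
        "http://blahblah/api/v2/monitor/%2e%2e/cmdb/firewall/policy/111",
    ]
    for url in samples:
        print(f"naive={naive_match(url)!s:5} strict={is_allowed(url)!s:5} {url}")
```

Whatever proxy enforces the rule should be verified against the same request shapes, since a raw string match and a normalised comparison disagree on the last two samples.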
Copyright 2024 Fortinet, Inc. All Rights Reserved.