Restrict REST API URL on FortiGate
Hello,
Is it possible to restrict the REST API URL to a specific URL only?
We would like to use webhooks where the URL looks like:
.../api/v2/monitor/system/automation-stitch/webhook/Webhook_Disable_FW_Rule_111
But the JSON REST API URL looks like:
.../api/v2/cmdb/firewall/policy/111
If we enable Webhook for the REST API admin, it works. But this REST API admin can also call JSON queries and configure the part of the firewall that the REST API admin is allowed to in the admin profile.
We would like to restrict/block the JSON API and allow the Webhook only.
That is, for example, we would allow the URL .../api/v2/monitor/* and block anything else.
Is it possible to do it somehow?
AtiT
Labels: FortiGate
Hello AtiT,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
If you have a FortiWeb deployed, you can put it in the middle to manipulate URLs (send 403 Forbidden, for example). I guess from the FGT you can't be so granular as to limit access based only on the URL string.
If you have found a solution, please like and accept it to make it easily accessible for others.
I have never heard of a restriction by URL, but have you limited the REST API user's permissions to read-only at the bare minimum?
PCNSE
NSE
StrongSwan
Created on 10-31-2023 08:45 PM, edited on 11-01-2023 02:11 AM by Stephen_G
Edit to add:
1: you might be able to control URL access by forcing the user through a proxy
2: you could enable CORS and limit the access even further
===== squid =====
# Explicit proxy in front of the FortiGate: the API caller (192.168.1.111) may only
# reach /api/v2/monitor/... ; everything else from that source is denied.
# Assume the proxy's own source address, as seen by the FortiGate, is 1.1.1.111
# (that is the address the trusthost below is set to).
acl apiuser_src src 192.168.1.111
# url_regex matches the full request URL, so the scheme must be https to match the
# API call. For HTTPS the proxy only sees "CONNECT host:port" unless it terminates
# TLS (ssl_bump); the path rule therefore only applies to bumped traffic.
acl apiuser_url url_regex ^https://blahblah/api/v2/monitor/.*
http_access allow apiuser_src apiuser_url
http_access deny apiuser_src
=================
===== fortios =====
config system api-user
    edit "apiuserken"
        set comments ''
        # the key is stored encrypted; the cleartext token is shown only when generated
        set api-key ENC SH2DLrHipevPp+FZSfWb10d8WSoBJZxVZnSoRpOD/vfdP1tZWCZrTCpskcPmS8=
        set accprofile "APIusers"
        set vdom "root"
        set schedule ''
        # cors-allow-origin only controls the Access-Control-Allow-Origin header that
        # browsers enforce; a non-browser client such as curl is not blocked by it,
        # so the trusthost below is the effective restriction
        set cors-allow-origin http://127.0.1.1:666
        set peer-auth disable
        config trusthost
            edit 1
                set type ipv4-trusthost
                # only the proxy's address may use this API user
                set ipv4-trusthost 1.1.1.111 255.255.255.255
            next
        end
    next
end
===================
The API call would look like (the Origin header must match the configured cors-allow-origin value exactly, scheme included):
curl -v -k -H "Origin: http://127.0.1.1:666" "https://192.168.1.99/api/v2/monitor/<uri blah blah>"
PCNSE
NSE
StrongSwan
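As an added example (not from the thread, and not Fortinet or Squid code), the allow-list decision a front proxy such as the one above has to make, in Python: a strict rule built from the question's webhook URL, checked against the normalised path, beside the loose prefix rule in the shape of the squid url_regex. Hosts, paths and stitch names are taken from the thread or are constructed samples.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Strict rule (constructed from the question's webhook URL): only automation-stitch
# webhook calls with a plain stitch name are permitted.
STRICT = re.compile(r"^/api/v2/monitor/system/automation-stitch/webhook/[A-Za-z0-9_\-]+$")

# Loose prefix rule, the shape used in the squid url_regex above, applied to the path only.
LOOSE = re.compile(r"^/api/v2/monitor/")


def normalize_path(raw_path: str) -> str:
    """Decode percent-encoding once and collapse '.' / '..' segments.

    Without this step "/api/v2/monitor/../cmdb/..." satisfies a prefix rule
    while the backend resolves it to "/api/v2/cmdb/...".
    """
    path = unquote(raw_path)
    norm = posixpath.normpath(path)
    return norm + "/" if path.endswith("/") and not norm.endswith("/") else norm


def strict_allowed(url: str) -> bool:
    """Allow-list decision for a FortiGate REST call: HTTPS only, normalised path, exact rule."""
    parts = urlsplit(url)
    if parts.scheme != "https":  # the FortiGate REST API is served over HTTPS only
        return False
    return STRICT.match(normalize_path(parts.path)) is not None


def loose_allowed(url: str) -> bool:
    """Prefix match on the raw, un-normalised path (for comparison only)."""
    return LOOSE.match(urlsplit(url).path) is not None


if __name__ == "__main__":
    # Constructed samples: the two URLs from the question plus two traversal variants.
    base = "https://192.168.1.99"  # FortiGate address from the curl example above
    samples = [
        base + "/api/v2/monitor/system/automation-stitch/webhook/Webhook_Disable_FW_Rule_111",
        base + "/api/v2/cmdb/firewall/policy/111",
        base + "/api/v2/monitor/../cmdb/firewall/policy/111",
        base + "/api/v2/monitor/%2e%2e/cmdb/firewall/policy/111",
    ]
    for u in samples:
        print(f"strict={strict_allowed(u)!s:5} loose={loose_allowed(u)!s:5} {u}")
```

The last two samples pass the loose prefix rule but are denied by the strict one, which is why the match should run on the normalised path rather than the raw URL string.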
