Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AtiT
Valued Contributor

Restrict REST API URL on FortiGate

Hello,

Is it possible to restrict the REST API URL to a specific URL only?

 

We would like to use webhooks where the URL looks like:
.../api/v2/monitor/system/automation-stitch/webhook/Webhook_Disable_FW_Rule_111

 

But the JSON REST API URL looks like:
.../api/v2/cmdb/firewall/policy/111

 

If we enable Webhook for the REST API admin it works. But also this REST API admin can call JSON queries and configure the part of the firewall that the REST API admin is allowed in the admin profile.
We would like to restrict/block the JSON API and allow the Webhook only.
It means that for example we can allow URL .../api/v2/monitor/* and block anything else.


Is it possible to do it somehow?

AtiT

AtiT
4 REPLIES 4
Anthony_E
Community Manager
Community Manager

Hello AtiT,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
ebilcari
Staff
Staff

If you have a FortiWeb deployed you can put it in the middle to manipulate URLs (Send 403 Forbidden for example). I guess from FGT you can't be so granular to limit access based only on the URL string.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
emnoc
Esteemed Contributor III

I have never heard of a restriction by URl but have you limited the rest API user's permissions to read at the bare min?

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
emnoc
Esteemed Contributor III

edit to add;

 

1: you might be able to control URL access by forcing the user thru a proxy

2: you could  enable CORS and limit the access even further

 

============squid =====

acl apiuser_src src 192.168.1.111

# let's assume the explicit proxy src_ip == 1.1.1.111

#

acl apiuser_url url_regex ^http://blahblah/api/v2/monitor/.*

http_access allow apiuser_src apiuser_url

http_access deny apiuser_src

 

=======================

 

fortios:

 

config system api-user

    edit "apiuserken"

        set comments ''

        set api-key ENC SH2DLrHipevPp+FZSfWb10d8WSoBJZxVZnSoRpOD/vfdP1tZWCZrTCpskcPmS8=

        set accprofile "APIusers"

        set vdom "root"

        set schedule ''

        set cors-allow-origin http://127.0.1.1:666

        set peer-auth disable

        config trusthost

            edit 1

                set type ipv4-trusthost

                set ipv4-trusthost 1.1.1.111 255.255.255.255

            next

        end

    next

end

===========

 

 

The api call would like

 

 

curl -v -k -H "Origin:  https://127.0.1.1:666" "https://192.168.1.99/api/v2/monitor/<uri blah blah>"

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors