The below code works for both a GET or PUT and I get back status 200. The issue I have is that nothing in application-list or ips-sensor gets created on POST or updated on PUT.
If I create the policy, then add the IPS and APP through the web UI to something... and then run the PUT, it doesn't update the values. In all cases I get a status 200.
{
    "policyid": "{{ rule_id }}",
    "status": "enable",
    "name": "{{ rule_name }}",
    "srcintf": [
        {% for iface in srcintf %}
        { "name": "{{ iface.name }}" }{% if not loop.last %},{% endif %}
        {% endfor %}
    ],
    "dstintf": [
        {% for iface in dstintf %}
        { "name": "{{ iface.name }}" }{% if not loop.last %},{% endif %}
        {% endfor %}
    ],
    "action": "accept",
    "srcaddr": [
        {
            "name": "100.119.64.0_24"
        }
    ],
    "dstaddr": [
        {% for addr in ip_address %}
        { "name": "{{ addr.name }}" }{% if not loop.last %},{% endif %}
        {% endfor %}
    ],
    "service": [
        {% for svc in service %}
        { "name": "{{ svc.name }}" }{% if not loop.last %},{% endif %}
        {% endfor %}
    ],
    "http-policy-redirect": "disable",
    "ssh-policy-redirect": "disable",
    "ztna-policy-redirect": "disable",
    "profile-type": "single",
    "profile-protocol-options": "default",
    "ssl-ssh-profile": "certificate-inspection",
    "ips-sensor": "g-default",
    "application-list": "g-CF_APP_CONTROL",
    "logtraffic": "utm",
    "np-acceleration": "enable",
    "nat": "disable",
    "schedule": "always"
}
It was a simple boneheaded mistake. When making the Jinja template I cut out
"utm-status": "enable"
The call works just fine for POST and PUT operations for update. Lucky thing I didn't spend any time on upgrading firewalls or deploying test firewalls.
Hello aguerriero,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Have you tried this on the latest FortiGate version 7.6.3, as this could be an old bug?
Also, do you mean to update the firewall policy rule through the API with new profiles, or to modify the attached profiles' values?
Outside of that, you can try doing this through a CLI script that can be triggered as a workaround:
Solved: Restart Fortigate http/gui processes automatically... - Fortinet Community
Just as a note, on 7.6.3 the PUT for a firewall policy app or IPS change works. I used the nice API Preview option as well. By default the root VDOM is selected, so if needed add a query parameter that fixes this, as shown in the links below with the " ?format="name|comment" " parameter.
Using APIs | FortiGate / FortiOS 7.6.3 | Fortinet Document Library
As a note, when I send the full API request and not just the needed changes I saw a similar issue. Just send the config changes, or open a case.
That didn't work for me. I get a 200 response and nothing changed.
If you follow my two responses on 7.6.3: sending just the changes works, and sending the full config I get a 200 response and nothing is changed, like you did.
7.6 is still a feature release under evaluation and filled with bugs that would break our ZTNA and other things. I can't upgrade production to that until those bugs are corrected or we switch to a different ZTNA solution.
I switched to a python paramiko function and used a different jinja template.
Paramiko is not a bad option (SSH rather than the API), but did you try sending just the changes with Postman, or maybe with Terraform, as it will send only the changes since it keeps the state?
I have to pull data from multiple data sources like MySQL, Consul, PostgreSQL, Mongo, Vault, and other APIs. I need tighter control and error checking, so I use Python and the requests module. Postman and Terraform don't offer that.
I tried sending just the changes and full configurations. Neither worked. I came across a similar situation with load balancers, where you cannot set the load balance method on the first POST and it defaults to static, and I had to do a PUT for just the load balance method. So sending just the change was the first thing I tried.
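Two practical points come out of this thread: the accepted answer (profile attributes such as ips-sensor and application-list are silently ignored unless utm-status is enabled, while the API still returns 200), and the later advice to PUT only the changed attributes rather than the full policy. The following Python is an added example, not code from the original posts or from Fortinet: it lints a rendered policy body before it is sent, builds the minimal PUT body from a current and a desired policy, and checks a GET response to confirm the profiles were actually applied, since the HTTP status alone is not proof. The sample policy and the GET response shape are constructed for the example; the extra profile attribute names beyond those on the page (av-profile, webfilter-profile) are ordinary FortiOS policy attributes but are listed here as an assumption.

```python
import json

# Constructed sample of a rendered policy body, mirroring the thread's Jinja
# template output. Note that "utm-status" is absent, exactly the mistake the
# original poster found.
DESIRED_POLICY = {
    "policyid": 42,
    "status": "enable",
    "name": "example-policy",
    "srcintf": [{"name": "port1"}],
    "dstintf": [{"name": "port2"}],
    "action": "accept",
    "srcaddr": [{"name": "100.119.64.0_24"}],
    "dstaddr": [{"name": "all"}],
    "service": [{"name": "HTTPS"}],
    "profile-type": "single",
    "profile-protocol-options": "default",
    "ssl-ssh-profile": "certificate-inspection",
    "ips-sensor": "g-default",
    "application-list": "g-CF_APP_CONTROL",
    "logtraffic": "utm",
    "nat": "disable",
    "schedule": "always",
}

# Policy attributes that only take effect when utm-status is enabled.
# ips-sensor and application-list are from the thread; the other two are
# assumed additional UTM profile attributes of the same kind.
PROFILE_KEYS = ("ips-sensor", "application-list", "av-profile", "webfilter-profile")


def lint_policy(body):
    """Return a list of problems that would make the firewall accept the
    request with a 200 but silently drop part of it."""
    problems = []
    wanted = [k for k in PROFILE_KEYS if body.get(k)]
    if wanted and body.get("utm-status") != "enable":
        problems.append(
            'utm-status must be "enable" for %s to take effect' % ", ".join(wanted)
        )
    if wanted and body.get("action") != "accept":
        problems.append("security profiles only apply to accept policies")
    return problems


def minimal_update(current, desired):
    """Build a PUT body containing only attributes whose value differs from
    the policy currently on the firewall (the 'send just the changes' advice).
    Nested lists are compared as normalised JSON so key order does not matter."""
    def norm(v):
        return json.dumps(v, sort_keys=True)
    return {k: v for k, v in desired.items() if norm(current.get(k)) != norm(v)}


def verify_applied(get_response, desired, keys=PROFILE_KEYS):
    """Compare the policy returned by a follow-up GET with what was intended.
    Assumes the usual FortiOS REST envelope: {"results": [ {policy...} ], ...}.
    Returns a dict of {attribute: (expected, actual)} for every mismatch;
    an empty dict means the change really landed."""
    results = get_response.get("results") or []
    if not results:
        return {k: (desired.get(k), None) for k in keys if k in desired}
    actual = results[0]
    return {
        k: (desired[k], actual.get(k))
        for k in keys
        if k in desired and actual.get(k) != desired[k]
    }


if __name__ == "__main__":
    # Constructed walk-through of the thread's scenario.
    print("lint:", lint_policy(DESIRED_POLICY))
    fixed = dict(DESIRED_POLICY, **{"utm-status": "enable"})
    print("lint after fix:", lint_policy(fixed))
    on_box = dict(fixed, **{"ips-sensor": "default", "application-list": ""})
    print("PUT body:", json.dumps(minimal_update(on_box, fixed)))
    stale_get = {"http_status": 200, "status": "success", "results": [on_box]}
    print("mismatches:", verify_applied(stale_get, fixed))
```

In practice, run lint_policy on the rendered template before every request, PUT only what minimal_update returns, and treat a non-empty verify_applied result as a failure even when the firewall answered 200.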