Support Forum
aguerriero
Contributor III

Set app control or ips in firewall via API does not work 7.2.12

The below code works for both a GET and a PUT, and I get back status 200. The issue I have is that nothing in application-list or ips-sensor gets created on POST or updated on PUT.

If I create the policy, then add the IPS and APP through the web UI to something, and then run the PUT, it doesn't update the values. In all cases I get a status 200.

{
  "policyid": "{{ rule_id }}",
  "status": "enable",
  "name": "{{ rule_name }}",
  "srcintf": [
    {% for iface in srcintf %}
    { "name": "{{ iface.name }}" }{% if not loop.last %},{% endif %}
    {% endfor %}
  ],
  "dstintf": [
    {% for iface in dstintf %}
    { "name": "{{ iface.name }}" }{% if not loop.last %},{% endif %}
    {% endfor %}
  ],
  "action": "accept",
  "srcaddr": [
    {
    "name": "100.119.64.0_24"
    }
  ],
  "dstaddr": [
    {% for addr in ip_address %}
    { "name": "{{ addr.name }}" }{% if not loop.last %},{% endif %}
    {% endfor %}
  ],
  "service": [
    {% for svc in service %}
    { "name": "{{ svc.name }}" }{% if not loop.last %},{% endif %}
    {% endfor %}
  ],
  "http-policy-redirect": "disable",
  "ssh-policy-redirect": "disable",
  "ztna-policy-redirect": "disable",
  "profile-type": "single",
  "profile-protocol-options": "default",
  "ssl-ssh-profile": "certificate-inspection",
  "ips-sensor": "g-default",
  "application-list": "g-CF_APP_CONTROL",
  "logtraffic": "utm",
  "np-acceleration": "enable",
  "nat": "disable",
  "schedule": "always"
}
1 Solution
aguerriero
Contributor III

It was a simple boneheaded mistake. When making the Jinja template I cut out

"utm-status": "enable"

The call works just fine for POST and PUT operations for update. Lucky thing I didn't spend any time on upgrading firewalls or deploying test firewalls. 

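An added check for the failure mode in this thread (an HTTP 200 that applies nothing), written as example code rather than anything from the original post or from Fortinet: it lints the rendered policy payload for UTM profile keys that only take effect when utm-status is enabled, and diffs the fields that were sent against the policy object returned by a follow-up GET. The two sample dicts are constructed, and UTM_PROFILE_KEYS lists only the two keys this thread names.

```python
from typing import Any, Dict, List

# Keys from the thread's payload whose value is only honoured when
# "utm-status" is "enable" (the key that was missing from the template).
UTM_PROFILE_KEYS = ("ips-sensor", "application-list")


def lint_policy_payload(policy: Dict[str, Any]) -> List[str]:
    """Findings for a rendered firewall-policy payload, before it is sent."""
    findings = []
    referenced = [k for k in UTM_PROFILE_KEYS if policy.get(k)]
    if referenced and policy.get("utm-status") != "enable":
        findings.append(
            f"{', '.join(referenced)} set but utm-status is not 'enable'; "
            "the FortiGate accepts the call (200) and leaves the profiles unset"
        )
    return findings


def verify_applied(desired: Dict[str, Any], actual: Dict[str, Any]) -> List[str]:
    """Compare the fields we sent with the policy object a GET returns afterwards.

    Pass the single policy dict taken from the GET response, not the envelope.
    Member tables (srcintf, dstaddr, service, ...) are compared by "name".
    """
    mismatches = []
    for key, want in desired.items():
        if key == "policyid":
            continue
        got = actual.get(key)
        if isinstance(want, list):
            want_names = sorted(m["name"] for m in want)
            got_names = sorted(m.get("name", "") for m in (got or []))
            if want_names != got_names:
                mismatches.append(f"{key}: sent {want_names}, device has {got_names}")
        elif str(got) != str(want):
            mismatches.append(f"{key}: sent {want!r}, device has {got!r}")
    return mismatches


# Constructed sample: the thread's template rendered without "utm-status",
# and what the same policy looked like on the device after the PUT returned 200.
SENT = {"policyid": 42, "name": "example-rule", "action": "accept",
        "profile-type": "single", "ssl-ssh-profile": "certificate-inspection",
        "ips-sensor": "g-default", "application-list": "g-CF_APP_CONTROL",
        "srcintf": [{"name": "port1"}]}
ON_DEVICE = {**SENT, "utm-status": "disable", "ips-sensor": "", "application-list": ""}

if __name__ == "__main__":
    for line in lint_policy_payload(SENT) + verify_applied(SENT, ON_DEVICE):
        print("FINDING:", line)
```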
14 REPLIES
filiaks1

Maybe just download a trial FortiGate 7.4.8 and test; as I mentioned, on 7.6.3 the partial API update works :)

aguerriero

There isn't any need. Whether it works on 7.4.X or 7.6.X, it isn't a valid workaround or solution. I have over 1000 FortiGates in my company's asset list, and upgrading them to make a single API call work, while potentially introducing bugs into production systems, is a non-starter.

I already implemented a valid SSH workaround. If one of the members or staff has a valid 7.2.X API solution, that is the preferred path. 

If one of the staff recommends I open a ticket I will link this thread in the ticket so the help desk engineer can read it before attempting any screen sharing or debug collections for their engineers to look at. 

filiaks1

While you wait for the staff recommendations (as I am, like you, a user), maybe leverage FortiManager; it could help with managing those 1000 firewalls, and the bug might not be there. Also, at some point when you have to upgrade, it will help with upgrading many firewalls.

Using FortiManager API - Fortinet Community

For a big customer you probably leverage https://fndn.fortinet.net/index.php; for API issues it could be a better place, so just contact your sales and account managers from Fortinet to give you access.

filiaks1
Contributor II

Some extra info while you wait for the staff recommendations, as I also play with the API for my own needs: I saw a mistake when I was copying from the API preview, as Fortinet seems to have made this for the hidden endpoint "/jsonrpc" that should not be used directly :) If I copy just the JSON in the data object, even if it is not only the changes, it works fine, so on newer versions it is ok.

From the picture below, I need to copy only the things in "data" when I click copy to clipboard.

Screenshot 2025-07-05 220615.png

For your version, maybe see the old way of authentication with X-CSRFToken, which can be collected from "/logincheck?username=admin&secretkey=xxxxx" with a POST request and an empty JSON body, as it is a cookie that you then use as a header value for X-CSRFToken. Forti also has the way at Authentication | FortiPortal 7.2.0 | Fortinet Document Library, but it seems worse to me; and who knows, maybe that will be a workaround for you, as maybe the new API token option still has issues on your version.
