Hi,
Does anyone have experience with the XML API?
I don't know why, but none of my requests can execute because I get the error "<errorCode>11</errorCode><errorMsg>No permission for the resource</errorMsg>".
This is what I did:
1) create user with super_admin profile
2) enable web service on interface
3) download wsdl from fortimanager
4) create a request to the URL https://fmgIP:8080/FortiManagerWSxml :
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:r20="http://r200806.ws.fmg.fortinet.com/">
<soapenv:Header/>
<soapenv:Body>
<r20:addCliGlobalSystemAdminUser>
<!--Optional:-->
<servicePass>
<!--Optional:-->
<userID>fmg</userID>
<!--Optional:-->
<password>fmg</password>
</servicePass>
<path>
<!--Optional:-->
<user>toto</user>
<!--Optional:-->
<option>?</option>
</path>
<!--1 or more repetitions:-->
<data>
<!--Zero or more repetitions:-->
<hidden>0</hidden>
<!--Zero or more repetitions:-->
<pager-number>?</pager-number>
<!--Zero or more repetitions:-->
<mobile-number>?</mobile-number>
<!--Zero or more repetitions:-->
<phone-number>?</phone-number>
<!--Zero or more repetitions:-->
<email-address>?</email-address>
<!--Zero or more repetitions:-->
<first-name>?</first-name>
<!--Zero or more repetitions:-->
<last-name>?</last-name>
<!--Optional:-->
<rpc-permit>none</rpc-permit>
<!--Optional:-->
<two-factor-auth>disable</two-factor-auth>
<!--Zero or more repetitions:-->
<ca>?</ca>
<!--Zero or more repetitions:-->
<subject>?</subject>
<!--Optional:-->
<force-password-change>disable</force-password-change>
<!--Zero or more repetitions:-->
<password-expire>?</password-expire>
<!--Zero or more repetitions:-->
<radius-group-match>?</radius-group-match>
<!--Optional:-->
<radius-adom-override>disable</radius-adom-override>
<!--Optional:-->
<radius-accprofile-override>disable</radius-accprofile-override>
<!--Optional:-->
<wildcard>disable</wildcard>
<!--Zero or more repetitions:-->
<ssh-public-key3>?</ssh-public-key3>
<!--Zero or more repetitions:-->
<ssh-public-key2>?</ssh-public-key2>
<!--Zero or more repetitions:-->
<ssh-public-key1>?</ssh-public-key1>
<!--Zero or more repetitions:-->
<group>?</group>
<!--Zero or more repetitions:-->
<tacacs-plus-server>?</tacacs-plus-server>
<!--Zero or more repetitions:-->
<ldap-server>?</ldap-server>
<!--Zero or more repetitions:-->
<radius_server>?</radius_server>
<!--Optional:-->
<user_type>local</user_type>
<!--Zero or more repetitions:-->
<description>?</description>
<!--Optional:-->
<restrict-access>disable</restrict-access>
<!--Zero or more repetitions:-->
<profileid>Restricted_User</profileid>
<!--Zero or more repetitions:-->
<ipv6_trusthost10>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost10>
<!--Zero or more repetitions:-->
<ipv6_trusthost9>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost9>
<!--Zero or more repetitions:-->
<ipv6_trusthost8>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost8>
<!--Zero or more repetitions:-->
<ipv6_trusthost7>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost7>
<!--Zero or more repetitions:-->
<ipv6_trusthost6>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost6>
<!--Zero or more repetitions:-->
<ipv6_trusthost5>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost5>
<!--Zero or more repetitions:-->
<ipv6_trusthost4>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost4>
<!--Zero or more repetitions:-->
<ipv6_trusthost3>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost3>
<!--Zero or more repetitions:-->
<ipv6_trusthost2>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost2>
<!--Zero or more repetitions:-->
<ipv6_trusthost1>::/0</ipv6_trusthost1>
<!--Zero or more repetitions:-->
<trusthost10>255.255.255.255 255.255.255.255</trusthost10>
<!--Zero or more repetitions:-->
<trusthost9>255.255.255.255 255.255.255.255</trusthost9>
<!--Zero or more repetitions:-->
<trusthost8>255.255.255.255 255.255.255.255</trusthost8>
<!--Zero or more repetitions:-->
<trusthost7>255.255.255.255 255.255.255.255</trusthost7>
<!--Zero or more repetitions:-->
<trusthost6>255.255.255.255 255.255.255.255</trusthost6>
<!--Zero or more repetitions:-->
<trusthost5>255.255.255.255 255.255.255.255</trusthost5>
<!--Zero or more repetitions:-->
<trusthost4>255.255.255.255 255.255.255.255</trusthost4>
<!--Zero or more repetitions:-->
<trusthost3>255.255.255.255 255.255.255.255</trusthost3>
<!--Zero or more repetitions:-->
<trusthost2>255.255.255.255 255.255.255.255</trusthost2>
<!--Zero or more repetitions:-->
<trusthost1>0.0.0.0 0.0.0.0</trusthost1>
<!--Optional:-->
<change-password>disable</change-password>
<!--Zero or more repetitions:-->
<password>titi</password>
<!--Zero or more repetitions:-->
<userid>?</userid>
<!--Zero or more repetitions:-->
<dashboard>
<!--Optional:-->
<diskio-period>1hour</diskio-period>
<!--Optional:-->
<diskio-content-type>util</diskio-content-type>
<!--Optional:-->
<time-period>1hour</time-period>
<!--Zero or more repetitions:-->
<num-entries>10</num-entries>
<!--Optional:-->
<res-cpu-display>average</res-cpu-display>
<!--Optional:-->
<res-period>10min</res-period>
<!--Optional:-->
<res-view-type>history</res-view-type>
<!--Optional:-->
<log-rate-period>?</log-rate-period>
<!--Optional:-->
<log-rate-topn>5</log-rate-topn>
<!--Optional:-->
<log-rate-type>device</log-rate-type>
<!--Optional:-->
<widget-type>?</widget-type>
<!--Zero or more repetitions:-->
<tabid>0</tabid>
<!--Optional:-->
<status>open</status>
<!--Zero or more repetitions:-->
<refresh-interval>300</refresh-interval>
<!--Zero or more repetitions:-->
<column>0</column>
<!--Zero or more repetitions:-->
<name>?</name>
<!--Zero or more repetitions:-->
<moduleid>0</moduleid>
</dashboard>
<!--Zero or more repetitions:-->
<dashboard-tabs>
<!--Zero or more repetitions:-->
<name>?</name>
<!--Zero or more repetitions:-->
<tabid>0</tabid>
</dashboard-tabs>
<!--Zero or more repetitions:-->
<meta-data>
<!--Zero or more repetitions:-->
<fieldvalue>?</fieldvalue>
<!--Optional:-->
<status>enabled</status>
<!--Optional:-->
<importance>optional</importance>
<!--Zero or more repetitions:-->
<fieldlength>0</fieldlength>
<!--Zero or more repetitions:-->
<fieldname>?</fieldname>
</meta-data>
<!--Zero or more repetitions:-->
<restrict-dev-vdom>
<!--Zero or more repetitions:-->
<dev-vdom>?</dev-vdom>
</restrict-dev-vdom>
<!--Zero or more repetitions:-->
<policy-package>
<!--Zero or more repetitions:-->
<policy-package-name>?</policy-package-name>
</policy-package>
<!--Zero or more repetitions:-->
<app-filter>
<!--Zero or more repetitions:-->
<app-filter-name>?</app-filter-name>
</app-filter>
<!--Zero or more repetitions:-->
<ips-filter>
<!--Zero or more repetitions:-->
<ips-filter-name>?</ips-filter-name>
</ips-filter>
<!--Zero or more repetitions:-->
<web-filter>
<!--Zero or more repetitions:-->
<web-filter-name>?</web-filter-name>
</web-filter>
<!--Zero or more repetitions:-->
<adom-exclude>
<!--Zero or more repetitions:-->
<adom-name>?</adom-name>
</adom-exclude>
<!--Zero or more repetitions:-->
<adom>
<!--Zero or more repetitions:-->
<adom-name>all_adoms</adom-name>
</adom>
</data>
<session>?</session>
</r20:addCliGlobalSystemAdminUser>
</soapenv:Body>
</soapenv:Envelope>
5) it returns this error:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns1="http://jaxb.dev.java.net/array" xmlns:ns3="http://r200806.ws.fmg.fortinet.com/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<ns3:addCliGlobalSystemAdminUserResponse>
<status>
<errorCode>11</errorCode>
<errorMsg>No permission for the resource</errorMsg>
</status>
</ns3:addCliGlobalSystemAdminUserResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Can anyone help me?
Lucas
Had the same issues...
You have to enable the user to log into the API
for using the XML-SOAP API:
config sys admin user
    edit scriptuser
        set rpc-permit read-write
end
I did not find it in the API Docs, but it is documented in the FortiManager CLI Reference.
Quite hard to find...
I tested with the legacy operation wsdl file and it works fine, so user/password and access to FMG are correct..
Are there some options to enable to be able to use requests other than the legacy operations?
Hi,
Yes, I already did that.. but same result...
Does it work for you with "rpc-permit read-write"?
Thanks
We were not able to use the API with a service account (remote user) even with rpc RW enabled. We ended up having to use the local admin account. So maybe try that?
Yes, this works for me with FMGR 5.4.2. I created a new scriptuser named scrusr.
I suppose assigning the "Super_User" profile
to the script user is necessary as well
(OK... I did not test without...)
config system admin user
    edit "scrusr"
        set password ENC <deleted>
        set profileid "Super_User"
        set adom "all_adoms"
        set policy-package "all_policy_packages"
        set description "Script User"
        config meta-data
            edit "Contact Email"
            next
            edit "Contact Phone"
            next
        end
        set rpc-permit read-write
        config dashboard
        ........<deleted>
        end
    next
end
For those that struggled with this: you need to use the execSysLoginUser operation to get a session code and then use it in all the following requests until it expires.
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:r20="http://r200806.ws.fmg.fortinet.com/">
<soapenv:Header/>
<soapenv:Body>
<r20:execSysLoginUser>
<data>
<user>user</user>
<passwd>password</passwd>
</data>
</r20:execSysLoginUser>
</soapenv:Body>
</soapenv:Envelope>
Response:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:ns1="http://jaxb.dev.java.net/array" xmlns:ns3="http://r200806.ws.fmg.fortinet.com/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<ns3:execSysLoginUserResponse>
<status>
<errorCode>0</errorCode>
<errorMsg>OK</errorMsg>
</status>
<session>e3zuodiMYmQIWzH36zT9+EVAFooHR8iYqUebs+94U68zORiAbkd4d6BqCr9ml9IMq3ymZtBa8pvVLjKjhEnx4g==</session>
</ns3:execSysLoginUserResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Then an example authenticated request would look like this:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:r20="http://r200806.ws.fmg.fortinet.com/">
<soapenv:Header/>
<soapenv:Body>
<r20:getSysStatus>
<session>e3zuodiMYmQIWzH36zT9+EVAFooHR8iYqUebs+94U68zORiAbkd4d6BqCr9ml9IMq3ymZtBa8pvVLjKjhEnx4g==</session>
</r20:getSysStatus>
</soapenv:Body>
</soapenv:Envelope>
Hope this helps someone
Avremy
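The two exchanges in this thread (the errorCode 11 "No permission for the resource" reply from the original question, and the execSysLoginUser login followed by a session-carrying getSysStatus call from the reply above) fit together into one small client flow. The script below is an added example, not code from the thread or from Fortinet: it builds the envelopes in the same shape as the ones posted, parses the <status> block of every reply, refuses to continue when the login is rejected (the error a user without rpc-permit gets), and otherwise reuses the <session> token. The transport is left to the caller as a hypothetical send(xml) callable; the replies embedded here are constructed samples with a placeholder token, not real FortiManager output.

```python
"""Added example, not from the forum thread or from Fortinet.

Builds FortiManager XML/SOAP envelopes in the shape quoted in the thread,
checks the <status> block of each reply, and carries the <session> token
returned by execSysLoginUser into later calls. The HTTP transport is an
assumed callable send(request_xml) -> response_xml supplied by the caller.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
FMG_NS = "http://r200806.ws.fmg.fortinet.com/"   # the r20 / ns3 prefix in the thread

# Error codes observed in the thread
ERR_OK = 0
ERR_NO_PERMISSION = 11   # "No permission for the resource": account lacks rpc-permit


def envelope(operation, body_xml):
    """Wrap an operation's child XML in the soapenv envelope used in the thread."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:r20="{FMG_NS}">'
        f"<soapenv:Header/><soapenv:Body><r20:{operation}>{body_xml}"
        f"</r20:{operation}></soapenv:Body></soapenv:Envelope>"
    )


def build_login_request(user, passwd):
    """execSysLoginUser request; values are XML-escaped so a password
    containing '<' or '&' cannot corrupt the envelope."""
    data = f"<data><user>{escape(user)}</user><passwd>{escape(passwd)}</passwd></data>"
    return envelope("execSysLoginUser", data)


def build_session_request(operation, session, body_xml=""):
    """Any later call carries the <session> token instead of credentials."""
    return envelope(operation, f"{body_xml}<session>{escape(session)}</session>")


def parse_status(response_xml):
    """Return (errorCode, errorMsg, session) from a FortiManager SOAP reply.
    session is None when the reply has no <session> element."""
    root = ET.fromstring(response_xml)
    # <status> sits unqualified under the ns3:<operation>Response element
    status = root.find(f".//{{{SOAP_NS}}}Body/*/status")
    if status is None:
        raise ValueError("reply carries no <status> block")
    code_text = status.findtext("errorCode")
    if code_text is None:
        raise ValueError("reply carries no <errorCode>")
    msg = status.findtext("errorMsg") or ""
    session = root.findtext(f".//{{{SOAP_NS}}}Body/*/session")
    return int(code_text), msg, session


def login(send, user, passwd):
    """Run execSysLoginUser through send() and return the session token.
    A non-zero errorCode stops the flow instead of sending more requests."""
    code, msg, session = parse_status(send(build_login_request(user, passwd)))
    if code == ERR_NO_PERMISSION:
        # The symptom from the original post: fix rpc-permit on the account
        raise PermissionError(f"errorCode {code}: {msg} (check 'set rpc-permit read-write')")
    if code != ERR_OK or not session:
        raise RuntimeError(f"login failed: errorCode {code}: {msg}")
    return session


# Constructed sample replies shaped like the ones quoted in the thread
# (placeholder token, not a real session).
LOGIN_OK = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}" xmlns:ns3="{FMG_NS}">
<SOAP-ENV:Header/><SOAP-ENV:Body>
<ns3:execSysLoginUserResponse>
<status><errorCode>0</errorCode><errorMsg>OK</errorMsg></status>
<session>EXAMPLE-SESSION-TOKEN</session>
</ns3:execSysLoginUserResponse>
</SOAP-ENV:Body></SOAP-ENV:Envelope>"""

NO_PERMISSION = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}" xmlns:ns3="{FMG_NS}">
<SOAP-ENV:Header/><SOAP-ENV:Body>
<ns3:execSysLoginUserResponse>
<status><errorCode>11</errorCode><errorMsg>No permission for the resource</errorMsg></status>
</ns3:execSysLoginUserResponse>
</SOAP-ENV:Body></SOAP-ENV:Envelope>"""


def fake_send_ok(request_xml):
    """Stand-in transport (constructed) that answers like an account with rpc-permit."""
    return LOGIN_OK


def fake_send_denied(request_xml):
    """Stand-in transport (constructed) that answers like the original poster's account."""
    return NO_PERMISSION


if __name__ == "__main__":
    token = login(fake_send_ok, "scrusr", "example-password")
    print(build_session_request("getSysStatus", token))
    try:
        login(fake_send_denied, "fmg", "fmg")
    except PermissionError as exc:
        print(exc)
```

In a real client, send() would POST the envelope to https://<fmgIP>:8080/FortiManagerWSxml and return the body; keeping the transport outside the parsing logic is what makes the errorCode handling testable offline.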