Rest api usage

Page: < 12 Showing page 2 of 2
Irfan Pathan
Re: Rest api usage 2019/08/10 10:11:14 (permalink)
0
Hi,
Create an API user; you will get an API key token.
Then:
curl -k "https://<deviceipaddress>/api/v2/cmdb/firewall/address?vdom=root&access_token=<apikeytokenhere>"
#21
nbctcp
Re: Rest api usage 2019/11/19 10:11:49 (permalink)
0
 
SW INFO:
-fortigate version
Version: FortiGate-VM64-KVM v6.2.1,build0932,190716 (GA)
 
CONFIG:
# show system api-user
config system api-user
edit "api-admin"
set api-key ENC SH2PPzcc9QjwfKbZt65EU5ufPXSGvnazXmEJatKySDyFiAUjmbEk0ZEKRbXG2Q=
set accprofile "super_admin"
set vdom "root"
config trusthost
edit 1
set ipv4-trusthost 10.0.1.70 255.255.255.255
next
end
next
end
 
PROBLEMS:
# curl -k http://10.0.1.51/api/v2/c...x4gwhH53jb551QrbQwkG58
[1] 28518
root@eve-ng:~# <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>401 Authorization Required</TITLE>
</HEAD><BODY>
<H1>Authorization Required</H1>
This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.<P>
<P>Additionally, a 401 Authorization Required
error was encountered while trying to use an ErrorDocument to handle the request.
</BODY></HTML>
 
QUESTIONS:
1. I got the above error with this config, although I am using the super_admin profile.
What's wrong with my steps?
In curl, I can only use http because I am using a trial license.
 
tq
#22
emnoc
Re: Rest api usage 2019/11/19 12:28:58 (permalink)
0
Pass the header in the header field.
 
https://socpuppet.blogspot.com/2019/09/howto-use-fortios-apiuser.html
 
Header set with curl and "-H" option, this is required.
 
"Authorization: Bearer 6qQyk7Q3Hpz8k6z74161xG0Q5GNkpn" 
 
BTW, I'm like 100% sure the API will not work over HTTP, but double-check. In real life nobody will send credentials over unsecured HTTP.
 
Ken Felix
 
 
#23
Jordan_Thompson_FTNT
Re: Rest api usage 2019/11/19 12:44:04 (permalink)
0
emnoc
 
BTW, I'm like 100% sure the API will not work over HTTP, but double-check. In real life nobody will send credentials over unsecured HTTP.

 
This is correct - API keys can only be used over HTTPS.
#24
nbctcp
Re: Rest api usage 2019/11/21 05:03:56 (permalink)
0
@emnoc
I am following your way, but I still got error 403.
Here are my steps:

STEPS TAKEN
https://github.com/Nevets82/Posh-FortiGate
config system accprofile
    edit "readonly_admin"
        set mntgrp read
        set admingrp read
        set updategrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set routegrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wanoptgrp read
        set endpoint-control-grp read
        set wifi read
    next
end
 
config system admin
        edit readonly_user
        set trusthost1 192.168.88.70 255.255.255.255
        set accprofile readonly_admin
        set comments "User for PowerShell backup and troubleshooting tasks"
        set vdom root
        set password P@ssw0rd
    next
end
 
config system api-user
   edit api-readonly_user
   set accprofile readonly_admin
   set vdom root
   config trusthost
   edit 1
   set ipv4-trusthost 192.168.88.70 255.255.255.255
   end
end
 
# execute api-user generate-key api-readonly_user
New API key: mrfQbbhnwsp39HQmtkjw4N6HxyNgmm
NOTE: The bearer of this API key will be granted all access privileges assigned to the api-user api-admin.
 
# cat fortibackup.sh
#!/bin/bash
IP=192.168.88.41
TOKEN=mrfQbbhnwsp39HQmtkjw4N6HxyNgmm
D=`date +%F_%T`
curl -k -o $IP-$D.conf -H "Authorization: Bearer $TOKEN" "https://$IP/api/v2/monitor/system/config/backup/?scope=global&access_token=$TOKEN"
exit
 
PROBLEMS:
# ./fortibackup.sh
# cat 192.168.88.41-2019-11-21_14\:58\:15.conf
{
  "http_method":"GET",
  "status":"error",
  "http_status":403,
  "vdom":"root",
  "path":"system",
  "name":"config",
  "action":"backup",
  "serial":"FGT80C3909631394",
  "version":"v5.6.3",
  "build":1547
}
 
QUESTIONS:
  1. I still got a 403 error code.
Which steps am I missing?
 
tq
 
#25
oheigl
Re: Rest api usage 2019/11/21 06:10:50 (permalink) Helpful by nbctcp 2019/11/21 09:06:30
0
Hi,
 
remove the GET parameter, it's not needed if you pass the API key via the header:
curl -k -o $IP-$D.conf -H "Authorization: Bearer $TOKEN" "https://$IP/api/v2/monitor/system/config/backup?scope=global"

 
Also you can have a look at the debug on the FortiGate (connect via SSH since GUI is also making API requests):
 
diag debug application httpsd -1
diag debug enable

 
And please upgrade your firmware version; in 5.6.3 everything could be a bug.
#26
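A hardened variant of the backup call discussed above, as an added example that is not any poster's script. It sends the token only in the Authorization header, replaces `-k` with a CA bundle, and refuses to save an error body as a `.conf` file, which is what happened with the 403 response earlier in the thread. The variable names `FGT_HOST`, `FGT_TOKEN_FILE` and `FGT_CA` are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. FGT_HOST, FGT_TOKEN_FILE and FGT_CA are
# assumed variable names; the endpoint is the one used in the posts above.

# Classify a download. $1 = HTTP status, $2 = body file.
# Prints a verdict; returns 0 only for a usable backup.
check_backup() {
    status=$1
    body=$2
    if [ "$status" != "200" ]; then
        echo "http-$status"; return 1
    fi
    if [ ! -s "$body" ]; then
        echo "empty"; return 1
    fi
    # Extra guard: reject a body shaped like the JSON error quoted in the thread.
    if grep -q '"status"[[:space:]]*:[[:space:]]*"error"' "$body"; then
        echo "api-error"; return 1
    fi
    echo "ok"
}

# Fetch the backup. The token is read from a file (keep it mode 600) and passed
# to curl as a config line on stdin (-K -), so it stays out of the URL and argv.
fetch_backup() {
    host=$1 token_file=$2 ca=$3 out=$4
    tmp=$(mktemp) || return 1
    status=$(printf 'header = "Authorization: Bearer %s"\n' "$(cat "$token_file")" |
        curl -sS -K - --cacert "$ca" -o "$tmp" -w '%{http_code}' \
            "https://$host/api/v2/monitor/system/config/backup?scope=global") ||
        status=000
    if verdict=$(check_backup "$status" "$tmp"); then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        echo "backup rejected: $verdict" >&2
        return 1
    fi
}

# Runs only when the assumed environment variables are set.
if [ -n "${FGT_HOST:-}" ]; then
    fetch_backup "$FGT_HOST" "$FGT_TOKEN_FILE" "$FGT_CA" \
        "$FGT_HOST-$(date +%F_%H%M%S).conf"
fi
```

A non-zero exit from `fetch_backup` means no file was written, so a scheduled job can alert on it instead of silently archiving an error page.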
nbctcp
Re: Rest api usage 2019/11/21 09:15:03 (permalink)
0
You are correct, guru.
1. Modify accprofile mntgrp
-turn on debug
diag debug application httpsd -1
diag debug enable
I can see the maintenance group complaining about write permission
-modify

config system accprofile
    edit "readonly_admin"
        set mntgrp read
change to
config system accprofile
    edit "readonly_admin"
        set mntgrp read-write
 
2. modify this
curl  -k -o $IP-$D.conf  -H  "Authorization: Bearer $TOKEN" "https://$IP/api/v2/monitor/system/config/backup/?scope=global"
 
RESULT:
1. I can get the config, but not the full config.
I know this because the full config is usually 500kb, while this is 125kb.
 
QUESTIONS:
1. How do I get the full config?
#27
oheigl
Re: Rest api usage 2019/11/21 09:47:20 (permalink)
0
I don't think it's possible, because you can't even select something like that via the GUI, only via CLI.
 
But the full configuration just adds all the default values, so it's not useful anyway, or what would you like to achieve?
#28
nbctcp
Re: Rest api usage 2019/11/21 10:11:52 (permalink)
0
Full configuration is useful in case I need to keep my public key.
The public key won't appear in the standard config.
Unless I need to take note of which Fortigate has a public key and what the key is
 
QUESTIONS:
1. Besides the public key, in what case do I actually need full-config?
I am curious why full-config was created.
There must be a reason for that.
2. Can I restore using full-config?
tq
#29
oheigl
Re: Rest api usage 2019/11/21 10:19:25 (permalink)
5 (1)
I just tried a configuration backup and the certificate with the public and private key is in there, without a full configuration. The full configuration is useful to check if default values have changed or something like that, but other than that I can't see a reason why you would need it. Maybe in older FortiOS versions the keys weren't backed up, can't remember exactly.
 
Kind regards
#30
nbctcp
Re: Rest api usage 2019/11/21 10:43:51 (permalink)
0
Yes, you were right again.
After testing myself, I can see the public key appear in the standard config.
Sorry for my mistaken statement.
 
QUESTIONS:
1. What is the reason an admin would choose to back up using the API instead of using ssh?
 
STEPS:
config system admin
edit "admin"
set accprofile "super_admin"
set vdom "root"
set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAhgCSKwiNYG7YDE0QUm2mefS8oq89dvms1+ArW/vRZ2j2AIl9a/NRMIK7whvUstVWD60HVWcGAlzpIYnCMZm3d82xifCJgSsi2QamWKzvHG27EPmn2KmXJTFdINcvK60tih89ebxGN3sPX3nv/LlyX5p3gmvcGyW019ipTEo5zFN0aMYSrkg5Xiuw3xFZhGYgNxRpSLNf1IwGcacTq+XMx58kic1QRNEnqgUrmIM1ODLpfaWm3ecq6NVTfa2UcIjPQXaweFpEgtViN5rtOi+z0oE7wm1RpbA+bM6vHeJHlBsigFqa/0Z9EY2DXtYwCM+IYzgXWF6zxtloAixDQrqi3w=="
set password ENC SH2Ywn7CB5xxWby6HnrxVenKMvR5fb1wSqSSHEkt2KChtXxZR8X7TB0er5JQEY=
next
end
 
# execute backup config tftp fgt.cfg 192.168.88.10
I can see fgt.cfg has the public key
config system admin
edit "admin"
set accprofile "super_admin"
set vdom "root"
set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAhgCSKwiNYG7YDE0QUm2mefS8oq89dvms1+ArW/vRZ2j2AIl9a/NRMIK7whvUstVWD60HVWcGAlzpIYnCMZm3d82xifCJgSsi2QamWKzvHG27EPmn2KmXJTFdINcvK60tih89ebxGN3sPX3nv/LlyX5p3gmvcGyW019ipTEo5zFN0aMYSrkg5Xiuw3xFZhGYgNxRpSLNf1IwGcacTq+XMx58kic1QRNEnqgUrmIM1ODLpfaWm3ecq6NVTfa2UcIjPQXaweFpEgtViN5rtOi+z0oE7wm1RpbA+bM6vHeJHlBsigFqa/0Z9EY2DXtYwCM+IYzgXWF6zxtloAixDQrqi3w=="
set password ENC SH2Ywn7CB5xxWby6HnrxVenKMvR5fb1wSqSSHEkt2KChtXxZR8X7TB0er5JQEY=
next
end
 
post edited by nbctcp - 2019/11/21 10:46:48
#31
emnoc
Re: Rest api usage 2019/11/21 11:13:48 (permalink)
0
Either method is good; the API is better in that ssh pub/key and key checking is not mandatory if you access via the HTTPS and API interface.
 
Ken Felix

#32