
Author
hklb
Gold Member
2017/03/03 05:57:00 (permalink)
0

XML API

Hi,
 
Does anyone have experience with the XML API?
 
I don't know why, but none of my requests are able to execute because I get the error "<errorCode>11</errorCode><errorMsg>No permission for the resource</errorMsg>".
 
This is what I did:
1) create user with super_admin profile
2) enable web service on interface
3) download wsdl from fortimanager
4) create a request like this, URL: https://fmgIP:8080/FortiManagerWSxml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:r20="http://r200806.ws.fmg.fortinet.com/">
   <soapenv:Header/>
   <soapenv:Body>
      <r20:addCliGlobalSystemAdminUser>
            <!--Optional:-->
         <servicePass>
            <!--Optional:-->
            <userID>fmg</userID>
            <!--Optional:-->
            <password>fmg</password>
         </servicePass>
         <path>
            <!--Optional:-->
            <user>toto</user>
            <!--Optional:-->
            <option>?</option>
         </path>
         <!--1 or more repetitions:-->
         <data>
            <!--Zero or more repetitions:-->
            <hidden>0</hidden>
            <!--Zero or more repetitions:-->
            <pager-number>?</pager-number>
            <!--Zero or more repetitions:-->
            <mobile-number>?</mobile-number>
            <!--Zero or more repetitions:-->
            <phone-number>?</phone-number>
            <!--Zero or more repetitions:-->
            <email-address>?</email-address>
            <!--Zero or more repetitions:-->
            <first-name>?</first-name>
            <!--Zero or more repetitions:-->
            <last-name>?</last-name>
            <!--Optional:-->
            <rpc-permit>none</rpc-permit>
            <!--Optional:-->
            <two-factor-auth>disable</two-factor-auth>
            <!--Zero or more repetitions:-->
            <ca>?</ca>
            <!--Zero or more repetitions:-->
            <subject>?</subject>
            <!--Optional:-->
            <force-password-change>disable</force-password-change>
            <!--Zero or more repetitions:-->
            <password-expire>?</password-expire>
            <!--Zero or more repetitions:-->
            <radius-group-match>?</radius-group-match>
            <!--Optional:-->
            <radius-adom-override>disable</radius-adom-override>
            <!--Optional:-->
            <radius-accprofile-override>disable</radius-accprofile-override>
            <!--Optional:-->
            <wildcard>disable</wildcard>
            <!--Zero or more repetitions:-->
            <ssh-public-key3>?</ssh-public-key3>
            <!--Zero or more repetitions:-->
            <ssh-public-key2>?</ssh-public-key2>
            <!--Zero or more repetitions:-->
            <ssh-public-key1>?</ssh-public-key1>
            <!--Zero or more repetitions:-->
            <group>?</group>
            <!--Zero or more repetitions:-->
            <tacacs-plus-server>?</tacacs-plus-server>
            <!--Zero or more repetitions:-->
            <ldap-server>?</ldap-server>
            <!--Zero or more repetitions:-->
            <radius_server>?</radius_server>
            <!--Optional:-->
            <user_type>local</user_type>
            <!--Zero or more repetitions:-->
            <description>?</description>
            <!--Optional:-->
            <restrict-access>disable</restrict-access>
            <!--Zero or more repetitions:-->
            <profileid>Restricted_User</profileid>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost10>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost10>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost9>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost9>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost8>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost8>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost7>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost7>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost6>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost6>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost5>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost5>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost4>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost4>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost3>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost3>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost2>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128</ipv6_trusthost2>
            <!--Zero or more repetitions:-->
            <ipv6_trusthost1>::/0</ipv6_trusthost1>
            <!--Zero or more repetitions:-->
            <trusthost10>255.255.255.255 255.255.255.255</trusthost10>
            <!--Zero or more repetitions:-->
            <trusthost9>255.255.255.255 255.255.255.255</trusthost9>
            <!--Zero or more repetitions:-->
            <trusthost8>255.255.255.255 255.255.255.255</trusthost8>
            <!--Zero or more repetitions:-->
            <trusthost7>255.255.255.255 255.255.255.255</trusthost7>
            <!--Zero or more repetitions:-->
            <trusthost6>255.255.255.255 255.255.255.255</trusthost6>
            <!--Zero or more repetitions:-->
            <trusthost5>255.255.255.255 255.255.255.255</trusthost5>
            <!--Zero or more repetitions:-->
            <trusthost4>255.255.255.255 255.255.255.255</trusthost4>
            <!--Zero or more repetitions:-->
            <trusthost3>255.255.255.255 255.255.255.255</trusthost3>
            <!--Zero or more repetitions:-->
            <trusthost2>255.255.255.255 255.255.255.255</trusthost2>
            <!--Zero or more repetitions:-->
            <trusthost1>0.0.0.0 0.0.0.0</trusthost1>
            <!--Optional:-->
            <change-password>disable</change-password>
            <!--Zero or more repetitions:-->
            <password>titi</password>
            <!--Zero or more repetitions:-->
            <userid>?</userid>
            <!--Zero or more repetitions:-->
            <dashboard>
               <!--Optional:-->
               <diskio-period>1hour</diskio-period>
               <!--Optional:-->
               <diskio-content-type>util</diskio-content-type>
               <!--Optional:-->
               <time-period>1hour</time-period>
               <!--Zero or more repetitions:-->
               <num-entries>10</num-entries>
               <!--Optional:-->
               <res-cpu-display>average</res-cpu-display>
               <!--Optional:-->
               <res-period>10min</res-period>
               <!--Optional:-->
               <res-view-type>history</res-view-type>
               <!--Optional:-->
               <log-rate-period>?</log-rate-period>
               <!--Optional:-->
               <log-rate-topn>5</log-rate-topn>
               <!--Optional:-->
               <log-rate-type>device</log-rate-type>
               <!--Optional:-->
               <widget-type>?</widget-type>
               <!--Zero or more repetitions:-->
               <tabid>0</tabid>
               <!--Optional:-->
               <status>open</status>
               <!--Zero or more repetitions:-->
               <refresh-interval>300</refresh-interval>
               <!--Zero or more repetitions:-->
               <column>0</column>
               <!--Zero or more repetitions:-->
               <name>?</name>
               <!--Zero or more repetitions:-->
               <moduleid>0</moduleid>
            </dashboard>
            <!--Zero or more repetitions:-->
            <dashboard-tabs>
               <!--Zero or more repetitions:-->
               <name>?</name>
               <!--Zero or more repetitions:-->
               <tabid>0</tabid>
            </dashboard-tabs>
            <!--Zero or more repetitions:-->
            <meta-data>
               <!--Zero or more repetitions:-->
               <fieldvalue>?</fieldvalue>
               <!--Optional:-->
               <status>enabled</status>
               <!--Optional:-->
               <importance>optional</importance>
               <!--Zero or more repetitions:-->
               <fieldlength>0</fieldlength>
               <!--Zero or more repetitions:-->
               <fieldname>?</fieldname>
            </meta-data>
            <!--Zero or more repetitions:-->
            <restrict-dev-vdom>
               <!--Zero or more repetitions:-->
               <dev-vdom>?</dev-vdom>
            </restrict-dev-vdom>
            <!--Zero or more repetitions:-->
            <policy-package>
               <!--Zero or more repetitions:-->
               <policy-package-name>?</policy-package-name>
            </policy-package>
            <!--Zero or more repetitions:-->
            <app-filter>
               <!--Zero or more repetitions:-->
               <app-filter-name>?</app-filter-name>
            </app-filter>
            <!--Zero or more repetitions:-->
            <ips-filter>
               <!--Zero or more repetitions:-->
               <ips-filter-name>?</ips-filter-name>
            </ips-filter>
            <!--Zero or more repetitions:-->
            <web-filter>
               <!--Zero or more repetitions:-->
               <web-filter-name>?</web-filter-name>
            </web-filter>
            <!--Zero or more repetitions:-->
            <adom-exclude>
               <!--Zero or more repetitions:-->
               <adom-name>?</adom-name>
            </adom-exclude>
            <!--Zero or more repetitions:-->
            <adom>
               <!--Zero or more repetitions:-->
               <adom-name>all_adoms</adom-name>
            </adom>
         </data>
         <session>?</session>
      </r20:addCliGlobalSystemAdminUser>
   </soapenv:Body>
</soapenv:Envelope>

5) it returns this error:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns1="http://jaxb.dev.java.net/array" xmlns:ns3="http://r200806.ws.fmg.fortinet.com/">
   <SOAP-ENV:Header/>
   <SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <ns3:addCliGlobalSystemAdminUserResponse>
         <status>
            <errorCode>11</errorCode>
            <errorMsg>No permission for the resource</errorMsg>
         </status>
      </ns3:addCliGlobalSystemAdminUserResponse>
   </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

 
Can anyone help me?
 
Lucas
#1
hklb
Gold Member
Re: XML API 2017/03/03 07:03:48 (permalink)
0
I tested with the legacy operation WSDL file and it works fine, so the user/password and access to FMG are correct.
 
Are there some options to enable in order to be able to use requests other than the legacy operations?
 
 
#2
ffischer
New Member
Re: XML API 2017/03/09 04:44:13 (permalink) (marked Helpful by ede_pfau 2017/03/09 05:40:18)
5 (1)
I had the same issues...
 
You have to enable the user logging into the API in order to use the XML-SOAP API..
 
config sys admin user
  edit scriptuser
    set rpc-permit read-write
end
 
I did not find it in the API docs, but it is documented in the FortiManager CLI Reference.
Quite hard to find...
 
 
#3
hklb
Gold Member
Re: XML API 2017/03/09 08:04:41 (permalink)
0
Hi,
 
Yes, I already did that... but same result...
 
Does it work for you with "rpc-permit read-write"?
 
Thanks
#4
ergotherego
Gold Member
Re: XML API 2017/03/09 19:16:12 (permalink)
0
We were not able to use the API with a service account (remote user) even with rpc RW enabled. We ended up having to use the local admin account. So maybe try that?
#5
ffischer
New Member
Re: XML API 2017/03/13 03:37:11 (permalink)
0
Yes, this works for me with FMGR 5.4.2.
I created a new script user named scrusr.
I suppose assigning the "Super_User" profile to the script user is necessary as well
(OK... I did not test without...)
 
config system admin user
    edit "scrusr"
        set password ENC <deleted>
        set profileid "Super_User"
            set adom "all_adoms"
            set policy-package "all_policy_packages"
        set description "Script User"
            config meta-data
                edit "Contact Email"
                next
                edit "Contact Phone"
                next
            end
        set rpc-permit read-write
            config dashboard
               ........<deleted>
            end
    next
end
#6
avremy
New Member
Re: XML API 2019/07/16 04:15:24 (permalink)
0
For those who struggled with this: you need to use the execSysLoginUser operation to get a session code and then use it in all the following requests until it expires.
request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:r20="http://r200806.ws.fmg.fortinet.com/">
<soapenv:Header/>
<soapenv:Body>
  <r20:execSysLoginUser>
    <data>
      <user>user</user>
      <passwd>password</passwd>
    </data>
  </r20:execSysLoginUser>
</soapenv:Body>
</soapenv:Envelope>

 
response:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                   xmlns:ns1="http://jaxb.dev.java.net/array" xmlns:ns3="http://r200806.ws.fmg.fortinet.com/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <ns3:execSysLoginUserResponse>
    <status>
      <errorCode>0</errorCode>
      <errorMsg>OK</errorMsg>
    </status>
    <session>e3zuodiMYmQIWzH36zT9+EVAFooHR8iYqUebs+94U68zORiAbkd4d6BqCr9ml9IMq3ymZtBa8pvVLjKjhEnx4g==</session>
  </ns3:execSysLoginUserResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

 
Then an example authenticated request would look like this:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:r20="http://r200806.ws.fmg.fortinet.com/">
   <soapenv:Header/>
   <soapenv:Body>
      <r20:getSysStatus>
         <session>e3zuodiMYmQIWzH36zT9+EVAFooHR8iYqUebs+94U68zORiAbkd4d6BqCr9ml9IMq3ymZtBa8pvVLjKjhEnx4g==</session>
      </r20:getSysStatus>
   </soapenv:Body>
</soapenv:Envelope>

 
Hope this helps someone 
Avremy
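The login-then-session flow from this post, together with the errorCode 11 reply from the first post, as a small Python client. This is an added example, not code from the thread or from Fortinet; it assumes only the operation names and namespaces shown in the posts, and the replies it parses are constructed for offline use, not captured from a device.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
FMG_NS = "http://r200806.ws.fmg.fortinet.com/"   # namespace used in the thread's requests

def envelope(body_xml: str) -> str:
    """Wrap one operation element in a SOAP 1.1 envelope with the thread's prefixes."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:r20="{FMG_NS}">'
            f"<soapenv:Header/><soapenv:Body>{body_xml}</soapenv:Body></soapenv:Envelope>")

def login_request(user: str, passwd: str) -> str:
    """execSysLoginUser request. Credentials are XML-escaped so a password containing
    '<' or '&' cannot break (or alter) the document."""
    return envelope(f"<r20:execSysLoginUser><data><user>{escape(user)}</user>"
                    f"<passwd>{escape(passwd)}</passwd></data></r20:execSysLoginUser>")

def session_request(operation: str, session: str) -> str:
    """Any later operation (e.g. getSysStatus) carries the <session> token from the login."""
    return envelope(f"<r20:{operation}><session>{escape(session)}</session></r20:{operation}>")

def check_response(xml_text: str) -> dict:
    """Parse an FMG SOAP reply into errorCode/errorMsg/session and raise on failure.
    errorCode 11 ('No permission for the resource') is the case from this thread; the
    CLI fix discussed is 'set rpc-permit read-write' on the admin user. The <status>
    children are unqualified in FMG replies, so a plain descendant search finds them.
    For replies from an untrusted peer, parse with defusedxml instead of ElementTree."""
    root = ET.fromstring(xml_text)
    code, msg, sess = (root.find(f".//{t}") for t in ("errorCode", "errorMsg", "session"))
    if code is None or msg is None:
        raise ValueError("response carries no <status> block")
    result = {"errorCode": int(code.text), "errorMsg": msg.text,
              "session": sess.text if sess is not None else None}
    if result["errorCode"] == 11:
        raise PermissionError("rpc-permit is not set to read-write for this admin user")
    if result["errorCode"] != 0:
        raise RuntimeError(f"FMG error {result['errorCode']}: {result['errorMsg']}")
    return result

def sample_response(code: int, msg: str, session: str = "") -> str:
    """Constructed FMG-style reply (not captured from a device) for offline testing."""
    sess = f"<session>{session}</session>" if session else ""
    return (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}" xmlns:ns3="{FMG_NS}"><SOAP-ENV:Body>'
            f"<ns3:execSysLoginUserResponse><status><errorCode>{code}</errorCode>"
            f"<errorMsg>{msg}</errorMsg></status>{sess}</ns3:execSysLoginUserResponse>"
            "</SOAP-ENV:Body></SOAP-ENV:Envelope>")

if __name__ == "__main__":
    token = check_response(sample_response(0, "OK", "PLACEHOLDER_TOKEN=="))["session"]
    print(session_request("getSysStatus", token))   # the token is a bearer credential: never log it
```

The session token stands in for the password on every later call, so it deserves the same handling (HTTPS with certificate verification, no logging, discard on logout or expiry).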