- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Authentication FortiAnalyzer API
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Authentication FortiAnalyzer API
Hi all,
I am trying to fetch raw logs using the FortiAnalyzer SOAP API and the searchFazLog API method, but I am unable to authenticate: I keep getting the -101 error code and "Invalid user/password or adom" error message. I have tried authenticating using local account credentials as wel as a domain account credentials, both without any success (these creds work when logging in via the web interface). I have also tried adding the HTTP basic authentication header, no game unfortunately.
We are currently using FAZ 5.2 (https://docs.fortinet.com/uploaded/files/2091/fortianalyzer_admin_520.pdf)
Here is the example of my request and the response: [link]https://pastebin.com/Tr57D2Lv[/link]
Can anybody point me in the right direction, as I'm sure I'm missing something trivial.
Cheers,
deacs
Solved! Go to Solution.
Labels:
- Labels:
-
5.2
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
brazz@fortinet.com wrote:So I assume we need to have a Super_Admin profile to perform this task.
Confirmed! The user must be a Super_Admin to be able to authenticate using the FAZ API.
Fantastic, I finally know what's potting. Thanks a million for your guys' help!
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi deacs
I haven't tested with FAZ 5.2 (only 6.0), but I can only get this error, if I deliberately put wrong user credentials into the request.
I'm using a local user with super_user admin profile for all ADOMs in my setup.
I checked whether "set rpc-permit read" needs to be set for the user in CLI (config system admin user), but that's not the case for the SOAP API.
Regards,
Gabe
Gabriel Kälin, Systems Engineer
Fortinet | Riedmühlestr. 8 | 8305 Dietlikon | Switzerland | E: gkaelin@fortinet.com | T: +41 79 882 80 98
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
I do not have any access to 5.2.0 yet , but I just did a test with my devices (6.0.2) and I got below result.
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:r20="http://r200806.ws.fmg.fortinet.com/">
<soapenv:Header/>
<soapenv:Body>
<r20:searchFazLog>
<!--Optional:-->
<servicePass>
<!--Optional:-->
<userID>admin</userID>
<!--Optional:-->
<password></password>
</servicePass>
<!--Optional:-->
<adom>test</adom>
<!--Optional:-->
<content>logs</content>
<!--Optional:-->
<format>rawFormat</format>
<!--Optional:-->
<deviceName></deviceName>
<!--Optional:-->
<vdom></vdom>
<logType>traffic</logType>
<!--Optional:-->
<searchCriteria></searchCriteria>
<maxNumMatches>30</maxNumMatches>
<startIndex>1</startIndex>
<checkArchive>0</checkArchive>
<!--Optional:-->
<DLPArchiveType>0</DLPArchiveType>
<!--Optional:-->
<compression>tar</compression>
</r20:searchFazLog>
</soapenv:Body>
</soapenv:Envelope>
Result:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns1="http://jaxb.dev.java.net/array" xmlns:ns3="http://r200806.ws.fmg.fortinet.com/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<ns3:searchFazLogResponse>
<errorMsg>
<errorCode>0</errorCode>
<errorMsg>searchFazLog successfully</errorMsg>
</errorMsg>
<totalResultsFound>300</totalResultsFound>
<matchesReturned>30</matchesReturned>
<startIndex>1</startIndex>
<logs>
<data>
<logEntry>date=2018-10-04 time=15:02:29 idseq=245935346670370822 bid=53641921 dvid=1463 itime=1538690910 euid=3 epid=150290 dsteuid=0 dstepid=150291 logflag=3 logver=60 proto=6 vrf=32 logid=0000000013 type=traffic subtype=forward level=notice action=accept policyid=1 sentbyte=2000 rcvdbyte=1000 sessionid=10033 srcport=10033 dstport=20 trandisp=noop duration=10 sentpkt=0 rcvdpkt=0 utmaction=block srcip=1.1.1.1 dstip=2.2.2.2 service=tcp/20 app=tcp/20 appcat=unscanned srcintf=dmz dstintf=internal srcintfrole=dmz dstintfrole=undefined dstcountry=France devtype=iPad osname=Apple osversion=ver mastersrcmac=01:01:01:01:01:01 srcmac=01:01:01:01:01:01 srccountry=Australia countssh=1 policytype=policy srcserver=0 dstdevtype="Android Phone" dstosname=Android dstosversion=ver masterdstmac=02:02:02:02:02:02 dstmac=02:02:02:02:02:02 dstserver=0 eventtime=1538690549 dstdevcategory=None devcategory=None devid=FWF60E4Q16025790 vd=5 devname=BBBBBBB utmref=BAQAAAAEAAABxBQAAEOW8aXs92m4BAAAAAF6Ptls=</logEntry>
</data>
<data>
<logEntry>date=2018-10-04 time=15:02:29 idseq=245935346670370820 bid=53641924 dvid=1463 itime=1538690910 euid=3 epid=150290 dsteuid=0 dstepid=150291 logflag=1 logver=60 proto=6 vrf=32 logid=0000000013 type=traffic subtype=forward level=notice action=accept policyid=1 sentbyte=2000 rcvdbyte=1000 sessionid=10032 srcport=10032 dstport=20 trandisp=noop duration=10 sentpkt=0 rcvdpkt=0 utmaction=allow srcip=1.1.1.1 dstip=2.2.2.2 service=tcp/20 app=tcp/20 appcat=unscanned srcintf=dmz dstintf=internal srcintfrole=dmz dstintfrole=undefined dstcountry=France devtype=iPad osname=Apple osversion=ver mastersrcmac=01:01:01:01:01:01 srcmac=01:01:01:01:01:01 srccountry=Australia countssh=1 policytype=policy srcserver=0 dstdevtype="Android Phone" dstosname=Android dstosversion=ver masterdstmac=02:02:02:02:02:02 dstmac=02:02:02:02:02:02 dstserver=0 eventtime=1538690549 dstdevcategory=None devcategory=None devid=FWF60E4Q16025790 vd=5 devname=BBBBBBB utmref=BAQAAAAEAAABxAwAAEOW8aXs92m4BAAAAAF6Ptls=</logEntry>
</data>
<data>
<logEntry>date=2018-10-04 time=15:02:29 idseq=245935346670370868 bid=53641590 dvid=1463 itime=1538690606 euid=3 epid=150290 dsteuid=0 dstepid=150291 logflag=3 logver=60 proto=6 vrf=32 logid=0000000013 type=traffic subtype=forward level=notice action=accept policyid=1 sentbyte=2000 rcvdbyte=1000 sessionid=30016 srcport=30016 dstport=20 trandisp=noop duration=10 sentpkt=0 rcvdpkt=0 utmaction=block srcip=1.1.1.1 dstip=2.2.2.2 service=tcp/20 app=tcp/20 appcat=unscanned srcintf=dmz dstintf=internal srcintfrole=dmz dstintfrole=undefined dstcountry=France threattyps="{\"Malicious Websites\"}" devtype=iPad osname=Apple osversion=ver mastersrcmac=01:01:01:01:01:01 srcmac=01:01:01:01:01:01 srccountry=Australia crscore=60 craction=4196352 countweb=1 hostname=www.abcd.com catdesc="Malicious Websites" policytype=policy srcserver=0 dstdevtype="Android Phone" dstosname=Android dstosversion=ver masterdstmac=02:02:02:02:02:02 dstmac=02:02:02:02:02:02 dstserver=0 eventtime=1538690549 threats={www.abcd.com} threatlvls={3} threatcnts={1} threatwgts={60} dstdevcategory=None devcategory=None devid=FWF60E4Q16025790 vd=5 devname=BBBBBBB utmref=BAQAAAAEAAAB3MwAAEOW8abs42m4BAAAAAC6Otls=</logEntry>
</data>
<data>
<logEntry>date=2018-10-04 time=15:02:28 idseq=245935346670370848 bid=53641599 dvid=1463 itime=1538690606 euid=16499 epid=101 dsteuid=0 dstepid=101 logflag=3 logver=60 proto=6 vrf=32 logid=0000000010 type=traffic subtype=forward level=notice action=deny policyid=100 sentbyte=200 rcvdbyte=400 sessionid=90151 srcport=900 dstport=800 duration=20 srcip=172.16.78.32 dstip=1.1.1.32 service=tcp/800 user="test user" app=tcp/800 appcat=unscanned srcintf=unknown-0 dstintf=unknown-0 srcintfrole=undefined dstintfrole=undefined wanoptapptype=cifs wanin=400 wanout=300 lanin=200 lanout=100 dstcountry=Australia threattyps={blocked-connection} srccountry=Reserved crscore=30 craction=131072 crlevel=high policytype=proxy-policy eventtime=1538690549 authserver="test server" threats={blocked-connection} threatlvls={3} threatcnts={1} threatwgts={30} devid=FWF60E4Q16025790 vd=5 devname=BBBBBBB</logEntry>
</data>
</logs>
</ns3:searchFazLogResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
I was getting that error though, the problem in my side was due to the admin certificate. try creating a new super admin user and try again .
Please keep me posted.
Cheers
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your replies guys!
FortiGabe wrote:I'm using a local user with super_user admin profile for all ADOMs in my setup.
brazz@fortinet.com wrote:I was getting that error though, the problem in my side was due to the admin certificate. try creating a new super admin user and try again.
I have only tried using a read-only local user (without super-admin privileges), as I only need to read logs and not change any configurations. Could you guys please try authenticating with the API using a local read-only account (due to bureaucracy reasons I am unable to try a super-admin just yet). Or can the API only be used by the admin user?
@brazz_FTNT I see in your request body that your password field is empty. Did you empty it before posting to the forum or was it empty when sending the request and did you use a Authorization header to send the username and password to the server? Also, you could please post the whole API url that you called?
Your guys' help is really appreciated!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
I have only tried using a read-only local user (without super-admin privileges), as I only need to read logs and not change any configurations. Could you guys please try authenticating with the API using a local read-only account (due to bureaucracy reasons I am unable to try a super-admin just yet). Or can the API only be used by the admin user?
I have tested with other Admin Profiles {Restricted_User and Standard_User} and I have got below result (like your case)
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns1="http://jaxb.dev.java.net/array" xmlns:ns3="http://r200806.ws.fmg.fortinet.com/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<ns3:searchFazLogResponse>
<errorMsg>
<errorCode>-101</errorCode>
<errorMsg>Invalid user/password or adom</errorMsg>
</errorMsg>
<totalResultsFound>0</totalResultsFound>
<matchesReturned>0</matchesReturned>
<startIndex>0</startIndex>
<logs/>
</ns3:searchFazLogResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
So I assume we need to have a Super_Admin profile to perform this task.
I see in your request body that your password field is empty. Did you empty it before posting to the forum or was it empty when sending the request and did you use a Authorization header to send the username and password to the server?
It was my test and I have not changed the factory setting config on my devices.
Please let me know if you find this helpful.
Cheers
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
brazz@fortinet.com wrote:So I assume we need to have a Super_Admin profile to perform this task.
Confirmed! The user must be a Super_Admin to be able to authenticate using the FAZ API.
Fantastic, I finally know what's potting. Thanks a million for your guys' help!
Related Posts
- FNAC persistence agent deployments 64 Views
- 802.1x authentication for wifi users 133 Views
- failed to load fortianalyzer 67 Views
- FSSO authentication fallback with flow-based policy 107 Views
- forti tunnel NPS 104 Views
Labels
-
FortiGate
6,438 -
FortiClient
1,282 -
5.2
801 -
5.4
639 -
FortiManager
560 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
330 -
FortiAP
325 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
IPsec
63 -
Wireless Controller
57 -
SSL-VPN
52 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
17 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
Traffic shaping
8 -
Virtual IP
8 -
RADIUS
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
NAT
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiAuthenticator
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
Intrusion prevention
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.