- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FortiGate 60E REST API
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate 60E REST API
Hi there,
i want to reboot my FortiGate 60E via the REST-API. Im using this endpoint:
doing this Request(obviously already authenticated):
curl -k -i -H "Accept: application/json" -X POST "https://ip:port/api/v2/monitor/system/os/reboot" --cookie cookie.txt
But I receive a Forbidden:
{
"http_method":"POST",
"status":"error",
"http_status":403,
"vdom":"root",
"path":"system",
"name":"os",
"action":"reboot",
"serial":"serial",
"version":"v6.0.5",
"build":268
}
How do I reboot the FortiGate via REST API?
PS: Im trying this with a user who has RW permission on all Categorys
Thank you!
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Btw just tested and it works for me using the CSRFTOKEN also ;)
supports-MacBook-Pro:Downloads ken$ cat fgtcookies # Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk. #HttpOnly_192.168.1.99 FALSE / TRUE 0 APSCOOKIE_79100365 "Era%3D0%26Payload%3DBqjjbe7htCOsFsYzarB2IEMxijyyM0neq8nLlRqdPhTTvad7eL0LZpsb161uxmQC%0AsYzlEA9fitnCbWPkYrtdAXttq3v+u7JbmALCfl5T+ALAE1e1dgquZbFA7iWbn%2FRX%0AjMI7Pvc0zLzCbKRaSWynEw4C2gQXazjG9tdCsTkjydzANRRwh6uulPiNj%2F83T8bg%0Al3DihIFtCw8WjHnA%2F+xK2Q%3D%3D%0A%26AuthHash%3DCA4eiUKEM0zcXjGIij0hoUdQwG4A%0A"192.168.1.99 FALSE / TRUE 0 ccsrftoken_79100365 "FB4B8AD9C51C5E5CBEBECD63EE2457A9"192.168.1.99 FALSE / TRUE 0 ccsrftoken "FB4B8AD9C51C5E5CBEBECD63EE2457A9" supports-MacBook-Pro:Downloads ken$ curl -X POST -s -b fgtcookies -k -H "Content-Type: application/json" -H "X-CSRFTOKEN: FB4B8AD9C51C5E5CBEBECD63EE2457A9" https://192.168.1.99/api/..onitor/system/os/rebootsupports-MacBook-Pro:Downloads ken$ ping 8.8.8.8PING 8.8.8.8 (8.8.8.8): 56 data bytesRequest timeout for icmp_seq 0Request timeout for icmp_seq 1Request timeout for icmp_seq 2 I use my admin account so that profile show be able to reboot the appliance. Cookies were grabbed on the logincheck by using this approach http://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html YMMV but I didn't have any issues once I had the right URI in either case e.g /api/v2/monitor/system/os/reboot vrs /api/v2/monitor/system/dashboard/reboot I still think your profile is not correct for sysgrp and the action:reboot, just my hunch and this might lead into the 4xx status codes that are coming back. Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
14 REPLIES 14
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try a prof_admin profile. RW probably does work for that cmd level.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Im using a super_admin profile, still not working. Also prof_admin getting the same response.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FWIW . I tried the following with an api_user based on some older API_REFERENCE
Socket1 $curl -X POST -k -H "Authorization: Bearer jx67dQm6r8nd4qQQhptr3rnjhbHdzx" "https://192.168.1.99/api/v2/monitor/system/dashboard/reboot?access_token=jx67dQm6r8nd4qQQhptr3rnjhbHdzx"{ "path":"system", "name":"dashboard", "action":"reboot", "serial":"FWF50xxxxxxxxx", "version":"v6.0.0", "build":76, "status":"error", "http_status":404}Socket1 $ It failed also. I haven't seen a working example on API reboot. The 404 tells me this entry point is not valid. In your status.code 403 seems to be authentication-related. Do you have a api_user ? Do other calls work? e.g API_USER using a authorization header ( the token ) curl -k -H "Authorization: Bearer jx67dQm6r8nd4qQQhptr3rnjhbHdzx" "https://192.168.1.99/api/v2/monitor/system/dhcp?"{ "http_method":"GET", "results":[ { "ip":"192.168.1.113", "mac":"bc:98:df:d3:eb:15", "vci":"android-dhcp-9", "expire_time":1570263781, "status":"leased", "interface":"internal", "type":"ipv4", "reserved":false, "server_mkey":1 }, { "ip":"192.168.1.112", "mac":"78:31:c1:d5:52:d0", "hostname":"supports-MBP", "expire_time":1570263602, "status":"leased", "interface":"internal", "type":"ipv4", "reserved":false, "server_mkey":1 },{output snipped} Socket1 $curl -k -H "Authorization: Bearer jx67dQm6r8nd4qQQhptr3rnjhbHdzx" "https://192.168.1.99/api/v2/monitor/firewall/policy"{ "http_method":"GET", "results":[ { "policyid":0, "active_sessions":0, "bytes":0, "packets":0 }, { "policyid":1, "uuid":"4642baea-885e-51e9-6881-43df12c629e1", "active_sessions":26, "bytes":121036518, "packets":156639, "last_used":1569665902, "first_used":1569607211, "hit_count":3847, "session_last_used":1569665899, "session_first_used":1569607211, "session_count":25 }, { "policyid":2, "uuid":"47cd84ec-ce3d-51e9-2d18-6ba8026ba89f", "active_sessions":23, "bytes":3673664328, "packets":4089520, "last_used":1569665899, "first_used":1569607211, "hit_count":9610, "session_last_used":1569665899, "session_first_used":1569607211, "session_count":23 },{output snipped} Socket1 $curl -k -H "Authorization: Bearer jx67dQm6r8nd4qQQhptr3rnjhbHdzx" "https://192.168.1.99/api/v2/monitor/router/statistics"{ "http_method":"GET", "results":{ "total_lines":8, "total_lines_ipv4":8, "total_lines_ipv6":0 }, "vdom":"root", "path":"router", "name":"statistics", "status":"success", "serial":"xxxxxxxxx", "version":"v6.0.0", "build":76 Do you have any API reference pdf ?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just tried it an got the same error. API profile has read/write for everything.
It's weird, I swear I tested this a while back and it worked, I think it was on 5.6 build. I'm curious as to why it's not working now.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, so I did a debug and can see that it fails because there's no CSRF token sent with the API call:
[size="2"]FortiGate # [httpsd 221 - 1569684993 info] ap_invoke_handler[569] -- new request (handler='api_monitor_v2-handler', uri='/api/v2/monitor/system/os/reboot/', method='POST')[/size] [size="2"][httpsd 221 - 1569684993 info] ap_invoke_handler[573] -- User-Agent: insomnia/6.6.2[/size] [size="2"][httpsd 221 - 1569684993 info] ap_invoke_handler[576] -- Source: 192.168.160.254:59741 Destination: 192.168.160.102:443[/size] [size="2"][httpsd 221 - 1569684993 info] endpoint_handle_req[898] -- received api_monitor_v2_request from '192.168.160.254'[/size] [size="2"][httpsd 221 - 1569684993 info] aps_init_process_vdom[1258] -- initialized process vdom to 'root' (cookie='(null)')[/size] [size="2"][httpsd 221 - 1569684993 info] api_store_parameter[238] -- add API parameter 'access_token' (type=string)[/size] [size="2"][httpsd 221 - 1569684993 info] endpoint_process_req_vdom[709] -- new API request (action='reboot',path='system',name='os',vdom='root',user='admin')[/size] [size="2"][httpsd 221 - 1569684993 error] is_valid_csrf_token[2419] -- no CSRF token found[/size] [size="2"][httpsd 221 - 1569684993 error] api_endpoint_execute_handler[574] -- no valid CSRF token found[/size] [size="2"][httpsd 221 - 1569684993 error] api_return_http_result[690] -- API error 403 raised[/size]
I was under the impression when you send the API admin token in the URL that you don't need to add the CSRF header, maybe I'm missing something.
In any case, I reverted back to using the old way of using the REST API by logging in, copying the CSRF token and using it part of the API call and can confirm the reboot call is now working.
[size="2"][httpsd 221 - 1569685240 info] ap_invoke_handler[569] -- new request (handler='logincheck-handler', uri='/logincheck', method='POST')[/size] [size="2"][httpsd 221 - 1569685240 info] ap_invoke_handler[573] -- User-Agent: insomnia/6.6.2[/size] [size="2"][httpsd 221 - 1569685240 info] ap_invoke_handler[576] -- Source: 192.168.160.254:60085 Destination: 192.168.160.102:443[/size] [size="2"][httpsd 221 - 1569685240 info] logincheck_handler[347] -- entering vdom for login_attempt (vdom='root')[/size] [size="2"][httpsd 221 - 1569685240 info] logincheck_handler[440] -- login attempt OK, VDOM updated to 'root'[/size] [size="2"][httpsd 221 - 1569685240 info] logincheck_handler[448] -- login_attempt (method=5, vdom='root', name='admin',admin_name='admin', auth_svr='')[/size] [size="2"][httpsd 221 - 1569685240 info] ap_invoke_handler[592] -- request completed (handler='logincheck-handler' result==0)[/size] [size="2"][httpsd 214 - 1569685304 info] ap_invoke_handler[569] -- new request (handler='api_monitor_v2-handler', uri='/api/v2/monitor/system/os/reboot', method='POST')[/size] [size="2"][httpsd 214 - 1569685304 info] ap_invoke_handler[573] -- User-Agent: insomnia/6.6.2[/size] [size="2"][httpsd 214 - 1569685304 info] ap_invoke_handler[576] -- Source: 192.168.160.254:60184 Destination: 192.168.160.102:443[/size] [size="2"][httpsd 214 - 1569685304 info] endpoint_handle_req[898] -- received api_monitor_v2_request from '192.168.160.254'[/size] [size="2"][httpsd 214 - 1569685304 info] aps_init_process_vdom[1258] -- initialized process vdom to 'root' (cookie='(null)')[/size] [size="2"][httpsd 214 - 1569685304 info] endpoint_process_req_vdom[709] -- new API request (action='reboot',path='system',name='os',vdom='root',user='admin')[/size] [size="2"][httpsd 214 - 1569685304 info] ap_invoke_handler[592] -- request completed (handler='api_monitor_v2-handler' result==0)[/size] [size="2"][httpsd 151 - 1569685310 error] log_error_core[439] -- [Sat Sep 28 15:41:50 2019] [notice] caught SIGTERM, shutting down[/size]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Other request do work like I do it (im not using an API User, its just a normal super_admin which I login via /logincheck and then grab the CSRF-token) So I'm curious why its not working the way I do it.
Could you please post your curl call?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So the dashboard/reboot does not work, your URI is not found in my documentation even tho my API reference doc is quite old. Do you have a link to a newier version?
To answer your question, I'm using super_admin and post to the same URI as yours. I did a type of "do" vrs "os" to ensure and status.code 404
curl -X POST -k -H "Authorization: Bearer jx67dQm6r8nd4qQQhptr3rnjhbHdzx" "https://192.168.1.99/api/v2/monitor/system/os/reboot?access_token=jx67dQm6r8nd4qQQhptr3rnjhbHdzx"curl: (52) Empty reply from server
{ debug output }
[httpsd 1362 - 1569780248 info] ap_invoke_handler[593] -- new request (handler='api_monitor_v2-handler', uri='/api/v2/monitor/system/do/reboot?access_token=******************************', method='POST')[httpsd 1362 - 1569780248 info] ap_invoke_handler[597] -- User-Agent: curl/7.54.0[httpsd 1362 - 1569780248 info] ap_invoke_handler[600] -- Source: 192.168.1.112:60747 Destination: 192.168.1.99:443[httpsd 1362 - 1569780248 info] endpoint_handle_req[585] -- received api_monitor_v2_request from '192.168.1.112'[httpsd 1362 - 1569780248 warning] api_access_check_for_api_key[954] -- API Key request authorized for soc2 from 192.168.1.112.[httpsd 1362 - 1569780248 warning] endpoint_process_req[476] -- no matching method found[httpsd 1362 - 1569780248 error] api_return_http_result[516] -- API error 404 raised[httpsd 1362 - 1569780248 info] ap_invoke_handler[616] -- request completed (handler='api_monitor_v2-handler' result==0)[httpsd 190 - 1569780258 info] ap_invoke_handler[593] -- new request (handler='api_monitor_v2-handler', uri='/api/v2/monitor/system/os/reboot?access_token=******************************', method='POST')[httpsd 190 - 1569780258 info] ap_invoke_handler[597] -- User-Agent: curl/7.54.0[httpsd 190 - 1569780258 info] ap_invoke_handler[600] -- Source: 192.168.1.112:60750 Destination: 192.168.1.99:443[httpsd 190 - 1569780258 info] endpoint_handle_req[585] -- received api_monitor_v2_request from '192.168.1.112'[httpsd 190 - 1569780258 warning] api_access_check_for_api_key[954] -- API Key request authorized for soc2 from 192.168.1.112.[httpsd 190 - 1569780258 info] api_store_parameter[226] -- add API parameter 'access_token': '********' (type=string)[httpsd 190 - 1569780258 info] endpoint_process_req_vdom[440] -- new API request (action='reboot',path='system',name='os',vdom='root',user='soc2')[httpsd 123 - 1569780262 error] log_error_core[439] -- [Sun Sep 29 18:04:22 2019] [notice] caught SIGTERM, shutting downConnection to 192.168.1.99 closed by remote host.Connection to 192.168.1.99 closed. NOTE" soc2 is my api_user name. Thanks for the correct URI. "/api/v2/monitor/system/dashboard/reboot" is not working So your issues were 100% authentication issues. Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I honestly have no idea why, but rebooting is not working for me. If I try it the way you showed it (with an API user with Read/Write priv. on everything) it gives me a 401 - Error on every Request. If I authenticate with a super_admin via /logincheck and then do API calls with the CSRF-Token, I can make every API call, but rebooting is still giving me 403.
How do I enable this debugging thing you posted or how can I view these logs? Maybe this could help me.
Thank you!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your httpsd debug should confirm, but let me test the other way ( CSRF ) and see what happens. I have no API reference that should that URI that you're using, but call it up does work at least for me. So to that's the entry poin
Your 401 and 403 are disturbing, so I would investigate those items. BTW I'm stuck on fortiOS 6.0.0 in this FWF50 so I can test another model at this time. Have recently upload or download the appliance and what happens if you craft a new token?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Related Posts
- FortiGate with Grafana 57 Views
- Log messages when forwarding traffic 79 Views
- SDWAN Rules not loading. Circle of... 76 Views
- 2nd FSSO agent 51 Views
- VECTRA AI and Fortigate Integration 50 Views
Labels
-
FortiGate
6,526 -
FortiClient
1,301 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
241 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.