FortiGate 60E REST API

Author
hermgerm
New Member
2019/09/27 03:23:18 (permalink)

FortiGate 60E REST API

Hi there,

I want to reboot my FortiGate 60E via the REST API. I'm using this endpoint, doing this request (obviously already authenticated):

curl -k -i -H "Accept: application/json" -X POST "https://ip:port/api/v2/monitor/system/os/reboot" --cookie cookie.txt

 
But I receive a Forbidden:
 
{
  "http_method":"POST",
  "status":"error",
  "http_status":403,
  "vdom":"root",
  "path":"system",
  "name":"os",
  "action":"reboot",
  "serial":"serial",
  "version":"v6.0.5",
  "build":268
}

 
How do I reboot the FortiGate via REST API?
 
PS: I'm trying this with a user who has RW permission on all categories.
Thank you!
#1
emnoc
Expert Member
Re: FortiGate 60E REST API 2019/09/27 04:31:44 (permalink)
Try a prof_admin profile. RW probably does work for that cmd level.
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#2
hermgerm
New Member
Re: FortiGate 60E REST API 2019/09/27 04:37:04 (permalink)
I'm using a super_admin profile; still not working. prof_admin also gets the same response.
#3
emnoc
Expert Member
Re: FortiGate 60E REST API 2019/09/28 03:22:15 (permalink)
FWIW, I tried the following with an api_user based on some older API_REFERENCE:
 
 
Socket1 $curl -X POST  -k   -H  "Authorization: Bearer jx67dQm6r8nd4qQQhptr3rnjhbHdzx" "https://192.168.1.99/api/v2/monitor/system/dashboard/reboot?access_token=jx67dQm6r8nd4qQQhptr3rnjhbHdzx"
{
  "path":"system",
  "name":"dashboard",
  "action":"reboot",
  "serial":"FWF50xxxxxxxxx",
  "version":"v6.0.0",
  "build":76,
  "status":"error",
  "http_status":404
}
Socket1 $
 
It failed also. I haven't seen a working example of an API reboot. The 404 tells me this entry point is not valid. In your case, status code 403 seems to be authentication-related.
 
Do you have an api_user?
 
Do other calls work? 
 
 
 
 
e.g. API_USER using an authorization header (the token):
 
 
curl  -k   -H  "Authorization: Bearer jx67dQm6r8nd4qQQhptr3rnjhbHdzx"  "https://192.168.1.99/api/v2/monitor/system/dhcp?"
{
  "http_method":"GET",
  "results":[
    {
      "ip":"192.168.1.113",
      "mac":"bc:98:df:d3:eb:15",
      "vci":"android-dhcp-9",
      "expire_time":1570263781,
      "status":"leased",
      "interface":"internal",
      "type":"ipv4",
      "reserved":false,
      "server_mkey":1
    },
    {
      "ip":"192.168.1.112",
      "mac":"78:31:c1:d5:52:d0",
      "hostname":"supports-MBP",
      "expire_time":1570263602,
      "status":"leased",
      "interface":"internal",
      "type":"ipv4",
      "reserved":false,
      "server_mkey":1
    },
{output snipped} 
 
 
Socket1 $curl  -k   -H  "Authorization: Bearer jx67dQm6r8nd4qQQhptr3rnjhbHdzx"  "https://192.168.1.99/api/v2/monitor/firewall/policy"
{
  "http_method":"GET",
  "results":[
    {
      "policyid":0,
      "active_sessions":0,
      "bytes":0,
      "packets":0
    },
    {
      "policyid":1,
      "uuid":"4642baea-885e-51e9-6881-43df12c629e1",
      "active_sessions":26,
      "bytes":121036518,
      "packets":156639,
      "last_used":1569665902,
      "first_used":1569607211,
      "hit_count":3847,
      "session_last_used":1569665899,
      "session_first_used":1569607211,
      "session_count":25
    },
    {
      "policyid":2,
      "uuid":"47cd84ec-ce3d-51e9-2d18-6ba8026ba89f",
      "active_sessions":23,
      "bytes":3673664328,
      "packets":4089520,
      "last_used":1569665899,
      "first_used":1569607211,
      "hit_count":9610,
      "session_last_used":1569665899,
      "session_first_used":1569607211,
      "session_count":23
    },
{output snipped}
 
Socket1 $curl  -k   -H  "Authorization: Bearer jx67dQm6r8nd4qQQhptr3rnjhbHdzx"  "https://192.168.1.99/api/v2/monitor/router/statistics"
{
  "http_method":"GET",
  "results":{
    "total_lines":8,
    "total_lines_ipv4":8,
    "total_lines_ipv6":0
  },
  "vdom":"root",
  "path":"router",
  "name":"statistics",
  "status":"success",
  "serial":"xxxxxxxxx",
  "version":"v6.0.0",
  "build":76
 
Do you have any API reference PDF?

#4
neonbit
Expert Member
Re: FortiGate 60E REST API 2019/09/28 08:00:41 (permalink)
I just tried it and got the same error. The API profile has read/write for everything.
 
It's weird, I swear I tested this a while back and it worked, I think it was on 5.6 build. I'm curious as to why it's not working now.
#5
neonbit
Expert Member
Re: FortiGate 60E REST API 2019/09/28 08:50:45 (permalink)
Ok, so I did a debug and can see that it fails because there's no CSRF token sent with the API call:
 
FortiGate # [httpsd 221 - 1569684993 info] ap_invoke_handler[569] -- new request (handler='api_monitor_v2-handler', uri='/api/v2/monitor/system/os/reboot/', method='POST')
[httpsd 221 - 1569684993 info] ap_invoke_handler[573] -- User-Agent: insomnia/6.6.2
[httpsd 221 - 1569684993 info] ap_invoke_handler[576] -- Source: 192.168.160.254:59741 Destination: 192.168.160.102:443
[httpsd 221 - 1569684993 info] endpoint_handle_req[898] -- received api_monitor_v2_request from '192.168.160.254'
[httpsd 221 - 1569684993 info] aps_init_process_vdom[1258] -- initialized process vdom to 'root' (cookie='(null)')
[httpsd 221 - 1569684993 info] api_store_parameter[238] -- add API parameter 'access_token' (type=string)
[httpsd 221 - 1569684993 info] endpoint_process_req_vdom[709] -- new API request (action='reboot',path='system',name='os',vdom='root',user='admin')
[httpsd 221 - 1569684993 error] is_valid_csrf_token[2419] -- no CSRF token found
[httpsd 221 - 1569684993 error] api_endpoint_execute_handler[574] -- no valid CSRF token found
[httpsd 221 - 1569684993 error] api_return_http_result[690] -- API error 403 raised
 
I was under the impression when you send the API admin token in the URL that you don't need to add the CSRF header, maybe I'm missing something.
 
In any case, I reverted back to the old way of using the REST API, by logging in, copying the CSRF token and using it as part of the API call, and can confirm the reboot call is now working.
 
[httpsd 221 - 1569685240 info] ap_invoke_handler[569] -- new request (handler='logincheck-handler', uri='/logincheck', method='POST')
[httpsd 221 - 1569685240 info] ap_invoke_handler[573] -- User-Agent: insomnia/6.6.2
[httpsd 221 - 1569685240 info] ap_invoke_handler[576] -- Source: 192.168.160.254:60085 Destination: 192.168.160.102:443
[httpsd 221 - 1569685240 info] logincheck_handler[347] -- entering vdom for login_attempt (vdom='root')
[httpsd 221 - 1569685240 info] logincheck_handler[440] -- login attempt OK, VDOM updated to 'root'
[httpsd 221 - 1569685240 info] logincheck_handler[448] -- login_attempt (method=5, vdom='root', name='admin',admin_name='admin', auth_svr='')
[httpsd 221 - 1569685240 info] ap_invoke_handler[592] -- request completed (handler='logincheck-handler' result==0)
[httpsd 214 - 1569685304 info] ap_invoke_handler[569] -- new request (handler='api_monitor_v2-handler', uri='/api/v2/monitor/system/os/reboot', method='POST')
[httpsd 214 - 1569685304 info] ap_invoke_handler[573] -- User-Agent: insomnia/6.6.2
[httpsd 214 - 1569685304 info] ap_invoke_handler[576] -- Source: 192.168.160.254:60184 Destination: 192.168.160.102:443
[httpsd 214 - 1569685304 info] endpoint_handle_req[898] -- received api_monitor_v2_request from '192.168.160.254'
[httpsd 214 - 1569685304 info] aps_init_process_vdom[1258] -- initialized process vdom to 'root' (cookie='(null)')
[httpsd 214 - 1569685304 info] endpoint_process_req_vdom[709] -- new API request (action='reboot',path='system',name='os',vdom='root',user='admin')
[httpsd 214 - 1569685304 info] ap_invoke_handler[592] -- request completed (handler='api_monitor_v2-handler' result==0)
[httpsd 151 - 1569685310 error] log_error_core[439] -- [Sat Sep 28 15:41:50 2019] [notice] caught SIGTERM, shutting down
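The httpsd debug output above shows exactly why each request was rejected (a missing CSRF token for the 403, an unknown URI for a 404). As an added example, not code from this thread or from Fortinet, here is a small Python parser that groups such lines into one record per request and maps the logged reason to the fix the thread arrived at. The log sample is constructed from the lines posted in this thread; the line layout it assumes (pid, timestamp, level, function[line] -- message) is taken from those lines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the httpsd debug lines posted in this thread:
# request 221 is rejected for a missing CSRF token, 214 completes, 1362 uses a bad URI.
SAMPLE_LOG = """\
[httpsd 221 - 1569684993 info] ap_invoke_handler[569] -- new request (handler='api_monitor_v2-handler', uri='/api/v2/monitor/system/os/reboot/', method='POST')
[httpsd 221 - 1569684993 info] endpoint_process_req_vdom[709] -- new API request (action='reboot',path='system',name='os',vdom='root',user='admin')
[httpsd 221 - 1569684993 error] is_valid_csrf_token[2419] -- no CSRF token found
[httpsd 221 - 1569684993 error] api_endpoint_execute_handler[574] -- no valid CSRF token found
[httpsd 221 - 1569684993 error] api_return_http_result[690] -- API error 403 raised
[httpsd 214 - 1569685304 info] ap_invoke_handler[569] -- new request (handler='api_monitor_v2-handler', uri='/api/v2/monitor/system/os/reboot', method='POST')
[httpsd 214 - 1569685304 info] endpoint_process_req_vdom[709] -- new API request (action='reboot',path='system',name='os',vdom='root',user='admin')
[httpsd 214 - 1569685304 info] ap_invoke_handler[592] -- request completed (handler='api_monitor_v2-handler' result==0)
[httpsd 1362 - 1569780248     info] ap_invoke_handler[593] -- new request (handler='api_monitor_v2-handler', uri='/api/v2/monitor/system/do/reboot?access_token=******', method='POST')
[httpsd 1362 - 1569780248  warning] endpoint_process_req[476] -- no matching method found
[httpsd 1362 - 1569780248    error] api_return_http_result[516] -- API error 404 raised
"""

# One httpsd line: [httpsd <pid> - <epoch> <level>] <func>[<srcline>] -- <message>
LINE_RE = re.compile(r"^\[httpsd (?P<pid>\d+) - (?P<ts>\d+)\s+(?P<level>\w+)\]\s+(?P<func>\w+)\[\d+\] -- (?P<msg>.*)$")
NEW_REQ_RE = re.compile(r"new request \(handler='[^']*', uri='(?P<uri>[^']*)', method='(?P<method>\w+)'\)")
USER_RE = re.compile(r"user='(?P<user>[^']*)'")
STATUS_RE = re.compile(r"API error (?P<code>\d+) raised")


@dataclass
class ApiRequest:
    pid: str
    uri: str
    method: str
    user: Optional[str] = None
    http_status: Optional[int] = None
    completed: bool = False
    problems: List[str] = field(default_factory=list)   # error/warning messages logged for this request


def parse_httpsd_log(text: str) -> List[ApiRequest]:
    """Group httpsd debug lines into one record per request; a worker pid handles one request at a time."""
    open_by_pid = {}
    requests: List[ApiRequest] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, level, msg = m["pid"], m["level"], m["msg"]
        nr = NEW_REQ_RE.search(msg)
        if nr:                                   # a "new request" line opens a fresh record for this pid
            req = ApiRequest(pid=pid, uri=nr["uri"], method=nr["method"])
            open_by_pid[pid] = req
            requests.append(req)
            continue
        req = open_by_pid.get(pid)
        if req is None:
            continue
        um = USER_RE.search(msg)
        if um:
            req.user = um["user"]
        sm = STATUS_RE.search(msg)
        if sm:
            req.http_status = int(sm["code"])
        elif level in ("error", "warning"):
            req.problems.append(msg)
        if "request completed" in msg:
            req.completed = True
    return requests


def diagnose(req: ApiRequest) -> str:
    """Map the failure reason httpsd logged to the remedy discussed in the thread."""
    if any("CSRF" in p for p in req.problems):
        return "403: session-cookie auth without an X-CSRFTOKEN header (send the ccsrftoken cookie value in it)"
    if any("no matching method" in p for p in req.problems):
        return "404: URI is not a valid monitor endpoint (check the path, e.g. system/os/reboot)"
    if req.http_status is None and req.completed:
        return "ok"
    return f"{req.http_status}: see the remaining httpsd debug lines"


if __name__ == "__main__":
    for r in parse_httpsd_log(SAMPLE_LOG):
        print(r.pid, r.method, r.uri, r.user, "->", diagnose(r))
```

Feed it the output of `diag debug application httpsd -1` captured in a second SSH session and it tells you, per request, whether the 4xx came from the CSRF check, from the URI lookup, or from something else that needs a closer look.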
 
 
 
#6
hermgerm
New Member
Re: FortiGate 60E REST API 2019/09/29 09:06:28 (permalink)
Other requests do work the way I do it (I'm not using an API user; it's just a normal super_admin which I log in via /logincheck and then grab the CSRF token), so I'm curious why it's not working the way I do it.
 
Could you please post your curl call? 
#7
emnoc
Expert Member
Re: FortiGate 60E REST API 2019/09/29 11:09:55 (permalink)
So the dashboard/reboot does not work; your URI is not found in my documentation, even though my API reference doc is quite old. Do you have a link to a newer version?
 
To answer your question, I'm using super_admin and post to the same URI as yours. I did a typo of "do" vs "os" to be sure, and got status code 404.
 
 
curl -X POST  -k   -H  "Authorization: Bearer jx67dQm6r8nd4qQQhptr3rnjhbHdzx"  "https://192.168.1.99/api/v2/monitor/system/os/reboot?access_token=jx67dQm6r8nd4qQQhptr3rnjhbHdzx"
curl: (52) Empty reply from server
 
{ debug output }
 
[httpsd 1362 - 1569780248     info] ap_invoke_handler[593] -- new request (handler='api_monitor_v2-handler', uri='/api/v2/monitor/system/do/reboot?access_token=******************************', method='POST')
[httpsd 1362 - 1569780248     info] ap_invoke_handler[597] -- User-Agent: curl/7.54.0
[httpsd 1362 - 1569780248     info] ap_invoke_handler[600] -- Source: 192.168.1.112:60747 Destination: 192.168.1.99:443
[httpsd 1362 - 1569780248     info] endpoint_handle_req[585] -- received api_monitor_v2_request from '192.168.1.112'
[httpsd 1362 - 1569780248  warning] api_access_check_for_api_key[954] -- API Key request authorized for soc2 from 192.168.1.112.
[httpsd 1362 - 1569780248  warning] endpoint_process_req[476] -- no matching method found
[httpsd 1362 - 1569780248    error] api_return_http_result[516] -- API error 404 raised
[httpsd 1362 - 1569780248     info] ap_invoke_handler[616] -- request completed (handler='api_monitor_v2-handler' result==0)
[httpsd 190 - 1569780258     info] ap_invoke_handler[593] -- new request (handler='api_monitor_v2-handler', uri='/api/v2/monitor/system/os/reboot?access_token=******************************', method='POST')
[httpsd 190 - 1569780258     info] ap_invoke_handler[597] -- User-Agent: curl/7.54.0
[httpsd 190 - 1569780258     info] ap_invoke_handler[600] -- Source: 192.168.1.112:60750 Destination: 192.168.1.99:443
[httpsd 190 - 1569780258     info] endpoint_handle_req[585] -- received api_monitor_v2_request from '192.168.1.112'
[httpsd 190 - 1569780258  warning] api_access_check_for_api_key[954] -- API Key request authorized for soc2 from 192.168.1.112.
[httpsd 190 - 1569780258     info] api_store_parameter[226] -- add API parameter 'access_token': '********' (type=string)
[httpsd 190 - 1569780258     info] endpoint_process_req_vdom[440] -- new API request (action='reboot',path='system',name='os',vdom='root',user='soc2')
[httpsd 123 - 1569780262    error] log_error_core[439] -- [Sun Sep 29 18:04:22 2019] [notice] caught SIGTERM, shutting down
Connection to 192.168.1.99 closed by remote host.
Connection to 192.168.1.99 closed.
 
NOTE: soc2 is my api_user name. Thanks for the correct URI. "/api/v2/monitor/system/dashboard/reboot" is not working.
 
So your issues were 100% authentication issues.
 
 
Ken Felix
 

#8
hermgerm
New Member
Re: FortiGate 60E REST API 2019/09/30 22:35:59 (permalink)
I honestly have no idea why, but rebooting is not working for me. If I try it the way you showed it (with an API user with Read/Write privileges on everything) it gives me a 401 error on every request. If I authenticate with a super_admin via /logincheck and then do API calls with the CSRF token, I can make every API call, but rebooting is still giving me 403.
 
How do I enable this debugging thing you posted or how can I view these logs? Maybe this could help me.
 
Thank you!
post edited by hermgerm - 2019/09/30 22:57:40
#9
emnoc
Expert Member
Re: FortiGate 60E REST API 2019/09/30 23:36:34 (permalink)
Your httpsd debug should confirm, but let me test the other way (CSRF) and see what happens. I have no API reference that shows that URI you're using, but calling it does work, at least for me. So that's the entry point.
 
Your 401 and 403 are disturbing, so I would investigate those items. BTW I'm stuck on FortiOS 6.0.0 on this FWF50, so I can't test another model at this time. Have you recently upgraded or downgraded the appliance, and what happens if you craft a new token?
 
 

#10
hermgerm
New Member
Re: FortiGate 60E REST API 2019/09/30 23:52:23 (permalink)
Every other API call that I've found was not working for me.
 
 
So I just did the reboot through the Webclient and inspected the network traffic, since the Webclient obviously also uses the REST API.
There I found the endpoint I just posted. This is the same endpoint the Webclient calls on a reboot.
 
Generating a new API_USER or a new token doesn't make any difference. How do I look up the httpsd log you just mentioned, is there a CLI command? (I don't have a lot of experience with these Fortinet devices; I'm just a software dev :-/)
#11
emnoc
Expert Member
Re: FortiGate 60E REST API 2019/09/30 23:59:14 (permalink). Best answer, marked by hermgerm 2019/10/01 00:22:54
Btw just tested and it works for me using the CSRFTOKEN  also ;)
 
 
supports-MacBook-Pro:Downloads ken$ cat fgtcookies
# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_192.168.1.99 FALSE / TRUE 0 APSCOOKIE_79100365 "Era%3D0%26Payload%3DBqjjbe7htCOsFsYzarB2IEMxijyyM0neq8nLlRqdPhTTvad7eL0LZpsb161uxmQC%0AsYzlEA9fitnCbWPkYrtdAXttq3v+u7JbmALCfl5T+ALAE1e1dgquZbFA7iWbn%2FRX%0AjMI7Pvc0zLzCbKRaSWynEw4C2gQXazjG9tdCsTkjydzANRRwh6uulPiNj%2F83T8bg%0Al3DihIFtCw8WjHnA%2F+xK2Q%3D%3D%0A%26AuthHash%3DCA4eiUKEM0zcXjGIij0hoUdQwG4A%0A"
192.168.1.99 FALSE / TRUE 0 ccsrftoken_79100365 "FB4B8AD9C51C5E5CBEBECD63EE2457A9"
192.168.1.99 FALSE / TRUE 0 ccsrftoken "FB4B8AD9C51C5E5CBEBECD63EE2457A9"

supports-MacBook-Pro:Downloads ken$ curl -X POST -s -b fgtcookies -k -H "Content-Type: application/json" -H "X-CSRFTOKEN: FB4B8AD9C51C5E5CBEBECD63EE2457A9"   https://192.168.1.99/api/..onitor/system/os/reboot
supports-MacBook-Pro:Downloads ken$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

I use my admin account, so that profile should be able to reboot the appliance. Cookies were grabbed on the logincheck by using this approach: http://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html

YMMV, but I didn't have any issues once I had the right URI in either case, e.g. /api/v2/monitor/system/os/reboot vs /api/v2/monitor/system/dashboard/reboot. I still think your profile is not correct for sysgrp and the action:reboot, just my hunch, and this might lead into the 4xx status codes that are coming back.

Ken Felix
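As an added example, not code from this thread or from Fortinet, the Python below does in one place what the two working approaches in the thread do by hand: it parses a libcurl/Netscape cookie file like the fgtcookies shown above, pulls the ccsrftoken value into an X-CSRFTOKEN header, and assembles the reboot POST for either auth mode (an API-key bearer token, which needs no CSRF token according to the httpsd output earlier in the thread, or session cookies from /logincheck, which do). The cookie file contents are constructed and the APSCOOKIE payload is a placeholder; send() is my own urllib wrapper, not a Fortinet API, and its unverified TLS option only mirrors curl -k for lab use.

```python
import ssl
import urllib.error
import urllib.request
from typing import Dict, Optional

# Constructed sample in Netscape cookie-file format, modelled on the fgtcookies file in this thread.
# Fields are tab separated: domain, include-subdomains, path, secure, expiry, name, value.
SAMPLE_COOKIE_FILE = "\n".join([
    "# Netscape HTTP Cookie File",
    "# https://curl.haxx.se/docs/http-cookies.html",
    "",
    '#HttpOnly_192.168.1.99\tFALSE\t/\tTRUE\t0\tAPSCOOKIE_79100365\t"Era%3D0%26Payload%3DEXAMPLE"',
    '192.168.1.99\tFALSE\t/\tTRUE\t0\tccsrftoken_79100365\t"FB4B8AD9C51C5E5CBEBECD63EE2457A9"',
    '192.168.1.99\tFALSE\t/\tTRUE\t0\tccsrftoken\t"FB4B8AD9C51C5E5CBEBECD63EE2457A9"',
    "",
])


def parse_netscape_cookies(text: str) -> Dict[str, str]:
    """Return {name: value} for every cookie line, including the #HttpOnly_ ones libcurl writes."""
    cookies: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]      # commented-looking, but a real cookie
        elif line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        name, value = fields[5], fields[6]
        cookies[name] = value.strip('"')         # libcurl keeps the quotes the server sent
    return cookies


def csrf_token_from_cookies(cookies: Dict[str, str]) -> Optional[str]:
    """FortiOS stores the CSRF token in a ccsrftoken cookie (plain, or suffixed with a session id)."""
    if "ccsrftoken" in cookies:
        return cookies["ccsrftoken"]
    for name, value in cookies.items():
        if name.startswith("ccsrftoken_"):
            return value
    return None


def build_request(host: str, auth: Dict[str, str], cookies: Optional[Dict[str, str]] = None) -> Dict[str, object]:
    """Assemble the POST to /api/v2/monitor/system/os/reboot for either auth mode seen in the thread.

    auth = {"mode": "api_key", "token": "..."} -> Authorization: Bearer header, no CSRF token
    auth = {"mode": "session"}                  -> cookies from /logincheck plus X-CSRFTOKEN header
    """
    url = f"https://{host}/api/v2/monitor/system/os/reboot"
    headers = {"Accept": "application/json", "Content-Type": "application/json"}
    if auth["mode"] == "api_key":
        headers["Authorization"] = f"Bearer {auth['token']}"
        return {"method": "POST", "url": url, "headers": headers, "cookies": {}}
    if auth["mode"] == "session":
        token = csrf_token_from_cookies(cookies or {})
        if token is None:
            raise ValueError("session auth needs a ccsrftoken cookie; log in via /logincheck first")
        headers["X-CSRFTOKEN"] = token           # the header name the working curl call uses
        return {"method": "POST", "url": url, "headers": headers, "cookies": dict(cookies)}
    raise ValueError(f"unknown auth mode {auth['mode']!r}")


def send(req: Dict[str, object], verify_tls: bool = True) -> int:
    """Send an assembled request with urllib and return the HTTP status (network call, not exercised offline)."""
    headers = dict(req["headers"])
    if req["cookies"]:
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in req["cookies"].items())
    r = urllib.request.Request(req["url"], data=b"", headers=headers, method=req["method"])
    ctx = None if verify_tls else ssl._create_unverified_context()   # lab-only, like curl -k
    try:
        with urllib.request.urlopen(r, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    jar = parse_netscape_cookies(SAMPLE_COOKIE_FILE)
    print(build_request("192.168.1.99", {"mode": "session"}, jar)["headers"])
```

Pointing parse_netscape_cookies() at the file curl wrote with -c after /logincheck, and then calling send(build_request(...)), is the same exchange as the working curl line above; a ValueError from build_request() in session mode is the offline equivalent of the "no CSRF token found" 403 in the httpsd debug.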
 

#12
emnoc
Expert Member
Re: FortiGate 60E REST API 2019/10/01 00:02:09 (permalink)

How do I look up the httpsd log you just mentioned, is there a CLI command? (I don't have a lot of experience with these Fortinet devices; I'm just a software dev :-/)

 
diag debug enable
diag debug application httpsd -1
 
But you showed earlier logs, so I guess you figured that part out? I would just open 2 SSH sessions and do the debugging in the 2nd session, but you're on the right track.
 
Do you have a 2nd unit that you can test on ?
 
Ken Felix

#13
hermgerm
New Member
Re: FortiGate 60E REST API 2019/10/01 00:28:39 (permalink)
Ok, it's working now! I rebooted the device and everything is working just fine now, don't know what happened. Thank you!
 
PS: Not the whole truth! I also had a typo in the header ....
post edited by hermgerm - 2019/10/01 00:42:36
#14
emnoc
Expert Member
Re: FortiGate 60E REST API 2019/10/01 00:43:10 (permalink)
Good. I was going to point out that one dev-ops developer was doing something where his script overwrote the token and the token was bad or invalid. I believe that will give you a 401 also, iirc, so I was going to suggest that you validate that this is not what is happening.
 
The API_USER is much more user-friendly than the CSRFTOKEN imho.
 
I would also suggest, if you're developing towards the API, to use something like Postman. I do like 99% of my API diag, debug or research with it, and it's very helpful if you want to save and share your collections.
https://www.getpostman.com
 
I can't begin to tell you how many cases I worked where API credentials were hosed up, expired, wrong, etc........
 
Ken Felix
 
 
 

© 2019 APG vNext Commercial Version 5.5