Thursday, September 5, 2019

Howto Use FortiOS api-user

In this blog post I will demo some basic api-user calls with the FortiOS API token.

The API interface on the FortiGate is very well documented and defined. You can review my earlier API blog post for FortiOS here on Blogspot:

http://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html

The first item you will need to define is an api-user. In this example we have a username "soc2". Logins by this user show up in the event logs, btw. You need to set an access profile ("accprofile") on the api-user, and that profile needs to allow whatever function the API call is trying to do; the api-user also has its own trusted-host table (trusthost), so restrict the source addresses the token can be used from while you are there.





Next you have to generate the API key. The key is generated once and is only shown on the CLI at that moment, so record it then; running the command again issues a new key and the old one stops working. Here I crafted a user for the socpuppets api-key:

  CLI command:  execute api-user generate-key <username>





Next, to make system-level calls you use HTTPS and send an Authorization header in the format "Authorization: Bearer <your generated api token key>" to https://x.x.x.x/api/v2/cmdb/<api path to the object you are calling>. The cmdb tree holds configuration objects; runtime data such as policy counters lives under /api/v2/monitor/ instead.

Here are a few examples using cURL for exploring the API.



curl -k -H "Authorization: Bearer 6qQyk7Q3Hpz8k6z74161xG0Q5GNkpn" "https://192.168.1.99/api/v2/cmdb/system/global"

(The token can also be passed as a ?access_token=<token> query parameter instead of the header, but then it lands in your shell history and in any proxy or web-server log, so prefer the header. The -k skips certificate verification; fine in a lab, but point curl at the FortiGate's CA with --cacert in production.)


And the output would be something like the following:

{
  "http_method":"GET",
  "revision":"4.0.0.79100365.1565843549",
  "results":{
    "language":"english",
    "gui-ipv6":"disable",
    "gui-certificates":"enable",
    "gui-custom-language":"disable",
    "gui-wireless-opensecurity":"disable",
    "gui-display-hostname":"disable",
    "gui-lines-per-page":50,
    "admin-https-ssl-versions":"tlsv1-1 tlsv1-2",
    "admintimeout":15,
    "admin-console-timeout":0,
    "admin-concurrent":"enable",
    "admin-lockout-threshold":3,
    "admin-lockout-duration":60,
    "refresh":0,
    "interval":5,
    "failtime":5,
    "daily-restart":"disable",
    "restart-time":"00:00",
    "radius-port":1812,
    "admin-login-max":100,
    "remoteauthtimeout":5,
    "ldapconntimeout":500,
    "batch-cmdb":"enable",
    "multi-factor-authentication":"optional",
    "dst":"enable",
    "timezone":"04",
    "traffic-priority":"tos",
    "traffic-priority-level":"medium",
    "anti-replay":"strict",
    "send-pmtu-icmp":"enable",
    "honor-df":"enable",
    "management-vdom":"root",
    "hostname":"xxxxxxxx",
    "alias":"xxxxxxxxxx",
    "strong-crypto":"enable",
    "ssh-cbc-cipher":"enable",
    "ssh-hmac-md5":"enable",
    "ssh-kex-sha1":"en
(output snipped)

Here are a few more simple calls you can test.

Example, we will look at the address groups:   /api/v2/cmdb/firewall/addrgrp



(output snipped)


How about policy #1:   /api/v2/cmdb/firewall/policy/1




(output snipped)

Here we will look at policy counters (runtime data, so this one is under monitor rather than cmdb; the token is shown as a query parameter here, but the Authorization header from above works just as well):   /api/v2/monitor/firewall/policy/?vdom=root&access_token=<tokenvalue>




(output snipped)


If you request an object that does not exist, like policyid #222 in this example, you will get an HTTP status code 404, so scripts should check the status code rather than only parsing the body.





Example, we will look at the api-user objects:   /api/v2/cmdb/system/api-user




(output snipped)



Example, we will look at the accprofile objects:   /api/v2/cmdb/system/accprofile




(output snipped)

The above examples were all HTTP GETs. Here we will clear the policy counters via a simple POST and then read the counters again to check that the values were cleared.
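The calls above, collected into one small client as an added example (my code, not the post's and not Fortinet's): it builds the Bearer-header request from the HTTPS section, returns the 404 from the non-existent-policy case as a status instead of an exception, cross-checks the system/api-user and system/accprofile objects to find tokens whose profile can touch system settings, audits the system/global output the first cURL call returned, and builds the POST for clearing policy counters. The host, the CA file name and the sample responses are constructed; the clear_counters path and its policy parameter are my assumption, since the post's screenshot of that POST is snipped.

```python
"""Added example, not code from the original post or from Fortinet: a small
FortiOS REST client around urllib plus audit checks run over constructed
sample responses.  The clear_counters path below is my assumption."""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

API_BASE = "/api/v2"


def tls_context(cafile=None):
    """Verify the firewall's certificate against cafile instead of curl -k."""
    return ssl.create_default_context(cafile=cafile)


def build_request(host, path, token, method="GET", params=None):
    """Build a request with the token in the Authorization header.  The token
    is kept out of the query string (?access_token=...) on purpose: URLs end
    up in shell history and proxy/web-server logs, headers normally do not."""
    url = f"https://{host}{API_BASE}/{path.lstrip('/')}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def call(req, context):
    """Send req; return (http_status, parsed body or None).  A 404 (object
    does not exist, e.g. policy 222) comes back as a status, not an exception."""
    try:
        with urllib.request.urlopen(req, context=context, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        body = err.read().decode()
        return err.code, json.loads(body) if body.startswith("{") else None


# Settings in cmdb/system/global worth flagging: key -> (is_bad, reason).
GLOBAL_CHECKS = {
    "ssh-cbc-cipher": (lambda v: v == "enable", "CBC ciphers allowed on admin SSH"),
    "ssh-hmac-md5": (lambda v: v == "enable", "HMAC-MD5 allowed on admin SSH"),
    "ssh-kex-sha1": (lambda v: v == "enable", "SHA-1 key exchange allowed on admin SSH"),
    "admin-https-ssl-versions": (
        lambda v: any(t in v.split() for t in ("tlsv1-0", "tlsv1-1")),
        "TLS below 1.2 accepted on admin HTTPS"),
    "strong-crypto": (lambda v: v != "enable", "strong-crypto disabled"),
    "admin-lockout-threshold": (lambda v: int(v) > 5, "lockout threshold too high"),
}


def audit_global(results):
    """Return [(key, value, reason)] for weak settings in a system/global
    'results' object."""
    return [(k, results[k], why) for k, (bad, why) in GLOBAL_CHECKS.items()
            if k in results and bad(results[k])]


def privileged_api_users(api_users, accprofiles):
    """Cross-check cmdb/system/api-user against cmdb/system/accprofile and
    return api-users whose profile's system group (sysgrp) is not none,
    i.e. tokens that can read or change admin/global settings."""
    grants = {p["name"]: p.get("sysgrp", "none") for p in accprofiles}
    return [u["name"] for u in api_users
            if grants.get(u["accprofile"], "none") != "none"]


def clear_counters_request(host, token, policyid, vdom="root"):
    """POST that clears one policy's counters.  Path and 'policy' parameter
    are assumed, not taken from the post."""
    return build_request(host, "monitor/firewall/policy/clear_counters", token,
                         method="POST", params={"vdom": vdom, "policy": policyid})


# Constructed samples, cut down to the fields the checks look at.
SAMPLE_GLOBAL = {"results": {
    "admin-https-ssl-versions": "tlsv1-1 tlsv1-2", "admin-lockout-threshold": 3,
    "strong-crypto": "enable", "ssh-cbc-cipher": "enable",
    "ssh-hmac-md5": "enable", "ssh-kex-sha1": "enable"}}
SAMPLE_API_USERS = [{"name": "soc2", "accprofile": "super_admin"},
                    {"name": "readonly", "accprofile": "noaccess"}]
SAMPLE_ACCPROFILES = [{"name": "super_admin", "sysgrp": "read-write"},
                      {"name": "noaccess", "sysgrp": "none"}]

if __name__ == "__main__":
    for key, value, why in audit_global(SAMPLE_GLOBAL["results"]):
        print(f"{key}={value}: {why}")
    print("api-users with system access:",
          privileged_api_users(SAMPLE_API_USERS, SAMPLE_ACCPROFILES))
    # Live use (placeholders): ctx = tls_context("fortigate-ca.pem")
    # status, data = call(build_request("192.168.1.99", "cmdb/system/global", "TOKEN"), ctx)
```

Run as-is, it audits the constructed samples only; for a live firewall, uncomment the two lines at the bottom with your host, token and the CA file that signed the FortiGate's admin certificate, and feed `data["results"]` from the global call to `audit_global` and the `results` lists from the api-user and accprofile calls to `privileged_api_users`. The audit rules are the ones I would start from on a v6.0 box (the post's own output shows the SSH CBC/MD5/SHA-1 knobs enabled and TLS 1.1 accepted); adjust them to your baseline.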






So please play around with the API and api-user in FortiOS. All examples were done with v6.0.0.

The API can simplify and help with auditing FortiOS configurations. It's a great tool in a security engineer's toolbox for quickly gathering details for analysis and auditing.


A tip: to temporarily disable access for an api-user, define a "noaccess" access profile (every group set to none) and apply it to the api-user. Any calls to sub-levels that are set to none will be blocked. If you want to revoke the token itself rather than just block it, run execute api-user generate-key again; the old key stops working as soon as the new one is issued.

accprofile (with none set):







Note: You can find more details and postings at the Fortinet forum community. I've been a member since 2005 and a regular poster since 2007 under the name "emnoc". Myself and other contributors have posted very useful information and help at this forum.

https://forum.fortinet.com/






NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \

