Thursday, July 26, 2018

HOWTO use fortios API to add delete entries

I 'm writing this blog to demo a few simples means for adding  address into a Fortigate that could be called up in a blacklist. The API  interface is simple and quick and if you run a for-loop, you could easily add hundreds of address entries into a FGT for using in a blacklist for example in matter of a few seconds.


You do not need any special  account just a role that allows you  to write/delete in the FortiOS and a interface that has allowaccess https.

The 1st thing you need to understand,  the initial logincheck will provide a ccsrtoken value. This is only need when POST PUT DELETE actions are taken against the  FGT. You need to provide  this token in a custom X header and in the format of  "X-CSRFTOKEN:  BlahBlahBlahBlah"


In my demo I will show you how we grab  the token. Using curl and -c options, you can write the cookies while authentication against the fgt via HTTPS with  administrator account

e.g

curl -k -s -c fgtcookies -d username=kfelix -d secretkey=test1234 https://192.168.1.99/logincheck


The file "fgtcookies" will have your  cookies and the CSRFTOKEN. You will use a "POST" to add  entries and "DELETE" for deletion of "existing" entrys and a "PUT" to modify entries.

This CSRFTOKEN has to be present as a X- header

See examples below







And now we will add and delete  a few firewall entries using  POST and DELETE  http.methods and adding the token as custom X header.











Now in this case I used these items with curl manually and set the data to POST|DELETE  but in real life you would have a script that loop thru and  add or delete the entries. Your ipv4 list could be a seed from a threat intelligence or SIEM.

Or you could download a blacklist and format it a json and call that file up for execution

e.g





These entries would be added to a predefined  addrgroup  in the same fashion and with a http.method==POST and then that address-group used for denying traffic in a policy on the firewall.


here's a few  API calls that can be used for monitoring or reading cfg files. Here's a few examples I cooked up just for this blogpost.

>

reading  all system global and grep'ing for word  admin with a GET


curl -k  -b fgtcookies -H "Content-Type: application/json"  -H "Accept: application/json"  https://192.168.1.99/api/v2/cmdb/system/global | grep admin





>
reading  the system admin named kfelix


curl -k  -b fgtcookies -H "Content-Type: application/json"  -H "Accept: application/json"  https://192.168.1.99/api/v2/cmdb/system/admin/kfelix




>
reading  sys-status


curl -k  -b fgtcookies -H "Content-Type: application/json"  -H "Accept: application/json"  https://192.168.1.99/api/v2/cmdb/system/status



>
reading a firewall.policy ID#2


curl -k  -b fgtcookies -H "Content-Type: application/json"  -H "Accept: application/json"  https://192.168.1.99/api/v2/cmdb/firewall/policy/2





NOTE: In these HTTP-GET,  if you don't supply a value it will display all objects under that path/table

e.g

{ will display all policy id # }

curl -k  -b fgtcookies -H "Content-Type: application/json"  -H "Accept: application/json"  https://192.168.1.99/api/v2/cmdb/firewall/policy/


{ will display only policy id #7 }

curl -k  -b fgtcookies -H "Content-Type: application/json"  -H "Accept: application/json"  https://192.168.1.99/api/v2/cmdb/firewall/policy/7


So play around with the API  interface and  use it to automate  daily tasks and for speeding up rapid deployment of  cmds.  I would suggest that you  test the API and your scripts in a LAB b4 using  POST|DELETES in a production environment.

Also make sure you  place sanity  checks

      * if your going blacklist on add entries to the address group with a /32 subnet value
      * check your feeds and  scripts to ensure you do not mistakenly  add your own blocks or trusted networks
      *  be very careful with  DELETE operations
      *  make sys-config backups before and after the  operations are ran
      *  !!!! YMMV  and use extreme caution until you get it all under control  !!!!










NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \
  

No comments:

Post a Comment