Fortigate REST API automation tutorial from zero to pro


Network automation gives us the power of scaling. All Fortinet products come with a built-in REST API that lets us automate configuring, backing up, and monitoring the devices. I wrote this series of tutorials with beginners in mind - you don’t need any programming experience to follow. I encourage you to experiment on your own Fortigate as you work through the tutorial. Once finished, you will be fully proficient in enabling API access on Fortigate, creating, changing, and cloning objects, as well as monitoring system state remotely with the help of the REST API over HTTPS.

First things first - some important facts about Fortigate API:

  • It works over HTTPS only, no HTTP, understandably.

  • You have to create a dedicated API user. You cannot use existing administrator users for that.

  • You cannot run debug with API, but you can get system stats.

  • Fortigate listens for API requests on the same port as GUI management, and you cannot make them independent.

  • You issue HTTP GET requests to read information from Fortigate, and HTTP POST requests to change the configuration of the firewall.

  • Only HTTP/1.1 is supported, no HTTP/2.
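The facts above map directly onto a small client. The following is an added example, not code from the original tutorial: a stdlib-only Python client that hard-wires HTTPS, uses the GUI management port, issues GET for reads and POST for configuration changes, and takes an injectable transport so it can be exercised without a device. The `/api/v2/monitor/system/status` and `/api/v2/cmdb/firewall/address` paths and the `Authorization: Bearer` token header are assumptions about FortiOS that this page itself does not state.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlencode


class FortigateApi:
    """Minimal FortiOS REST API client (example code, not from the tutorial).

    HTTPS only, same port as the GUI, GET to read, POST to change config.
    The /api/v2 paths and the Bearer header below are assumptions.
    """

    def __init__(self, host, token, port=443, ca_file=None, send=None):
        # The URL is built as https:// only; there is no plain-HTTP variant.
        self.base = f"https://{host}:{port}/api/v2"
        self.token = token
        # Verify the device certificate; ca_file lets you trust the Fortigate's
        # own (often self-signed) certificate rather than disabling checks.
        self.ctx = ssl.create_default_context(cafile=ca_file)
        # 'send' is injectable so the client can be tested offline.
        self._send = send or self._send_https

    def _send_https(self, req):
        with urllib.request.urlopen(req, timeout=15, context=self.ctx) as resp:
            return resp.status, resp.read()

    def _request(self, method, path, body=None, params=None):
        url = f"{self.base}/{path.lstrip('/')}"
        if params:
            url += "?" + urlencode(params)
        data = json.dumps(body).encode("utf-8") if body is not None else None
        headers = {
            "Authorization": f"Bearer {self.token}",  # assumed token header
            "Accept": "application/json",
        }
        if data is not None:
            headers["Content-Type"] = "application/json"
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        status, raw = self._send(req)
        if status >= 400:
            # A POST issued by a read-only API user is expected to end up here.
            raise RuntimeError(f"{method} {url} failed with HTTP {status}: {raw[:200]!r}")
        return json.loads(raw.decode("utf-8"))

    def get(self, path, **params):
        """Read-only call; the only kind a read-only admin profile permits."""
        return self._request("GET", path, params=params)

    def post(self, path, body):
        """Configuration change; needs a profile with write access."""
        return self._request("POST", path, body=body)

    # Convenience wrappers for the two assumed paths.
    def system_status(self):
        return self.get("monitor/system/status")

    def create_address(self, name, subnet):
        return self.post("cmdb/firewall/address",
                         {"name": name, "type": "ipmask", "subnet": subnet})


if __name__ == "__main__":
    # Placeholder host and token; replace with your own Fortigate and API key.
    api = FortigateApi("192.0.2.10", "REPLACE-WITH-API-TOKEN")
    print(api.system_status())
```

The `send` hook is what makes the client testable: a fake transport can record the request the client would have sent and return a canned JSON body, which is how the behaviour (HTTPS URL, method, token header, error on a denied POST) is checked without a firewall.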

The workflow to enable remote REST API access on Fortigate:

(Diagram: Fortigate enable REST API workflow)

Enable REST API on the Fortigate and allow access from specific IP address

First, we have to enable API access. I assume you are following along with the tutorial, so for now ignore the specific request parameters; I will explain them later.

Create admin profile to restrict API user

It is best practice to give the API user just the permissions it needs to do its job. So if you will use this user only to query Fortigate status, for example, it is logical to assign it the Read-only admin profile. This means the API user will be allowed HTTP GET requests only, and will not be able to change the configuration in any way.

Note
In older FortiOS, like 5.6 or 5.8, you could just use the built-in super_admin profile, but in newer versions only the super_admin_readonly profile is available by default. You have to create a custom profile for write access.

Create API user

Task: as per the workflow diagram, I first create an admin profile named api-full-access, then I create a user named apiUser assigned the api-full-access profile, and allow it access from my IP of 94.198.41.212/32.

Important Note: The IP address(es) you set as trusted host HAS to be equal to or a subset of the IPs already allowed for any of the regular admin users on the Fortigate. It cannot be independent of, or unrelated to, the admin accounts' addresses. By "subset" I mean network-wise, e.g. if some Fortigate admin user has 10.10.10.0/24 as trusted host, the API user can have 10.10.10.23/32 as its allowed IP. This may sound illogical - after all, the API user is unrelated to admin users - but this is the way it works. If you don’t configure it this way, your API request will just time out. Also - you cannot leave the trusted host empty.
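Because a wrong trusted host fails silently (the request just times out), it is worth checking the rule above before touching the Fortigate. The following is an added example, not code from the tutorial: a pre-flight check that parses trusted hosts in either CIDR or the "address netmask" form, and reports any API trusted host that is not equal to or inside some regular admin's trusted host, or an empty list. The admin names and the second admin's address are constructed for the example; the networks are the ones used above.

```python
import ipaddress


def parse_trusted_host(spec):
    """Accept '10.10.10.0/24' or the 'address netmask' form
    ('10.10.10.0 255.255.255.0') and return an ip_network object."""
    parts = spec.split()
    if len(parts) == 2:  # 'address netmask' form
        spec = f"{parts[0]}/{parts[1]}"
    return ipaddress.ip_network(spec.strip(), strict=False)


def admins_covering(candidate, admin_trusted_hosts):
    """Return the names of admin accounts whose trusted hosts are equal to
    or a superset of 'candidate' (network-wise, as the rule above says).

    admin_trusted_hosts: {admin_name: [trusted-host specs]}
    """
    net = parse_trusted_host(candidate)
    covering = []
    for admin, hosts in admin_trusted_hosts.items():
        for spec in hosts:
            allowed = parse_trusted_host(spec)
            # subnet_of() is True for an equal network as well as a smaller one;
            # the version check avoids comparing IPv4 with IPv6.
            if allowed.version == net.version and net.subnet_of(allowed):
                covering.append(admin)
                break
    return covering


def check_api_trusted_hosts(api_trusted_hosts, admin_trusted_hosts):
    """Pre-flight check for the API user's trusted hosts.

    Returns a list of problem strings; an empty list means every API trusted
    host is covered by some admin's trusted host and the list is not empty.
    """
    problems = []
    if not api_trusted_hosts:
        problems.append("API user has no trusted host; the list cannot be left empty")
    for spec in api_trusted_hosts:
        if not admins_covering(spec, admin_trusted_hosts):
            problems.append(
                f"{spec} is not within any admin's trusted host; "
                "requests from it will time out")
    return problems


if __name__ == "__main__":
    # Constructed inventory of regular admin users and their trusted hosts.
    admins = {
        "admin": ["10.10.10.0/24"],
        "netops": ["94.198.41.212 255.255.255.255"],
    }
    for hosts in (["10.10.10.23/32", "94.198.41.212/32"], ["192.0.2.5/32"], []):
        print(hosts, "->", check_api_trusted_hosts(hosts, admins) or "OK")
```

Run it against the trusted hosts you intend to give the API user and the trusted hosts of the existing admin accounts; any line it reports would otherwise show up only as a timeout.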