FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 190017
Description
When managing the FortiGate, API access is used for the following functions:
  • Reading MAC Address Tables (L2 Poll)
  • Reading IP Tables (L3 Poll)
  • Reading VLANs
  • Switching VLANs
If the API communication is not working properly, these functions will fail.

Solution
From the CLI, run the below command to verify the FortiGate can be accessed via API:

curl -ki -H "Content-Type: application/json" -X POST "https://<FortiGate IP>/logincheck?username=<userid>&secretkey=<password>"


Example
curl -ki -H "Content-Type: application/json" -X POST "https://10.12.240.2/logincheck?username=admin&secretkey=myPassword"

The response should look similar to the following:

HTTP/1.1 200 OK
Date: Fri, 04 Oct 2019 12:50:02 GMT
Server:
Set-Cookie: APSCOOKIE_1504669070="0%260"; path=/; expires=Thu, 16-Oct-1969 12:50:02 GMT; secure; SameSite=Strict
Set-Cookie: VDOM_1504669070="0%260"; path=/; expires=Thu, 16-Oct-1969 12:50:02 GMT; secure; SameSite=Strict
Set-Cookie: CENTRAL_MGMT_OVERRIDE_1504669070="0%260"; path=/; expires=Thu, 16-Oct-1969 12:50:02 GMT; secure; SameSite=Strict
Set-Cookie: EDIT_HISTORY_1504669070="0%260"; path=/; expires=Thu, 16-Oct-1969 12:50:02 GMT; secure; SameSite=Strict
Set-Cookie: FILE_DOWNLOADING_1504669070="0%260"; path=/; expires=Thu, 16-Oct-1969 12:50:02 GMT; secure; SameSite=Strict
Set-Cookie: csrftoken_1504669070="0%260"; path=/; expires=Thu, 16-Oct-1969 12:50:02 GMT; secure; SameSite=Strict
Set-Cookie: ccsrftoken_1504669070="0%260"; path=/; expires=Thu, 16-Oct-1969 12:50:02 GMT; secure; SameSite=Strict
Set-Cookie: ccsrftoken="0%260"; path=/; expires=Thu, 16-Oct-1969 12:50:02 GMT; secure; SameSite=Strict
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15552000
X-UA-Compatible: IE=Edge





No response from FortiGate:

1.  Verify the API port used in the FortiGate model (443 by default) matches the value in the FortiGate configuration.  

- In the FortiGate UI, navigate to System > Settings.  The HTTPS port is listed under Administration Settings
- In Control Server, the port can be verified by running the command
  Device -ip <FortiGate IP address> | grep -i "API_Port"

Versions 8.3.5 and below:  If the FortiGate is using a different port for API access, change the port in the model to match by running the following command in the CLI:
Device -setAttr -ip <FortiGate IP> -name API_Port -value <Port value>

Version 8.3.6 and above:  FortiGate is accessed via CLI in order to determine the API port in use.  The model is then updated dynamically.  If ports do not match, ensure the account used in the FortiGate model applies to both SSH access and the REST API.

Note:  The admin user account must have read/write access to all VDOMs. To create or view user accounts, navigate to System > Administrators in the FortiGate UI.

2.  If API ports match, verify the port is not getting blocked somewhere in the network.



FortiGate responds with an error

1. Verify credentials are correct. In the Administration UI, navigate to Network Devices > Topology
2. Click the Credentials tab for the FortiGate model
3. Click Validate Credentials

If this results in the following message:
"SNMP connect succeeded.  However device failed to connect using CLI credentials."

Then the API credentials are invalid.  To correct, re-enter the API credentials under CLI Settings.

Note:  The admin user account must have read/write access to all VDOMs. To create or view user accounts, navigate to System > Administrators in the FortiGate UI.
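
The curl check above as a reusable shell function, added here as an example and not part of the original article: it percent-encodes the credentials so characters such as & or # in a password do not corrupt the query string, hands the URL to curl on stdin, and maps the outcome to the two troubleshooting branches above. The function names and the rule that any status other than 200 counts as an error response are assumptions.

```shell
# Added example, not from the original article.
# Function names (urlencode, logincheck_url, classify, check_api) are hypothetical.

# Percent-encode every byte outside the RFC 3986 unreserved set, so a password
# containing &, #, %, = or spaces reaches the FortiGate unchanged.
urlencode() {
    S="$1" LC_ALL=C awk 'BEGIN {
        s = ENVIRON["S"]
        for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            out = out (c ~ /^[A-Za-z0-9._~-]$/ ? c : sprintf("%%%02X", ord[c]))
        }
        printf "%s", out
    }'
}

# Build the article's logincheck URL. Arguments: host, port, user, password.
logincheck_url() {
    printf 'https://%s:%s/logincheck?username=%s&secretkey=%s' \
        "$1" "$2" "$(urlencode "$3")" "$(urlencode "$4")"
}

# Map curl's exit code and the HTTP status to the article's troubleshooting branches.
# Assumption: any status other than 200 is the "responds with an error" branch.
classify() {
    case "$1" in
        0) [ "$2" = 200 ] && echo api-reachable || echo responded-error ;;
        7|28) echo no-response ;;   # refused or timed out: check API port and filtering
        *) echo curl-failed ;;      # DNS, TLS or other local failure
    esac
}

# Usage: check_api <host> <port> <user>   (password is read from stdin)
# The URL is passed as a curl config on stdin (-K -), which keeps the password
# out of curl's argument list.
check_api() {
    IFS= read -r pw
    status=$(printf 'url = "%s"\n' "$(logincheck_url "$1" "$2" "$3" "$pw")" |
        curl -K - -ks -o /dev/null -w '%{http_code}' --connect-timeout 10 \
             -X POST -H 'Content-Type: application/json')
    classify "$?" "$status"
}
```

A result of no-response corresponds to the port checks under "No response from FortiGate"; responded-error corresponds to the credential validation steps.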

