Fortigate RestAPI Config Backup – FortiOS 6.0.4

Previously I wrote a post how to backup the Fortigate config using session based authentication. As per the API reference, this is considered legacy, and other authentication method –API token, is preferred. In this post, I demonstrate how to use FortiOS RestAPI with API token. And I will introduce how to parse current configuration.

I used FortiOS 6.0.4 to deploy this, and it is most likely not working with other version(especially 5.x).

The flow is as follows:

  1. Create access profile for API user
  2. Create API user in Fortigate
  3. Generate API token for API user
  4. Send request and get the backup config

1. Create access profile

To get the backup, you need to have a permission for sysgrp. If you need to access part –e.g. logs/fw, you can add them. I create a profile “readOnly” here.

2. Create API user in Fortigate

Using the profile you created in step 1, you can create a user for API access. The configuration is straight forward. However, trusthost seems to have some bug and it doesn’t identify some CIDR notation(e.g. correctly, and you need to create specific host entry(with 32 bit mask).

3. Generate API token

Once user is ready, you can generate API key. Please note this API key is shown only when the key is generated, and it cannot be retrieved after you generate.

4. Test

All the necessary elements are ready, and it’s time to test. You can test it straight away with cUrl like, `curl -k ‘https://<your_fortigate_address>/api/v2/cmdb/firewall/address?vdom=root&access_token=<your_api_token>’.

I made a short python script so that I can reuse later. You can save this as ‘’ in your working folder.

And you can import this module and call config_download to get the local copy of current configuration.

API TOKENを使用してのRest API経由でコンフィグのバックアップができます。FortiOS6.0.4で検証済み。