Fortigate RestAPI Config Backup – FortiOS 6.0.4

In a previous post I showed how to back up the Fortigate config using session-based authentication. According to the API reference, that method is considered legacy, and the other authentication method, the API token, is preferred. In this post I demonstrate how to use the FortiOS REST API with an API token, and how to parse the current configuration.

I used FortiOS 6.0.4 for this, and it most likely does not work with other versions (especially 5.x).

The flow is as follows:

  1. Create access profile for API user
  2. Create API user in Fortigate
  3. Generate API token for API user
  4. Send request and get the backup config

1. Create access profile

To download the backup you need read permission on sysgrp. If you need access to other parts, e.g. logs or firewall, add them as well. I create a profile “readOnly” here.

FGTAWS0004BE1ADE # config system accprofile
FGTAWS0004BE1ADE (accprofile) # edit readOnly
new entry 'readOnly' added
FGTAWS0004BE1ADE (readOnly) # set sysgrp read
FGTAWS0004BE1ADE (readOnly) # end

2. Create API user in Fortigate

Using the profile you created in step 1, you can create a user for API access. The configuration is straightforward. However, trusthost seems to have a bug: it does not interpret some CIDR notation (e.g. 0.0.0.0/0) correctly, so you need to create a specific host entry (with a 32-bit mask).

FGTAWS0004BE1ADE # config system api-user
FGTAWS0004BE1ADE (api-user) # edit api-admin
new entry 'api-admin' added
FGTAWS0004BE1ADE (api-admin) # set accprofile "readOnly"
FGTAWS0004BE1ADE (api-admin) # set vdom root
FGTAWS0004BE1ADE (api-admin) # config trusthost
FGTAWS0004BE1ADE (trusthost) # edit 1
new entry '1' added
FGTAWS0004BE1ADE (1) # set ipv4-trusthost 'ip_address_of_your_machine' 255.255.255.255
FGTAWS0004BE1ADE (1) # end
FGTAWS0004BE1ADE (api-admin) # end

3. Generate API token

Once the user is ready, you can generate the API key. Note that the key is shown only when it is generated and cannot be retrieved afterwards.

FGTAWS0004BE1ADE # execute api-user generate-key api-admin
New API key: 'your_api_token'
NOTE: The bearer of this API key will be granted all access privileges assigned to the api-user api-admin.

4. Test

All the necessary elements are ready, and it's time to test. You can test straight away with curl, e.g. `curl -k 'https://<your_fortigate_address>/api/v2/cmdb/firewall/address?vdom=root&access_token=<your_api_token>'` (this form passes the token as a query parameter; the script below sends it in an Authorization: Bearer header instead).

I made a short Python script so that I can reuse it later. Save it as 'fortigate.py' in your working folder.

import requests
import urllib3

# The request below uses verify=False by default, so suppress the InsecureRequestWarning
# that requests would otherwise print for the Fortigate's self-signed certificate.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def config_download(ipaddr, api_token, filename='backup.conf', verify=False):
    '''
    input: ipaddr(string) - target ip address of fortigate
    input: api_token(string) - api_token for api user(accprofile should have sysgrp.mnt)
    input: filename(string) - file name of the config to be saved. default backup.conf
    input: verify(bool or string) - TLS certificate verification passed to requests;
           False (default) skips it, a path to the Fortigate's CA bundle enables it
    output: True if backup successful. False if not successful.
    Tested on: Fortigate OnDemand on AWS - FortiOS6.0.4
    '''
    base_url = f'https://{ipaddr}/api/v2/'
    # The API token goes in the Authorization header, not in the URL query string.
    headers = {'Authorization': f'Bearer {api_token}'}
    params = {'scope': 'global'}   # back up the whole device, not a single VDOM
    uri = 'monitor/system/config/backup/'

    rep = requests.get(base_url + uri, headers=headers, params=params,
                       verify=verify, timeout=30)

    if rep.status_code != 200:
        print(f'Something went wrong. status_code: {rep.status_code}')
        return False

    with open(filename, 'w') as f:
        f.write(rep.text)

    return True

You can then import this module and call config_download to get a local copy of the current configuration.

>>> import fortigate
>>>
>>> ip_addr = 'Fortigate_IP_Address'
>>> api_token = 'API_TOKEN'
>>>
>>> if (fortigate.config_download(ip_addr, api_token, 'backup20190215.conf')):
...   print('Done!')
... else:
...   print('Error!!')
...
Done!
>>>
>>> with open('backup20190215.conf', 'r') as f:
...   f.readline()
...
'#config-version=FGTAWS-6.0.4-FW-build0231-190107:opmode=0:vdom=0:user=api-admin\n'
>>>
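The session above only reads the first line of the downloaded file. As an added example (my code, not from the post or from Fortinet), the script below goes a step further and parses the backup: it validates and splits the #config-version header shown above, turns the config/edit/set/next/end blocks into nested dicts, and audits every api-user for a missing or overly wide trusthost, which is the setting that stops a leaked token from being usable from arbitrary source addresses. It runs on a constructed sample that is labelled in the code; 192.0.2.10 is a documentation address standing in for the admin workstation, and the nested-dict layout is my own choice, not a FortiOS format.

```python
import shlex

HEADER_PREFIX = '#config-version='

# Constructed sample (not captured from a real device). The header line follows the
# format shown in the session above; the body is a hand-written fragment in FortiOS
# config syntax mirroring the access profile and api-user from steps 1 and 2.
# 192.0.2.10 is a documentation address standing in for the admin workstation.
SAMPLE_BACKUP = """#config-version=FGTAWS-6.0.4-FW-build0231-190107:opmode=0:vdom=0:user=api-admin
config system accprofile
    edit "readOnly"
        set sysgrp read
    next
end
config system api-user
    edit "api-admin"
        set accprofile "readOnly"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 192.0.2.10 255.255.255.255
            next
        end
    next
end
"""


def parse_header(first_line):
    """Split the '#config-version=' line into platform/version/build/date plus the
    key=value fields after it (opmode, vdom, user). Raises ValueError for anything
    else, e.g. a JSON error body that was written to the file instead of a config."""
    line = first_line.strip()
    if not line.startswith(HEADER_PREFIX):
        raise ValueError('not a FortiOS config backup: missing #config-version header')
    fields = line[len(HEADER_PREFIX):].split(':')
    parts = fields[0].split('-')
    if len(parts) < 5:
        raise ValueError(f'unexpected config-version field: {fields[0]}')
    platform, version, image, build, date = parts[:5]
    info = {'platform': platform, 'version': version, 'image': image,
            'build': build[len('build'):] if build.startswith('build') else build,
            'date': date}
    for kv in fields[1:]:
        key, _, value = kv.partition('=')
        info[key] = value
    return info


def parse_config(text):
    """Parse FortiOS 'config / edit / set / unset / next / end' blocks into nested
    dicts: a 'config a b' block is keyed 'a b', an 'edit x' entry is keyed 'x', and
    every 'set attr v1 v2' becomes attr -> ['v1', 'v2']. Comment lines are skipped."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        words = shlex.split(line)   # handles the double-quoted names FortiOS emits
        cmd, args = words[0], words[1:]
        if cmd == 'config':
            stack.append(stack[-1].setdefault(' '.join(args), {}))
        elif cmd == 'edit':
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == 'set':
            stack[-1][args[0]] = args[1:]
        elif cmd == 'unset':
            stack[-1].pop(args[0], None)
        elif cmd in ('next', 'end'):
            if len(stack) == 1:
                raise ValueError(f'unexpected {cmd} outside any block')
            stack.pop()
    if len(stack) != 1:
        raise ValueError('unterminated config/edit block')
    return root


def load_backup(text):
    """Validate a downloaded backup and return (header_info, parsed_config)."""
    lines = text.splitlines()
    if not lines:
        raise ValueError('empty backup')
    return parse_header(lines[0]), parse_config(text)


def audit_api_users(cfg):
    """Return {api_user: [findings]} over every 'config system api-user' entry: flag a
    user with no trusthost (the token is then not restricted by source address) and
    any trusthost wider than the single-host mask the post configures."""
    findings = {}
    for name, user in cfg.get('system api-user', {}).items():
        issues = []
        hosts = user.get('trusthost', {})
        if not hosts:
            issues.append('no trusthost: token use is not restricted by source address')
        for entry in hosts.values():
            ip_mask = entry.get('ipv4-trusthost', [])
            if len(ip_mask) == 2 and ip_mask[1] != '255.255.255.255':
                issues.append(f'trusthost {ip_mask[0]}/{ip_mask[1]} is wider than a single host')
        findings[name] = issues
    return findings
```

Calling load_backup on rep.text right after config_download, before writing the file, also catches a response that is not a config backup before it overwrites a good copy; running audit_api_users over each nightly backup turns the trusthost rule from step 2 into a check that runs every day.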

You can back up the config via the REST API using an API token. Verified on FortiOS 6.0.4.