In a previous post I described how to back up the Fortigate config using session-based authentication. The API reference considers that method legacy; the preferred authentication method is the API token. In this post I show how to use the FortiOS REST API with an API token, and take a first look at parsing the configuration it returns.
I used FortiOS 6.0.4 for this; it will most likely not work with other versions (especially 5.x).
The flow is as follows:
- Create access profile for API user
- Create API user in Fortigate
- Generate API token for API user
- Send request and get the backup config
1. Create access profile
To download the backup, the profile needs permission on sysgrp. If you need access to other parts of the configuration (e.g. logs or firewall policy), add those too. I create a profile named "readOnly" here.
```
FGTAWS0004BE1ADE # config system accprofile
FGTAWS0004BE1ADE (accprofile) # edit readOnly
new entry 'readOnly' added
FGTAWS0004BE1ADE (readOnly) # set sysgrp read
FGTAWS0004BE1ADE (readOnly) # end
```
2. Create API user in Fortigate
Using the profile created in step 1, create a user for API access. The configuration is straightforward. However, trusthost appears to have a bug: it does not interpret some CIDR notations (e.g. 0.0.0.0/0) correctly, so you need to create a specific host entry (with a 32-bit mask).
```
FGTAWS0004BE1ADE # config system api-user
FGTAWS0004BE1ADE (api-user) # edit api-admin
new entry 'api-admin' added
FGTAWS0004BE1ADE (api-admin) # set accprofile "readOnly"
FGTAWS0004BE1ADE (api-admin) # set vdom root
FGTAWS0004BE1ADE (api-admin) # config trusthost
FGTAWS0004BE1ADE (trusthost) # edit 1
new entry '1' added
FGTAWS0004BE1ADE (1) # set ipv4-trusthost 'ip_address_of_your_machine' 255.255.255.255
FGTAWS0004BE1ADE (1) # end
FGTAWS0004BE1ADE (api-admin) # end
```
3. Generate API token
Once the user is ready, generate the API key. Note that the key is shown only at generation time and cannot be retrieved afterwards.
```
FGTAWS0004BE1ADE # execute api-user generate-key api-admin
New API key: 'your_api_token'
NOTE: The bearer of this API key will be granted all access privileges assigned to the api-user api-admin.
```
4. Test
All the pieces are in place, so it's time to test. You can try it straight away with curl: `curl -k 'https://<your_fortigate_address>/api/v2/cmdb/firewall/address?vdom=root&access_token=<your_api_token>'`.
I wrote a short Python script so I can reuse it later. Save it as 'fortigate.py' in your working folder.
```python
import requests
import urllib3

# disable the InsecureRequestWarning raised because the request below uses verify=False
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def config_download(ipaddr, api_token, filename='backup.conf'):
    '''
    input: ipaddr(string) - target ip address of fortigate
    input: api_token(string) - api_token for api user(accprofile should have sysgrp.mnt)
    input: filename(string) - file name of the config to be saved. default backup.conf
    output: True if backup successful. False if not successful.
    Tested on: Fortigate OnDemand on AWS - FortiOS6.0.4
    '''
    base_url = f'https://{ipaddr}/api/v2/'
    # the API token is sent in the Authorization header as a bearer token
    headers = {'Authorization': f'Bearer {api_token}'}
    # scope=global requests the full configuration
    params = {'scope': 'global'}
    uri = 'monitor/system/config/backup/'
    # verify=False skips certificate validation (the Fortigate uses a self-signed cert)
    rep = requests.get(base_url + uri, headers=headers, params=params, verify=False)
    if rep.status_code != 200:
        print(f'Something went wrong. status_code: {rep.status_code}')
        return False
    with open(filename, 'w') as f:
        f.write(rep.text)
    return True
```
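As an added example (not the author's script), here is a hardened variant of the same download using only the standard library. The token is read from an environment variable (the name FGT_API_TOKEN is my assumption), it is sent in the Authorization header rather than the URL query string used in the curl test above (query strings end up in proxy and web-server logs; headers normally do not), and the TLS certificate is verified against a CA bundle instead of being skipped with `-k`/`verify=False`, so the token cannot be read off the wire by anyone able to intercept the connection. The function names build_backup_request, tls_context, is_backup_body and download_config are mine; the API path is the one used by the script above.

```python
import os
import ssl
import urllib.error
import urllib.parse
import urllib.request

API_BASE = 'api/v2/'
BACKUP_URI = 'monitor/system/config/backup/'   # same endpoint as the script above


def build_backup_request(ipaddr, api_token, scope='global'):
    """Build the GET request for a full configuration backup.

    The token goes in the Authorization header only; the URL carries just the scope.
    """
    query = urllib.parse.urlencode({'scope': scope})
    url = f'https://{ipaddr}/{API_BASE}{BACKUP_URI}?{query}'
    return urllib.request.Request(url, headers={'Authorization': f'Bearer {api_token}'})


def tls_context(cafile):
    """TLS context with chain validation and hostname checking against cafile.

    cafile is the PEM bundle that signed the Fortigate's certificate (or None to
    use the system trust store if the box has a publicly trusted certificate).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_backup_body(body):
    """Sanity check: a real backup starts with the #config-version header line,
    while errors from the API come back as a JSON document."""
    return body.startswith('#config-version=')


def download_config(ipaddr, cafile, filename='backup.conf', env_var='FGT_API_TOKEN'):
    """Download the full config to filename. Returns True on success, False otherwise."""
    token = os.environ.get(env_var)   # assumed variable name; never hard-code the token
    if not token:
        raise RuntimeError(f'{env_var} is not set; refusing to run without a token')
    req = build_backup_request(ipaddr, token)
    try:
        with urllib.request.urlopen(req, context=tls_context(cafile), timeout=30) as rep:
            body = rep.read().decode('utf-8')
    except urllib.error.HTTPError as err:
        # 401/403 usually mean a wrong token, a trusthost mismatch or a missing sysgrp permission
        print(f'Something went wrong. status_code: {err.code}')
        return False
    if not is_backup_body(body):
        print('Response is not a FortiOS config backup')
        return False
    with open(filename, 'w') as f:
        f.write(body)
    return True


if __name__ == '__main__':
    # usage: FGT_API_TOKEN=... python fortigate_hardened.py
    ok = download_config('Fortigate_IP_Address', cafile='fortigate-ca.pem',
                         filename='backup.conf')
    print('Done!' if ok else 'Error!!')
```

Because the API user is limited to the trusthost set in step 2, run this from that host; a 403 from any other address is the firewall doing its job, not a bug in the script.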
Import this module and call config_download to get a local copy of the current configuration.
```
>>> import fortigate
>>>
>>> ip_addr = 'Fortigate_IP_Address'
>>> api_token = 'API_TOKEN'
>>>
>>> if (fortigate.config_download(ip_addr, api_token, 'backup20190215.conf')):
...     print('Done!')
... else:
...     print('Error!!')
...
Done!
>>>
>>> with open('backup20190215.conf', 'r') as f:
...     f.readline()
...
'#config-version=FGTAWS-6.0.4-FW-build0231-190107:opmode=0:vdom=0:user=api-admin\n'
>>>
```
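The introduction promised a look at parsing the configuration. As an added example (not code from the original post), the following reads the `#config-version` header shown above into a dict, parses the saved-config syntax of the backup file (`config` / `edit` / `set` / `next` / `end`, the same structure the CLI sessions in steps 1 and 2 produce) into nested dictionaries, and then audits the api-user entries for the two points those steps make: the profile should grant only read on sysgrp, and every trusthost should be a single host with a 32-bit mask. The SAMPLE_CONFIG text is constructed for the example (the header line is the one printed above; the second user and the addresses are made up), and the function names parse_header, parse_config and audit_api_users are mine.

```python
import shlex

# Constructed sample of a FortiOS backup file. The header is the one shown above;
# "api-wide-open" is an invented user that violates both checks made in steps 1 and 2.
SAMPLE_CONFIG = """\
#config-version=FGTAWS-6.0.4-FW-build0231-190107:opmode=0:vdom=0:user=api-admin
config system accprofile
    edit "readOnly"
        set sysgrp read
    next
    edit "superAdmin"
        set sysgrp read-write
    next
end
config system api-user
    edit "api-admin"
        set accprofile "readOnly"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 192.0.2.10 255.255.255.255
            next
        end
    next
    edit "api-wide-open"
        set accprofile "superAdmin"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 0.0.0.0 0.0.0.0
            next
        end
    next
end
"""


def parse_header(line):
    """Split '#config-version=...:opmode=0:vdom=0:user=api-admin' into a dict."""
    if not line.startswith('#config-version='):
        raise ValueError('not a FortiOS backup header')
    fields = {}
    for item in line.lstrip('#').rstrip('\n').split(':'):
        key, _, value = item.partition('=')
        fields[key] = value
    return fields


def parse_config(text):
    """Parse config/edit/set/next/end blocks into nested dicts.

    Tables ('config system api-user') map entry names to entry dicts; each entry
    maps 'set' keys to their value lists and nested table names to nested dicts.
    """
    root = {}
    stack = [root]                      # innermost container is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        tokens = shlex.split(line)      # handles the quoted names, e.g. edit "readOnly"
        cmd, args = tokens[0], tokens[1:]
        cur = stack[-1]
        if cmd == 'config':
            stack.append(cur.setdefault(' '.join(args), {}))
        elif cmd == 'edit':
            stack.append(cur.setdefault(args[0], {}))
        elif cmd == 'set':
            cur[args[0]] = args[1:]
        elif cmd == 'unset':
            cur.pop(args[0], None)
        elif cmd in ('next', 'end'):
            stack.pop()
    if len(stack) != 1:
        raise ValueError('unbalanced config/edit blocks')
    return root


def audit_api_users(cfg):
    """Return (user, reason) findings for api-users that exceed the backup-only setup."""
    findings = []
    profiles = cfg.get('system accprofile', {})
    for name, user in cfg.get('system api-user', {}).items():
        prof = user.get('accprofile', [''])[0]
        sysgrp = profiles.get(prof, {}).get('sysgrp', [])
        if sysgrp != ['read']:          # the example's policy: read on sysgrp and nothing more
            findings.append((name, f'accprofile "{prof}" grants sysgrp {" ".join(sysgrp) or "(unset)"}'))
        for idx, host in user.get('trusthost', {}).items():
            addr = host.get('ipv4-trusthost', [])
            if len(addr) != 2 or addr[1] != '255.255.255.255':
                findings.append((name, f'trusthost {idx} ({" ".join(addr)}) is wider than a single host'))
    return findings


if __name__ == '__main__':
    print(parse_header(SAMPLE_CONFIG.splitlines()[0]))
    for user, reason in audit_api_users(parse_config(SAMPLE_CONFIG)):
        print(f'{user}: {reason}')
```

Point parse_config at the file written by config_download to run the same audit on a real backup; the header dict also gives you the firmware build and the user that produced the backup, which is handy when keeping dated copies such as backup20190215.conf.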
Config backup via the REST API using an API token works. Verified on FortiOS 6.0.4.