10. Provisioning Template Management
10.1. General Introduction
10.1.1. How to get all provisioning templates?
Tested with FMG 7.2.2-INTERIM build 1247.
Getting all templates from ADOM adom_72_003:
REQUEST:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/template/adom/adom_72_003"
}
],
"session": "jn9iXGAGSGicSBO6exwiFEqF2kgmVWlWWIGopnL/WqxBgJvVslB8+jvoxMUHP6xFgEByd4gXtt9Uci87nTsatw==",
"verbose": 1
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": [
{
"name": "IPsec_Fortinet_Recommended",
"oid": 4119,
"template setting": {
"option": "readonly",
"stype": "_ipsec",
"widgets": [
"_ipsec"
]
},
"type": "template"
},
{
"name": "BRANCH_IPsec_Recommended",
"oid": 4123,
"template setting": {
"option": "readonly",
"stype": "_ipsec",
"widgets": [
"_ipsec"
]
},
"type": "template"
},
{
"name": "HUB_IPsec_Recommended",
"oid": 4129,
"template setting": {
"option": "readonly",
"stype": "_ipsec",
"widgets": [
"_ipsec"
]
},
"type": "template"
},
{
"name": "BRANCH_BGP_Recommended",
"oid": 4135,
"template setting": {
"option": "readonly",
"stype": "router_bgp",
"widgets": [
"router_bgp"
]
},
"type": "template"
},
{
"name": "HUB_BGP_Recommended",
"oid": 4140,
"template setting": {
"option": "readonly",
"stype": "router_bgp",
"widgets": [
"router_bgp"
]
},
"type": "template"
},
{
"name": "branches",
"oid": 4154,
"scope member": [
{
"name": "adom_72_003_dev_001",
"vdom": "root"
}
],
"template setting": {
"stype": "_ipsec",
"widgets": [
"_ipsec"
]
},
"type": "template"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/adom/adom_72_003"
}
]
}
10.2. How to get the controller status?
Caught in:
#454555
#469731
#604197
It seems to be a non-public API.
REQUEST:
{
"method": "exec",
"params": [
{
"url": "/deployment/get/controller/status",
"data": {
"adom": "...",
"ctypes": ["fsw"],
"device": "...",
"options": ["savedb", "resync" ]
}
}
],
"session": "...",
"id": 1
}
We can also add wtp or fext as other ctypes.
10.3. Firmware Template
10.3.1. Introduction
Caught in #711918.
The main FMG JSON RPC API URL for firmware templates seems to be:
/um/image/template/upgrade
10.3.2. How to assign a device?
Caught in #964977.
{
"id": 3,
"method": "add",
"params": [
{
"data": [
{
"name": "dc_emea_001",
"vdom": "root"
}
],
"url": "/pm/fwmprof/adom/dc_emea/fmw_001/scope member"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/fwmprof/adom/dc_emea/fmw_001/scope member"
}
]
}
10.3.3. How to get Upgrade Reports for Firmware Template?
Caught in #0919211.
To get the Upgrade Reports generated by the fgt_to_740 Firmware Template in the dc_emea ADOM:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "dc_emea",
"name": "fgt_to_740"
},
"url": "um/image/template/report"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"data": {
"report": [
{
"adom-name": "dc_emea",
"adom-oid": 165,
"device-number": 1,
"devices": [
{
"end-time": 1700776054,
"name": "fgt-741-001",
"oid": 175,
"package-status": 0,
"skip-path": 1,
"start-time": 1700775638,
"taskid": 9,
"tasks": [
{
"current_version": "7.4.1-b2463",
"package-status": 0,
"platform": "FortiGate-VM64",
"product": 1,
"profile_name": "fgt_to_740",
"result": 0,
"serial": "FGVMMLTM22002647",
"target_version": "7.4.0-b2360",
"upgrade_path": [
"7.4.0-b2360"
]
}
]
}
],
"end-time": 1700776054,
"name": "fgt_to_740",
"report-time": 1700776054,
"start-time": 1700775638,
"success-number": 1,
"taskid": 9
}
]
},
"status": {
"code": 0,
"message": "OK"
},
"url": "um/image/template/report"
}
]
}
Note
In this output, there’s a single Upgrade Report.
Note
To get the upgrade reports for your managed devices, see the section "How to get the Upgrade Report for managed devices?".
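The following Python summary of the um/image/template/report response is an added example, not part of the original page or of any Fortinet tooling. It flattens the report into one row per device task and compares current_version against target_version numerically. The function names are hypothetical, the sample is trimmed from the response above, and the result and package-status codes are deliberately not interpreted.

```python
import re

# Trimmed copy of the um/image/template/report response shown above
# (only the fields this summary reads).
SAMPLE_RESPONSE = {
    "id": 3,
    "result": [{
        "data": {"report": [{
            "adom-name": "dc_emea",
            "device-number": 1,
            "devices": [{
                "end-time": 1700776054,
                "name": "fgt-741-001",
                "start-time": 1700775638,
                "tasks": [{
                    "current_version": "7.4.1-b2463",
                    "serial": "FGVMMLTM22002647",
                    "target_version": "7.4.0-b2360",
                    "upgrade_path": ["7.4.0-b2360"],
                }],
            }],
            "name": "fgt_to_740",
            "success-number": 1,
        }]},
        "status": {"code": 0, "message": "OK"},
        "url": "um/image/template/report",
    }],
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-b(\d+)$")


def parse_version(text):
    """Turn '7.4.1-b2463' into (7, 4, 1, 2463) so versions compare numerically."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def summarize_upgrade_reports(response):
    """Return one row per device task found in the report response."""
    rows = []
    for result in response["result"]:
        status = result["status"]
        if status["code"] != 0:
            raise RuntimeError(
                f"{result.get('url')}: {status['code']} {status['message']}")
        for report in result["data"]["report"]:
            # Report-level counters: did every device in the report succeed?
            all_succeeded = report["success-number"] == report["device-number"]
            for device in report["devices"]:
                for task in device["tasks"]:
                    current = parse_version(task["current_version"])
                    target = parse_version(task["target_version"])
                    if current == target:
                        position = "on-target"
                    elif current > target:
                        position = "ahead-of-target"
                    else:
                        position = "behind-target"
                    rows.append({
                        "template": report["name"],
                        "adom": report["adom-name"],
                        "device": device["name"],
                        "serial": task["serial"],
                        "duration_s": device["end-time"] - device["start-time"],
                        "current": task["current_version"],
                        "target": task["target_version"],
                        "position": position,
                        "report_all_succeeded": all_succeeded,
                    })
    return rows


def needs_review(rows):
    """Rows whose running firmware differs from the template target."""
    return [row for row in rows if row["position"] != "on-target"]


if __name__ == "__main__":
    for row in summarize_upgrade_reports(SAMPLE_RESPONSE):
        print(row)
```

On the sample above, the single device is reported as running a build newer than the template target, which is the kind of row worth checking by hand.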
10.4. Certificate Template
10.4.1. How to create a Certificate Template?
10.4.1.1. How to create an external Certificate Template?
We create the certificate template fgt-gw in ADOM dc_los_angeles:
REQUEST:
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"name": "fgt-gw",
"id-type": 0,
"organization-unit": [
"CSE"
],
"organization": "Fortinet",
"city": "Nice",
"state": "PACA",
"country": "FR",
"email": "",
"key-type": 0,
"key-size": 3,
"curve-name": 0,
"scep-server": "https://10.0.0.1/scep/foobar",
"scep-password": "fortinet",
"scep-ca-identifier": "",
"type": 0,
"digest-type": 0
},
"url": "/pm/config/adom/dc_los_angeles/obj/certificate/template"
}
],
"session": "I/fVV/gPmb1U58MnQ/35Uc92qqi01moTnNeQehw2kQpeAnfGkpEovsm8ztt5FziV7j3oSU1r22DURAY1wBrFVsZlKjRAsudE"
}
10.4.1.2. How to create a local Certificate Template?
We create the certificate template certificate_template_001 in ADOM adom_72_001:
REQUEST:
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"city": "Nice",
"country": "FR",
"name": "certificate_template_001",
"organization": "FTNT",
"organization-unit": "CSE",
"state": "PACA",
"type": "local"
},
"url": "/pm/config/adom/adom_72_001/obj/certificate/template"
}
],
"session": "I/fVV/gPmb1U58MnQ/35Uc92qqi01moTnNeQehw2kQpeAnfGkpEovsm8ztt5FziV7j3oSU1r22DURAY1wBrFVsZlKjRAsudE"
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": {
"name": "certificate_template_001"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/adom_72_001/obj/certificate/template"
}
]
}
10.4.2. How to generate a certificate using a Certificate Template?
We generate a certificate for managed device adom_72_001_dev_001 (and its VDOM root) in ADOM adom_72_001 using certificate template certificate_template_001:
REQUEST:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": "adom_72_001",
"scope": [
{
"name": "adom_72_001_dev_001",
"vdom": "root"
}
],
"template": "certificate_template_001"
},
"url": "/securityconsole/sign/certificate/template"
}
],
"session": "xFaabUP9DBZgZLb6jLrwzaeispnbifvVNsiD8kh3D2v8vio+8Jeotu+h2D7YZ2PDulZR++mWVdD65Vnpd9ye0oJqwn2VzeF/"
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": {
"task": 4935
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/securityconsole/sign/certificate/template"
}
]
}
Upon task completion, FortiManager will place the generated certificate in the managed device’s Device DB.
We can obtain it using the following request:
REQUEST:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/config/device/adom_72_001_dev_001/vdom/root/vpn/certificate/local/certificate_template_001"
}
],
"session": "Fal40VB0ye1pHdRBPv0OAX7k85b7nOMRQlSV5ZRA6yf+UL+G1a1MxYcA9gB5vmrATnj/MhlOZU65n5toZBkRBXIRrLCNc4h5",
"verbose": 1
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": {
"_certinfo": {
"is_ca": 0,
"issuer": "O = Fortinet Ltd., CN = Fortinet",
"negsn": 0,
"serial": "11:f1:48:3a:06:9d:67:d4",
"subject": "C = FR, ST = PACA, L = Nice, O = FTNT, OU = CSE, CN = adom_72_001_dev_001.root",
"subject_parsed": {
"C": "FR",
"CN": "adom_72_001_dev_001.root",
"L": "Nice",
"O": "FTNT",
"OU": "CSE",
"ST": "PACA"
},
"validfrom": "2022-08-22 17:37:44 GMT",
"validto": "2032-08-26 17:37:44 GMT",
"version": 1
},
"acme-ca-url": "https://acme-v02.api.letsencrypt.org/directory",
"acme-domain": null,
"acme-email": null,
"acme-renew-window": 30,
"acme-rsa-key-size": 2048,
"auto-regenerate-days": 0,
"auto-regenerate-days-warning": 0,
"ca-identifier": null,
"certificate": "-----BEGIN CERTIFICATE-----\nMIIDIDCCAggCCBHxSDoGnWfUMA0GCSqGSIb3DQEBBQUAMCsxFjAUBgNVBAoTDUZv\ncnRpbmV0IEx0ZC4xETAPBgNVBAMTCEZvcnRpbmV0MB4XDTIyMDgyMjE3Mzc0NFoX\nDTMyMDgyNjE3Mzc0NFowazELMAkGA1UEBhMCRlIxDTALBgNVBAgTBFBBQ0ExDTAL\nBgNVBAcTBE5pY2UxDTALBgNVBAoTBEZUTlQxDDAKBgNVBAsTA0NTRTEhMB8GA1UE\nAxQYYWRvbV83Ml8wMDFfZGV2XzAwMS5yb290MIIBIjANBgkqhkiG9w0BAQEFAAOC\nAQ8AMIIBCgKCAQEAp87wNOEOqm/+uc6vCQNL6cH5U9bMOxfZ0kmXHOui5pXeex+4\nr9Q2JoIkU+osWXwJXOuxDYCcK3ol6+5gX6Y60iPqfRS7VOXgNGd+z36r8hxIZjTe\neaNzHvml1nfxMwqALzf4wRn4zTB2GLJouV4RF8fxv4u0ockseDOnW07HVEPwv+ET\n1B7pxXMKh3RcnN630zETlLVFJ35kEf879iqC+Ony6pA0CtVdQTAdBCxxNaFVUjGK\nKaqWVx2yAjYp2eHl5e7mU0JEMCgOTS5A5mYqmevj04hw9s+LrvE4bshjq/eUdMSe\nQltZ2T9TP3dEWr8QSdu6wwq4EpP0Af/hK8k48QIDAQABow0wCzAJBgNVHRMEAjAA\nMA0GCSqGSIb3DQEBBQUAA4IBAQBN6qsjHJTFx0KGS/+VKuHkShC3vDgfUzn/qWcP\nnpkgUtU48JWIQSv4QVLtiLa+qfHnFv6TbQfVD/qcaDncdV2HE7F85po9QwyAf7ec\nqGcQw000qiojjMVsmt7abqiebJBJp8OtBdJutYv3OH1AtvIOV+Enj0YXPCtWzV9y\n2BMySPvYVA8VBJNbOfJE6QoTP/ZhR+xjHen6fPqOchjJXIAidIIOeVpH5msuSLuk\nk2F6K2Pow5gyvpgv/gwMMn+XZ2AzWKGfr2j1QXRVO9fHyNNB5e6RtQ+fJZgpLHh/\n8+zE6lSSUjvdPBM6t+4gvrun08trkdHzT3FSs5rWoqR2tMdS\n-----END CERTIFICATE-----",
"cmp-path": null,
"cmp-regeneration-method": "keyupate",
"cmp-server": null,
"cmp-server-cert": [],
"comments": null,
"csr": null,
"enroll-protocol": "none",
"extension": [
{
"content": "CA:FALSE",
"critical": 0,
"name": "X509v3 Basic Constraints"
}
],
"ike-localid": null,
"ike-localid-type": "asn1dn",
"last-updated": 0,
"name": "certificate_template_001",
"name-encoding": "printable",
"oid": 3172,
"password": [
"ENC",
"7ENU9ioxcoKvKJDeKgih/bzn7Wa+n3Oq64tpOtwsTXbdAzmaGtJx7AlTJNYcUdBk2/T3RX9tgiWPqSHWGAPKuIe4IuKOIeDWdtrcFvuY/SHTUk+rZ5ACIP2g9DgZ2Dk+AreXnXtzUEkTBws65+gCn3GuNae9vR1NN53E/HI9vI7VVF8+"
],
"private-key-retain": "disable",
"range": "global",
"scep-url": null,
"source": "user",
"source-ip": "0.0.0.0",
"state": null,
"tmp-cert-file": null
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/device/adom_72_001_dev_001/vdom/root/vpn/certificate/local/certificate_template_001"
}
]
}
Note
The private-key cannot be exposed using the FortiManager API.
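The following Python check is an added example, not part of the original page or of FortiManager itself. It audits the _certinfo block of the response above against the certificate template that produced it. The function names, the 825-day lifetime limit and the 30-day renewal window are assumptions, and the expected CN of <device>.<vdom> is inferred from the sample response only.

```python
from datetime import datetime, timezone

# Trimmed copy of the "get" response shown above (fields used by the audit).
SAMPLE_RESPONSE = {
    "id": 3,
    "result": [{
        "data": {
            "_certinfo": {
                "is_ca": 0,
                "issuer": "O = Fortinet Ltd., CN = Fortinet",
                "subject_parsed": {
                    "C": "FR", "CN": "adom_72_001_dev_001.root", "L": "Nice",
                    "O": "FTNT", "OU": "CSE", "ST": "PACA",
                },
                "validfrom": "2022-08-22 17:37:44 GMT",
                "validto": "2032-08-26 17:37:44 GMT",
            },
            "name": "certificate_template_001",
        },
        "status": {"code": 0, "message": "OK"},
    }],
}

# The "data" object used above to create the local certificate template.
SAMPLE_TEMPLATE = {
    "city": "Nice", "country": "FR", "name": "certificate_template_001",
    "organization": "FTNT", "organization-unit": "CSE", "state": "PACA",
    "type": "local",
}

# Template attribute -> subject DN attribute, as seen in the sample response.
TEMPLATE_TO_DN = {
    "country": "C", "state": "ST", "city": "L",
    "organization": "O", "organization-unit": "OU",
}


def parse_fmg_time(text):
    """Parse the 'YYYY-MM-DD HH:MM:SS GMT' timestamps used in _certinfo."""
    parsed = datetime.strptime(text, "%Y-%m-%d %H:%M:%S GMT")
    return parsed.replace(tzinfo=timezone.utc)


def audit_certificate(response, template, device, vdom, now,
                      max_validity_days=825, renew_before_days=30):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    for result in response["result"]:
        status = result["status"]
        if status["code"] != 0:
            findings.append(f"API error {status['code']}: {status['message']}")
            continue
        info = result["data"]["_certinfo"]
        subject = info.get("subject_parsed", {})
        if info.get("is_ca"):
            findings.append("certificate is flagged as a CA certificate")
        for field, attr in TEMPLATE_TO_DN.items():
            expected = template.get(field)
            # The external template example stores organization-unit as a list.
            if isinstance(expected, list):
                expected = expected[0] if len(expected) == 1 else None
            if expected and subject.get(attr) != expected:
                findings.append(
                    f"subject {attr}={subject.get(attr)!r} does not match "
                    f"template {field}={expected!r}")
        expected_cn = f"{device}.{vdom}"  # assumption taken from the sample
        if subject.get("CN") != expected_cn:
            findings.append(
                f"subject CN={subject.get('CN')!r}, expected {expected_cn!r}")
        not_before = parse_fmg_time(info["validfrom"])
        not_after = parse_fmg_time(info["validto"])
        lifetime = (not_after - not_before).days
        if lifetime > max_validity_days:
            findings.append(
                f"validity period of {lifetime} days exceeds {max_validity_days}")
        remaining = (not_after - now).days
        if remaining < 0:
            findings.append(f"certificate expired {-remaining} days ago")
        elif remaining < renew_before_days:
            findings.append(f"certificate expires in {remaining} days")
    return findings


if __name__ == "__main__":
    for finding in audit_certificate(
            SAMPLE_RESPONSE, SAMPLE_TEMPLATE, "adom_72_001_dev_001", "root",
            now=datetime.now(timezone.utc)):
        print(finding)
```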
10.5. System Template
10.5.1. How to get list of system templates?
We want the list of system templates in ADOM DEMO_009.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"url": "pm/devprof/adom/DEMO_009"
}
],
"session": "PvxNZ0qnX2vWunu8n7wg7PfygD7e5aNKODztfQ+9Du80tr7OZMelMPAx+ad2I7Xh/u8bucNnhdwGMMUYjfT03A==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"description": "",
"enabled options": [
"dns",
"ntp",
"email",
"admin",
"snmp",
"repmsg",
"ftgd",
"log",
"interface",
"router",
"combined"
],
"name": "default",
"oid": 4794,
"type": "devprof"
},
{
"description": "",
"enabled options": [
"admin",
"interface"
],
"name": "sys_template",
"oid": 4802,
"scope member": [
{
"name": "hub2"
}
],
"type": "devprof"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/devprof/adom/DEMO_009"
}
]
}
10.5.2. How to clone a system template?
Caught in #0624808.
It is possible to clone the following kinds of templates:
pm/devprof/adom/<adom>/<template>
pm/ecprof/adom/<adom>/<template>
pm/crprof/adom/<adom>/<template>
pm/wanprof/adom/<adom>/<template>
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "clone",
"params": [
{
"data": {
"name": "cloned-system-template-001"
},
"url": "/pm/devprof/adom/DEMO_013/system-template-001"
}
],
"session": "a2vokc0TuCVM73XKIE3YvVAeTpDLABEphNWBE93T9z9WVUJOiE9fLxRJrumlI1kbasQqjMQnAYUo3JTL96+wVQ==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/devprof/adom/DEMO_013/system-template-001"
}
]
}
10.5.3. System Template Assignment
10.5.3.1. How to get assigned devices for a particular System Template?
We get the list of assigned devices for System Template branches from ADOM root:
REQUEST:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"type",
"scope member",
"description",
"enabled options"
],
"url": "pm/devprof/adom/root/branches"
}
],
"session": "68un8YYUlzJXSCJzGdCXKE6EDqmZR2vLEq556xPb+JHXVcXhuxWr927VyLZ246msjoDgVJBZr/em4c6QUNToMnXOXBPOJu/L",
"verbose": 1
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": {
"description": "",
"enabled options": [
"ntp",
"ftgd"
],
"name": "branches",
"oid": 4405,
"scope member": [
{
"name": "root_dev_001"
},
{
"name": "root_dev_002"
},
{
"name": "root_dev_003"
}
],
"type": "devprof"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/devprof/adom/root/branches"
}
]
}
10.5.3.2. How to assign a system template to a device?
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": [
{
"name": "branch2_fgt",
"vdom": "root"
}
],
"url": "/pm/devprof/adom/DEMO/system.template.branches/scope member"
}
],
"session": "ADeQPTL6U2bxwKra2E6NArY/6B6sQ8pixJf0g0ic46FpW3AZSXqPGzSrY8VJpgC0AsznEhlqgH7xYcJrl2VYCQ==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/devprof/adom/DEMO/system.template.branches/scope member"
}
]
}
10.5.3.3. How to unassign a system template from a device?
Just replace add with delete.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "delete",
"params": [
{
"data": [
{
"name": "branch2_fgt",
"vdom": "root"
}
],
"url": "/pm/devprof/adom/DEMO/system.template.branches/scope member"
}
],
"session": "ADeQPTL6U2bxwKra2E6NArY/6B6sQ8pixJf0g0ic46FpW3AZSXqPGzSrY8VJpgC0AsznEhlqgH7xYcJrl2VYCQ==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/devprof/adom/DEMO/system.template.branches/scope member"
}
]
}
10.5.4. Modify a system template content?
To change a template configuration, we can use this URL:
/pm/config/adom/<adom>/devprof/<template>/<widget>
where widget could be one of the following paths:
Widget Name in GUI |
Widget path in API |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Legacy widget
The legacy widgets are the ones without override or per-device mapping support.
Here we’re showing how to modify the syslog severity for System Template default in ADOM root (caught in #0593505):
REQUEST:
{
"id": 96,
"method": "set",
"params": [
{
"data": {
"exclude-list": null,
"severity": 3
},
"url":
"pm/config/adom/root/devprof/default/log/syslogd/filter"
}
],
"session": 5450
}
RESPONSE:
{
"id": 96,
"result": [
{
"data": {
"exclude-list": null,
"severity": 3
},
"status": {
"code": 0,
"message": "OK"
},
"url":
"pm/config/adom/root/devprof/default/log/syslogd/filter"
}
]
}
Widget with override or per-device mapping support
The widgets of the form device/template/widget/<something> support override or per-device mapping. They were introduced in FMG 6.4.2.
We want to add an override for device hub1, which is linked to system template sys_template in ADOM DEMO_009.
First, we get the DNS widget content:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"url": "/pm/config/adom/DEMO_009/devprof/sys_template/device/template/widget/dns"
}
],
"session": "Sgx5EOLLXT97rfuIuZgYnF8gQERyS04Byr/5B7TzUTixGCM/Ylixdgevz49VC65I/h6gA6sTaHCxvxQaBKaQxA==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"action-list": [
{
"action": "conf-sys-dns",
"dynamic_mapping": [
{
"_scope": [
{
"name": "hub2",
"vdom": "root"
}
],
"local-value": "{\"secondary\":\"8.8.8.8\",\"primary\":\"172.16.100.100\"}"
}
],
"model": "all",
"seq": 1,
"value": "{\"primary\":\"172.16.100.100\",\"secondary\":\"208.91.112.53\"}",
"var-list": [
{
"name": "system dns/timeout",
"override": null
},
{
"name": "system dns/ssl-certificate",
"override": null
},
{
"name": "system dns/server-hostname",
"override": null
},
{
"name": "system dns/retry",
"override": null
},
{
"name": "system dns/dns-over-tls",
"override": null
},
{
"name": "system dns/dns-cache-ttl",
"override": null
},
{
"name": "system dns/dns-cache-limit",
"override": null
},
{
"name": "system dns/cache-notfound-responses",
"override": null
},
{
"name": "system dns/domain",
"override": null
},
{
"name": "system dns/secondary",
"override": "enable"
},
{
"name": "system dns/primary",
"override": "enable"
}
]
}
],
"name": "dns"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO_009/devprof/sys_template/device/template/widget/dns"
}
]
}
We can observe there’s an existing per-device mapping for device hub2.
We set a similar override or per-device mapping for device hub1.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": {
"_scope": [
{
"name": "hub1",
"vdom": "root"
}
],
"local-value": "{\"primary\":\"1.1.1.1\",\"secondary\":\"2.2.2.2\"}"
},
"url": "/pm/config/adom/DEMO_009/devprof/sys_template/device/template/widget/dns/action-list/1/dynamic_mapping"
}
],
"session": "5Gd5SMRuz+Af9/2Zf200NN3lqQk2yUCKbEWeGLvfvkGnkARgJ99hoMbp8qzyqXHZw+hNLV4jt3YKiIcGHM+Qjg==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"_scope": null
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO_009/devprof/sys_template/device/template/widget/dns/action-list/1/dynamic_mapping"
}
]
}
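The following Python helper is an added example, not part of the original page or of FortiManager itself. It decodes the JSON-encoded value and local-value strings of the DNS widget shown above, reports where a per-device mapping differs from the template value, and builds the dynamic_mapping add request without hand-escaping. Function names are hypothetical; the per-key comparison assumes verbose output, where an enabled override reads "enable".

```python
import json

# Constructed sample: the DNS widget "data" object from the response above,
# trimmed to the fields this check reads.
SAMPLE_WIDGET = {
    "name": "dns",
    "action-list": [{
        "action": "conf-sys-dns",
        "seq": 1,
        "value": '{"primary":"172.16.100.100","secondary":"208.91.112.53"}',
        "dynamic_mapping": [{
            "_scope": [{"name": "hub2", "vdom": "root"}],
            "local-value": '{"secondary":"8.8.8.8","primary":"172.16.100.100"}',
        }],
        "var-list": [
            {"name": "system dns/domain", "override": None},
            {"name": "system dns/secondary", "override": "enable"},
            {"name": "system dns/primary", "override": "enable"},
        ],
    }],
}


def decode_value(raw):
    """Widget values appear on this page both as a JSON string and as an object."""
    if raw is None:
        return {}
    if isinstance(raw, str):
        return json.loads(raw)
    return dict(raw)


def override_drift(widget):
    """List every per-device key whose local value differs from the template."""
    findings = []
    for action in widget.get("action-list") or []:
        template = decode_value(action.get("value"))
        # Attribute names for which the template allows an override.
        enabled = {
            var["name"].rsplit("/", 1)[-1]
            for var in action.get("var-list") or []
            if var.get("override") == "enable"
        }
        for mapping in action.get("dynamic_mapping") or []:
            local = decode_value(mapping.get("local-value"))
            for scope in mapping.get("_scope") or []:
                for key, value in sorted(local.items()):
                    if template.get(key) == value:
                        continue
                    findings.append({
                        "device": scope["name"],
                        "vdom": scope.get("vdom"),
                        "seq": action["seq"],
                        "key": key,
                        "template": template.get(key),
                        "local": value,
                        "override_enabled": key in enabled,
                    })
    return findings


def build_mapping_request(session, adom, template, widget, seq,
                          device, vdom, local):
    """Build the 'add' request shown above; json.dumps does the escaping."""
    url = (f"/pm/config/adom/{adom}/devprof/{template}"
           f"/device/template/widget/{widget}/action-list/{seq}/dynamic_mapping")
    return {
        "id": 1,
        "method": "add",
        "params": [{
            "url": url,
            "data": {
                "_scope": [{"name": device, "vdom": vdom}],
                "local-value": json.dumps(local, separators=(",", ":")),
            },
        }],
        "session": session,
    }


if __name__ == "__main__":
    for finding in override_drift(SAMPLE_WIDGET):
        print(finding)
    print(json.dumps(build_mapping_request(
        "<session>", "DEMO_009", "sys_template", "dns", 1, "hub1", "root",
        {"primary": "1.1.1.1", "secondary": "2.2.2.2"}), indent=2))
```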
10.5.4.1. How to add the interface widget?
There are two methods, but both of them require getting the existing widget list first.
Using the /pm/devprof/<adom>/<template> entry
To add the Interface widget, we have to update the enabled options list by adding the keyword interface:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "set",
"params": [
{
"data": {
"enabled options": [
"dns",
"admin",
"snmp",
"interface"
]
},
"url": "pm/devprof/adom/demo/foobar"
}
],
"session": "pDMQ1pEj7hu2oYneGyMI/IwFdiQv+CvRfXQUX/8kKLyB0CrvOgIaBXIyr1gpEBP3nRkKUHdm2VQhlag0k99e3A==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/devprof/adom/germany/foobar"
}
]
}
Using the /pm/config/<adom>/devprof/<template>/device/profile/setting entry
To add the Interface widget, we have to update the enabled-pages list by adding the keyword interface:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "set",
"params": [
{
"data": {
"enabled-pages": [
"dns",
"admin",
"snmp",
"interface"
]
},
"url": "pm/config/adom/demo/devprof/foobar/device/profile/setting"
}
],
"session": "pDMQ1pEj7hu2oYneGyMI/IwFdiQv+CvRfXQUX/8kKLyB0CrvOgIaBXIyr1gpEBP3nRkKUHdm2VQhlag0k99e3A==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/demo/devprof/foobar/device/profile/setting"
}
]
}
10.5.4.2. How to add a new Config Interface action in the interface widget?
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "set",
"params": [
{
"data": [
{
"action": "conf-intf",
"model": "all",
"value": "{\"name\": \"internal3\", \"ip\": \"172.16.$(region_id).$(site_id)/24\", \"allowaccess\": 7}",
"var-list": [
{
"name": "system interface/allowaccess",
"override": 0
},
{
"name": "system interface/ip",
"override": 0
},
{
"name": "system interface/name",
"override": 0
}
]
}
],
"url": "pm/config/adom/demo/devprof/foobar/device/template/widget/interface/action-list"
}
],
"session": "a2keKgYvGVxeNA1VkhlFFsm13A0y2zFq+Ozyr0MhCTvci85Yoe9C53NhbLHkxBdxNNgssSWpDFVLkDGBfz09lg==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"seq": 2
},
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/demo/germany/devprof/foobar/device/template/widget/interface/action-list"
}
]
}
10.5.4.3. How to get the settings of the DNS widget?
REQUEST:
{
"id": 3,
"method": "get",
"params": [
{
"url": "pm/config/adom/demo_001/devprof/corporates/device/template/widget/dns/action-list"
}
],
"session": "NizInwxMIZ+USfDhYfkl8hM7bIVk6xd0VpDxTwpR3G0aj9XF7cMcPWEVic9qZQhidd+qz66BQAOuxWfD+btVsQ==",
"verbose": 1
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": [
{
"action": "conf-sys-dns",
"dynamic_mapping": null,
"model": "all",
"seq": 1,
"value": {
"primary": "8.8.8.8",
"secondary": "1.1.1.1"
},
"var-list": [
{
"name": "system dns/timeout",
"override": null
},
{
"name": "system dns/ssl-certificate",
"override": null
},
{
"name": "system dns/server-hostname",
"override": null
},
{
"name": "system dns/retry",
"override": null
},
{
"name": "system dns/dns-over-tls",
"override": null
},
{
"name": "system dns/dns-cache-ttl",
"override": null
},
{
"name": "system dns/dns-cache-limit",
"override": null
},
{
"name": "system dns/cache-notfound-responses",
"override": null
},
{
"name": "system dns/domain",
"override": null
},
{
"name": "system dns/secondary",
"override": null
},
{
"name": "system dns/primary",
"override": null
}
]
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/demo_001/devprof/corporates/device/template/widget/dns/action-list"
}
]
}
10.5.4.4. How to change the FortiAnalyzer setting?
We change the FortiAnalyzer IP address and Serial Number set in System Template branches from ADOM root:
REQUEST:
{
"id": 3,
"method": "set",
"params": [
{
"data": {
"target-ip": "10.0.0.4",
"target-sn": [
"FAZVMTM0000000004"
]
},
"url": "pm/config/adom/root/devprof/branches/device/profile/fortianalyzer"
}
],
"session": "k2t4ybTRkj1mdqflN3EtkoCpCeDgVMsW/eTgSFfHbZ+c/Dut8dHLecHHd/nPhiafAg7NwAjUrG0KbaNyzyX//EjK6GwimW9q"
}
RESPONSE:
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/root/devprof/branches/device/profile/fortianalyzer"
}
]
}
10.5.5. How to import a system template?
Caught in #069924.
TBC.
URL is:
/pm/config/adom/<adom>/_devprof/import
10.6. FortiAP Management
10.6.1. How to create a Model FortiAP with firmware enforcement?
REQUEST:
{
"id": "2e2e8c25-c412-41b7-8ffd-97cacdd4985f",
"method": "add",
"params": [
{
"data": {
"_prefer-img-ver": "6.4.3-b00451",
"name": "fap_001",
"wtp-id": "FP421ETF18002996",
"wtp-profile": "FAP421E-default"
},
"push": 1,
"url": "/pm/config/device/foobar_001/vdom/root/wireless-controller/wtp"
}
],
"session": 2597
}
RESPONSE:
{
"id": "2e2e8c25-c412-41b7-8ffd-97cacdd4985f",
"result": [
{
"data": {
"wtp-id": "FP421ETF18002996"
},
"status": {
"code": 0,
"message": "OK"
},
"taskid": 111,
"url": "/pm/config/device/foobar_001/vdom/root/wireless-controller/wtp"
}
]
}
Recent versions of FortiManager (7.0.x) seem to use a different method:
REQUEST:
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"_platform-type": 63,
"name": "fap_site_2",
"wtp-id": "PU431FTH20026061",
"wtp-profile": "branches"
},
"scope member": [
{
"name": "cluster_site_2",
"vdom": "root"
}
],
"url": "/pm/config/adom/production/obj/wireless-controller/wtp"
}
],
"session": "yieRVVWz0wDz7mwP5n/lRkjBitMY1wdm5UtmFAXVq2TnzIzcU+TUmiBfw9LIDuLoymlphNbTF1O+4aoWEhyuRQ=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": {
"wtp-id": "PU431FTH20026061"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/production/obj/wireless-controller/wtp"
}
]
}
And more recently, we have seen this new form (using an explicit _is-model attribute):
{
"id": "1",
"method": "add",
"params": [
{
"url": "/pm/config/adom/{{adom}}/obj/wireless-controller/wtp",
"scope member": [
{
"name": "dut_fgt_03",
"vdom":"root"
}
],
"data": {
"name": "fap_002",
"wtp-id": "FP23JFTF21002583",
"wtp-profile": "FAP23JF-default",
"_is-model": 1,
"_platform-type": 71,
"_prefer-img-ver": "7.2.2-b0318"
}
}
],
"session": "{{session}}"
}
{
"id": "1",
"result": [
{
"data": {
"wtp-id": "FP23JFTF21002583"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/production/obj/wireless-controller/wtp"
}
]
}
10.6.2. How to get the _platform-type?
To add a Model AP, you need to specify the _platform-type.
You can obtain the list of supported AP platforms along with their respective _platform-type values using the following call:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"url": "pm/config/adom/root/_data/attropts/wireless-controller/wtp-profile/platform/type"
}
],
"session": "Pn8cb2BcGEe9AOyjvbt3plrGjf7xLbXiC0BdJeHS/X+g2pBb02zK8yMUknEUIVUcmR3SXiDSSYRFDRcD0sHKfQ==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"help": "FortiWiFi local radio.",
"name": "FWF",
"val": 30
},
{
"help": "Default 11n AP.",
"name": "AP-11N",
"val": 33
},
{
"help": "FAP220B/221B.",
"name": "220B",
"val": 5
},
[...]
{
"help": "FAP433F.",
"name": "433F",
"val": 67
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/root/_data/attropts/wireless-controller/wtp-profile/platform/type"
}
]
}
The returned val attribute is the _platform-type value to use when adding a Model AP.
10.6.3. How to delete a FortiAP profile?
Caught in #0600899.
When in Central FortiAP Management mode, we can use this trick where we delete what is matching the filter:
REQUEST:
{
"id": 1,
"method": "delete",
"params": [
{
"url": "pm/config/adom/62_NoVDOM/obj/wireless-controller/wtp-profile",
"filter": [
"name", "in", "foobar"
],
"confirm":1
}
]
}
10.6.4. How to get list of managed FortiAPs from ADOM DB?
Caught in #0610724.
To get the managed FortiAPs for managed device cluster_site_2 and its root VDOM from ADOM production:
REQUEST:
{
"id": 3,
"method": "get",
"params": [
{
"scope member": [
{
"name": "cluster_site_2",
"vdom": "root"
}
],
"url": "/pm/config/adom/production/obj/wireless-controller/wtp"
}
],
"session": "cDY7zhvU+dnifZ5yT78ESFWxgcXcDMwbUUEZo5yymQqj0ClhvqMDVYTLYVhj+e7XAq7fvxzWzHv53BBN6Eb7NA==",
"verbose": 1
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": [
{
"_conn-state": "unknown",
"_data-chan-sec": 0,
"_last-checked": 0,
"_lldp-vlan": 0,
"_mesh-downlink": "disable",
"_mesh-hop-count": 0,
"_mesh-mode": 0,
"_mgmt-vlan-id": 0,
"_platform-type": 63,
"_rogue-ap-count": 0,
"_sensors-temperatures": [],
"_update-time": 0,
"_upgrade-time": 0,
"_wtp-port": 0,
"admin": "enable",
"apcfg-profile": [],
"bonjour-profile": [],
"firmware-provision-latest": "disable",
"image-download": "enable",
"index": 0,
"ip-fragment-preventing": "tcp-mss-adjust",
"lan": {
"port-esl-mode": "offline",
"port-esl-ssid": [],
"port-mode": "offline",
"port-ssid": [],
"port1-mode": "offline",
"port1-ssid": [],
"port2-mode": "offline",
"port2-ssid": [],
"port3-mode": "offline",
"port3-ssid": [],
"port4-mode": "offline",
"port4-ssid": [],
"port5-mode": "offline",
"port5-ssid": [],
"port6-mode": "offline",
"port6-ssid": [],
"port7-mode": "offline",
"port7-ssid": [],
"port8-mode": "offline",
"port8-ssid": []
},
"led-state": "enable",
"mesh-bridge-enable": "default",
"name": "fap_site_2",
"override-allowaccess": "disable",
"override-ip-fragment": "disable",
"override-lan": "disable",
"override-led-state": "disable",
"override-login-passwd-change": "disable",
"override-split-tunnel": "disable",
"radio-1": {
"_bssid": null,
"_client-count": 0,
"_country-code": 0,
"_country-name": null,
"_max-vaps": 0,
"_mesh-downlink": "disable",
"_mode": 0,
"_oper-chan": 0,
"_oper-txpower": 0,
"auto-power-target": "-70",
"drma-manual-mode": "ncf",
"override-band": "disable",
"override-channel": "disable",
"override-txpower": "disable",
"override-vaps": "disable",
"power-mode": "percentage",
"power-value": 27,
"radio-id": 0,
"vap1": null,
"vap2": null,
"vap3": null,
"vap4": null,
"vap5": null,
"vap6": null,
"vap7": null,
"vap8": null
},
"radio-2": {
"_bssid": null,
"_client-count": 0,
"_country-code": 0,
"_country-name": null,
"_max-vaps": 0,
"_mesh-downlink": "disable",
"_mode": 0,
"_oper-chan": 0,
"_oper-txpower": 0,
"auto-power-target": "-70",
"drma-manual-mode": "ncf",
"override-band": "disable",
"override-channel": "disable",
"override-txpower": "disable",
"override-vaps": "disable",
"power-mode": "percentage",
"power-value": 27,
"radio-id": 1,
"vap1": null,
"vap2": null,
"vap3": null,
"vap4": null,
"vap5": null,
"vap6": null,
"vap7": null,
"vap8": null
},
"radio-3": {
"_bssid": null,
"_client-count": 0,
"_country-code": 0,
"_country-name": null,
"_max-vaps": 0,
"_mesh-downlink": "disable",
"_mode": 0,
"_oper-chan": 0,
"_oper-txpower": 0,
"auto-power-target": "-70",
"drma-manual-mode": "ncf",
"override-band": "disable",
"override-channel": "disable",
"override-txpower": "disable",
"override-vaps": "disable",
"power-mode": "percentage",
"power-value": 27,
"radio-id": 2,
"vap1": null,
"vap2": null,
"vap3": null,
"vap4": null,
"vap5": null,
"vap6": null,
"vap7": null,
"vap8": null
},
"radio-4": {
"auto-power-target": "-70",
"override-band": "disable",
"override-channel": "disable",
"override-txpower": "disable",
"override-vaps": "disable",
"power-mode": "percentage",
"power-value": 27,
"radio-id": 3,
"vap1": null,
"vap2": null,
"vap3": null,
"vap4": null,
"vap5": null,
"vap6": null,
"vap7": null,
"vap8": null
},
"region": [],
"region-x": "0",
"region-y": "0",
"scope member": [
{
"name": "cluster_site_2",
"vdom": "root"
}
],
"split-tunneling-acl": null,
"split-tunneling-acl-local-ap-subnet": "disable",
"split-tunneling-acl-path": "local",
"tun-mtu-downlink": 0,
"tun-mtu-uplink": 0,
"uuid": "71b0b548-93bd-51ec-a584-aa9d086c7a2f",
"wtp-id": "PU431FTH20026060",
"wtp-mode": "normal",
"wtp-profile": [
"branches"
]
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/production/obj/wireless-controller/wtp"
}
]
}
Should we want to retrieve the managed FortiAPs for multiple devices, we could use any of these scope member combinations:
"scope member": [
{
"name": "device_1",
"vdom": "root"
},
{
"name": "device_2",
"vdom": "root"
}
]
"scope member": [
{
"name": "device_group_1"
},
{
"name": "device_group_2"
}
]
"scope member": [
{
"name": "device_group_1"
},
{
"name": "device_group_2"
},
{
"name": "device_1",
"vdom": "root"
},
{
"name": "device_2",
"vdom": "root"
}
]
"scope member": [
{
"name": "All_FortiGate"
}
]
10.6.5. How to get a specific FortiAP profile?
To get the branches FortiAP profile from the root ADOM:
REQUEST:
{
"method": "get",
"params": [
{
"url": "pm/config/adom/root/obj/wireless-controller/wtp-profile/branches",
"option": [
"get flags",
"get used",
"get devobj mapping",
"get meta",
"extra info"
]
}
],
"id": "7e0d5a6d-9528-4613-9f49-f2c1c91e6abc"
}
RESPONSE:
{
"id": "7e0d5a6d-9528-4613-9f49-f2c1c91e6abc",
"result": [
{
"data": {
"_created timestamp": 1659044466,
"_created-by": "admin",
"_last-modified-by": "admin",
"_modified timestamp": 1659044467,
"allowaccess": 0,
"ap-country": 1126,
"ap-handoff": 0,
"apcfg-profile": [],
"ble-profile": [],
"... TRUNCATED ...",
"radio-1": {
"... TRUNCATED ...",
"vaps": [
"ssid_001"
],
"... TRUNCATED ..."
}
"... TRUNCATED ..."
},
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/root/obj/wireless-controller/wtp-profile/branches"
}
]
}
10.6.6. How to get details of managed FortiAP?
This is useful, for instance, when we want to get the FortiAP status.
REQUEST:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"name",
"admin",
"_conn-state"
],
"loadsub": 0,
"scope member": [
{
"name": "amer-00-fgt-01",
"vdom": "root"
},
{
"name": "amer-12-fgt-01",
"vdom": "root"
},
{
"name": "amer-13-fgt-01",
"vdom": "root"
}
],
"url": "pm/config/adom/demo/obj/wireless-controller/wtp"
}
],
"session": "8w0K16UkSdVqQvZXRoYCFu1FQG6PE04iLMDbZB7qUneIZSp1d16F4hQGrHxzkA7RnuhoM4/xVEkRzgZz6yKlVw==",
"verbose": 1
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": [
{
"_conn-state": "idle",
"admin": "enable",
"name": "FP23JFTF21002594",
"scope member": [
{
"name": "amer-00-fgt-01",
"vdom": "root"
}
]
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/demo/obj/wireless-controller/wtp"
}
]
}
In the request, the scope member refers to three devices amer-00-fgt-01, amer-12-fgt-01 and amer-13-fgt-01 (and their respective root VDOM).
We can also use device groups:
"scope member": [
{
"name": "device_group_01"
},
{
"name": "device_group_02"
}
]
We can specify the default all devices group:
"scope member": [
{
"name": "All_FortiGate"
}
]
We can combine devices and device groups:
"scope member": [
{
"name": "device_01",
"vdom": "root"
},
{
"name": "device_group_01"
},
{
"name": "device_group_02"
},
{
"name": "device_02",
"vdom": "root"
}
]
10.6.7. How to rename a managed FAP?
REQUEST:
{
"id": 3,
"method": "update",
"params": [
{
"data": {
"name": "barfoo",
"wtp-id": "PU431FTH20026060"
},
"scope member": [
{
"name": "cluster_site_2",
"vdom": "root"
}
],
"url": "/pm/config/adom/production/obj/wireless-controller/wtp"
}
],
"session": "Soi7tSb2eF8ZrT9kHFmEEZ5FJfl3fcAw1kypP+lg0/4T1JQ2YnCpOUe7w8ymTm1zCq8lR/pB++L8ed6BX4Tkcg=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": {
"wtp-id": "PU431FTH20026060"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/production/obj/wireless-controller/wtp"
}
]
}
10.7. FortiSwitch Management
10.7.1. How to add a model FortiSwitch
Adding a Model FortiSwitch using the FortiSwitch Manager page in FortiManager GUI will make the FortiSwitch device visible in the FortiSwitch Manager page only.
The FortiSwitch device will be visible within the associated Device DB only after an installation.
10.7.1.1. Add a Model FortiSwitch with FortiManager 7.0/7.2
The following method is forcing the Model FortiSwitch to appear both in FortiSwitch Manager and its corresponding Device DB:
{
"id": 1,
"method": "add",
"params": [
{
"data": {
"name": "branch2_fsw",
"switch-id": "S108DVEN3ND-GG54"
},
"push": 1,
"url": "/pm/config/device/branch2_fgt/vdom/root/switch-controller/managed-switch"
}
],
"session": "{{session}}"
}
Note
The attribute push is very important here.
{
"id": 1,
"result": [
{
"data": {
"switch-id": "S108DVEN3ND-GG54"
},
"status": {
"code": 0,
"message": "OK"
},
"taskid": 503,
"url": "/pm/config/device/branch2_fgt/vdom/root/switch-controller/managed-switch"
}
]
}
You can also use the following recommended alternative because it follows the FortiManager GUI logic:
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"name": "fsw_site_9",
"platform": "FortiSwitch-108D-VM",
"switch-id": "S108DVRC8W1KH102",
"vlan-interface": "fortilink"
},
"scope member": [
{
"name": "fgt_site_9",
"vdom": "root"
}
],
"url": "/pm/config/adom/adom_dc3/obj/fsp/managed-switch"
}
],
"session": "{{session}}"
}
Warning
If you use the FortiManager CLI to debug what the FortiManager GUI is doing when you add a new FortiSwitch from the FortiSwitch Manager page, you will get a FortiManager JSON RPC API request similar to the following one:
{ "client": "gui json:30925", "id": "cbacc2f8-8d12-4020-91f6-186ba1ca9f64", "keep_session_idle": 1, "method": "add", "params": [ { "data": { "fsw-wan1-admin": 2, "fsw-wan1-peer": "fortilink", "name": "fsw_004", "platform": "FortiSwitch-108F-FPOE", "state": 2, "switch-id": "S108FF0000000004", "vlan-interface": "fortilink" }, "scope member": [ { "name": "site_002", "vdom": "root" } ], "url": "/pm/config/adom/dc_amer/obj/fsp/managed-switch/" } ], "session": 54501 }
You can see the two fsw-wan1-admin and fsw-wan1-peer attributes. Surprisingly, if you use them in your FortiManager JSON RPC API request, you will get an error like this:
{ "result": [ { "status": { "code": -10, "message": "The data is invalid for selected url" }, "url": "/pm/config/adom/dc_amer/obj/fsp/managed-switch/" } ], "id": 1 }
{
"id": 3,
"result": [
{
"data": {
"switch-id": "S108DVRC8W1KH102"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/adom_dc3/obj/fsp/managed-switch"
}
]
}
10.7.1.2. Add a Model FortiSwitch with FortiManager 7.4#
10.7.2. How to create a custom command?#
{
"id": "1",
"method": "add",
"params": [
{
"url": "pm/config/adom/{{adom}}/obj/switch-controller/custom-command",
"data":
{
"command": "config user tacacs\n edit TACACS_SRV\n set authorization enable\n set authen-type ascii\n set key fortinet123456\n set server 10.0.0.1\n next\nend",
"command-name": "custom_command_002"
}
}
],
"session": "{{session}}"
}
Note
You have to use the \n character to insert a line break in the CLI script.
{
"id": "1",
"result": [
{
"data": {
"command-name": "custom_command_002"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/production/obj/switch-controller/custom-command"
}
]
}
10.7.3. How to add a custom command to a FortiSwitch Template?#
{
"id": "1",
"verbose": 1,
"method": "add",
"params": [
{
"url": "/pm/config/adom/{{adom}}/obj/switch-controller/managed-switch/fsw_template_001/custom-command",
"data": {
"command-entry": "custom_command_002",
"command-name": "custom_command_002"
}
}
],
"session": "{{session}}"
}
Note
command-name is an existing FortiSwitch custom command object (see How to create a custom command?)
{
"id": "1",
"result": [
{
"data": {
"command-entry": "custom_command_002"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/production/obj/switch-controller/managed-switch/fsw_template_001/custom-command"
}
]
}
10.7.4. How to assign a FortiSwitch template to a FortiSwitch?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "update",
"params": [
{
"data": {
"template": "fortiswitch.template.branches"
},
"scope member": [
{
"name": "branch2_fgt",
"vdom": "root"
}
],
"url": "/pm/config/adom/DEMO/obj/fsp/managed-switch/S108DVEN3ND-GG54"
}
],
"session": "choFZ1lhbjiexhxXCZyNqPhLO9V1N7gyVV29BoDixl1WuVvv7v7vrsd9H5mkAAqxt0/bVt/j4FPhWQOObbLSAg==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"switch-id": "S108DVEN3ND-GG54"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO/obj/fsp/managed-switch/S108DVEN3ND-GG54"
}
]
}
10.7.5. How to import a FortiSwitch Template from a managed device?#
Caught in #612834.
REQUEST:
{
"id": "70b61e3d-53fb-47e2-b763-64e8700331c8",
"method": "exec",
"params": [
{
"url": "pm/config/adom/root/_fsp/import/template",
"data": {
"switch": "S548DN4K16000358",
"template": "sdfas",
"device": {
"name": "FortiGate-140E-POE",
"vdom": "root"
}
}
}
]
}
10.7.6. How to get the default port configuration for a particular switch model?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"url": "/pm/config/adom/DB/_fsp/managed-switch/platforms/FortiSwitch-124D"
}
],
"session": "BQza7EvapJmDJuT15xS5AZGz7h93b6JMAuLYhBNqwEokjDjcoYTLaW18YTDreVjUr+D49zDrmqt6uPEReGuYOg==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"capability": "0x000000000000000000000015394dffd7",
"capability32": "0x394dffd7",
"max-allowed-trunk-members": 8,
"name": "FortiSwitch-124D",
"poe-detection-type": 3,
"poe_ports": [],
"ports": [
"port1",
"port2",
"port3",
"port4",
"port5",
"port6",
"port7",
"port8",
"port9",
"port10",
"port11",
"port12",
"port13",
"port14",
"port15",
"port16",
"port17",
"port18",
"port19",
"port20",
"port21",
"port22",
"port23",
"port24",
"port25",
"port26"
],
"prefix": "S124DN"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DB/_fsp/managed-switch/platforms/FortiSwitch-124D"
}
]
}
10.7.7. How to add a per-device mapping to a vlan?#
We can just use the add method as shown below:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": {
"_dhcp-status": "enable",
"_scope": [
{
"name": "device_002",
"vdom": "root"
}
],
"dhcp-server": {
"auto-configuration": "enable",
"conflicted-ip-timeout": 1800,
"ddns-auth": "disable",
"ddns-server-ip": "0.0.0.0",
"ddns-ttl": 300,
"ddns-update": "disable",
"ddns-update-override": "disable",
"ddns-zone": null,
"default-gateway": "10.1.6.99",
"dns-server1": "0.0.0.0",
"dns-server2": "0.0.0.0",
"dns-server3": "0.0.0.0",
"dns-server4": "0.0.0.0",
"dns-service": "specify",
"domain": null,
"exclude-range": null,
"filename": null,
"forticlient-on-net-status": "enable",
"id": 0,
"ip-range": [
{
"end-ip": "10.1.6.200",
"id": 1,
"start-ip": "10.1.6.100"
}
],
"lease-time": 604800,
"mac-acl-default-action": "assign",
"netmask": "255.255.255.0",
"next-server": "0.0.0.0",
"ntp-server1": "0.0.0.0",
"ntp-server2": "0.0.0.0",
"ntp-server3": "0.0.0.0",
"ntp-service": "specify",
"options": [
{
"code": 0,
"id": 1,
"type": "hex",
"value": null
}
],
"reserved-address": [
{
"action": "reserved",
"circuit-id": null,
"circuit-id-type": "string",
"description": null,
"id": 1,
"ip": "0.0.0.0",
"mac": "00:00:00:00:00:00",
"remote-id": null,
"remote-id-type": "string",
"type": "mac"
}
],
"server-type": "regular",
"status": "enable",
"tftp-server": [],
"timezone": "00",
"timezone-option": "disable",
"vci-match": "disable",
"vci-string": [],
"wifi-ac-service": "specify",
"wifi-ac1": "0.0.0.0",
"wifi-ac2": "0.0.0.0",
"wifi-ac3": "0.0.0.0",
"wins-server1": "0.0.0.0",
"wins-server2": "0.0.0.0"
},
"interface": {
"dhcp-relay-agent-option": "enable",
"dhcp-relay-ip": [],
"dhcp-relay-service": "disable",
"dhcp-relay-type": "regular",
"ip": [
"10.1.6.99",
"255.255.255.0"
],
"ipv6": {
"autoconf": "disable",
"dhcp6-client-options": null,
"dhcp6-information-request": "disable",
"dhcp6-prefix-delegation": "disable",
"dhcp6-prefix-hint": "::/0",
"dhcp6-prefix-hint-plt": 604800,
"dhcp6-prefix-hint-vlt": 2592000,
"dhcp6-relay-ip": [],
"dhcp6-relay-service": "disable",
"dhcp6-relay-type": "regular",
"ip6-address": "::/0",
"ip6-allowaccess": [
"ping",
"ssh"
],
"ip6-default-life": 1800,
"ip6-delegated-prefix-list": null,
"ip6-dns-server-override": "enable",
"ip6-extra-addr": null,
"ip6-hop-limit": 0,
"ip6-link-mtu": 0,
"ip6-manage-flag": "disable",
"ip6-max-interval": 600,
"ip6-min-interval": 198,
"ip6-mode": "static",
"ip6-other-flag": "disable",
"ip6-prefix-list": null,
"ip6-reachable-time": 0,
"ip6-retrans-time": 0,
"ip6-send-adv": "disable",
"ip6-subnet": "::/0",
"ip6-upstream-interface": [],
"nd-mode": "basic",
"vrip6_link_local": "::",
"vrrp-virtual-mac6": "disable",
"vrrp6": null
},
"secondary-IP": "disable",
"secondaryip": null,
"vlanid": 1016
}
},
"url": "/pm/config/adom/TEST/obj/fsp/vlan/vl_marketing/dynamic_mapping"
}
],
"session": "O0CeySMnJwAbA9IWMYiw5gm4d/JsFKjm7nysBMomXhF76KvpCIiPoy0OV77J8RphQyC9BOtX3uSwGy4FDG8xePGD64aGirdg",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"_scope": null
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/TEST/obj/fsp/vlan/vl_marketing/dynamic_mapping"
}
]
}
10.7.8. How to delete a per-device mapping from a vlan?#
It is as simple as appending the device and vdom in the URL:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "delete",
"params": [
{
"url": "/pm/config/adom/TEST/obj/fsp/vlan/vl_marketing/dynamic_mapping/device_001/root"
}
],
"session": "O19REjZMetkNVUapIPEpZduaWm6ibvUHfossFL/AuxLXM9fu2ruW0CCrC8Zp3YzDhU7y2+lBqtDvd9glT/hJ1JcVqQfHgCCo",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/TEST/obj/fsp/vlan/vl_marketing/dynamic_mapping/device_001/root"
}
]
}
10.7.9. How to get list of managed FortiSwitch?#
This is useful, for instance, when we want to get the FortiSwitch status.
REQUEST:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"name",
"switch-id",
"scope member",
"state",
"status"
],
"scope member": [
{
"name": "amer-12-fgt-01",
"vdom": "root"
},
{
"name": "amer-13-fgt-01",
"vdom": "root"
}
],
"url": "/pm/config/adom/demo/obj/fsp/managed-switch"
}
],
"session": "gYd7D9tR9I1diN8OifeR48Uk7QgPdxXpF5exoDMUHbX63+sJ6OFQKkVhFK7LLkuzjupy7rj2dDbiUwEeTeG8tw==",
"verbose": 1
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": [
{
"name": "S108DVI_CWPKU64E",
"scope member": [
{
"name": "amer-12-fgt-01",
"vdom": "root"
}
],
"state": "enable",
"status": "idle",
"switch-id": "S108DVI_CWPKU64E"
},
{
"name": "S108DV89EWKQE248",
"scope member": [
{
"name": "amer-13-fgt-01",
"vdom": "root"
}
],
"state": "enable",
"status": "idle",
"switch-id": "S108DV89EWKQE248"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/obj/fsp/managed-switch"
}
]
}
In the request, the scope member refers to two devices amer-12-fgt-01 and amer-13-fgt-01 (and their respective root VDOM).
We can also use device groups:
"scope member": [
{
"name": "device_group_01"
},
{
"name": "device_group_02"
}
]
We can specify the default all devices group:
"scope member": [
{
"name": "All_FortiGate"
}
]
We can combine devices and device groups:
"scope member": [
{
"name": "device_01",
"vdom": "root"
},
{
"name": "device_group_01"
},
{
"name": "device_group_02"
},
{
"name": "device_02",
"vdom": "root"
}
]
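The scope member variants above (devices, device groups, All_FortiGate, or a mix), used here and in the managed FAP listing earlier, can be generated and the reply checked in one place. This is an added Python example, not code from the original page or from Fortinet; the names scope_member, managed_switch_get, switches_by_fortigate and FmgApiError are assumptions, and both sample replies are constructed from responses shown on this page.

```python
class FmgApiError(Exception):
    """Raised when a result entry carries a non-zero status code."""


def scope_member(devices=(), groups=()):
    """Return a "scope member" list.

    devices: (device name, VDOM name) pairs -> {"name": ..., "vdom": ...}
    groups:  device group names             -> {"name": ...}
    """
    members = []
    for name, vdom in devices:
        if not name or not vdom:
            raise ValueError("a device entry needs a name and a VDOM")
        members.append({"name": name, "vdom": vdom})
    for group in groups:
        if not group:
            raise ValueError("empty device group name")
        members.append({"name": group})
    if not members:
        raise ValueError("scope member is empty")
    return members


def managed_switch_get(adom, session, members, fields, request_id=1):
    """Build the 'get list of managed FortiSwitch' request from this section."""
    if not adom or "/" in adom:
        # The ADOM name is spliced into the URL; refuse anything that alters the path.
        raise ValueError(f"unusable ADOM name: {adom!r}")
    return {
        "id": request_id,
        "method": "get",
        "params": [{
            "fields": list(fields),
            "scope member": members,
            "url": f"/pm/config/adom/{adom}/obj/fsp/managed-switch",
        }],
        "session": session,
        "verbose": 1,
    }


def switches_by_fortigate(response):
    """Return {(fortigate, vdom): [switch-id, ...]}; raise on any non-zero status."""
    found = {}
    for result in response["result"]:
        status = result["status"]
        if status["code"] != 0:
            raise FmgApiError(
                f'{result.get("url")}: {status["code"]} {status["message"]}')
        data = result.get("data") or []
        if isinstance(data, dict):      # a single object comes back as a dict
            data = [data]
        for switch in data:
            for member in switch.get("scope member", []):
                key = (member["name"], member.get("vdom"))
                found.setdefault(key, []).append(switch["switch-id"])
    return found


# Constructed sample input: the success response from this section, trimmed.
SAMPLE_OK = {"id": 3, "result": [{
    "data": [
        {"name": "S108DVI_CWPKU64E", "state": "enable", "status": "idle",
         "switch-id": "S108DVI_CWPKU64E",
         "scope member": [{"name": "amer-12-fgt-01", "vdom": "root"}]},
        {"name": "S108DV89EWKQE248", "state": "enable", "status": "idle",
         "switch-id": "S108DV89EWKQE248",
         "scope member": [{"name": "amer-13-fgt-01", "vdom": "root"}]},
    ],
    "status": {"code": 0, "message": "OK"},
    "url": "/pm/config/adom/demo/obj/fsp/managed-switch"}]}

# Constructed sample input: the error response quoted in the Warning of 10.7.1.1.
SAMPLE_ERROR = {"id": 1, "result": [{
    "status": {"code": -10, "message": "The data is invalid for selected url"},
    "url": "/pm/config/adom/dc_amer/obj/fsp/managed-switch/"}]}


if __name__ == "__main__":
    members = scope_member(devices=[("device_01", "root"), ("device_02", "root")],
                           groups=["device_group_01", "device_group_02"])
    print(managed_switch_get("demo", "{{session}}", members,
                             ["name", "switch-id", "scope member", "state", "status"]))
    print(switches_by_fortigate(SAMPLE_OK))
```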
10.7.10. How to update a port in a FortiSwitch Template?#
REQUEST:
{
"id": 1,
"method": "update",
"params": [
{
"url":"/pm/config/adom/{{adom}}/obj/switch-controller/managed-switch/branches/ports/port4",
"data": {
"allowed-vlans": [
"quarantine",
"vl_1002"
],
"vlan": [
"vl_1002"
]
}
}
],
"session": "{{session_id}}"
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"port-name": "port4"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/knock_37311/obj/switch-controller/managed-switch/branches/ports/port4"
}
]
}
10.8. FortiExtender#
10.8.1. How to add a Model FortiExtender?#
To add a new Model FortiExtender to the dev_002 managed device in the dc_kl ADOM:
{
"id": "1",
"method": "add",
"params": [
{
"data": {
"name": "fext_002",
"ext-name": "fext_002",
"id": "FX212F0000000002",
"extension-type": 1,
"profile": "fext_branches",
"_is_model": true,
"authorized": true,
"_prefer-img-ver": null
},
"scope member": [
{
"name": "dev_002",
"vdom": "root"
}
],
"url": "pm/config/adom/dc_kl/obj/extension-controller/extender"
}
],
"session": "{{session}}"
}
{
"result": [
{
"data": {
"name": "fext_002"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/dc_kl/obj/extension-controller/extender"
}
],
"id": "1"
}
10.8.2. How to get the list of FortiExtender devices for one ADOM?#
To get the list of FortiExtender devices for one ADOM and its managed devices or device groups, you can use the following request:
{
"id": "1",
"method": "get",
"params": [
{
"url": "pm/config/adom/dc_amiens/obj/extension-controller/extender",
"scope member": [
{
"name": "{device name}",
"vdom": "{vdom name}"
},
{
"...",
},
{
"name": "{device group name}"
}
]
}
]
}
To avoid passing specific scope member elements, you can use the pre-defined All_FortiGate device group to get all the FortiExtender devices for the specified ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"scope member": [
{
"name": "All_FortiGate"
}
],
"url": "pm/config/adom/dc_amiens/obj/extension-controller/extender"
}
],
"session": "{session}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": [
{
"_extender_conn": "0",
"_modem1": {
"_activation_status": null,
"_auto-switch": {
"dataplan": null,
"disconnect": null,
"disconnect-period": 0,
"disconnect-threshold": 0,
"oid": 5552,
"signal": null,
"status": null,
"switch-back": null,
"switch-back-time": null,
"switch-back-timer": 0
},
"_band": null,
"_cdma_profile": {
"_aaa_spi": null,
"_ha_spi": null,
"_home_addr": null,
"_idx": null,
"_nai": null,
"_primary_ha": null,
"_secondary_ha": null,
"_status": null,
"oid": 5548
},
"_connect_status": null,
"_current_snr": null,
"_data_plan": null,
"_drc_cdma_evdo": null,
"_esn_imei": null,
"_gsm_profile": {
"_apn": null,
"_cid": null,
"_type": null,
"oid": 5549
},
"_imsi": null,
"_lte_physical_cellid": null,
"_lte_rs_throughput": null,
"_lte_rssi": null,
"_lte_sinr": null,
"_lte_ts_throughput": null,
"_manufacture": null,
"_model": null,
"_modem_type": null,
"_oma_dm_version": null,
"_operating_mode": null,
"_physical_port": null,
"_pin_status": null,
"_plmn": null,
"_product": null,
"_revision": null,
"_roaming_status": null,
"_rssi": null,
"_service": null,
"_signal_rsrp": null,
"_signal_rsrq": null,
"_signal_strength": null,
"_sim1": {
"_carrier": null,
"_data_usage": 0,
"_iccid": null,
"_imsi": null,
"_is_active": 0,
"_maximum_allowed_data": 0,
"_modem": 0,
"_next_billing_date": null,
"_overage_allowed": null,
"_phone_number": null,
"_slot": 0,
"_status": null,
"oid": 5550
},
"_sim2": {
"_carrier": null,
"_data_usage": 0,
"_iccid": null,
"_imsi": null,
"_is_active": 0,
"_maximum_allowed_data": 0,
"_modem": 0,
"_next_billing_date": null,
"_overage_allowed": null,
"_phone_number": null,
"_slot": 0,
"_status": null,
"oid": 5551
},
"_usb_wan_mac": null,
"_usim_status": null,
"_wireless_operator": null,
"_wireless_signal": null,
"conn-status": 0,
"default-sim": null,
"gps": null,
"ifname": [],
"modem-id": 0,
"oid": 5547,
"preferred-carrier": null,
"redundant-intf": null,
"redundant-mode": null,
"sim1-pin": null,
"sim1-pin-code": [
"ENC",
"wAzU2vUukJt4urg6L/5pUEr0wOp67icWAmHV0xAfDqb4yhvs1mab45sl5bdjBA/tsKAuzwIqCZyjqGkQWbgz7+UahXoPkzrN9oepiYs2rwdat8AiltSSil1hGhN+Ojxm5ptF032kIu0uNmm6kveiM/8Z8x1ve1QUnOd+aD17g3QwEN/a"
],
"sim2-pin": null,
"sim2-pin-code": [
"ENC",
"4iyRkNUkNc3yrEqpFFzd+duvSZaoUrM2VFoud5cNKj9nWCn6mYX2Eql9P+ToqVGEF8NcPqB51NzYC6sgF2HHGWApuAar1YIcRtXgc4ZikfQfmX8CWv3s+VS+sykrKYaxckloniztq4DumBMPYg43lryWnMr/zp2sGcCZA1MWD1Vc5z/Y"
],
"status": null
},
"_modem2": {
"_activation_status": null,
"_auto-switch": {
"dataplan": null,
"disconnect": null,
"disconnect-period": 0,
"disconnect-threshold": 0,
"oid": 5558,
"signal": null,
"status": null,
"switch-back": null,
"switch-back-time": null,
"switch-back-timer": 0
},
"_band": null,
"_cdma_profile": {
"_aaa_spi": null,
"_ha_spi": null,
"_home_addr": null,
"_idx": null,
"_nai": null,
"_primary_ha": null,
"_secondary_ha": null,
"_status": null,
"oid": 5554
},
"_connect_status": null,
"_current_snr": null,
"_data_plan": null,
"_drc_cdma_evdo": null,
"_esn_imei": null,
"_gsm_profile": {
"_apn": null,
"_cid": null,
"_type": null,
"oid": 5555
},
"_imsi": null,
"_lte_physical_cellid": null,
"_lte_rs_throughput": null,
"_lte_rssi": null,
"_lte_sinr": null,
"_lte_ts_throughput": null,
"_manufacture": null,
"_model": null,
"_modem_type": null,
"_oma_dm_version": null,
"_operating_mode": null,
"_physical_port": null,
"_pin_status": null,
"_plmn": null,
"_product": null,
"_revision": null,
"_roaming_status": null,
"_rssi": null,
"_service": null,
"_signal_rsrp": null,
"_signal_rsrq": null,
"_signal_strength": null,
"_sim1": {
"_carrier": null,
"_data_usage": 0,
"_iccid": null,
"_imsi": null,
"_is_active": 0,
"_maximum_allowed_data": 0,
"_modem": 0,
"_next_billing_date": null,
"_overage_allowed": null,
"_phone_number": null,
"_slot": 0,
"_status": null,
"oid": 5556
},
"_sim2": {
"_carrier": null,
"_data_usage": 0,
"_iccid": null,
"_imsi": null,
"_is_active": 0,
"_maximum_allowed_data": 0,
"_modem": 0,
"_next_billing_date": null,
"_overage_allowed": null,
"_phone_number": null,
"_slot": 0,
"_status": null,
"oid": 5557
},
"_usb_wan_mac": null,
"_usim_status": null,
"_wireless_operator": null,
"_wireless_signal": null,
"conn-status": 0,
"default-sim": null,
"gps": null,
"ifname": [],
"modem-id": 0,
"oid": 5553,
"preferred-carrier": null,
"redundant-intf": null,
"redundant-mode": null,
"sim1-pin": null,
"sim1-pin-code": [
"ENC",
"uXot5E9uQdDojm/ovmf/7ahqUreca9JxuWsIGiEOv3EN8c3a4qRXptq+IcOKltReMkTFdhRWF2Qmml+KqzLjBg9zgge+avuJjVx6ybgwvYv3L7gSQPDZbE9H8vwjPwTkfeqsz7BsBToQvtIYXVGjHtsgfiTG/SJA5BZIYPfuTIK6DCy7"
],
"sim2-pin": null,
"sim2-pin-code": [
"ENC",
"ZAySYbFqADbVIi61RvJ2hTJ7L6cCksu29Hs6ff1PTOhLyhUwiCr/gbeeIrHZdjv3EsBN9rjnv3DVZ+ZwMPI8oziGT1q+shKsATN7XG3JBDfjkbiuike/bDpzmIZSSwO9I9HuxTQ3wO9h6kATvPG2uctz7g+jAi9z6A5TI2/pBQSAkY1e"
],
"status": null
},
"_upgrade-time": 0,
"authorized": "enable",
"bandwidth-limit": 1024,
"device-id": 1024,
"enforce-bandwidth": "disable",
"extension-type": "wan-extension",
"firmware-provision-latest": "disable",
"id": "FX311F**********",
"login-password": [
"ENC",
"L9Wm51q6WxKcpx9ZJTaSxAPhuwAoU0wY0zAqxd3tTjJuJTwy2FEYTxJm4PJHgw1gyZuIE2KQRDJe1VEcWc+QFIbZEZ3hfcXUVg57XSkQtlimZ+E/DO2MmQnZjrDe6/VmcnwY/SLdkWigCrSvqe4ewD9rdoU1GUdLFL9s4ySZfD/uuXj9GCWihc5A9bPc2JgShwmvbw=="
],
"login-password-change": "no",
"name": "FX311F",
"oid": 5545,
"override-allowaccess": "disable",
"override-enforce-bandwidth": "disable",
"override-login-password-change": "disable",
"profile": [],
"scope member": [
{
"name": "dut_fgt_04",
"vdom": "root"
}
],
"vdom": 0,
"wan-extension": {
"modem1-extension": [],
"modem2-extension": [],
"oid": 5546
}
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/dc_amiens/obj/extension-controller/extender"
}
]
}
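The response above returns login-password and the sim1-pin-code / sim2-pin-code fields as ["ENC", ...] pairs, the custom command in 10.7.2 carries a TACACS key inside its CLI text, and every request carries a session value. The following added Python example (not from the original page or from Fortinet) masks those fields before an exchange is logged or shared; the function names, the mask string and the keywords other than key are assumptions, and the sample values are constructed.

```python
import re

MASK = "***REDACTED***"

# CLI keywords whose argument is a secret. "key" is the one used on this page;
# the others are an assumed, non-exhaustive list.
SECRET_CLI_KEYWORDS = ("key", "password", "passwd", "psksecret")
_CLI_SECRET = re.compile(
    r"^([ \t]*set[ \t]+(?:%s)[ \t]+)\S.*$" % "|".join(SECRET_CLI_KEYWORDS),
    re.MULTILINE,
)
# Keys that hold CLI text in the requests and responses shown on this page.
CLI_TEXT_KEYS = ("command", "script")


def _is_enc_pair(value):
    """True for the ["ENC", "<ciphertext>"] shape used for stored secrets."""
    return (isinstance(value, list) and len(value) == 2
            and value[0] == "ENC" and isinstance(value[1], str))


def redact(node, key=None):
    """Return a masked copy of any JSON value; the input is left untouched."""
    if isinstance(node, dict):
        return {k: redact(v, k) for k, v in node.items()}
    if _is_enc_pair(node):
        return ["ENC", MASK]
    if isinstance(node, list):
        return [redact(item, key) for item in node]
    if isinstance(node, str) and key in CLI_TEXT_KEYS:
        # Keep the command, drop its argument: "set key <secret>" -> "set key ***"
        return _CLI_SECRET.sub(lambda m: m.group(1) + MASK, node)
    return node


def redact_message(message):
    """Mask one JSON-RPC request or response, including the top-level session."""
    clean = redact(message)
    if clean.get("session") is not None:
        clean["session"] = MASK
    return clean


# Constructed sample: the custom command request from 10.7.2 with a made-up session.
SAMPLE_REQUEST = {
    "id": "1",
    "method": "add",
    "params": [{
        "url": "pm/config/adom/production/obj/switch-controller/custom-command",
        "data": {
            "command": "config user tacacs\n edit TACACS_SRV\n set authorization enable\n"
                       " set authen-type ascii\n set key fortinet123456\n"
                       " set server 10.0.0.1\n next\nend",
            "command-name": "custom_command_002",
        },
    }],
    "session": "CONSTRUCTED-SESSION-TOKEN",
}

# Constructed sample: a fragment shaped like the extender response, with made-up ciphertext.
SAMPLE_RESPONSE = {"id": 3, "result": [{
    "data": [{
        "_modem1": {"sim1-pin": None,
                    "sim1-pin-code": ["ENC", "Q09OU1RSVUNURUQtUElO"]},
        "authorized": "enable",
        "login-password": ["ENC", "Q09OU1RSVUNURUQtUEFTU1dPUkQ="],
        "name": "FX311F",
        "scope member": [{"name": "dut_fgt_04", "vdom": "root"}],
    }],
    "status": {"code": 0, "message": "OK"},
    "url": "pm/config/adom/dc_amiens/obj/extension-controller/extender"}]}


if __name__ == "__main__":
    import json
    print(json.dumps(redact_message(SAMPLE_REQUEST), indent=2))
    print(json.dumps(redact_message(SAMPLE_RESPONSE), indent=2))
```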
10.8.3. How to delete a FortiExtender device?#
To delete the fext_001 FortiExtender device from the dc_emea ADOM:
{
"id": 3,
"method": "delete",
"params": [
{
"scope member": [
{
"name": "dc_emea_dev_001",
"vdom": "root"
}
],
"url": "pm/config/adom/dc_emea/obj/extension-controller/extender/fext_001"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/config/adom/dc_emea/obj/extension-controller/extender/fext_001"
}
]
}
10.9. CLI Template#
10.9.1. How to add a cli template?#
We add cli template 001_cli_template in ADOM adom_dut:
REQUEST:
{
"id": 1,
"method": "add",
"params": [
{
"data": {
"name": "001_cli_template",
"script": "config system global\nset hostname branch_$(site_id)\nend"
},
"url": "/pm/config/adom/adom_dut/obj/cli/template"
}
],
"session": "{{session}}",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"name": "001_cli_template"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/adom_dut/obj/cli/template"
}
]
}
10.9.2. How to delete a cli template?#
We delete cli template 005_cli_template from ADOM adom_dut:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "delete",
"params": [
{
"url": "/pm/config/adom/adom_dut/obj/cli/template/005_cli_template"
}
],
"session": "7RR3zyNa51ehGh5vkejo8zeqYuCNO3/DliyYAjrGd+Ytdd5jHD9pu4o17pXvt2TtWASZBhJxlTtxZbVw6uBFvw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/adom_dut/obj/cli/template/005_cli_template"
}
]
}
10.9.3. How to add a cli template group?#
We add cli template group 001_cli_template_group in ADOM adom_dut with two cli template members, 001_cli_template and 002_cli_template:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": {
"member": [
"001_cli_template",
"002_cli_template"
],
"name": "001_cli_template_group"
},
"url": "/pm/config/adom/adom_dut/obj/cli/template-group"
}
],
"session": "M/9TkWeX+6HmdPF7d51EkT2+/eTVQAqIyNdgPrdkfoBApi/g3ReNXzcDrBpuDbtJ0OJza+Zja2dExCglF9rxYQ==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"name": "001_cli_template_group"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/adom_dut/obj/cli/template-group"
}
]
}
10.9.4. How to add a cli template to a cli template group?#
We add cli templates 003_cli_template and 004_cli_template to the cli template group 001_cli_template_group in ADOM adom_dut:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": [
"003_cli_template",
"004_cli_template"
],
"url": "/pm/config/adom/adom_dut/obj/cli/template-group/001_cli_template_group/member"
}
],
"session": "e7++sagQwrojdzHdmjWzzLwBa2bmCWxrFUXbxIqzOCCh8idncLvsA+wsAOlFs5pp45lrQoooRayUFE07GFHwfQ==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/adom_dut/obj/cli/template-group/001_cli_template_group/member"
}
]
}
10.9.5. How to delete a cli template group?#
We delete cli template group 001_cli_template_group from ADOM adom_dut:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "delete",
"params": [
{
"url": "/pm/config/adom/adom_dut/obj/cli/template-group/001_cli_template_group"
}
],
"session": "OSNbLm35oUYLRoWwhdZ1Wbhp/1tpXWEimxLaZULCnSyIZGQxmJ9/JusfomklwA3UvIKJtXqUf/eTJGCJlyd+Dw==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/adom_dut/obj/cli/template-group/001_cli_template_group"
}
]
}
10.9.6. How to get the list of assigned devices for a cli template?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"option": [
"scope member"
],
"url": "/pm/config/adom/DEMO/obj/cli/template/cli.template.005.router.bgp"
}
],
"session": "OzznUZjuf542CtWPlOuzOxFCmUp++ayZFMy8YQOxpcTzTebnlp3zMEFdaI5tWBPHjMRWZAtAU+Q/mWAPI+B1LA==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": {
"description": null,
"modification-time": "1585299880555",
"name": "cli.template.005.router.bgp",
"obj flags": 16,
"scope member": [
{
"name": "branch2_fgt",
"vdom": "vd_001"
}
],
"script": "config router route-map\nedit \"NO_SLA\"\nconfig rule\nedit 1\nset set-community \"65000:2\"\nnext\nend\nnext\nedit \"SLA\"\nconfig rule\nedit 1\nset set-community \"65000:1\"\nnext\nend\nnext\nend\n\nconfig router bgp\nset as 65000\nset router-id 0.0.$(region_id).$(branch_id)\nset keepalive-timer 5\nset holdtime-timer 15\nset ibgp-multipath enable\nset network-import-check disable\nset additional-path enable\nset scan-time 20\nset graceful-restart enable\nconfig neighbor\nedit 10.0.$(region_id)1.1\nset soft-reconfiguration enable\nset remote-as 65000\nset route-map-out \"NO_SLA\"\nset route-map-out-preferable \"SLA\"\nset additional-path both\nset connect-timer 5\nnext\nedit 10.0.$(region_id)2.1\nset soft-reconfiguration enable\nset remote-as 65000\nset route-map-out \"NO_SLA\"\nset route-map-out-preferable \"SLA\"\nset additional-path both\nset connect-timer 5\nnext\nend\nconfig network\nedit 1\nset prefix 10.3.$(region_id)$(branch_id).0 255.255.255.0\nnext\nedit 2\nset prefix 169.254.$(region_id)$(branch_id).1 255.255.255.255\nnext\nedit 3\nset prefix 10.4.$(region_id)$(branch_id).0 255.255.255.0\nnext\nend\nend"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO/obj/cli/template/cli.template.005.router.bgp"
}
]
}
10.9.7. How to get the list of assigned devices for a cli template group?#
We get the list of assigned devices or device groups for CLI Template Group branches in ADOM demo_001:
REQUEST:
{
"id": 3,
"method": "get",
"params": [
{
"fields": [
"name"
],
"option": [
"scope member"
],
"url": "/pm/config/adom/demo_001/obj/cli/template-group/branches"
}
],
"session": "PLWvfSfwODuu0etx59Ypv/mD1E6EzywAtuTJimnMQ1PFryZHf/wyWMmyyoMqAHNVUhCqyJrQ9Ps1D0mxS4IUCg=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": {
"name": "branches",
"obj flags": 16,
"oid": 3725,
"scope member": [
{
"name": "demo_001_dev_001",
"vdom": "root"
},
{
"name": "branches"
}
]
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo_001/obj/cli/template-group/branches"
}
]
}
The CLI Template Group branches has two assigned elements:
- Device demo_001_dev_001 (and its native root VDOM)
- Device group branches
10.9.8. How to assign a Cli Template to a device?#
This section is applicable to CLI Templates and Pre-Run CLI Templates.
The following request assigns cli template cli.template.005.router.bgp to two of branch2_fgt's VDOMs.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": [
{
"name": "branch2_fgt",
"vdom": "vd_001"
},
{
"name": "branch2_fgt",
"vdom": "vd_002"
}
],
"url": "/pm/config/adom/DEMO/obj/cli/template/cli.template.005.router.bgp/scope member"
}
],
"session": "tcOpRF2jaIJ3BAORWKscwn1syZQhqzpPOdMj5okCSg4+pJd0jrYdEWNzXG9rHj/iMNYDLMIfQI3NrpKbb3aS7Q==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO/obj/cli/template/cli.template.005.router.bgp/scope member"
}
]
}
10.9.9. How to assign a Pre-Run CLI Template to a device?#
A Pre-Run CLI Template is just a CLI Template applied at a different time in the installation process.
To assign the test_001 Pre-Run CLI Template to the dc_emea_dev_003 device from the dc_emea ADOM:
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"name": "dc_emea_dev_001",
"vdom": "global"
},
"url": "/pm/config/adom/dc_emea/obj/cli/template/test_001/scope member"
}
],
"session": "TlAAeLDAWnuS1F9NMWPgmxvFxfscIwv9WOWXN31VskM+eMT9GluESP5Sg8foa1TPxWvpRdH9bGiew7pKO9kPMQ=="
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/dc_emea/obj/cli/template/test_001/scope member"
}
]
}
10.9.10. How to assign a CLI template group to a device?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": [
{
"name": "branch2_fgt",
"vdom": "root"
}
],
"url": "/pm/config/adom/DEMO/obj/cli/template-group/cli.template.group.branches/scope member"
}
],
"session": "oyeLwnK5I3/80mDfTv6sUjluR53QWJnVXAAWlknFJZ98shF5caZPDIwfs3/7OWKr9A3+XA4cRJK3qZ++gllqrQ==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO/obj/cli/template-group/cli.template.group.branches/scope member"
}
]
}
10.9.11. How to assign a CLI Template (Group) to the global VDOM of a device?#
Just use global as VDOM name:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": {
"name": "device_001",
"vdom": "global"
},
"url": "/pm/config/adom/demo/obj/cli/template-group/branches/scope member"
}
],
"session": "zChH9+y8oP6Pejxr2xyu+zGJhj7wtgv9nBHSKeE+p8P3hNT+mXZGLl71v9YXEnFgPftwPwl2RciFWAvLq45IPQ==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/obj/cli/template-group/branches/scope member"
}
]
}
10.9.12. How to unassign a device from a cli template?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "delete",
"params": [
{
"data": [
{
"name": "branch2_fgt",
"vdom": "vd_001"
},
{
"name": "branch2_fgt",
"vdom": "vd_002"
}
],
"url": "/pm/config/adom/DEMO/obj/cli/template/cli.template.005.router.bgp/scope member"
}
],
"session": "wbdeuDFUt7J7W/1o5vIpTvDT0fCIRBHyP2fL0BDmQnhIpob4ikYcQUijo3moWv467Q9XSQhpaK85K5MYZv51oA==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO/obj/cli/template/cli.template.005.router.bgp/scope member"
}
]
}
10.9.13. How to unassign a device from a cli template group?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "delete",
"params": [
{
"data": {
"name": "branch2_fgt",
"vdom": "vd_001"
},
"url": "/pm/config/adom/DEMO/obj/cli/template-group/cli.template.group.branches/scope member"
}
],
"session": "PhOtZut4nOnRs+4tfGBHpVgigkF30snHKXDJkKB+645dAQjp9LGzjW6exMQsNCI12pOyNDwl7gqfbJ0HGQiZ0Q==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/DEMO/obj/cli/template-group/cli.template.group.branches/scope member"
}
]
}
10.10. SD-WAN Template#
10.10.1. SD-WAN Template Assignment#
10.10.1.1. How to assign a SD-WAN template to a device?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "add",
"params": [
{
"data": [
{
"name": "branch2_fgt",
"vdom": "root"
}
],
"url": "/pm/wanprof/adom/DEMO/sdwan.template.branches/scope member"
}
],
"session": "WYy1EnQn09jiTFIM4kKJLfn7OFi4HkP7eGfoNAQcI4tzXfNX+n1nlcqS6x4N3H5WfUJGr1D4GCYv7Dmp5Whxcg==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/wanprof/adom/DEMO/sdwan.template.branches/scope member"
}
]
}
10.10.1.2. How to unassign a SD-WAN template from a device?#
Just replace add with delete.
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "delete",
"params": [
{
"data": [
{
"name": "branch2_fgt",
"vdom": "root"
}
],
"url": "/pm/wanprof/adom/DEMO/sdwan.template.branches/scope member"
}
],
"session": "WYy1EnQn09jiTFIM4kKJLfn7OFi4HkP7eGfoNAQcI4tzXfNX+n1nlcqS6x4N3H5WfUJGr1D4GCYv7Dmp5Whxcg==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/wanprof/adom/DEMO/sdwan.template.branches/scope member"
}
]
}
10.10.2. How to get list of SD-WAN template with assigned devices?#
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"fields": [
"scope member",
"description"
],
"sortings": [
{
"name": 1
}
],
"url": "/pm/wanprof/adom/DEMO"
}
],
"session": "lXvZLSAvsKGIqn63OKVOmfUd0dgDhiBGmV9tZf3/fKRoG42Wm1wtyB+WJoT3VMHm1xJkv2i+mFS0Wbx3zbWBlg==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"description": "",
"name": "sdwan.template.branch3",
"oid": 1905,
"scope member": [
{
"name": "branch3_fgt",
"vdom": "root"
}
]
},
{
"description": "",
"name": "sdwan.template.branches",
"oid": 1540,
"scope member": [
{
"name": "branch1_fgt",
"vdom": "root"
}
]
},
{
"description": "",
"name": "sdwan.template.datacenter",
"oid": 1710,
"scope member": [
{
"name": "datacenter_fgt",
"vdom": "root"
}
]
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/wanprof/adom/DEMO"
}
]
}
10.10.3. How to get historical data for devices?#
This is about getting the data used to produce the Device Manager > SD-WAN > Monitoring > Table View historical graphs…
To capture the FMG JSON API calls being used:
# diagnose debug service rtm 255
# diagnose debug enable
# diagnose debug timestamp enable
One example of what we get, when we click the device in the Table View page:
REQUEST:
{
"id": 1,
"jsonrpc": "1.0",
"method": "get",
"params": [
{
"filter": {
"key": [
[
"interface",
]
],
"timestamp": [
[
"start",
"==",
1583496501
],
[
"end",
"==",
1583500101
]
]
},
"url": "/rtm/global/rhistory/monitor/sd-wan-intf-log/device/branch1_fgt"
}
],
"session": "KIV4BMu67GdlpGBpU7LqGQ34I4vIlsaHBD5jyNQwxNTSUUlsXZn2gaO4CJmvVe1dT7Jd9AatFqQaAIV1oN3pYA==",
"verbose": 1
}
RESPONSE:
{
"id": 1,
"result": [
{
"data": [
{
"interface": "ol_inet_0",
"log": [
{
"timestamp": 1583496552,
"value": {
"bi_bandwidth": 38,
"egress_queue": [],
"rx_bandwidth": 19,
"rx_bytes": 31460,
"tx_bandwidth": 19,
"tx_bytes": 31340
}
},
[...]
10.10.4. TODO: SD-WAN Monitoring - Table View#
Caught in #0598650.
REQUEST:
{
"client": "rtmmond:544",
"id": 5801,
"method": "exec",
"params": [
{
"data": {
"dir": "/var/upload/virtual-wan/sla-log"
},
"url": "proc/rest/data"
}
],
"root": "dmworker"
}
10.10.5. FortiManager 6.4 and older#
10.10.5.1. How to create an interface member?#
In ADOM jpf_demo, we add interface member ul_inet2 pointing to the existing normalized interface with the same name, ul_inet2:
REQUEST:
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"interface": [
"ul_inet2"
],
"name": "ul_inet2"
},
"url": "/pm/config/adom/jpf_demo/obj/dynamic/virtual-wan-link/members"
}
],
"session": "raFZDHgo5kjbL1965fd4i0Y2bCygF7DB5tdVHVT7E260rcBfqEoyg6RiLijPEnBAJdaeJ7xPg63Dfs3NFMazfA=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": {
"name": "ul_inet2"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/jpf_demo/obj/dynamic/virtual-wan-link/members"
}
]
}
10.10.5.2. How to create an SD-WAN Template?
In ADOM jpf_demo, we create SD-WAN Template branches:
REQUEST:
{
"id": 3,
"method": "add",
"params": [
{
"data": [
{
"name": "branches",
"type": "wanprof"
}
],
"url": "/pm/wanprof/adom/jpf_demo"
}
],
"session": "f6dC0P+/KW1FafCOFvl7TbxZZv4Jr8uJx5gEFpm1KPdB0uLPGUpsOuofucGMSMJry5vVIffH8c/8fFbYKUi02g=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/wanprof/adom/jpf_demo"
}
]
}
10.11. IPsec Tunnel Template
10.11.1. How to get the list of IPsec Tunnel Templates?
The following example shows how to get the list of existing IPsec Tunnel Templates in the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/template/_ipsec/adom/demo"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": [
{
"name": "IPsec_Fortinet_Recommended",
"oid": 5480,
"template setting": {
"option": "readonly",
"stype": "_ipsec",
"widgets": [
"_ipsec"
]
},
"type": "template"
},
{
"name": "BRANCH_IPsec_Recommended",
"oid": 5484,
"template setting": {
"option": "readonly",
"stype": "_ipsec",
"widgets": [
"_ipsec"
]
},
"type": "template"
},
{
"name": "HUB_IPsec_Recommended",
"oid": 5490,
"template setting": {
"option": "readonly",
"stype": "_ipsec",
"widgets": [
"_ipsec"
]
},
"type": "template"
},
{
"name": "ipsec_tunnel_template_001",
"oid": 5584,
"scope member": [
{
"name": "dev_001",
"vdom": "root"
},
{
"name": "dev_002",
"vdom": "root"
}
],
"template setting": {
"description": "New IPsec Tunnel Template",
"stype": "_ipsec",
"widgets": [
"_ipsec"
]
},
"type": "template"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_ipsec/adom/demo"
}
]
}
Note
The *_Recommended default IPsec Tunnel Templates are returned.
When devices or device groups are assigned to an IPsec Tunnel Template, FortiManager returns the corresponding scope member attribute, as shown for ipsec_tunnel_template_001.
10.11.2. How to get a specific IPsec Tunnel Template?
The following example shows how to get the ipsec_tunnel_template_001 IPsec Tunnel Template in the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": {
"name": "ipsec_tunnel_template_001",
"oid": 5584,
"scope member": [
{
"name": "dev_001",
"vdom": "root"
},
{
"name": "dev_002",
"vdom": "root"
}
],
"template setting": {
"description": "New IPsec Tunnel Template",
"option": null,
"stype": "_ipsec",
"widgets": [
"_ipsec"
]
},
"type": "template"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001"
}
]
}
It is also possible to use a filter to get the same result:
{
"id": 3,
"method": "get",
"params": [
{
"filter": [
"name",
"==",
"ipsec_tunnel_template_001"
],
"url": "/pm/template/_ipsec/adom/demo"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": [
{
"name": "ipsec_tunnel_template_001",
"oid": 5584,
"scope member": [
{
"name": "dev_001",
"vdom": "root"
},
{
"name": "dev_002",
"vdom": "root"
}
],
"template setting": {
"description": "New IPsec Tunnel Template",
"stype": "_ipsec",
"widgets": [
"_ipsec"
]
},
"type": "template"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_ipsec/adom/demo"
}
]
}
10.11.3. How to get the tunnels of an IPsec Tunnel Template?
The following example shows how to get the tunnel entries in the ipsec_tunnel_template_001 IPsec Tunnel Template in the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/template/_ipsec/ipsec_tunnel_template_001/action-list"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": [
{
"action": "conf-ipsec-template",
"dynamic_mapping": null,
"oid": 5591,
"seq": 1,
"value": {
"automatic-routing": "enable",
"local-addr-type": "dynamic",
"name": "ol_isp1",
"nat": "disable",
"remote-subnet": [
"0.0.0.0/0.0.0.0"
],
"system interface": {
"ip": "0.0.0.0/0.0.0.0",
"remote-ip": "0.0.0.0/0.0.0.0"
},
"vpn ipsec phase1-interface": {
"acct-verify": "disable",
"add-gw-route": "disable",
"aggregate-member": "disable",
"authmethod": "psk",
"auto-discovery-crossover": "allow",
"auto-discovery-forwarder": "disable",
"auto-discovery-offer-interval": 5,
"auto-discovery-psk": "disable",
"auto-discovery-receiver": "disable",
"auto-discovery-sender": "disable",
"auto-negotiate": "enable",
"backup-gateway": [],
"childless-ike": "disable",
"client-auto-negotiate": "disable",
"client-keep-alive": "disable",
"comments": null,
"dhgrp": [
"14",
"5"
],
"distance": 15,
"dpd": "on-demand",
"dpd-retrycount": 3,
"dpd-retryinterval": [
20
],
"eap-cert-auth": "disable",
"eap-exclude-peergrp": [],
"eap-identity": "use-id-payload",
"ems-sn-check": "disable",
"encap-local-gw4": "0.0.0.0",
"encap-local-gw6": "::",
"encap-remote-gw4": "0.0.0.0",
"encap-remote-gw6": "::",
"encapsulation": "none",
"encapsulation-address": "ike",
"enforce-unique-id": "disable",
"esn": "disable",
"exchange-fgt-device-id": "disable",
"exchange-interface-ip": "disable",
"exchange-ip-addr4": "0.0.0.0",
"exchange-ip-addr6": "::",
"fallback-tcp-threshold": 15,
"fec-egress": "disable",
"fec-health-check": [],
"fec-ingress": "disable",
"fec-mapping-profile": [],
"fgsp-sync": "disable",
"fortinet-esp": "disable",
"fragmentation": "enable",
"fragmentation-mtu": 1200,
"group-authentication": "disable",
"group-authentication-secret": [
"ENC",
"vWtqtv0dyV9YmI2AVPGvHksmmGvaIQ0BPKapHEWAaZTomwBa3+cDcSVGHyGAVY73P5v58A1coRE7YJ6Nr9QKTgXTtPpJnTizVaju7iduNiLI6Ip82yHg6eBd6GiwX79JEmm67CA1GCJxisS/Ab7tJH7O8sn4JQby9FeGK9rxMD3zaC2h/g56sbmC74TRrrUj61HE0Q=="
],
"ha-sync-esp-seqno": "enable",
"idle-timeout": "disable",
"ike-version": "1",
"inbound-dscp-copy": "disable",
"include-local-lan": "disable",
"interface": [
"port1"
],
"ip-fragmentation": "post-encapsulation",
"ip-version": "4",
"ipsec-tunnel-slot": "auto",
"ipv4-split-exclude": [],
"ipv4-split-include": [],
"ipv6-dns-server1": "::",
"ipv6-dns-server2": "::",
"ipv6-dns-server3": "::",
"ipv6-split-exclude": [],
"ipv6-split-include": [],
"keepalive": 10,
"keylife": 86400,
"kms": [],
"link-cost": 0,
"local-gw": "0.0.0.0",
"localid": "$(local_id)",
"localid-type": "auto",
"mesh-selector-type": "disable",
"mode": "main",
"mode-cfg": "disable",
"monitor": [],
"monitor-hold-down-delay": 0,
"monitor-hold-down-time": "00:00",
"monitor-hold-down-type": "immediate",
"monitor-min": 0,
"name": "ol_isp1",
"nattraversal": "enable",
"negotiate-timeout": 30,
"net-device": "disable",
"npu-offload": "enable",
"oid": 5589,
"packet-redistribution": "disable",
"passive-mode": "disable",
"peertype": "any",
"ppk": "disable",
"ppk-identity": null,
"ppk-secret": [
"ENC",
"NQ700fmIoUlU5b4CTWn/STfnb0a5+oFLyiWrlV3pVKjtPvDcnHl7hANCiors48fMGnpd8ftwf5iKRisHrySywxQ7+Xulrn3vBrfzotfqVZ0uG2kUQ4e6DYSqI25IH9DqvCWy6R1uc6Wv9BqWCPMYM1ZAomfoMId86EsnphUeu1cvNEcPIiKQajAEkr53/2xWKYxhlg=="
],
"priority": 1,
"proposal": [
"aes128-sha256",
"aes256-sha256"
],
"psksecret": [
"ENC",
"q5YWHfF1iymMLOiQK4rkHQtQkvvbp4uMNY2F1JBZjm2spZVs4KDygSkZR7ZGYUVgrsg2rFyuOkONSe8hvPf2AqT43a8SCjQxHNJoODllPgHdZE8UOfzlEVWDNgGK25VWe2aa7TVmsPoGED2gVSk1tPcJV92oxcVdUTfYaukumwnXD2kT"
],
"qkd": "disable",
"qkd-profile": [],
"reauth": "disable",
"rekey": "enable",
"remote-gw": "10.1.0.1",
"rsa-signature-format": "pkcs1",
"rsa-signature-hash-override": "disable",
"save-password": "disable",
"split-include-service": [],
"suite-b": "disable",
"transit-gateway": "disable",
"transport": "udp",
"type": "static",
"vni": 0,
"wizard-type": "custom",
"xauthtype": "disable"
},
"vpn ipsec phase2-interface": []
},
"var-list": null
},
{
"action": "conf-ipsec-template",
"dynamic_mapping": null,
"oid": 5592,
"seq": 2,
"value": {
"automatic-routing": "enable",
"local-addr-type": "dynamic",
"name": "ol_isp2",
"nat": "disable",
"remote-subnet": [
"0.0.0.0/0.0.0.0"
],
"system interface": {
"ip": "0.0.0.0/0.0.0.0",
"remote-ip": "0.0.0.0/0.0.0.0"
},
"vpn ipsec phase1-interface": {
"acct-verify": "disable",
"add-gw-route": "disable",
"aggregate-member": "disable",
"authmethod": "psk",
"auto-discovery-crossover": "allow",
"auto-discovery-forwarder": "disable",
"auto-discovery-offer-interval": 5,
"auto-discovery-psk": "disable",
"auto-discovery-receiver": "disable",
"auto-discovery-sender": "disable",
"auto-negotiate": "enable",
"backup-gateway": [],
"childless-ike": "disable",
"client-auto-negotiate": "disable",
"client-keep-alive": "disable",
"comments": null,
"dhgrp": [
"14",
"5"
],
"distance": 15,
"dpd": "on-demand",
"dpd-retrycount": 3,
"dpd-retryinterval": [
20
],
"eap-cert-auth": "disable",
"eap-exclude-peergrp": [],
"eap-identity": "use-id-payload",
"ems-sn-check": "disable",
"encap-local-gw4": "0.0.0.0",
"encap-local-gw6": "::",
"encap-remote-gw4": "0.0.0.0",
"encap-remote-gw6": "::",
"encapsulation": "none",
"encapsulation-address": "ike",
"enforce-unique-id": "disable",
"esn": "disable",
"exchange-fgt-device-id": "disable",
"exchange-interface-ip": "disable",
"exchange-ip-addr4": "0.0.0.0",
"exchange-ip-addr6": "::",
"fallback-tcp-threshold": 15,
"fec-egress": "disable",
"fec-health-check": [],
"fec-ingress": "disable",
"fec-mapping-profile": [],
"fgsp-sync": "disable",
"fortinet-esp": "disable",
"fragmentation": "enable",
"fragmentation-mtu": 1200,
"group-authentication": "disable",
"group-authentication-secret": [
"ENC",
"vWtqtv0dyV9YmI2AVPGvHksmmGvaIQ0BPKapHEWAaZTomwBa3+cDcSVGHyGAVY73P5v58A1coRE7YJ6Nr9QKTgXTtPpJnTizVaju7iduNiLI6Ip82yHg6eBd6GiwX79JEmm67CA1GCJxisS/Ab7tJH7O8sn4JQby9FeGK9rxMD3zaC2h/g56sbmC74TRrrUj61HE0Q=="
],
"ha-sync-esp-seqno": "enable",
"idle-timeout": "disable",
"ike-version": "1",
"inbound-dscp-copy": "disable",
"include-local-lan": "disable",
"interface": [
"port2"
],
"ip-fragmentation": "post-encapsulation",
"ip-version": "4",
"ipsec-tunnel-slot": "auto",
"ipv4-split-exclude": [],
"ipv4-split-include": [],
"ipv6-dns-server1": "::",
"ipv6-dns-server2": "::",
"ipv6-dns-server3": "::",
"ipv6-split-exclude": [],
"ipv6-split-include": [],
"keepalive": 10,
"keylife": 86400,
"kms": [],
"link-cost": 0,
"local-gw": "0.0.0.0",
"localid": "$(local_id)",
"localid-type": "auto",
"mesh-selector-type": "disable",
"mode": "main",
"mode-cfg": "disable",
"monitor": [],
"monitor-hold-down-delay": 0,
"monitor-hold-down-time": "00:00",
"monitor-hold-down-type": "immediate",
"monitor-min": 0,
"name": "ol_isp2",
"nattraversal": "enable",
"negotiate-timeout": 30,
"net-device": "disable",
"npu-offload": "enable",
"oid": 5590,
"packet-redistribution": "disable",
"passive-mode": "disable",
"peertype": "any",
"ppk": "disable",
"ppk-identity": null,
"ppk-secret": [
"ENC",
"NQ700fmIoUlU5b4CTWn/STfnb0a5+oFLyiWrlV3pVKjtPvDcnHl7hANCiors48fMGnpd8ftwf5iKRisHrySywxQ7+Xulrn3vBrfzotfqVZ0uG2kUQ4e6DYSqI25IH9DqvCWy6R1uc6Wv9BqWCPMYM1ZAomfoMId86EsnphUeu1cvNEcPIiKQajAEkr53/2xWKYxhlg=="
],
"priority": 1,
"proposal": [
"aes128-sha256",
"aes256-sha256"
],
"psksecret": [
"ENC",
"kWsLpmFEmPg6+O1jkuhgUGWNW14f37YfY6BtY4qEWO8qiJ3zEgXtzK/3YYmj4c9FDyQ7qbV6RQXHJvuY/3Nt4hJGFAslnZxGj6xae6wd4xGpMsID7xeT1gJAsPLAU/tR2S1lnzXtJyvmErqH/zmkrPhhkz/Y0+BtsAfHS4BrY6tR93ds"
],
"qkd": "disable",
"qkd-profile": [],
"reauth": "disable",
"rekey": "enable",
"remote-gw": "10.2.0.1",
"rsa-signature-format": "pkcs1",
"rsa-signature-hash-override": "disable",
"save-password": "disable",
"split-include-service": [],
"suite-b": "disable",
"transit-gateway": "disable",
"transport": "udp",
"type": "static",
"vni": 0,
"wizard-type": "custom",
"xauthtype": "disable"
},
"vpn ipsec phase2-interface": []
},
"var-list": null
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/template/_ipsec/ipsec_tunnel_template_001/action-list"
}
]
}
Note
With older FortiManager versions (can’t be more specific), it was possible to obtain the same result using a different FortiManager JSON RPC API url.
For instance, to get the tunnels of the ipsec_tunnel_template_001 IPsec Tunnel Template in the demo ADOM, the following API request was used:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/template/ipsec_tunnel_template_001/device/template/widget/ipsec/action-list/"
}
],
"session": "{{session}}"
}
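The action-list response carries every IKE and IPsec parameter of each tunnel, so it can be reviewed offline. The following added example (not part of the original page or of any Fortinet tool) walks a response of that shape and reports settings such as dhgrp 5, ike-version 1 or a 3DES or SHA-1 proposal; the weak-setting policy, the function names and the trimmed sample response are assumptions made for this example.

```python
"""Audit IPsec Tunnel Template entries for weak IKE/IPsec settings (added example)."""
import json

# Assumed review policy for this example, not a FortiManager or Fortinet rule set.
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ALGORITHMS = {"null", "des", "3des", "md5", "sha1"}
P1_KEY = "vpn ipsec phase1-interface"
P2_KEY = "vpn ipsec phase2-interface"

# Constructed sample: two entries trimmed to the fields the audit reads, in the
# same shape as the action-list response shown on this page.
SAMPLE_RESPONSE = json.loads("""
{"id": 3, "result": [{
  "data": [
    {"action": "conf-ipsec-template", "oid": 5591, "seq": 1, "value": {
      "name": "ol_isp1",
      "vpn ipsec phase1-interface": {
        "authmethod": "psk", "dhgrp": ["14", "5"], "ike-version": "1",
        "proposal": ["aes128-sha256", "aes256-sha256"]},
      "vpn ipsec phase2-interface": []}},
    {"action": "conf-ipsec-template", "seq": 4, "value": {
      "name": "ol_isp4",
      "vpn ipsec phase1-interface": {
        "authmethod": "psk", "dhgrp": ["14", "5"], "ike-version": "1",
        "proposal": ["3des-sha256", "aes128-sha256", "aes256-sha256"]},
      "vpn ipsec phase2-interface": [
        {"name": "ol_isp4", "pfs": "enable", "replay": "enable",
         "proposal": ["aes128-sha256", "aes128-sha1", "aes256gcm"]}]}}
  ],
  "status": {"code": 0, "message": "OK"},
  "url": "/pm/config/adom/demo/template/_ipsec/ipsec_tunnel_template_001/action-list"
}]}
""")


def audit_phase(settings, is_phase1):
    """Return the list of weak settings found in one phase1 or phase2 block."""
    issues = []
    if is_phase1 and str(settings.get("ike-version")) == "1":
        issues.append("ike-version 1")
    for group in settings.get("dhgrp") or []:
        if str(group) in WEAK_DH_GROUPS:
            issues.append(f"dhgrp {group}")
    for proposal in settings.get("proposal") or []:
        # Proposals look like "<cipher>-<hash>" or a bare AEAD name ("aes256gcm").
        if WEAK_ALGORITHMS & set(proposal.split("-")):
            issues.append(f"proposal {proposal}")
    if not is_phase1:
        for key in ("pfs", "replay"):
            if settings.get(key) == "disable":
                issues.append(f"{key} disable")
    return issues


def audit_action_list(response):
    """Return (seq, tunnel name, phase, issue) tuples for a get response.

    Accepts both the list form (whole action-list) and the single-object form
    returned when one seq is requested. Raises ValueError on a non-zero status.
    """
    findings = []
    for result in response.get("result", []):
        status = result.get("status", {})
        if status.get("code") != 0:
            raise ValueError(f"{result.get('url')}: {status.get('message')}")
        data = result.get("data") or []
        entries = data if isinstance(data, list) else [data]
        for entry in entries:
            value = entry.get("value") or {}
            seq, name = entry.get("seq"), value.get("name")
            for issue in audit_phase(value.get(P1_KEY) or {}, True):
                findings.append((seq, name, "phase1", issue))
            for phase2 in value.get(P2_KEY) or []:
                for issue in audit_phase(phase2, False):
                    findings.append((seq, name, f"phase2:{phase2.get('name')}", issue))
    return findings


if __name__ == "__main__":
    for finding in audit_action_list(SAMPLE_RESPONSE):
        print(finding)
```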
10.11.4. How to get a specific tunnel of an IPsec Tunnel Template?
The tunnel master key is the seq attribute, which can be obtained when getting the tunnels of an IPsec Tunnel Template (see section How to get the tunnels of an IPsec Tunnel Template?).
The following example shows how to get the tunnel with ol_isp1 (seq is 1) from the ipsec_tunnel_template_001 in the demo ADOM:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/config/adom/demo/template/_ipsec/ipsec_tunnel_template_001/action-list/1"
}
],
"session": "{{session}}",
"verbose": 1
}
{
"id": 3,
"result": [
{
"data": {
"action": "conf-ipsec-template",
"dynamic_mapping": null,
"model": null,
"oid": 5591,
"seq": 1,
"value": {
"automatic-routing": "enable",
"local-addr-type": "dynamic",
"name": "ol_isp1",
"nat": "disable",
"remote-subnet": [
"0.0.0.0/0.0.0.0"
],
"system interface": {
"ip": "0.0.0.0/0.0.0.0",
"remote-ip": "0.0.0.0/0.0.0.0"
},
"vpn ipsec phase1-interface": {
"acct-verify": "disable",
"add-gw-route": "disable",
"aggregate-member": "disable",
"authmethod": "psk",
"auto-discovery-crossover": "allow",
"auto-discovery-forwarder": "disable",
"auto-discovery-offer-interval": 5,
"auto-discovery-psk": "disable",
"auto-discovery-receiver": "disable",
"auto-discovery-sender": "disable",
"auto-negotiate": "enable",
"backup-gateway": [],
"childless-ike": "disable",
"client-auto-negotiate": "disable",
"client-keep-alive": "disable",
"comments": null,
"dhgrp": [
"14",
"5"
],
"distance": 15,
"dpd": "on-demand",
"dpd-retrycount": 3,
"dpd-retryinterval": [
20
],
"eap-cert-auth": "disable",
"eap-exclude-peergrp": [],
"eap-identity": "use-id-payload",
"ems-sn-check": "disable",
"encap-local-gw4": "0.0.0.0",
"encap-local-gw6": "::",
"encap-remote-gw4": "0.0.0.0",
"encap-remote-gw6": "::",
"encapsulation": "none",
"encapsulation-address": "ike",
"enforce-unique-id": "disable",
"esn": "disable",
"exchange-fgt-device-id": "disable",
"exchange-interface-ip": "disable",
"exchange-ip-addr4": "0.0.0.0",
"exchange-ip-addr6": "::",
"fallback-tcp-threshold": 15,
"fec-egress": "disable",
"fec-health-check": [],
"fec-ingress": "disable",
"fec-mapping-profile": [],
"fgsp-sync": "disable",
"fortinet-esp": "disable",
"fragmentation": "enable",
"fragmentation-mtu": 1200,
"group-authentication": "disable",
"group-authentication-secret": [
"ENC",
"vWtqtv0dyV9YmI2AVPGvHksmmGvaIQ0BPKapHEWAaZTomwBa3+cDcSVGHyGAVY73P5v58A1coRE7YJ6Nr9QKTgXTtPpJnTizVaju7iduNiLI6Ip82yHg6eBd6GiwX79JEmm67CA1GCJxisS/Ab7tJH7O8sn4JQby9FeGK9rxMD3zaC2h/g56sbmC74TRrrUj61HE0Q=="
],
"ha-sync-esp-seqno": "enable",
"idle-timeout": "disable",
"ike-version": "1",
"inbound-dscp-copy": "disable",
"include-local-lan": "disable",
"interface": [
"port1"
],
"ip-fragmentation": "post-encapsulation",
"ip-version": "4",
"ipsec-tunnel-slot": "auto",
"ipv4-split-exclude": [],
"ipv4-split-include": [],
"ipv6-dns-server1": "::",
"ipv6-dns-server2": "::",
"ipv6-dns-server3": "::",
"ipv6-split-exclude": [],
"ipv6-split-include": [],
"keepalive": 10,
"keylife": 86400,
"kms": [],
"link-cost": 0,
"local-gw": "0.0.0.0",
"localid": "$(local_id)",
"localid-type": "auto",
"mesh-selector-type": "disable",
"mode": "main",
"mode-cfg": "disable",
"monitor": [],
"monitor-hold-down-delay": 0,
"monitor-hold-down-time": "00:00",
"monitor-hold-down-type": "immediate",
"monitor-min": 0,
"name": "ol_isp1",
"nattraversal": "enable",
"negotiate-timeout": 30,
"net-device": "disable",
"npu-offload": "enable",
"oid": 5589,
"packet-redistribution": "disable",
"passive-mode": "disable",
"peertype": "any",
"ppk": "disable",
"ppk-identity": null,
"ppk-secret": [
"ENC",
"NQ700fmIoUlU5b4CTWn/STfnb0a5+oFLyiWrlV3pVKjtPvDcnHl7hANCiors48fMGnpd8ftwf5iKRisHrySywxQ7+Xulrn3vBrfzotfqVZ0uG2kUQ4e6DYSqI25IH9DqvCWy6R1uc6Wv9BqWCPMYM1ZAomfoMId86EsnphUeu1cvNEcPIiKQajAEkr53/2xWKYxhlg=="
],
"priority": 1,
"proposal": [
"aes128-sha256",
"aes256-sha256"
],
"psksecret": [
"ENC",
"OgEVpeNbadLJfCzF2xboH6jNNhCJxuDgQ6ZH6qjJO6vk9IPOOm/0MAqX8RJrQculrx76SbTZb9uAs21OTZdSGAi9+XAZF5f6AcBA31LcOjUrJZmJ5ESVKuSGQQbgiVrdbZdmrpF64wBnk+K1CglXt0a2c9+N3tYPgIWlCfS0CuroHamN"
],
"qkd": "disable",
"qkd-profile": [],
"reauth": "disable",
"rekey": "enable",
"remote-gw": "10.1.0.1",
"rsa-signature-format": "pkcs1",
"rsa-signature-hash-override": "disable",
"save-password": "disable",
"split-include-service": [],
"suite-b": "disable",
"transit-gateway": "disable",
"transport": "udp",
"type": "static",
"vni": 0,
"wizard-type": "custom",
"xauthtype": "disable"
},
"vpn ipsec phase2-interface": []
},
"var-list": null
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/template/_ipsec/ipsec_tunnel_template_001/action-list/1"
}
]
}
10.11.5. How to create a new IPsec Tunnel Template?
The following example shows how to create the ipsec_tunnel_template_001 in ADOM demo.
The created ipsec_tunnel_template_001 will be empty.
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"name": "ipsec_tunnel_template_001",
"template setting": {
"description": "New IPsec Tunnel Template",
"stype": "_ipsec",
"widgets": [
"_ipsec"
]
},
"type": "template"
},
"url": "/pm/template/_ipsec/adom/demo"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_ipsec/adom/demo"
}
]
}
10.11.6. How to create a new tunnel entry in an IPsec Tunnel Template?
Considering the number of settings that can be used to configure a tunnel entry within an IPsec Tunnel Template, the following process is recommended:
Use the FortiManager GUI to create an IPsec Tunnel Template and the desired tunnel entry.
Get the tunnel entry from the created IPsec Tunnel Template (see section How to get the tunnels of an IPsec Tunnel Template?).
Clean the tunnel entry: remove every seq and oid attribute.
Update the tunnel entry with your desired settings.
Use the following API request to add it to your existing IPsec Tunnel Template:
{
"id": 4,
"method": "add",
"params": [
{
"data": {
"action": "conf-ipsec-template",
"dynamic_mapping": null,
"value": {
"automatic-routing": "enable",
"local-addr-type": "dynamic",
"name": "ol_isp4",
"nat": "disable",
"remote-subnet": [
"0.0.0.0/0.0.0.0"
],
"system interface": {
"ip": "0.0.0.0/0.0.0.0",
"remote-ip": "0.0.0.0/0.0.0.0"
},
"vpn ipsec phase1-interface": {
"acct-verify": "disable",
"add-gw-route": "disable",
"add-route": "enable",
"aggregate-member": "disable",
"authmethod": "psk",
"auto-discovery-crossover": "allow",
"auto-discovery-forwarder": "disable",
"auto-discovery-offer-interval": 5,
"auto-discovery-psk": "disable",
"auto-discovery-receiver": "disable",
"auto-discovery-sender": "disable",
"auto-negotiate": "enable",
"backup-gateway": [],
"childless-ike": "disable",
"client-auto-negotiate": "disable",
"client-keep-alive": "disable",
"comments": null,
"dhgrp": [
"14",
"5"
],
"distance": 15,
"dpd": "on-demand",
"dpd-retrycount": 3,
"dpd-retryinterval": [
20
],
"eap-cert-auth": "disable",
"eap-exclude-peergrp": [],
"eap-identity": "use-id-payload",
"ems-sn-check": "disable",
"encap-local-gw4": "0.0.0.0",
"encap-local-gw6": "::",
"encap-remote-gw4": "0.0.0.0",
"encap-remote-gw6": "::",
"encapsulation": "none",
"encapsulation-address": "ike",
"enforce-unique-id": "disable",
"esn": "disable",
"exchange-fgt-device-id": "disable",
"exchange-interface-ip": "disable",
"exchange-ip-addr4": "0.0.0.0",
"exchange-ip-addr6": "::",
"fallback-tcp-threshold": 15,
"fec-egress": "disable",
"fec-health-check": [],
"fec-ingress": "disable",
"fec-mapping-profile": [],
"fgsp-sync": "disable",
"fortinet-esp": "disable",
"fragmentation": "enable",
"fragmentation-mtu": 1200,
"group-authentication": "disable",
"group-authentication-secret": [
"ENC",
"vWtqtv0dyV9YmI2AVPGvHksmmGvaIQ0BPKapHEWAaZTomwBa3+cDcSVGHyGAVY73P5v58A1coRE7YJ6Nr9QKTgXTtPpJnTizVaju7iduNiLI6Ip82yHg6eBd6GiwX79JEmm67CA1GCJxisS/Ab7tJH7O8sn4JQby9FeGK9rxMD3zaC2h/g56sbmC74TRrrUj61HE0Q=="
],
"ha-sync-esp-seqno": "enable",
"idle-timeout": "disable",
"ike-version": "1",
"inbound-dscp-copy": "disable",
"include-local-lan": "disable",
"interface": [
"port4"
],
"ip-fragmentation": "post-encapsulation",
"ip-version": "4",
"ipsec-tunnel-slot": "auto",
"ipv4-dns-server1": "0.0.0.0",
"ipv4-dns-server2": "0.0.0.0",
"ipv4-dns-server3": "0.0.0.0",
"ipv4-split-exclude": [],
"ipv4-split-include": [],
"ipv6-dns-server1": "::",
"ipv6-dns-server2": "::",
"ipv6-dns-server3": "::",
"ipv6-split-exclude": [],
"ipv6-split-include": [],
"keepalive": 10,
"keylife": 86400,
"kms": [],
"link-cost": 0,
"local-gw": "0.0.0.0",
"localid": "$(local_id)",
"localid-type": "auto",
"mesh-selector-type": "disable",
"mode": "main",
"mode-cfg": "enable",
"monitor": [],
"monitor-hold-down-delay": 0,
"monitor-hold-down-time": "00:00",
"monitor-hold-down-type": "immediate",
"monitor-min": 0,
"name": "ol_isp4",
"nattraversal": "enable",
"negotiate-timeout": 30,
"net-device": "enable",
"npu-offload": "enable",
"packet-redistribution": "disable",
"passive-mode": "disable",
"peertype": "any",
"ppk": "disable",
"ppk-identity": null,
"ppk-secret": [
"ENC",
"NQ700fmIoUlU5b4CTWn/STfnb0a5+oFLyiWrlV3pVKjtPvDcnHl7hANCiors48fMGnpd8ftwf5iKRisHrySywxQ7+Xulrn3vBrfzotfqVZ0uG2kUQ4e6DYSqI25IH9DqvCWy6R1uc6Wv9BqWCPMYM1ZAomfoMId86EsnphUeu1cvNEcPIiKQajAEkr53/2xWKYxhlg=="
],
"priority": 1,
"proposal": [
"3des-sha256",
"aes128-sha256",
"aes256-sha256"
],
"psksecret": [
"ENC",
"g73TtefcuMRNMr7WN/AMtDoAIL9qSml2e0vC82V07B+g17Z4aZSCaomgx5pqFCfidmkFZ+w+wvA+/WD6tyz536owihc6zYbEBxSxdBGsUa44geMD2Be/o/yDmQZJo7R5UrRtWAweS1qpX+hZBKLt/Z/O0Ytbh72RS5VeRrqwqcz7kv+M"
],
"qkd": "disable",
"qkd-profile": [],
"reauth": "disable",
"rekey": "enable",
"remote-gw": "10.4.0.1",
"rsa-signature-format": "pkcs1",
"rsa-signature-hash-override": "disable",
"save-password": "disable",
"split-include-service": [],
"suite-b": "disable",
"transit-gateway": "disable",
"transport": "udp",
"type": "static",
"vni": 0,
"wizard-type": "custom",
"xauthtype": "disable"
},
"vpn ipsec phase2-interface": [
{
"add-route": "phase1",
"auto-discovery-forwarder": "phase1",
"auto-discovery-sender": "phase1",
"auto-negotiate": "disable",
"comments": null,
"dhcp-ipsec": "disable",
"diffserv": "disable",
"diffservcode": "000000",
"dst-addr-type": "subnet",
"dst-port": 0,
"dst-subnet": [
"0.0.0.0",
"0.0.0.0"
],
"encapsulation": "tunnel-mode",
"inbound-dscp-copy": "phase1",
"ipv4-df": "disable",
"keepalive": "enable",
"keylife-type": "seconds",
"keylifeseconds": 40000,
"name": "ol_isp4",
"pfs": "enable",
"phase1name": "ol_isp4",
"proposal": [
"aes128-sha256",
"aes256-sha256",
"aes128-sha1",
"aes256-sha1",
"aes128gcm",
"aes256gcm",
"chacha20poly1305"
],
"protocol": 0,
"replay": "enable",
"route-overlap": "use-new",
"single-source": "disable",
"src-addr-type": "subnet",
"src-port": 0,
"src-subnet": [
"0.0.0.0",
"0.0.0.0"
]
}
]
},
"var-list": null
},
"url": "/pm/config/adom/demo/template/_ipsec/ipsec_tunnel_template_001/action-list"
}
],
"session": "{{session}}"
}
{
"id": 4,
"result": [
{
"data": {
"seq": 4
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/template/_ipsec/ipsec_tunnel_template_001/action-list"
}
]
}
"""
Create a new tunnel in an IPsec Tunnel Template
"""
from pyFMG.fortimgr import FortiManager

IP = "10.210.34.120"
USERNAME = "devops"
PASSWORD = "fortinet"

with FortiManager(
    IP,
    USERNAME,
    PASSWORD,
    verbose=True,
    disable_request_warnings=True,
) as fmg:
    ADOM = "demo"
    MKEY = "ipsec_tunnel_template_001"
    url = f"/pm/config/adom/{ADOM}/template/_ipsec/{MKEY}/action-list"

    # Get the existing tunnels, last one is the one you want to use as a
    # reference
    response = fmg.get(url)

    # Extract the list of tunnels
    tunnels = response[1]

    # Last one is the one to be used as a reference
    tunnel = tunnels[-1].copy()

    # Get rid of seq, and OIDs (you have multiple OIDs)
    del tunnel["oid"]
    del tunnel["seq"]
    del tunnel["value"]["vpn ipsec phase1-interface"]["oid"]
    for p2 in tunnel["value"]["vpn ipsec phase2-interface"]:
        del p2["oid"]

    # Adapt the tunnel configuration
    TUNNEL_NAME = "ol_isp4"
    tunnel["value"]["name"] = TUNNEL_NAME
    tunnel["value"]["vpn ipsec phase1-interface"]["remote-gw"] = "10.4.0.1"
    tunnel["value"]["vpn ipsec phase1-interface"]["name"] = TUNNEL_NAME
    tunnel["value"]["vpn ipsec phase1-interface"]["interface"] = ["port4"]
    tunnel["value"]["vpn ipsec phase1-interface"]["mode-cfg"] = "enable"
    tunnel["value"]["vpn ipsec phase1-interface"]["net-device"] = "enable"
    tunnel["value"]["vpn ipsec phase2-interface"][0]["name"] = TUNNEL_NAME
    tunnel["value"]["vpn ipsec phase2-interface"][0]["phase1name"] = TUNNEL_NAME

    # Add this new tunnel in the IPsec Tunnel Template
    fmg.debug = True
    fmg.add(
        url,
        data=tunnel,
    )
    fmg.debug = False
10.11.7. How to update an existing tunnel entry in an IPsec Tunnel Interface?
As with adding a new tunnel (see section How to create a new tunnel entry in an IPsec Tunnel Template?), this is not trivial.
The following process is recommended:
Get the tunnel you want to modify using How to get a specific tunnel of an IPsec Tunnel Template?
Clean the tunnel entry: remove every seq and oid attribute.
Update the tunnel entry with your desired settings.
Use the following API request to update the IPsec Tunnel Template with your updated tunnel entry:
{
"id": 4,
"method": "update",
"params": [
{
"data": {
"action": "conf-ipsec-template",
"dynamic_mapping": null,
"model": null,
"value": {
"automatic-routing": "enable",
"local-addr-type": "dynamic",
"name": "ol_isp4",
"nat": "disable",
"remote-subnet": [
"0.0.0.0/0.0.0.0"
],
"system interface": {
"ip": "0.0.0.0/0.0.0.0",
"remote-ip": "0.0.0.0/0.0.0.0"
},
"vpn ipsec phase1-interface": {
"acct-verify": "disable",
"add-gw-route": "disable",
"add-route": "enable",
"aggregate-member": "disable",
"authmethod": "psk",
"auto-discovery-crossover": "allow",
"auto-discovery-forwarder": "disable",
"auto-discovery-offer-interval": 5,
"auto-discovery-psk": "disable",
"auto-discovery-receiver": "disable",
"auto-discovery-sender": "disable",
"auto-negotiate": "enable",
"backup-gateway": [],
"childless-ike": "disable",
"client-auto-negotiate": "disable",
"client-keep-alive": "disable",
"comments": null,
"dhgrp": [
"14",
"5"
],
"distance": 15,
"dpd": "on-demand",
"dpd-retrycount": 3,
"dpd-retryinterval": [
20
],
"eap-cert-auth": "disable",
"eap-exclude-peergrp": [],
"eap-identity": "use-id-payload",
"ems-sn-check": "disable",
"encap-local-gw4": "0.0.0.0",
"encap-local-gw6": "::",
"encap-remote-gw4": "0.0.0.0",
"encap-remote-gw6": "::",
"encapsulation": "none",
"encapsulation-address": "ike",
"enforce-unique-id": "disable",
"esn": "disable",
"exchange-fgt-device-id": "disable",
"exchange-interface-ip": "disable",
"exchange-ip-addr4": "0.0.0.0",
"exchange-ip-addr6": "::",
"fallback-tcp-threshold": 15,
"fec-egress": "disable",
"fec-health-check": [],
"fec-ingress": "disable",
"fec-mapping-profile": [],
"fgsp-sync": "disable",
"fortinet-esp": "disable",
"fragmentation": "enable",
"fragmentation-mtu": 1200,
"group-authentication": "disable",
"group-authentication-secret": [
"ENC",
"vWtqtv0dyV9YmI2AVPGvHksmmGvaIQ0BPKapHEWAaZTomwBa3+cDcSVGHyGAVY73P5v58A1coRE7YJ6Nr9QKTgXTtPpJnTizVaju7iduNiLI6Ip82yHg6eBd6GiwX79JEmm67CA1GCJxisS/Ab7tJH7O8sn4JQby9FeGK9rxMD3zaC2h/g56sbmC74TRrrUj61HE0Q=="
],
"ha-sync-esp-seqno": "enable",
"idle-timeout": "disable",
"ike-version": "1",
"inbound-dscp-copy": "disable",
"include-local-lan": "disable",
"interface": [
"port4"
],
"ip-fragmentation": "post-encapsulation",
"ip-version": "4",
"ipsec-tunnel-slot": "auto",
"ipv4-dns-server1": "0.0.0.0",
"ipv4-dns-server2": "0.0.0.0",
"ipv4-dns-server3": "0.0.0.0",
"ipv4-split-exclude": [],
"ipv4-split-include": [],
"ipv6-dns-server1": "::",
"ipv6-dns-server2": "::",
"ipv6-dns-server3": "::",
"ipv6-split-exclude": [],
"ipv6-split-include": [],
"keepalive": 10,
"keylife": 86400,
"kms": [],
"link-cost": 0,
"local-gw": "0.0.0.0",
"localid": "$(local_id)",
"localid-type": "auto",
"mesh-selector-type": "disable",
"mode": "main",
"mode-cfg": "enable",
"monitor": [],
"monitor-hold-down-delay": 0,
"monitor-hold-down-time": "00:00",
"monitor-hold-down-type": "immediate",
"monitor-min": 0,
"name": "ol_isp4",
"nattraversal": "enable",
"negotiate-timeout": 30,
"net-device": "enable",
"npu-offload": "enable",
"packet-redistribution": "disable",
"passive-mode": "disable",
"peertype": "any",
"ppk": "disable",
"ppk-identity": null,
"ppk-secret": [
"ENC",
"NQ700fmIoUlU5b4CTWn/STfnb0a5+oFLyiWrlV3pVKjtPvDcnHl7hANCiors48fMGnpd8ftwf5iKRisHrySywxQ7+Xulrn3vBrfzotfqVZ0uG2kUQ4e6DYSqI25IH9DqvCWy6R1uc6Wv9BqWCPMYM1ZAomfoMId86EsnphUeu1cvNEcPIiKQajAEkr53/2xWKYxhlg=="
],
"priority": 1,
"proposal": [
"3des-sha256",
"aes128-sha256",
"aes256-sha256"
],
"psksecret": [
"ENC",
"TydeKqgUi6no2Uw0823BDtUEKGJ8bveeYnF89AL1UBxKwEtMRPWDZdCqcUZWvT4fb9WxjxE46IVfensAVliIh+4ClKn3ZG0RWgwIFykUzVEj8WJ8wNUNG7XCcWmwAYrRbUK93VmF4EkAUSAPgRtYGCPLPoa/zDTBK3abOg9iB+rZ0Obi"
],
"qkd": "disable",
"qkd-profile": [],
"reauth": "disable",
"rekey": "enable",
"remote-gw": "10.6.0.1",
"rsa-signature-format": "pkcs1",
"rsa-signature-hash-override": "disable",
"save-password": "disable",
"split-include-service": [],
"suite-b": "disable",
"transit-gateway": "disable",
"transport": "udp",
"type": "static",
"vni": 0,
"wizard-type": "custom",
"xauthtype": "disable"
},
"vpn ipsec phase2-interface": [
{
"add-route": "phase1",
"auto-discovery-forwarder": "phase1",
"auto-discovery-sender": "phase1",
"auto-negotiate": "disable",
"comments": null,
"dhcp-ipsec": "disable",
"diffserv": "disable",
"diffservcode": "000000",
"dst-addr-type": "subnet",
"dst-port": 0,
"dst-subnet": [
"0.0.0.0",
"0.0.0.0"
],
"encapsulation": "tunnel-mode",
"inbound-dscp-copy": "phase1",
"ipv4-df": "disable",
"keepalive": "enable",
"keylife-type": "seconds",
"keylifeseconds": 40000,
"name": "ol_isp4",
"pfs": "enable",
"phase1name": [
"ol_isp4"
],
"proposal": [
"aes128-sha256",
"aes256-sha256",
"aes128-sha1",
"aes256-sha1",
"aes128gcm",
"aes256gcm",
"chacha20poly1305"
],
"protocol": 0,
"replay": "enable",
"route-overlap": "use-new",
"single-source": "disable",
"src-addr-type": "subnet",
"src-port": 0,
"src-subnet": [
"0.0.0.0",
"0.0.0.0"
]
}
]
},
"var-list": null
},
"url": "/pm/config/adom/demo/template/_ipsec/ipsec_tunnel_template_001/action-list/4"
}
],
"session": "{{session}}"
}
{
"id": 4,
"result": [
{
"data": {
"seq": 4
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/adom/demo/template/_ipsec/ipsec_tunnel_template_001/action-list/4"
}
]
}
"""
Update an existing tunnel in an IPsec Tunnel Template
"""
from pyFMG.fortimgr import FortiManager

IP = "10.210.34.120"
USERNAME = "devops"
PASSWORD = "fortinet"

with FortiManager(
    IP,
    USERNAME,
    PASSWORD,
    verbose=True,
    disable_request_warnings=True,
) as fmg:
    ADOM = "demo"
    MKEY = "ipsec_tunnel_template_001"
    SEQ = 4
    url = f"/pm/config/adom/{ADOM}/template/_ipsec/{MKEY}/action-list/{SEQ}"

    # Get the tunnel you want to modify
    response = fmg.get(url)
    tunnel = response[1].copy()

    # Get rid of seq, and OIDs (you have multiple OIDs)
    del tunnel["oid"]
    del tunnel["seq"]
    del tunnel["value"]["vpn ipsec phase1-interface"]["oid"]
    for p2 in tunnel["value"]["vpn ipsec phase2-interface"]:
        del p2["oid"]

    # Modify your tunnel
    tunnel["value"]["vpn ipsec phase1-interface"]["remote-gw"] = "10.6.0.1"

    # Update your tunnel
    fmg.debug = True
    fmg.update(
        url,
        data=tunnel,
    )
    fmg.debug = False
10.11.8. How to assign devices to an IPsec Tunnel Template?#
The following example shows how to assign the dev_001 managed device and its root VDOM to the ipsec_tunnel_template_001 IPsec Tunnel Template in the demo ADOM:
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"name": "dev_001",
"vdom": "root"
},
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001/scope member"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001/scope member"
}
]
}
The following example shows how to assign the dev_002 and dev_003 managed devices and their respective root VDOMs to the ipsec_tunnel_template_001 IPsec Tunnel Template in the demo ADOM:
{
"id": 3,
"method": "add",
"params": [
{
"data": [
{
"name": "dev_002",
"vdom": "root"
},
{
"name": "dev_003",
"vdom": "root"
}
],
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001/scope member"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001/scope member"
}
]
}
10.11.9. How to assign device groups to an IPsec Tunnel Template?#
The following example shows how to assign the dev_grp_001 device group to the ipsec_tunnel_template_001 IPsec Tunnel Template in the demo ADOM:
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"is group": 1,
"name": "dev_grp_001"
},
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001/scope member"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001/scope member"
}
]
}
The following example shows how to assign the dev_grp_002 and dev_grp_003 device groups to the ipsec_tunnel_template_001 IPsec Tunnel Template in the demo ADOM:
{
"id": 3,
"method": "add",
"params": [
{
"data": [
{
"is group": 1,
"name": "dev_grp_002"
},
{
"is group": 1,
"name": "dev_grp_003"
}
],
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001/scope member"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001/scope member"
}
]
}
10.11.10. How to unassign devices from an IPsec Tunnel Template?#
The following example shows how to unassign the dev_001 managed device and its root VDOM from the ipsec_tunnel_template_001 IPsec Tunnel Template in the demo ADOM:
{
"id": 3,
"method": "delete",
"params": [
{
"data": {
"name": "dev_001",
"vdom": "root"
},
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001/scope member"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001/scope member"
}
]
}
The following example shows how to unassign the dev_002 and dev_003 managed devices and their respective root VDOMs from the ipsec_tunnel_template_001 IPsec Tunnel Template in the demo ADOM:
{
"id": 3,
"method": "delete",
"params": [
{
"data": [
{
"name": "dev_002",
"vdom": "root"
},
{
"name": "dev_003",
"vdom": "root"
}
],
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001/scope member"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001/scope member"
}
]
}
10.11.11. How to unassign device groups from an IPsec Tunnel Template?#
The following example shows how to unassign the dev_grp_001 device group from the ipsec_tunnel_template_001 IPsec Tunnel Template in the demo ADOM:
{
"id": 3,
"method": "delete",
"params": [
{
"data": {
"is group": 1,
"name": "dev_grp_001"
},
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001/scope member"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001/scope member"
}
]
}
The following example shows how to unassign the dev_grp_002 and dev_grp_003 device groups from the ipsec_tunnel_template_001 IPsec Tunnel Template in the demo ADOM:
{
"id": 3,
"method": "delete",
"params": [
{
"data": [
{
"is group": 1,
"name": "dev_grp_002"
},
{
"is group": 1,
"name": "dev_grp_003"
}
],
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001/scope member"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001/scope member"
}
]
}
10.11.12. How to delete an IPsec Tunnel Template?#
The following example shows how to delete the ipsec_tunnel_template_001 in ADOM demo:
{
"id": 3,
"method": "delete",
"params": [
{
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_ipsec/adom/demo/ipsec_tunnel_template_001"
}
]
}
10.12. Static Route Template#
10.12.1. How to update/set a static route template?#
Caught in #0690603.
REQUEST:
{
"client":"gui forward:10270",
"id": "df8d1f1b-e13f-443d-9afc-c2d38d098dba",
"keep_session_idle": 1,
"method": "set",
"params": [
{
"data": [
{
"action": "conf-static-router",
"dynamic_mapping": null,
"model": "all",
"seq": 1,
"value": "{\"comment\":\"\",\"device\":\"port5\",\"distance\":10,\"dst\":[\"0.0.0.0\",\"0.0.0.0\"],\"gateway\":\"172.18.26.1\",\"priority\":0,\"seq-num\":0,\"status\":\"enable\",\"weight\":0}",
"var-list": [
{
"name": "router static\/bfd",
"override": 0
},
{
"name": "router static\/link-monitor-exempt",
"override": 0
},
{
"name": "router static\/internet-service-custom",
"override": 0
},
{
"name": "router static\/internet-service",
"override": 0
},
{
"name": "router static\/dstaddr",
"override": 0
},
{
"name": "router static\/virtual-wan-link",
"override": 0
},
{
"name": "router static\/dynamic-gateway",
"override": 0
},
{
"name": "router static\/blackhole",
"override": 0
},
{
"name": "router static\/comment",
"override": 0
},
{
"name": "router static\/priority",
"override": 0
},
{
"name": "router static\/weight",
"override": 0
},
{
"name": "router static\/distance",
"override": 0
},
{
"name": "router static\/gateway",
"override": 0
},
{
"name": "router static\/status",
"override": 0
},
{
"name": "router static\/dst",
"override": 0
},
{
"name": "router static\/device",
"override": 0
},
{
"name": "router static\/seq-num",
"override": 0
}
]
}
],
"target start": 2,
"url": "/pm/config/adom/root/template/test1/device/template/widget/router/action-list/"
}
],
"session": 6783
}
10.12.2. How to get Static Route Templates?#
We get all Static Route Templates from ADOM root:
REQUEST:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/template/_router_static/adom/root"
}
],
"session": "KY9gBgxpcfKw2w7Ya6Qb0mG4jbh5kgPb4LytdywexHmHs7KK7nUx2gRz4vv/nShMnQq/PTZ2aps9gwbpcTBMzg==",
"verbose": 1
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": [
{
"name": "branches",
"oid": 3924,
"scope member": [
{
"name": "site_001",
"vdom": "root"
}
],
"template setting": {
"stype": "_router_static",
"widgets": [
"_router_static"
]
},
"type": "template"
},
{
"name": "hubs",
"oid": 3928,
"template setting": {
"stype": "_router_static",
"widgets": [
"_router_static"
]
},
"type": "template"
}
],
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_router_static/adom/root"
}
]
}
10.12.3. How to get a specific Static Route Template?#
We get Static Route Template branches from ADOM root:
REQUEST:
{
"id": 3,
"method": "get",
"params": [
{
"url": "/pm/template/_router_static/adom/root/branches"
}
],
"session": "6GkxtDeWVOQnARmjgHgEDRb4EiSj4c1g1xlCfJ2EHxmKnU3OJwGjSraJjQpDvxmp3914eOsvGWganKIQUUB6Ug==",
"verbose": 1
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": {
"name": "branches",
"oid": 3924,
"scope member": [
{
"name": "site_001",
"vdom": "root"
}
],
"template setting": {
"description": null,
"option": null,
"stype": "_router_static",
"widgets": [
"_router_static"
]
},
"type": "template"
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_router_static/adom/root/branches"
}
]
}
10.12.4. How to assign a device to a Static Route Template?#
Starting with FMG 7.2.1, you can use the add way (vs the update way, which forces you to first get the list of existing members, update the list, and then push it back).
We assign device site_003 and its VDOM root to Static Route Template branches in ADOM root:
REQUEST:
{
"id": 3,
"method": "add",
"params": [
{
"data": [
{
"name": "site_003",
"vdom": "root"
}
],
"url": "/pm/template/_router_static/adom/root/branches/scope member"
}
],
"session": "h/Z14lbhlu+Nk6ZpqQnXrM8z2jh+HFXJTP4h8QqhxDD4IQ6oohLctpcoXh/YAKcxLb+7EGxjSVyYw/DzZCL9gyOcQARoDb+0"
}
RESPONSE:
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_router_static/adom/root/branches/scope member"
}
]
}
10.12.5. How to assign a device group to a Static Route Template?#
We assign device group branches to Static Route Template branches in ADOM root:
REQUEST:
{
"id": 3,
"method": "add",
"params": [
{
"data": [
{
"is group": 1,
"name": "branches"
}
],
"url": "/pm/template/_router_static/adom/root/branches/scope member"
}
],
"session": "qG4el6X+OTwoScWKwMuNKwjCieab6fKxHgKVyxOsZ4nsbW2Qb0dTPFfEsJWOr6Wu+2Uncj3mhLoVf9jhenrO4hFMCIjoRii6"
}
RESPONSE:
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_router_static/adom/root/branches/scope member"
}
]
}
10.12.6. How to unassign a device from a Static Route Template?#
We unassign device site_003 and its VDOM root from Static Route Template branches in ADOM root:
REQUEST:
{
"id": 3,
"method": "delete",
"params": [
{
"data": [
{
"name": "site_003",
"vdom": "root"
}
],
"url": "/pm/template/_router_static/adom/root/branches/scope member"
}
],
"session": "6FAQQNLnra/2eZem4NTzSu9IpB0clQ6GaCfhz7D8jag+djcaP8QtRWPP6mK+yKNM7YKARB55V25IR3+eqsF/5JAfIJfXFKmi"
}
RESPONSE:
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_router_static/adom/root/branches/scope member"
}
]
}
10.12.7. How to unassign a device group from a Static Route Template?#
We unassign device group branches from Static Route Template branches in ADOM root:
REQUEST:
{
"id": 3,
"method": "delete",
"params": [
{
"data": [
{
"is group": 1,
"name": "branches"
}
],
"url": "/pm/template/_router_static/adom/root/branches/scope member"
}
],
"session": "NQ8D2CMzoMgvuD3Sztyxrq7n6zW36tkigp7pLkz/ys4yDJOJ5rVLr8FKj2Pbm6e/tqfca0pUlGjqYuDGZ6lQHEDknPh32hLK"
}
RESPONSE:
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/template/_router_static/adom/root/branches/scope member"
}
]
}
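The assign and unassign calls in 10.11.8 to 10.11.11 and 10.12.4 to 10.12.7 share one URL pattern, so a script can compare a template's current scope member list (from a get such as 10.12.3) with the intended one and send only the difference. This is an added example, not code from this guide: the function names and the sample response are constructed, and it assumes a get returns group members in the same "is group" form used in the requests.

```python
# Constructed sample, modelled on the 10.12.3 response.
SAMPLE_GET = {"id": 3, "result": [{
    "data": {"name": "branches", "oid": 3924,
             "scope member": [{"name": "site_001", "vdom": "root"}],
             "type": "template"},
    "status": {"code": 0, "message": "OK"},
    "url": "/pm/template/_router_static/adom/root/branches"}]}


def _member_key(member):
    """Identity of a scope member: a device group, or a device/VDOM pair."""
    if member.get("is group") == 1:
        return ("group", member["name"])
    return ("device", member["name"], member["vdom"])


def current_members(get_response):
    """Extract scope members from a `get` response; raise on an API error."""
    result = get_response["result"][0]
    status = result["status"]
    if status["code"] != 0:
        raise RuntimeError(f"{result['url']}: {status['code']} {status['message']}")
    # An unassigned template has no "scope member" key at all (see "hubs" in 10.12.2).
    return result["data"].get("scope member") or []


def plan_scope_change(get_response, desired, stype, adom, template,
                      session="{{session}}"):
    """Return (add_request, delete_request); each is None when nothing changes."""
    have = {_member_key(m): m for m in current_members(get_response)}
    want = {_member_key(m): m for m in desired}
    url = f"/pm/template/{stype}/adom/{adom}/{template}/scope member"

    def request(method, members):
        if not members:
            return None
        return {"id": 3, "method": method,
                "params": [{"data": members, "url": url}],
                "session": session}

    to_add = [want[k] for k in want if k not in have]
    to_delete = [have[k] for k in have if k not in want]
    return request("add", to_add), request("delete", to_delete)


if __name__ == "__main__":
    import json
    desired = [{"name": "site_001", "vdom": "root"},
               {"name": "site_003", "vdom": "root"},
               {"is group": 1, "name": "branches"}]
    add, delete = plan_scope_change(SAMPLE_GET, desired,
                                    "_router_static", "root", "branches")
    print(json.dumps(add, indent=2))
    print(delete)
```

Because only the missing or surplus members are sent, the generated requests double as a reviewable change record before anything is pushed to FortiManager.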
10.12.8. How to create a Static Route Template from an Import from Device operation?#
Caught in #0976806.
The following example shows how to create the static_route_template_001 by importing existing static routes (IPv4 and IPv6 ones) from the existing dev_001 managed device and its root VDOM.
The static_route_template_001 Static Route Template will be created in the demo ADOM:
{
"id": 3,
"method": "clone",
"params": [
{
"data": {
"new url": "/pm/config/adom/demo/template/_router_static/static_route_template_001"
},
"url": "/pm/config/device/dev_001/vdom/root/router/static"
},
{
"data": {
"new url": "/pm/config/adom/demo/template/_router_static/static_route_template_001"
},
"url": "/pm/config/device/dev_001/vdom/root/router/static6"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/device/dev_001/vdom/root/router/static"
},
{
"status": {
"code": 0,
"message": "OK"
},
"url": "/pm/config/device/dev_001/vdom/root/router/static6"
}
]
}
10.13. Template Group#
10.13.1. How to create a Template Group?#
The following example shows how to create a new Template Group named template_group_001 in the dc_africa ADOM and referencing the following other templates:
- The cli_template_group_001 CLI Template Group
- The ap_profile_001 FortiAP Profile
- The fsw_template_001 FortiSwitch Template
- The fext_profile_001 FortiExtender Profile
- The system_template_001 System Template
- The threat_weight_template_001 Threat Weight Template
- The ipsec_tunnel_template_001 IPsec Tunnel Template
- The bgp_template_001 BGP Template
- The static_route_template_001 Static Route Template
- The sdwan_template_001 SD-WAN Template
{
"id": 3,
"method": "add",
"params": [
{
"data": {
"name": "template_group_001",
"template group setting": {
"description": "",
"cliprofs": [
"cli_template_group_001"
],
"wtpprofs": [
"ap_profile_001"
],
"fspprofs": [
"fsw_template_001"
],
"fxtprofs": [
"fext_profile_001"
],
"templates": [
"1__system_template_001",
"3__threat_weight_template_001",
"4-1__ipsec_tunnel_template_001",
"4-1240__bgp_template_001",
"4-2__static_route_template_001",
"5__sdwan_template_001"
]
},
"type": "tmplgrp"
},
"url": "pm/tmplgrp/adom/dc_africa"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/tmplgrp/adom/dc_africa"
}
]
}
As you can see, some of the used templates can be referenced by just using their names.
For instance, to specify a CLI Template Group (or a CLI Template), you just use the name of the CLI Template Group, like cli_template_group_001.
The same logic applies when you want to reference a FortiAP Profile, a FortiSwitch Template or a FortiExtender Profile.
However, in the above example, what’s unusual is the way you specify some of the used templates in the templates attribute.
For instance, to specify the system_template_001 System Template, you have to use 1__system_template_001.
Here is what you should use to designate such a template:
<key>-[<sub_key>]__<template_name>
where:
- key is the identifier of the template type. For instance, 1 for a System Template, 3 for a Threat Weight Template, 4 for an IPsec Tunnel Template, a BGP Template and a Static Route Template, and 5 for an SD-WAN Template.
- sub_key is mostly for when the key value is 4; it helps to specify the exact template type. For instance, 1 for IPsec Tunnel Template, 1240 for BGP Template and 2 for Static Route Template.
- template_name is the template name.
When a template type has no sub_key, the hyphen is omitted as well, as in 1__system_template_001 in the above example.
The following table gives all the possible key, sub_key values collected from FortiManager 7.4.2:
| key | sub_key | Template Type |
---|---|---|
| 1 | N/A | System Template |
| 3 | N/A | Threat Weight Template |
| 4 | 1 | IPsec Tunnel Template |
| 4 | 2 | Static Route Template |
| 4 | 1240 | BGP Template |
| 5 | N/A | SD-WAN Template |
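The reference format described above can be generated and checked in code rather than typed by hand. This is an added example, not code from this guide: the type labels (system, ipsec_tunnel, ...) and function names are hypothetical, while the key and sub_key values are the ones listed for FortiManager 7.4.2.

```python
import re

# key / sub_key per template type, as listed above (FortiManager 7.4.2).
# The dictionary labels are hypothetical names chosen for this example.
TEMPLATE_KEYS = {
    "system": (1, None),
    "threat_weight": (3, None),
    "ipsec_tunnel": (4, 1),
    "static_route": (4, 2),
    "bgp": (4, 1240),
    "sdwan": (5, None),
}
_BY_KEY = {pair: label for label, pair in TEMPLATE_KEYS.items()}
_REF = re.compile(r"^(\d+)(?:-(\d+))?__(.+)$")


def make_ref(template_type, name):
    """Return the string expected in the `templates` attribute."""
    key, sub_key = TEMPLATE_KEYS[template_type]  # KeyError on an unknown type
    prefix = str(key) if sub_key is None else f"{key}-{sub_key}"
    return f"{prefix}__{name}"


def parse_ref(ref):
    """Split a reference into (template_type, name); reject unknown keys."""
    match = _REF.match(ref)
    if not match:
        raise ValueError(f"not a template reference: {ref!r}")
    key = int(match.group(1))
    sub_key = int(match.group(2)) if match.group(2) else None
    if (key, sub_key) not in _BY_KEY:
        raise ValueError(f"unknown key/sub_key in {ref!r}")
    return _BY_KEY[(key, sub_key)], match.group(3)


def template_group_request(adom, group, members, cliprofs=(),
                           session="{{session}}"):
    """Build the `add` request of 10.13.1 from (template_type, name) pairs."""
    return {
        "id": 3,
        "method": "add",
        "params": [{
            "data": {
                "name": group,
                "template group setting": {
                    "description": "",
                    "cliprofs": list(cliprofs),
                    "templates": [make_ref(t, n) for t, n in members],
                },
                "type": "tmplgrp",
            },
            "url": f"pm/tmplgrp/adom/{adom}",
        }],
        "session": session,
    }
```

Running parse_ref over the templates list of an existing Template Group is a quick way to audit which template types it pulls in before assigning it to devices.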
10.13.2. How to assign a Template Group to a Device Group?#
Caught in #0751625.
REQUEST:
{
"id": "64ed853f-1c61-47cb-8581-cefa6742694b",
"method": "update",
"params": [
{
"url": "pm/tmplgrp/adom/vpn_mgmt70",
"data": [
{
"name": "qagr",
"type": "tmplgrp",
"scope member": [
{
"name": "BBY-gr",
"is group": 1
}
],
"template group setting": {
"description": "",
"cliprofs": [
"cli_001"
],
"templates": [
"4-2__staticroute001",
"4-1__55"
]
}
}
]
}
]
}
10.14. How to delete a Template Group?#
To delete the template_group_001 from the dc_africa ADOM:
{
"id": 3,
"method": "delete",
"params": [
{
"url": "pm/tmplgrp/adom/dc_africa/template_group_001"
}
],
"session": "{{session}}"
}
{
"id": 3,
"result": [
{
"status": {
"code": 0,
"message": "OK"
},
"url": "pm/tmplgrp/adom/dc_africa/template_group_001"
}
]
}
10.16. Export/import#
Starting with FMG 7.2.0 build 1114, it is now possible to export/import the Provisioning Templates along with some other similar objects like FortiSwitch Template, FortiAP Profiles, etc.
10.16.1. How to get the list of templates which can be exported?#
REQUEST:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"list_category": "yes"
},
"url": "/deployment/export/template"
}
],
"session": "A9TEprfeUJVGQVh6KmBvq3DUj1OxK3/Y/H3BjldNv2h3h8x9ANQT2umZtaPxPEVAqK2HopBeirNEA3ox6AMozQ=="
}
RESPONSE:
{
"id": 3,
"result": [
{
"data": {
"category": {
"ap-prof": "AP Profile",
"bgp-prof": "BGP Templates",
"ble-prof": "Bluetooth Profile",
"bonjour-prof": "Bonjour Profile",
"cert-prof": "Certificate Templates",
"cli-prof": "CLI Templates",
"cr-prof": "Threat Weight Templates",
"cst-prof": "NSX-T Service Templates",
"fext-prof": "FortiExtender Templates",
"ipsec-prof": "IPsec Tunnel Templates",
"qos-prof": "QoS Profile",
"route-prof": "Static Route Templates",
"sdwan-prof": "SD-WAN Templates",
"switch-prof": "FortiSwitch Templates",
"sys-prof": "System Templates"
}
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/deployment/export/template"
}
]
}
10.16.2. How to export a selected list of templates?#
REQUEST:
{
"id": 3,
"method": "exec",
"params": [
{
"data": {
"adom": 162,
"category": [
"ap-prof",
"bgp-prof",
"ble-prof",
"bonjour-prof",
"cert-prof",
"cli-prof",
"cr-prof",
"cst-prof",
"fext-prof",
"ipsec-prof",
"qos-prof",
"route-prof",
"sdwan-prof",
"switch-prof",
"sys-prof"
],
"create_task": "true"
},
"url": "/deployment/export/template"
}
],
"session": "jhB4fV6YFtuKK+J7TDsOvlYC+6aPDsaPlqpp8iBC55gGjXb3AvpEpd0XSaP2RObspzlpElAuV3dIicaPwwUThg=="
}
Note: We have to provide the ADOM OID (162 in the above request); it won’t work if we provide the ADOM name.
RESPONSE:
{
"id": 3,
"result": [
{
"data": {
"file": "export_template_w1ClUv.json",
"taskid": 68
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/deployment/export/template"
}
]
}