Provisioning Template Management ================================ Templates Operations -------------------- How to get all provisioning templates? ++++++++++++++++++++++++++++++++++++++ Tested with FMG 7.2.2-INTERIM build 1247. The following example shows how to get provisioning templates in the ``demo`` ADOM: .. tab-set:: .. tab-item:: REQUEST .. code-block:: json { "id": 3, "method": "get", "params": [ { "url": "/pm/template/adom/demo" } ], "session": "{{demo}}", "verbose": 1 } .. tab-item:: RESPONSE .. code-block:: json { "id": 3, "result": [ { "data": [ { "name": "IPsec_Fortinet_Recommended", "oid": 4119, "template setting": { "option": "readonly", "stype": "_ipsec", "widgets": [ "_ipsec" ] }, "type": "template" }, { "name": "BRANCH_IPsec_Recommended", "oid": 4123, "template setting": { "option": "readonly", "stype": "_ipsec", "widgets": [ "_ipsec" ] }, "type": "template" }, { "name": "HUB_IPsec_Recommended", "oid": 4129, "template setting": { "option": "readonly", "stype": "_ipsec", "widgets": [ "_ipsec" ] }, "type": "template" }, { "name": "BRANCH_BGP_Recommended", "oid": 4135, "template setting": { "option": "readonly", "stype": "router_bgp", "widgets": [ "router_bgp" ] }, "type": "template" }, { "name": "HUB_BGP_Recommended", "oid": 4140, "template setting": { "option": "readonly", "stype": "router_bgp", "widgets": [ "router_bgp" ] }, "type": "template" }, { "name": "SITES_BRANCH_IPsec", "oid": 4154, "scope member": [ { "name": "dev_001", "vdom": "root" } ], "template setting": { "stype": "_ipsec", "widgets": [ "_ipsec" ] }, "type": "template" } ], "status": { "code": 0, "message": "OK" }, "url": "/pm/template/adom/demo" } ] } How to get the list of used and modified provisioning templates? ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ That's how FortiManager GUI can show you that a Template Group has been modified and explain why. For example, in the picture below, the ``sites`` Template Group is marked with the *Modified* status. If you hover your mouse over the red triangle icon, a tooltip appears with further details. You can see that two new templates were added (an IPsec Tunnel Template named ``sites_BRANCH_IPsec`` and an SD-WAN Template named ``sites_BRANCH_SDWAN``), and the existing System Template named ``sites_BRANCH_ST`` was also modified: .. thumbnail:: images/provisioning_templates/image_001.png To gather this information, FortiManager GUI used the following API call: .. tab-set:: .. tab-item:: REQUEST .. code-block:: json { "id": 3, "method": "get", "params": [ { "url": "/pm/config/adom/demo/_package/dirty_info" } ], "session": "{{session}}", "verbose": 1 } .. tab-item:: RESPONSE .. code-block:: json { "id": 3, "result": [ { "data": [ { "oid": 42646, "templates": [ { "objects": [ { "action": "edit", "url": "fwmprof setting enforced version/FortiGate-40F" } ], "template": "fwmprof/PSIRT_Thu_Jul_17_2025" }, { "objects": [ { "action": "edit", "url": "fwmprof setting/42647" } ], "template": "fwmprof/PSIRT_Thu_Jul_17_2025" } ] }, { "members": [ { "action": "add", "url": "template/_ipsec/sites_BRANCH_IPsec" }, { "action": "add", "url": "wanprof/sites_BRANCH_SDWAN" } ], "oid": 42650, "templates": [ { "objects": [ { "action": "edit", "url": "device profile settings/42654" } ], "template": "devprof/sites_BRANCH_ST" }, { "objects": [ { "action": "edit", "url": "device template widget action-list var-list/system dns/cache-notfound-responses" } ], "template": "devprof/sites_BRANCH_ST" }, { "objects": [ { "action": "edit", "url": "device template widget action-list var-list/system dns/dns-cache-limit" } ], "template": "devprof/sites_BRANCH_ST" }, { "objects": [ { "action": "edit", "url": "device template widget action-list var-list/system dns/dns-cache-ttl" } ], "template": "devprof/sites_BRANCH_ST" }, { "objects": [ { "action": "edit", "url": "device template widget action-list var-list/system dns/dns-over-tls" } ], "template": "devprof/sites_BRANCH_ST" }, { "objects": [ { "action": "edit", "url": "device template widget action-list var-list/system dns/domain" } ], "template": "devprof/sites_BRANCH_ST" }, { "objects": [ { "action": "edit", "url": "device template widget action-list var-list/system dns/primary" } ], "template": "devprof/sites_BRANCH_ST" }, { "objects": [ { "action": "edit", "url": "device template widget action-list var-list/system dns/retry" } ], "template": "devprof/sites_BRANCH_ST" }, { "objects": [ { "action": "edit", "url": "device template widget action-list var-list/system dns/secondary" } ], "template": "devprof/sites_BRANCH_ST" }, { "objects": [ { "action": "edit", "url": "device template widget action-list var-list/system dns/server-hostname" } ], "template": "devprof/sites_BRANCH_ST" }, { "objects": [ { "action": "edit", "url": "device template widget action-list var-list/system dns/ssl-certificate" } ], "template": "devprof/sites_BRANCH_ST" }, { "objects": [ { "action": "edit", "url": "device template widget action-list var-list/system dns/timeout" } ], "template": "devprof/sites_BRANCH_ST" }, { "objects": [ { "action": "edit", "url": "device template widget/dns/conf-sys-dns" } ], "template": "devprof/sites_BRANCH_ST" }, { "objects": [ { "action": "edit", "url": "system ntp/42659" } ], "template": "devprof/sites_BRANCH_ST" } ] }, { "oid": 42681, "templates": [ { "objects": [ { "action": "edit", "url": "system ntp/42659" } ], "template": "devprof/sites_BRANCH_ST" } ] } ], "status": { "code": 0, "message": "OK" }, "url": "/pm/config/adom/demo/_package/dirty_info" } ] } How to CLI Preview a template? ++++++++++++++++++++++++++++++ TBD. Notes from #1222894: - 7.6.4 and 7.6.5 are having different GUI features. - 7.6.4/7.6.5: - The action is called *Preview CLI Configuration*. It is using this API ``/securityconsole/template/cli/preview`` and looks like the assigned devices (scope) is optional. - 7.6.5+/8.0.0: - The action is called *Preview on Device*. It is using this API ``"/securityconsole/template/validate`` and assigned devices (scope) is required. It will provide a more accurate preview with meta variable replaced with mapping value; it will also process objects referenced in the template and add to the preview. Its like a dry-run of installation and provide a per device preview if there is no error. How to validate a template? +++++++++++++++++++++++++++ This is to make sure that all used metadata variables are resolved for the managed devices assigned to the template. The following example shows how to trigger a template validation for the ``template_group_001`` Template Group assigned to the ``dev_001`` managed device in the ``demo``: .. tab-set:: .. tab-item:: REQUEST .. code-block:: json { "id": 3, "method": "exec", "params": [ { "data": { "adom": "demo", "flag": "json", "pkg": "adom/demo/tmplgrp/template_group_001", "scope": [ { "name": "dev_001", "vdom": "root" } ] }, "url": "securityconsole/template/validate" } ], "session": "{{session}}" } .. tab-item:: RESPONSE .. code-block:: json { "id": 3, "result": [ { "data": { "task": 28 }, "status": { "code": 0, "message": "OK" }, "url": "securityconsole/template/validate" } ] } How to get the controller status? --------------------------------- Caught in: - #454555 - #469731 - #604197 It seems to be a non public API. **REQUEST:** .. code-block:: json { "method": "exec", "params": [ { "url": "/deployment/get/controller/status", "data": { "adom": "...", "ctypes": ["fsw"], "device": "...", "options": ["savedb", "resync" ] } } ], "session": "...", "id": 1 } We can also add ``wtp`` or ``fext`` as other ``ctypes``. Firmware Template ----------------- Introduction ++++++++++++ Caught in #711918. Main FMG JSON RPC API ``url`` for firmware template seems to be: .. code-block:: /um/image/template/upgrade How to assign a device? +++++++++++++++++++++++ Caught in #964977. .. tab-set:: .. tab-item:: REQUEST .. code-block:: json { "id": 3, "method": "add", "params": [ { "data": [ { "name": "dc_emea_001", "vdom": "root" } ], "url": "/pm/fwmprof/adom/dc_emea/fmw_001/scope member" } ], "session": "{{session}}" } .. tab-item:: RESPONSE .. code-block:: json { "id": 3, "result": [ { "status": { "code": 0, "message": "OK" }, "url": "/pm/fwmprof/adom/dc_emea/fmw_001/scope member" } ] } How to get an Upgrade Preview for Firmware Template? ++++++++++++++++++++++++++++++++++++++++++++++++++++ Caught in #1076332. This is useful for reviewing which devices will require an upgrade. The following example demonstrates how to retrieve an upgrade preview for the `firmware_template_001` Firmware Template within the ``demo`` ADOM: .. tab-set:: .. tab-item:: REQUEST .. code-block:: json { "id": 3, "method": "exec", "params": [ { "data": { "adom": "demo", "name": "firmware_template_001" }, "url": "/um/image/template/preview" } ] } .. tab-item:: RESPONSE .. code-block:: json { "id": 3, "result": [ { "data": { "report": { "adom-name": "demo", "adom_oid": 38741, "device-number": 1, "devices": [ { "end-time": 1732884824, "name": "fgt-001", "oid": 39590, "package-status": 1, "skip-path": 0, "start-time": 0, "taskid": 0, "tasks": [ { "current_version": "7.6.0-b3401", "package-status": 1, "platform": "FortiGate-VM64", "product": 1, "profile_name": "firmware_template_001", "result": 0, "serial": "FGVMMLREDACTED39", "target_version": "7.4.4-b2662", "upgrade_path": [ "7.4.4-b2662" ] } ] } ], "end-time": 1732884824, "name": "firmware_template_001", "report-time": 1732884824, "start-time": 0, "success-number": 0, "taskid": 0 }, "status": "success", "taskid": 0 }, "status": { "code": 0, "message": "OK" }, "url": "/um/image/template/preview" } ] } .. note:: In this example, the ``fgt-001`` device will require an upgrade. However, considering the ``current_version`` and ``target_version`` attributes, this would actually result in a downgrade. Regardless of the scenario, the ``upgrade_path`` attribute will outline the steps required to reach the target version. How to get an Upgrade Report for Firmware Template? +++++++++++++++++++++++++++++++++++++++++++++++++++ Caught in #0919211. To get the Upgrade Report generated by the ``to_fgt_740`` Firmware Template in the ``dc_emea`` ADOM: .. tab-set:: .. tab-item:: REQUEST .. code-block:: json { "id": 3, "method": "exec", "params": [ { "data": { "adom": "dc_emea", "name": "fgt_to_740" }, "url": "um/image/template/report" } ], "session": "{{session}}" } .. tab-item:: RESPONSE .. code-block:: json { "id": 3, "result": [ { "data": { "report": [ { "adom-name": "dc_emea", "adom-oid": 165, "device-number": 1, "devices": [ { "end-time": 1700776054, "name": "fgt-741-001", "oid": 175, "package-status": 0, "skip-path": 1, "start-time": 1700775638, "taskid": 9, "tasks": [ { "current_version": "7.4.1-b2463", "package-status": 0, "platform": "FortiGate-VM64", "product": 1, "profile_name": "fgt_to_740", "result": 0, "serial": "FGVMMLTM22002647", "target_version": "7.4.0-b2360", "upgrade_path": [ "7.4.0-b2360" ] } ] } ], "end-time": 1700776054, "name": "fgt_to_740", "report-time": 1700776054, "start-time": 1700775638, "success-number": 1, "taskid": 9 } ] }, "status": { "code": 0, "message": "OK" }, "url": "um/image/template/report" } ] } .. note:: - In this output, there's a single Upgrade Report. .. note:: To get the upgrade reports for your managed devices, see section :ref:`How to get the Upgrade Report for managed devices?`. How to list Firmware Templates? +++++++++++++++++++++++++++++++ The following example shows how to retrieve the list of firmware templates for the ``demo`` ADOM: .. tab-set:: .. tab-item:: REQUEST .. code-block:: json { "id": 3, "method": "get", "params": [ { "url": "/pm/fwmprof/adom/demo" } ], "session": "{{session}}" } .. tab-item:: RESPONSE .. code-block:: json { "result": [ { "data": [ { "fwmprof setting": { "checksum": "1719401524-418766485", "description": null, "enforced version": [ { "flags": 0, "platform": "FAP-Default", "product": 2, "upgrade-path": 1, "version": "7.0.3-b0060" }, { "flags": 0, "platform": "FSW-Default", "product": 3, "upgrade-path": 1, "version": "7.0.5-b0086" }, { "flags": 0, "platform": "FXT-Default", "product": 4, "upgrade-path": 1, "version": "7.2.5-b0164" }, { "flags": 0, "platform": "FGT-Default", "product": 1, "upgrade-path": 1, "version": "7.0.15-b0632" } ], "image-source": 0, "schedule-day": 0, "schedule-end-time": null, "schedule-start-time": null, "schedule-type": 0 }, "name": "firmware_template_001", "oid": 4458, "type": "fwmprof" } ], "status": { "code": 0, "message": "OK" }, "url": "/pm/fwmprof/adom/demo" } ], "id": 3 } .. note:: In this output, the firmware template includes samples of all supported products using the default platform config values. How to create a new Firmware Template? ++++++++++++++++++++++++++++++++++++++ The following example shows how to create the ``firmware_template_001`` Firmware Template in the ``demo`` ADOM. In this example, ``dev_001`` is being assigned to the template at the time of creation. .. tab-set:: .. tab-item:: REQUEST .. code-block:: json { "id": 3, "method": "add", "params": [ { "data": { "fwmprof setting": { "description": "This is the description field data.", "enforced version": [ { "flags": 104, "platform": "FGT-Default", "product": 1, "upgrade-path": 1, "version": "7.2.11-b1740" } ], "image-source": null, "schedule-day": null, "schedule-end-time": null, "schedule-start-time": null, "schedule-type": 0 }, "name": "firmware_template_001", "type": "fwmprof", "scope member": [ { "name": "dev_001", "vdom": "root" } ] }, "url": "pm/fwmprof/adom/demo" } ], "session": "{{session}}" } .. note:: - ``fwmprof setting``: defines the firmware template settings. The possible attributes are: - ``schedule-day``: specifies the day(s) of the week when the upgrade task is scheduled to run and is only valid when the ``weekly`` schedule type is selected. The value is submitted as an array of strings that specify the day of the week. For example, to schedule the upgrade task to run every Monday, Wednesday, and Friday, the value would be: .. code-block:: json "schedule-day": [ "monday", "wednesday", "friday" ] - ``schedule-end-time``: specifies the end time for the upgrade task schedule. It is required when the schedule type is set to ``once``, ``daily``, or ``weekly``. The value must be submitted as a 24-hour date/time formatted string for the ``once`` schedule type (e.g., ``2024-12-31 23:59:00``) or as a 24-hour time formatted string for the ``daily`` and ``weekly`` schedule types (e.g., ``23:59:00``). - ``schedule-start-time``: specifies the start time for the upgrade task schedule. It is required when the schedule type is set to ``once``, ``daily``, or ``weekly``. The value must be submitted as a 24-hour date/time formatted string for the ``once`` schedule type (e.g., ``2024-12-31 23:59:00``) or as a 24-hour time formatted string for the ``daily`` and ``weekly`` schedule types (e.g., ``23:59:00``). - ``schedule-type``: defines the schedule for the upgrade task. The supported schedule types include: - ``none``: the upgrade task will not be scheduled to run automatically. Start and end times are not required for this schedule type. - ``once``: the upgrade task will run only once at the specified start time. Start and end times are required and must be submitted as a 24-hour date/time formatted string. For example: ``2024-12-31 23:59:00``. - ``daily``: the upgrade task will run every day at the specified start time. Start and end times are required and must be submitted as a 24-hour time formatted string. For example: ``23:59:00``. - ``weekly``: the upgrade task will run on the specified days of the week at the specified start time. Start and end times are required and must be submitted as a 24-hour time formatted string as with the ``daily`` schedule type. The ``schedule-day`` attribute is also required for this schedule type to specify the day(s) of the week when the upgrade task should run. - ``image-source``: specifies the source of the firmware image. The supported values include: - ``0``: image sourced from FortiGuard - ``1``: image sourced from FortiManager - ``null``: defaults to ``0`` - ``name`` specifies the name of the firmware template. - ``enforced_version``: specifies the firmware version enforced for devices assigned to the firmware template. This attribute is an array of objects that specifies the firmware version enforced for each of the devices assigned to the template. - ``platform``: specifies the platform for which the firmware version is enforced. Values must include a valid hardware platform supported by FortiManager that is in the range defined by the ``product`` attribute. For example, if the ``product`` attribute is set to ``1`` (FortiGate), valid values for the ``platform`` attribute include: - ``FortiGate-40F`` - ``FortiGate-60F`` - ``FortiGate-VM64`` - ``FGT-Default`` (this is a special value that can be used to apply the enforced firmware version to any FortiGate platform) A list of supported platforms can be retrieved using the following FortiManager CLI command: .. code-block:: text diagnose dvm supported-platforms list` - ``product``: specifies the product for which the firmware version is enforced: - ``1``: FortiGate - ``2``: FortiSwitch - ``3``: FortiAP - ``4``: FortiExtender - ``5``: FortiExtender-Modem - ``flags``: specifies additional options for the enforced firmware version. Most flags apply only to the FortiGate platform. The value is calculated by summing the numeric values of the enabled flags: .. list-table:: Firmware Template Enforced Version Flags :header-rows: 1 :widths: 30 50 20 * - Flag - Description - Numeric Value * - Boot from Alternate Partition After upgrade - Boot to secondary partition after upgrade - ``1`` * - Only upgrade FortiGate Clusters with all members up - Upgrade HA clusters only when all members up - ``8`` * - Skip Fortigate Disk Check - Skip the auto disk check during upgrade - ``32`` * - Skip FortiGate Auto Scan Disk - Skip disk auto scan during upgrade - ``64`` The default value is ``104`` and is calculated by combining the numeric values of the following flags: - ``Only Upgrade FortiGate Clusters with all members up`` (``8``) - ``Skip Fortigate Disk Check`` (``32``) - ``Skip FortiGate Auto Scan Disk`` (``64``) Total is giving ``104`` (``8 + 32 + 64``). Certificate Template -------------------- How to create a Certificate Template? +++++++++++++++++++++++++++++++++++++ When a Certificate Template is created, FortiManager also generates a Dynamic Local Certificate with the same name. The Certificate Template is used for enrolling certificates for managed devices, while the corresponding Dynamic Local Certificate enables referencing the device certificate within ADOM DB objects. Each time a Certificate Template is used to enroll a certificate for a managed device, FortiManager creates a new device-specific mapping (aka *per-device mapping*) in the Dynamic Local Certificate with the same name. How to create an external Certificate Template? _______________________________________________ The following example shows how to create the ``certificate_template_001`` Certificate Template in the ``demo`` ADOM: .. tab-set:: .. tab-item:: REQUEST .. code-block:: json { "id": 3, "method": "add", "params": [ { "data": { "name": "certificate_template_001", "id-type": 0, "organization-unit": [ "CSE" ], "organization": "Fortinet", "city": "Nice", "state": "PACA", "country": "FR", "email": "", "key-type": 0, "key-size": 3, "curve-name": 0, "scep-server": "https://10.0.0.1/app/cert/scep", "scep-password": "fortinet", "scep-ca-identifier": "ca_crt", "type": 0, "digest-type": 0 }, "url": "/pm/config/adom/demo/obj/certificate/template" } ], "session": "{{session}}" } How to create a local Certificate Template? ___________________________________________ The following example shows how to create the ``certificate_template_002`` Certificate Template in the ``demo`` ADOM: .. tab-set:: .. tab-item:: REQUEST .. code-block:: json { "id": 3, "method": "add", "params": [ { "data": { "city": "Nice", "country": "FR", "name": "certificate_template_001", "organization": "FTNT", "organization-unit": "CSE", "state": "PACA", "type": "local" }, "url": "/pm/config/adom/demo/obj/certificate/template" } ], "session": "{{session}}" } .. tab-item:: RESPONSE .. code-block:: json { "id": 3, "result": [ { "data": { "name": "certificate_template_002" }, "status": { "code": 0, "message": "OK" }, "url": "/pm/config/adom/ademo/obj/certificate/template" } ] } How to enroll a certificate using a Certificate Template? +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ The following example demonstrates how to enroll a certificate for the ``dev_001`` managed device in the ``demo`` ADOM using ``certificate_template_001`` Certificate Template. .. tab-set:: .. tab-item:: REQUEST .. code-block:: json { "id": 3, "method": "exec", "params": [ { "data": { "adom": "demo", "scope": [ { "name": "dev_001", "vdom": "root" } ], "template": "certificate_template_001" }, "url": "/securityconsole/sign/certificate/template" } ], "session": "{{session}}" } .. note:: When you debug FortiManager using the following CLI: .. code-block:: text diagnose debug service main 255 diagnose debug enable you can see that the ``template`` value is a full path to the Certificate Template [1]_: .. code-block:: text :emphasize-lines: 5-6 Request [gui webforward:2911:fbce18d1-bda7-4ff9-9353-01a85adf7eeb]: { "client": "gui webforward:2911", "id": "fbce18d1-bda7-4ff9-9353-01a85adf7eeb", "keep_session_idle": 1, "method": "exec", "params": [{ "data": { "adom": "demo", "scope": [{ "name": "dev_001", "vdom": "root"}], "template": "adom\/ demo\/obj\/certificate\/template\/certificate_template_001"}, "url": "\/securityconsole\/sign\/certificate\/template"}], "session": 59590} .. tab-item:: RESPONSE .. code-block:: json { "id": 3, "result": [ { "data": { "task": 4935 }, "status": { "code": 0, "message": "OK" }, "url": "/securityconsole/sign/certificate/template" } ] } After the task is completed, FortiManager saves the generated certificate in the managed device's Device DB, using the Certificate Template name as the certificate object's name. It also creates a per-device mapping entry in the Dynamic Local Certificate that is automatically generated with the Certificate Template. The enrolled certificate stored in the ``dev_001`` Device DB can be retrieved using the following request: .. tab-set:: .. tab-item:: REQUEST .. code-block:: json { "id": 3, "method": "get", "params": [ { "url": "/pm/config/device/demo/vdom/root/vpn/certificate/local/certificate_template_001" } ], "session": "{{session}}", "verbose": 1 } .. note:: You can see that FortiManager created the certificate object using the Certificate Template name (``certificate_template_001``). .. tab-item:: RESPONSE .. code-block:: json { "id": 3, "result": [ { "data": { "_certinfo": { "is_ca": 0, "issuer": "O = Fortinet Ltd., CN = Fortinet", "negsn": 0, "serial": "11:f1:48:3a:06:9d:67:d4", "subject": "C = FR, ST = PACA, L = Nice, O = FTNT, OU = CSE, CN = adom_72_001_dev_001.root", "subject_parsed": { "C": "FR", "CN": "adom_72_001_dev_001.root", "L": "Nice", "O": "FTNT", "OU": "CSE", "ST": "PACA" }, "validfrom": "2022-08-22 17:37:44 GMT", "validto": "2032-08-26 17:37:44 GMT", "version": 1 }, "acme-ca-url": "https://acme-v02.api.letsencrypt.org/directory", "acme-domain": null, "acme-email": null, "acme-renew-window": 30, "acme-rsa-key-size": 2048, "auto-regenerate-days": 0, "auto-regenerate-days-warning": 0, "ca-identifier": null, "certificate": "-----BEGIN CERTIFICATE-----\nMIIDIDCCAggCCBHxSDoGnWfUMA0GCSqGSIb3DQEBBQUAMCsxFjAUBgNVBAoTDUZv\ncnRpbmV0IEx0ZC4xETAPBgNVBAMTCEZvcnRpbmV0MB4XDTIyMDgyMjE3Mzc0NFoX\nDTMyMDgyNjE3Mzc0NFowazELMAkGA1UEBhMCRlIxDTALBgNVBAgTBFBBQ0ExDTAL\nBgNVBAcTBE5pY2UxDTALBgNVBAoTBEZUTlQxDDAKBgNVBAsTA0NTRTEhMB8GA1UE\nAxQYYWRvbV83Ml8wMDFfZGV2XzAwMS5yb290MIIBIjANBgkqhkiG9w0BAQEFAAOC\nAQ8AMIIBCgKCAQEAp87wNOEOqm/+uc6vCQNL6cH5U9bMOxfZ0kmXHOui5pXeex+4\nr9Q2JoIkU+osWXwJXOuxDYCcK3ol6+5gX6Y60iPqfRS7VOXgNGd+z36r8hxIZjTe\neaNzHvml1nfxMwqALzf4wRn4zTB2GLJouV4RF8fxv4u0ockseDOnW07HVEPwv+ET\n1B7pxXMKh3RcnN630zETlLVFJ35kEf879iqC+Ony6pA0CtVdQTAdBCxxNaFVUjGK\nKaqWVx2yAjYp2eHl5e7mU0JEMCgOTS5A5mYqmevj04hw9s+LrvE4bshjq/eUdMSe\nQltZ2T9TP3dEWr8QSdu6wwq4EpP0Af/hK8k48QIDAQABow0wCzAJBgNVHRMEAjAA\nMA0GCSqGSIb3DQEBBQUAA4IBAQBN6qsjHJTFx0KGS/+VKuHkShC3vDgfUzn/qWcP\nnpkgUtU48JWIQSv4QVLtiLa+qfHnFv6TbQfVD/qcaDncdV2HE7F85po9QwyAf7ec\nqGcQw000qiojjMVsmt7abqiebJBJp8OtBdJutYv3OH1AtvIOV+Enj0YXPCtWzV9y\n2BMySPvYVA8VBJNbOfJE6QoTP/ZhR+xjHen6fPqOchjJXIAidIIOeVpH5msuSLuk\nk2F6K2Pow5gyvpgv/gwMMn+XZ2AzWKGfr2j1QXRVO9fHyNNB5e6RtQ+fJZgpLHh/\n8+zE6lSSUjvdPBM6t+4gvrun08trkdHzT3FSs5rWoqR2tMdS\n-----END CERTIFICATE-----", "cmp-path": null, "cmp-regeneration-method": "keyupate", "cmp-server": null, "cmp-server-cert": [], "comments": null, "csr": null, "enroll-protocol": "none", "extension": [ { "content": "CA:FALSE", "critical": 0, "name": "X509v3 Basic Constraints" } ], "ike-localid": null, "ike-localid-type": "asn1dn", "last-updated": 0, "name": "certificate_template_001", "name-encoding": "printable", "oid": 3172, "password": [ "ENC", "7ENU9ioxcoKvKJDeKgih/bzn7Wa+n3Oq64tpOtwsTXbdAzmaGtJx7AlTJNYcUdBk2/T3RX9tgiWPqSHWGAPKuIe4IuKOIeDWdtrcFvuY/SHTUk+rZ5ACIP2g9DgZ2Dk+AreXnXtzUEkTBws65+gCn3GuNae9vR1NN53E/HI9vI7VVF8+" ], "private-key-retain": "disable", "range": "global", "scep-url": null, "source": "user", "source-ip": "0.0.0.0", "state": null, "tmp-cert-file": null }, "status": { "code": 0, "message": "OK" }, "url": "/pm/config/device/dev_001/vdom/root/vpn/certificate/local/certificate_template_001" } ] } .. note:: The ``private-key`` cannot be exposed using the FortiManager API. How to assign a Certificate Template to a managed device? +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ When the managed device is already with a certificate not enrolled by the Certificate Template (for instance by uploading a certificate in the device Device DB - see :ref:`How to upload a certificate?`), and you still want to be able to refer to that certificate in some applicable ADOM DB objects, you can still decide to add a per-device mapping entry in the Dynamic Local Certificate which was automatically generated with the Certificate Template. In fact, you have to assign the corresponding Dynamic Local Certificate which is having the same name as the Certiticate Template. The following example shows how to assign the ``certificate_template_001`` Dynamic Local Certificate to the ``dev_001`` managed device in the ``demo`` ADOM: .. tab-set:: .. tab-item:: REQUEST .. code-block:: json { "id": 3, "method": "add", "params": [ { "data": [ { "_scope": { "name": "dev_001", "vdom": "root" }, "local-cert": "cert_001" } ], "url": "/pm/config/adom/demo/obj/dynamic/certificate/local/certificate_template_001/dynamic_mapping" } ], "session": "{{session}}" } .. note:: The ``local-cert`` attribute should refer to an existing certificate in the ``dev_001`` Device DB. ``certificate_template_001`` is the name of the Dynamic Local Certificate object. It shares the same name as the Certificate Template because FortiManager automatically creates the Dynamic Local Certificate when the Certificate Template is created. .. tab-item:: RESPONSE .. code-block:: json { "id": 3, "result": [ { "data": { "_scope": [ { "name": "dev_001", "vdom": "root" } ] }, "status": { "code": 0, "message": "OK" }, "url": "/pm/config/adom/demo/obj/dynamic/certificate/local/certificate_template_001/dynamic_mapping" } ] } .. note:: The list of existing assigned managed devices is preserved. How to unassign a Certificate Template to a managed device? +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ In fact, you have to unassign the corresponding Dynamic Local Certificate which is having the same name as the Certiticate Template. The following example shows how to unassign the ``certificate_template_001`` Dynamic Local Certificate from the ``dev_001`` managed device in the ``demo`` ADOM: .. tab-set:: .. tab-item:: REQUEST .. code-block:: json { "id": 3, "method": "delete", "params": [ { "url": "/pm/config/adom/demo/obj/dynamic/certificate/local/certificate_template_001/dynamic_mapping/dev_001/root" } ], "session": "{{session}}" } .. tab-item:: RESPONSE .. code-block:: json { "id": 3, "result": [ { "status": { "code": 0, "message": "OK" }, "url": "/pm/config/adom/demo/obj/dynamic/certificate/local/certificate_template_001/dynamic_mapping/dev_001/root" } ] } .. note:: The list of existing assigned managed devices is preserved. System Template --------------- How to get list of system templates? ++++++++++++++++++++++++++++++++++++ We want the list of system templates in ADOM ``DEMO_009``. **REQUEST:** .. code-block:: json { "id": 1, "jsonrpc": "1.0", "method": "get", "params": [ { "url": "pm/devprof/adom/DEMO_009" } ], "session": "PvxNZ0qnX2vWunu8n7wg7PfygD7e5aNKODztfQ+9Du80tr7OZMelMPAx+ad2I7Xh/u8bucNnhdwGMMUYjfT03A==", "verbose": 1 } **RESPONSE:** .. code-block:: json { "id": 1, "result": [ { "data": [ { "description": "", "enabled options": [ "dns", "ntp", "email", "admin", "snmp", "repmsg", "ftgd", "log", "interface", "router", "combined" ], "name": "default", "oid": 4794, "type": "devprof" }, { "description": "", "enabled options": [ "admin", "interface" ], "name": "sys_template", "oid": 4802, "scope member": [ { "name": "hub2" } ], "type": "devprof" } ], "status": { "code": 0, "message": "OK" }, "url": "pm/devprof/adom/DEMO_009" } ] } How to clone a System Template? +++++++++++++++++++++++++++++++ Caught in #0624808. It is possible to clone the following kind of templates: - ``pm/devprof/adom//