
To set up FortiAPI, you'll need to register for an account on the Fortinet Developer Network. This will give you access to the API keys and credentials you need to get started.
First, make sure you have a FortiGate device with the necessary API enabled. The FortiAPI is only available on FortiOS 6.0 and later.
You can find the API keys and credentials in the Fortinet Developer Network portal. This includes your API key, client ID, and client secret.
To use the FortiAPI, you'll need to make a GET request to the API endpoint, using your API key and client ID to authenticate.
Token-Based Authentication
Token-based authentication is the only method supported by FortiGate for API calls. This type of authentication requires administrators to generate a token that is included in each API request for authentication.
A token is automatically generated when a new API administrator is created in FortiOS, and it cannot be retrieved again once the API administrator is created. So, it's essential to record the token and store it in a safe location.
You can include the API token in any REST API request either in a request header or as a URL parameter; the request header is recommended because a token in the URL can end up in proxy and web-server logs and browser history. To pass the API token in the request header, you add a dedicated header field to the request that carries the token.
Here are the steps to create an API administrator and generate an API token:
1. Create an API administrator account with the minimum permissions required to complete the function.
2. Provide the account with read permissions if you only plan to use API calls to retrieve statistics or information from the FortiGate.
The API administrator account used in this topic's examples has full permissions, but it's not recommended to use it in production environments.
Admin Creation and Configuration
Creating an API administrator is crucial for interacting with the FortiGate API. This account should be created with the minimum permissions required to complete the function.

To create a REST API administrator, follow the steps outlined in the "REST API administrator" section. It's essential to note that the example API administrator account used in this topic has full permissions, which is not recommended in practice.
You should configure the Trusted Hosts field when creating a new REST API administrator so that only trusted hosts/subnets can reach the FortiGate REST API. The trusted host is defined by the source address your API client connects from.
The security options to consider when creating a REST API administrator, listed in order of configuration difficulty, are Trusted Hosts (easy), CORS Allow Origin (moderate) and PKI Group (difficult).
For added security, configure one or more of these fields when creating a new REST API administrator.
Create Admin, Generate Token
Creating the API administrator and generating the token is an essential step in setting up your FortiGate. This account should be created with the minimum permissions required to complete its function.
You should provide the API administrator account with read permissions if you only plan to use API calls to retrieve statistics or information from the FortiGate. This is a best practice to ensure the account doesn't have unnecessary access.

The API administrator account used in this topic has full permissions, which doesn't adhere to the recommendation. For detailed steps on creating a REST API administrator, see the REST API administrator section.
To add an extra layer of security, configure the Trusted Hosts field when creating a new REST API administrator. This ensures that only trusted hosts/subnets can access the FortiGate REST API.
The security options to consider when creating a REST API administrator, listed from easy to difficult to configure, are Trusted Hosts, CORS Allow Origin and PKI Group.
Record the token as soon as it is generated: it cannot be retrieved once the API administrator is created, and losing it means generating a new one. Store it in a safe location.
Configuration (FortiOS)
FortiOS configuration is supported through REST API based configuration management, which allows remote management of FortiGate devices.
A PHP library is available for interacting with the FortiGate (FortiOS) APIs. The library can retrieve, create, update and delete configuration on the firewall.
To use the library, you need to register on Fortinet's developer website to access the list of supported methods.
Best Practices and Management

If the API token must be passed as a URL query parameter, enable the global setting that permits this; the header method remains the safer default.
When creating a REST API administrator, consider the security fields listed below, ordered from easy to difficult to configure. Together they ensure that only authorized hosts and clients can access the FortiGate REST API.
To restrict access, configure the Trusted Hosts field when creating a new REST API administrator. The trusted host entry is built from the source address your API client connects from.
CORS (Cross Origin Resource Sharing) can be configured to allow third-party web apps to make API requests to the FortiGate using the token. However, avoid using the '*' wildcard if possible, as it can compromise security.
A PKI group can be configured to enable peer authentication using certificate matching, which provides an extra layer of security. This requires both the client certificate and token to match to gain access to the API.
Here are the security options in order of configuration difficulty:
- Trusted Hosts (easy)
- CORS Allow Origin (moderate)
- PKI Group (difficult)
Best Practices

When working with APIs, it's essential to follow best practices to ensure smooth integration and security.
If the API token must be added to the URL query parameter, enable the global setting that allows it. This lets existing tools that cannot set a request header integrate without additional coding, at the cost of the token appearing in URLs.
Store API tokens in environment variables or a secrets store rather than in source files, which makes them easier to manage and rotate as needed.
API tokens should be treated like passwords and stored securely, never hardcoded or exposed publicly. This is crucial for maintaining data integrity and preventing unauthorized access.
Regularly review and update API tokens to ensure they remain valid and secure, and to prevent any potential security risks.
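The following is an added example, not code from the page or from Fortinet, showing the header-based token placement described under Token-Based Authentication and the environment-variable storage recommended in these best practices. It assumes the token is in the environment variable FORTIGATE_API_TOKEN, uses the read-only monitor endpoint /api/v2/monitor/system/status, and takes access_token as the FortiOS query-parameter name for URL-based tokens.

```python
"""Added example: build an authenticated FortiGate REST API request.

Assumptions (not from the page): token in FORTIGATE_API_TOKEN, the
read-only endpoint /api/v2/monitor/system/status, and 'access_token' as
the query-parameter name used when a token is passed in the URL.
"""
import os
import urllib.parse
import urllib.request

STATUS_PATH = "/api/v2/monitor/system/status"  # read-only monitor call


def load_token(env_var="FORTIGATE_API_TOKEN"):
    """Read the API token from the environment instead of source code."""
    token = os.environ.get(env_var, "").strip()
    if not token:
        raise RuntimeError(f"{env_var} is not set; store the generated token there")
    return token


def build_request(host, token, path=STATUS_PATH, vdom="root"):
    """Return a GET request carrying the token in the Authorization header.

    The header form is preferred over a query parameter: headers are not
    written to proxy/web-server access logs or browser history.
    """
    url = f"https://{host}{path}?{urllib.parse.urlencode({'vdom': vdom})}"
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def redact_token_in_url(url):
    """Mask an access_token query value before a URL is logged.

    Only relevant when the global setting permitting URL-query tokens is on.
    """
    parts = urllib.parse.urlsplit(url)
    params = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if k == "access_token" else v) for k, v in params]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(masked)))


def fetch_status(host, timeout=10):
    """Issue the request against a live FortiGate; returns the HTTP status code."""
    with urllib.request.urlopen(build_request(host, load_token()), timeout=timeout) as resp:
        return resp.status
```

fetch_status() needs network access to a FortiGate whose Trusted Hosts entry includes the client's source address; the other functions run offline.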
Configuration Management Support
Configuration Management Support is crucial for efficient network management. You can use REST API based configuration management with REST Configlets.
Fortinet FortiGate devices offer configuration API support through FortiOS. This API allows you to interact with the firewall and manage its configuration.
The PHP library for the FortiGate firewall APIs is a useful tool for managing Fortinet devices. It can retrieve, create, update, and delete configuration on the firewall.
All supported methods are documented on Fortinet's developer website, but you need an account to access the information.
Network Configuration Manager can also add REST API support for other vendors' devices if needed.
REST API
To use the FortiGate REST API features, you need to provide REST credentials for connecting to your FortiGate device. These credentials can be entered directly in the "Apply Credentials" slide.
Network Configuration Manager provides the fields for each of these parameters with their default values, making it easy to set up. You can choose to either manage your Fortigate device with just REST Credentials or with a combination of CLI and REST credentials.
For important functions like Enabling/Disabling Syslog Change Detection, it's recommended to manage your Fortigate device by using a combination of CLI and REST credentials. This ensures you have the necessary authentication parameters set.
To associate REST credentials to a Fortigate device, follow these steps:
- Go to Inventory > Devices.
- Select the devices on which you want to apply the REST Credentials.
- Select "Apply Credentials" from the options.
- Select "REST API" as the protocol, or choose your desired protocol and provide CLI credentials.
- Check "Use REST API for communication whenever applicable".
- Provide all the required parameters in the form and save the credentials.
Using REST API features in Fortigate devices has several benefits. For example, it provides a GUI similar to the device's GUI, making it easy to update a part of the configuration directly from Network Configuration Manager.


