FortiOS 6.0.4 REST API Reference PDF

FortiOS - REST API Reference
Version 6.0.4
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO GUIDE
https://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
FORTINET COOKBOOK
https://cookbook.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/support-and-training/training.html
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://fortiguard.com/
END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdocs@fortinet.com
January 10, 2018

FortiOS 6.0.4 REST API Reference
01-604-472442-20190110
TABLE OF CONTENTS
Change Log 5
Introduction 6
What's New in the REST API 6
Authentication 7
Session-based authentication 7
Token-based authentication 9
Authorization 12
Supported HTTP methods 12
Response codes 12
Debugging 13
CMDB API 15
URL path 15
URL parameters 15
Generic parameters 16
Specific parameters 16
Body data 17
Limitation 18
Filter with multiple key/value pairs 18
Filter Syntax 18
Filter Operators 18
Combining Filters 19
Reserved Characters 19
List of Methods 20
collection 20
resource 21
Examples 24
Retrieve table 24
Retrieve table schema 24
Retrieve table default 25
Purge table 25
Retrieve object 25
Create object 25
Edit object 25
Delete object 26
Clone object 26
Move object 26
Append child object 26
Edit child object 27
Delete child object 27
Purge child table 27
Retrieve complex table 27
Edit complex table 27
Send requests to multiple vdoms 28
FortiOS REST API Reference Fortinet Inc.

4
Monitor API 29
URL path 29
URL parameters 29
Generic parameters 29
Specific parameters 30
Body data 30
File upload 30
File upload via JSON data 30
File upload via multi-part file 31
File download 31
File download via browser 31
File download via script 31
List of Methods 32
endpoint-control 43
firewall 48
geoip 58
ips 59
license 59
log 60
registration 65
router 69
system 72
switch-controller 86
extender-controller 113
user 114
utm 124
virtual-wan 125
webfilter 126
vpn 129
vpn-certificate 132
wanopt 135
webproxy 137
webcache 137
wifi 138
Examples 144

Change Log
Date Change Description
2019-01-10 Initial release.


Introduction
All requests to FortiOS REST APIs require valid authentication and authorization before being processed.
The following REST APIs are supported:
l CMDB API
l Retrieve object meta data (default, schema)
l Retrieve object/table (with filter, format, start, count, other flags)
l Create object
l Modify object
l Delete object
l Clone object
l Move object
l Monitor API
l Retrieve/Reset endpoint stats (with filter, start, count)
l Perform endpoint operations
l Upload/Download file
l Restore/Backup config
l Upgrade/Downgrade firmware
l Restart/Shutdown FGT
What's New in the REST API
l Added support for testing the connectivity of a given Sandbox IP
l Added support for retrieving the list of device types
l Updated the access groups for the endpoints
l Updated a few parameters including change in types and description
New APIs
Method URI Description Change Summary
GET /system/sandbox/test-connect/ Test the connectivity of a given New API

FortiSandbox IP
GET /user/device-type/select/ Retrieve a list of device types. New API

Introduction 7
Updated APIs
Method URI Description Change Summary
GET /firewall/session/select List all active firewall sessions Added a new parameter

(optionally filtered). "policytype" of type string Filter:
Policy type [policy6].
GET /firewall/session/select List all active firewall sessions Updated protocol parameter type

(optionally filtered). from integer to string.
GET /router/policy/select Retrieve a list of active IPv4 Added new parameters : start,

policy routes. count, count_only
GET /router/policy6/select Retrieve a list of active IPv6 Added new parameters : start,

policy routes. count, count_only
GET /vpn/one-click/members Get information on devices Updated summary to use the new

registered in the Overlay name overlay controller VPN
Controller VPN cloud assisted
group.
GET /vpn/one-click/status Get the last status message Updated summary to use the new

from FortiCloud? Overlay name overlay controller VPN
Controller VPN cloud service.
Removed APIs
Method URI Description Change

Summary
GET /firewall/session-top/select/ List of top sessions by specified grouping Removed API

criteria.
Authentication
Starting in FortiOS 5.6.1, there are two ways that user can authenticate against the API:
l Session-based authentication (legacy)
l Token-based authentication (5.6.1 and newer)
Session-based authentication
As the name suggests, the authentication is valid per login session. The user needs to send a login request to obtain a
authentication cookie and CSRF token to be used for subsequent requests. The user then needs to send a logout
request to invalidate the authentication cookie and CSRF token.

Introduction 8
Authentication Cookie
Authentication cookie (APSCOOKIE) is provided by the API after a successful login request. All subsequent requests
must include this cookie to be authorized by the API. Any request without the cookie or with mismatched cookie will be
denied access to the API (HTTP 401 error code).
CSRF Tokens
Cross-Site Request Forgery (CSRF) Tokens are alphanumeric values that are passed back-and-forth between client and
server to ensure that a user's form submission does not originate from an offsite document.
The CSRF token is available in the session ccsrftoken cookie, which must be included in the request header under
X-CSRFTOKEN. See test script sample for how to handle CSRF token.
Only write requests (HTTP POST/PUT/DELETE) need CSRF tokens. Read requests (HTTP
GET) do not require CSRF tokens.
Setting Up an Authenticated Session
To authenticate with the FortiGate and request a session, send a POST request to the log in request handler with your
username and password.
Login URL /logincheck
The request body must contain the following keys in URL form encoding:
Key Type Description
username String The admin username.
secretkey String The password for that admin.
ajax Int (1) Required: Format the response for easier parsing. Enable using 1.
Example:
POST /logincheck
username=AdminUser&secretkey=AdminPassword&ajax=1
Ensure that you're using the correct protocol. By default, a FortiGate will redirect HTTP requests to HTTPS and your
login requests may fail. As well, FortiGate 's will use a self-signed server certificate by default. Refer to the
documentation for the specific library or framework that you're using to validate the certificate manually.
The response to this request will be in the following format:
<status_code><javascript>
A successful login response would be:
1document.location="/ng/prompt?viewOnly&redir=%2Fng%2F";
For most uses, you only need to read the first character of the response body to get the response status code.

Introduction 9
Code Description
0 Log in failure. Most likely an incorrect username/password combo.
1 Successful log in*
2 Admin is now locked out
3 Two-factor Authentication is needed**
* In some cases users may receive a successful login status but not be completely authenticated, such as when there is
a post-login-banner configured.
** For Two-Factor log in, make another POST request with the same username and password, but include the token_
code parameter with the value of the one-time-password.
Once you've received a successful login status, read each Set-Cookie header and retain the following Cookies:
Name Description
APSCOOKIE_<NUMBER> This cookie authenticates you with the FortiGate. You must present this cookie
with every subsequent request you make after logging in.
ccsrftoken This is the (c)CSRF token. As described in Authorization on page 12, you must
provide the value of this cookie as a X-CSRFTOKEN header. *
*There may be two ccsrftoken cookies, one with a number suffix that matches the APSCOOKIE. For simplicity, you
don't need to locate that cookie and can rely on the ccsrftoken cookie.
Logging out of an Authenticated Session
Authenticated sessions will remain active with the device until any of the following occurs:
l The admin logs out
l The session remains inactive for longer than the timeout specified by the admintimeout setting in config
system global
l The admin is disconnected by another admin
There are a limited number of admins that can have active sessions on the device, therefore it's recommended that you
log out when you're finished using the device.
To log out, a POST request to the /logout URL will remove the current session.
Logout URL /logout
Body data none needed
Token-based authentication
The authentication is done via a single API token. This token is only generated once when creating an API admin. The
user must store this token in a safe place because it cannot be retrieved again. The user can however regenerate the
token at any time. Each API request must include the token in order to be authenticated as the associated API admin.

Introduction 10
Only HTTPS access is allowed with token-based authentication to ensure maximum security.
Create API admin
In order to use the token-based authentication, user must first create a special API admin. The user can assign vdom
provision and admin profile to this API admin which defines the admin's privileges.
Only Super admin can create or modify API admin.
config system api-user

edit "api-admin"
set comments "admin for API access only"
set api-key ENC SH23sQt? +/9D9/mKb1oQoDvlP32ggn/cpQeGcY/VGUe5S5WIr5nqU20xcNMYDQE=
set accprofile "API profile"
set vdom "root"
config trusthost
edit 1
set ipv4-trusthost 192.168.10.0 255.255.255.0
next
end
next
end
GUI does not allow user to pick super admin or prof_admin profile for API admin to encourage
user to use a special profile.
Trusted host
At least one trusted host must be configured for the API admin. The user can define multiple trusted host/subnet. IPv6
hosts are also supported.
PKI Certificate
Token-based also supports certificate matching as an extra layer of security (set PKI group in api-user). Both client
certificate and token must match to be granted access to the API. PKI option is enabled by default.
CORS permission
Token-based also supports Cross Origin Resource Sharing (CORS) allowing third-party web apps to make API requests
to FGT using the token. CORS is disabled by default.

Introduction 11
Generate API token
After creating the api-user, user can generate new token via CLI command, GUI, or REST API. The token is only shown
once and cannot be retrieved after. The user needs to generate new token if they forget.
CLI command:
execute api-user generate-key [API user name]
New API key: fccys3cfbhyhqbqghkyzm1QGNnm31r
The bearer of this API key will be granted all access privileges assigned to the api-user api-
admin.
REST API
Request Body data Description
POST /api/v2/monitor/system/api- {'api-user':"api- "Generate a new api-key for the specified

user/generate-key?vdom=root admin"} api-key-auth admin. The old api-key will be
replaced. The response contains the only
chance to read the new api-key plaintext in
the access_token field."
Use the API token
The API token can be included in any REST API request via either request header or URL parameter
Passing API token via request header
The user needs to explicitly add the following field to the request header: 'Authorization': 'Bearer ' +

[api_token]
Authorization: Bearer fccys3cfbhyhqbqghkyzm1QGNnm31r
Passing API token via request URL parameter
The user needs to explicitly include the following field in the request URL parameter: access_token=[api_token]
Method URL Body Description

data
GET /api/v2/cmdb/firewall/address ?vdom=root&access_ Retrieve all

token=fccys3cfbhyhqbqghkyzm1QGNnm31r IPv4 firewall
addresses,
vdom root

Introduction 12
Authorization
After the request is authenticated, the API will check if the associated admin has the permission to perform the
operation. Each admin or API admin has an admin profile and vdom scope which define the privileges of the admin. For
example, if the admin has vdom scope set to "vdom1" and a profile that only has read-only permission to Firewall
objects access group, the admin can only access vdom1 resource, and cannot make change to Firewall objects (policy,
address, etc).
Each endpoint requires specific group permission defined in 'Access Group' of the endpoint summary table. Request to
the endpoint will be checked against this access group to ensure the admin has proper permission to access the
resource. Make sure the administrative account you login with has the permissions required to perform the intended
actions.
Admin with read-only permission to the resource can only send read requests (HTTP GET) to the resource. Admin with
write permission to the resource can send read/write requests (HTTP GET/POST/PUT/DELETE) to the resource. Admin
with no permission to the resource cannot access the resource.
Request with insufficient profile permission will return 403 error.
Supported HTTP methods
FortiOS REST APIs support the following HTTP methods:
HTTP Method Description
GET Retrieve a resource or collection of resources.
POST Create a resource or execute actions.
PUT Update a resource.
DELETE Delete a resource or collection of resources.
For any action other than GET, you must provide the X-CSRFTOKEN header in the request. The value of this header is
the value of the ccsrftoken cookie that is provided by the FortiGate when you log in.
If the request is submitted using HTTP POST , the HTTP method can also be overridden using the "X-HTTP-Method-
Override" HTTP header.
Response codes
FortiOS APIs use well-defined HTTP status codes to indicate the results of queries to the API.
The following table shows how some of the HTTP status codes are used in the context of FortiOS REST APIs.

Introduction 13
HTTP Response Code Description
200 - OK Request returns successful.
400 - Bad Request Request cannot be processed by the API.
401 - Not Authorized Request without successful login session.
403 - Forbidden Request is missing CSRF token or administrator is missing access profile
permissions.
404 - Resource Not Found Unable to find the specified resource.
405 - Method Not Allowed Specified HTTP method is not allowed for this resource.
413 - Request Entity Too Large Request cannot be processed due to large entity.
424 - Failed Dependency Fail dependency can be duplicate resource, missing required parameter, missing
required attribute, invalid attribute value.
429 - Too many requests The request is actively blocked by FGT due to a rate limit. For example, if an
admin uses invalid credentials too many times, there will be a timeout before
they can try again.
500 - Internal Server Error Internal error when processing the request.
Debugging
Verbose debug output can be enabled in the FortiGate CLI with the following commands:
diagnose debug enable
diagnose debug application httpsd -1
This will produce the following output when the REST API for IPv4 policy statistics is queried:

[httpsd 228 - 1418751787] http_config.c[558] ap_invoke_handler -- new request (handler='api_
monitor_v2-handler', uri='/api/v2/monitor/firewall/policy', method='GET')
[httpsd 228 - 1418751787] http_config.c[562] ap_invoke_handler -- User-Agent: Mozilla/5.0
(Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/39.0.2171.71 Safari/537.36
[httpsd 228 - 1418751787] http_config.c[565] ap_invoke_handler -- Source: 192.168.1.100:56256
Destination: 192.168.1.99:443
[httpsd 228 - 1418751787] api_monitor.c[1427] api_monitor_v2_handler -- received api_monitor_
v2_request from '192.168.1.100'
[httpsd 228 - 1418751787] aps_access.c[3652] aps_chk_rolebased_perm -- truncated URI
(/api/v2/monitor/firewall/policy) to (/api/v2/monitor) for permission check
[httpsd 228 - 1418751787] api_monitor.c[1265] handle_req_v2_vdom -- attempting to change from
vdom "root" to vdom "root"
[httpsd 228 - 1418751787] api_monitor.c[1280] handle_req_v2_vdom -- new API request
(action='select',path='firewall',name='policy',vdom='root',user='admin')
[httpsd 228 - 1418751787] api_monitor.c[1286] handle_req_v2_vdom -- returning to original vdom
"root"
[httpsd 228 - 1418751787] http_config.c[581] ap_invoke_handler -- request completed
(handler='api_monitor_v2-handler' result==0)

Introduction 14
This debug will also include all requests to/from the FortiOS web interface, in addition to
REST API requests.

CMDB API
CMDB API is used to retrieve and modify CLI configurations. For example, create/edit/delete firewall policy.
URL path
All CMDB requests start with '/api/v2/cmdb/'. Below is the format of CMDB URL path.
/api/v2/cmdb/<path>/<name>/<mkey>(optional)/<child_name>(optional)/<child_mkey>(optional)/
CMDB URL path follows CLI commands syntax with an exception of vdom configuration.
CLI Command path name mkey child_ child_ Full URL

name mkey
configure vdom system vdom /api/v2/cmdb/system/vdom/
configure vdom, edit vdom1 system vdom vdom1 /api/v2/cmdb/system/

vdom/vdom1/
configure firewall schedule firewall. recurring /api/v2/cmdb/

recurring schedule firewall.schedule/recurring/
configure firewall policy firewall policy /api/v2/cmdb/firewall/policy/
configure firewall policy, firewall policy 1 /api/v2/cmdb/firewall/policy/1/

edit 1
configure firewall policy, firewall policy 1 srcintf /api/v2/cmdb/firewall/

edit 1, set srcintf policy/1/srcintf/
configure firewall policy, firewall policy 1 srcintf lan /api/v2/cmdb/firewall/

edit 1, delete srcintf lan policy/1/srcintf/lan/
For operations on the entire table, mkey is not needed. For instance, add new entry, get all entries, purge table.
For operations on a specific resource, mkey is required. For example, edit/delete/clone/move a firewall policy.
For operations on the child table, child_name is required. For example, retrieve child table, purge child table, add new
entry to child table.
For operations on the child table entry, child_mkey is required. For example, delete/move child object.
URL parameters
In addition to the URL path, user can specify URL parameters which are appended to the URL path.

CMDB API 16
Generic parameters
The following URL parameters are generic to all CMDB requests.
URL parameter Example Description
vdom=root GET /api/v2/cmdb/firewall/address/?vdom=root Return result/apply changes

on the specified vdom. If
vdom parameter is not
provided, use current vdom
instead. If admin does not
have access to the vdom,
return permission error.
vdom=root,vdom1 GET /api/v2/cmdb/firewall/address/?vdom=root,vdom1 Return result/apply changes

on the specified vdoms. If
vdom=root&vdom=vdom1 GET Return result/apply changes

/api/v2/cmdb/firewall/address/?vdom=root&vdom=vdom1 on the specified vdoms. If
vdom=* GET /api/v2/cmdb/firewall/address/?vdom=* Return a list of results/apply

changes on all provisioned
vdoms. The request is only
applicable to vdoms that the
admin has access to.
Specific parameters
Each CMDB method may require extra URL parameters which are unique to the method. Those extra parameters are
documented in the "Extra Parameters" section of each CMDB method.
Below are some examples.
action=schema GET /api/v2/cmdb/firewall/policy Return schema of the resource table

/?action=schema
action=default GET /api/v2/cmdb/firewall/policy Return default attributes of the resource

/?action=default

CMDB API 17
action=move PUT /api/v2/cmdb/firewall/policy/1 Move policy 1 to after policy 2

/?action=move&after=2
action=clone POST Clone 'address1' to 'address1_clone'

/api/v2/cmdb/firewall/address/address1
/?action=clone&nkey=address1_clone
skip=1 GET Return a list of all firewall policy but only show

/api/v2/cmdb/firewall/policy/?skip=1 relevant attributes
skip=1 GET Return firewall policy 1 but only show relevant

/api/v2/cmdb/firewall/policy/1/?skip=1 attributes
format=policyid|action GET /api/v2/cmdb/firewall/policy Return a list of all firewall policy, however,

/?format=policyid|action only show policyid and action for each policy
format=policyid|action GET /api/v2/cmdb/firewall/policy Return firewall policy 1, however, only show

/1?format=policyid|action policyid and action
start=0&count=10 GET /api/v2/cmdb/firewall/address Return the first 10 firewall addresses

/?start=0&count=10
key=type&pattern=fqdn GET /api/v2/cmdb/firewall/address Return all addresses with type fqdn

/?key=type&pattern=fqdn
filter=type==fqdn GET /api/v2/cmdb/firewall/address Return all addresses with type fqdn

/?filter=type==fqdn
filter=type== GET /api/v2/cmdb/firewall/address Return all addresses with type fqdn or ipmask

fqdn,type==ipmask&filter= /?filter=type==fqdn,type== which has visibility enabled
visibility==enable ipmask&filter=visibility==enable
Body data
Beside URL parameters, some POST/PUT requests also require body data, which must be included in the HTTP body.
For example, to create/edit firewall address object, user needs to specify the new/edit object data.
GET/DELETE requests do not accept body data.
Request Body data Description
POST /api/v2/cmdb/firewall/address?vdom=root {'name':"address1", 'type': create new firewall address

"ipmask", 'subnet': "1.1.1.0 with the specified data
255.255.255.0"}
PUT {'subnet': "2.2.2.0 edit firewall address with the

/api/v2/cmdb/firewall/address/address1?vdom=root 255.255.255.0"} specified data

CMDB API 18
Limitation
If the body data has the same name as some reserved URL parameters, such as name, path, or action, the request
would fail due to the conflict. For example, firewall policy has 'name' and 'action' attribute which conflict with the
reserved URL parameter 'name' and 'action'. POST/PUT with normal method would fail with 405 error. A workaround is
to enclosed all object data in a 'json' keyword so the API can correctly identify object data. For example:
Request Body data Descripti

on
POST {'name':"test_policy", 'srcintf': [{"name":"port1"}], 'dstintf': This would

/api/v2/cmdb/firewall/policy?vdom [{"name":"port2"}],'srcaddr': [{"name":"all"}],'dstaddr': fail with
=root [{"name":"all"}],'action':"accept",'status':"enable",'schedule':"always 405 error
",'service':[{'name':"ALL"}],'nat':"disable"}
POST {'json':{'name':"test_policy", 'srcintf': [{"name":"port1"}], 'dstintf': This would

/api/v2/cmdb/firewall/policy?vdom [{"name":"port2"}],'srcaddr': [{"name":"all"}],'dstaddr': work
=root [{"name":"all"}],'action':"accept",'status':"enable",'schedule':"always
",'service':[{'name':"ALL"}],'nat':"disable"}}
Filter with multiple key/value pairs
Filtering multiple key/value pairs are also supported for all CMDB retrieval requests via 'filter' URL parameter.
Filter Syntax
Filters are defined in the following syntax: key operator pattern
Key Operator Pattern Full Request Description
schedule == always GET Only return firewall policy with

/api/v2/cmdb/firewall/policy/?filter= schedule 'always'
schedule==always
schedule != always GET Return all firewall policy with

/api/v2/cmdb/firewall/policy/?filter= schedule other than 'always'
schedule!=always
Filter Operators
Operator Description
== Case insensitive match with pattern.
!= Does not match with pattern (case insensitive).

CMDB API 19
Operator Description
=@ Pattern found in object value (case insensitive).
!@ Pattern not found in object value (case insensitive).
<= Value must be less than or equal to pattern.
< Value must be less than pattern.
>= Value must be greater than or equal to pattern.
> Value must be greater than pattern.
Combining Filters
Filters can be combined to create complex queries.
Combination Description Example
Logical OR Separate filters using commas ",". The GET /api/v2/cmdb/firewall/policy?filter=

following example returns all policies schedule==always,schedule==once
using the always schedule or the once
schedule.
Logical AND Filter strings can be combined to create GET /api/v2/cmdb/firewall/policy/?filter=

logical AND queries by including multiple schedule==always&filter=action==accept
filters in the request. This example
includes all policies using schedule
always AND action accept.
Combining You can combine AND and OR filters GET /api/v2/cmdb/firewall/policy/?filter=

AND and OR together to create more complex filters. schedule==always&filter=action==accept,action==deny
This example includes all policies using
schedule always AND action accept OR
action deny.
Reserved Characters
The following characters need to be escaped if they are part of a filter pattern.
Character Escaped Value
, \,
\ \\

CMDB API 20
List of Methods
Type HTTP Method Action Summary
collection GET Select all entries in a CLI table.
resource GET default Return the CLI default values for this object type.
resource GET default Return the CLI default values for entire CLI tree.
resource GET schema Return the CLI schema for this object type.
resource GET schema Return schema for entire CLI tree.
resource GET revision Return the CMDB revision for this object type.
collection DELETE Delete all objects in this table.
collection POST Create an object in this table.
resource GET Select a specific entry from a CLI table.
resource PUT Update this specific resource.
resource PUT move Move this specific resource.
resource POST clone Clone this specific resource.
resource DELETE Delete this specific resource.
resource GET Build API directory.
collection
GET
Summary Select all entries in a CLI table.
HTTP Method GET
ETag Caching Enabled
Response Type array
Extra parameters
Name Type Summary Required
datasource boolean Enable to include datasource information for each linked object. No
start int Starting entry index. No
count int Maximum number of entries to return. No

CMDB API 21
with_meta boolean Enable to include meta information about each object (type id, No

references, etc).
skip boolean Enable to call CLI skip operator to hide skipped properties. No
format string List of property names to include in results, separated by | (i.e. No

policyid|srcintf).
filter string Comma separated list of key value pairs to filter on. Filters will be No

logically OR'd together.
key string If present, objects will be filtered on property with this name. No
pattern string If present, objects will be filtered on property with this value. No
scope string Scope [global|vdom|both*] No
resource
GET: default
Summary Return the CLI default values for this object type.
HTTP Method GET
Response Type object
GET: default
Summary Return the CLI default values for entire CLI tree.
HTTP Method GET
GET: schema
Summary Return the CLI schema for this object type.
HTTP Method GET

CMDB API 22
GET: schema
Summary Return schema for entire CLI tree.
HTTP Method GET
GET: revision
Summary Return the CMDB revision for this object type.
HTTP Method GET
DELETE
Summary Delete all objects in this table.
HTTP Method DELETE
POST
Summary Create an object in this table.
HTTP Method POST
GET
Summary Select a specific entry from a CLI table.
HTTP Method GET
Response Type array
Extra parameters
datasource boolean Enable to include datasource information for each linked object. No
with_meta boolean Enable to include meta information about each object (type id, No

references, etc).

CMDB API 23
skip boolean Enable to call CLI skip operator to hide skipped properties. No
format string List of property names to include in results, separated by | (i.e. No

policyid|srcintf).
PUT
Summary Update this specific resource.
HTTP Method PUT
PUT: move
Summary Move this specific resource.
HTTP Method PUT
Extra parameters
before string The ID of the resource that this resource will be moved before. No
after string The ID of the resource that this resource will be moved after. No
POST: clone
Summary Clone this specific resource.
HTTP Method POST
Extra parameters
nkey string The ID for the new resouce to be created. No
DELETE
Summary Delete this specific resource.
HTTP Method DELETE

CMDB API 24
GET
Summary Build API directory.
HTTP Method GET
Examples
Retrieve table
Method URL URL Parameters Body Description

Data
GET /api/v2/cmdb/ ?vdom=root Retrieve all IPv4 firewall addresses,

firewall/address vdom root
GET /api/v2/cmdb/ ?vdom=root&start= Retrieve the first 10 firewall

firewall/address 0&count=10&skip=1 addresses, skip inapplicable
attributes, vdom root
GET /api/v2/cmdb/ ?vdom=root&format=name|type Retrieve all firewall addresses but only

firewall/address show name and type, vdom root
GET /api/v2/cmdb/ ?vdom=root&key= Retrieve all fqdn firewall addresses,

firewall/address type&pattern=fqdn vdom root
GET /api/v2/cmdb/ ?vdom=root&filter= Retrieve all fqdn firewall addresses,

firewall/address type==fqdn vdom root
GET /api/v2/cmdb/ ?vdom=root&filter= Retrieve all fqdn or iprange firewall

firewall/address type==fqdn,type==iprange addresses, vdom root
GET /api/v2/cmdb/ ?vdom=root&filter=type== Retrieve all fqdn firewall addresses

firewall/address fqdn&filter=associated- that belong to lan interface, vdom root
interface==lan
Retrieve table schema

Data
GET /api/v2/cmdb/firewall/address ?action=schema Retrieve firewall address object's

schema

CMDB API 25
Retrieve table default

Data
GET /api/v2/cmdb/firewall/address ?action=default Retrieve firewall address object's default
Purge table

Data
DELETE /api/v2/cmdb/firewall/address ?vdom=root Purge all firewall addresses, vdom root
Retrieve object

Data
GET /api/v2/cmdb/ ?action=select&vdom=root Retrieve only firewall address

firewall/address/address1 'address1', vdom root

Create object
Method URL URL Body Data Description

Parameters
POST /api/v2/cmdb/firewall/address ?vdom=root {"name":"address1"} Create firewall address

'address1', root vdom
POST /api/v2/cmdb/application/list ?vdom=root {"name":"profile1"} Create application list profile1,

vdom root
Edit object

Parameters
PUT /api/v2/cmdb/firewall/ ?vdom=root {"name":"address2"} Rename 'address1' to 'address2',

address/address1 vdom root
PUT /api/v2/cmdb/firewall/ ?vdom=root {"comment":"test Edit 'address1' to update comment

address/address1 comment"} 'test comment', vdom root

CMDB API 26

Parameters
PUT /api/v2/cmdb/ ?vdom=root {"entries": Edit profile1 to add child object '1'

application/list/profile1 [{"id":1,"application": which has child table 'applications',
[{"id":31236}, vdom root
{"id":31237}]}]}
Delete object

Data
DELETE /api/v2/cmdb/firewall/ ?vdom=root Delete firewall address 'address1', root vdom

address/address1
Clone object

Data
POST /api/v2/cmdb/ ?vdom=root&action= Clone 'address1' to 'address1_clone', root

firewall/address/address1 clone&nkey=address1_ vdom
clone
Move object

Data
PUT /api/v2/cmdb/ ?vdom=root&action= Move policy 1 to after policy 2, root vdom

firewall/policy/1 move&after=2
Append child object

Data
POST /api/v2/cmdb/application ?vdom=root {"id":3} Add 3 to application profile1 child table

/list/profile1/entries entries, vdom root

CMDB API 27
Edit child object

Parameters
PUT /api/v2/cmdb/application ?vdom=root {"application": Edit child entry 3 to update child

/list/profile1/entries/3 [{"id":31236}, application list, vdom root
{"id":31237}]}
Delete child object

Data
DELETE /api/v2/cmdb/application ?vdom=root Delete 3 from application profile1 child

/list/profile1/entries/3 table entries, vdom root
Purge child table

Data
DELETE /api/v2/cmdb/application ?vdom=root Purge application profile1 child table

/list/profile1/entries entries, vdom root
Retrieve complex table

Data
GET /api/v2/cmdb/ ?action=select Retrieve vpn ssl settings object

vpn.ssl/settings
Edit complex table

Parameters
PUT /api/v2/cmdb/ ?vdom=root {"authentication- Edit complex object vpn.ssl.settings to

vpn.ssl/settings rule":[{"id":"1"}, create/modify child table, vdom root
{"id":"2"}]}

CMDB API 28
Send requests to multiple vdoms

Data
GET /api/v2/cmdb/ ?vdom=root,vdom1 Retrieve all IPv4 firewall addresses for

firewall/address both root and vdom1
GET /api/v2/cmdb/ ?vdom=root&vdom=vdom1 Retrieve all IPv4 firewall addresses for

firewall/address both root and vdom1
GET /api/v2/cmdb/ ?vdom=* Retrieve all IPv4 firewall addresses for all

firewall/address accessible vdoms

Monitor API
Monitor API is used to perform specific actions on endpoint resources. For example, retrieve/close firewall sessions,
restart/shutdown FGT, backup/restore config file.
URL path
All Monitor API requests start with '/api/v2/monitor/'. Below is the format of Monitor URL path:
/api/v2/monitor/<uri>/
Each Monitor endpoint has a specific URI, which are provided by the URI field of each endpoint.
URI Full URL Description
/firewall/policy/ GET List traffic statistics for all IPv4 policies

/api/v2/monitor/firewall/policy/
/firewall/policy/reset POST Reset traffic statistics for all IPv4 policies

/api/v2/monitor/firewall/policy/reset
URL parameters
In addition to the URL path, user can specify URL parameters which are appended to the URL path.
Generic parameters
The following URL parameters are generic to all Monitor requests.
vdom=root GET /api/v2/monitor/firewall/ Return result/apply changes on the specified vdom. If

policy/?vdom=root vdom parameter is not provided, use current vdom
instead. If admin does not have access to the vdom,
vdom=root,vdom1 GET /api/v2/monitor/firewall/ Return a list of results/apply changes on provided vdoms.

policy/?vdom=root,vdom1
vdom=* GET /api/v2/monitor/firewall/ Return a list of results/apply changes on all provisioned

policy/?vdom=* vdoms. The request is only applicable to vdoms that the
admin has access to.

Monitor API 30
Specific parameters
Each Monitor endpoint may require extra URL parameters which are unique to the endpoint. Those extra parameters
are documented in the "Extra Parameters" section of each endpoint.
Required parameters are marked with "required: true" flag.
count=-1 GET /api/v2/monitor/firewall/session?count=1 Return all ipv4 firewall sessions
ip_ GET /api/v2/monitor/firewall/session?ip_ Return the first 10 ipv6 firewall

version=ipv6&count=10 version=ipv6&count=10 sessions
Body data
Beside URL parameters, some POST requests also require body data, which must be included in the HTTP body. The
extra body data are documented in "Extra Parameters" section of each endpoint.
GET requests do not accept body data.
Required body data are marked with "required: true" flag.
Request Body Data Description
POST /api/v2/monitor/firewall/ {'pro': "udp", 'saddr': "192.168.100.110", Close the specific ipv4 firewall

session/close?vdom=root 'daddr': "96.45.33.73", 'sport': 55933, sessions
'dport': 8888}
File upload
File upload is supported for some endpoints. For example, upload VM license, restore config file. The upload file must
be stored in the HTTP body. There are two different methods to do so: via JSON data or multi-part file.
File upload via JSON data
The upload file can be encoded directly into the HTTP body as JSON data using the 'file_content' field.
The JSON data must be encoded in base64 format.
For instance, below is how you can upload/restore config file via JSON data using Python Requests module.
self.session.post(url='/api/v2/monitor/system/config/restore',
params={"vdom": "vdom1"},
data={"source": "upload",

Monitor API 31
"scope": "vdom",
"file_content": b64encode(open("vd1.conf.txt", "r").read())})
File upload via multi-part file
Another way to store upload file in HTTP body is to include it as a multi-part file.
The multi-part file does not need to be encoded in base64 format.
For instance, below is how you can upload/restore config file via multi-part file using Python Requests module.
self.session.post(url='/api/v2/monitor/system/config/restore',
params={"vdom": "vdom1"},
data={"source": "upload",
"scope": "vdom"},
files=[('random_name',
('random_conf.conf', open("vd1.conf.txt", "r"), 'text/plain'))])
File download
File download is also supported in some endpoints. For example, download CA certificate, backup config file.
The downloaded file is stored in the response's raw content, not JSON data.
For example, here is the request to download global certificate name Fortinet_Factory, type local, scope
global:
GET /api/v2/monitor/system/certificate/download?mkey=Fortinet_
Factory&type=local&scope=global
File download via browser
When sending file download request via a browser, the browser automatically checks the response's header for
'Content-Disposition': attachment. If present, the browser will download the file to local directory using the
name.
File download via script
When sending file download request via a script, the script will need to manually perform the above steps to convert the
response's content into a file. For example, the script needs to check the response header for 'Content-
Disposition': attachment, and write the content into a local file with the given name.

Monitor API 32
List of Methods
URI HTTP Method Summary
endpoint-control/profile/xml/ GET List XML representation for each endpoint-control profile.
endpoint-control/registration- POST Check if provided registration password is valid for current

password/check/ VDOM.
endpoint-control/record- GET List endpoint records.

list/select/
endpoint- GET Summary of FortiClient registrations.

control/registration/summary/
endpoint- POST Quarantine endpoint by FortiClient UID or MAC.

control/registration/quarantine/
endpoint- POST Unquarantine endpoint by FortiClient UID or MAC.

control/registration/unquarantine/
endpoint- POST Block endpoint by FortiClient UID or MAC.

control/registration/block/
endpoint- POST Unblock endpoint by FortiClient UID or MAC.

control/registration/unblock/
endpoint- POST Deregister endpoint by FortiClient UID or MAC.

control/registration/deregister/
endpoint-control/installer/select/ GET List available FortiClient installers.
endpoint- GET Download a FortiClient installer via FortiGuard.

control/installer/download/
endpoint- GET Download an endpoint avatar image.

control/avatar/download/
firewall/health/select/ GET List configured load balance server health monitors.
firewall/local-in/select/ GET List implicit and explicit local-in firewall policies.
firewall/acl/select/ GET List counters for all IPv4 ACL.
firewall/acl/clear_counters/ POST Reset counters for one or more IPv4 ACLs by policy ID.
firewall/acl6/select/ GET List counters for all IPv6 ACL.
firewall/acl6/clear_counters/ POST Reset counters for one or more IPv6 ACLs by policy ID.
firewall/internet-service- GET List internet services that exist at a given IP or Subnet.

match/select/
firewall/internet-service- GET List all details for a given Internet Service ID.

details/select/
firewall/policy/select/ GET List traffic statistics for IPv4 policies.

Monitor API 33
firewall/policy/reset/ POST Reset traffic statistics for all IPv4 policies.
firewall/policy/clear_counters/ POST Reset traffic statistics for one or more IPv4 policies by policy

ID.
firewall/policy6/select/ GET List traffic statistics for IPv6 policies.
firewall/policy6/reset/ POST Reset traffic statistics for all IPv6 policies.
firewall/policy6/clear_counters/ POST Reset traffic statistics for one or more IPv6 policies by policy

ID.
firewall/proxy-policy/select/ GET List traffic statistics for all explicit proxy policies.
firewall/proxy-policy/clear_ POST Reset traffic statistics for one or more explicit proxy policies by

counters/ policy ID.
firewall/policy-lookup/select/ GET Performs a policy lookup by creating a dummy packet and

asking the kernel which policy would be hit.
firewall/session/select/ GET List all active firewall sessions (optionally filtered).
firewall/session/clear_all/ POST Immediately clear all active IPv4 and IPv6 sessions and IPS

sessions of current VDOM.
firewall/session/close/ POST Close a specific firewall session that matches all provided

criteria.
firewall/shaper/select/ GET List of statistics for configured firewall shared traffic shapers.
firewall/shaper/reset/ POST Reset statistics for all configured traffic shapers.
firewall/per-ip-shaper/select/ GET List of statistics for configured firewall per-IP traffic shapers.
firewall/per-ip-shaper/reset/ POST Reset statistics for all configured firewall per-IP traffic shapers.
firewall/load-balance/select/ GET List all firewall load balance servers.
firewall/address-fqdns/select/ GET List of FQDN address objects and the IPs they resolved to.
firewall/address-fqdns6/select/ GET List of IPv6 FQDN address objects and the IPs they resolved

to.
firewall/ippool/select/ GET List IPv4 pool statistics.
firewall/address-dynamic/select/ GET List of Fabric Connector address objects and the IPs they

resolve to.
firewall/address6-dynamic/select/ GET List of IPv6 Fabric Connector address objects and the IPs they

resolve to.
geoip/geoip-query/select/ GET Retrieve location details for IPs queried against FortiGuard's

geoip service.
ips/rate-based/select/ GET Returns a list of rate-based signatures in IPS package.
license/status/select/ GET Get current license & registration status.

Monitor API 34
license/database/upgrade/ POST Upgrade a license database on this device using uploaded file.
license/forticare-resellers/select/ GET Get current FortiCare resellers for the requested country.
license/forticare-org-list/select/ GET Get FortiCare organization size and industry lists.
log/current-disk-usage/select/ GET Return current used, free and total disk bytes.
log/device/state/ GET Retrieve information on state of log devices.
log/forticloud/select/ GET Return FortiCloud log status.
log/fortianalyzer/select/ GET Return FortiAnalyzer/FortiManager log status.
log/fortianalyzer-queue/select/ GET Retrieve information on FortiAnalyzer's queue state. Note:-

FortiAnalyzer logs are queued only if upload-option is realtime.
log/hourly-disk-usage/select/ GET Return historic hourly disk usage in bytes.
log/historic-daily-remote- GET Returns the amount of logs in bytes sent daily to a remote

logs/select/ logging service (FortiCloud or FortiAnalyzer).
log/stats/select/ GET Return number of logs sent by category per day for a specific

log device.
log/stats/reset/ POST Reset logging statistics for all log devices.
log/forticloud-report/download/ GET Download PDF report from FortiCloud.
log/ips-archive/download/ GET Download IPS/application control packet capture files. Uses

configured log display device.
log/policy-archive/download/ GET Download policy-based packet capture archive.
log/av-archive/download/ GET Download file quarantined by AntiVirus.
log/event/select/ GET List all event log descriptions.
registration/forticloud/login/ POST Login to FortiCloud.
registration/forticloud/create/ POST Create a FortiCloud account.
registration/forticloud/logout/ POST Logout from FortiCloud.
registration/forticloud/disclaimer/ GET Retrieve the FortiCloud disclaimer.
registration/forticloud/domains/ GET Retrieve a list of FortiCloud login domains.
registration/forticare/login/ POST Login to FortiCare.
registration/forticare/create/ POST Create a new FortiCare account.
registration/forticare/add-license/ POST Add a FortiCare license.
router/ipv4/select/ GET List all active IPv4 routing table entries.
router/ipv6/select/ GET List all active IPv6 routing table entries.

Monitor API 35
router/statistics/select/ GET Retrieve routing table statistics, including number of matched

routes.
router/lookup/select/ GET Performs a route lookup by querying the routing table.
router/policy/select/ GET Retrieve a list of active IPv4 policy routes.
router/policy6/select/ GET Retrieve a list of active IPv6 policy routes.
system/admin/toggle-vdom- POST Toggles VDOM mode on/off. Enables or disables VDOM mode

mode/ if it is disabled or enabled respectively.
system/api-user/generate-key/ POST Generate a new api-key for the specified api-key-auth admin.

The old api-key will be replaced. The response contains the
only chance to read the new api-key plaintext in the api_key
field.
system/config-revision/select/ GET Returns a list of system configuration revisions.
system/config-revision/update- POST Updates comments for a system configuration file.

comments/
system/config-revision/delete/ POST Deletes one or more system configuration revisions.
system/config-revision/file/ GET Download a specific configuration revision.
system/config-revision/info/ GET Retrieve meta information for a specific configuration revision.
system/config-revision/save/ POST Create a new config revision checkpoint.
system/current-admins/select/ GET Return a list of currently logged in administrators.
system/disconnect- POST Disconnects logged in administrators.

admins/select/
system/time/set/ POST Sets current system time stamp.
system/time/select/ GET Gets current system time stamp.
system/os/reboot/ POST Immediately reboot this device.
system/os/shutdown/ POST Immediately shutdown this device.
system/global-resources/select/ GET Retrieve current usage of global resources as well as both the

default and user configured maximum values.
system/vdom-resource/select/ GET Retrieve VDOM resource information, including CPU and

memory usage.
system/dhcp/select/ GET Returns a list of all DHCP IPv4 and IPv6 DHCP leases.
system/dhcp/revoke/ POST Revoke IPv4 DHCP leases.
system/dhcp6/revoke/ POST Revoke IPv6 DHCP leases.
system/firmware/select/ GET Retrieve a list of firmware images available to use for upgrade

on this device.

Monitor API 36
system/firmware/upgrade/ POST Upgrade firmware image on this device using uploaded file.
system/firmware/upgrade-paths/ GET Retrieve a list of supported firmware upgrade paths.
system/fsck/start/ POST Set file system check flag so that it will be executed on next

device reboot.
system/storage/select/ GET Retrieve information for the non-boot disk.
system/change-password/select/ POST Save admin and guest-admin passwords.
system/password-policy- POST Check whether password conforms to the password policy.

conform/select/
system/csf/select/ GET Retrieve a full tree of downstream FortiGates registered to the

Security Fabric.
system/csf/pending- GET Retrieve FortiGates with pending authorizations for joining the

authorizations/ Security Fabric. Note:- This list is currently available on
Security Fabric root only.
system/modem/select/ GET Retrieve statistics for internal/external configured modem.
system/modem/reset/ POST Reset statistics for internal/external configured modem.
system/modem/connect/ POST Trigger a connect for the configured modem.
system/modem/disconnect/ POST Trigger a disconnect for the configured modem.
system/modem/update/ POST Update supported modem list from FortiGuard.
system/3g-modem/select/ GET List all 3G modems available via FortiGuard.
system/resource/usage/ GET Retreive current and historical usage data for a provided

resource.
system/sniffer/select/ GET Return a list of all configured packet captures.
system/sniffer/restart/ POST Restart specified packet capture.
system/sniffer/start/ POST Start specified packet capture.
system/sniffer/stop/ POST Stop specified packet capture.
system/sniffer/download/ GET Download a stored packet capture.
system/automation-stitch/stats/ GET Stats for automation stitches.
system/automation-stitch/test/ POST Triggers an automation stitch for testing purposes.
switch-controller/managed- GET Retrieve statistics for configured FortiSwitches

switch/select/
switch-controller/managed- POST Update administrative state for a given FortiSwitch (enable or

switch/update/ disable authorization).

Monitor API 37
switch-controller/managed- POST Restart a given FortiSwitch.

switch/restart/
switch-controller/managed- POST Reset PoE on a given FortiSwitch's port.

switch/poe-reset/
switch-controller/managed- GET Retrieve XML for rendering FortiSwitch faceplate widget.

switch/faceplate-xml/
switch-controller/managed- POST Send 'Factory Reset' command to a given FortiSwitch.

switch/factory-reset/
switch-controller/managed- GET Retrieve DHCP servers monitored by FortiSwitches.

switch/dhcp-snooping/
switch-controller/fsw- GET Retrieve a list of recommended firmware for managed

firmware/select/ FortiSwitches.
switch-controller/fsw- POST Download FortiSwitch firmware from FortiGuard to the

firmware/download/ FortiGate according to FortiSwitch image ID.
switch-controller/fsw- POST Push FortiSwitch firmware to the given device.

firmware/push/
switch-controller/fsw- POST Upload FortiSwitch firmware to the management FortiGate

firmware/upload/ and then push to target FortiSwitches.
switch-controller/detected- GET Retrieve a list of devices detected on all switches.

device/select/
switch-controller/validate-switch- GET Validate a FortiSwitch serial number prefix.

prefix/select/
system/interface/select/ GET Retrieve statistics for all system interfaces.
system/interface/dhcp-status/ GET Retrieve the DHCP client status of an interface.
system/interface/dhcp-renew/ POST Renew DHCP lease of an interface.
system/available- GET Retrieve a list of all interfaces along with some meta

interfaces/select/ information regarding their availability.
system/acquired-dns/select/ GET Retrieve a list of interfaces and their acquired DNS servers.
system/resolve-fqdn/select/ GET Resolves the provided FQDNs to FQDN -> IP mappings.
system/nat46-ippools/select/ GET Retrieve a list of all IPv6 IP pools that are valid for NAT 46

policies.
system/usb-log/select/ GET Retrieve information about connected USB drives, including

estimated log sizes.
system/usb-log/start/ POST Start backup of logs from current VDOM to USB drive.
system/usb-log/stop/ POST Stop backup of logs to USB drive.

Monitor API 38
system/usb-device/eject/ POST Eject USB drives for safe removal.
system/ipconf/select/ GET Determine if there is an IP conflict for a specific IP using ARP.
system/fortiguard/update/ POST Immediately update status for FortiGuard services.
system/fortiguard/clear-statistics/ POST Immediately clear all FortiGuard statistics.
system/fortiguard/test- POST Test availability of FortiGuard services.

availability/
system/fortiguard/server-info/ GET Get FortiGuard server list and information.
system/fortimanager/status/ GET Get FortiManager status.
system/fortimanager/config/ POST Configure FortiManager IP. Register FortiManager if

'fortimanager_ip' is provided. Unregister FortiManager if only
'unregister' parameter is specified and set to true.
system/fortimanager/backup- GET Get FortiManager backup summary.

summary/
system/fortimanager/backup- POST Import or update from FortiManager objects.

action/
system/fortimanager/backup- GET Get the properties of a FortiManager object.

details/
system/available- GET Get available certificates.

certificates/select/
system/certificate/download/ GET Download certificate.
system/debug/download/ GET Download debug report for technical support.
system/com-log/dump/ POST Dump system com-log to file.
system/com-log/update/ GET Fetch system com-log file dump progress.
system/com-log/download/ GET Download com-log file (after file dump is complete).
system/botnet/stat/ GET Retrieve statistics for FortiGuard botnet database.
system/botnet/select/ GET List all known IP-based botnet entries in FortiGuard botnet

database.
system/botnet-domains/select/ GET List all known domain-based botnet entries in FortiGuard

botnet database.
system/botnet-domains/stat/ GET List statistics on domain-based botnet entries in FortiGuard

botnet database.
system/botnet-domains/hits/ GET List hit botnet domains with hit count > 0.
system/ha-statistics/select/ GET List of statistics for members of HA cluster.
system/ha-history/select/ GET Get HA cluster historical logs.

Monitor API 39
system/ha-checksums/select/ GET List of checksums for members of HA cluster.
system/ha-peer/select/ GET Get configuration of peer(s) in HA cluster. Uptime is expressed

in seconds.
system/ha-peer/update/ POST Update configuration of peer in HA cluster.
system/ha-peer/disconnect/ POST Update configuration of peer in HA cluster.
system/link-monitor/select/ GET Retrieve per-interface statistics for active link monitors.
system/compliance/run/ POST Immediately run compliance checks for the selected VDOM.
system/config/restore/ POST Restore system configuration from uploaded file or from USB.
system/config/backup/ GET Backup system config
system/config/usb-filelist/ GET List configuration files available on connected USB drive.
system/sandbox/stats/ GET Retrieve sandbox statistics.
system/sandbox/status/ GET Retrieve sandbox status.
system/sandbox/test-connect/ GET Test the connectivity of a given FortiSandbox IP.
system/object/usage/ GET Retrieve all objects that are currently using as well as objects

that can use the given object.
system/object-tagging/usage/ GET Retrieve usage count for tags in all tag categories.
system/status/select/ GET Retrieve basic system status.
system/timezone/select/ GET Get world timezone and daylight saving time.
system/vmlicense/upload/ POST Update VM license using uploaded file. Reboots immediately if

successful.
system/sensor-info/select/ GET Retrieve system sensor status.
system/security-rating/select/ GET Retrieve a Security Rating result. Without file specified, returns

the most recent result.
system/security-rating/history/ GET Retrieve Security Rating history.
system/security-rating/trigger/ POST Trigger a Security Rating.
system/security-rating/status/ GET Check if a Security Rating is currently running.
system/security-rating/lang/ GET Returns the requested Security Rating language mapping.
system/fortiguard- GET Retrieve blacklist information for a specified IP.

blacklist/select/
system/check-port- GET Check whether a list of TCP port ranges is available for a

availability/select/ certain service.
system/external-resource/entry- GET Retrieve resource file status with a list of valid/invalid entries

list/ (skip empty and comment lines) for the specific external
resource.

Monitor API 40
extender- GET Retrieve statistics for specific configured FortiExtender units.

controller/extender/select/
extender- POST Reset a specific FortiExtender unit.

controller/extender/reset/
system/sdn-connector/status/ GET Retrieve connection status for SDN connectors.
system/sdn-connector/validate- POST Validate a string representing a private key from GCP in PEM

gcp-key/ format.
user/firewall/select/ GET List authenticated firewall users.
user/firewall/deauth/ POST Deauthenticate single, multiple, or all firewall users.
user/banned/select/ GET Return a list of all banned users by IP.
user/banned/clear_users/ POST Immediately clear a list of specific banned users by IP.
user/banned/add_users/ POST Immediately add one or more users to the banned list.
user/banned/clear_all/ POST Immediately clear all banned users.
user/fortitoken/select/ GET Retrieve a map of FortiTokens and their status.
user/fortitoken/activate/ POST Activate a set of FortiTokens by serial number.
user/detected-device/select/ GET Retrieve a list of detected devices.
user/device/select/ GET Retrieve a list of detected devices.
user/device-type/select/ GET Retrieve a list of device types.
user/device-category/select/ GET Retrieve a list of device categories.
user/fortitoken/refresh/ POST Refresh a set of FortiTokens by serial number.
user/fortitoken/provision/ POST Provision a set of FortiTokens by serial number.
user/fortitoken/send-activation/ POST Send a FortiToken activation code to a user via SMS or Email.
user/fortitoken/import-trial/ POST Import trial mobile FortiTokens.
user/fortitoken/import-mobile/ POST Import a list of tokens from FortiGuard to the FortiGate unit.
user/fortitoken/import-seed/ POST Import a FortiToken seed file.
user/fsso/refresh-server/ POST Refresh remote agent group list for all fsso agents.
user/fsso/select/ GET Get a list of fsso and fsso polling status.
user/radius/test-connect/ POST Test the connectivity of the given RADIUS server and,

optionally, the validity of a username & password.
user/tacacs-plus/test/ POST Test the connectivity of the given TACACS+ server.
utm/rating-lookup/select/ GET Lookup FortiGuard rating for a specific URL.

Monitor API 41
utm/app-lookup/select/ GET Query remote FortiFlow database to resolve hosts to

application control entries.
utm/application- GET Retrieve a list of application control categories.

categories/select/
utm/antivirus/stats/ GET Retrieve antivirus scanning statistics.
virtual-wan/health-check/select/ GET Retrieve health-check statistics for each SD-WAN link.
virtual-wan/members/select/ GET Retrieve interface statistics for each SD-WAN link.
webfilter/override/select/ GET List all administrative and user initiated webfilter overrides.
webfilter/override/delete/ POST Delete a configured webfilter override.
webfilter/malicious-urls/select/ GET List all URLs in FortiSandbox malicious URL database.
webfilter/malicious-urls/stat/ GET Retrieve statistics for the FortiSandbox malicious URL

database.
webfilter/category-quota/select/ GET Retrieve quota usage statistics for webfilter categories.
webfilter/category-quota/reset/ POST Reset webfilter quota for user or IP.
webfilter/fortiguard- GET Return FortiGuard web filter categories.

categories/select/
webfilter/trusted-urls/select/ GET List all URLs in FortiGuard trusted URL database.
vpn/ipsec/select/ GET Return an array of active IPsec VPNs.
vpn/ipsec/tunnel_up/ POST Bring up a specific IPsec VPN tunnel.
vpn/ipsec/tunnel_down/ POST Bring down a specific IPsec VPN tunnel.
vpn/ipsec/tunnel_reset_stats/ POST Reset statistics for a specific IPsec VPN tunnel.
vpn/one-click/members/ GET Get information on devices registered in the Overlay Controller

VPN cloud assisted group.
vpn/one-click/status/ GET Get the last status message from FortiCloud Overlay

Controller VPN cloud service.
vpn/ssl/select/ GET Retrieve a list of all SSL-VPN sessions and sub-sessions.
vpn/ssl/clear_tunnel/ POST Remove all active tunnel sessions in current virtual domain.
vpn/ssl/delete/ POST Terminate the provided SSL-VPN session.
vpn/ssl/stats/ GET Return statistics about the SSL-VPN.
vpn-certificate/ca/import/ POST Import CA certificate.
vpn-certificate/crl/import/ POST Import certificate revocation lists (CRL) from file content.
vpn-certificate/local/import/ POST Import local certificate.

Monitor API 42
vpn-certificate/remote/import/ POST Import remote certificate.
vpn-certificate/csr/generate/ POST Generate a certificate signing request (CSR) and a private key.

The CSR can be retrieved / downloaded from CLI, GUI and
REST API.
wanopt/history/select/ GET Retrieve WAN opt. statistics history.
wanopt/history/reset/ POST Reset WAN opt. statistics.
wanopt/webcache/select/ GET Retrieve webcache statistics history.
wanopt/webcache/reset/ POST Reset webcache statistics.
wanopt/peer_stats/select/ GET Retrieve a list of WAN opt peer statistics.
wanopt/peer_stats/reset/ POST Reset WAN opt peer statistics.
webproxy/pacfile/download/ GET Download webproxy PAC file.
webcache/stats/select/ GET Retrieve webcache statistics.
webcache/stats/reset/ POST Reset all webcache statistics.
wifi/client/select/ GET Retrieve a list of connected WiFi clients.
wifi/managed_ap/select/ GET Retrieve a list of managed FortiAPs.
wifi/managed_ap/set_status/ POST Update administrative state for a given FortiAP (enable or

disable authorization).
wifi/firmware/select/ GET Retrieve a list of current and recommended firmware for

FortiAPs in use.
wifi/firmware/download/ POST Download FortiAP firmware from FortiGuard to the FortiGate

according to FortiAP image ID.
wifi/firmware/push/ POST Push FortiAP firmware to the given device.
wifi/firmware/upload/ POST Upload FortiAP firmware to the management FortiGate and

then push to target FortiAPs.
wifi/managed_ap/restart/ POST Restart a given FortiAP.
wifi/ap_status/select/ GET Retrieve statistics for all managed FortiAPs.
wifi/interfering_ap/select/ GET Retrieve a list of interfering APs for one FortiAP radio.
wifi/euclid/select/ GET Retrieve presence analytics statistics.
wifi/euclid/reset/ POST Reset presence analytics statistics.
wifi/rogue_ap/select/ GET Retrieve a list of detected rogue APs.
wifi/rogue_ap/clear_all/ POST Clear all detected rogue APs.
wifi/rogue_ap/set_status/ POST Mark detected APs as rogue APs.
wifi/spectrum/select/ GET Retrieve spectrum analysis information for a specific FortiAP.

Monitor API 43
endpoint-control
profile: xml
Summary List XML representation for each endpoint-control profile.
URI endpoint-control/profile/xml/
HTTP Method GET
Action xml
Access Group utmgrp.endpoint-control
Response Type array
Extra parameters
mkey string Name of endpoint-control profile. No
registration-password: check
Summary Check if provided registration password is valid for current VDOM.
URI endpoint-control/registration-password/check/
HTTP Method POST
Action check
Response Type boolean
Extra parameters
password string Registration password to test. Yes
record-list: select
Summary List endpoint records.
URI endpoint-control/record-list/select/
HTTP Method GET
Action select

Monitor API 44
Response Type array
Extra parameters
intf_name string Filter: Name of interface where the endpoint was detected. No
registration: summary
Summary Summary of FortiClient registrations.
URI endpoint-control/registration/summary/
HTTP Method GET
Action summary
registration: quarantine
Summary Quarantine endpoint by FortiClient UID or MAC.
URI endpoint-control/registration/quarantine/
HTTP Method POST
Action quarantine
Extra parameters
uid array Array of FortiClient UIDs to quarantine. No
uid string Single FortiClient UID to quarantine. No
mac array Array of MACs to quarantine. No
mac string Single MAC to quarantine. No
registration: unquarantine
Summary Unquarantine endpoint by FortiClient UID or MAC.

Monitor API 45
URI endpoint-control/registration/unquarantine/
HTTP Method POST
Action unquarantine
Extra parameters
uid array Array of FortiClient UIDs to unquarantine. No
uid string Single FortiClient UID to unquarantine. No
mac array Array of MACs to unquarantine. No
mac string Single MAC to unquarantine. No
registration: block
Summary Block endpoint by FortiClient UID or MAC.
URI endpoint-control/registration/block/
HTTP Method POST
Action block
Extra parameters
uid array Array of FortiClient UIDs to block. No
uid string Single FortiClient UID to block. No
mac array Array of MACs to block. No
mac string Single MAC to block. No
registration: unblock
Summary Unblock endpoint by FortiClient UID or MAC.
URI endpoint-control/registration/unblock/
HTTP Method POST
Action unblock

Monitor API 46
Extra parameters
uid array Array of FortiClient UIDs to unblock. No
uid string Single FortiClient UID to unblock. No
mac array Array of MACs to unblock. No
mac string Single MAC to unblock. No
registration: deregister
Summary Deregister endpoint by FortiClient UID or MAC.
URI endpoint-control/registration/deregister/
HTTP Method POST
Action deregister
Extra parameters
uid array Array of FortiClient UIDs to deregister. No
uid string Single FortiClient UID to deregister. No
mac array Array of MACs to deregister. No
mac string Single MAC to deregister. No
installer: select
Summary List available FortiClient installers.
URI endpoint-control/installer/select/
HTTP Method GET
Action select
Extra parameters
min_version string Filter: Minimum installer version. (String of the format n[.n[.n]]). No

Monitor API 47
installer: download
Summary Download a FortiClient installer via FortiGuard.
URI endpoint-control/installer/download/
HTTP Method GET
Action download
Extra parameters
mkey string Name of installer (image_id). Yes
avatar: download
Summary Download an endpoint avatar image.
URI endpoint-control/avatar/download/
HTTP Method GET
Action download
Extra parameters
uid string Single FortiClient UID. No
user string User name of the endpoint. No
alias string Alias of the device. Used to lookup device avatar when endpoint No

avatar is not available.
default string Default avatar name ['authuser'|'unauthuser'|'authuser_ No

72'|'unauthuser_72']. Default avatar when endpoint / device avatar is
not available. If default is not set, Not found 404 is returned.

Monitor API 48
firewall
health: select
Summary List configured load balance server health monitors.
URI firewall/health/select/
HTTP Method GET
Action select
Access Group sysgrp.cfg
Response Type array
local-in: select
Summary List implicit and explicit local-in firewall policies.
URI firewall/local-in/select/
HTTP Method GET
Action select
Access Group fwgrp.policy
Response Type array
acl: select
Summary List counters for all IPv4 ACL.
URI firewall/acl/select/
HTTP Method GET
Action select
acl: clear_counters
Summary Reset counters for one or more IPv4 ACLs by policy ID.
URI firewall/acl/clear_counters/
HTTP Method POST
Action clear_counters

Monitor API 49
Extra parameters
policy array Array of policy IDs to reset. No
policy int Single policy ID to reset. No
acl6: select
Summary List counters for all IPv6 ACL.
URI firewall/acl6/select/
HTTP Method GET
Action select
acl6: clear_counters
Summary Reset counters for one or more IPv6 ACLs by policy ID.
URI firewall/acl6/clear_counters/
HTTP Method POST
Extra parameters
internet-service-match: select
Summary List internet services that exist at a given IP or Subnet.
URI firewall/internet-service-match/select/
HTTP Method GET
Action select
Access Group fwgrp.address
Response Type array

Monitor API 50
Extra parameters
ip string IP (in dot-decimal notation). Yes
mask string IP Mask (in dot-decimal notation). Yes
internet-service-details: select
Summary List all details for a given Internet Service ID.
URI firewall/internet-service-details/select/
HTTP Method GET
Action select
Extra parameters
id int ID of the Internet Service to get details for. Yes
policy: select
Summary List traffic statistics for IPv4 policies.
URI firewall/policy/select/
HTTP Method GET
Action select
Response Type array
Extra parameters
policyid int Filter: Policy ID. No
policy: reset
Summary Reset traffic statistics for all IPv4 policies.

Monitor API 51
URI firewall/policy/reset/
HTTP Method POST
Action reset
policy: clear_counters
Summary Reset traffic statistics for one or more IPv4 policies by policy ID.
URI firewall/policy/clear_counters/
HTTP Method POST
Extra parameters
policy6: select
Summary List traffic statistics for IPv6 policies.
URI firewall/policy6/select/
HTTP Method GET
Action select
Response Type array
Extra parameters

Monitor API 52
policy6: reset
Summary Reset traffic statistics for all IPv6 policies.
URI firewall/policy6/reset/
HTTP Method POST
Action reset
policy6: clear_counters
Summary Reset traffic statistics for one or more IPv6 policies by policy ID.
URI firewall/policy6/clear_counters/
HTTP Method POST
Extra parameters
proxy-policy: select
Summary List traffic statistics for all explicit proxy policies.
URI firewall/proxy-policy/select/
HTTP Method GET
Action select
proxy-policy: clear_counters
Summary Reset traffic statistics for one or more explicit proxy policies by policy ID.
URI firewall/proxy-policy/clear_counters/
HTTP Method POST

Monitor API 53
Extra parameters
policy-lookup: select
Summary Performs a policy lookup by creating a dummy packet and asking the kernel which
policy would be hit.
URI firewall/policy-lookup/select/
HTTP Method GET
Action select
Extra parameters
ipv6 boolean Perform an IPv6 lookup? No
srcintf string Source interface. Yes
sourceport int Source port. No
sourceip string Source IP. No
protocol string Protocol. Yes
dest string Destination IP/FQDN. Yes
destport int Destination port. No
icmptype int ICMP type. No
icmpcode int ICMP code. No
session: select
Summary List all active firewall sessions (optionally filtered).

Monitor API 54
URI firewall/session/select/
HTTP Method GET
Action select
Response Type array
Extra parameters
ip_version string IP version [*ipv4 | ipv6 | ipboth]. No
count int Maximum number of entries to return. Valid range is [20, 1000]; if Yes

a value is specified out of that range, it will be rounded up or
down.
summary boolean Enable/disable inclusion of session summary (setup rate, total No

sessions, etc).
sourceport int Filter: Source port. No
policytype string Filter: Policy type [policy|policy6]. No
application int Filter: Application ID. No
application string Filter: Application PROTO/PORT. (e.g. "TCP/443") No
protocol string Filter: Protocol name [all|igmp|tcp|udp|icmp|etc]. No
destport int Filter: Destination port. No
srcintf string Filter: Source interface name. No
dstintf string Filter: Destination interface name. No
srcintfrole array Filter: Source interface roles. No
dstintfrole array Filter: Destination interface roles. No
source string Filter: Source IP address. No
destination string Filter: Destination IP address. No
username string Filter: Authenticated username. No
shaper string Filter: Forward traffic shaper name. No
country string Filter: Destination country name. No
natsourceaddress string Filter: NAT source address. No
natsourceport string Filter: NAT source port. No

Monitor API 55
session: clear_all
Summary Immediately clear all active IPv4 and IPv6 sessions and IPS sessions of current
VDOM.
URI firewall/session/clear_all/
HTTP Method POST
Action clear_all
Response Type int
session: close
Summary Close a specific firewall session that matches all provided criteria.
URI firewall/session/close/
HTTP Method POST
Action close
Extra parameters
pro string Protocol name [tcp|udp|icmp|...]. Yes
saddr string Source address. Yes
daddr string Destination address. Yes
sport int Source port. Yes
dport int Destination port. Yes
shaper: select
Summary List of statistics for configured firewall shared traffic shapers.
URI firewall/shaper/select/
HTTP Method GET
Action select
Access Group fwgrp.others
Response Type array

Monitor API 56
shaper: reset
Summary Reset statistics for all configured traffic shapers.
URI firewall/shaper/reset/
HTTP Method POST
Action reset
per-ip-shaper: select
Summary List of statistics for configured firewall per-IP traffic shapers.
URI firewall/per-ip-shaper/select/
HTTP Method GET
Action select
Response Type array
per-ip-shaper: reset
Summary Reset statistics for all configured firewall per-IP traffic shapers.
URI firewall/per-ip-shaper/reset/
HTTP Method POST
Action reset
load-balance: select
Summary List all firewall load balance servers.
URI firewall/load-balance/select/
HTTP Method GET
Action select
Response Type array

Monitor API 57
Extra parameters
count int Maximum number of entries to return. Yes
address-fqdns: select
Summary List of FQDN address objects and the IPs they resolved to.
URI firewall/address-fqdns/select/
HTTP Method GET
Action select
address-fqdns6: select
Summary List of IPv6 FQDN address objects and the IPs they resolved to.
URI firewall/address-fqdns6/select/
HTTP Method GET
Action select
ippool: select
Summary List IPv4 pool statistics.
URI firewall/ippool/select/
HTTP Method GET
Action select

Monitor API 58
address-dynamic: select
Summary List of Fabric Connector address objects and the IPs they resolve to.
URI firewall/address-dynamic/select/
HTTP Method GET
Action select
address6-dynamic: select
Summary List of IPv6 Fabric Connector address objects and the IPs they resolve to.
URI firewall/address6-dynamic/select/
HTTP Method GET
Action select
geoip
geoip-query: select
Summary Retrieve location details for IPs queried against FortiGuard's geoip service.
URI geoip/geoip-query/select/
HTTP Method GET
Action select
Extra parameters
ip_addresses string One or more IP address strings to query for location details. Yes

Monitor API 59
ips
rate-based: select
Summary Returns a list of rate-based signatures in IPS package.
URI ips/rate-based/select/
HTTP Method GET
Action select
Access Group utmgrp.ips
Response Type array
license
status: select
Summary Get current license & registration status.
URI license/status/select/
HTTP Method GET
Action select
database: upgrade
Summary Upgrade a license database on this device using uploaded file.
URI license/database/upgrade/
HTTP Method POST
Action upgrade
Access Group sysgrp.upd
Extra parameters
db_name string Security service database name [ips_appctrl|antivirus|...] Yes

Monitor API 60
file_content string Provided when uploading a file: base64 encoded file data. Must not No

contain whitespace or other invalid base64 characters. Must be
included in HTTP body.
forticare-resellers: select
Summary Get current FortiCare resellers for the requested country.
URI license/forticare-resellers/select/
HTTP Method GET
Action select
Extra parameters
country_code int FortiGuard country code No
forticare-org-list: select
Summary Get FortiCare organization size and industry lists.
URI license/forticare-org-list/select/
HTTP Method GET
Action select
log
current-disk-usage: select
Summary Return current used, free and total disk bytes.
URI log/current-disk-usage/select/
HTTP Method GET

Monitor API 61
Action select
Access Group loggrp.data-access
device: state
Summary Retrieve information on state of log devices.
URI log/device/state/
HTTP Method GET
Action state
forticloud: select
Summary Return FortiCloud log status.
URI log/forticloud/select/
HTTP Method GET
Action select
Access Group loggrp.config
fortianalyzer: select
Summary Return FortiAnalyzer/FortiManager log status.
URI log/fortianalyzer/select/
HTTP Method GET
Action select
Extra parameters
server string FortiAnalyzer/FortiManager address. No

Monitor API 62
fortianalyzer-queue: select
Summary Retrieve information on FortiAnalyzer's queue state. Note:- FortiAnalyzer logs are
queued only if upload-option is realtime.
URI log/fortianalyzer-queue/select/
HTTP Method GET
Action select
Extra parameters
scope string Scope from which to retrieve FortiAnalyzer's queue state No

[vdom*|global].
hourly-disk-usage: select
Summary Return historic hourly disk usage in bytes.
URI log/hourly-disk-usage/select/
HTTP Method GET
Action select
historic-daily-remote-logs: select
Summary Returns the amount of logs in bytes sent daily to a remote logging service
(FortiCloud or FortiAnalyzer).
URI log/historic-daily-remote-logs/select/
HTTP Method GET
Action select

Monitor API 63
Extra parameters
server string Service name [forticloud | fortianalyzer]. Yes
stats: select
Summary Return number of logs sent by category per day for a specific log device.
URI log/stats/select/
HTTP Method GET
Action select
Response Type array
Extra parameters
dev string Log device [*memory | disk | fortianalyzer | forticloud]. No
stats: reset
Summary Reset logging statistics for all log devices.
URI log/stats/reset/
HTTP Method POST
Action reset
forticloud-report: download
Summary Download PDF report from FortiCloud.
URI log/forticloud-report/download/
HTTP Method GET
Action download

Monitor API 64
Extra parameters
mkey int FortiCloud Report ID. Yes
inline int Set to 1 to download the report inline. No
ips-archive: download
Summary Download IPS/application control packet capture files. Uses configured log
display device.
URI log/ips-archive/download/
HTTP Method GET
Action download
Extra parameters
mkey int IPS archive ID. Yes
pcap_no int Packet capture roll number (required when log device is 'disk') No
pcap_category int Packet capture category (required when log device is 'disk') No
policy-archive: download
Summary Download policy-based packet capture archive.
URI log/policy-archive/download/
HTTP Method GET
Action download
Extra parameters
mkey int Session ID (from traffic log). Yes

Monitor API 65
srcip string Source IP. Yes
dstip string Destination IP. Yes
av-archive: download
Summary Download file quarantined by AntiVirus.
URI log/av-archive/download/
HTTP Method GET
Action download
Extra parameters
mkey string Checksum for quarantined file. Yes
event: select
Summary List all event log descriptions.
URI log/event/select/
HTTP Method GET
Action select
Access Group any
Response Type array
registration
forticloud: login
Summary Login to FortiCloud.
URI registration/forticloud/login/
HTTP Method POST

Monitor API 66
Action login
Extra parameters
email string Account email. Yes
password string Account password. Yes
send_logs boolean Send logs to FortiCloud. No
domain string FortiCloud domain. No
forticloud: create
Summary Create a FortiCloud account.
URI registration/forticloud/create/
HTTP Method POST
Action create
Extra parameters
send_logs boolean Send logs to FortiCloud. No
forticloud: logout
Summary Logout from FortiCloud.
URI registration/forticloud/logout/
HTTP Method POST
Action logout

Monitor API 67
forticloud: disclaimer
Summary Retrieve the FortiCloud disclaimer.
URI registration/forticloud/disclaimer/
HTTP Method GET
Action disclaimer
forticloud: domains
Summary Retrieve a list of FortiCloud login domains.
URI registration/forticloud/domains/
HTTP Method GET
Action domains
forticare: login
Summary Login to FortiCare.
URI registration/forticare/login/
HTTP Method POST
Action login
Extra parameters
reseller_name string Reseller name. Yes
reseller_id int Reseller ID. Yes

Monitor API 68
forticare: create
Summary Create a new FortiCare account.
URI registration/forticare/create/
HTTP Method POST
Action create
Extra parameters
first_name string First name. Yes
last_name string Last name. Yes
title string Title. No
company string Company. Yes
address string Address. Yes
city string City. Yes
country_code int Country code. Yes
state string State/Province. Yes
state_code string State/Province code. No
postal_code string Postal code. Yes
phone string Phone number. Yes
fax string Fax number. No
industry string Industry. Yes
industry_id int Industry ID. Yes
orgsize_id int Organization size ID. Yes
reseller_name string Reseller name. Yes
reseller_id int Reseller ID. Yes

Monitor API 69
forticare: add-license
Summary Add a FortiCare license.
URI registration/forticare/add-license/
HTTP Method POST
Action add-license
Extra parameters
registration_ string FortiCare contract number. Yes

code
router
ipv4: select
Summary List all active IPv4 routing table entries.
URI router/ipv4/select/
HTTP Method GET
Action select
Access Group netgrp.route-cfg
Response Type array
Extra parameters
count int Maximum number of entries to return (Default for all routes). No
ip_mask string Filter: IP/netmask. No
gateway string Filter: gateway. No
type string Filter: route type. No
interface string Filter: interface name. No

Monitor API 70
ipv6: select
Summary List all active IPv6 routing table entries.
URI router/ipv6/select/
HTTP Method GET
Action select
Response Type array
Extra parameters
count int Maximum number of entries to return (Default for all routes). No
statistics: select
Summary Retrieve routing table statistics, including number of matched routes.
URI router/statistics/select/
HTTP Method GET
Action select
Extra parameters
ip_version int IP version (4|6). If not present, IPv4 and IPv6 will be returned. No

Monitor API 71
lookup: select
Summary Performs a route lookup by querying the routing table.
URI router/lookup/select/
HTTP Method GET
Action select
Extra parameters
ipv6 boolean Perform an IPv6 lookup? No
destination string Destination IP/FQDN Yes
policy: select
Summary Retrieve a list of active IPv4 policy routes.
URI router/policy/select/
HTTP Method GET
Action select
Extra parameters
count_only boolean Returns the number of IPv4 policy routes only. No
policy6: select
Summary Retrieve a list of active IPv6 policy routes.
URI router/policy6/select/
HTTP Method GET

Monitor API 72
Action select
Extra parameters
count_only boolean Returns the number of IPv6 policy routes only. No
system
admin: toggle-vdom-mode
Summary Toggles VDOM mode on/off. Enables or disables VDOM mode if it is disabled or
enabled respectively.
URI system/admin/toggle-vdom-mode/
HTTP Method POST
Action toggle-vdom-mode
api-user: generate-key
Summary Generate a new api-key for the specified api-key-auth admin. The old api-key will
be replaced. The response contains the only chance to read the new api-key
plaintext in the api_key field.
URI system/api-user/generate-key/
HTTP Method POST
Action generate-key
Access Group sysgrp.admin
Extra parameters
api-user string Generate a new token for this api-user. Yes

Monitor API 73
config-revision: select
Summary Returns a list of system configuration revisions.
URI system/config-revision/select/
HTTP Method GET
Action select
config-revision: update-comments
Summary Updates comments for a system configuration file.
URI system/config-revision/update-comments/
HTTP Method POST
Action update-comments
Extra parameters
config_id int Configuration id. No
comments string Configuration comments. No
config-revision: delete
Summary Deletes one or more system configuration revisions.
URI system/config-revision/delete/
HTTP Method POST
Action delete

Monitor API 74
Extra parameters
config_ids array List of configuration ids. Yes
config-revision: file
Summary Download a specific configuration revision.
URI system/config-revision/file/
HTTP Method GET
Action file
Extra parameters
config-revision: info
Summary Retrieve meta information for a specific configuration revision.
URI system/config-revision/info/
HTTP Method GET
Action info
Extra parameters
config-revision: save
Summary Create a new config revision checkpoint.

Monitor API 75
URI system/config-revision/save/
HTTP Method POST
Action save
Extra parameters
comments string Optional revision comments No
current-admins: select
Summary Return a list of currently logged in administrators.
URI system/current-admins/select/
HTTP Method GET
Action select
Response Type array
disconnect-admins: select
Summary Disconnects logged in administrators.
URI system/disconnect-admins/select/
HTTP Method POST
Action select
Extra parameters
id int Admin ID No
method string Login method used to connect admin to FortiGate. No
admins array List of objects with admin id and method. No

Monitor API 76
time: set
Summary Sets current system time stamp.
URI system/time/set/
HTTP Method POST
Action set
Extra parameters
year int Specifies the year for setting/updating time manually. Yes
month int Specifies the month (0 - 11) for setting/updating time manually. Yes
day int Specifies the day for setting/updating time manually. Yes
hour int Specifies the hour (0 - 23) for setting/updating time manually. Yes
minute int Specifies the minute (0 - 59) for setting/updating time manually. Yes
second int Specifies the second (0 - 59) for setting/updating time manually. Yes
time: select
Summary Gets current system time stamp.
URI system/time/select/
HTTP Method GET
Action select
os: reboot
Summary Immediately reboot this device.
URI system/os/reboot/
HTTP Method POST
Action reboot

Monitor API 77
Extra parameters
event_log_ string Message to be logged in event log. No

message
os: shutdown
Summary Immediately shutdown this device.
URI system/os/shutdown/
HTTP Method POST
Action shutdown
Extra parameters
event_log_ string Message to be logged in event log. No

message
global-resources: select
Summary Retrieve current usage of global resources as well as both the default and user
configured maximum values.
URI system/global-resources/select/
HTTP Method GET
Action select
vdom-resource: select
Summary Retrieve VDOM resource information, including CPU and memory usage.

Monitor API 78
URI system/vdom-resource/select/
HTTP Method GET
Action select
dhcp: select
Summary Returns a list of all DHCP IPv4 and IPv6 DHCP leases.
URI system/dhcp/select/
HTTP Method GET
Action select
Access Group netgrp.cfg
Response Type array
Extra parameters
ipv6 boolean Include IPv6 addresses in the response. No
dhcp: revoke
Summary Revoke IPv4 DHCP leases.
URI system/dhcp/revoke/
HTTP Method POST
Action revoke
Extra parameters
ip array Optional list of addresses to revoke. Defaults to all addresses if not No
provided.
dhcp6: revoke
Summary Revoke IPv6 DHCP leases.

Monitor API 79
URI system/dhcp6/revoke/
HTTP Method POST
Action revoke
Extra parameters
ip array Optional list of addresses to revoke. Defaults to all addresses if not No
provided.
firmware: select
Summary Retrieve a list of firmware images available to use for upgrade on this device.
URI system/firmware/select/
HTTP Method GET
Action select
Access Group sysgrp.mnt
firmware: upgrade
Summary Upgrade firmware image on this device using uploaded file.
URI system/firmware/upgrade/
HTTP Method POST
Action upgrade
Extra parameters
source string Firmware file data source [upload|usb|fortiguard]. Yes
filename string Name of file on fortiguard or USB disk to upgrade to. No
format_ boolean Set to true to format boot partition before upgrade. No

partition

Monitor API 80

firmware: upgrade-paths
Summary Retrieve a list of supported firmware upgrade paths.
URI system/firmware/upgrade-paths/
HTTP Method GET
Action upgrade-paths
fsck: start
Summary Set file system check flag so that it will be executed on next device reboot.
URI system/fsck/start/
HTTP Method POST
Action start
storage: select
Summary Retrieve information for the non-boot disk.
URI system/storage/select/
HTTP Method GET
Action select
change-password: select
Summary Save admin and guest-admin passwords.
URI system/change-password/select/
HTTP Method POST
Action select
Access Group any

Monitor API 81
Extra parameters
mkey string User ID for password change. No
old_password string Old password. No
new_password string New password. No
password-policy-conform: select
Summary Check whether password conforms to the password policy.
URI system/password-policy-conform/select/
HTTP Method POST
Action select
Access Group any
Extra parameters
mkey string User ID for password change. No
apply_to string Password Policy ID. No
password string Password. No
old_password string Old password. No
csf: select
Summary Retrieve a full tree of downstream FortiGates registered to the Security Fabric.
URI system/csf/select/
HTTP Method GET
Action select
Access Group secfabgrp

Monitor API 82
csf: pending-authorizations
Summary Retrieve FortiGates with pending authorizations for joining the Security Fabric.
Note:- This list is currently available on Security Fabric root only.
URI system/csf/pending-authorizations/
HTTP Method GET
Action pending-authorizations
Response Type array
modem: select
Summary Retrieve statistics for internal/external configured modem.
URI system/modem/select/
HTTP Method GET
Action select
modem: reset
Summary Reset statistics for internal/external configured modem.
URI system/modem/reset/
HTTP Method POST
Action reset
modem: connect
Summary Trigger a connect for the configured modem.
URI system/modem/connect/
HTTP Method POST
Action connect

Monitor API 83
modem: disconnect
Summary Trigger a disconnect for the configured modem.
URI system/modem/disconnect/
HTTP Method POST
Action disconnect
modem: update
Summary Update supported modem list from FortiGuard.
URI system/modem/update/
HTTP Method POST
Action update
3g-modem: select
Summary List all 3G modems available via FortiGuard.
URI system/3g-modem/select/
HTTP Method GET
Action select
resource: usage
Summary Retreive current and historical usage data for a provided resource.
URI system/resource/usage/
HTTP Method GET
Action usage

Monitor API 84
Extra parameters
resource string Resource to get usage data for [cpu|memory|disk|sessions|lograte]. No

Defaults to all resources if not provided.
interval string Time interval of resource usage [1-min|10-min|30-min|1-hour|12- No

hour|24-hour]. Defaults to all intervals if not provided.
sniffer: select
Summary Return a list of all configured packet captures.
URI system/sniffer/select/
HTTP Method GET
Action select
Access Group netgrp.packet-capture
Response Type array
sniffer: restart
Summary Restart specified packet capture.
URI system/sniffer/restart/
HTTP Method POST
Action restart
Response Type array
Extra parameters
mkey int ID of packet capture entry. Yes
sniffer: start
Summary Start specified packet capture.
URI system/sniffer/start/
HTTP Method POST

Monitor API 85
Action start
Response Type array
Extra parameters
sniffer: stop
Summary Stop specified packet capture.
URI system/sniffer/stop/
HTTP Method POST
Action stop
Response Type array
Extra parameters
sniffer: download
Summary Download a stored packet capture.
URI system/sniffer/download/
HTTP Method GET
Action download
Extra parameters

Monitor API 86
automation-stitch: stats
Summary Stats for automation stitches.
URI system/automation-stitch/stats/
HTTP Method GET
Action stats
Access Group any
Response Type array
Extra parameters
mkey string Filter: Automation stitch name. No
automation-stitch: test
Summary Triggers an automation stitch for testing purposes.
URI system/automation-stitch/test/
HTTP Method POST
Action test
Access Group any
Extra parameters
mkey string ID of automation stitch to trigger. Yes
log string Log message to send with the event. No
switch-controller
managed-switch: select
Summary Retrieve statistics for configured FortiSwitches
URI switch-controller/managed-switch/select/
HTTP Method GET

Monitor API 87
Action select
Access Group wifi
Response Type array
Extra parameters
mkey string Filter: FortiSwitch ID. No
poe boolean Filter: Retrieve PoE statistics for ports of configured FortiSwitches. No

Port power usage is in Watt units.
port_stats boolean Filter: Retrieve tx/rx statistics for ports of configured FortiSwitches. No
managed-switch: update
Summary Update administrative state for a given FortiSwitch (enable or disable
authorization).
URI switch-controller/managed-switch/update/
HTTP Method POST
Action update
Access Group wifi
Extra parameters
mkey string FortiSwitch name. No
admin string New FortiSwitch administrative state [enable|disable|discovered]. No
managed-switch: restart
Summary Restart a given FortiSwitch.
URI switch-controller/managed-switch/restart/
HTTP Method POST
Action restart
Access Group wifi

Monitor API 88
Extra parameters
mkey string Name of managed FortiSwitch. Yes
managed-switch: poe-reset
Summary Reset PoE on a given FortiSwitch's port.
URI switch-controller/managed-switch/poe-reset/
HTTP Method POST
Action poe-reset
Access Group wifi
Extra parameters
port string Name of port to reset PoE on. Yes
managed-switch: faceplate-xml
Summary Retrieve XML for rendering FortiSwitch faceplate widget.
URI switch-controller/managed-switch/faceplate-xml/
HTTP Method GET
Action faceplate-xml
Access Group wifi
Response Type array
Extra parameters
mkey string Name of managed FortiSwitch. No
managed-switch: factory-reset
Summary Send 'Factory Reset' command to a given FortiSwitch.

Monitor API 89
URI switch-controller/managed-switch/factory-reset/
HTTP Method POST
Action factory-reset
Access Group wifi
Extra parameters
managed-switch: dhcp-snooping
Summary Retrieve DHCP servers monitored by FortiSwitches.
URI switch-controller/managed-switch/dhcp-snooping/
HTTP Method GET
Action dhcp-snooping
Access Group wifi
Response Type array
fsw-firmware: select
Summary Retrieve a list of recommended firmware for managed FortiSwitches.
URI switch-controller/fsw-firmware/select/
HTTP Method GET
Action select
Access Group wifi
Extra parameters
mkey string Filter: FortiSwitch ID. No
timeout string FortiGuard connection timeout (defaults to 3 seconds). No

Monitor API 90
fsw-firmware: download
Summary Download FortiSwitch firmware from FortiGuard to the FortiGate according to
FortiSwitch image ID.
URI switch-controller/fsw-firmware/download/
HTTP Method POST
Action download
Access Group wifi
Extra parameters
image_id string FortiSwitch image ID. Yes
fsw-firmware: push
Summary Push FortiSwitch firmware to the given device.
URI switch-controller/fsw-firmware/push/
HTTP Method POST
Action push
Access Group wifi
Extra parameters
serial string The target device's serial. Yes
image_id string FortiSwitch image ID. Yes
fsw-firmware: upload
Summary Upload FortiSwitch firmware to the management FortiGate and then push to
target FortiSwitches.
URI switch-controller/fsw-firmware/upload/
HTTP Method POST

Monitor API 91
Action upload
Access Group wifi
Extra parameters
serials array A list of target devices' serials. No
serials string The target device's serial. No

detected-device: select
Summary Retrieve a list of devices detected on all switches.
URI switch-controller/detected-device/select/
HTTP Method GET
Action select
Access Group wifi
Response Type array
validate-switch-prefix: select
Summary Validate a FortiSwitch serial number prefix.
URI switch-controller/validate-switch-prefix/select/
HTTP Method GET
Action select
Access Group wifi
Extra parameters
prefix string Prefix of FortiSwitch serial number. No

Monitor API 92
interface: select
Summary Retrieve statistics for all system interfaces.
URI system/interface/select/
HTTP Method GET
Action select
Response Type array
Extra parameters
interface_ string Filter: interface name. No

name
include_vlan boolean Enable to include VLANs in result list. No
interface: dhcp-status
Summary Retrieve the DHCP client status of an interface.
URI system/interface/dhcp-status/
HTTP Method GET
Action dhcp-status
Extra parameters
mkey string Name of the interface. Yes
interface: dhcp-renew
Summary Renew DHCP lease of an interface.
URI system/interface/dhcp-renew/
HTTP Method POST

Monitor API 93
Action dhcp-renew
Extra parameters
mkey string Name of the interface. Yes
available-interfaces: select
Summary Retrieve a list of all interfaces along with some meta information regarding their
availability.
URI system/available-interfaces/select/
HTTP Method GET
Action select
Access Group any
Response Type array
Extra parameters
view_type string Optionally include additional information for interfaces. This No

parameter can be repeated multiple times. 'poe': Includes PoE
information for supported ports. 'ha': Includes extra meta
information useful when dealing with interfaces related to HA
configuration. Interfaces that are used by an HA cluster as
management interfaces are also included in this view. 'zone':
Includes extra meta information for determining zone membership
eligibility.'vwp': Includes extra meta information for determining
virtual wire pair eligibility.'sdwan': Includes extra meta information
for determining SD-WAN eligibility.'switch': Includes extra meta
information for determining switch eligibility.'hard-switch': Includes
extra meta information for determining hard-switch eligibility.
acquired-dns: select
Summary Retrieve a list of interfaces and their acquired DNS servers.
URI system/acquired-dns/select/

Monitor API 94
HTTP Method GET
Action select
Access Group any
Response Type array
resolve-fqdn: select
Summary Resolves the provided FQDNs to FQDN -> IP mappings.
URI system/resolve-fqdn/select/
HTTP Method GET
Action select
Access Group any
Extra parameters
ipv6 boolean Resolve for the AAAA record? No
fqdn string FQDN Yes
fqdn array List of FQDNs to be resolved No
nat46-ippools: select
Summary Retrieve a list of all IPv6 IP pools that are valid for NAT 46 policies.
URI system/nat46-ippools/select/
HTTP Method GET
Action select
Access Group any
Response Type array
usb-log: select
Summary Retrieve information about connected USB drives, including estimated log sizes.
URI system/usb-log/select/

Monitor API 95
HTTP Method GET
Action select
usb-log: start
Summary Start backup of logs from current VDOM to USB drive.
URI system/usb-log/start/
HTTP Method POST
Action start
usb-log: stop
Summary Stop backup of logs to USB drive.
URI system/usb-log/stop/
HTTP Method POST
Action stop
usb-device: eject
Summary Eject USB drives for safe removal.
URI system/usb-device/eject/
HTTP Method POST
Action eject
ipconf: select
Summary Determine if there is an IP conflict for a specific IP using ARP.
URI system/ipconf/select/
HTTP Method GET
Action select

Monitor API 96
Response Type array
Extra parameters
devs array List of interfaces to check for conflict. Yes
ipaddr string IPv4 address to check for conflict. Yes
fortiguard: update
Summary Immediately update status for FortiGuard services.
URI system/fortiguard/update/
HTTP Method POST
Action update
fortiguard: clear-statistics
Summary Immediately clear all FortiGuard statistics.
URI system/fortiguard/clear-statistics/
HTTP Method POST
Action clear-statistics
fortiguard: test-availability
Summary Test availability of FortiGuard services.
URI system/fortiguard/test-availability/
HTTP Method POST
Action test-availability

Monitor API 97
fortiguard: server-info
Summary Get FortiGuard server list and information.
URI system/fortiguard/server-info/
HTTP Method GET
Action server-info
fortimanager: status
Summary Get FortiManager status.
URI system/fortimanager/status/
HTTP Method GET
Action status
fortimanager: config
Summary Configure FortiManager IP. Register FortiManager if 'fortimanager_ip' is
provided. Unregister FortiManager if only 'unregister' parameter is specified and
set to true.
URI system/fortimanager/config/
HTTP Method POST
Action config
Extra parameters
fortimanager_ string FortiManager IP address. No

ip
unregister boolean Unregister the FortiManager (default=false). No

Monitor API 98
fortimanager: backup-summary
Summary Get FortiManager backup summary.
URI system/fortimanager/backup-summary/
HTTP Method GET
Action backup-summary
Access Group fwgrp
fortimanager: backup-action
Summary Import or update from FortiManager objects.
URI system/fortimanager/backup-action/
HTTP Method POST
Action backup-action
Access Group fwgrp
Extra parameters
operation string Operation to perform on the given CMDB objects [import|update]. Yes
objects array Array of CMDB tables and mkeys. Yes
fortimanager: backup-details
Summary Get the properties of a FortiManager object.
URI system/fortimanager/backup-details/
HTTP Method GET
Action backup-details
Access Group fwgrp

Monitor API 99
Extra parameters
mkey string Object name. Yes
datasource string Object datasource. Yes
available-certificates: select
Summary Get available certificates.
URI system/available-certificates/select/
HTTP Method GET
Action select
Access Group any
Extra parameters
scope string Scope of certificate [vdom*|global]. No
certificate: download
Summary Download certificate.
URI system/certificate/download/
HTTP Method GET
Action download
Access Group vpngrp
Extra parameters
mkey string Name of certificate. Yes
type string Type of certificate [local|csr|remote|ca|crl]. Yes
scope string Scope of certificate [vdom*|global]. No

Monitor API 100
debug: download
Summary Download debug report for technical support.
URI system/debug/download/
HTTP Method GET
Action download
com-log: dump
Summary Dump system com-log to file.
URI system/com-log/dump/
HTTP Method POST
Action dump
com-log: update
Summary Fetch system com-log file dump progress.
URI system/com-log/update/
HTTP Method GET
Action update
com-log: download
Summary Download com-log file (after file dump is complete).
URI system/com-log/download/
HTTP Method GET
Action download

Monitor API 101
botnet: stat
Summary Retrieve statistics for FortiGuard botnet database.
URI system/botnet/stat/
HTTP Method GET
Action stat
botnet: select
Summary List all known IP-based botnet entries in FortiGuard botnet database.
URI system/botnet/select/
HTTP Method GET
Action select
Response Type array
Extra parameters
include_hit_ boolean Include entries with hits only. No

only
botnet-domains: select
Summary List all known domain-based botnet entries in FortiGuard botnet database.
URI system/botnet-domains/select/
HTTP Method GET
Action select

Monitor API 102
Response Type array
Extra parameters
botnet-domains: stat
Summary List statistics on domain-based botnet entries in FortiGuard botnet database.
URI system/botnet-domains/stat/
HTTP Method GET
Action stat
botnet-domains: hits
Summary List hit botnet domains with hit count > 0.
URI system/botnet-domains/hits/
HTTP Method GET
Action hits
Response Type array
ha-statistics: select
Summary List of statistics for members of HA cluster.
URI system/ha-statistics/select/
HTTP Method GET
Action select

Monitor API 103
Response Type array
ha-history: select
Summary Get HA cluster historical logs.
URI system/ha-history/select/
HTTP Method GET
Action select
ha-checksums: select
Summary List of checksums for members of HA cluster.
URI system/ha-checksums/select/
HTTP Method GET
Action select
Response Type array
ha-peer: select
Summary Get configuration of peer(s) in HA cluster. Uptime is expressed in seconds.
URI system/ha-peer/select/
HTTP Method GET
Action select
Response Type array

Monitor API 104
Extra parameters
serial_no string Serial number of the HA member. If not specified, fetch information No

for all HA members
vcluster_id int Virtual cluster number. If not specified, fetch information for all No

active vclusters
ha-peer: update
Summary Update configuration of peer in HA cluster.
URI system/ha-peer/update/
HTTP Method POST
Action update
Extra parameters
serial_no string Serial number of the HA member. Yes
vcluster_id int Virtual cluster number. No
priority int Priority to assign to HA member. No
hostname string Name to assign the HA member. No
ha-peer: disconnect
Summary Update configuration of peer in HA cluster.
URI system/ha-peer/disconnect/
HTTP Method POST
Action disconnect

Monitor API 105
Extra parameters
serial_no string Serial number of the HA member. Yes
interface string Name of the interface which should be assigned for management. Yes
ip string IP to assign to the selected interface. Yes
mask string Full network mask to assign to the selected interface. Yes
link-monitor: select
Summary Retrieve per-interface statistics for active link monitors.
URI system/link-monitor/select/
HTTP Method GET
Action select
Extra parameters
mkey string Name of link monitor. No
compliance: run
Summary Immediately run compliance checks for the selected VDOM.
URI system/compliance/run/
HTTP Method POST
Action run
config: restore
Summary Restore system configuration from uploaded file or from USB.
URI system/config/restore/
HTTP Method POST
Action restore

Monitor API 106
Extra parameters
source string Configuration file data source [upload | usb | revision]. Yes
usb_filename string When using 'usb' source: the filename to restore from the connected No

USB device.
config_id int When using 'revision' source: valid ID of configuration stored on disk No

to revert to.
password string Password to decrypt configuration data. No
scope string Specify global or VDOM only restore [global | vdom]. Yes
vdom string If 'vdom' scope specified, the name of the VDOM to restore No

configuration.

config: backup
Summary Backup system config
URI system/config/backup/
HTTP Method GET
Action backup
Extra parameters
destination string Configuration file destination [file* | usb] No
usb_filename string When using 'usb' destination: the filename to save to on the No

connected USB device
password string Password to encrypt configuration data. No
scope string Specify global or VDOM only backup [global | vdom]. Yes
vdom string If 'vdom' scope specified, the name of the VDOM to backup No

configuration.

Monitor API 107
config: usb-filelist
Summary List configuration files available on connected USB drive.
URI system/config/usb-filelist/
HTTP Method GET
Action usb-filelist
Response Type array
sandbox: stats
Summary Retrieve sandbox statistics.
URI system/sandbox/stats/
HTTP Method GET
Action stats
sandbox: status
Summary Retrieve sandbox status.
URI system/sandbox/status/
HTTP Method GET
Action status
sandbox: test-connect
Summary Test the connectivity of a given FortiSandbox IP.
URI system/sandbox/test-connect/
HTTP Method GET
Action test-connect

Monitor API 108
Extra parameters
server string IP of the FortiSandbox to test. Yes
object: usage
Summary Retrieve all objects that are currently using as well as objects that can use the
given object.
URI system/object/usage/
HTTP Method GET
Action usage
Access Group any
Extra parameters
q_path string The CMDB table's path No
q_name string The CMDB table's name No
qtypes array List of CMDB table qTypes No
mkey string The mkey for the object Yes
object-tagging: usage
Summary Retrieve usage count for tags in all tag categories.
URI system/object-tagging/usage/
HTTP Method GET
Action usage
Access Group any
Response Type array
status: select
Summary Retrieve basic system status.
URI system/status/select/

Monitor API 109
HTTP Method GET
Action select
Access Group any
timezone: select
Summary Get world timezone and daylight saving time.
URI system/timezone/select/
HTTP Method GET
Action select
Access Group any
Response Type array
vmlicense: upload
Summary Update VM license using uploaded file. Reboots immediately if successful.
URI system/vmlicense/upload/
HTTP Method POST
Action upload
Extra parameters

sensor-info: select
Summary Retrieve system sensor status.
URI system/sensor-info/select/
HTTP Method GET

Monitor API 110
Action select
security-rating: select
Summary Retrieve a Security Rating result. Without file specified, returns the most recent
result.
URI system/security-rating/select/
HTTP Method GET
Action select
Extra parameters
id int Security Rating result ID. No
security-rating: history
Summary Retrieve Security Rating history.
URI system/security-rating/history/
HTTP Method GET
Action history
security-rating: trigger
Summary Trigger a Security Rating.
URI system/security-rating/trigger/
HTTP Method POST
Action trigger

Monitor API 111
security-rating: status
Summary Check if a Security Rating is currently running.
URI system/security-rating/status/
HTTP Method GET
Action status
security-rating: lang
Summary Returns the requested Security Rating language mapping.
URI system/security-rating/lang/
HTTP Method GET
Action lang
Extra parameters
key string Requested language mapping (en, fr, big5, euc-kr, GB2312, pg, sp, No

x-sjis).
fortiguard-blacklist: select
Summary Retrieve blacklist information for a specified IP.
URI system/fortiguard-blacklist/select/
HTTP Method GET
Action select

Monitor API 112
Extra parameters
ip string IPv4 address to check against. Yes
timeout int Timeout period in seconds (defaults to 5). No
check-port-availability: select
Summary Check whether a list of TCP port ranges is available for a certain service.
URI system/check-port-availability/select/
HTTP Method GET
Action select
Response Type array
Extra parameters
port_ranges array List of TCP port range objects to check against. Yes
service string The service in which the ports could be available. 'service' options No

are [reserved | sysglobal | webproxy | ftpproxy | sslvpn | slaprobe |
fsso | ftm_push]. If 'service' is not specified, the port ranges
availability is checked against all services.
external-resource: entry-list
Summary Retrieve resource file status with a list of valid/invalid entries (skip empty and
comment lines) for the specific external resource.
URI system/external-resource/entry-list/
HTTP Method GET
Action entry-list

Monitor API 113
Extra parameters
mkey string The external resource name to query. Yes
status_only boolean Retrieve resource file status only and skip entries. No
extender-controller
extender: select
Summary Retrieve statistics for specific configured FortiExtender units.
URI extender-controller/extender/select/
HTTP Method GET
Action select
Response Type array
Extra parameters
id array List of FortiExtender IDs to query. Yes
extender: reset
Summary Reset a specific FortiExtender unit.
URI extender-controller/extender/reset/
HTTP Method POST
Action reset
Extra parameters
id string FortiExtender ID to reset. Yes

Monitor API 114
sdn-connector: status
Summary Retrieve connection status for SDN connectors.
URI system/sdn-connector/status/
HTTP Method GET
Action status
Response Type array
Extra parameters
mkey string Filter: SDN Connector ID. No
type string Filter: SDN Connector type. No
sdn-connector: validate-gcp-key
Summary Validate a string representing a private key from GCP in PEM format.
URI system/sdn-connector/validate-gcp-key/
HTTP Method POST
Action validate-gcp-key
Access Group any
Extra parameters
private-key string Private key in PEM format. Yes
user
firewall: select
Summary List authenticated firewall users.
URI user/firewall/select/

Monitor API 115
HTTP Method GET
Action select
Access Group authgrp
Response Type array
Extra parameters
ipv4 boolean Include IPv4 user (default=true). No
ipv6 boolean Include IPv6 users. No
firewall: deauth
Summary Deauthenticate single, multiple, or all firewall users.
URI user/firewall/deauth/
HTTP Method POST
Action deauth
Extra parameters
user_type string User type [proxy|firewall]. Required for both proxy and firewall users. No
id int User ID. Required for both proxy and firewall users. No
ip string User IP address. Required for both proxy and firewall users. No
ip_version string IP version [ip4|ip6]. Only required if user_type is firewall. No
method string Authentication method [fsso|rsso|ntlm|firewall|wsso|fsso_citrix|sso_ No

guest]. Only required if user_type is firewall.
all boolean Set to true to deauthenticate all users. Other parameters will be No

ignored.
users array Array of user objects to deauthenticate. Use this to deauthenticate No

multiple users at once. Each object should include the above
properties.

Monitor API 116
banned: select
Summary Return a list of all banned users by IP.
URI user/banned/select/
HTTP Method GET
Action select
banned: clear_users
Summary Immediately clear a list of specific banned users by IP.
URI user/banned/clear_users/
HTTP Method POST
Action clear_users
Extra parameters
ip_addresses array List of banned user IPs to clear. IPv4 and IPv6 addresses are Yes

allowed.
banned: add_users
Summary Immediately add one or more users to the banned list.
URI user/banned/add_users/
HTTP Method POST
Action add_users
Extra parameters
ip_addresses array List of IP Addresses to ban. IPv4 and IPv6 addresses are allowed. Yes
expiry int Time until expiry in seconds. 0 for indefinite ban. No

Monitor API 117
banned: clear_all
Summary Immediately clear all banned users.
URI user/banned/clear_all/
HTTP Method POST
Action clear_all
fortitoken: select
Summary Retrieve a map of FortiTokens and their status.
URI user/fortitoken/select/
HTTP Method GET
Action select
fortitoken: activate
Summary Activate a set of FortiTokens by serial number.
URI user/fortitoken/activate/
HTTP Method POST
Action activate
Response Type array
Extra parameters
tokens array List of FortiToken serial numbers to activate. If omitted, all tokens No

will be used.
detected-device: select
Summary Retrieve a list of detected devices.

Monitor API 118
URI user/detected-device/select/
HTTP Method GET
Action select
Response Type array
Extra parameters
expand_child_ boolean Include child devices as separate entries in the list. No

macs
with_ boolean Retrieve compliance status. No

compliance
with_dhcp boolean Retrieve DHCP lease information. No
with_endpoint boolean Retrieve FortiClient endpoint information. No
with_ boolean Retrieve advanced FortiClient endpoint information. No

endpoint_
advanced
with_fortilink boolean Retrieve FortiLink information. No
with_fortiap boolean Retrieve FortiAP information. No
device: select
Summary Retrieve a list of detected devices.
URI user/device/select/
HTTP Method GET
Action select
Response Type array
Extra parameters
master_only boolean List of master device only. No

Monitor API 119
compliance_ boolean Add compliance status to indicate if a device is 'exempt' or 'non- No

visibility compliant' by interface's FortiClient host check.
intf_name string Filter: Name of interface where the device was detected. Only No

available when compliance_visibility is true.
master_mac string Filter: Master MAC of a device. Multiple entries could be returned. No
device-type: select
Summary Retrieve a list of device types.
URI user/device-type/select/
HTTP Method GET
Action select
Access Group any
Response Type array
device-category: select
Summary Retrieve a list of device categories.
URI user/device-category/select/
HTTP Method GET
Action select
Access Group any
Response Type array
fortitoken: refresh
Summary Refresh a set of FortiTokens by serial number.
URI user/fortitoken/refresh/
HTTP Method POST
Action refresh
Response Type array

Monitor API 120
Extra parameters
tokens array List of FortiToken serial numbers to refresh. If omitted, all tokens No

will be used.
fortitoken: provision
Summary Provision a set of FortiTokens by serial number.
URI user/fortitoken/provision/
HTTP Method POST
Action provision
Response Type array
Extra parameters
tokens array List of FortiToken serial numbers to provision. If omitted, all tokens No

will be used.
fortitoken: send-activation
Summary Send a FortiToken activation code to a user via SMS or Email.
URI user/fortitoken/send-activation/
HTTP Method POST
Action send-activation
Extra parameters
token string FortiToken serial number. The token must be assigned to a Yes

user/admin.
method string Method to send activation code [email|sms]. If not set, SMS will be No

attempted first, then email.

Monitor API 121
email string Override email address. No
sms_phone string Override SMS phone number. SMS provider must be set in the No

assigned user/admin.
fortitoken: import-trial
Summary Import trial mobile FortiTokens.
URI user/fortitoken/import-trial/
HTTP Method POST
Action import-trial
fortitoken: import-mobile
Summary Import a list of tokens from FortiGuard to the FortiGate unit.
URI user/fortitoken/import-mobile/
HTTP Method POST
Action import-mobile
Extra parameters
code string Activation code on redemption certificate. Yes
fortitoken: import-seed
Summary Import a FortiToken seed file.
URI user/fortitoken/import-seed/
HTTP Method POST
Action import-seed

Monitor API 122
Extra parameters

fsso: refresh-server
Summary Refresh remote agent group list for all fsso agents.
URI user/fsso/refresh-server/
HTTP Method POST
Action refresh-server
fsso: select
Summary Get a list of fsso and fsso polling status.
URI user/fsso/select/
HTTP Method GET
Action select
radius: test-connect
Summary Test the connectivity of the given RADIUS server and, optionally, the validity of a
username & password.
URI user/radius/test-connect/
HTTP Method POST
Action test-connect

Monitor API 123
Extra parameters
mkey string Name of FortiGate's RADIUS object whose settings to test. No
ordinal string If 'mkey' is provided, the server-secret pair to use from the object: No

'primary', 'secondary' or 'tertiary'. Defaults to 'primary'.
server string Host name or IP of a RADIUS server. If 'mkey' is provided, this No

overrides the 'server' value in the object.
secret string Secret password for the RADIUS server. If 'mkey' is provided, this No

overrides the 'secret' value in the object.
user string User name whose access to check. No
password string User's password. No
tacacs-plus: test
Summary Test the connectivity of the given TACACS+ server.
URI user/tacacs-plus/test/
HTTP Method POST
Action test
Extra parameters
mkey string Name of FortiGate's TACACS+ object whose settings to test. No
ordinal string If 'mkey' is provided, the server-key pair to use from the object: No

'primary', 'secondary' or 'tertiary'. Defaults to 'primary'.
server string Host name of IP of a TACACS+ server. If 'mkey' is provided, this No

overrides the 'server' value in the object.
secret string Secret key for the TACACS+ server. If 'mkey' is provided, this No

overrides the 'key' value in the object.
port int Port number of the TACACS+ server. If 'mkey' is provided, this No

overrides the 'port' value in the object. Defaults to 49.
source_ip string Source IP for communications to TACACS+ server. If 'mkey' is No

provided, this overrides the 'source-ip' value in the object.

Monitor API 124
utm
rating-lookup: select
Summary Lookup FortiGuard rating for a specific URL.
URI utm/rating-lookup/select/
HTTP Method GET
Action select
Access Group utmgrp.webfilter
Extra parameters
url string URL to query. Yes
url array List of URLs to query. No
app-lookup: select
Summary Query remote FortiFlow database to resolve hosts to application control entries.
URI utm/app-lookup/select/
HTTP Method GET
Action select
Access Group any
Response Type array
Extra parameters
hosts array List of hosts to resolve. No
application-categories: select
Summary Retrieve a list of application control categories.
URI utm/application-categories/select/
HTTP Method GET

Monitor API 125
Action select
Access Group any
Response Type array
antivirus: stats
Summary Retrieve antivirus scanning statistics.
URI utm/antivirus/stats/
HTTP Method GET
Action stats
Access Group utmgrp.antivirus
virtual-wan
health-check: select
Summary Retrieve health-check statistics for each SD-WAN link.
URI virtual-wan/health-check/select/
HTTP Method GET
Action select
members: select
Summary Retrieve interface statistics for each SD-WAN link.
URI virtual-wan/members/select/
HTTP Method GET
Action select

Monitor API 126
webfilter
override: select
Summary List all administrative and user initiated webfilter overrides.
URI webfilter/override/select/
HTTP Method GET
Action select
override: delete
Summary Delete a configured webfilter override.
URI webfilter/override/delete/
HTTP Method POST
Action delete
Extra parameters
mkey string ID of webfilter override to delete. No
malicious-urls: select
Summary List all URLs in FortiSandbox malicious URL database.
URI webfilter/malicious-urls/select/
HTTP Method GET
Action select

Monitor API 127
malicious-urls: stat
Summary Retrieve statistics for the FortiSandbox malicious URL database.
URI webfilter/malicious-urls/stat/
HTTP Method GET
Action stat
category-quota: select
Summary Retrieve quota usage statistics for webfilter categories.
URI webfilter/category-quota/select/
HTTP Method GET
Action select
Extra parameters
profile string Webfilter profile. No
user string User or IP (required if profile specified). No
category-quota: reset
Summary Reset webfilter quota for user or IP.
URI webfilter/category-quota/reset/
HTTP Method POST
Action reset

Monitor API 128
Extra parameters
profile string Webfilter profile to reset. No
user string User or IP to reset with. No
fortiguard-categories: select
Summary Return FortiGuard web filter categories.
URI webfilter/fortiguard-categories/select/
HTTP Method GET
Action select
Access Group any
Response Type array
Extra parameters
include_ boolean Include Unrated category in result list. No

unrated
convert_ boolean Convert Unrated category id to the one for CLI use. No

unrated_id
trusted-urls: select
Summary List all URLs in FortiGuard trusted URL database.
URI webfilter/trusted-urls/select/
HTTP Method GET
Action select

Monitor API 129
vpn
ipsec: select
Summary Return an array of active IPsec VPNs.
URI vpn/ipsec/select/
HTTP Method GET
Action select
Access Group vpngrp
Response Type array
Extra parameters
tunnel string Filter for a specific IPsec tunnel name. No
ipsec: tunnel_up
Summary Bring up a specific IPsec VPN tunnel.
URI vpn/ipsec/tunnel_up/
HTTP Method POST
Action tunnel_up
Access Group vpngrp
Extra parameters
p1name string IPsec phase1 name. Yes
p2serial int IPsec phase2 serial. No
ipsec: tunnel_down
Summary Bring down a specific IPsec VPN tunnel.

Monitor API 130
URI vpn/ipsec/tunnel_down/
HTTP Method POST
Action tunnel_down
Access Group vpngrp
Extra parameters
p2serial int IPsec phase2 serial. No
ipsec: tunnel_reset_stats
Summary Reset statistics for a specific IPsec VPN tunnel.
URI vpn/ipsec/tunnel_reset_stats/
HTTP Method POST
Action tunnel_reset_stats
Access Group vpngrp
Extra parameters
one-click: members
Summary Get information on devices registered in the Overlay Controller VPN cloud
assisted group.
URI vpn/one-click/members/
HTTP Method GET
Action members
Access Group vpngrp
Response Type array

Monitor API 131
one-click: status
Summary Get the last status message from FortiCloud Overlay Controller VPN cloud
service.
URI vpn/one-click/status/
HTTP Method GET
Action status
Access Group vpngrp
ssl: select
Summary Retrieve a list of all SSL-VPN sessions and sub-sessions.
URI vpn/ssl/select/
HTTP Method GET
Action select
Access Group vpngrp
ssl: clear_tunnel
Summary Remove all active tunnel sessions in current virtual domain.
URI vpn/ssl/clear_tunnel/
HTTP Method POST
Action clear_tunnel
Access Group vpngrp
ssl: delete
Summary Terminate the provided SSL-VPN session.
URI vpn/ssl/delete/
HTTP Method POST
Action delete
Access Group vpngrp

Monitor API 132
Extra parameters
type string The session type [websession|subsession]. Yes
index int The session index. Yes
ssl: stats
Summary Return statistics about the SSL-VPN.
URI vpn/ssl/stats/
HTTP Method GET
Action stats
Access Group vpngrp
vpn-certificate
ca: import
Summary Import CA certificate.
URI vpn-certificate/ca/import/
HTTP Method POST
Action import
Access Group vpngrp
Extra parameters
import_method string Method of importing CA certificate.[file|scep] Yes
scep_url string SCEP server URL. Required for import via SCEP No
scep_ca_id string SCEP server CA identifier for import via SCEP. No
scope string Scope of CA certificate [vdom*|global]. Global scope is only No

accessible for global administrators


Monitor API 133
crl: import
Summary Import certificate revocation lists (CRL) from file content.
URI vpn-certificate/crl/import/
HTTP Method POST
Action import
Access Group vpngrp
Extra parameters
scope string Scope of CRL [vdom*|global]. Global scope is only accessible for No

global administrators

local: import
Summary Import local certificate.
URI vpn-certificate/local/import/
HTTP Method POST
Action import
Access Group vpngrp
Extra parameters
type string Type of certificate.[local|pkcs12|regular] Yes
certname string Certificate name for pkcs12 and regular certificate types. No
password string Optional password for pkcs12 and regular certificate types. No
key_file_ string Key content encoded in BASE64 for regular certificate type. No

content
scope string Scope of local certificate [vdom*|global]. Global scope is only No

accessible for global administrators

Monitor API 134

remote: import
Summary Import remote certificate.
URI vpn-certificate/remote/import/
HTTP Method POST
Action import
Access Group vpngrp
Extra parameters

csr: generate
Summary Generate a certificate signing request (CSR) and a private key. The CSR can be
retrieved / downloaded from CLI, GUI and REST API.
URI vpn-certificate/csr/generate/
HTTP Method POST
Action generate
Access Group vpngrp
Extra parameters
certname string Certicate name. Used to retrieve / download the CSR. Not included Yes

in CSR and key content.

Monitor API 135
subject string Subject (Host IP/Domain Name/E-Mail). Common Name (CN) of the Yes

certificate subject.
keytype string Generate a RSA or an elliptic curve certificate request [rsa|ec]. The Yes

Elliptic Curve option is unavailable if the FortiGate is a Low
Encryption Device (LENC)
keysize int Key size.[1024|1536|2048|4096]. 512 only if the FortiGate is a Low No

Encryption Device (LENC). Required when keytype is RSA.
curvename string Elliptic curve name. [secp256r1|secp384r1|secp521r1]. Unavailable No

if the FortiGate is a Low Encryption Device (LENC). Required when
keytype is ec.
orgunits array List of organization units. Organization Units (OU) of the certificate No

subject.
org string Organization (O) of the certificate subject. No
city string Locality (L) of the certificate subject. No
state string State (ST) of the certificate subject. No
countrycode string Country (C) of the certificate subject. No
email string Email of the certificate subject. No
sub_alt_name string Subject alternative name (SAN) of the certificate. No
password string Password / pass phrase for the private key. If not provided, No

FortiGate generates a random one.
scep_url string SCEP server URL. If provided, use the url to enroll the csr through No

SCEP.
scep_password string SCEP challenge password. Some SCEP servers may require No

challege password. Provide it when SCEP server requires.
scope string Scope of CSR [vdom*|global]. Global scope is only accessible for No

global administrators
wanopt
history: select
Summary Retrieve WAN opt. statistics history.
URI wanopt/history/select/
HTTP Method GET
Action select
Access Group wanoptgrp

Monitor API 136
Extra parameters
period string Statistics period [10-min*|hour|day|week|30-day]. No
history: reset
Summary Reset WAN opt. statistics.
URI wanopt/history/reset/
HTTP Method POST
Action reset
webcache: select
Summary Retrieve webcache statistics history.
URI wanopt/webcache/select/
HTTP Method GET
Action select
Extra parameters
period string Statistics period [10-min*|hour|day|week|30-day]. No
webcache: reset
Summary Reset webcache statistics.
URI wanopt/webcache/reset/
HTTP Method POST
Action reset

Monitor API 137
peer_stats: select
Summary Retrieve a list of WAN opt peer statistics.
URI wanopt/peer_stats/select/
HTTP Method GET
Action select
peer_stats: reset
Summary Reset WAN opt peer statistics.
URI wanopt/peer_stats/reset/
HTTP Method POST
Action reset
webproxy
pacfile: download
Summary Download webproxy PAC file.
URI webproxy/pacfile/download/
HTTP Method GET
Action download
webcache
stats: select
Summary Retrieve webcache statistics.
URI webcache/stats/select/
HTTP Method GET

Monitor API 138
Action select
Response Type array
Extra parameters
period string Statistics period [10min|hour|day|month]. No
stats: reset
Summary Reset all webcache statistics.
URI webcache/stats/reset/
HTTP Method POST
Action reset
wifi
client: select
Summary Retrieve a list of connected WiFi clients.
URI wifi/client/select/
HTTP Method GET
Action select
Access Group wifi
Response Type array
Extra parameters
type string Request type [all*|fail-login]. No

Monitor API 139
managed_ap: select
Summary Retrieve a list of managed FortiAPs.
URI wifi/managed_ap/select/
HTTP Method GET
Action select
Access Group wifi
Response Type array
Extra parameters
wtp_id string Filter: single managed FortiAP by ID. No
incl_local boolean Enable to include the local FortiWiFi device in the results. No
managed_ap: set_status
Summary Update administrative state for a given FortiAP (enable or disable authorization).
URI wifi/managed_ap/set_status/
HTTP Method POST
Action set_status
Access Group wifi
Extra parameters
wtpname string FortiAP name. No
admin string New FortiAP administrative state [enable|disable|discovered]. No
firmware: select
Summary Retrieve a list of current and recommended firmware for FortiAPs in use.
URI wifi/firmware/select/
HTTP Method GET
Action select

Monitor API 140
Access Group wifi
Extra parameters
timeout string FortiGuard connection timeout (defaults to 2 seconds). No
firmware: download
Summary Download FortiAP firmware from FortiGuard to the FortiGate according to
FortiAP image ID.
URI wifi/firmware/download/
HTTP Method POST
Action download
Access Group wifi
Extra parameters
image_id string FortiAP image ID. Yes
firmware: push
Summary Push FortiAP firmware to the given device.
URI wifi/firmware/push/
HTTP Method POST
Action push
Access Group wifi
Extra parameters
serial string The target device's serial. Yes
image_id string FortiAP image ID. Yes

Monitor API 141
firmware: upload
Summary Upload FortiAP firmware to the management FortiGate and then push to target
FortiAPs.
URI wifi/firmware/upload/
HTTP Method POST
Action upload
Access Group wifi
Extra parameters
serials array A list of target devices' serials. No
serials string The target device's serial. No

managed_ap: restart
Summary Restart a given FortiAP.
URI wifi/managed_ap/restart/
HTTP Method POST
Action restart
Access Group wifi
Extra parameters
wtpname string FortiAP name. No
ap_status: select
Summary Retrieve statistics for all managed FortiAPs.
URI wifi/ap_status/select/

Monitor API 142
HTTP Method GET
Action select
Access Group wifi
interfering_ap: select
Summary Retrieve a list of interfering APs for one FortiAP radio.
URI wifi/interfering_ap/select/
HTTP Method GET
Action select
Access Group wifi
Response Type array
Extra parameters
wtp string FortiAP ID to query. No
radio int Radio ID. No
euclid: select
Summary Retrieve presence analytics statistics.
URI wifi/euclid/select/
HTTP Method GET
Action select
Access Group wifi
euclid: reset
Summary Reset presence analytics statistics.
URI wifi/euclid/reset/
HTTP Method POST

Monitor API 143
Action reset
Access Group wifi
rogue_ap: select
Summary Retrieve a list of detected rogue APs.
URI wifi/rogue_ap/select/
HTTP Method GET
Action select
Access Group wifi
Response Type array
Extra parameters
rogue_ap: clear_all
Summary Clear all detected rogue APs.
URI wifi/rogue_ap/clear_all/
HTTP Method POST
Action clear_all
Access Group wifi
rogue_ap: set_status
Summary Mark detected APs as rogue APs.
URI wifi/rogue_ap/set_status/
HTTP Method POST
Action set_status
Access Group wifi

Monitor API 144
Extra parameters
bssid array List of rogue AP MAC addresses. No
ssid array Corresponding list of rogue AP SSIDs. No
status string Status to assign matching APs No

[unclassified|rogue|accepted|suppressed].
spectrum: select
Summary Retrieve spectrum analysis information for a specific FortiAP.
URI wifi/spectrum/select/
HTTP Method GET
Action select
Access Group wifi
Extra parameters
wtp_id string FortiAP ID to query. Yes
Examples
Method URL URL Body Data Access Description

Parameters Group
GET /api/v2/monitor/ ?vdom=root fwgrp.policy List traffic statistics for all

firewall/policy IPv4 policies, vdom root
GET /api/v2/monitor/ ?vdom=* fwgrp.policy List traffic statistics for all

firewall/policy IPv4 policies, all
accessible vdoms
POST /api/v2/monitor/ ?vdom=root fwgrp.policy Reset traffic statistics for

firewall/policy/reset all IPv4 policies, vdom root
POST /api/v2/monitor/ ?vdom=* fwgrp.policy Reset traffic statistics for

firewall/policy/reset all IPv4 policies, all
accessible vdoms

Monitor API 145
Method URL URL Body Data Access Description

Parameters Group
POST /api/v2/monitor/ ?vdom=root {'policy': 1,} fwgrp.policy Reset traffic statistics for

firewall/policy6/ single IPv4 policy, vdom
clear_counters root
POST /api/v2/monitor/ ?vdom=root {'policy': [1, 2]} fwgrp.policy Reset traffic statistics for

firewall/policy6/ multiple IPv4 policies,
clear_counters vdom root
GET /api/v2/monitor/ ?vdom=root& sysgrp List the first active ipv4

firewall/session ip_version=ipv4& firewall sessions, vdom
start=0&count= root
1&summary=True
POST /api/v2/monitor/ ?vdom=root sysgrp Immediately clear all

firewall/session/ active IPv4 and IPv6
clear_all sessions, vdom root
POST /api/v2/monitor/ ?vdom=root {'pro': "udp", 'saddr': sysgrp Immediately close specific

firewall/session/ "192.168.100.110", session matched with the
close 'daddr': "96.45.33. filter, vdom root
73", 'sport': 55933,
'dport': 8888}
POST /api/v2/monitor/ sysgrp Immediately reboot this

system/os/ device
reboot
POST /api/v2/monitor/ sysgrp Immediately shutdown this

system/os/ device
shutdown

Copyright© 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.

FortiOS 6.0.4 REST API Reference PDF

Uploaded by

Document Informationclick to expand document information

Document Informationclick to expand document information

Copyright:

Available Formats

FortiOS 6.0.4 REST API Reference PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiOS 6.0.4 REST API Reference PDF

Uploaded by

Copyright:

Available Formats

FortiOS - REST API Reference

January 10, 2018

FortiOS REST API Reference Fortinet Inc.

FortiOS REST API Reference Fortinet Inc.

FortiOS REST API Reference Fortinet Inc.

Method URI Description Change Summary

GET /system/sandbox/test-connect/ Test the connectivity of a given New API

GET /user/device-type/select/ Retrieve a list of device types. New API

FortiOS REST API Reference Fortinet Inc.

Method URI Description Change Summary

GET /firewall/session/select List all active firewall sessions Added a new parameter

GET /firewall/session/select List all active firewall sessions Updated protocol parameter type

GET /router/policy/select Retrieve a list of active IPv4 Added new parameters : start,

GET /router/policy6/select Retrieve a list of active IPv6 Added new parameters : start,

GET /vpn/one-click/members Get information on devices Updated summary to use the new

GET /vpn/one-click/status Get the last status message Updated summary to use the new

Method URI Description Change

GET /firewall/session-top/select/ List of top sessions by specified grouping Removed API

FortiOS REST API Reference Fortinet Inc.

Key Type Description

username String The admin username.

secretkey String The password for that admin.

ajax Int (1) Required: Format the response for easier parsing. Enable using 1.

FortiOS REST API Reference Fortinet Inc.

FortiOS REST API Reference Fortinet Inc.

config system api-user

FortiOS REST API Reference Fortinet Inc.

Request Body data Description

POST /api/v2/monitor/system/api- {'api-user':"api- "Generate a new api-key for the specified

The user needs to explicitly add the following field to the request header: 'Authorization': 'Bearer ' +

Method URL Body Description

GET /api/v2/cmdb/firewall/address ?vdom=root&access_ Retrieve all

FortiOS REST API Reference Fortinet Inc.

FortiOS REST API Reference Fortinet Inc.

This will produce the following output when the REST API for IPv4 policy statistics is queried:

FortiOS REST API Reference Fortinet Inc.

FortiOS REST API Reference Fortinet Inc.

CLI Command path name mkey child_ child_ Full URL

configure vdom system vdom /api/v2/cmdb/system/vdom/

configure vdom, edit vdom1 system vdom vdom1 /api/v2/cmdb/system/

configure firewall schedule firewall. recurring /api/v2/cmdb/

configure firewall policy firewall policy /api/v2/cmdb/firewall/policy/

configure firewall policy, firewall policy 1 /api/v2/cmdb/firewall/policy/1/

configure firewall policy, firewall policy 1 srcintf /api/v2/cmdb/firewall/

configure firewall policy, firewall policy 1 srcintf lan /api/v2/cmdb/firewall/

FortiOS REST API Reference Fortinet Inc.

URL parameter Example Description

vdom=root GET /api/v2/cmdb/firewall/address/?vdom=root Return result/apply changes

vdom=root,vdom1 GET /api/v2/cmdb/firewall/address/?vdom=root,vdom1 Return result/apply changes

vdom=root&vdom=vdom1 GET Return result/apply changes

vdom=* GET /api/v2/cmdb/firewall/address/?vdom=* Return a list of results/apply

URL parameter Example Description

action=schema GET /api/v2/cmdb/firewall/policy Return schema of the resource table

action=default GET /api/v2/cmdb/firewall/policy Return default attributes of the resource

FortiOS REST API Reference Fortinet Inc.

URL parameter Example Description

action=move PUT /api/v2/cmdb/firewall/policy/1 Move policy 1 to after policy 2