Matt Sherif

FortiClient Cloud - API Access

I'd first like to start off this post by wishing everyone a happy and safe new year! It's been almost 3 months since my last post; things got a little crazy at year end. I also took some time off to try and reset a bit. All that aside, this post's topic is one I have had a lot of questions on, but no definitive answers.


I was toying with the FortiCloud API, and was wondering if that was all we needed to gain access to the FortiClient Cloud API. In this post we take a look at what was needed to accomplish this. Note that this can change at ANY time: this is not official Fortinet documentation, and the process is not yet officially documented. Use at your own risk.


Assumptions:


  • You have access to FNDN; the free access should be sufficient. If you do not have access, find 2 Fortinet employees (typically your Account Manager and SE) to sponsor your access. It takes about 3-5 days for the process to complete once both sponsors have approved your access.

  • You have a cloud access key; this is required. If you do not, you will need to reach out to your account team to have it provided. A degree of verification is required, given that the API is publicly accessible.

  • You're familiar with RESTful/JSON APIs. I am merely dangerous with APIs: I have a solid conceptual understanding, but in practice I don't use them as often as I would like. So, if you find a way to build on and improve this content, please feel free to share, and I will share it and provide credit.

  • We will be using Postman to test this access; you can use whatever tool you would like.

  • You have FortiClient Cloud (Cloud EMS) at some level.


With all that said, let's dig into this!


First things first: authentication


Before we can do anything, we need to be allowed to interact with the API. With on-prem EMS you would normally follow the EMS API authentication process; that gets thrown out the window here, since FortiCare/FortiCloud brokers access.


The authentication process is similar to how it's done for FortiGate Cloud, but the URI is different. We need to obtain a session id first, and to do that we perform a POST call against:


https://forticlient.forticloud.com/fct/api/public/v1/ems_api_cloud/login/


And your JSON should look something like this:

    {
        "access_key": "XXXXXX",
        "account_email": "forticare@email.address"
    }

The response should look similar to this:

    {
        "result": "login",
        "session_id": "XXXXXXX"
    }

The session ID is what we care about in this case, as it will accompany every request moving forward. All your requests from this point should point to:


https://forticlient.forticloud.com/fct/api/public/v1/ems_api + API_Path


For example, if you wanted to get a listing of endpoints - FNDN lists the API path as "/api/v1/endpoints/index" so the request URI would be:


https://forticlient.forticloud.com/fct/api/public/v1/ems_api/api/v1/endpoints/index


You will need to add an Authorization header carrying the session id; in Postman it will look like this:


(Screenshot) What the response from FortiClient Cloud looks like in Postman; note the Authorization header.

Be sure to apply the requisite HTTP method (GET, POST, PUT, etc.) per the FortiClient EMS API.


Once you're done, don't forget to log out, since doing so kills the session id. The API endpoint for that is:


https://forticlient.forticloud.com/fct/api/public/v1/ems_api_cloud/logout/


Be sure to use the POST HTTP method and include your session id in the header, so the correct session is logged out. You should receive a JSON response:

    {
        "result": "logout"
    }
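The whole flow above (login for a session id, authenticated calls under the ems_api base, POST to logout) is small enough to wrap in a client that guarantees the logout step. The code below is an added example written for this post, not Fortinet's code or anything from FNDN. It uses the two base URLs and the JSON shapes given above; the Authorization header value is assumed to be the bare session id (the post only shows this in a screenshot, so check it against the Postman capture), and the `/api/v1/endpoints/index` response body in the fake service is constructed sample data, since the real field names come from the EMS API documentation on FNDN. The `FakeEmsCloud` transport exists only so the flow can be run offline; swap in `urllib_transport` to talk to the live service.

```python
import json
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Base URLs exactly as given in the post: one for login/logout, one for EMS API calls.
AUTH_BASE = "https://forticlient.forticloud.com/fct/api/public/v1/ems_api_cloud"
API_BASE = "https://forticlient.forticloud.com/fct/api/public/v1/ems_api"

# A transport is anything that sends (method, url, headers, body) and returns (status, body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTPS transport (standard library only); used when talking to the live service."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class EmsCloudSession:
    """Login -> authenticated calls -> logout, with logout guaranteed by the context manager."""

    def __init__(self, access_key: str, account_email: str, transport: Transport = urllib_transport):
        self.access_key = access_key
        self.account_email = account_email
        self._transport = transport
        self.session_id: Optional[str] = None

    def login(self) -> str:
        payload = json.dumps({"access_key": self.access_key, "account_email": self.account_email}).encode()
        status, raw = self._transport("POST", AUTH_BASE + "/login/", {"Content-Type": "application/json"}, payload)
        data = json.loads(raw)
        # Anything other than {"result": "login", "session_id": ...} is treated as a failed login.
        if status != 200 or data.get("result") != "login" or not data.get("session_id"):
            raise RuntimeError(f"login failed: HTTP {status} {data}")
        self.session_id = data["session_id"]
        return self.session_id

    def _auth_headers(self) -> Dict[str, str]:
        if self.session_id is None:
            raise RuntimeError("not logged in")
        # ASSUMPTION: the Authorization header carries the bare session id (shown only in the post's screenshot).
        return {"Authorization": self.session_id, "Content-Type": "application/json"}

    def call(self, method: str, api_path: str, payload: Optional[dict] = None) -> dict:
        """Send one EMS API request; api_path is the path as listed on FNDN, e.g. /api/v1/endpoints/index."""
        body = json.dumps(payload).encode() if payload is not None else None
        status, raw = self._transport(method, API_BASE + api_path, self._auth_headers(), body)
        if status != 200:
            raise RuntimeError(f"{method} {api_path} failed: HTTP {status}")
        return json.loads(raw)

    def logout(self) -> dict:
        status, raw = self._transport("POST", AUTH_BASE + "/logout/", self._auth_headers(), None)
        data = json.loads(raw)
        self.session_id = None  # drop the credential locally regardless of what the server said
        if status != 200 or data.get("result") != "logout":
            raise RuntimeError(f"logout failed: HTTP {status} {data}")
        return data

    def __enter__(self):
        self.login()
        return self

    def __exit__(self, *exc):
        if self.session_id is not None:  # always kill the session id, even if a call raised
            self.logout()
        return False


class FakeEmsCloud:
    """Constructed stand-in for the cloud service so the flow runs offline. It mimics only the
    request/response shapes given in the post; it is not the real API."""

    def __init__(self):
        self.active = set()  # session ids that logged in and have not yet logged out
        self.calls = []      # (method, url) log, used to check the order of operations

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if method == "POST" and url == AUTH_BASE + "/login/":
            creds = json.loads(body)
            if creds.get("access_key") != "XXXXXX":  # constructed "valid" key for the fake
                return 401, json.dumps({"result": "error"}).encode()
            sid = "SESSION%d" % len(self.calls)
            self.active.add(sid)
            return 200, json.dumps({"result": "login", "session_id": sid}).encode()
        sid = headers.get("Authorization")
        if sid not in self.active:
            return 401, json.dumps({"result": "unauthorized"}).encode()
        if method == "POST" and url == AUTH_BASE + "/logout/":
            self.active.discard(sid)
            return 200, json.dumps({"result": "logout"}).encode()
        if method == "GET" and url == API_BASE + "/api/v1/endpoints/index":
            # Constructed sample data; the real field names are defined by the EMS API docs on FNDN.
            return 200, json.dumps({"result": "ok", "data": [{"name": "LAPTOP-01"}, {"name": "LAPTOP-02"}]}).encode()
        return 404, json.dumps({"result": "not found"}).encode()


def list_endpoint_names(transport: Transport = urllib_transport) -> list:
    """The full flow from the post: login, GET endpoints/index, logout."""
    with EmsCloudSession("XXXXXX", "forticare@email.address", transport) as ems:
        result = ems.call("GET", "/api/v1/endpoints/index")
    return [e["name"] for e in result["data"]]


if __name__ == "__main__":
    fake = FakeEmsCloud()
    print(list_endpoint_names(fake))  # ['LAPTOP-01', 'LAPTOP-02']
    print(fake.active)                # set(): the session id was killed by the logout
```

The session id is a bearer credential: anyone holding it can make calls until it is logged out, which is why the context manager performs the logout even when a request in the middle raises. Injecting the transport keeps the session logic testable without network access and makes it easy to log every request, including the logout, when reconciling API activity against FortiClient Cloud's own records.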

I am sure Fortinet will release some additional documentation in the near future, but as it stands, we had to piece this information together from FNDN and some trial and error.


Thank you for reading, I hope this helps.


Madman out!
