FortiPower / PowerFGT

PowerShell module to manage Fortinet (FortiGate) Firewall
Apache License 2.0
107 stars 36 forks

Invoke-FGTRestMethod - Bad Gateway When Trying To Create Custom Service #245

Closed Timond closed 6 months ago

Timond commented 7 months ago

Hi Guys,

I've had great success with the Invoke-FGTRestMethod command for the majority of API calls, however, when trying to create a custom service we see the following:

$body = '{ "name": "TESTSERVICE", "tcp-portrange": "80-443", "comment": "COMMENTHERE", "color": "0" }'

Invoke-FGTRestMethod -vdom "vd_CAFEBEEF" -body "$body" -uri "api/v2/cmdb/firewall.service/custom" -method POST -Verbose

VERBOSE: https://10.68.6.17:20443/api/v2/cmdb/firewall.service/custom?&vdom=vd_CAFEBEEF
VERBOSE: "{\r\n \"name\": \"MyCustomService\",\r\n \"tcp-portrange\": \"80-85 443-445\",\r\n \"udp-portrange\": \"443\",\r\n \"comment\": \"This Is A Comment\"\r\n}\r\n"
VERBOSE: Requested HTTP/1.1 POST with 188-byte payload
VERBOSE: Received HTTP/1.1 138-byte response of content type text/html
WARNING: The FortiGate API sends an error message:
WARNING: Error description (code): (502)
WARNING: Error details:

Error

Bad Gateway

Exception: C:\Users\unCHOOL\Documents\PowerShell\Modules\PowerFGT\0.8.0\Private\RestMethod.ps1:208:13
Line |
 208 |  throw "Unable to use FortiGate API"
     |  ~~~~~~~
     | Unable to use FortiGate API

Timond commented 7 months ago

When using CURL, the API call seems to work fine.

curl --location 'https://10.68.6.17:20443/api/v2/cmdb/firewall.service/custom?null=null&vdom=vd_CAFEBEEF' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer mxxxxxxxxxn' \
  --data '{ "name": "TESTSERVICE", "tcp-portrange": "80-443", "comment": "COMMENTHERE", "color": "0" } '

{ "http_method":"POST", "revision":"1a7a444cbaa97f14041bc8b257bc2f21", "revision_changed":true, "old_revision":"f5bcd298d0f7833ab1f92e3fac9e71bd", "mkey":"TESTSERVICE", "status":"success", "http_status":200, "vdom":"vd_CAFEBEEF", "path":"firewall.service", "name":"custom", "serial":"FG1xxxxx191", "version":"v7.2.7", "build":1577 }

From what I can tell, it's something to do with the formatting of the body variable. I believe it may be the way that the double quotes are being escaped.

Is there a certain way we need to escape double quotes for POST calls using the Invoke-FGTRestMethod cmdlet?

alagoutte commented 7 months ago

Hi Tim,

You didn't forget to add the vdom info?

The $body looks good! You can look at PR #204, which adds this function...

You can use this debug on the FortiGate CLI 👍

diagnose debug enable
diagnose debug application httpsd -1

Timond commented 7 months ago

Hi Alagoutte,

Thanks for the reply.

I'll check out that PR, thanks.

I think the issue must be to do with the way Invoke-FGTRestMethod is sending the body in the request. As you can see when I use CURL directly with the exact same body string, it works without any errors.

e.g.

$body = '{"name": "MyCustomService","tcp-portrange": "80","udp-portrange": "443","comment": "This Is A Comment"}'
curl -k --location "https://10.68.6.17:20443/api/v2/cmdb/firewall.service/custom?null=null&vdom=vd_CAFEBEEF" `
    --header 'Content-Type: application/json' `
    --header 'Authorization: Bearer mHdxxxxxxc15wjn' `
    --data $body

Response:

{
  "http_method":"POST",
  "revision":"baca0e0ebcaefd348f9b566d1cf559ed",
  "revision_changed":true,
  "old_revision":"bd13061e04ad440c993bcbe83b9de3eb",
  "mkey":"MyCustomService",
  "status":"success",
  "http_status":200,
  "vdom":"vd_CAFEBEEF",
  "path":"firewall.service",
  "name":"custom",
  "serial":"FGxxx00191",
  "version":"v7.2.7",
  "build":1577
}

And then we can see the custom service is added correctly to the Fortigate.

In the PR it looks like the body variable isn't actually a string, but rather a custom "psobject", with added "NoteProperty" members. Does this mean the Invoke-FGTRestMethod cmdlet doesn't support a normal string as the body variable, but instead requires an object like in the PR?

Thanks!

alagoutte commented 7 months ago

Hi @Timond

Yes, the body is not a string (like with cURL) but an array (/PSObject) with values; you use this:

$body = @{"name" = "MyCustomService"; "tcp-portrange"= "80"; "udp-portrange"= "443"; "comment"= "This Is A Comment"}

It will work:

Invoke-FGTRestMethod -body $body -uri "api/v2/cmdb/firewall.service/custom" -method POST -Verbose
VERBOSE: https://10.200.4.142:443/api/v2/cmdb/firewall.service/custom?
VERBOSE: {
  "name": "MyCustomService",
  "comment": "This Is A Comment",
  "tcp-portrange": "80",
  "udp-portrange": "443"
}
VERBOSE: Requested HTTP/1.1 POST with 99-byte payload
VERBOSE: Received HTTP/1.1 360-byte response of content type application/json
VERBOSE: Content encoding: utf-8

http_method      : POST
revision         : ce450c0c51cabaabe5039eee24416efb
revision_changed : True
old_revision     : 653702910c2d1fe4aa9bcf67678b2ea9
mkey             : MyCustomService
status           : success
http_status      : 200
vdom             : root
path             : firewall.service
name             : custom
serial           : FGVM02TM24001885
version          : v7.4.3
build            : 2573
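
Added example (not part of the thread and not PowerFGT's own code): why a JSON string passed as the body ends up as the escaped, quoted payload seen in the first VERBOSE output, and how to normalise a body before calling the cmdlet. It assumes, as that output suggests, that the module serialises -body with ConvertTo-Json; `ConvertTo-FGTBody` is a hypothetical helper name.

```powershell
# Hypothetical helper (assumption, not a PowerFGT function): accept JSON text,
# a hashtable or a PSCustomObject and always return an object, never a string.
function ConvertTo-FGTBody {
    param([Parameter(Mandatory)] $Body)

    if ($Body -is [string]) {
        # JSON text has to be parsed first; serialising the raw string again
        # would produce one quoted JSON string instead of a JSON object.
        try   { $Body = $Body | ConvertFrom-Json -ErrorAction Stop }
        catch { throw "Body is a string but not valid JSON: $($_.Exception.Message)" }
    }

    $isDictionary = $Body -is [System.Collections.IDictionary]
    $isCustomObj  = $Body -is [System.Management.Automation.PSCustomObject]
    if (-not ($isDictionary -or $isCustomObj)) {
        throw "Body must describe a JSON object, got $($Body.GetType().FullName)"
    }
    return $Body
}

# Constructed sample input: the JSON text from the first comment of the thread.
$json = '{ "name": "TESTSERVICE", "tcp-portrange": "80-443", "comment": "COMMENTHERE", "color": "0" }'

# Serialising the raw string a second time: the result begins with a quote
# character and every inner quote is backslash-escaped (double encoding).
$doubleEncoded = $json | ConvertTo-Json
Write-Host "String body   -> $doubleEncoded"

# Parsed first, the same data serialises to a plain JSON object.
$body = ConvertTo-FGTBody -Body $json
Write-Host "Parsed body   -> $($body | ConvertTo-Json -Compress)"

# Building the body as a hashtable avoids hand-written JSON and quote escaping.
$body = ConvertTo-FGTBody -Body @{
    'name'          = 'TESTSERVICE'
    'tcp-portrange' = '80-443'
    'comment'       = 'COMMENTHERE'
    'color'         = '0'
}
Write-Host "Hashtable body -> $($body | ConvertTo-Json -Compress)"

# With an active connection, the object is then passed as in the thread:
# Invoke-FGTRestMethod -vdom "vd_CAFEBEEF" -body $body -uri "api/v2/cmdb/firewall.service/custom" -method POST
```
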

Timond commented 7 months ago

Awesome, perfect. Thank you so much for the help!

On Mon, Apr 15, 2024 at 9:02 PM Alexis La Goutte @.***> wrote:
