fortinet-solutions-cse / fortiosapi

Python library aimed to be used by configuration management system using Fortigate/Fortios devices (REST API)
https://fndn.fortinet.com
Apache License 2.0

401 Authorization Error when post-login-banner option is set. #50

Closed robotman321 closed 5 years ago

robotman321 commented 5 years ago

I tried engaging support, but was told the Technical Team doesn't support the API even though it's clear the issue stems from the use of the post-login-banner option being set. I am opening this issue up in hopes for clarity around the 401 response that I am getting using the fortiosapi library.

I also asked about this being a potential bug but got no response.

Thank you.

stdout from script:

$ python3 fortigateapi_test.py
/usr/lib/python3.6/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
/usr/lib/python3.6/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
Traceback (most recent call last):
  File "fortigateapi_test.py", line 19, in <module>
    fgt.login("REMOVED", "admin", "REMOVED")
  File "/usr/lib/python3.6/site-packages/fortiosapi/fortiosapi.py", line 187, in login
    raise e
  File "/usr/lib/python3.6/site-packages/fortiosapi/fortiosapi.py", line 182, in login
    self._fortiversion = resp_lic['version']
TypeError: 'Response' object is not subscriptable

Test script:

#!/usr/bin/env python

import sys
import pprint
import requests
import getpass
import logging
from fortiosapi import FortiOSAPI

formatter = logging.Formatter(
    '%(asctime)s %(name)-12s %(levelname)-8s %(message)s')
logger = logging.getLogger('fortiosapi')
hdlr = logging.FileHandler('testfortiosapi.log')
hdlr.setFormatter(formatter)
logger.addHandler(hdlr)
logger.setLevel(logging.DEBUG)
fgt = FortiOSAPI()

fgt.login("0.0.0.0", "admin", "PASSWORD-REMOVED")

resp = fgt.get('system', 'global', vdom="global")

logging.debug(resp)

fgt.logout()

output in testfortiosapi.log: (with post-login-banner set in config)

$ cat testfortiosapi.log
2019-08-02 12:08:14,596 fortiosapi   DEBUG    self._https is True
2019-08-02 12:08:15,130 fortiosapi   DEBUG    response content type : text/html; charset=utf-8
2019-08-02 12:08:15,131 fortiosapi   DEBUG    Request : POST on url : https://0.0.0.0/logincheck
2019-08-02 12:08:15,131 fortiosapi   DEBUG    Response : http code 200  reason : OK
2019-08-02 12:08:15,131 fortiosapi   DEBUG    raw response:  b'1document.location="/logindisclaimer?viewOnly&redir=%2Fng%2F";\n'
2019-08-02 12:08:15,131 fortiosapi   DEBUG    logincheck res : b'1document.location="/logindisclaimer?viewOnly&redir=%2Fng%2F";\n'
2019-08-02 12:08:15,131 fortiosapi   DEBUG    cookies are  : <RequestsCookieJar[<Cookie APSCOOKIE_2735489310="Era%3D0%26Payload%3DpV7NoyHomCpeJqN0m4AbTxH8yPX6wK55KUK0yj+6wM2zJ2dajUryWM%2FY07xYyRFV%0AOTMyCE%2FLuILhoOSgs0JjHf0sSCFa8rqGV5wgznkXVEao2NmbCfa4xIn+Q4MvdV2M%0AO9m
SnoRIkhNFvFaLhnViuQOXTZioG2dTOQ215XvWl55pHxwamOY5GOf2tF+pVbsk%0AKVY8uOcNubzSF9OS4d3Evw%3D%3D%0A%26AuthHash%3DOoktRdOfh0gy+tBD6F0d4KnJoY8A%0A" for 0.0.0.0/>, <Cookie ccsrftoken="53C3487D7463F6BAC67D3508291D0CE" for 0.0.0.0/>, <Cookie ccsrftoken_2735489310="5
3C3487D7463F6BAC67D3508291D0CE" for 0.0.0.0/>]>
2019-08-02 12:08:15,131 fortiosapi   DEBUG    csrftoken before update  : 53C3487D7463F6BAC67D3508291D0CE
2019-08-02 12:08:15,131 fortiosapi   DEBUG    csrftoken after update  : 53C3487D7463F6BAC67D3508291D0CE
2019-08-02 12:08:15,131 fortiosapi   DEBUG    New session header is: {'User-Agent': 'python-requests/2.21.0', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'X-CSRFTOKEN': '53C3487D7463F6BAC67D3508291D0CE'}
2019-08-02 12:08:15,131 fortiosapi   DEBUG    vdom is: global
2019-08-02 12:08:15,131 fortiosapi   DEBUG    in monitor url is https://0.0.0.0/api/v2/monitor/license/status?global=1
2019-08-02 12:08:15,231 fortiosapi   DEBUG    in MONITOR function
2019-08-02 12:08:15,231 fortiosapi   DEBUG    formating response
2019-08-02 12:08:15,232 fortiosapi   DEBUG    response content type : text/html; charset=iso-8859-1
2019-08-02 12:08:15,232 fortiosapi   DEBUG    Request : GET on url : https://0.0.0.0/api/v2/monitor/license/status?global=1
2019-08-02 12:08:15,232 fortiosapi   DEBUG    Response : http code 401  reason : Authorization Required
2019-08-02 12:08:15,232 fortiosapi   DEBUG    raw response:  b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<HTML><HEAD>\n<TITLE>401 Authorization Required</TITLE>\n</HEAD><BODY>\n<H1>Authorization Required</H1>\nThis server could not verify that you\nare authoriz
ed to access the document\nrequested.  Either you supplied the wrong\ncredentials (e.g., bad password), or your\nbrowser doesn\'t understand how to supply\nthe credentials required.<P>\n<P>Additionally, a 401 Authorization Required\nerror was encountered while trying to
use an ErrorDocument to handle the request.\n</BODY></HTML>\n'
2019-08-02 12:08:15,233 fortiosapi   WARNING  in formatresponse res.content does not exist, should not occur
2019-08-02 12:08:15,233 fortiosapi   DEBUG    response monitor license: <Response [401]>

output in testfortiosapi.log: (WITHOUT post-login-banner set in config)

$ cat testfortiosapi.log
2019-08-02 12:10:51,745 fortiosapi   DEBUG    self._https is True
2019-08-02 12:10:52,319 fortiosapi   DEBUG    response content type : text/html; charset=utf-8
2019-08-02 12:10:52,319 fortiosapi   DEBUG    Request : POST on url : https://0.0.0.0/logincheck
2019-08-02 12:10:52,320 fortiosapi   DEBUG    Response : http code 200  reason : OK
2019-08-02 12:10:52,320 fortiosapi   DEBUG    raw response:  b'1document.location="/ng/prompt?viewOnly&redir=%2Fng%2F";\n'
2019-08-02 12:10:52,320 fortiosapi   DEBUG    logincheck res : b'1document.location="/ng/prompt?viewOnly&redir=%2Fng%2F";\n'
2019-08-02 12:10:52,321 fortiosapi   DEBUG    cookies are  : <RequestsCookieJar[<Cookie APSCOOKIE_2735489310="Era%3D0%26Payload%3D4i3SPAe4WWmApRRwS242E7hW1LnOeSOMNsEzLqo5j3ZSpdO+0eZCIiCSng7RobQS%0AQA9yihBqmQSYebQHVaHZ%2FGlaqRVbHKiF7yXWOD8+00MuFTNkAQWlsgBYvmQFPL4Z%0ABBEhr
LQcySKtCXHCodZ1z5Udr7AATFTyPeJNlpa2SFAOD9uZFbTLEOQqCC96sosx%0Ar9Ci%2FhHTBvN02ScGmzYPvA%3D%3D%0A%26AuthHash%3Df9bq0VE8r4vdRGEIKOz+A8Md7tkA%0A" for 0.0.0.0/>, <Cookie ccsrftoken="248DF4DA959C5DBE8FF6F723B743CF9" for 0.0.0.0/>, <Cookie ccsrftoken_2735489310="2
48DF4DA959C5DBE8FF6F723B743CF9" for 0.0.0.0/>]>
2019-08-02 12:10:52,321 fortiosapi   DEBUG    csrftoken before update  : 248DF4DA959C5DBE8FF6F723B743CF9
2019-08-02 12:10:52,321 fortiosapi   DEBUG    csrftoken after update  : 248DF4DA959C5DBE8FF6F723B743CF9
2019-08-02 12:10:52,322 fortiosapi   DEBUG    New session header is: {'User-Agent': 'python-requests/2.21.0', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'X-CSRFTOKEN': '248DF4DA959C5DBE8FF6F723B743CF9'}
2019-08-02 12:10:52,322 fortiosapi   DEBUG    vdom is: global
2019-08-02 12:10:52,322 fortiosapi   DEBUG    in monitor url is https://0.0.0.0/api/v2/monitor/license/status?global=1
2019-08-02 12:10:52,469 fortiosapi   DEBUG    in MONITOR function
2019-08-02 12:10:52,469 fortiosapi   DEBUG    formating response
2019-08-02 12:10:52,469 fortiosapi   DEBUG    response content type : application/json
2019-08-02 12:10:52,469 fortiosapi   DEBUG    Request : GET on url : https://0.0.0.0/api/v2/monitor/license/status?global=1
2019-08-02 12:10:52,470 fortiosapi   DEBUG    Response : http code 200  reason : OK
2019-08-02 12:10:52,471 fortiosapi   DEBUG    vdom is: global
2019-08-02 12:10:52,472 fortiosapi   DEBUG    urlbuild is https://0.0.0.0/api/v2/cmdb/system/global?global=1 with crsf: {'User-Agent': 'python-requests/2.21.0', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'X-CSRFTOKEN': '248DF4
DA959C5DBE8FF6F723B743CF9'}
2019-08-02 12:10:52,472 fortiosapi   DEBUG    Calling GET ( https://0.0.0.0/api/v2/cmdb/system/global?global=1, None)
2019-08-02 12:10:52,575 fortiosapi   DEBUG    in GET function
2019-08-02 12:10:52,575 fortiosapi   DEBUG    formating response
2019-08-02 12:10:52,575 fortiosapi   DEBUG    response content type : application/json
2019-08-02 12:10:52,575 fortiosapi   DEBUG    Request : GET on url : https://0.0.0.0/api/v2/cmdb/system/global?global=1
2019-08-02 12:10:52,575 fortiosapi   DEBUG    Response : http code 200  reason : OK
2019-08-02 12:10:52,662 fortiosapi   DEBUG    response content type : text/html; charset=utf-8
2019-08-02 12:10:52,662 fortiosapi   DEBUG    Request : POST on url : https://0.0.0.0/logout
2019-08-02 12:10:52,662 fortiosapi   DEBUG    Response : http code 200  reason : OK
2019-08-02 12:10:52,662 fortiosapi   DEBUG    raw response:  b'<script language="javascript">\ntop.location="/login";\n</script>\n'

thomnico commented 5 years ago

Hello,

Thanks for the very well documented bug report, greatly appreciated.

Post-login banners are only meaningful to humans; programs using the API won't read them.

We do not plan to support this behavior, but will happily review a pull request with associated tests.

We recommend having an API login with banner or, even better, an API token (which this lib supports). Documented on http://fndn.fortinet.net

Hope this helps,

robotman321 commented 5 years ago

Thanks, I don't like the post-login-banner option myself; equally frustrating is that somehow this setting has a bearing over an API that will only be used by programs. However, the clientele I'm working with have brand-specific policies that require pre- and post-login banners.

I'll just have to unset this value at runtime using netmiko and then re-set it after the application succeeds. I was just hoping there had been some development from the API point of view that would have mitigated the unintended results of setting that value. Oh well. Thanks though.

codyroche commented 5 years ago

Hey, if you need to do this and are OK with writing your own API connection handler it shouldn't be too hard. Just follow up the 200 you get from '/logindisclaimer?viewOnly&redir=%2Fng%2F' with a POST to '/logindisclaimer' and content of 'confirm=1&redir=%2Fng%2F'.

You can see the strings in the JavaScript on the authentication page and the method formatting in a Fiddler trace of the banner interactions.

It's not as nice as the API doing it for you, but it'll work if you want this to work without modifying the configuration every time you run your code.
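
The banner acknowledgement described in the comment above, written out as a small login handler. This is an added example, not code from this thread or from fortiosapi. The names `login`, `parse_logincheck` and `FakeFortiGate`, the host `fgt.example` and the `username`/`secretkey` form fields are assumptions; the fake session is constructed from the two logs in the report so the block runs offline.

```python
import re
from collections import namedtuple
from urllib.parse import parse_qs, urlsplit

# /logincheck answers with a status digit followed by a JavaScript redirect,
# e.g. b'1document.location="/logindisclaimer?viewOnly&redir=%2Fng%2F";\n'
LOGINCHECK_RE = re.compile(rb'^(\d)document\.location="([^"]+)";')


class LoginError(Exception):
    """Raised when the login flow does not end in an authorised session."""


def parse_logincheck(body):
    """Split a /logincheck body into (status digit, target path, query dict)."""
    match = LOGINCHECK_RE.match(body)
    if match is None:
        raise LoginError("unexpected /logincheck body: %r" % body[:80])
    target = urlsplit(match.group(2).decode("ascii"))
    query = parse_qs(target.query, keep_blank_values=True)
    return match.group(1).decode("ascii"), target.path, query


def login(session, base_url, username, password):
    """Log in and, if the post-login banner is shown, acknowledge it.

    `session` is a requests.Session or any object with the same post(),
    cookies and headers members. The form field names username/secretkey
    are an assumption; they do not appear on this page.
    """
    resp = session.post(base_url + "/logincheck",
                        data={"username": username, "secretkey": password})
    status, path, query = parse_logincheck(resp.content)
    # Assumption: a leading "1" means the credentials were accepted, as in
    # both logs in the report.
    if status != "1":
        raise LoginError("credentials rejected (status %s)" % status)
    if path == "/logindisclaimer":
        # Banner pending: API calls return 401 until it is confirmed.
        redir = query.get("redir", ["/ng/"])[0]
        ack = session.post(base_url + "/logindisclaimer",
                           data={"confirm": "1", "redir": redir})
        if ack.status_code != 200:
            raise LoginError("banner confirmation failed: HTTP %d" % ack.status_code)
    token = session.cookies.get("ccsrftoken")
    if not token:
        raise LoginError("no ccsrftoken cookie after login")
    # The cookie value is wrapped in double quotes; the header takes it bare.
    session.headers["X-CSRFTOKEN"] = token.strip('"')
    return path


Resp = namedtuple("Resp", "status_code content")


class FakeFortiGate:
    """Constructed stand-in for requests.Session, modelled on the two logs."""

    def __init__(self, banner):
        self.banner = banner
        self.authorised = False
        self.cookies, self.headers = {}, {}

    def post(self, url, data=None):
        path = urlsplit(url).path
        if path == "/logincheck":
            self.cookies["ccsrftoken"] = '"CONSTRUCTED0TOKEN"'  # constructed value
            self.authorised = not self.banner
            page = "/logindisclaimer" if self.banner else "/ng/prompt"
            body = '1document.location="%s?viewOnly&redir=%%2Fng%%2F";\n' % page
            return Resp(200, body.encode("ascii"))
        if path == "/logindisclaimer" and data == {"confirm": "1", "redir": "/ng/"}:
            self.authorised = True
            return Resp(200, b"")
        return Resp(401, b"")

    def get(self, url):
        return Resp(200 if self.authorised else 401, b"")


def demo():
    """Return the license-status HTTP code after login, keyed by banner state."""
    url = "https://fgt.example/api/v2/monitor/license/status?global=1"
    codes = {}
    for banner in (False, True):
        fgt = FakeFortiGate(banner)
        login(fgt, "https://fgt.example", "admin", "constructed-password")
        codes[banner] = fgt.get(url).status_code
    return codes


if __name__ == "__main__":
    print(demo())
```

Against a real device, pass a `requests.Session` whose `verify` points at the CA that signed the FortiGate admin certificate, which also removes the `InsecureRequestWarning` seen in the report.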

robotman321 commented 5 years ago

@codyroche that's actually perfect, I was going to investigate that today after putting out fires but you've done all of my work, thank you! Now I won't need to use a pre-release version of netmiko (hah!).

I really appreciate it, hopefully this helps someone else down the line (I can't be the only one, heh)

codyroche commented 5 years ago

Agreed, I just started with Fortinet APIs last week, but wanted to figure it out for the same reasons you mentioned. I can't always use an API key so it's a fun trick.


thomnico commented 5 years ago

@codyroche will accept a pull request on this project that implements what you describe (just saying)

I need to try but I assume you won't have the issue using the api-key user with keeping the banners in place for humans. It is not really a different user but an api-token supported in the lib.

Hope this helps,

codyroche commented 5 years ago

@thomnico not sure when I'd have time, but I'd be interested.

thomnico commented 5 years ago

To both: I am very curious to understand why using api-user is not an option? Check https://docs2.fortinet.com/document/fortigate/6.2.1/cli-reference/16620/system-api-user

Find a login example here : https://github.com/fortinet-solutions-cse/fortiosapi-examples/blob/master/apilogin.py

codyroche commented 5 years ago

Hey @thomnico, It's not that I wouldn't prefer API authentication, but rather will the customer allow it. Since it's a static key option right now some environments won't like it. TACACS, LDAP, or RADIUS is generally preferred in those cases.

Using a client certificate is an option with the API that helps manage the risk, but doesn't help me if I'm just trying to do some rapid data collection. Same with ensuring that various API keys have limited access to the platforms, it just minimizes risk and doesn't address the locally configured static key completely.

It'd be nice if the Fortigate appliances would support OAuth, since it addresses a lot of the security complaints you get with static API keys. I don't see that happening any time soon though, right?

thomnico commented 5 years ago

Thanks for your perspective. Fortigate supports LDAP and RADIUS sso already.

Creating an API user with the least privileges is probably more important (and complex) than the method of authentication.

The goal of this GitHub is to provide easy programmable access to the API; Fortigate feature requests should be discussed with your Fortinet Rep.

Hope this helps,