fortinetdev / terraform-provider-fortimanager

Mozilla Public License 2.0

token authentication broken since upgrade to FMG 7.2.7 #59

Open parkerbrother1 opened 1 month ago

parkerbrother1 commented 1 month ago

Environment
FMG: 7.2.7
Terraform: 1.9.6
terraform-provider-fortimanager: 1.12.1

Previously I was using version 7.2.4 without issues. Since upgrading to 7.2.7 I have started getting permission issues:

Error: Error reading WanTemplate resource: err -11: No permission for the resource

Error: Error reading ObjectFirewallAddress resource: err -11: No permission for the resource

Rest API admin account has Super_User permissions with rpc read-write enabled. Tried regenerating token. Switching to username/password fixes the issue.

MaxxLiu22 commented 1 month ago

Hi @parkerbrother1 ,

Thank you for bringing this issue to my attention. I’ve encountered a similar situation before, where the API user became invalid after a version switch. However, I was unable to reproduce the issue during the upgrade from 7.2.4 to 7.2.7. Another potential cause might be the existence of an invalid API session, which you can check through the GUI dashboard. Additionally, please ensure the permissions are correctly set here.


If possible, could you kindly enable the debug function on your FMG to gather some additional information? You can use the following commands:

diagnose debug service main 255
diagnose debug enable

My experience creating an identical API user may also help reactivate the old one. Please let me know if this doesn’t resolve your concern, and I’ll be happy to assist further.

Thanks, Maxx

parkerbrother1 commented 1 month ago

I tried creating a new API user and recreating the existing one. Finally I started an empty terraform project and started importing objects one by one. That worked for a couple of objects then I started getting the same error messages.

Request [/usr/local/apache2/bin/httpd:5699:480]: { "client": "\/usr\/local\/apache2\/bin\/httpd:5699", "id": 480, "method": "get", "params": [{ "data": null, "url": "\/pm\/config\/adom\/root\/obj\/firewall\/address\/SERVER_PKI"}], "session": "USCX1ZvuX3u\/ROLaByf0lsgC2D2rjQs1f2dOnUZwkHPS9LXBsF\/\/37SUTZ66M72tP3A\/gpD2XTaAi6AxqSmuZw==", "src": "10.0.0.200", "verbose": 1}
Request [/usr/local/apache2/bin/httpd:5699:481]: { "client": "\/usr\/local\/apache2\/bin\/httpd:5699", "id": 481, "method": "get", "params": [{ "data": null, "url": "\/pm\/config\/adom\/root\/obj\/firewall\/address\/SERVER_DC"}], "src": "10.0.0.200", "verbose": 1}
Request [/usr/local/apache2/bin/httpd:5699:482]: { "client": "\/usr\/local\/apache2\/bin\/httpd:5699", "id": 482, "method": "get", "params": [{ "data": null, "url": "\/pm\/config\/adom\/root\/obj\/firewall\/address\/SERVER_NPS"}], "session": "USCX1ZvuX3u\/ROLaByf0lsgC2D2rjQs1f2dOnUZwkHPS9LXBsF\/\/37SUTZ66M72tP3A\/gpD2XTaAi6AxqSmuZw==", "src": "10.0.0.200", "verbose": 1}
Request [/usr/local/apache2/bin/httpd:5699:483]: { "client": "\/usr\/local\/apache2\/bin\/httpd:5699", "id": 483, "method": "get", "params": [{ "data": null, "url": "\/pm\/pkg\/adom\/root\/Hub"}], "session": "USCX1ZvuX3u\/ROLaByf0lsgC2D2rjQs1f2dOnUZwkHPS9LXBsF\/\/37SUTZ66M72tP3A\/gpD2XTaAi6AxqSmuZw==", "src": "10.0.0.200", "verbose": 1}
Response [/usr/local/apache2/bin/httpd:5699:481]: { "id": 481, "result": [{ "status": { "code": -11, "message": "No permission for the resource"}, "url": "\/pm\/config\/adom\/root\/obj\/firewall\/address\/SERVER_DC"}]}

Error: Error reading PackagesFirewallPolicy resource: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

401 Unauthorized

Unauthorized

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
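The debug capture in the comment above is easier to read once each request is paired with its response. The following script is an added example, not code from the provider or from either participant: it parses FortiManager `diagnose debug service main 255` output (whether one entry per line or pasted together on a single line), correlates request ids with responses, and flags requests that carry no `session` field and responses with a non-zero status code. The sample log is constructed to mirror the thread's format, with the session token replaced by a placeholder and a success response for request 480 added for contrast.

```python
"""Added example: correlate FortiManager JSON-RPC debug output with its responses
and flag the two symptoms visible in the thread (a request sent without a
"session" field, and a response with status code -11).  Not provider code."""
import json
import re
from typing import Dict, List

# One debug entry: kind, apache worker identifier, request id, JSON body.
ENTRY_RE = re.compile(
    r'^(?P<kind>Request|Response) \[(?P<client>[^\]]+):(?P<id>\d+)\]: (?P<body>\{.*\})\s*$',
    re.S,
)

# Constructed sample in the thread's format; the session token is a placeholder.
SAMPLE_LOG = r'''Request [/usr/local/apache2/bin/httpd:5699:480]: { "client": "\/usr\/local\/apache2\/bin\/httpd:5699", "id": 480, "method": "get", "params": [{ "data": null, "url": "\/pm\/config\/adom\/root\/obj\/firewall\/address\/SERVER_PKI"}], "session": "SESSION_TOKEN_PLACEHOLDER", "src": "10.0.0.200", "verbose": 1}
Request [/usr/local/apache2/bin/httpd:5699:481]: { "client": "\/usr\/local\/apache2\/bin\/httpd:5699", "id": 481, "method": "get", "params": [{ "data": null, "url": "\/pm\/config\/adom\/root\/obj\/firewall\/address\/SERVER_DC"}], "src": "10.0.0.200", "verbose": 1}
Response [/usr/local/apache2/bin/httpd:5699:480]: { "id": 480, "result": [{ "status": { "code": 0, "message": "OK"}, "url": "\/pm\/config\/adom\/root\/obj\/firewall\/address\/SERVER_PKI"}]}
Response [/usr/local/apache2/bin/httpd:5699:481]: { "id": 481, "result": [{ "status": { "code": -11, "message": "No permission for the resource"}, "url": "\/pm\/config\/adom\/root\/obj\/firewall\/address\/SERVER_DC"}]}
'''


def split_entries(text: str) -> List[str]:
    """Entries normally arrive one per line, but output pasted into an issue may
    run together on one line; split on each Request/Response marker instead of
    on newlines so both forms are handled."""
    parts = re.split(r'(?=(?:Request|Response) \[)', text)
    return [p.strip() for p in parts if p.strip()]


def parse_entry(entry: str):
    m = ENTRY_RE.match(entry)
    if not m:
        raise ValueError(f"unrecognised debug entry: {entry[:60]!r}")
    return m.group("kind"), int(m.group("id")), json.loads(m.group("body"))


def analyse(text: str) -> Dict[str, list]:
    """Return {"findings": [...], "unanswered": [...]} for a block of debug output."""
    requests: Dict[int, str] = {}   # request id -> url requested
    answered = set()
    findings = []
    for entry in split_entries(text):
        kind, rid, body = parse_entry(entry)
        if kind == "Request":
            url = body["params"][0]["url"]
            requests[rid] = url
            # In the thread's capture, the request that lacked "session" is the
            # one that came back with -11, so surface that on its own.
            if "session" not in body:
                findings.append({"id": rid, "url": url,
                                 "issue": "request sent without session field"})
        else:
            answered.add(rid)
            for res in body.get("result", []):
                status = res.get("status", {})
                code = status.get("code", 0)
                if code != 0:
                    findings.append({"id": rid,
                                     "url": res.get("url") or requests.get(rid),
                                     "issue": f"error {code}: {status.get('message', '')}"})
    findings.sort(key=lambda f: f["id"])   # stable: request finding stays before response finding
    return {"findings": findings,
            "unanswered": sorted(set(requests) - answered)}


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG)["findings"]:
        print(f"id {f['id']}  {f['url']}  {f['issue']}")
```

Run it against a full capture taken while `terraform plan` is executing; a request id that appears in the findings twice (once for the missing `session`, once for the -11 response) is the pattern the thread describes, and ids listed under `unanswered` mark where the capture was cut off rather than a second fault.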

MaxxLiu22 commented 1 month ago

Hi @parkerbrother1 ,

Thank you for the information! I was able to replicate the issue, and it appears there may be a problem with concurrent sessions for the same API user. I’ve reported this to the relevant team for further investigation.

In the meantime, could you please consider using the username/password authentication method or set -parallelism=1 to avoid running in parallel? Your understanding is greatly appreciated!

terraform apply -parallelism=1

Thanks, Maxx

parkerbrother1 commented 1 month ago

Hi @MaxxLiu22

-parallelism=1 does the trick! Thanks.