
Fortinet FortiGate Discovery

The Infracast Fortinet plugin uses the FortiOS REST API to discover firewall configuration including interfaces, firewall policies, address objects, routing tables, and VPN tunnels. Authentication uses a FortiGate REST API key. Both standalone FortiGate appliances and VDOM-segmented deployments are supported.

How It Works

  1. Infracast connects to the FortiGate management IP over HTTPS using a REST API key
  2. System information is collected first (hostname, FortiOS version, serial, platform)
  3. The plugin sequentially discovers interfaces, firewall policies, address objects, routes, and VPN tunnels
  4. If VDOMs are in use, discovery is scoped to the configured VDOM (default: root)

Prerequisites

  • HTTPS access (TCP/443) from the Infracast collector to the FortiGate management IP
  • FortiGate REST API key with read-only permissions
  • FortiOS 6.4 or later (REST API v2+)

Creating a Read-Only API Key

Step 1: Create a read-only administrator profile

  1. Navigate to System → Admin Profiles → Create New
  2. Name: infracast-readonly
  3. Set all permissions to Read (not Write or None)
  4. Click OK

Step 2: Create a REST API admin user

  1. Navigate to System → Administrators → Create New → REST API Admin
  2. Username: infracast
  3. Admin Profile: infracast-readonly
  4. PKI Group: (leave empty)
  5. Trusted Hosts: enter the Infracast collector IP (e.g., 10.0.100.50/32) — strongly recommended
  6. Click OK
  7. Copy the generated API key — it is shown only once

Via FortiOS CLI:

# SSH to the FortiGate
ssh admin@fortigate.example.com

# Create the admin profile. There is no separate routing group in an
# admin profile: routes are covered by netgrp together with interfaces.
config system accprofile
    edit infracast-readonly
        set scope global
        set sysgrp read
        set netgrp read
        set fwgrp read
        set vpngrp read
        set loggrp read
    next
end

# Create the REST API admin, bound to the root VDOM and to the collector IP
config system api-user
    edit infracast
        set accprofile infracast-readonly
        set vdom root
        config trusthost
            edit 1
                set ipv4-trusthost 10.0.100.50 255.255.255.255
            next
        end
    next
end

# Generate the key. It is printed once and cannot be read back later.
execute api-user generate-key infracast

Creating the api-user does not by itself produce a key; `execute api-user generate-key` prints it once. Running that command again issues a new key and invalidates the old one, so store the key in the collector's secret store immediately (the credential registration below reads it from a file rather than the command line).

tip

Always configure trusthost entries to restrict API access to the Infracast collector's IP address. FortiOS then rejects requests carrying this key from any other source, so a leaked key is useless without also being on the collector's address. If the collector reaches the FortiGate through NAT or a proxy, the trusthost must match the source address the FortiGate actually sees.

Registering the Credential in Infracast

infracast creds add \
--plugin fortinet \
--name "fortigate-prod" \
--type api-key \
--host "fortigate.example.com" \
--api-key-file /run/secrets/fortigate-api-key

Configuring the Discovery Job

infracast.yaml

discovery:
  jobs:
    - name: fortinet-prod
      plugin: fortinet
      credential: fortigate-prod
      schedule: "0 */4 * * *"   # every 4 hours
      config:
        host: "fortigate.example.com"
        api_key: ""             # leave empty; read from the registered credential
        # VDOM to discover (default: root). Set to "global" for global objects.
        vdom: "root"
        # Keep certificate verification on. "false" disables it, which lets an
        # on-path host impersonate the FortiGate and read the API key; use it
        # only in a lab until a trusted management certificate is installed.
        verify_tls: "true"

What Gets Discovered

| Resource Type | Description |
| --- | --- |
| fortinet.device | FortiGate appliance (hostname, FortiOS version, serial number, platform model) |
| fortinet.interface | Network interface (name, type, IP/mask, alias, VDOM, status, MTU, VLAN ID) |
| fortinet.firewall_policy | Firewall policy rule (policy ID, name, source/destination interfaces, address objects, services, action, schedule, NAT, logging) |
| fortinet.address_object | Address object (name, type, subnet/FQDN/IP range, VDOM, comment) |
| fortinet.route | Routing table entry (destination, gateway, interface, distance, priority, type) |
| fortinet.vpn_tunnel | IPsec or SSL VPN tunnel (name, type, remote gateway, status, phase1/phase2 config) |

Edges link firewall policies to their source and destination address objects, and routes to their egress interfaces.
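The following is an added example, not the Infracast plugin's own parser, showing how the policy-to-address and route-to-interface edges above fall out of the raw FortiOS responses. The JSON is constructed here in the shape FortiOS returns (a top-level `results` list, with references to other objects as lists of `{"name": ...}`); the routing-table field names (`ip_mask`, `gateway`, `interface`, `type`) follow the `/api/v2/monitor/router/ipv4` monitor endpoint and should be checked against your FortiOS version. The object names (`lan-net`, `web-vip`, `port1`..`port3`) are invented for the sample. It also shows the one edge case a discovery tool has to handle: a policy can reference a name that is not a `firewall/address` object at all (a VIP or address group lives in a different cmdb table, and an object from another VDOM is simply not returned).

```python
"""Build discovery nodes and edges from FortiOS cmdb/monitor responses.

Added example, not Infracast's code. All sample data below is constructed.
"""
import json

# Constructed sample of GET /api/v2/cmdb/firewall/policy?vdom=root
POLICIES = json.loads("""{"results": [
 {"policyid": 1, "name": "lan-to-wan", "srcintf": [{"name": "port2"}],
  "dstintf": [{"name": "port1"}], "srcaddr": [{"name": "lan-net"}],
  "dstaddr": [{"name": "all"}], "action": "accept", "nat": "enable",
  "logtraffic": "all"},
 {"policyid": 2, "name": "inbound-web", "srcintf": [{"name": "port1"}],
  "dstintf": [{"name": "port3"}], "srcaddr": [{"name": "all"}],
  "dstaddr": [{"name": "web-vip"}], "action": "accept", "nat": "disable",
  "logtraffic": "disable"}],
 "vdom": "root", "status": "success"}""")

# Constructed sample of GET /api/v2/cmdb/firewall/address?vdom=root
# ("all" is a real predefined address object and is returned by this table)
ADDRESSES = json.loads("""{"results": [
 {"name": "all", "type": "ipmask", "subnet": "0.0.0.0 0.0.0.0"},
 {"name": "lan-net", "type": "ipmask", "subnet": "10.0.100.0 255.255.255.0"},
 {"name": "vendor-portal", "type": "fqdn", "fqdn": "portal.example.net"}],
 "vdom": "root", "status": "success"}""")

# Constructed sample of GET /api/v2/monitor/router/ipv4?vdom=root
ROUTES = json.loads("""{"results": [
 {"type": "static", "ip_mask": "0.0.0.0/0", "gateway": "203.0.113.1",
  "interface": "port1", "distance": 10, "priority": 0},
 {"type": "connected", "ip_mask": "10.0.100.0/24", "gateway": "0.0.0.0",
  "interface": "port2", "distance": 0, "priority": 0}],
 "vdom": "root", "status": "success"}""")


def build_graph(policies, addresses, routes):
    """Return (nodes, edges, findings).

    nodes:    {(resource_type, id): raw FortiOS object}
    edges:    [(from_key, relation, to_key)]
    findings: notes on references that did not resolve and on policies
              worth a second look during review.
    Interface nodes are not built here (they come from cmdb/system/interface),
    so route edges point at interface keys by name only.
    """
    nodes, edges, findings = {}, [], []

    for a in addresses["results"]:
        nodes[("fortinet.address_object", a["name"])] = a

    for p in policies["results"]:
        key = ("fortinet.firewall_policy", str(p["policyid"]))
        nodes[key] = p
        for side in ("srcaddr", "dstaddr"):
            for ref in p[side]:
                target = ("fortinet.address_object", ref["name"])
                if target in nodes:
                    edges.append((key, side, target))
                else:
                    # VIPs and address groups are referenced by name here but
                    # live in other cmdb tables; an object from another VDOM
                    # is missing for the same reason. Record it, do not guess.
                    findings.append(
                        f"policy {p['policyid']}: {side} '{ref['name']}' is not a "
                        f"firewall/address object in this VDOM (VIP, group or other VDOM?)")
        if p["action"] == "accept" and p["logtraffic"] == "disable":
            findings.append(f"policy {p['policyid']}: accept rule with logging disabled")
        if p["action"] == "accept" and all(
                ref["name"] == "all" for ref in p["srcaddr"] + p["dstaddr"]):
            findings.append(f"policy {p['policyid']}: any-to-any accept")

    for r in routes["results"]:
        # The routing-table monitor has no stable id; key routes by prefix and egress.
        key = ("fortinet.route", f"{r['ip_mask']} via {r['interface']}")
        nodes[key] = r
        edges.append((key, "egress", ("fortinet.interface", r["interface"])))

    return nodes, edges, findings


if __name__ == "__main__":
    _nodes, _edges, _findings = build_graph(POLICIES, ADDRESSES, ROUTES)
    for src, rel, dst in _edges:
        print(f"{src[0]}:{src[1]} -[{rel}]-> {dst[0]}:{dst[1]}")
    for f in _findings:
        print("finding:", f)
```

The unresolved `web-vip` reference is reported rather than dropped: silently skipping it would make the inbound policy look like it reaches nothing, which is exactly the kind of gap an inventory must not hide.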

Troubleshooting

401 Unauthorized or Permission denied

Symptom: Error: API call failed: 401 or Permission denied

Checks:

  1. Verify the API key is correct and has not been regenerated (running `execute api-user generate-key` again replaces the key, and the old one stops working)
  2. Verify the request is coming from a trusted host (if trusthost is configured, the source IP the FortiGate sees must match; NAT or a proxy between the collector and the firewall changes it)
  3. Check the admin profile has at least read permission for the System, Network, Firewall and VPN groups (a 403 rather than a 401 usually points at the profile rather than the key)

# Test the API key. -k skips certificate verification; drop it once the
# management certificate is trusted, so the key is not sent to an untrusted peer.
curl -sk -H "Authorization: Bearer YOUR_API_KEY" \
  "https://fortigate.example.com/api/v2/monitor/system/status" | jq '.version'
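A single status call only proves the key is accepted. The check below, an added example rather than part of Infracast, probes every endpoint the discovery job reads and reports per endpoint whether the key was rejected (401), whether the admin profile lacks that area (403), or whether the VDOM name is wrong (404), using only the Python standard library. The mapping from endpoint to admin-profile group (`sysgrp`, `netgrp`, `fwgrp`, `vpngrp`) follows the FortiOS profile layout used in the CLI above; the exact endpoint list is an assumption about what the plugin reads, and the key is taken from a file so it never appears on the command line.

```python
"""Probe the FortiOS REST endpoints a discovery run needs and explain failures.

Added example, not Infracast code. Usage:
    python probe.py fortigate.example.com /run/secrets/fortigate-api-key root
"""
import ssl
import sys
import urllib.error
import urllib.request

# Endpoints discovery reads, with the admin-profile group that gates each one.
# Routing has no group of its own in an admin profile; it falls under netgrp.
ENDPOINTS = {
    "monitor/system/status":           "sysgrp",
    "cmdb/system/interface":           "netgrp",
    "cmdb/firewall/policy":            "fwgrp",
    "cmdb/firewall/address":           "fwgrp",
    "monitor/router/ipv4":             "netgrp",
    "cmdb/vpn.ipsec/phase1-interface": "vpngrp",
}


def build_url(host, path, vdom=None):
    """FortiOS scopes cmdb and monitor calls to a VDOM with the ?vdom= parameter."""
    url = f"https://{host}/api/v2/{path}"
    return f"{url}?vdom={vdom}" if vdom else url


def diagnose(status, group):
    """Translate an HTTP status into the check a FortiGate admin should make."""
    if status == 200:
        return "ok"
    if status == 401:
        return "rejected: bad or regenerated key, or source IP not in trusthost"
    if status == 403:
        return f"forbidden: admin profile lacks read on {group}"
    if status == 404:
        return "not found: check the VDOM name and the FortiOS version"
    return f"unexpected HTTP {status}"


def probe(host, api_key, vdom="root", verify_tls=True, timeout=10):
    """Return {endpoint: diagnosis} for every endpoint in ENDPOINTS."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Lab only: without verification an on-path host can capture the key.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    report = {}
    for path, group in ENDPOINTS.items():
        req = urllib.request.Request(
            build_url(host, path, vdom),
            headers={"Authorization": f"Bearer {api_key}"})
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
                report[path] = diagnose(resp.status, group)
        except urllib.error.HTTPError as e:          # 4xx/5xx with a status code
            report[path] = diagnose(e.code, group)
        except urllib.error.URLError as e:           # TLS or connection failure
            report[path] = f"connection/TLS error: {e.reason}"
    return report


if __name__ == "__main__":
    host, key_file = sys.argv[1], sys.argv[2]
    vdom = sys.argv[3] if len(sys.argv) > 3 else "root"
    with open(key_file) as f:
        api_key = f.read().strip()
    for path, result in probe(host, api_key, vdom).items():
        print(f"{path:36} {result}")
```

A run where `monitor/system/status` is `ok` but `cmdb/firewall/policy` is `forbidden` tells you the key and trusthost are fine and only the profile's Firewall group needs changing; a column of `rejected` means the key itself, or the source address, is wrong.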

TLS certificate errors

Symptom: Error: x509: certificate signed by unknown authority

Options:

  • Install a certificate on the FortiGate management interface (System → Certificates) that is issued by a CA the collector trusts; this is the only fix that keeps the API key protected in transit
  • Set verify_tls: "false" only for lab deployments. This turns off certificate checking entirely, so any host that can intercept the path to the management IP can present its own certificate and read the API key sent in the Authorization header

VDOM not found

Symptom: Error: VDOM 'production' not found

Fix: List the available VDOMs and update the job config. The cmdb response is an object whose results live under the results key, so select them there (reading system/vdom needs an API user whose admin profile has global scope, as in the profile created above):

curl -sk -H "Authorization: Bearer YOUR_KEY" \
  "https://fortigate.example.com/api/v2/cmdb/system/vdom" | jq '.results[].name'

Firewall policies missing

Symptom: Policies exist in the GUI but are not discovered

Cause: A job is scoped to a single VDOM (default root), so policies in other VDOMs are never requested. The API user is also bound to the VDOMs listed under set vdom in config system api-user; a VDOM that is not in that list cannot be read with this key even if a job names it.

Fix: Add every VDOM you discover to the API user (for example set vdom root DMZ), then run one job per VDOM:

discovery:
  jobs:
    - name: fortinet-vdom-dmz
      plugin: fortinet
      credential: fortigate-prod
      config:
        host: "fortigate.example.com"
        vdom: "DMZ"