Fortigate API – Check the Webfiltering license of multiple nodes

Fortigate – Check web filtering license status of multiple nodes

This guide covers a few things. First of all, it builds on the Fortigate API script described here: Connecting to the Fortigate API using Python

Please read the above guide to see exactly how to connect to the Fortigate API using the script.
It will enable us to provide the script with a list of Fortigate IP addresses and run the same command on all of them.
It does some level of error handling by skipping nodes if they don’t have the API endpoint.
It will also attempt to use an alternative HTTP port if port 443 fails, and it runs a ping check for reachability first.

Scenario

The scenario is this: you need to check a number of Fortigate firewalls on a regular basis for nodes whose web filtering license is due to expire soon.
Enter the script: we basically feed it the IPs and run it. It will output the details, and I have left some of the comments in there with other endpoints so you can change and try them out also.

The script

Details

So to break down the script, we have the following:

The loop:

We loop through the Fortigates as per below: we basically create an array of firewall IP addresses and then run a for loop.
This means that for every entry in the array we will run some scripts.

 

Functions

We have a couple of functions to test reachability of the devices, so at the top of the script we import some additional Python modules, os for example.
The functions can be used to check ping reachability and also to test the ports before trying to connect. Without these the script hangs indefinitely. There is also a timeout on the port test function, which you can alter.

 

API logic

The Fortigate API used for this is the monitor API.
The endpoint is as follows, and you can browse to it using a web browser: simply log into the Fortigate and, once authenticated (logged in), enter the following in your address bar.
https://ipofthefortigate/api/v2/monitor/license/status

 

This will return a tonne of JSON which you can parse and use if you want. For the purpose of my script I only wanted to know the web filtering expiry date. However, it turns out this is only shown if web filtering is active; otherwise it’s not there and causes the script to fail. This is why we do some checks within the loop.
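The missing-expiry check described above, as an added example that is not the original script from this post: it reads the expiry defensively and sorts nodes into lists instead of failing on a missing key. The sample responses are constructed, and the `results` / `web_filtering` / `expires` field names and the epoch-seconds format are assumptions to verify against your own device's JSON.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample responses keyed by firewall IP (documentation addresses).
# ASSUMPTION: the layout results -> web_filtering -> expires (epoch seconds)
# is illustrative; confirm it against the JSON your own device returns.
SAMPLE_RESPONSES = {
    "192.0.2.10": {"results": {"web_filtering": {"status": "licensed", "expires": 1767225600}}},
    "192.0.2.11": {"results": {"web_filtering": {"status": "licensed", "expires": 1738368000}}},
    "192.0.2.12": {"results": {"web_filtering": {"status": "no_license"}}},
    "192.0.2.13": {"results": {}},
    "192.0.2.14": None,  # node skipped earlier: unreachable or no API endpoint
    "192.0.2.15": {"results": {"web_filtering": {"status": "licensed", "expires": 1735689600}}},
}

def webfilter_expiry(payload):
    """Return the expiry as an aware UTC datetime, or None if it is absent."""
    if not isinstance(payload, dict):
        return None
    section = (payload.get("results") or {}).get("web_filtering") or {}
    expires = section.get("expires")
    if not isinstance(expires, (int, float)) or expires <= 0:
        return None
    return datetime.fromtimestamp(expires, tz=timezone.utc)

def classify(responses, now, warn_days=30):
    """Fill lists declared once outside the loop, then return them together."""
    expired, expiring, healthy, unknown = [], [], [], []
    for ip, payload in responses.items():
        expiry = webfilter_expiry(payload)
        if expiry is None:
            unknown.append(ip)  # license inactive, or no usable answer
        elif expiry <= now:
            expired.append((ip, expiry.date().isoformat()))
        elif expiry - now <= timedelta(days=warn_days):
            expiring.append((ip, expiry.date().isoformat()))
        else:
            healthy.append((ip, expiry.date().isoformat()))
    return {"expired": expired, "expiring": expiring, "healthy": healthy, "unknown": unknown}

if __name__ == "__main__":
    report = classify(SAMPLE_RESPONSES, now=datetime(2025, 1, 15, tzinfo=timezone.utc))
    for bucket, nodes in report.items():
        print(f"{bucket}: {nodes}")
```

Nodes in the `unknown` list deserve a manual look rather than being treated as healthy, since a missing expiry can mean the license is inactive.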

 

The Arrays

We use arrays here. We declare them outside the for loop and populate them within the loop; we can then output them as a one-off at the end, again outside the for loop.

The naming is as follows

 

Example output

This is some example output from the script; there is a mix of values in here to show how they are handled.

 

Summary

Hopefully this can be of some use and is easily tweakable, if you have any questions then please leave a comment and I will get back to you.

 

 

 
