I'm currently making an ASP.NET C# Web Forms application using the Fortinet API, with the intent to block certain IP addresses or URLs from it.
The C# request returns an HTTP 403 Forbidden error, while the cURL request POSTs successfully. This only happens with POST requests: GET requests work just fine both in .NET and cURL.
According to the documentation I've found online, the Fortinet API validates authentication using the X-CSRFTOKEN header for a POST request, and cookies for authentication. They are included in both requests. While debugging, I replaced the cookie values in my cookie.txt file used in my cURL request with the same ones contained in the cookies Dictionary value, and the result is the same: it passes with cURL, not with C#.
Here's my RestSharp request:
    using System.Collections.Generic;
    using System.Net;
    using Newtonsoft.Json;
    using Newtonsoft.Json.Linq;
    using RestSharp;

    private IRestResponse createAddress(Dictionary<string, string> cookies, JObject data)
    {
        RestClient client = new RestClient(baseUri);
        RestRequest request = new RestRequest("api/v2/cmdb/firewall/address", Method.POST);
        request.AddHeader("Content-Type", "application/json");
        // Send every stored cookie back with the request.
        foreach (KeyValuePair<string, string> cookie in cookies)
        {
            request.AddCookie(cookie.Key, cookie.Value);
        }
        // The CSRF token header is copied from the ccsrftoken cookie value as stored.
        request.AddHeader("X-CSRFTOKEN", cookies["ccsrftoken"]);
        string json = JsonConvert.SerializeObject(data);
        request.AddParameter("application/json", json, ParameterType.RequestBody);
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
        // Accepts any server certificate, like curl --insecure: TLS validation is disabled process-wide.
        ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
        return client.Execute(request);
    }
Here's my JSON payload, contained in the JObject data in C#, and in the params.json file for cURL:
    {
        "vdom": "root",
        "name": "address",
        "json": {
            "type": "fqdn",
            "name": "lostininternet.com",
            "fqdn": "lostininternet.com"
        }
    }
And here's my cURL Request:
    curl -d "@params.json" -H "Content-Type: application/json" -H "X-CSRFTOKEN: XXXXXXXXXXXXXXXXXXXXXX" https://192.168.13.13/api/v2/cmdb/firewall/address/ -b cookie.txt --insecure --verbose
(the CSRFTOKEN value is redacted, but you get the idea...)
I've tried using HttpWebRequest instead of RestSharp, tried using a CookieContainer instead of adding them manually, with the same results every time.
Did anyone else have a similar issue?
I'm playing with the FortiOS 5.6.5 REST API. I'm working with PowerShell, which can include C# libraries. The server gives you the value as a Set-Cookie value when you authenticate, but you do not send it back as a cookie. You add the X-CSRFTOKEN as a request header. The value is not a cookie. Also, I found that PowerShell added quotes to the string in my case, and removing the quotes fixed the issue for me. Another thing to note: if you have the wrong path, i.e., forget to add the monitor api/cmdb path, then it may return a 403 error even if the token is correct.
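The token handling the answer above describes, as an added C# example that is not code from the question or the answer: it reads ccsrftoken from Set-Cookie lines, strips the surrounding quotes, and sends the bare value in the X-CSRFTOKEN header. The class and method names, the sample cookie lines, the placeholder token and the path-prefix check are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text;

static class FortiCsrfExample
{
    // Find ccsrftoken in Set-Cookie header lines and strip surrounding double
    // quotes, which would otherwise be sent as part of X-CSRFTOKEN.
    public static string ExtractCsrfToken(IEnumerable<string> setCookieHeaders)
    {
        foreach (string header in setCookieHeaders)
        {
            // The first attribute of a Set-Cookie line is name=value.
            string pair = header.Split(';')[0].Trim();
            int eq = pair.IndexOf('=');
            if (eq <= 0) continue;
            string name = pair.Substring(0, eq);
            if (!name.Equals("ccsrftoken", StringComparison.OrdinalIgnoreCase)) continue;
            return pair.Substring(eq + 1).Trim().Trim('"');
        }
        throw new InvalidOperationException("ccsrftoken cookie not found");
    }

    public static HttpRequestMessage BuildPost(Uri baseUri, string path, string token, string json)
    {
        // A wrong path can also yield 403, so reject an unexpected prefix early
        // (assumed check; the two prefixes are the cmdb and monitor API roots).
        if (!path.StartsWith("api/v2/cmdb/") && !path.StartsWith("api/v2/monitor/"))
            throw new ArgumentException("unexpected API path prefix", nameof(path));
        var request = new HttpRequestMessage(HttpMethod.Post, new Uri(baseUri, path));
        request.Headers.Add("X-CSRFTOKEN", token); // bare value, no quotes
        request.Content = new StringContent(json, Encoding.UTF8, "application/json");
        return request;
    }

    static void Main()
    {
        // Constructed sample Set-Cookie lines; both values are placeholders.
        var setCookie = new[] {
            "session_example=\"placeholder-session\"; path=/; secure",
            "ccsrftoken=\"PLACEHOLDERTOKEN\"; path=/"
        };
        string token = ExtractCsrfToken(setCookie);
        var req = BuildPost(new Uri("https://192.168.13.13/"),
                            "api/v2/cmdb/firewall/address", token, "{}");
        Console.WriteLine(string.Join(",", req.Headers.GetValues("X-CSRFTOKEN")));
    }
}
```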