
FortiGate API POST Request returns 403 Forbidden with C# RestSharp

I'm currently making an ASP.NET C# Web Forms application using the Fortinet API, with the intent to block certain IP addresses or URLs from it.

The C# request returns an HTTP 403 Forbidden error, while the cURL request POSTs successfully. This only happens with POST requests: GET requests work just fine both in .NET and cURL.

According to the documentation I've found online, the Fortinet API validates authentication using the X-CSRFTOKEN header for a POST request, and cookies for authentication. They are included in both requests. While debugging, I replaced the cookie values in the cookie.txt file used in my cURL request with the same ones contained in the cookies Dictionary value, and the result is the same: it passes with cURL, not with C#.

Here's my RestSharp request:

private IRestResponse createAddress(Dictionary<string, string> cookies, JObject data)
{
    RestClient client = new RestClient(baseUri);
    RestRequest request = new RestRequest("api/v2/cmdb/firewall/address", Method.POST);
    request.AddHeader("Content-Type", "application/json");

    foreach (KeyValuePair<string, string> cookie in cookies)
    {
        request.AddCookie(cookie.Key, cookie.Value);
    }
    request.AddHeader("X-CSRFTOKEN", cookies["ccsrftoken"]);

    string json = JsonConvert.SerializeObject(data);
    request.AddParameter("application/json", json, ParameterType.RequestBody);

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
    ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;

    return client.Execute(request);
}

Here's my JSON payload, contained in the JObject data in C#, and in the params.json file for cURL:

{
    "vdom": "root",
    "name": "address",
    "json": {
        "type": "fqdn",
        "name": "lostininternet.com",
        "fqdn": "lostininternet.com"
    }
}

And here's my cURL Request:

curl -d "@params.json" -H "Content-Type: application/json" -H "X-CSRFTOKEN: XXXXXXXXXXXXXXXXXXXXXX" https://192.168.13.13/api/v2/cmdb/firewall/address/ -b cookie.txt --insecure --verbose

(the CSRFTOKEN value is redacted, but you get the idea...)

I've tried using HttpWebRequest instead of RestSharp, tried using a CookieContainer instead of adding them manually, with the same results every time.

Did anyone else have a similar issue?

I'm playing with the FortiOS 5.6.5 REST API. I'm working with PowerShell, which can include C# libraries. The server gives you the value as a Set-Cookie value when you authenticate, but you do not send it back as a cookie. You add the X-CSRFTOKEN as a request header. The value is not a cookie. Also, I found that PowerShell added quotes to the string in my case, and removing the quotes fixed the issue for me. Another thing to note: if you have the wrong path, i.e., forget to add the monitor api/cmdb path, then it may return a 403 error even if the token is correct.
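
The token handling described in the answer above, as an added C# example that is not part of the original question or answer: it reads `ccsrftoken` from Set-Cookie lines, strips the surrounding quotes, and sends the bare value as the X-CSRFTOKEN header. The class and method names, the 192.0.2.1 address, the cookie lines and the JSON body are constructed assumptions; no request is sent, and certificate validation is left at its default.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text;

static class FortiCsrfExample // hypothetical name, not from the page
{
    // Find ccsrftoken in the login response's Set-Cookie lines and unquote it.
    static string ExtractCsrfToken(IEnumerable<string> setCookieHeaders)
    {
        foreach (string header in setCookieHeaders)
        {
            // Only the leading "name=value" pair matters; attributes follow ';'.
            string pair = header.Split(';')[0].Trim();
            int eq = pair.IndexOf('=');
            if (eq <= 0) continue;
            if (!pair.Substring(0, eq).Equals("ccsrftoken", StringComparison.OrdinalIgnoreCase))
                continue;
            // The value arrives wrapped in double quotes; the header needs it bare.
            return pair.Substring(eq + 1).Trim().Trim('"');
        }
        throw new InvalidOperationException("No ccsrftoken cookie in the login response.");
    }

    static HttpRequestMessage BuildPost(Uri baseUri, string path, string token, string json)
    {
        // A path outside the cmdb/monitor trees can also end in a 403.
        if (!path.StartsWith("api/v2/cmdb/") && !path.StartsWith("api/v2/monitor/"))
            throw new ArgumentException("Unexpected API path: " + path);
        var request = new HttpRequestMessage(HttpMethod.Post, new Uri(baseUri, path));
        request.Headers.Add("X-CSRFTOKEN", token);
        request.Content = new StringContent(json, Encoding.UTF8, "application/json");
        return request;
    }

    static void Main()
    {
        // Constructed sample input; the token is a placeholder value.
        var setCookie = new[]
        {
            "session_placeholder=\"constructed-session\"; path=/; HttpOnly",
            "ccsrftoken=\"0123456789ABCDEF\"; path=/"
        };
        string token = ExtractCsrfToken(setCookie);
        HttpRequestMessage req = BuildPost(new Uri("https://192.0.2.1/"),
            "api/v2/cmdb/firewall/address", token, "{\"name\":\"example.test\"}");
        Console.WriteLine(req.RequestUri);
        Console.WriteLine(string.Join(",", req.Headers.GetValues("X-CSRFTOKEN")));
    }
}
```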
