FortiMail - REST API Reference

Version 6.2.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE

https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://fortiguard.com/

END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

September 19, 2019

FortiMail 6.2.0 REST API Reference
06-620-000000-20190919
 TABLE OF CONTENTS

Change Log 4
Introduction 5
Enabling REST API support 6
Authentication 7
PKI authentication 8
To use PKI admin authentication 8
Password-based authentication 9
FortiMail REST API HTTP response codes 10
REST API for system level resources 11
REST API for domain level resources 12
REST API for administrative actions 13
REST API for file upload 14
Require file uploading authorization token 14
Upload local file with authorization token 14
Apply uploaded file on resource 15
Update firmware 15
Update configuration 15
Restore Block/Safe list 15
REST API for IP group management 17
Create a new IP group 17
Delete an IP group 17
Add a new member to an IP group 17
Delete a member from an IP group 18
Replace all members of an IP group 18
System resource list and URLs 19
Example commands 25
Admin login with PKI certificate-based authentication 25
Admin login with password-based authentication 25
To get domain information 25
To get domain information with password-based authentication 25
To get domain information with certificate-based authentication 25
Access control rule management 25
List access control rules 27
Create a new access control rule 27
Modify an existing access control rule 27
Delete an existing access control rule 27
Move existing access control rule 27
Whitelist/blacklist management 28

FortiMail 6.2.0 REST API Reference 3

Fortinet Technologies Inc.
Change Log

Date Change Description

2019-09-19 Initial release.

2020-01-14 Added REST API for IP group management on page 17.

FortiMail 6.2.0 REST API Reference 4

Fortinet Technologies Inc.
Introduction

This document provides the REST API information supported in FortiMail version 5.3.4 release. This document covers
the FortiMail GUI supported REST API reference only. These APIs can be used to retrieve, create, update and delete
configuration settings, to retrieve dynamic system statistics, and to perform basic administrative actions such as reboot
and shut down.
When using the APIs, the following conventions are followed:
l Http GET: To retrieve all resources or particular resource
l Http POST: To create a new resource or perform certain administrative actions
l Http PUT: To update an existing resource
l Http Delete: To delete an existing resource

FortiMail 6.2.0 REST API Reference 5

Fortinet Technologies Inc.
Enabling REST API support

By default, this feature is disabled on FortiMail. To enable it, use the following CLI command:
config system global
set rest-api enable
end

FortiMail 6.2.0 REST API Reference 6

Fortinet Technologies Inc.
Authentication

When making requests to FortiMail appliance using the REST API, you will need to pass the authentication. There are
two authentication options you can use:
l PKI certificate-based authentication
l Local user password-based authentication
You also need the appropriate admin profile to access the FortiMail resources.

FortiMail 6.2.0 REST API Reference 7

Fortinet Technologies Inc.
PKI authentication

For PKI certificate-based authentication, you must create two certificates using the same CA. One certificate will be
used for FML HTTP server and the other certificate will be associated with an admin user. Both the user certificates and
private key has to be moved to the PC running the script. The CA certificate needs to be copied to the PC as well.
Otherwise CURL will not be able to verify the FML certificate.

To use PKI admin authentication

1. Enable PKI mode with the following CLI command:

config system global
set pki-mode enable
end
2. Create a PKI user under User > PKI User.
3. Create an admin account using PKI authentication type under System > Administrator.
4. Split the PKCS12 certificate into cert and key. They will be used when you log in to FortiMail.
openssl pkcs12 -in test.p12 -out test.pem -nokeys
openssl pkcs12 -in test.p12 -out test.key nocerts -nodes

FortiMail 6.2.0 REST API Reference 8

Fortinet Technologies Inc.
Password-based authentication

To establish a valid authentication session, you must make a POST request to the FortiMail login handler with your
admin username and password. The POST request should contain JSON data with ‘name’ and ‘password’ fields:
l URL: http(s)://host_or_ip/api/v1/AdminLogin/
l Method: POST
l JSON: {“name”: “admin”, “password”: “****”}

If login is successful, the response will contain the authentication token in the APSCOOKIE cookie value. This cookie
value must be included in any further requests.

The permissions for the administrative account you use will affect which objects and
operations you'll have access to, so ensure the user has the permissions required for the
actions you wish to perform.

FortiMail 6.2.0 REST API Reference 9

Fortinet Technologies Inc.
FortiMail REST API HTTP response codes

FortiMail REST APIs use well-defined HTTP status codes to indicate query results to the API. Following are some of the
HTTP status codes used:

HTTP response code Description

200 - OK API request successful.

400 - Bad Request Bad request.

403 - Forbidden Request is missing authentication token or administrator is missing access profile
permissions.

404 - Not Found Unable to find the specified resource.

405 - Method Not Allowed Specified HTTP method is not allowed for this resource.

500 Internal server error.

FortiMail 6.2.0 REST API Reference 10

Fortinet Technologies Inc.
REST API for system level resources

FortiMail supports retrieval and modification of system level CMDB configuration settings as well as system level
statistics. The API can be accessed using the following URL:
http(s)://host_ip/api/v1/resource_name/resource_id/sub_resource_name/sub_resource_
id/
where:
l resource_name: Specifies the type of resource to query (such as SysInterface), required.
l resource_id: Unique ID of the resource as specified by resource_name (such as port1), optional. If not present,
returns entire list of resources.
l sub_resource_name: Some resources may have sub / child resources, use this to query sub resources,
optional.
l sub_resource_id: Unique ID of the sub resource as specified by sub_resource_name, optional. If not present,
returns entire list of sub resources.
Examples:
l …/api/v1/SysInterface/: Returns list of network interfaces
l …/api/v1/SysInterface/port1/: Return details of network interface ‘port1’
l …/api/v1/SysGlobal/: Returns details of global settings (only one instance)
l …/api/v1/ProfSession/inbound/ ProfSessionSenderWhitelist/: Returns sender whitelist/saftlist
of session profile ‘inbound’
For a full list of system level resources, refer to the Supported Resources List.

FortiMail 6.2.0 REST API Reference 11

Fortinet Technologies Inc.
REST API for domain level resources

FortiMail also supports retrieval and modification of domain level CMDB configuration settings. The API can be
accessed using the following URL:
http(s)://host_ip/api/v1/domain/domain_name/resource_name/resource_id/sub_r
esource_name/sub_resource_id/
It is very similar to the URL for system level resources, only two new tokens are added:
l domain: Required keyword, use to perform domain level queries
l domain_name: FQDN name of the domain to query (such as fortinet.com)
Examples:
l …/api/v1/domain/abc.com/ProfAntispam/: Returns list of antispam profiles for domain ‘abc.com’
l …/api/v1/domain/abc.com/PolicyRcpt/: Returns list of recipient based policies for domain ‘abc.com’
l …/api/v1/domain/abc.com/PolicyRecipient/1/: Returns details of recipient based policy ‘1’ for
domain ‘abc.com’
l …/api/v1/domain/abc.com/UserPreference/: Returns list of entries in user preferences for domain
‘abc.com’
For a full list of domain level resources, refer to the Supported Resources List.

FortiMail 6.2.0 REST API Reference 12

Fortinet Technologies Inc.
REST API for administrative actions

Apart from resources, FortiMail REST API supports basic administrative actions such as restarting / shutting down a
device. Use the following URL to send action request:
l URL: http(s)://host_ip/api/v1/SysStatusCommand/
l Method: POST
l JSON: {“action”: action_value}
Where action_value is one of the following integers:

1: Restart
2: Shut down
3: Reload

FortiMail 6.2.0 REST API Reference 13

Fortinet Technologies Inc.
REST API for file upload

There are three steps to upload a file to FortiMail through the REST API:
1. Require file uploading authorization token
2. Upload local file with authorization token
3. Apply uploaded file on resource

URL HTTP Summary

method

/resource/ POST Require authorization token. “Resource” is the name of the resource
on which the uploaded file will apply to. The request must set the
“reqAction” field to 22.

/uploadfile?token=tokenStr POST Upload file with authorization token.

/resource/ PUT Apply uploaded file on related resource.

Require file uploading authorization token

Example:
curl –v –H "Content-Type: application/json" -X POST -d '{"reqAction":22}’ http://host_or_
ip/api/v1/CentralRestoreFirmware --cookie cookie.txt

The “reqAction” field should be set to 22, which requires FortiMail to generate the file uploading authorization token.
“CentralRestoreFirmware” is the ID of the resource on which the uploaded file will apply to. For resources that support
sub resources, extra sub resource IDs should be added, which can always be set to “0”. For example, resource ID
“UserMaillist” supports sub resources, with an example URL of http://host_or_api/api/v1/UserMaillist/0
Response:
{“token”: “tokenStr”}

The “token” value is generated by FortiMail. This is used in the next step.

Upload local file with authorization token

Example:
curl -F 'testfile=@/tmp/file.diff'
http://host_or_ip/api/v1/uploadfile?token=tokenStr--cookie cookie.txt

In this example, “testfile” is a self-assigned ID to indicate the uploading action, “/tmp/file.diff” is the full path of the local
file you want to upload, and the “token” field should be set to the value provided in the previous step.
Response:

FortiMail 6.2.0 REST API Reference 14

Fortinet Technologies Inc.
 REST API for file upload

{“id”:”uploadedFileId”}

The “id” value is generated by FortiMail. This is used in the next step.

Apply uploaded file on resource

Update firmware

The resource used for updating the firmware is “CentralRestoreFirmware”.

URL HTTP Summary

method

/CentralRestoreFirmware/ PUT Set the “filename” field to the “id” value from the previous step.

Example:
curl -v -H "Content-Type: application/json" -X PUT -d '{"filename" : "uploadedFileId"}'
http://host_or_ip/api/v1/CentralRestoreFirmware --cookie cookie.txt

Update configuration

The resource used for updating the configuration is “CentralRestoreConfig”.

URL HTTP Summary

method

/CentralRestoreConfig/ PUT Set the “filename” field to the “id” value from the previous step.

Example:
curl -v -H "Content-Type: application/json" -X PUT –d '
{"source":0,"filename":"uploadedFileId","check_platform":1}' http://host_or_
ip/api/v1/CentralRestoreConfig --cookie cookie.txt

Restore Block/Safe list

System, domain, and personal block/safe lists can be restored. The resource used for these actions is “UserMaillist”.
Because “UserMaillist” supports sub resources, the URL used in the first step (Require file uploading authorization
token) should have the format, http://host_or_api/api/v1/UserMaillist/0.

URL HTTP Summary

method

/UserMaillist/system PUT System block list restore. Set the “extraParam” field to “blacklist”, and
set the “restore” field to “id”.

/UserMaillist/system PUT System safe list restore. Set the “extraParam” field to “whitelist”, and

FortiMail 6.2.0 REST API Reference 15

Fortinet Technologies Inc.
REST API for file upload

URL HTTP Summary

method

set the “restore” field to “id”.

/UserMaillist/domainname PUT Domain block list restore. Set the “extraParam” field to “blacklist”, and
set the “restore” field to “id”. “domainname” is the domain on which
the list will restore.

/UserMaillist/domainname PUT Domain safe list restore. Set the “extraParam” field to “whitelist”, and
set the “restore” field to “id”. “domainname” is the domain on which
the list will restore.

/UserMaillist/useraddress PUT Personal block list restore. Set the “extraParam” field to “blacklist”,
and set the “restore” field to “id”. “domainname” is the domain on
which the list will restore.

/UserMaillist/useraddress PUT Personal safe list restore. Set the “extraParam” field to “whitelist”,
and set the “restore” field to “id”. “domainname” is the domain on
which the list will restore.

Example for system block list restore:

curl -v -H "Content-Type: application/json" -X PUT –d '{"restore":"uploadedFileId",
"extraParam":"blacklist"}' http://host_or_ip/api/v1/UserMaillist/system --cookie
cookie.txt

Example for system safe list restore:

curl -v -H "Content-Type: application/json" -X PUT –d '{"restore":"uploadedFileId",
"extraParam":"whitelist"}' http://host_or_ip/api/v1/UserMaillist/system --cookie
cookie.txt

Example for domain (1.ca) block list restore:

curl -v -H "Content-Type: application/json" -X PUT –d '{"restore":"uploadedFileId",
"extraParam":"blacklist"}' http://host_or_ip/api/v1/UserMaillist/1.ca --cookie cookie.txt

Example for domain (1.ca) safe list restore:

curl -v -H "Content-Type: application/json" -X PUT –d '{"restore":"uploadedFileId",
"extraParam":"whitelist"}' http://host_or_ip/api/v1/UserMaillist/1.ca --cookie cookie.tx

Example for personal ([email protected]) block list restore:

curl -v -H "Content-Type: application/json" -X PUT –d '{"restore":"uploadedFileId",
"extraParam":"blacklist"}' http://host_or_ip/api/v1/UserMaillist/[email protected] --cookie
cookie.txt

Example for personal ([email protected]) safe list restore:

curl -v -H "Content-Type: application/json" -X PUT –d '{"restore":"uploadedFileId",
"extraParam":"whitelist"}' http://host_or_ip/api/v1/UserMaillist/[email protected] --cookie
cookie.txt

FortiMail 6.2.0 REST API Reference 16

Fortinet Technologies Inc.
REST API for IP group management

IP groups and the members of each group can be created, deleted, and managed through the REST API.

REST API only supports IP range values. The IP/netmask format is not accepted.

Create a new IP group

URL HTTP method

http(s)://ip_or_hostname/api/v1/ProfIp_address_group/new_group_ POST
name

Delete an IP group

URL HTTP method

http(s)://ip_or_hostname/api/v1/ProfIp_address_group/group_to_ DELETE
delete

Add a new member to an IP group

Note that members can only be added when expressed as an IP range.

URL HTTP method

http://ip_or_hostname/api/v1/profip_address_group/group_ POST
name/ProfIp_address_groupIpAddressGroupMember/member_ip_range

Example:

In the following example, the IP range 172.20.200.11-172.20.200.30 is added to the IP group named group3:
http://ip_or_hostname/api/v1/ProfIp_address_group/group3/ProfIp_address_
groupIpAddressGroupMember/172.20.200.11-172.20.200.30

FortiMail 6.2.0 REST API Reference 17

Fortinet Technologies Inc.
REST API for IP group management

Delete a member from an IP group

URL HTTP method

http://ip_or_hostname/api/v1/ProfIp_address_group/group_ DELETE
name/ProfIp_address_groupIpAddressGroupMember/member_ip_range

Replace all members of an IP group

URL HTTP method

http://ip_or_hostname/api/v1/ProfIp_address_group/group_ PUT or POST
name/ProfIp_address_groupIpAddressGroupMember/

JSON data:

{ "reqAction":10, // set to 10 to replace all existing members

"reqObjCount":n, // size of the new member list
"mkey_0":"ip_range_1", // first new member
"mkey_1":"ip_range_2", // second new member
...
"mkey_[n-1]":"ip_range_n" // nth new member
}

Example:

The following URL and will clear the member list for the IP group group3, then add two new members:
http://ip_or_hostname/api/v1/ProfIp_address_group/group3/ProfIp_address_
groupIpAddressGroupMember/
JSON data:
{ "reqAction":10,
"reqObjCount":2,
"mkey_0":"172.20.110.10-172.20.110.20",
"mkey_1":"172.20.130.10-172.20.130.30"
}

FortiMail 6.2.0 REST API Reference 18

Fortinet Technologies Inc.
System resource list and URLs

Resources marked with * also apply to domain level REST APIs.

URL HTTP method Summary

/Addressbook/ * GET, POST, PUT, DELETE Contacts

/AddressbookGroup/ * GET, POST, PUT, DELETE Contact groups

/ArchAccount/ GET, POST, PUT, DELETE Archive accounts

/ArchExempt/ GET, POST, PUT, DELETE Archive exempt policy

/ArchJournalSource/ GET, POST, PUT, DELETE Archive journaling source

/ArchPolicy/ GET, POST, PUT, DELETE Archive policy

/AsBounceverifyKey/ GET, POST, PUT, DELETE Bounce verification keys

/AsDeepheader/ GET, PUT Deep header analysis

settings

/AsGreylist/ GET Greylist

/AsGreylisyAutoexempt/ GET Auto exempt greylist

/AsMsisdnReputationAuto_blacklist/ GET Endpoint reputation auto

blocklist

/AsMsisdnReputationBlacklist/ GET, DELETE Endpoint reputation blocklist

/AsMsisdnReputationExempt/ GET, DELETE Endpoint reputation exempt

list

/AsSenderReputation/ GET Sender reputation list

/AsSpamreport/ GET, PUT Quarantine / spam report

settings

/AsUrl_fgas_exempt_list/ GET, POST, PUT, DELETE URL exempt list

/CalResource/ * GET, POST, PUT, DELETE

/CalendarServer/ GET, PUT Calendar server settings

/CentralBackupConfig/ GET, PUT Central backup configuration

/CentralConfigList/ GET, DELETE Central backup list

/ContentScanRules/ GET, POST, PUT, DELETE DLP content scan rules

FortiMail 6.2.0 REST API Reference 19

Fortinet Technologies Inc.
System resource list and URLs

URL HTTP method Summary

/ContentScanRulesConditions/ GET, POST, PUT, DELETE DLP content scan rule

conditions

/ContentScanRulesExceptions/ GET, POST, PUT, DELETE DLP content scan rule

exceptions

/domain/ GET, POST, PUT, DELETE Protected domain settings

/DomainSettingSenderAddrRateCtrlExempt/ GET, POST, PUT, DELETE Sender rate control exempt

list for specified domain
settings

/DomainSpamReportRcpt/ GET, PUT Domain level quarantine /

spam report settings

/FilePattern/ * GET, POST, PUT, DELETE File patterns / filters

/FileSignature/ GET, POST, PUT, DELETE File signatures for AV scan

/Fingerprint_doc/ GET, DELETE Fingerprint document list

/LogAltMMailto/ GET, POST, DELETE Alert email accounts

/LogAltMSetting/ GET, PUT Alert email settings

/LogReport_config/ GET, POST, PUT, DELETE Log report configurations

/LogReportFile/ GET, DELETE Log report files

/LogSetLocal/ GET, PUT Local log settings

/MailSetStrgNfs/ GET, PUT Mail storage settings

/MailSetStrgRemote_storage_ibe/ GET, PUT Centralized IBE storage

settings

/MailSetStrgServer/ GET, PUT Centralized quarantine

storage settings

/MailSetSystemquarantine/ GET, PUT System quarantine settings

/MailSetSystemquarantineFolder/ GET, POST, PUT, DELETE System quarantine folders

/PolicyIp/ GET, POST, PUT, DELETE IP policies

/PolicyRecipient/ * GET, POST, PUT, DELETE Recipient policies

/ProfAntispam/ * GET, POST, PUT, DELETE AntiSpam profiles

/ProfAntispam_action/ * GET, POST, PUT, DELETE AntiSpam action profiles

/ProfAntispamBannedwords/ * GET, POST, PUT, DELETE AntiSpam profile banned

words

/ProfAntispamDnsblServer/ * GET, POST, PUT, DELETE AntiSpam profile DNSBL

servers

FortiMail 6.2.0 REST API Reference 20

Fortinet Technologies Inc.
System resource list and URLs

URL HTTP method Summary

/ProfAntispamSurblServer/ * GET, POST, PUT, DELETE AntiSpam profile SURBL

servers

/ProfAntispamWhitelistwords/ * GET, POST, PUT, DELETE AntiSpam profile safelist

words

/ProfAntivirus/ * GET, POST, PUT, DELETE AntiVirus profiles

/ProfAntivirus_action/ * GET, POST, PUT, DELETE AntiVirus action profiles

/ProfAuthImap/ * GET, POST, PUT, DELETE IMAP authentication profiles

/ProfAuthPop3/ * GET, POST, PUT, DELETE POP3 authentication profiles

/ProfAuthRadius/ * GET, POST, PUT, DELETE RADIUS authentication

profiles

/ProfAuthSmtp/ * GET, POST, PUT, DELETE SMTP authentication profiles

/ProfCertificate_binding/ GET, POST, PUT, DELETE Certificate binding profiles

/ProfContent/ * GET, POST, PUT, DELETE Content profiles

/ProfContent_action/ * GET, POST, PUT, DELETE Content action profiles

/ProfContentAttachment/ * GET, POST, PUT, DELETE Content profile attachment

scan rules

/ProfContentMonitor/ * GET, POST, PUT, DELETE Content monitor profile

/ProfDictionary/ GET, POST, PUT, DELETE Dictionary profiles

/ProfDictionary_group/ GET, POST, PUT, DELETE Dictionary group

/ProfDictionaryDictionaryItem/ GET, POST, PUT, DELETE Dictionary profile dictionary

entries

/ProfDlp/ GET, POST, PUT, DELETE DLP profiles

/ProfDlpContentScan/ GET, POST, PUT, DELETE DLP profile content scan

settings

/ProfEmail_address_group/ GET, POST, PUT, DELETE Email address groups

/ProfEncryption/ GET, POST, PUT, DELETE Encryption profiles

/ProfIp_address_group/ GET, POST, PUT, DELETE IP address groups

/ProfIp_pool/ GET, POST, PUT, DELETE IP pools

/ProfLdap/ GET, POST, PUT, DELETE LDAP profiles

/ProfMisc/ * GET, POST, PUT, DELETE Resource profiles

/ProfNotification/ GET, POST, PUT, DELETE Notification profiles

/ProfSessionRecipientWhitelist/ GET, POST, PUT, DELETE Session profile recipient

safelist

FortiMail 6.2.0 REST API Reference 21

Fortinet Technologies Inc.
System resource list and URLs

URL HTTP method Summary

/ProfSessionRemovedHeader/ GET, POST, PUT, DELETE Session profile removed

headers

/ProfSessionSenderBlacklist/ GET, POST, PUT, DELETE Session profile sender

blocklist

/ProfSessionSenderWhitelist/ GET, POST, PUT, DELETE Session profile sender

safelist

/ProfTls/ GET, POST, PUT, DELETE TLS profiles

/ProfUri_filter/ GET, POST, PUT, DELETE URI filter profiles

/RaidSystem/ GET Raid system status

/RaidSystemArray/ GET Raid array information

/RaidSystemDisk/ GET Raid disk information

/SemailDbDomain/ GET, DELETE IBE domains

/SemailDbUser/ GET, DELETE IBE users

/Sensitive_dataCompliance/ GET DLP standard compliance

data

/Sensitive_dataFingerprint/ GET, POST, PUT, DELETE DLP fingerprint data

/Sensitive_dataFingerprint_source/ GET, POST, PUT, DELETE DLP fingerprint source

/Sensitive_dataFingerprintDocument/ GET, DELETE DLP fingerprint documents

/SysAccprofile/ GET, POST, PUT, DELETE Admin access profiles

/SysAdmin/ GET, POST, PUT, DELETE System administrators

/SysAntispam/ GET, PUT System AntiSpam settings

/SysAppearance/ GET, PUT System appearance settings

/SysAutoupdate/ GET, PUT FortiGuard AntiVirus auto

update settings

/SysBackup_restore/ GET, PUT Mail data auto backup

settings

/SysBurstRestore/ PUT Restore mail data from

backup

/SysDateSetting/ GET, PUT System date

/SysDdns/ GET, POST, PUT, DELETE DDNS servers

/SysDisclaimer/ GET, PUT System disclaimer settings

/SysDisclaimer_exclude/ GET, POST, PUT, DELETE Disclaimer exclusion list

/SysDns/ GET, PUT System DNS server settings

FortiMail 6.2.0 REST API Reference 22

Fortinet Technologies Inc.
System resource list and URLs

URL HTTP method Summary

/SysEncryptionIbe/ GET, PUT IBE encryption settings

/SysEncryptionIbe_auth/ GET, POST, PUT, DELETE IBE user authentication list

/SysFortiguard/ GET, PUT FortiGuard AntiSpam

settings

/SysFortisandbox/ GET, PUT FortiSandbox settings

/SysGlobal/ GET, PUT System global settings

/SysHa/ GET, PUT HA settings

/SysHaInterface/ GET, PUT HA interface settings

/SysHaService/ GET, PUT HA service monitor settings

/SysHaStatus/ GET HA status

/SysInterface/ GET, POST, PUT, DELETE Network interface list

/SysLink_monitor/ GET, PUT Link monitor settings

/SysLink_monitorInterface/ GET, PUT Link monitor interface

settings

/SysMailserver/ GET, PUT Mail server settings

/SysRemote_mail_server/ GET, POST, PUT, DELETE Remote email servers

/SysRoute/ GET, POST, PUT, DELETE Network routing list

/SysSched_backup/ GET, PUT System configuration

scheduled backup settings

/SysScheduledLocalBackup/ GET, PUT Scheduled local backup list

/SysSnmpCommunity/ GET, POST, PUT, DELETE SNMP communities

/SysSnmpCommunityHost/ GET, POST, PUT, DELETE Hosts for a SNMP community

/SysSnmpSnmpv3_user/ GET, POST, PUT, DELETE SNMP users

/SysSnmpSnmpv3_userHost/ GET, POST, PUT, DELETE Notification hosts for a SNMP

user

/SysSnmpSysinfo/ GET, PUT SNMP system information

settngs

/SysSnmpThreshold/ GET, PUT SNMP threshold settings

/SysStatisticSummary/ GET Mail statistics summary

/SysStatusCommand/ POST Restart / Shut donw / Reload

system command

/SysStatusLicinfo/ GET System AS / AV license

status

FortiMail 6.2.0 REST API Reference 23

Fortinet Technologies Inc.
System resource list and URLs

URL HTTP method Summary

/SysStatusLicinfoLicenses/ GET Feature license list

/SysStatusSysinfo/ GET System status information

/SysStatusUsage/ GET System resource usage

/SysTimeManual/ GET, PUT System time & zone settings

/SysTimeNtp/ GET, PUT System NTP server settings

/SysWccpSettings/ GET, PUT FortiGate WCCP settings

/UserAlias/ * GET, POST, PUT, DELETE User aliases

/UserMail/ * GET, POST, PUT, DELETE Mail users

/UserMap/ * GET, POST, PUT, DELETE Address maps

/UserPki/ GET, POST, PUT, DELETE PKI users

/UserUser_group/ * GET, POST, PUT, DELETE User groups

FortiMail 6.2.0 REST API Reference 24

Fortinet Technologies Inc.
Example commands

This section contains various example commands that you may encounter.

Admin login with PKI certificate-based authentication

curl -v -c cookie.txt --cert test.pem --key test.key --cacert CA.cer -X POST -k https://ip_or_
host/api/v1/AdminLogin

If login is successful, the cookies will be save to cookie.txt, which will be used in the below commands.

Admin login with password-based authentication

curl -v -H "Content-Type: application/json" -X POST -d '{"name":"admin","password":"*****"}'

https://ip_or_host/api/v1/AdminLogin -c cookie.txt

If login is successful, the cookies will be save to cookie.txt, which will be used in the below commands.

To get domain information

If you log in to FortiMail with a PKI certificate, you must use both the cookie and certificate together to run the command
sessions. If you log in with user name and password, you only need to use the cookie to run the command sessions. For
example:

To get domain information with password-based authentication

curl -k -v --cookie cookie.txt https://ip_or_host/api/v1/Domain

To get domain information with certificate-based authentication

curl -k -v --cookie cookie.txt --cacert CA.cer https://ip_or_host/api/v1/Domain

Access control rule management

Supported values for 'action' attribute of ACL. If not set, the default action is reject:

1 - safe-relay

FortiMail 6.2.0 REST API Reference 25

Fortinet Technologies Inc.
Example commands

2 - relay
3 - reject
4 - discard
5 - safe

Supported values for 'recipient-pattern-type' and 'sender-pattern-type' attributes of ACL:

0 - default / wild-card
1 - regular expression
2 - email group
3 - ldap group

Supported values for 'authenticated' attribute of ACL:

0 - any
1 - authenticated
2 - not-authenticated

Supported values for 'sender-ip-type' attribute of ACL:

0 - ip mask
1 - ip group

Supported values for 'sortingDirection' attribute of applicable JSON requests (i.e. ACL rule):

1 - enabled/sorting
2 - disabled/no sorting

Supported values for 'reqAction' attribute of all JSON requests:

1 - GET
2 - CREATE
3 - DELETE
5 - UPDATET
14 - MOVE

If reqAction is present in JSON, it takes precedence over HTTP method header (i.e. HTTP
GET/POST/PUT/DELETE).

FortiMail 6.2.0 REST API Reference 26

Fortinet Technologies Inc.
 Example commands

List access control rules

To list ACL rules in original order:

curl -v -b cookie.txt -v -H "Content-Type: application/json" -X PUT -d '

{"reqAction":1,"sortingDirection":2}' http://ip_or_host/api/v1/MailSetAccessRule

To list ACL rules in descending order:

curl -v -b cookie.txt -v -H "Content-Type: application/json" -X PUT -d '

{"reqAction":1,"sortingDirection":1}' http://ip_or_host/api/v1/MailSetAccessRule

Create a new access control rule

curl -v -H "Content-Type: application/json" -X POST -d '{"status":true,"sender_
pattern":"*@example.com","sender_ip_mask":"192.168. 1.1/32", "action":2}' -b cookie.txt
http://ip_or_host/api/v1/MailSetAccessRule/0 --No mkey is required

Modify an existing access control rule

curl -v -H "Content-Type: application/json" -X PUT -d '{"action":3}' -b cookie.txt http://ip_
or_host/api/v1/MailSetAccessRule/1 --"1" is the mkey --Set access rule "1" action to
“Reject”

Delete an existing access control rule

curl -v -H "Content-Type: application/json" -X DELETE -b cookie.txt http://ip_or_
host/api/v1/MailSetAccessRule/3 --Delete Access Control Rule "3"

Move existing access control rule

You can move a rule up one place, down one place, before another rule, or after another rule. To move a rule to the top
or bottom, you can find the first. or last rule ID (mkey) and move the rule before the first rule or after the last rule.
reqAction: 14 -- required, only one value: 14 means to move
moveAction : up -- required, 4 values: up/down/before/after
mmkey: 3 – required, ID of the ACL rule to be moved
refMkey: 2 – required, reference ID of the ACL rule when moving before/after this ID

To move rule"3" up one place:

curl -v -H "Content-Type: application/json" -X PUT -d '

{"reqAction":"14","mmkey":3,"moveAction":"up"}' -b cookie.txt http://ip_or_
host/api/v1/MailSetAccessRule

FortiMail 6.2.0 REST API Reference 27

Fortinet Technologies Inc.
Example commands

To move rule "3" after rule "2":

curl -v -H "Content-Type: application/json" -X PUT -d '

{"reqAction":"14","mmkey":3,"moveAction":"after",”refMkey”:2}' -b cookie.txt http://ip_
or_host/api/v1/MailSetAccessRule

Whitelist/blacklist management

To get the system level whitelist:

curl -v -b cookie -H "Content-Type: application/json" -X POST -d '

{"reqAction":"1","extraParam":"whitelist"}' http://IP_Host/api/v1/UserMaillist/system/

To create a new system level whitelist entry:

curl -v -b cookie -H "Content-Type: application/json" -X POST -d '{"extraParam":"whitelist",

"listitems":"My5jYQ=="}' http://IP_Host/api/v1/UserMaillist/system/

To delete a system level whitelist entry:

curl -v -b cookie -H "Content-Type: application/json" -X POST -d '{"reqAction": 3,

"extraParam":"whitelist", "listitems":"My5jYQ=="}' http://IP_
Host/api/v1/UserMaillist/system/

FortiMail 6.2.0 REST API Reference 28

Fortinet Technologies Inc.
Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.