FortiSandbox-4.0.0-JSON API Reference
FortiSandbox 4.0.0
JSON API
API Messages
1. Login
2. Logout
3. Get system information
4. Get configurations of sniffer
5. General options, including cloud upload and VM network access settings
6. Set configurations of sniffer
7. Set general options, including cloud upload and vm network access settings
8. Get scanning statistics for last 7 days
9. Get a copy of backed up config file, in base64 format
10. Query file verdict through its SHA256 checksum
11-1. Upload file (on-demand submit for filesize < 20MB)
11-2. Upload large file (on-demand submit for filesize > 20MB)
12. Upload URL file (on-demand submit)
13. Query file rating through its SHA256 checksum—a simple version
14. Query URL rating
15. Query job verdict detail through its job ID
16. Cancel a job submission
17. Get job ID list for one submission
18. Get job behavior details for a file
19. Register (login) a FGT/FML/(others) device to FortiSandbox
20. Delete (actually hide) a device from FortiSandbox
21. Get latest malware package or malicious URL package
22. Download list of SHA256, SHA1, MD5, or URL from malware package or URL package
23. Get AV-Rescan results (for customized rescan results only)
24. Return all installed VM name and their clone number
25. Allow user to add/delete checksums to allow/block (white/black) list
26. Mark a sample as false negative/false positive
27. Configure system hostname
28. Configure system timezone
29. Configure system time and NTP server
30. Configure system interface
31. Configure system DNS
32. Configure system routing
33. Configure system administrator
34. Configure system LDAP
35. Configure system RADIUS
36. Configure system FortiGuard
37. Configure system mail
38. Configure system log server
39. Configure scan profile
40. Configure scan benign URLs
41. Configure scan job archive
42. Configure YARA rule
FortiSandbox lets customers automate some key features and processes through a simple API. This section provides basic examples for submitting a file or URL and for querying the FortiSandbox for the results of a scan.
Using this API, you can extend the functionality of your FortiSandbox in many ways. Potential scenarios include:
• Submitting files using a simple script: you may have a large number of files you want to scan outside of regular operating hours. These could be previously-quarantined files captured through your endpoint clients. By writing a simple submission script, you eliminate the need to have someone physically submit these through the GUI.
• Submitting files from third-party tools: you may have other infrastructure in place (threat feeds, etc.) that you want to integrate with your FortiSandbox. The API allows you to submit files and query results in near real-time.
API Messages
In the following API, the "message" field value can be "INVALID_JSON_DATA", "MISSING_PARAM", "INVALID_REQUEST", or "UNSUPPORTED_VER".
1. Login
Login request:
{
"method": "exec",
"params": [
{
"url": "/sys/login/user",
"user": "admin",
"passwd": "123456"
}
],
"id": 1,
"ver": "2.3"
}
Login response:
{
"id": 1,
"ver": "2.0",
"result": {
"url": "/sys/login/user",
"status": {
"code": 0,
"message": "OK"
}
},
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI="
}
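The following Python sketch is an added example, not code from Fortinet: it builds the request envelope shown above, fails closed on any status other than code 0 / "OK", and extracts the session token for later requests. The `send` transport (a callable taking the request dict and returning the raw JSON text) is hypothetical, and the check that `id` and `url` echo the request is an assumption drawn from the samples on this page.

```python
import json

# Values the page lists for result.status.message when a request is rejected.
PROTOCOL_ERRORS = {"INVALID_JSON_DATA", "MISSING_PARAM",
                   "INVALID_REQUEST", "UNSUPPORTED_VER"}


class FsaApiError(Exception):
    """The appliance answered, but not with status code 0 / "OK"."""


def build_request(method, url, req_id, ver, session=None, **fields):
    """Build a request envelope in the shape used throughout this page."""
    body = {"method": method, "params": [{"url": url, **fields}],
            "id": req_id, "ver": ver}
    if session is not None:
        body["session"] = session  # top-level field, as in the page's requests
    return body


def check_response(raw, req_id, url):
    """Decode a response; raise unless it is an OK answer to our request."""
    resp = json.loads(raw)
    result = resp.get("result") or {}
    status = result.get("status") or {}
    code, message = status.get("code"), status.get("message")
    if code != 0 or message != "OK":
        kind = "protocol" if message in PROTOCOL_ERRORS else "application"
        raise FsaApiError(f"{kind} error: code={code!r} message={message!r}")
    # Assumption drawn from the page's samples: id and url echo the request.
    if resp.get("id") != req_id or result.get("url") != url:
        raise FsaApiError("response does not match the request that was sent")
    return resp


def login(send, user, passwd):
    """Log in through `send` (hypothetical transport: dict -> raw JSON text).

    Callers should load user/passwd from a secret store, not from source code.
    """
    req = build_request("exec", "/sys/login/user", 1, "2.3",
                        user=user, passwd=passwd)
    resp = check_response(send(req), 1, "/sys/login/user")
    session = resp.get("session")
    if not isinstance(session, str) or not session:
        raise FsaApiError("login reported OK but returned no session token")
    return session


# The page's login response. The token contains the JSON escape "\/",
# which decodes to a plain "/" and must be sent back in decoded form.
SAMPLE_LOGIN_RESPONSE = r'''
{"id": 1, "ver": "2.0",
 "result": {"url": "/sys/login/user", "status": {"code": 0, "message": "OK"}},
 "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI="}
'''

if __name__ == "__main__":
    # Constructed credentials and a canned transport, so this runs offline.
    token = login(lambda req: SAMPLE_LOGIN_RESPONSE, "apiuser", "constructed-password")
    follow_up = build_request("get", "/scan/result/filerating", 13, "2.1",
                              session=token, checksum="the_files_checksum",
                              ctype="sha1")
    print(json.dumps(follow_up, indent=2))
```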
2. Logout
}
],
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 3,
"ver": "2.0"
}
"ver": "2.0",
"result": {
"url": "/config/scan/options",
"status": {
"code": 0,
"message": "OK"
},
"data": {...}
}
}
data "cloud_upload" : 1,
/*1- enabled, 0-disabled */
"vm_network_access" : 1 ,
/*1- enabled, 0-disabled */
"log_device_submission" : 1 ,
/*1- enabled, 0-disabled */
"rej_dup_device_submission" : 1 ,
/*1- enabled, 0-disabled */
"del_clean_file" : 10 ,
/*-1- disabled, >0 delete after x minutes */
"del_job_info" : 10,
/*-1- disabled, >0 delete after x minutes */
"archive_job" : 1
/*0- disabled, 1- enabled */
"ver": "2.3.1"
}
{
"id": 6,
"ver": "2.3.1",
"result": {
"url": "/config/scan/devsniffer",
"status": {
"code": 0,
"message": "OK"
}
}
}
7. Set general options, including cloud upload and vm network access settings
{
"method": "set",
"params": [
{
"url": "/config/scan/options",
"cloud_upload" : 1,
"fdn_stats_upload" : 1,
"vm_network_access" : 1,
"vm_gateway": "172.17.58.3",
"vm_dns": "8.8.8.8",
"vm_proxy_enable": 1,
"vm_proxy_server": "172.17.17.17",
"vm_proxy_port": "8080",
"vm_proxy_type": "0",
/* "0":HTTP Connect, "1":HTTP Relay, "2":Sockv4, "3":Sockv5 */
"vm_proxy_uname": "admin",
"vm_proxy_password": "admin123",
"vm_proxy_debug": 0,
/* all vm_* options are not configurable for AWS model */
"url_callback_detection" : 1,
/* url_callback_detection is not configurable for AWS model */
"url_submit_webfilter" : 1,
"log_device_submission" : 1,
"rej_dup_device_submission" : 1,
/* 1-yes, 0-no */
"del_clean_file" : 10 ,
"del_bad_file" : 10 ,
"del_job_info" : 10,
"del_bad_job_info" : 10,
"default_password" : ["mypassword1", "mypassword2"],
"default_pdf_office_password" : "mypassword1",
"disable_cloud_query" : 1,
"disable_av_rescan" : 1,
"log_adapter_submission" : 1,
"log_netshare_submission" : 1,
"log_icap_submission" : 1,
"log_mta_submission" : 1,
"log_bcc_submission" : 1
}
],
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 7,
"ver": "2.4.1"
}
{
"id": 7,
"ver": "3.0.2",
"result": {
"url": "/config/scan/options",
"status": {
"code": 0,
"message": "OK"
}
}
}
data "cloud_upload" : 1,
/* 1- enabled, 0-disabled. This field is ignored when setting on a non-
primary or standalone unit.*/
"fdn_stats_upload" : 1,
/* 1- enabled, 0-disabled. This field is ignored when setting on a non-
primary or standalone unit.*/
"vm_network_access" : 1,
/* 1- enabled, 0-disabled, not valid for AWS model */
"vm_gateway": "172.17.58.3",
/* supported from FSA v2.3, not valid for AWS model */
"vm_dns": "8.8.8.8",
/* not valid for AWS model */
"vm_proxy_enable": 1,
/* not valid for AWS model */
"vm_proxy_server": "172.17.17.17",
/* not valid for AWS model */
"vm_proxy_port": "8080",
/* not valid for AWS model */
"vm_proxy_type": "0",
/* "0":HTTP Connect, "1":HTTP Relay */
/* "2":Sockv4, "3":Sockv5 */
/* not valid for AWS model */
"vm_proxy_uname": "admin",
/* not valid for AWS model */
"vm_proxy_password": "admin123",
/* not valid for AWS model */
"vm_proxy_debug": 0,
/* 1- enabled, 0-disabled, not valid for AWS model */
"url_submit_webfilter" : 1 ,
/* 1- enabled, 0-disabled. This field is ignored when setting on a non-
primary or standalone unit.*/
"del_clean_file" : 10 ,
/* -1- disabled, >0 delete after x minutes */
"del_bad_file" : 10 ,
/* -1- disabled, >0 delete after x minutes */
"del_job_info" : 10 ,
/* -1- disabled, >0 delete after x minutes */
"del_bad_job_info" : 10 ,
/* -1- disabled, >0 delete after x minutes */
"default_password" : ["pwd1","pwd2"],
/* empty list means disabled */
"default_pdf_office_password" : "mypassword",
/* empty string means disabled, only 1 password is allowed */
data "malicious" : 1,
/* total # of malicious files detected in last 7 days, or -1, which means
n/a */
/*If 'period' is provided, the data is from 'period' ago to now. Otherwise,
the data is for last 7 days. */
"suspicious_high" : 2,
/* total # of high-risk suspicious files detected in last 7 days, or -1,
which means n/a */
/*If 'period' is provided, the data is from 'period' ago to now. Otherwise,
the data is for last 7 days. */
"suspicious_medium" : 3,
/* total # of medium-risk suspicious files detected in last 7 days, or -1,
which means n/a */
/*If 'period' is provided, the data is from 'period' ago to now. Otherwise,
the data is for last 7 days. */
"suspicious_low" : 4,
/* total # of low-risk suspicious files detected in last 7 days, or -1,
which means n/a */
/*If 'period' is provided, the data is from 'period' ago to now. Otherwise,
the data is for last 7 days. */
"pending" : 5,
/* total # of pending jobs, or -1, which means n/a */
"processing" : 6,
/* total # of currently processing jobs, or -1, which means n/a */
data "file":"TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFz
b24sIGJ1dCBieSB0aGlzIHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlci
BhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2YgdGhlIG1pbmQsIHRoYXQg
YnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGludW
VkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdl
LCBleGNlZWRzIHRoZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbC
BwbGVhc3VyZS4="
/* Backup config file content, in base64 encoding. The client side should
decode it, then save it to a file. */
jid For a zip file, the result is an array of children's job ids. If jid is [] and rating is ["Clean"], it means the
file is not a supported file type and the file is dropped. In this case, start_ts and finish_ts will be the
UTC time the file is dropped.
rating For a zip file, the result is an array of the following, which denotes the types of ratings of its children:
• Unknown,
• Clean,
• Malicious,
• High Risk,
• Medium Risk,
• Low Risk,
score For a zip file, the result is the bitwise combination of the following:
• RISK_UNKNOWN -1
• RISK_CLEAN 0
• RISK_MALICIOUS 1
• RISK_HIGH 2
• RISK_MEDIUM 3
• RISK_LOW 4
false_positive_negative 0: not false positive or false negative, 1: false positive, 2: false negative; the order corresponds to the order of JID
file Encoded (base64) file contents (binary). Max. allowed file size is 200M
filename Encoded (base64) filename in which the 'file' field's content will be saved on FSA
skip_steps Do not use this parameter if there is no step to skip. 1 = Skip AV, 2 = Skip Cloud, 4 = Skip sandboxing, 8 = Skip Static Scan.
overwrite_vm_list All VM names are available through another JSON API, /alert/ondemand/hcmvminfo. The clone number of those VMs should be bigger than zero; the JSON API /alert/ondemand/hcmvminfo handles this. If this field is not set, the default ones will be used.
archive_password (Optional) Provide the password(s) if needed for extracting an archived file. Otherwise, ignore this field, or leave it as an empty string. Multiple passwords are separated by "\n". Non-ASCII passwords are invalid.
malpkg (Optional) Set the value to "1" to request that the sample be added to the malware package if it satisfies the malware criteria. By default, the value is "0".
meta (Optional) meta_filename (base64_encoded) is the file name from FGTs. meta_url (base64_encoded) is the URL sent from FGTs.
forcedvm 1: force the file to be scanned in VM, 0: do not force the VM scan.
sid The ID for this submission, which the user can use to cancel its pending jobs
11-2. Upload large file (on-demand submit for filesize > 20MB)
{
"file": filepath 'application/octet-stream',
"data" : {
"url": "/alert/ondemand/submit-file",
"type": "file",
"skip_steps": "",
"overwrite_vm_list": "",
"malpkg": 0,
"vrecord": "0",
"forcedvm": 0,
"enable_ai": 0,
"archive_password": "",
"timeout": "3600",
"comments": "This is a comment",
"meta_url": "",
"meta_filename": "",
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI="
}
}
{
"id": 0,
"result": {
"data": {
"error": "",
"msg": "File was submitted successfully",
"sid": [the_submission_id]
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/alert/ondemand/submit-file"
},
"ver": "4.0"
}
This API uses multipart MIME data; that is, the client tool has to send a multipart request.
Two key-value pairs are needed:
• file=<file to be submitted> - type=multipart/form-data
• data=<data.json to be submitted> - type=application/json
For notes about other fields, see the Notes and Comments for 11-1. Upload file (on-demand submit for filesize < 20MB).
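As an added illustration (not Fortinet's code), the Python sketch below assembles the two-part multipart body described above using only the standard library, and sanitizes the client-supplied file name so it cannot inject MIME header lines. Sending the `file` part as application/octet-stream follows the request sample for this message; the helper names and the sample bytes are constructed for the example.

```python
import json
import re
import uuid


def safe_filename(name):
    """Keep only the base name and characters that cannot break a MIME header."""
    base = re.split(r"[\\/]", name)[-1]
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return cleaned or "sample.bin"


def build_large_upload(file_bytes, filename, session, boundary=None, **options):
    """Return (Content-Type header value, body) for the two-part submit request."""
    boundary = boundary or uuid.uuid4().hex
    if boundary.encode("ascii") in file_bytes:
        raise ValueError("boundary occurs inside the file; choose another one")
    # The "data" part carries the same JSON fields as the request sample,
    # including the session token.
    data = {"url": "/alert/ondemand/submit-file", "type": "file",
            **options, "session": session}
    parts = [
        ('form-data; name="file"; filename="%s"' % safe_filename(filename),
         "application/octet-stream", file_bytes),
        ('form-data; name="data"',
         "application/json", json.dumps(data).encode("utf-8")),
    ]
    body = bytearray()
    for disposition, ctype, payload in parts:
        head = ("--%s\r\nContent-Disposition: %s\r\nContent-Type: %s\r\n\r\n"
                % (boundary, disposition, ctype))
        body += head.encode("ascii") + payload + b"\r\n"
    body += ("--%s--\r\n" % boundary).encode("ascii")
    return "multipart/form-data; boundary=%s" % boundary, bytes(body)


def split_parts(content_type, body):
    """Minimal parser used to check the result: {part name: payload bytes}."""
    boundary = content_type.split("boundary=", 1)[1].encode("ascii")
    out = {}
    for chunk in body.split(b"--" + boundary)[1:-1]:
        head, _, payload = chunk.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]+)"', head).group(1).decode("ascii")
        out[name] = payload[:-2]  # drop the CRLF that precedes the next boundary
    return out


if __name__ == "__main__":
    # Constructed sample bytes and session value.
    ctype, body = build_large_upload(b"MZ\x90\x00 constructed sample",
                                     "C:\\quarantine\\invoice.exe",
                                     "constructed-session",
                                     timeout="3600", forcedvm=0)
    print(ctype)
    print(sorted(split_parts(ctype, body)))
```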
},
"data": {
"msg": "File was submitted successfully",
"error": "",
"sid":[the_submission_id]
}
}
}
file Encoded (base64) file contents (binary). The file should contain a list of URLs, one per line. Each URL should be less than 1.5K bytes long
filename Encoded (base64) filename into which the 'file' field's content will be saved on FSA
timeout How long the scan will be, in seconds. This is a subjective number. For example, if the web site has many pages, or the network bandwidth to the web site is slow, the timeout value should be bigger
depth The depth of web links to scan. 0 is the original URL; 1 also crawls into the links in the original URL
overwrite_vm_list All VM names are available through another RPC JSON API, /alert/ondemand/hcmvminfo. The clone number of those VMs should be bigger than zero; the RPC JSON API /alert/ondemand/hcmvminfo handles this. If this field is not set, the default ones will be used
forcedvm 1: force the file to be scanned in VM, 0: do not force the VM scan.
sid The ID for this submission, which the user can use to cancel its pending jobs
13. Query file rating through its SHA256 checksum—a simple version
{
"method": "get",
"params": [
{
"url": "/scan/result/filerating",
"checksum":"the_files_checksum",
"ctype":"sha1"
}
],
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 13,
"ver": "2.1"
}
{
"id": 13,
"ver": "2.1",
"result": {
"url": "/scan/result/filerating",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"rating" : ["Malicious","High Risk"],
"start_ts": 1377618931,
"finish_ts":1377618961,
"untrusted": 1,
"now":1377618931
}
}
}
rating For a zip file, the result is an array of the following, which denotes the types of ratings of its children:
• Unknown,
• Clean,
• Malicious,
• High Risk,
• Medium Risk,
• Low Risk,
For a single file, array size is 1. If rating is ["Clean"] and start_ts = 0 and finish_ts = 0, it means the file is not a supported file type and the file is dropped.
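The note above means a ["Clean"] rating does not always mean the file was analysed. The Python sketch below is an added example, not part of the Fortinet reference: it reduces the `data` object of a /scan/result/filerating response to one verdict and refuses to treat the dropped-file case as clean. The severity ordering (including ranking "Unknown" above "Clean") and the release policy are assumptions of this example.

```python
# Ratings named on this page. The ordering, and placing "Unknown" above
# "Clean", is a triage-policy assumption of this example, not from the page.
SEVERITY = ["Clean", "Unknown", "Low Risk", "Medium Risk", "High Risk", "Malicious"]


def interpret_filerating(data):
    """Reduce the `data` object of a filerating response to a single verdict."""
    ratings = data.get("rating")
    if not isinstance(ratings, list) or not ratings:
        return {"verdict": "Unknown", "scanned": False, "children": 0,
                "reason": "no rating returned"}
    unexpected = [r for r in ratings if r not in SEVERITY]
    if unexpected:
        raise ValueError("rating not documented on this page: %r" % unexpected)
    start_ts, finish_ts = data.get("start_ts", 0), data.get("finish_ts", 0)
    # Documented edge case: ["Clean"] with both timestamps 0 means the file
    # type is unsupported and the file was dropped, so nothing was analysed.
    if ratings == ["Clean"] and start_ts == 0 and finish_ts == 0:
        return {"verdict": "Unknown", "scanned": False, "children": 0,
                "reason": "unsupported file type, file dropped"}
    # A zip file returns one rating type per kind of child; keep the worst.
    worst = max(ratings, key=SEVERITY.index)
    return {"verdict": worst, "scanned": True, "children": len(ratings),
            "reason": "worst of %d rating(s)" % len(ratings)}


def may_release(result):
    """Release from quarantine only after a real scan whose worst rating is Clean."""
    return bool(result["scanned"] and result["verdict"] == "Clean")


# The page's sample `data` object.
PAGE_SAMPLE = {"rating": ["Malicious", "High Risk"], "start_ts": 1377618931,
               "finish_ts": 1377618961, "untrusted": 1, "now": 1377618931}
# Constructed samples: a dropped (unsupported) file and a genuinely clean one.
DROPPED = {"rating": ["Clean"], "start_ts": 0, "finish_ts": 0}
CLEAN = {"rating": ["Clean"], "start_ts": 1377618931, "finish_ts": 1377618961}

if __name__ == "__main__":
    for name, sample in (("page", PAGE_SAMPLE), ("dropped", DROPPED), ("clean", CLEAN)):
        result = interpret_filerating(sample)
        print(name, result["verdict"], result["reason"], may_release(result))
```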
"address":[url_a, url_b]
}
],
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 14,
"ver": "2.5"
}
{
"id": 14,
"ver": "2.4",
"result": {
"url": "/scan/result/urlrating",
"status": {
"code": 0,
"message": "OK"
},
"data": [{
"url" : "http://www.henrydu.com/",
"rating" : "Malicious",
"start_ts": 1377618931,
"finish_ts":1377618961,
"untrusted": 1,
"now":1377618931,
"behavior_info":0
},
{
"url" : "http://www.abc.com"
}]
}
}
address Must be an exact match. It's fine to leave out the http(s):// prefix
rating Unknown,
Clean,
Malicious,
High Risk,
Medium Risk,
Low Risk,
For a single file, array size is 1
• Clean,
• Malicious,
• High Risk,
• Medium Risk,
• Low Risk,
• RISK_CLEAN 0
• RISK_MALICIOUS 1
• RISK_HIGH 2
• RISK_MEDIUM 3
• RISK_LOW 4
rating_source One of "AV Scan", "Cloud Query", "Sandboxing", "Static Scan", "Other"
category One of: 'Clean', 'Unknown', 'Infector', 'Worm', 'Botnet', 'Hijack', 'Stealer', 'Backdoor', 'Injector',
'Rootkit', 'Adware', 'Dropper', 'Downloader', 'Trojan', 'Riskware', 'Grayware', or 'Attacker'.
false_positive_negative Not false positive or false negative, 1: false positive, 2: false negative
"reason":the_reason
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 16,
"ver": "2.0"
}
{
"id": 16,
"ver": "2.0",
"result": {
"url": "/alert/ondemand/cancel-submission",
"status": {
"code": 0,
"message": "OK"
}
}
}
sid The submission ID returned by submit-file. This command is useful if a file containing a large number of URLs takes a long time to scan and needs to be cancelled
sid The submission ID returned by submit-file. This command gets all job IDs associated with one submission
total_jids Total number of jobs for the submission. The maximum number of subfiles in the archive is 1000.
behavior_files Behavior files in JSON format, archived in gz format and base64 encoded. If the queried file is an archive file, the children's job behaviors will be combined into one file, then zipped.
vdom root is the default vdom; other vdom names will inherit this device.
authorize data = 1: authorized directly, without an FSA admin authorizing manually; 0 otherwise
remove_scan_results data = 1: delete this device and all related scan results in DB; 0 otherwise.
"type":0,
"major":2,
"minor":100
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 21,
"ver": "2.2.1"
}
{
"id": 21,
"ver": "2.2.1",
"result": {
"url": "/scan/device/get-malpkg",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"malpkg" : "TWFuIGlzIGRpc3Rpbmd1aXxxxx",
"md5sum" : "b0ed36a4b6282b566328a...",
"major":2,
"minor":101,
"all_pkgs": {
"0":"TWFuIGlzIGRpc3Rpbmd1aXxxxx",
"1":"TWFuIGlzIGRpc3Rpbmd1aXxxxxaaaa",
"4":"TWFuIGlzIGRpc3Rpbmd1aXxxxxaddd",
"5":"TWFuIGlzIGRpc3Rpbmd1aXxxxxaeee",
"6":"TWFuIGlzIGRpc3Rpbmd1aXxxxxafff",
"7":"TWFuIGlzIGRpc3Rpbmd1aXxxxxaggg",
"8":"TWFuIGlzIGRpc3Rpbmd1aXxxxxahhh",
"9":"TWFuIGlzIGRpc3Rpbmd1aXxxxxaiii"
}
}
}
}
type 0:FSA_FILE_MALWARE_PKG;
1:FSA_FILE_URL_PKG;
2:FSA_FILE_BOTNET_PKG;
4:Malware Package. Pure malicious level;
5:Malware Package. Malicious + High level;
6:Malware Package. Malicious + High + Medium level;
7:URL Package. Pure malicious level;
8:URL Package. Malicious + High level;
9:URL Package. Malicious + High + Medium level;
100:All malware Packages at once;
101:All malware URL Packages at once
major If submitted major or minor is lower than the most recent version, most recent major/minor
package is returned.
minor If submitted major or minor is the same as the most recent version, no new package is
returned.
all_pkgs If type is 100 all_pkgs contains content for type 0,4,5,6; if type is 101, all_pkgs contains
content for type 1,7,8,9
22. Download list of SHA256, SHA1, MD5, or URL from malware package or URL package
{
"method": "post",
"params": [
{
"url": "/scan/device/download-malpkg-text",
"type":0,
"lazy":0,
"major":2,
"minor":100
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 22,
"ver": "2.4.1"
}
{
"id": 22,
"ver": "2.4.1",
"result": {
"url": "/scan/device/download-malpkg-text",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"download_file" : "TWFuIGlzIGRpc3Rpbmd1aXxxxx",
"md5sum" : "b0ed36a4b6282b566328a...",
"major":2,
"minor":101
}
}
}
type 0:SHA256;
1:SHA1;
2:MD5;
3:URL;
4:FILE HASH STIX; (ignore version number)
5:URL STIX; (ignore version number)
lazy 0: use specified major and minor number; 1: get the latest version.
• 'Clean',
• 'Malicious',
• 'High Risk',
• 'Medium Risk',
• 'Low Risk'
• RISK_CLEAN 0
• RISK_MALICIOUS 1
• RISK_HIGH 2
• RISK_MEDIUM 3
• RISK_LOW 4
rating_source One of
• "AV Scan",
• "Cloud Query",
• "Sandboxing",
• "Static Scan",
• "Other"
category One of: 'Clean', 'Unknown', 'Infector', 'Worm', 'Botnet', 'Hijack', 'Stealer', 'Backdoor', 'Injector',
'Rootkit', 'Adware', 'Dropper', 'Downloader', 'Trojan', 'Riskware', 'Grayware', or 'Attacker'.
false_positive_negative 0: not false positive or false negative, 1: false positive, 2: false negative
"status":"activated"
},
...
]
}
}
}
checksum_type The checksum_type should only be in ["md5", "sha1", "sha256", "domain", "url", "url_regex"].
action The action should only be in ["append", "replace", "clear", "download", "delete"].
upload_file Encoded (base64) file contents (checksum). Maximum allowed file size is 200M
upload_file is not required for the download and clear actions
type 1: Review for Clean(FP). 2: Review for Suspicious(FN). 0: Reset back to clean/malicious.
"id": 28,
"ver": "2.3"
}
timezones = [
{
"id": 28,
"ver": "2.3",
"result": {
"url": "/config/system/timezone",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"timezone": "(GMT-8:00)Pacific Time(US&Canada)",
"msg": "Timezone was changed to (GMT-8:00)Pacific Time(US&Canada) successfully",
"error": ""
}
}
}
"day": "15",
"hour":"15",
"minute": "0",
"second": "0",
"useNTP": 0,
"ntp_server": "0.pool.ntp.org"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 29,
"ver": "2.3"
}
{
"id": 29,
"ver": "2.3",
"result": {
"url": "/config/system/ntp",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"msg": "Time and NTP configuration was changed successfully.",
"error": ""
}
}
}
"id": 30,
"ver": "2.3",
"result": {
"url": "/config/system/interface",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"msg": "Network interface configuration was successfully updated",
"error": ""
}
}
}
ipv6 Optional
}
}
}
{
"method": "post",
"params": [
{
"url": "/config/system/ldap",
"action": "create",
"name": "ldap_name",
"bind_type": 0,
"username": "new_user",
"password": "password",
"pwd_changed":0,
"address": "address",
"port": 636,
"cn": "accounts",
"dn": "corp.company.com",
"isSecure": 0,
"proto": 2,
"ca": "",
"attributes":"attr",
"connect_timeout":599,
"filter":"filter",
"group":"group",
"member_of_attr":"memberof",
"profile_attr":"profile",
"secondary_server":"second_server",
"tertiary_server":"third_server"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 34,
"ver":"4.0"
}
{
"id": 34,
"ver":"4.0",
"result": {
"url": "/config/system/ldap",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"msg": "New LDAP server was successfully added.",
"error": ""
}
}
}
{
"method": "get",
"params": [
{
"url": "/config/system/ldap"
}
],
"session": "",
"id": 34,
"ver": "4.0"
}
{
'id': 34,
'result': {
'data': [
{
'address': '9.9.7.50',
'attributes': 'abc attr',
'bind_type': 0,
'cacert': 'abc_ca',
'cn': 'abc',
'con_type': 2,
'connect_timeout': 600,
'dn': 'dc=hat,dc=shoe',
'filter': 'abc_filter',
'group': 'abc_group',
'member_of_attr': 'abc_memberof',
'name': 'somewhere',
'port': 636,
'profile_attr': 'abc_profile',
'regular_password': '',
'regular_user': '',
'secondary_server': 'abc_2nd_server',
'tertiary_server': 'abc_3rd_server'
},
{
'address': '33.44.55.66',
'attributes': 'xyz attr',
'bind_type': 1,
'cacert': 'xyz_ca',
'cn': 'xyz',
'con_type': 0,
'connect_timeout': 480,
'dn': 'dc=coat,dc=sweater',
'filter': 'xyz_filter',
'group': 'xyz_group',
'member_of_attr': 'xyz_memberof',
'name': 'somehow',
'port': 389,
'profile_attr': 'xyz_profile',
'regular_password': '',
'regular_user': '',
'secondary_server': 'xyz_2nd_server',
'tertiary_server': 'xyz_3rd_server'
}
],
'status': {
'code': 0, 'message': 'OK'
},
'url': '/config/system/ldap'
},
'ver': '4.0'
}
"primary_secret_changed": 0,
"secondary_secret_changed": 0
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 35,
"ver": "2.3"
}
{
"id": 35,
"ver": "2.3",
"result": {
"url": "/config/system/ldap",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"msg": "New RADIUS server was successfully added.",
"error": ""
}
}
}
"fdn_proxy_uname":"",
"fdn_proxy_pwd":"",
"wfproxy_enable":"0",
"wf_proxy_server":"",
"wf_proxy_port":"",
"wf_proxy_uname":"",
"wf_proxy_pwd":"",
"cloudproxy_enable":"0",
"cloud_proxy_server":"",
"cloud_proxy_port":"",
"cloud_proxy_uname":"",
"cloud_proxy_pwd":""
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 36,
"ver": "2.3"
}
{
"id": 36,
"ver": "2.3",
"result": {
"url": "/config/system/fortiguard",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"msg": "FortiGuard service was successfully updated.",
"error": ""
}
}
}
"port":"25",
"account":"[email protected]",
"loginuser":"admin",
"password":"admin1234",
"pwd_changed":0,
"send_mail": "0",
"send_mail_to_dv": "0",
"mail_rating_filter":["2","16","8","4"],
"receiver": "[email protected]",
"send_reqmail":"0",
"reqreceiver":"[email protected]",
"use_fqdn_name_as_ip":"0",
"fqdn_name": "adbc.com",
"send_system_usage_mail": "0",
"system_usage_receivers_list": "[email protected]",
"cpu_threshold": "99",
"ram_threshold": "99",
"disk_threshold": "99",
"ramdisk_threshold": "99",
"vm_threshold": "99",
"total_pending_jobs_threshold": "100",
"average_scan_time_threshold": "100",
"system_check_interval": "10",
"send_pdf":"0",
"send_pdf_to_vdom":"0",
"report_rating_filter":["2","16","8","4", "1"],
"pdf_sum_receiver":"",
"pdf_detail_receiver":"",
"report_schedule_type":"",
"report_week_day":"",
"report_hour_step":"",
"report_day_hour":"",
"report_week_hour":"",
"report_period_days":"",
"report_period_hours":""
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 37,
"ver": "2.3"
}
{
"id": 37,
"ver": "2.3",
"result": {
"url": "/config/system/mail",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"msg": "Mail configuration was successfully updated.",
"error": ""
}
}
}
mail_rating_filter It has to be an array of: 2: Malicious; 16: High Suspicious; 8: Medium Suspicious;
4: Low Suspicious
report_rating_filter It has to be an array of: 2: Malicious; 16: High Suspicious; 8: Medium Suspicious;
4: Low Suspicious
"ver": "2.4",
"result": {
"url": "/config/system/logserver",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"msg": "Log server configuration was successfully updated.",
"error": ""
}
}
}
alert_clean '0': disabled, '1': Alert logs will include jobs with Clean rating.
"action":"add",
"exts":["ppsx","ppt","ppam"]
},
{
"name":"androidvm",
"action":"add",
"exts":["apk"]
}
]
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 39,
"ver": "2.3"
}
{
"id": 39,
"ver": "2.3",
"result": {
"url": "/config/scan/vmprofile",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"msg": "Scan profile configuration was successfully updated.",
"error": ""
}
}
}
depth 0, 1, 2, 3, 4 or 5
vmexts exts Combinations of the following list : exe, php, tiff, 7z, gif, png, tnef, asf, htm, ppsx, unk, cdf, ico,
ppt, vcf, com, jpeg, pptx, xls, com1, jpg, qt, xlsx, dll, mov, rar, zip, doc, mp3, rm, docx, mp4, rtf,
pdf, swf, jar, dotx, docm, dotm, xltx, xlsm, xltm, xlsb, xlam, potx, sldx, pptm, ppsm, potm,
ppam, sldm, onetoc, thmx, bat, cmd, vbs, ps1, js, tar, gz, xz, bz2, arj, cab, tgz, txt, z, msi, msg,
asp, jsp, kgb, url, dot, xlt, pps, pot, upx, apk, WEBLink, lnk, jarlib, lzh
sharetype 0:SMBv1.0,1:SMBv2.0,2:SMBv2.1,3:SMBv3.0,4:FIFS,5:NFSv2,6:NFSv3,7:NFSv4,8:Azure
File Share, 9:S3 Bucket
file_type "any", "exe", "dll", "com", "ppt", "pptx", "xls","xlsx", "doc", "docx", "msg", "rtf", "pdf", "swf"
Filetype memory for memory scan.
yara_id yara id
{"jid": jid_2,
"rating" : "High Risk",
"score": 1,
"start_ts": 1377618931,
"finish_ts":1377618961,
"malware_name": "virus 2",
"vid": virus_id_2,
"behavior_info": 1,
"false_positive_negative": 2,
"untrusted": 0,
"ftype": "Unknown"
}
],
"now":1377618931
},
{
"checksum": "b34af9dc65a3fe82ade27fae290df13a087c4f532272ce3dcb5f851d31db2c04",
"now":1377618931
}
]
}
}
job_list For a zip file, the result is an array of children's job ids. If jid is [] and rating is ["Clean"], it
means the file is not a supported file type and the file is dropped. In this case, start_ts and
finish_ts will be the UTC time the file is dropped.
rating For a zip file, the result is an array of the following, which denotes the types of ratings of its children:
Unknown,
Clean,
Malicious,
High Risk,
Medium Risk,
Low Risk,
For a single file, array size is 1
score For a zip file, the result is the bitwise combination of the following:
• RISK_UNKNOWN -1
• RISK_CLEAN 0
• RISK_MALICIOUS 1
• RISK_HIGH 2
• RISK_MEDIUM 3
• RISK_LOW 4
false_positive_negative 0: not false positive or false negative, 1: false positive, 2: false negative; the order corresponds to the order of JID
45. Get configured user defined file extensions and exclusion list of user configured file extensions
{
"method": "get",
"params": [
{
"url": "/config/scan/file_exts"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 45,
"ver": "2.4"
}
{
"id": 45,
"ver": "2.4",
"result": {
"url": "/config/scan/file_exts",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"user-defined-exts": "ext1 ext2 ext3 mydef",
"exclusion-list": "docx pdf"
}
}
}
"url": "/scan/result/get-pdf-report",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"report": "base64_encoded_pdf_file",
"report_name": "original_file_name"
}
}
}
"log_settings": 3,
"mark_fpn": 4,
"dl_orig": 4,
"json_api": 4,
"allow_on_demand_scan_interaction": 4,
"allow_on_demand_scan_video_recording": 4
}
}
],
"session": "",
"ver": "4.0"
}
{
"id": 51,
"ver": "4.0",
"result": {
"url": "/scan/result/admin-profile",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"msg": "Admin profile was successfully updated."
}
}
}
Saves to admin_profiles. You can add any parameter for the admin field inside "privileges".
"id": 52,
"ver": "2.5"
}
{
"id": 52,
"ver": "2.5",
"result": {
"url": "/scan/result/jids",
"status": {
"message": "OK",
"code": 0
},
"data":{
"jid": []
}
}
}
• RISK_CLEAN 0
• RISK_MALICIOUS 1
• RISK_HIGH 2
• RISK_MEDIUM 3
• RISK_LOW 4
{
"id": 53,
"ver": "2.3",
"result": {
"url": "/sys/login/token",
"status": {
"code": 0,
"message": "OK"
}
},
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI="
}
Copyright© 2021 Fortinet, Inc. All rights reserved.