
FortiSandbox-4.0.0-JSON API Reference


JSON API Reference

FortiSandbox 4.0.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

April 19, 2021


FortiSandbox 4.0.0 JSON API Reference
34-400-672731-20210419
TABLE OF CONTENTS

JSON API
API Messages
1. Login
2. Logout
3. Get system information
4. Get configurations of sniffer
5. General options, including cloud upload and VM network access settings
6. Set configurations of sniffer
7. Set general options, including cloud upload and vm network access settings
8. Get scanning statistics for last 7 days
9. Get a copy of backed up config file, in base64 format
10. Query file verdict through its SHA256 checksum
11-1. Upload file (on-demand submit for filesize < 20MB)
11-2. Upload large file (on-demand submit for filesize > 20MB)
12. Upload URL file (on-demand submit)
13. Query file rating through its SHA256 checksum—a simple version
14. Query URL rating
15. Query job verdict detail through its job ID
16. Cancel a job submission
17. Get job ID list for one submission
18. Get job behavior details for a file
19. Register (login) a FGT/FML/(others) device to FortiSandbox
20. Delete (actually hide) a device from FortiSandbox
21. Get latest malware package or malicious URL package
22. Download list of SHA256, SHA1, MD5, or URL from malware package or URL package
23. Get AV-Rescan results (for customized rescan results only)
24. Return all installed VM name and their clone number
25. Allow user to add/delete checksums to allow/block (white/black) list
26. Mark a sample as false negative/false positive
27. Configure system hostname
28. Configure system timezone
29. Configure system time and NTP server
30. Configure system interface
31. Configure system DNS
32. Configure system routing
33. Configure system administrator
34. Configure system LDAP
35. Configure system RADIUS
36. Configure system FortiGuard
37. Configure system mail
38. Configure system log server
39. Configure scan profile
40. Configure scan benign URLs
41. Configure scan job archive
42. Configure YARA rule
43. Get multiple file verdicts by submit multiple SHA256/SHA1/MD5
45. Get configured user defined file extensions and exclusion list of user configured file extensions
49. Get original file sample
50. Get PDF report
51. Set admin profiles
52. Get job ID by time and score
53. Login with token
Change Log

JSON API

FortiSandbox provides customers the ability to automate some key features and processes using a simple API. This
section will provide some basic examples that will allow you to submit a file or URL, as well as query the FortiSandbox for
the results of a scan.
Using this API can allow you to extend the functionality of your FortiSandbox in many ways. Some potential scenarios
you may wish to use the API for include:
- Submitting files using a simple script: you may have a large number of files you want to scan outside of regular
operating hours. These could be previously-quarantined files captured through your endpoint clients. By writing a
simple submission script, you eliminate the need to have someone physically submit these through the GUI.
- Submitting files from third-party tools: you may have other infrastructure in place (threat feeds, etc.) that you want to
integrate with your FortiSandbox. The API would allow you to submit files and query results in near real-time.

API Messages

In the following API, the "message" field value can be "INVALID_JSON_DATA", "MISSING_PARAM", "INVALID_REQUEST", or "UNSUPPORTED_VER".

1. Login

Log in request.
{
"method": "exec",
"params": [
{
"url": "/sys/login/user",
"user": "admin",
"passwd": "123456"
}
],
"id": 1,
"ver": "2.3"
}

Log in response.
{
"id": 1,
"ver": "2.0",
"result": {
"url": "/sys/login/user",
"status": {
"code": 0,
"message": "OK"
}
},
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI="
}

Notes and Comments:

message "OK", or "WRONG_CREDENTIAL", "TIME_OUT", "TOO_MANY_FAILED_RETRY", "WRONG_DATA"

2. Logout

log out request.


{
"method": "exec",
"params": [
{
"url": "/sys/logout"
}
],
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 2,
"ver": "2.0"
}

log out response.


{
"id": 2,
"ver": "2.0",
"result": {
"url": "/sys/logout",
"status": {
"code": 0,
"message": "OK"
}
}
}

Notes and Comments:

message "OK" or "SYSTEM_ERROR"

3. Get system information

get general sys status.


{
"method": "get",
"params": [
{
"url": "/sys/status"
}
],
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 3,
"ver": "2.0"
}

get sys status response.


{
"id": 3,
"ver": "2.0",
"result":{
"url": "/sys/status",
"status":{
"code":0,
"message":"OK"
},
"data":{...}
}
}

Notes and Comments:

message "OK", or "INVALID_SESSION", "SYSTEM_ERROR"

data "64-bit Applications":"No",


"Admin Domain Configuration":"Enabled",
"BIOS version":"04000002",
"Branch Point":"42",
"System time":"Tue Dec 17 14:22:37 PST 2013",
"Daylight Time Saving":"Yes",
"FIPS-CC mode":"disabled",
"Hostname":"host_name",
"License Status": 1,
/* only available for VM model, 1 means valid, 0 means invalid */
"Platform Full Name":"FortiSandbox-3000D",
"Platform Type":"FSA3000D",
"Release Version Information":"Interim",
"Serial-Number":"FSA3KD3A14000038",
"Time Zone":"(GMT-8:00) Pacific Time (US & Canada).",
"Version":"FSA3000D v2.0,build0023,150120 (Interim)",
"Major": 1,
"Minor": 2,
"Patch": 0,
"Build": 42,
"win_lic_activated" : 1,
"fdn_server_accessible" : 1,
"vm_network_accessible" : 1,
"cloud_server_accessible" : 1,
"wf_server_accessible" : 1
/* 1 means activated or accessible, 0 means not yet */


4. Get configurations of sniffer


{
"method": "get",
"params": [
{
"url": "/config/scan/devsniffer"
}
],
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 4,
"ver": "2.3"
}
{
"id": 4,
"ver": "2.3",
"result": {
"url": "/config/scan/devsniffer",
"status": {
"code": 0,
"message": "OK"
},
"data": {...}
}
}

Notes and Comments:

message "OK", or "INVALID_SESSION", "SYSTEM_ERROR"

data "file_detection": 1 /* Enable file based detection */


"network_alert_detection" : 1, /* 1- enabled, 0-disabled */
"sniffer_port" : "port2,port4", /* comma separated port list */
"keep_incomplete_file": 1, /* 1- yes, 0-no */
"max_file_size" : 2048, /* in kB */
"service_type": ["HTTP","SMTP","POP3","FTP","IMAP","SMB","OTHER"],
"file_type":
["allfiletype","allarchive","exe","pdf","doc","ppt","flash","jar",
"java","com", "js","html","emlbdy"]

5. General options, including cloud upload and VM network access settings


{
"method": "get",
"params": [
{
"url": "/config/scan/options"
}
],
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 5,
"ver": "2.0"
}
{
"id": 5,
"ver": "2.0",
"result": {
"url": "/config/scan/options",
"status": {
"code": 0,
"message": "OK"
},
"data": {...}
}
}

Notes and Comments:

message "OK", or "INVALID_SESSION", "SYSTEM_ERROR"

data "cloud_upload" : 1,
/*1- enabled, 0-disabled */
"vm_network_access" : 1 ,
/*1- enabled, 0-disabled */
"log_device_submission" : 1 ,
/*1- enabled, 0-disabled */
"rej_dup_device_submission" : 1 ,
/*1- enabled, 0-disabled */
"del_clean_file" : 10 ,
/*-1- disabled, >0 delete after x minutes */
"del_job_info" : 10,
/*-1- disabled, >0 delete after x minutes */
"archive_job" : 1
/*0- disabled, 1- enabled */

6. Set configurations of sniffer


{
"method": "set",
"params": [
{
"url": "/config/scan/devsniffer",
"file_detection": 1,
"network_alert_detection" : 1,
"sniffer_port" : "port2,port3",
"keep_incomplete_file": 1,
"conserve_mode": 1,
/* 1-yes, 0-no */
"max_file_size" : 2048, /* in KB */
"service_type": ["HTTP","SMTP","POP3","FTP","IMAP","SMB","OTHER"],
"file_type":
["allfiletype","allarchive","exe","pdf","doc","ppt","flash","jar","java","com","js","html","emlbdy"],
"scan_url": 1,
"checked_cus_ftype": ["checked_ftype"],
"unchecked_cus_ftype": ["unchecked_ftype"]
}
],
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 6,
"ver": "2.3.1"
}
{
"id": 6,
"ver": "2.3.1",
"result": {
"url": "/config/scan/devsniffer",
"status": {
"code": 0,
"message": "OK"
}
}
}

Notes and Comments:

message "OK", or "INVALID_SESSION", "SYSTEM_ERROR"

7. Set general options, including cloud upload and vm network access settings
{
"method": "set",
"params": [
{
"url": "/config/scan/options",
"cloud_upload" : 1,
"fdn_stats_upload" : 1,
"vm_network_access" : 1,
"vm_gateway": "172.17.58.3",
"vm_dns": "8.8.8.8",
"vm_proxy_enable": 1,
"vm_proxy_server": "172.17.17.17",
"vm_proxy_port": "8080",
"vm_proxy_type": "0",
/* "0":HTTP Connect, "1":HTTP Relay, "2":Sockv4, "3":Sockv5 */
"vm_proxy_uname": "admin",
"vm_proxy_password": "admin123",
"vm_proxy_debug": 0,
/* all vm_* options are not configurable for AWS model */
"url_callback_detection" : 1,
/* url_callback_detection is not configurable for AWS model */
"url_submit_webfilter" : 1,
"log_device_submission" : 1,
"rej_dup_device_submission" : 1,
/* 1-yes, 0-no */
"del_clean_file" : 10 ,
"del_bad_file" : 10 ,
"del_job_info" : 10,
"del_bad_job_info" : 10,
"default_password" : ["mypassword1", "mypassword2"],
"default_pdf_office_password" : "mypassword1",
"disable_cloud_query" : 1,
"disable_av_rescan" : 1,
"log_adapter_submission" : 1,
"log_netshare_submission" : 1,
"log_icap_submission" : 1,
"log_mta_submission" : 1,
"log_bcc_submission" : 1
}
],
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 7,
"ver": "2.4.1"
}
{
"id": 7,
"ver": "3.0.2",
"result": {
"url": "/config/scan/options",
"status": {
"code": 0,
"message": "OK"
}
}
}

Notes and Comments:

message "OK", or "INVALID_SESSION", "SYSTEM_ERROR"

data "cloud_upload" : 1,
/* 1- enabled, 0-disabled. This field is ignored when setting on a non-
primary or standalone unit.*/
"fdn_stats_upload" : 1,
/* 1- enabled, 0-disabled. This field is ignored when setting on a non-
primary or standalone unit.*/
"vm_network_access" : 1,
/* 1- enabled, 0-disabled, not valid for AWS model */
"vm_gateway": "172.17.58.3",
/* supported from FSA v2.3, not valid for AWS model */
"vm_dns": "8.8.8.8",
/* not valid for AWS model */
"vm_proxy_enable": 1,
/* not valid for AWS model */
"vm_proxy_server": "172.17.17.17",
/* not valid for AWS model */
"vm_proxy_port": "8080",
/* not valid for AWS model */
"vm_proxy_type": "0",
/* "0":HTTP Connect, "1":HTTP Relay */
/* "2":Sockv4, "3":Sockv5 */
/* not valid for AWS model */
"vm_proxy_uname": "admin",
/* not valid for AWS model */
"vm_proxy_password": "admin123",
/* not valid for AWS model */
"vm_proxy_debug": 0,
/* 1- enabled, 0-disabled, not valid for AWS model */
"url_submit_webfilter" : 1 ,
/* 1- enabled, 0-disabled This field is ignored when setting on a non-
primary or standalone unit.*/


"del_clean_file" : 10 ,
/* -1- disabled, >0 delete after x minutes */
"del_bad_file" : 10 ,
/* -1- disabled, >0 delete after x minutes */
"del_job_info" : 10 ,
/* -1- disabled, >0 delete after x minutes */
"del_bad_job_info" : 10 ,
/* -1- disabled, >0 delete after x minutes */
"default_password" : ["pwd1","pwd2"],
/* empty list means disabled */
"default_pdf_office_password" : "mypassword",
/* empty string means disabled, only 1 password is allowed */

8. Get scanning statistics for last 7 days


{
"method": "get",
"params": [
{
"url": "/scan/stat/last_7day",
"period": 7*24*60
}
],
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 8,
"ver": "2.1.1"
}
{
"id": 8,
"ver": "2.1.1",
"result": {
"url": "/scan/stat/last_7day",
"status": {
"code": 0,
"message": "OK"
},
"data": {...}
}
}

Notes and Comments:

message "OK", or "INVALID_SESSION", "SYSTEM_ERROR"

data "malicious" : 1,
/* total # of malicious files detected in last 7 days, or -1, which means
n/a */
/*If 'period' is provided, the data is from 'period' ago to now. Otherwise,
the data is for last 7 days. */
"suspicious_high" : 2,
/* total # of high-risk suspicious files detected in last 7 days, or -1,
which means n/a */
/*If 'period' is provided, the data is from 'period' ago to now. Otherwise,
the data is for last 7 days. */


"suspicious_medium" : 3,
/* total # of medium-risk suspicious files detected in last 7 days, or -1,
which means n/a */
/*If 'period' is provided, the data is from 'period' ago to now. Otherwise,
the data is for last 7 days. */
"suspicious_low" : 4,
/* total # of low-risk suspicious files detected in last 7 days, or -1,
which means n/a */
/*If 'period' is provided, the data is from 'period' ago to now. Otherwise,
the data is for last 7 days. */
"pending" : 5,
/* total # of pending jobs, or -1, which means n/a */
"processing" : 6,
/* total # of currently processing jobs, or -1, which means n/a */

9. Get a copy of backed up config file, in base64 format


{
"method": "exec",
"params": [
{
"url": "/backup/config"
}
],
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 9,
"ver": "2.0"
}
{
"id": 9,
"ver": "2.0",
"result": {
"url": "/backup/config",
"status": {
"code": 0,
"message": "OK"
},
"data": {...}
}
}

Notes and Comments:

message "OK", or "INVALID_SESSION", "SYSTEM_ERROR"

data "file": "..."
/* backup config file content, in base64 encoding. Client side should
decode it then save to a file */


10. Query file verdict through its SHA256 checksum

Note: A simple version is /scan/result/filerating
Note: For a zip file, a rating is available only after all of its children finish scanning.
Note: The rating, malware_name and vid results are arrays.
{
"method": "get",
"params": [
{
"url": "/scan/result/file",
"checksum":"the_files_checksum",
"ctype":"sha1"
}
],
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 10,
"ver": "2.1"
}
{
"id": 10,
"ver": "2.1",
"result": {
"url": "/scan/result/file",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"jid" : [jid_1, jid_2],
"rating" : ["Malicious","High Risk"],
"score" : 1,
"start_ts": 1377618931,
"finish_ts":1377618961,
"malware_name": ["virus 1", "virus 2"],
"vid": [virus_id_1, virus_id_2],
"behavior_info": 0,
"false_positive_negative": [0,1,2],
"untrusted": 1,
"now":1377618931,
"ftype": "[file_type1, file_type2]"
}
}
}

Notes and Comments:

ctype Checksum type: "sha1" or "sha256"

message "OK" or "INVALID_SESSION", "INVALID_PARAM" or "DATA_NOT_EXIST". If the value is "DATA_NOT_EXIST", it means no record is found for this checksum, or the scan has not finished; if the value is "INVALID_PARAM", it means the input checksum is wrong.

jid For a zip file, the result is an array of its children's job IDs. If jid is [] and rating is ["Clean"], it means the file is not a supported file type and the file is dropped. In this case, start_ts and finish_ts will be the UTC time the file is dropped.

rating For a zip file, the result is an array of the following, which denotes the types of ratings of its children:
- Unknown
- Clean
- Malicious
- High Risk
- Medium Risk
- Low Risk
For a single file, the array size is 1.

score For a zip file, the result is the bitwise combination of the following:
- RISK_UNKNOWN -1
- RISK_CLEAN 0
- RISK_MALICIOUS 1
- RISK_HIGH 2
- RISK_MEDIUM 3
- RISK_LOW 4
For a single file, it will be one of the above values.

start_ts Start scan time, UTC

finish_ts Finish scan time, UTC

vid Detailed information about the virus can be found at http://www.fortiguard.com/encyclopedia/virus/#id=virus_id

behavior_info Whether detailed behavior information is available. 0: not available, 1: available

false_positive_negative 0: not false positive or false negative, 1: false positive, 2: false negative. The order corresponds to the order of the JIDs.

untrusted 0: the result can be trusted
1: the scan environment has changed since this file's scan

now FortiSandbox's time, UTC

ftype File type of the file, e.g., "exe", "pdf", "Unknown"
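
An added example (not part of the Fortinet reference) of client-side handling for this call: it builds the /scan/result/file request and reduces the response to one state, keeping "no record yet" and "dropped as unsupported" apart from a real Clean verdict. The function names, the severity ranking and the sample responses are constructed for this illustration.

```python
import json
import re

# Hex digest lengths for the two ctype values the reference lists.
DIGEST_HEX_LEN = {"sha1": 40, "sha256": 64}

# Rating names from the reference, ranked least to most severe. The ranking
# is an assumption of this example; the reference only lists the names.
SEVERITY = ["Unknown", "Clean", "Low Risk", "Medium Risk", "High Risk", "Malicious"]


def build_file_query(session, checksum, ctype="sha256", req_id=10, ver="2.1"):
    """Return the JSON body for a /scan/result/file query."""
    if ctype not in DIGEST_HEX_LEN:
        raise ValueError("ctype must be 'sha1' or 'sha256'")
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % DIGEST_HEX_LEN[ctype], checksum):
        # Catch a malformed digest locally instead of waiting for INVALID_PARAM.
        raise ValueError("checksum is not a %s hex digest" % ctype)
    return json.dumps({
        "method": "get",
        "params": [{"url": "/scan/result/file",
                    "checksum": checksum, "ctype": ctype}],
        "session": session,
        "id": req_id,
        "ver": ver,
    })


def interpret_file_verdict(response):
    """Reduce a parsed /scan/result/file response to one actionable state."""
    result = response.get("result", {})
    message = result.get("status", {}).get("message")
    if message == "DATA_NOT_EXIST":
        # No record for this checksum, or the scan has not finished.
        return {"state": "no_verdict_yet"}
    if message != "OK":
        return {"state": "error", "message": message}

    data = result.get("data", {})
    ratings = data.get("rating", [])
    jids = data.get("jid", [])
    if not jids and ratings == ["Clean"]:
        # Unsupported file type: the file was dropped, not analysed.
        return {"state": "dropped_unsupported"}
    if not ratings or any(r not in SEVERITY for r in ratings):
        return {"state": "error", "message": "unexpected rating value"}
    return {
        "state": "rated",
        # For a zip file the array holds one rating per child; keep the worst.
        "worst_rating": max(ratings, key=SEVERITY.index),
        "jids": jids,
        # untrusted == 1: the scan environment changed since this scan.
        "trusted": data.get("untrusted", 0) == 0,
    }


# Constructed sample responses, shaped like the response shown above.
SAMPLE_ZIP = {"id": 10, "ver": "2.1", "result": {
    "url": "/scan/result/file", "status": {"code": 0, "message": "OK"},
    "data": {"jid": [101, 102], "rating": ["Clean", "High Risk"],
             "untrusted": 1, "start_ts": 1377618931, "finish_ts": 1377618961}}}
SAMPLE_DROPPED = {"id": 10, "ver": "2.1", "result": {
    "url": "/scan/result/file", "status": {"code": 0, "message": "OK"},
    "data": {"jid": [], "rating": ["Clean"], "untrusted": 0}}}
SAMPLE_PENDING = {"id": 10, "ver": "2.1", "result": {
    "url": "/scan/result/file", "status": {"message": "DATA_NOT_EXIST"}}}

if __name__ == "__main__":
    print(build_file_query("SESSION_TOKEN_PLACEHOLDER", "a" * 64))
    for sample in (SAMPLE_ZIP, SAMPLE_DROPPED, SAMPLE_PENDING):
        print(interpret_file_verdict(sample))
```

A caller that treats every rating of ["Clean"] as safe would also pass files FortiSandbox never analysed, which is why the dropped case is returned as its own state.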

11-1. Upload file (on-demand submit for filesize < 20MB)


{
"method": "set",
"params": [
{
"file": "dGhpcyBpcyBhIHRlc3QhCg==",
"filename": "dGVzdC50eHQ=",
"skip_steps": "1,2,4,8",
"url": "/alert/ondemand/submit-file",
"type": "file",
"overwrite_vm_list":"WIN7X86VM,WINXPVM",
"archive_password": "pa!@s(*word1\n pa%^&*,word2",
"malpkg": "1",
"meta": {"meta_filename": meta_filename, "meta_url": meta_url},
"timeout": "3600",
"vrecord": "0",
"enable_ai": "0",
"forcedvm": 0,
"comments": "This is a comment"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 11,
"ver": "2.5"
}
{
"id": 11,
"ver": "2.5",
"result": {
"url": "/alert/ondemand/submit-file",
"status": {
"message": "OK",
"code": 0
},
"data": {
"msg": "File was submitted successfully",
"error": "",
"sid":[the_submission_id]
}
}
}

Notes and Comments:

file Encoded (base64) file contents (binary). Max. allowed file size is 200M

filename Encoded (base64) filename under which the 'file' field's content will be saved on FSA

skip_steps Do not use this parameter if there is no step to skip. 1 = Skip AV, 2 = Skip Cloud, 4 = Skip sandboxing, 8 = Skip Static Scan.

url URL is required.

overwrite_vm_list All VM names are available through another JSON API, /alert/ondemand/hcmvminfo. The clone number of those VMs should be bigger than zero; the JSON API /alert/ondemand/hcmvminfo handles it. If this field is not set, default ones will be used.

archive_password (Optional) Provide password(s) if needed for extracting an archived file. Otherwise, ignore this field, or leave it as an empty string. Multiple passwords are separated by "\n". Non-ASCII passwords are invalid.

malpkg (Optional) Set the value to "1" to request that the sample be added to the malware package if it satisfies the malware criteria. By default, the value is "0".

meta (Optional) meta_filename (base64_encoded) is the file name from FGTs. meta_url (base64_encoded) is the URL sent from FGTs.

timeout Cancel processing a submission on timeout before entering the VM.

forcedvm 1: force the file to be scanned in VM, 0: do not force the VM scan.

comments Comment field, max characters allowed: 255.

status "message": "OK",
"OK", "FILENAME_NOT_FOUND", "FILE_DATA_NOT_FOUND", "FILE_TYPE_NOT_FOUND", "FILE_NOT_ENCODED", "FILENAME_NOT_ENCODED", "OVERSIZED_FILE", "INVALID_SESSION", "SYSTEM_ERROR"
"code": 0

sid The ID for this submission, which the user can use to cancel pending jobs from it
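
An added example (not part of the Fortinet reference) that builds the 11-1 submission body and enforces the constraints from the notes above before anything is sent: base64 encoding of file and filename, the skip_steps values, "\n"-joined ASCII-only archive passwords, the 255-character comment limit and the 20MB boundary between 11-1 and 11-2. The function names, the short skip-step names, the UTF-8 filename encoding and the sample responses are assumptions of this example.

```python
import base64
import json

JSON_UPLOAD_LIMIT = 20 * 1024 * 1024   # 11-1 covers files under 20MB
MAX_COMMENT_CHARS = 255
# skip_steps values from the notes; the short names are this example's own.
SKIP_STEPS = {"av": 1, "cloud": 2, "sandbox": 4, "static": 8}


def build_submit_file_request(session, filename, content, skip=(),
                              archive_passwords=(), comments="",
                              req_id=11, ver="2.5"):
    """Return the JSON body for an on-demand file submission (11-1)."""
    if len(content) >= JSON_UPLOAD_LIMIT:
        raise ValueError("file is 20MB or larger; use the multipart upload (11-2)")
    if len(comments) > MAX_COMMENT_CHARS:
        raise ValueError("comments exceed 255 characters")
    for pw in archive_passwords:
        # Passwords are joined with "\n", so one cannot contain a newline,
        # and the reference states that non-ASCII passwords are invalid.
        if not pw.isascii() or "\n" in pw:
            raise ValueError("archive passwords must be ASCII without newlines")

    params = {
        "url": "/alert/ondemand/submit-file",
        "type": "file",
        "file": base64.b64encode(content).decode("ascii"),
        # UTF-8 for the filename bytes is an assumption of this example.
        "filename": base64.b64encode(filename.encode("utf-8")).decode("ascii"),
    }
    if skip:  # the parameter is left out entirely when no step is skipped
        params["skip_steps"] = ",".join(str(SKIP_STEPS[name]) for name in skip)
    if archive_passwords:
        params["archive_password"] = "\n".join(archive_passwords)
    if comments:
        params["comments"] = comments
    return json.dumps({"method": "set", "params": [params],
                       "session": session, "id": req_id, "ver": ver})


def submission_ids(response):
    """Return the sid list from a submit response, or raise with the status message."""
    result = response.get("result", {})
    message = result.get("status", {}).get("message")
    if message != "OK":
        raise RuntimeError("submission rejected: %s" % message)
    return list(result.get("data", {}).get("sid", []))


# Constructed sample responses, shaped like the response shown above.
SAMPLE_OK = {"id": 11, "ver": "2.5", "result": {
    "url": "/alert/ondemand/submit-file",
    "status": {"message": "OK", "code": 0},
    "data": {"msg": "File was submitted successfully", "error": "", "sid": [4242]}}}
SAMPLE_OVERSIZED = {"id": 11, "ver": "2.5", "result": {
    "url": "/alert/ondemand/submit-file",
    "status": {"message": "OVERSIZED_FILE"}}}

if __name__ == "__main__":
    print(build_submit_file_request("SESSION_TOKEN_PLACEHOLDER", "test.txt",
                                    b"this is a test!\n", skip=("av", "static")))
    print(submission_ids(SAMPLE_OK))
```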

11-2. Upload large file (on-demand submit for filesize > 20MB)
{
"file": filepath 'application/octet-stream',
"data" : {
"url": "/alert/ondemand/submit-file",
"type": "file",
"skip_steps": "",
"overwrite_vm_list": "",
"malpkg": 0,
"vrecord": "0",
"forcedvm": 0,
"enable_ai": 0,
"archive_password": "",
"timeout": "3600",
"comments": "This is a comment",
"meta_url": "",
"meta_filename": "",
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI="
}
}

{
"id": 0,
"result": {
"data": {
"error": "",
"msg": "File was submitted successfully",
"sid": [the_submission_id]
},
"status": {
"code": 0,
"message": "OK"
},
"url": "/alert/ondemand/submit-file"
},
"ver": "4.0"
}


Notes and Comments:

This API uses the multipart MIME data, that is, the client tool has to invoke the multipart.
Two key value pairs are needed:
- file=<file to be submitted> - type=multipart/form-data
- data=<data.json to be submitted> - type=application/json

url Required field.

meta_url URL sending from FortiGate.

meta_filename (Optional) Filename from FortiGate.

session Required field.

For notes about other fields, see the Notes and Comments for 11-1. Upload file (on-demand submit for filesize < 20MB).

Example using curl CLI Linux command:

curl -k -i -X POST -F "[email protected];type=multipart/form-data" -F "data=<data.json;type=application/json" https://<ip_addr>/jsonrpc/

The -k option tells curl to skip TLS certificate verification; drop it when the client trusts the certificate the FortiSandbox presents.

12. Upload URL file (on-demand submit)


{
"method": "set",
"params": [
{
"file": "dGhpcyBpcyBhIHRlc3QhCg==",
"filename": "dGVzdC50eHQ=",
"url": "/alert/ondemand/submit-file",
"type": "url",
"timeout": "60",
"depth": "1",
"overwrite_vm_list":"WIN7X86VM,WINXPVM",
"vrecord": "1",
"enable_ai": "1",
"forcedvm": 0,
"comments": "This is a comment"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 12,
"ver": "2.2"
}
{
"id": 12,
"ver": "2.2",
"result": {
"url": "/alert/ondemand/submit-file",
"status": {
"message": "OK",
"code": 0
},
"data": {
"msg": "File was submitted successfully",
"error": "",
"sid":[the_submission_id]
}
}
}

Notes and Comments:

file Encoded (base64) file contents (binary). The file should contain a list of URLs, one per line. Each URL should be less than 1.5K bytes long.

filename Encoded (base64) filename into which the 'file' field's content will be saved on FSA

timeout How long the scan will run, in seconds. This is a subjective number. For example, if the web site has many pages, or the network bandwidth to the web site is slow, the timeout value should be bigger.

depth The depth of web links to scan. 0 is the original URL; 1 also crawls into the links in the original URL.

overwrite_vm_list All VM names are available through another RPC JSON API, /alert/ondemand/hcmvminfo. The clone number of those VMs should be bigger than zero; the RPC JSON API /alert/ondemand/hcmvminfo handles it. If this field is not set, default ones will be used.

vrecord 1: record video of the VM scan process, 0: do not record video.

enable_ai 1: enable AI scanning, 0: do not involve AI scanning.

forcedvm 1: force the file to be scanned in VM, 0: do not force the VM scan.

comments Comment field, max characters allowed: 255.

sid The ID for this submission, which the user can use to cancel pending jobs from it

message "OK", "FILENAME_NOT_FOUND", "FILE_DATA_NOT_FOUND", "FILE_TYPE_NOT_FOUND", "FILE_NOT_ENCODED", "FILENAME_NOT_ENCODED", "OVERSIZED_FILE", "INVALID_SESSION", "SYSTEM_ERROR".

13. Query file rating through its SHA256 checksum—a simple version
{
"method": "get",
"params": [
{
"url": "/scan/result/filerating",
"checksum":"the_files_checksum",
"ctype":"sha1"
}
],
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 13,
"ver": "2.1"
}


{
"id": 13,
"ver": "2.1",
"result": {
"url": "/scan/result/filerating",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"rating" : ["Malicious","High Risk"],
"start_ts": 1377618931,
"finish_ts":1377618961,
"untrusted": 1,
"now":1377618931
}
}
}

Notes and Comments:

ctype Checksum type: "sha1" or "sha256"

message 'OK', 'INVALID_SESSION', 'INVALID_PARAM' or 'DATA_NOT_EXIST'. If the value is 'DATA_NOT_EXIST', it means no record is found for this sha256, or the scan has not finished; if the value is "INVALID_PARAM", it means the input checksum is wrong.

rating For a zip file, the result is an array of the following, which denotes the types of ratings of its children:
- Unknown
- Clean
- Malicious
- High Risk
- Medium Risk
- Low Risk
For a single file, the array size is 1. If rating is ["Clean"] and start_ts = 0 and finish_ts = 0, it means the file is not a supported file type and the file is dropped.

start_ts Start scan time, UTC

finish_ts Finish scan time, UTC

untrusted 0: the result can be trusted
1: the scan environment has changed since this file's scan

now FortiSandbox's time, UTC

14. Query URL rating


{
"method": "get",
"params": [
{
"url": "/scan/result/urlrating",
"address":[url_a, url_b]
}
],
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 14,
"ver": "2.5"
}
{
"id": 14,
"ver": "2.4",
"result": {
"url": "/scan/result/urlrating",
"status": {
"code": 0,
"message": "OK"
},
"data": [{
"url" : "http://www.henrydu.com/",
"rating" : "Malicious",
"start_ts": 1377618931,
"finish_ts":1377618961,
"untrusted": 1,
"now":1377618931,
"behavior_info":0
},
{
"url" : "http://www.abc.com"
}]
}
}

Notes and Comments:

message "OK" or "INVALID_SESSION" or "DATA_NOT_EXIST". If the value is "DATA_NOT_EXIST", it means no record is found for this sha256, or the scan has not finished.

address Needs to be an exact match. It's fine to leave out the http(s):// prefix.

rating One of:
- Unknown
- Clean
- Malicious
- High Risk
- Medium Risk
- Low Risk
For a single file, array size is 1

detail_page The link to view details

start_ts Start scan time, UTC

finish_ts Finish scan time, UTC

untrusted 0: the result can be trusted
1: the scan environment has changed since this file's scan

behavior_info 0: There is no analytic report for this URL.
1: There is an analytic report for this URL.

now FortiSandbox's time, UTC

15. Query job verdict detail through its job ID


{
"method": "get",
"params": [
{
"url": "/scan/result/job",
"jid":"the_jobid"
}
],
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 15,
"ver": "2.1"
}
{
"id": 15,
"ver": "2.1",
"result": {
"url": "/scan/result/job",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"rating" : "Malicious",
"score" : 1,
"sha256": "the_files_sha256_checksum",
"sha1": "the_files_sha1_checksum",
"start_ts": 1377618931,
"finish_ts":1377618961,
"malware_name": "virus name",
"vid": virus_id,
"detection_os": "[os_name1, os_name2]",
"rating_source":
"category": "Backdoor",
"untrusted": 1,
"now":1377618931,
"detail_url": "the_job_detail_page_link",
"download_url": "eNrLKCkpsNLXN7Q00jM0s9AzN9AztDDRT0ss1",
"false_positive_negative": 0,
"ftype": "[file_type1, file_type2]"
}
}
}


Notes and Comments:

message "OK" or "INVALID_SESSION" or "DATA_NOT_EXIST". If the value is "DATA_NOT_EXIST", it means no record is found for this job ID, or the scan has not finished.

rating One of the following:
- Unknown
- Clean
- Malicious
- High Risk
- Medium Risk
- Low Risk

score One of the following:
- RISK_UNKNOWN -1
- RISK_CLEAN 0
- RISK_MALICIOUS 1
- RISK_HIGH 2
- RISK_MEDIUM 3
- RISK_LOW 4

start_ts Start scan time, UTC

finish_ts Finish scan time, UTC

malware_name Virus name if it's a known virus

vid Detailed information about the virus can be found at http://www.fortiguard.com/encyclopedia/virus/#id=virus_id

rating_source One of "AV Scan", "Cloud Query", "Sandboxing", "Static Scan", "Other"

category One of: 'Clean', 'Unknown', 'Infector', 'Worm', 'Botnet', 'Hijack', 'Stealer', 'Backdoor', 'Injector', 'Rootkit', 'Adware', 'Dropper', 'Downloader', 'Trojan', 'Riskware', 'Grayware', or 'Attacker'.

untrusted 0: the result can be trusted
1: the scan environment has changed since this file's scan

now FortiSandbox's time, UTC

download_url Base64-encoded download URL

false_positive_negative 0: not false positive or false negative, 1: false positive, 2: false negative

ftype File type of the file, e.g., "exe", "pdf", "Unknown"

16. Cancel a job submission


{
"method": "exec",
"params": [
{
"url": "/alert/ondemand/cancel-submission",
"sid": sid,
"reason":the_reason
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 16,
"ver": "2.0"
}
{
"id": 16,
"ver": "2.0",
"result": {
"url": "/alert/ondemand/cancel-submission",
"status": {
"code": 0,
"message": "OK"
}
}
}

Notes and Comments:

sid The submission id got from submit-file. The command is useful if a file containing a big
number of urls takes long time to scan and needs to be cancelled

message "OK", or "INVALID_SESSION", "SYSTEM_ERROR"

17. Get job ID list for one submission


{
"method": "get",
"params": [
{
"url": "/scan/result/get-jobs-of-submission",
"sid": sid
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 17,
"ver": "2.0"
}
{
"id": 17,
"ver": "2.0",
"result": {
"url": "/scan/result/get-jobs-of-submission",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"jids" : [jid1,jid2],
"total_jids" : 1000
}
}
}


Notes and Comments:

message "OK", or "INVALID_SESSION", "SYSTEM_ERROR"

sid The submission ID returned by submit-file. The command gets all job IDs associated with one submission.

total_jids Total number of jobs for the submission. The maximum number of subfiles in the archive is
1000.

18. Get job behavior details for a file


{
"method": "get",
"params": [
{
"url": "/scan/result/get-job-behavior",
"checksum":"the_files_checksum",
"ctype":"sha1"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 18,
"ver": "3.1"
}
{
"id": 18,
"ver": "3.1",
"result": {
"url": "/scan/result/get-job-behavior",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"behavior_files" : "TWFuIGlzIGRpc3Rpbmd1aXxxxx"
}
}
}

Notes and Comments:

ctype Checksum type: "sha1", "sha256", "md5"

rtype Result type: "std", "tree", "stix"

stype Submission type: "submission", "jobonly"

rtype Result type: "std", "tree",

stype Submission type: "submission", "jobonly"

message "OK", "DATA_NOT_EXIST", "INVALID_PARAM", "INVALID_SESSION", "SYSTEM_ERROR". If the value is "INVALID_PARAM", it means the input checksum is wrong. If behavior is not available, data part will be empty.

behavior_files Behavior files in JSON format, archived in gz format and base64 encoded. If the queried file is
an archive file, the children's job behaviors will be combined to one file, then zipped.

19. Register (login) a FGT/FML/(others) device to FortiSandbox


{
"method": "post",
"params": [
{
"url": "/scan/device/device-login",
"serial":"Device_SN",
"hostname":"Device_Name",
"ipv4":"172.17.58.60",
"vdom":"root",
"send_weekly_report":"0",
"send_notifications":"0",
"inherit_auth":"0",
"email":"[email protected]",
"authorize":"0"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 19,
"ver": "2.0"
}
{
"id": 19,
"ver": "2.0"
"result": {
"url": "/scan/device/device-login",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"device_id" : 1,
"serial" : "Device_SN"
}
}
}

Notes and Comments:

vdom root is the default VDOM; other VDOM names will inherit this device.

send_weekly_report data = 1 send, 0 otherwise

send_notifications data = 1 send, 0 otherwise


inherit_auth data = 1 inherit authorization, 0 otherwise

authorize data = 1: authorized directly, without an FSA admin authorizing manually; 0 otherwise

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

20. Delete (actually hide) a device from FortiSandbox


{
"method": "post",
"params": [
{
"url": "/scan/device/device-delete",
"serial":"Device_SN"
"vdom":"root"
"remove_scan_results":"0"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 20,
"ver": "2.0"
}
{
"id": 20,
"ver": "2.0"
"result": {
"url": "/scan/device/device-delete",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"delete_name" : "Device_Name",
}
}
}

Notes and Comments:

remove_scan_results data = 1, delete this device and all related scan results in DB, 0 otherwise.

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

delete_name Removed the device serial.

21. Get latest malware package or malicious URL package


{
"method": "post",
"params": [
{
"url": "/scan/device/get-malpkg",


"type":0,
"major":2,
"minor":100
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 21,
"ver": "2.2.1"
}
{
"id": 21,
"ver": "2.2.1"
"result": {
"url": "/scan/device/get-malpkg",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"malpkg" : "TWFuIGlzIGRpc3Rpbmd1aXxxxx",
"md5sum" : "b0ed36a4b6282b566328a...",
"major":2,
"minor":101,
"all_pkgs": {
0:"TWFuIGlzIGRpc3Rpbmd1aXxxxx",
1:"TWFuIGlzIGRpc3Rpbmd1aXxxxxaaaa",
4:"TWFuIGlzIGRpc3Rpbmd1aXxxxxaddd",
5:"TWFuIGlzIGRpc3Rpbmd1aXxxxxaeee",
6:"TWFuIGlzIGRpc3Rpbmd1aXxxxxafff",
7:"TWFuIGlzIGRpc3Rpbmd1aXxxxxaggg,
8:"TWFuIGlzIGRpc3Rpbmd1aXxxxxahhh,
9:"TWFuIGlzIGRpc3Rpbmd1aXxxxxaiii,
}
}
}
}

Notes and Comments:

type 0:FSA_FILE_MALWARE_PKG;
1:FSA_FILE_URL_PKG;
2:FSA_FILE_BOTNET_PKG;
4:Malware Package. Pure malicious level;
5:Malware Package. Malicious + High level;
6:Malware Package. Malicious + High + Medium level;
7:URL Package. Pure malicious level;
8:URL Package. Malicious + High level;
9:URL Package. Malicious + High + Medium level;
100:All malware Packages at once;
101:All malware URL Packages at once


major If submitted major or minor is lower than the most recent version, most recent major/minor
package is returned.
minor If submitted major or minor is the same as the most recent version, no new package is
returned.

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR", "NO_NEW_PACKAGE"

malpkg Binary file for the package

md5sum md5sum of the package

major Package major number

minor Package minor number

all_pkgs If type is 100 all_pkgs contains content for type 0,4,5,6; if type is 101, all_pkgs contains
content for type 1,7,8,9

22. Download list of SHA256, SHA1, MD5, or URL from malware package or URL package

{
"method": "post",
"params": [
{
"url": "/scan/device/download-malpkg-text",
"type":0,
"lazy":0,
"major":2,
"minor":100
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 22,
"ver": "2.4.1"
}
{
"id": 22,
"ver": "2.4.1"
"result": {
"url": "/scan/device/download-malpkg-text",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"download_file" : "TWFuIGlzIGRpc3Rpbmd1aXxxxx",
"md5sum" : "b0ed36a4b6282b566328a...",
"major":2,
"minor":101
}
}
}


Notes and Comments:

type 0:SHA256;
1:SHA1;
2:MD5;
3:URL;
4:FILE HASH STIX; (ignore version number)
5:URL STIX; (ignore version number)

lazy 0: use specified major and minor number; 1: get the latest version.

major Package major number

minor Package minor number

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR", "NO_PACKAGE"

download_file Text file, base64 encoded; a STIX package is a ZIP file

md5sum md5sum of the file
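A client-side check for the download-malpkg-text response, as an added Python example that is not part of the Fortinet reference: it decodes download_file, compares it with md5sum, and validates each line against the requested type. It assumes that md5sum covers the decoded bytes and that the text file holds one indicator per line; the error class and the constructed sample response are also this example's own.

```python
import base64
import binascii
import hashlib
import hmac
import re

# Expected hex length per download type, from the type table above.
HEX_LENGTH = {0: 64, 1: 40, 2: 32}  # 0:SHA256, 1:SHA1, 2:MD5
URL_TYPE = 3


class PackageError(ValueError):
    """Raised when a download-malpkg-text response fails validation."""


def parse_malpkg_text(response, pkg_type):
    """Return None for NO_PACKAGE, else version, accepted entries and rejected lines."""
    if pkg_type not in HEX_LENGTH and pkg_type != URL_TYPE:
        raise PackageError("only text types 0-3 are handled; 4 and 5 are STIX ZIP files")
    result = response["result"]
    message = result["status"]["message"]
    if message == "NO_PACKAGE":
        return None
    if message != "OK":
        raise PackageError("API returned %r" % message)

    data = result["data"]
    try:
        content = base64.b64decode(data["download_file"], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise PackageError("download_file is not valid base64") from exc

    # Assumption: md5sum covers the decoded file bytes. MD5 only detects
    # corruption or truncation in transit; it does not authenticate the package.
    actual = hashlib.md5(content).hexdigest()
    if not hmac.compare_digest(actual, str(data["md5sum"]).lower()):
        raise PackageError("md5sum mismatch: expected %s, got %s" % (data["md5sum"], actual))

    accepted, rejected = [], []
    # Assumption: one indicator per line.
    for line in content.decode("utf-8", errors="replace").splitlines():
        value = line.strip()
        if not value:
            continue
        if pkg_type == URL_TYPE:
            accepted.append(value)
        elif re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_LENGTH[pkg_type], value):
            accepted.append(value.lower())
        else:
            rejected.append(value)  # keep malformed lines out of block lists
    return {"version": (data["major"], data["minor"]),
            "entries": accepted, "rejected": rejected}


def constructed_malpkg_response(lines, message="OK"):
    """Build a constructed response shaped like the one above (sample data only)."""
    body = ("\n".join(lines) + "\n").encode("utf-8")
    status = {"code": 0, "message": "OK"} if message == "OK" else {"message": message}
    return {
        "id": 22,
        "ver": "2.4.1",
        "result": {
            "url": "/scan/device/download-malpkg-text",
            "status": status,
            "data": {
                "download_file": base64.b64encode(body).decode("ascii"),
                "md5sum": hashlib.md5(body).hexdigest(),
                "major": 2,
                "minor": 101,
            },
        },
    }


if __name__ == "__main__":
    digest = hashlib.sha256(b"constructed-sample").hexdigest()
    print(parse_malpkg_text(constructed_malpkg_response([digest, "not-a-hash"]), 0))
```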

23. Get AV-Rescan results (for customized rescan results only)


{
"method": "post",
"params": [
{
"url": "/scan/result/get-avrescan",
"need_av_ver":0,
"stime":1454438805,
"etime":1454448805
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 23,
"ver": "2.1"
}
{
"id": 23,
"ver": "2.1"
"result": {
"url": "/scan/result/get-avrescan",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"avadb_ver" : "00028.00854",
"rescan_list" : [
{"rating" : "Malicious",
"score" : 1,
"sha256": "the_files_sha256_checksum",
"sha1": "the_files_sha1_checksum",
"start_ts": 1377618931,
"finish_ts":1377618961


"malware_name": "virus name",


"vid": virus_id,
"detection_os": "[os_name1, os_name2]",
"rating_source": "AV Scan",
"catetory": "Backdoor",
"untrusted": 1,
"now":1377618931,
"detail_url": "the_job_detail_page_link",
"download_url": "eNrLKCkpsNLXN7Q00jM0s9AzN9AztDDRT0ss1",
"false_positive_negative": 0
"ftype": "[file_type1, file_type2]"
}
]
}
}
}

Notes and Comments:

need_av_ver 0: False, 1: True. If true, only return AV version

stime Start epoch time

etime End epoch time

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR", "NO_AVRESCAN_RESULT"

rating One of the following: 'Unknown', 'Clean', 'Malicious', 'High Risk', 'Medium Risk', 'Low Risk'

score One of the following: RISK_UNKNOWN -1, RISK_CLEAN 0, RISK_MALICIOUS 1, RISK_HIGH 2, RISK_MEDIUM 3, RISK_LOW 4

start_ts Start scan time, UTC

finish_ts Finish scan time, UTC

malware_name Virus name if it's a known virus

vid Detailed information of virus can be found at http://www.fortiguard.com/encyclopedia/virus/#id=virus_id

rating_source One of: "AV Scan", "Cloud Query", "Sandboxing", "Static Scan", "Other"

category One of: 'Clean', 'Unknown', 'Infector', 'Worm', 'Botnet', 'Hijack', 'Stealer', 'Backdoor', 'Injector',
'Rootkit', 'Adware', 'Dropper', 'Downloader', 'Trojan', 'Riskware', 'Grayware', or 'Attacker'.

untrusted 0: the result can be trusted, 1: the scan environment has changed since this file's scan

now FortiSandbox's time, UTC

detail_url base64 encoded download URL

download_url base64 encoded download URL

false_positive_negative 0: not false positive or false negative, 1: false positive, 2: false negative

ftype File type of file, e.g., "exe", "pdf", "Unknown"
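A triage pass over rescan_list using the field codings in the notes above, as an added Python example that is not part of the Fortinet reference. The bucket names, the alert policy (Malicious and High Risk) and the constructed sample entries are assumptions of this example.

```python
from datetime import datetime, timezone

# score -> rating, as listed in the notes above. The scale is not ordinal:
# 1 is the most severe, 4 the least, 0 is clean and -1 is unknown, so a
# plain "score >= threshold" comparison selects the wrong entries.
SCORE_TO_RATING = {
    -1: "Unknown", 0: "Clean", 1: "Malicious",
    2: "High Risk", 3: "Medium Risk", 4: "Low Risk",
}
DEFAULT_ALERT_SCORES = frozenset({1, 2})  # assumed policy for this example


def utc_iso(epoch):
    """Format an epoch timestamp (UTC per the notes) as ISO 8601."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def triage_rescan(response, alert_scores=DEFAULT_ALERT_SCORES):
    """Sort rescan entries into alerts, stale results, false positives and mismatches."""
    buckets = {"alerts": [], "stale": [], "false_positives": [], "inconsistent": []}
    result = response["result"]
    message = result["status"]["message"]
    if message == "NO_AVRESCAN_RESULT":
        return buckets
    if message != "OK":
        raise RuntimeError("API returned %r" % message)

    for entry in result.get("data", {}).get("rescan_list", []):
        score = entry.get("score")
        record = {
            "sha256": entry.get("sha256"),
            "rating": entry.get("rating"),
            "malware_name": entry.get("malware_name"),
            "rating_source": entry.get("rating_source"),
            "finished": utc_iso(entry["finish_ts"]) if "finish_ts" in entry else None,
        }
        if SCORE_TO_RATING.get(score) != entry.get("rating"):
            buckets["inconsistent"].append(record)      # score and rating disagree
        elif entry.get("false_positive_negative") == 1:
            buckets["false_positives"].append(record)   # marked as false positive
        elif score not in alert_scores:
            continue                                    # below the alert policy
        elif entry.get("untrusted") == 1:
            buckets["stale"].append(record)             # scan environment changed
        else:
            buckets["alerts"].append(record)
    return buckets


def constructed_entry(tag, rating, score, **extra):
    """One constructed rescan_list entry (sample data only)."""
    entry = {"sha256": "constructed-sha256-" + tag, "rating": rating, "score": score,
             "finish_ts": 1377618961, "malware_name": "constructed name",
             "rating_source": "AV Scan", "untrusted": 0, "false_positive_negative": 0}
    entry.update(extra)
    return entry


CONSTRUCTED_RESPONSE = {
    "id": 23,
    "ver": "2.1",
    "result": {
        "url": "/scan/result/get-avrescan",
        "status": {"code": 0, "message": "OK"},
        "data": {"avadb_ver": "00028.00854", "rescan_list": [
            constructed_entry("a", "Malicious", 1),
            constructed_entry("b", "High Risk", 2, untrusted=1),
            constructed_entry("c", "Low Risk", 1),
            constructed_entry("d", "Malicious", 1, false_positive_negative=1),
            constructed_entry("e", "Low Risk", 4),
        ]},
    },
}

if __name__ == "__main__":
    for name, records in triage_rescan(CONSTRUCTED_RESPONSE).items():
        print(name, [r["sha256"] for r in records])
```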

24. Return all installed VM name and their clone number


{
"method": "get", or "post"
"params": [
{
"url": "/alert/ondemand/hcmvminfo"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 24,
"ver": "2.2"
}
{
"id": 24,
"ver": "2.2"
"result": {
"url": "/alert/ondemand/hcmvminfo",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"vm-list":[
{"id": 4,
"name": "WINXPVM1",
"version": 6,
"clonenum": 2,
"status":"activated"
},
{"id": 8,
"name": "WIN7X86VM",
"version": 6,
"clonenum": 2,


"status":"activated"
},
...
]
}
}
}

Notes and Comments:

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

25. Allow user to add/delete checksums to allow/block (white/black) list


{
"method": "post",
"params": [
{
"url": "/scan/policy/block-allow-list",
"list_type": "allow",
"checksum_type": "md5",
"action": "append",
"upload_file": "dGhpcyBpcyBhIHRlc3QhCg=="
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 25,
"ver": "4.0"
}
{
"id": 25,
"ver": "4.0"
"result": {
"url": "/scan/policy/block-allow-list",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"msg": "The action to (append) (MD5) file was successful.",
"error": "",
"download_file":"dGhpcyBpcyBhIHRlc3QhCg==",
}
}
}

Notes and Comments:

list_type The list_type should only be in ["allow", "block"].

checksum_type The checksum_type should only be in ["md5", "sha1", "sha256", "domain", "url", "url_regex"].

action The action should only be in ["append", "replace", "clear", "download", "delete"].


upload_file Encoded (base64) file contents (checksum). Maximum allowed file size is 200M.
upload_file is not required for the download and clear actions.

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"
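A request builder for /scan/policy/block-allow-list that enforces the value sets in the notes above before anything is sent, as an added Python example that is not part of the Fortinet reference. It assumes one entry per line in upload_file and reads the 200M limit as 200 * 1024 * 1024 bytes of unencoded content; the function names are this example's own.

```python
import base64
import re

LIST_TYPES = ("allow", "block")
CHECKSUM_TYPES = ("md5", "sha1", "sha256", "domain", "url", "url_regex")
ACTIONS = ("append", "replace", "clear", "download", "delete")
NO_FILE_ACTIONS = ("download", "clear")       # upload_file not required
HEX_LENGTH = {"md5": 32, "sha1": 40, "sha256": 64}
MAX_UPLOAD_BYTES = 200 * 1024 * 1024          # assumed reading of "200M"


def normalize_entry(entry, checksum_type):
    """Validate one list entry; hashes are checked for length and hex digits."""
    value = entry.strip()
    # An embedded line break would smuggle a second entry into the list.
    if not value or any(ch in value for ch in "\r\n\x00"):
        raise ValueError("empty entry or embedded line break: %r" % entry)
    hex_len = HEX_LENGTH.get(checksum_type)
    if hex_len is None:
        return value                          # domain, url, url_regex: kept as given
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % hex_len, value):
        raise ValueError("%r is not a valid %s checksum" % (value, checksum_type))
    return value.lower()


def build_list_request(session, list_type, checksum_type, action, entries=(), req_id=25):
    """Return the JSON-ready request dict for the block/allow list endpoint."""
    if list_type not in LIST_TYPES:
        raise ValueError("list_type must be one of %r" % (LIST_TYPES,))
    if checksum_type not in CHECKSUM_TYPES:
        raise ValueError("checksum_type must be one of %r" % (CHECKSUM_TYPES,))
    if action not in ACTIONS:
        raise ValueError("action must be one of %r" % (ACTIONS,))

    params = {
        "url": "/scan/policy/block-allow-list",
        "list_type": list_type,
        "checksum_type": checksum_type,
        "action": action,
    }
    entries = list(entries)
    if action in NO_FILE_ACTIONS:
        if entries:
            raise ValueError("action %r takes no upload_file" % action)
    else:
        if not entries:
            raise ValueError("action %r needs at least one entry" % action)
        cleaned = [normalize_entry(e, checksum_type) for e in entries]
        body = ("\n".join(cleaned) + "\n").encode("utf-8")
        if len(body) > MAX_UPLOAD_BYTES:
            raise ValueError("upload_file content exceeds the 200M limit")
        params["upload_file"] = base64.b64encode(body).decode("ascii")
    return {"method": "post", "params": [params], "session": session,
            "id": req_id, "ver": "4.0"}


if __name__ == "__main__":
    # Constructed checksum and session token, for illustration only.
    print(build_list_request("constructed-session", "block", "md5", "append",
                             ["0123456789abcdef0123456789abcdef"]))
```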

26. Mark a sample as false negative/false positive


{
"method": "post",
"params": [
{
"url": "/analysis/details/submit-feedback",
"jid": "2829727883009566742",
"comments": "comments for FN/FP",
"cloud_submit": 0,
"sha256":"88ac682b7c3ee5ab8a5f63256fa0de374b0b667e851bbc6e62bd2ae18fb84afe",
"md5sum" : "b0ed36a4b6282b566328a...",
"contact_email": "[email protected]",
"type": 0
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 26,
"ver": "2.3"
}
{
"id": 26,
"ver": "2.3"
"result": {
"url": "/analysis/details/submit-feedback",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"msg": "Feedback was submitted successfully.",
"error": "",
}
}
}

Notes and Comments:

jid The Job ID.

comments Comments cannot be empty.

cloud_submit 0: do not submit; otherwise, submit feedback to community cloud.
URL submission to community cloud is not supported.
If cloud_submit is 1 and jid is URL type, an error message URL_SUBMISSION_IS_NOT_SUPPORTED appears.


type 1: Review for Clean(FP). 2: Review for Suspicious(FN). 0: Reset back to clean/malicious.

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR", "URL_SUBMISSION_TO_CLOUD_IS_NOT_SUPPORTED"

27. Configure system hostname


{
"method": "post",
"params": [
{
"url": "/config/system/hostname",
"hostname": "new_hostname",
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 27,
"ver": "2.3"
}
{
"id": 27,
"ver": "2.3"
"result": {
"url": "/config/system/hostname",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"hostname": "new_hostname or original_hostname",{
"msg": "Hostname was changed to new_hostname successfully.",
"error": "",
}
}
}

Notes and Comments:

hostname New hostname; the original hostname will be returned if empty.

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

28. Configure system timezone


{
"method": "post",
"params": [
{
"url": "/config/system/timezone",
"tzid": "new_tzid",
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",


"id": 28,
"ver": "2.3"
}
{
"id": 28,
"ver": "2.3",
"result": {
"url": "/config/system/timezone",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"timezone": "(GMT-8:00)Pacific Time(US&Canada)",
"msg": "Timezone was changed to (GMT-8:00)Pacific Time(US&Canada) successfully",
"error": ""
}
}
}

Notes and Comments:

tzid New timezone ID; the original timezone will be returned if empty.

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

Timezone id is defined as:

timezones = [
["0", "(GMT-12:00)Eniwetok,Kwajalein", "Kwajalein"],
["1", "(GMT-11:00)Midway Island, Samoa", "Pacific/Midway"],
["2", "(GMT-10:00)Hawaii", "US/Hawaii"],
["3", "(GMT-9:00)Alaska", "US/Alaska"],
["4", "(GMT-8:00)Pacific Time(US&Canada)", "PST8PDT"],
["5", "(GMT-7:00)Arizona", "US/Arizona"],
["6", "(GMT-7:00)Mountain Time(US&Canada)", "MST7MDT"],
["7", "(GMT-6:00)Central America", "America/Belize"],
["8", "(GMT-6:00)Central Time", "CST6CDT"],
["9", "(GMT-6:00)Mexico City", "America/Mexico_City"],
["10", "(GMT-6:00)Saskatchewan", "Canada/Saskatchewan"],
["11", "(GMT-5:00)Bogota,Lima,Quito", "America/Bogota"],
["12", "(GMT-5:00)Eastern Time(US & Canada)", "EST5EDT"],
["13", "(GMT-5:00)Indiana(East)", "US/East-Indiana"],
["70", "(GMT-4:30)Caracas", "America/Caracas"],
["14", "(GMT-4:00)Atlantic Time(Canada)", "Canada/Atlantic"],
["15", "(GMT-4:00)La Paz", "America/La_Paz"],
["16", "(GMT-4:00)Santiago", "America/Santiago"],
["72", "(GMT-4:00)San Luis, Argentina", "America/Argentina/San_Luis"],
["17", "(GMT-3:30)Newfoundland", "Canada/Newfoundland"],
["18", "(GMT-3:00)Brasilia", "Brazil/East"],
["19", "(GMT-3:00)Buenos Aires, Georgetown", "America/Buenos_Aires"],
["73", "(GMT-3:00)San Juan, Argentina", "America/Argentina/San_Juan"],
["20", "(GMT-3:00)Greenland", "America/Danmarkshavn"],
["21", "(GMT-2:00)Mid-Atlantic", "Atlantic/South_Georgia"],
["22", "(GMT-1:00)Azores", "Atlantic/Azores"],
["23", "(GMT-1:00)Cape Verde Is.", "Atlantic/Cape_Verde"],
["24", "(GMT)Casablanca, Monrouia", "Africa/Casablanca"],


["25", "(GMT)Greenwich Mean Time: Dublin,Edinburgh,Lisbon,London", "Europe/London"],


["71", "(UTC)Coordinated Universal Time", "UTC"],
["26", "(GMT+1:00)Amsterdam,Berlin,Bern,Rome,Stockholm,Vienna", "Europe/Amsterdam"],
["27", "(GMT+1:00)Belgrade,Bratislava,Budapest,Ljubljana,Prague", "Europe/Belgrade"],
["28", "(GMT+1:00)Brussels,Copenhagen,Madrid,Paris", "Europe/Brussels"],
["29", "(GMT+1:00)Sarajevo,Skopje,Sofija,Vilnius,Warsaw,Zagreb", "Europe/Sarajevo"],
["30", "(GMT+1:00)West Central Africa", "Africa/Algiers"],
["31", "(GMT+2:00)Athens,Istanbul,Minsk", "Europe/Athens"],
["32", "(GMT+2:00)Bucharest", "Europe/Bucharest"],
["33", "(GMT+2:00)Cairo", "Africa/Cairo"],
["34", "(GMT+2:00)Harare,Pretoria", "Africa/Harare"],
["35", "(GMT+2:00)Helsinki,Riga,Tallinn", "Europe/Helsinki"],
["36", "(GMT+2:00)Jerusalem", "Asia/Jerusalem"],
["37", "(GMT+3:00)Baghdad", "Asia/Baghdad"],
["38", "(GMT+3:00)Kuwait,Riyadh", "Asia/Kuwait"],
["39", "(GMT+3:00)Moscow,St.Petersburg,Volgograd", "Europe/Moscow"],
["40", "(GMT+3:00)Nairobi", "Africa/Nairobi"],
["41", "(GMT+3:30)Tehran", "Asia/Tehran"],
["42", "(GMT+4:00)Abu Dhabi,Muscat", "Asia/Muscat"],
["43", "(GMT+4:00)Baku,Tbilisi,Yerevan", "Asia/Baku"],
["44", "(GMT+4:30)Kabul", "Asia/Kabul"],
["45", "(GMT+5:00)Ekaterinburg", "Asia/Yekaterinburg"],
["46", "(GMT+5:00)Islamabad,Karachi,Tashkent", "Asia/Karachi"],
["47", "(GMT+5:30)Calcutta,Chennai,Mumbai,New Delhi", "Asia/Calcutta"],
["48", "(GMT+5:45)Katmandu", "Asia/Katmandu"],
["49", "(GMT+6:00)Almaty,Novosibirsk", "Asia/Almaty"],
["50", "(GMT+6:00)Astana,Dhaka", "Asia/Dhaka"],
["51", "(GMT+6:00)Sri Jayawardenepura", "Asia/Colombo"],
["52", "(GMT+6:30)Rangoon", "Asia/Rangoon"],
["53", "(GMT+7:00)Bangkok,Hanoi,Jakarta", "Asia/Bangkok"],
["54", "(GMT+7:00)Krasnoyarsk", "Asia/Krasnoyarsk"],
["55", "(GMT+8:00)Beijing,ChongQing,HongKong,Urumgi", "Asia/Chongqing"],
["56", "(GMT+8:00)Irkutsk,Ulaan Bataar", "Asia/Irkutsk"],
["57", "(GMT+8:00)Kuala Lumpur,Singapore", "Asia/Kuala_Lumpur"],
["58", "(GMT+8:00)Perth", "Australia/Perth"],
["59", "(GMT+8:00)Taipei", "Asia/Taipei"],
["60", "(GMT+9:00)Osaka,Sapporo,Tokyo,Seoul", "Asia/Tokyo"],
["61", "(GMT+9:00)Yakutsk", "Asia/Yakutsk"],
["62", "(GMT+9:30)Adelaide,Darwin", "Australia/Adelaide"],
["63", "(GMT+10:00)Brisbane", "Australia/Brisbane"],
["64", "(GMT+10:00)Canberra,Melbourne,Sydney", "Australia/Canberra"],
["65", "(GMT+10:00)Guam,Port Moresby,Hobart,Vladivostok", "Pacific/Guam"],
["66", "(GMT+11:00)Magadan,Solomon Is.,New Caledonia", "Asia/Magadan"],
["67", "(GMT+12:00)Auckland,Wellington", "Pacific/Auckland"],
["68", "(GMT+12:00)Fiji,Kamchatka,Marshall Is.", "Pacific/Fiji"],
["69", "(GMT+13:00)Nuku'alofa", "Pacific/Tongatapu"],

29. Configure system time and NTP server


{
"method": "post",
"params": [
{
"url": "/config/system/ntp",
"year": "2016",
"month": "06",


"day": "15",
"hour":"15",
"minute": "0",
"second": "0",
"useNTP": 0,
"ntp_server": "0.pool.ntp.org",
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 29,
"ver": "2.3"
}
{
"id": 29,
"ver": "2.3"
"result": {
"url": "/config/system/ntp",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"msg": "Time and NTP configuration was changed successfully.",
"error": "",
}
}
}

Notes and Comments:

hostname New hostname; the original hostname will be returned if empty.

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

30. Configure system interface


{
"method": "post",
"params": [
{
"url": "/config/system/interface",
"port": "port1",
"ipv4": "192.168.100.100/255.255.255.0",
"ipv6": "2001:192:168::1/64",
"up_down": "up",
"http_access: "0",
"ssh_access": "0",
"telnet_access": "0",
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 30,
"ver": "2.3"
}
{


"id": 30,
"ver": "2.3"
"result": {
"url": "/config/system/interface",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"msg": "Network interface configuration was successfully updated",
"error": "",
}
}
}

Notes and Comments:

ipv6 Optional

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

up_down "up", or "down"

http_access "0": not allow, "1": allow

ssh_access "0": not allow, "1": allow

telnet_access "0": not allow, "1": allow

31. Configure system DNS


{
"method": "post",
"params": [
{
"url": "/config/system/dns",
"primary": "172.16.100.80",
"secondary": "8.8.8.8",
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 31,
"ver": "2.3"
}
{
"id": 31,
"ver": "2.3"
"result": {
"url": "/config/system/dns",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"msg": "DNS configuration was successfully updated.",
"error": "",


}
}
}

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

32. Configure system routing


{
"method": "post",
"params": [
{
"url": "/config/system/routing",
"action": "create",
"destination": "172.16.68.0/24",
"device": "port1",
"gateway": "172.17.94.97",
"orig_destination": "",
"orig_device": "",
"orig_gateway": "",
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 32,
"ver": "2.3"
}
{
"id": 32,
"ver": "2.3"
"result": {
"url": "/config/system/routing",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"msg": "",
"error": "",
}
}
}

Notes and Comments:

action create: destination, device and gateway should be provided.


update: all information should be provided.
delete: orig_destination, orig_device, orig_gateway should be provided.

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"


33. Configure system administrator


{
"method": "post",
"params": [
{
"url": "/config/system/administrator",
"action": "create",
"bind_type":0,
"username": "new_user",
"password": "password",
"pwd_changed": 0,
"old_password": "oldpass",
"user_type": 0,
"server": "ldap-or-radius-server.local",
"privilege": 1,
"profile": "Super Admin",
"language": "en-us",
"trusted_host1":"",
"trusted_host2":"",
"trusted_host3":"",
"trusted_ipv6_host1":"",
"trusted_ipv6_host2":"",
"trusted_ipv6_host3":"",
"comments":"",
"download_orig_file":0,
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 33,
"ver": "2.3"
}
{
"id": 33,
"ver": "2.3"
"result": {
"url": "/config/system/administrator",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"msg": "Administrators were successfully added.",
"error": "",
}
}
}

Notes and Comments:

action "create", "update", "delete"

bind_type 0:Simple, 1:Anonymous, 2:Regular

pwd_changed For update. 0: not, 1: changed.


old_password Only for update.

user_type 0:LOCAL, 1:LDAP, 2:RADIUS.

profile Admin profile name

privilege 0: READONLY, 1:READ/WRITE

language Either "en-us" for English, or "ja" for Japanese.

download_orig_file 0:NO(unchecked), 1:YES(checked)

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

34. Configure system LDAP

Using the post method

{
"method": "post",
"params": [
{
"url": "/config/system/ldap",
"action": "create",
"name": "ldap_name",
"bind_type": 0,
"username": "new_user",
"password": "password",
"pwd_changed":0
"address": "address",
"port": 636,
"cn": "accounts",
"dn": "corp.company.com",
"isSecure": 0,
"proto": 2,
"ca": "",
"attributes":"attr",
"connect_timeout":599,
"filter":"filter",
"group":"group",
"member_of_attr":"memberof",
"profile_attr":"profile",
"secondary_server":"second_server",
"tertiary_server":"third_server"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 34,
"ver":"4.0"
}
{
"id": 34,
"ver":"4.0"
"result": {
"url": "/config/system/ldap",
"status": {


"code": 0,
"message": "OK"
},
"data":{
"msg": "New LDAP server was successfully added.",
"error": "",
}
}
}

Using the get method

{
"method": "get",
"params": [
{
"url": "/config/system/ldap"
}
],
"session": "",
"id": 34,
"ver": "4.0"
}
{
'id': 34,
'result': {
'data': [
{
'address': '9.9.7.50',
'attributes': 'abc attr',
'bind_type': 0,
'cacert': 'abc_ca',
'cn': 'abc',
'con_type': 2,
'connect_timeout': 600,
'dn': 'dc=hat,dc=shoe',
'filter': 'abc_filter',
'group': 'abc_group',
'member_of_attr': 'abc_memberof',
'name': 'somewhere',
'port': 636,
'profile_attr': 'abc_profile',
'regular_password': '',
'regular_user': '',
'secondary_server': 'abc_2nd_server',
'tertiary_server': 'abc_3rd_server'
},
{
'address': '33.44.55.66',
'attributes': 'xyz attr',
'bind_type': 1,
'cacert': 'xyz_ca',
'cn': 'xyz',
'con_type': 0,
'connect_timeout': 480,
'dn': 'dc=coat,dc=sweater',
'filter': 'xyz_filter',


'group': 'xyz_group',
'member_of_attr': 'xyz_memberof',
'name': 'somehow',
'port': 389,
'profile_attr': 'xyz_profile',
'regular_password': '',
'regular_user': '',
'secondary_server': 'xyz_2nd_server',
'tertiary_server': 'xyz_3rd_server'
}
],
'status': {
'code': 0, 'message': 'OK'
},
'url': '/config/system/ldap'
},
'ver': '4.0'
}

Notes and Comments:

action "create", "update", "delete"

bind_type 0:Simple, 1:Anonymous, 2:Regular

username For regular bind type

password For regular bind type

pwd_changed For regular bind type and action='update', 0: No, 1: Yes

isSecure 0: No(unchecked), 1:YES(checked). This field is not needed for JSON API requests.

proto 0:NON_SECURE, 1:STARTTLS, 2:LDAPS

pwd_changed For regular bind type, 0: No, 1: Yes

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"
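An audit of the get response from /config/system/ldap for weak directory settings, as an added Python example that is not part of the Fortinet reference. It assumes that con_type in the get response uses the same coding as proto in the post request (0:NON_SECURE, 1:STARTTLS, 2:LDAPS) and that an empty cacert means no CA certificate is configured; the port expectations are the standard LDAP defaults, not values from this page.

```python
# Coding from the notes above. Assumption: "con_type" in the get response
# carries the same values as "proto" in the post request.
PROTO_NAMES = {0: "NON_SECURE", 1: "STARTTLS", 2: "LDAPS"}
STANDARD_PORT = {0: 389, 1: 389, 2: 636}  # standard LDAP defaults, not from this page


def audit_ldap_servers(response):
    """Return {server name: [finding, ...]} for every configured LDAP server."""
    result = response["result"]
    message = result["status"]["message"]
    if message != "OK":
        raise RuntimeError("API returned %r" % message)

    report = {}
    for server in result.get("data", []):
        findings = []
        con_type = server.get("con_type")
        if con_type not in PROTO_NAMES:
            findings.append("unknown con_type %r" % (con_type,))
        else:
            if con_type == 0:
                findings.append("NON_SECURE transport: binds and lookups are sent in clear text")
            elif not server.get("cacert"):
                findings.append("%s configured without a CA certificate" % PROTO_NAMES[con_type])
            if server.get("port") != STANDARD_PORT[con_type]:
                findings.append("port %r is unusual for %s"
                                % (server.get("port"), PROTO_NAMES[con_type]))
        if server.get("bind_type") == 1:
            findings.append("Anonymous bind: directory lookups are not authenticated")
        report[server.get("name", "<unnamed>")] = findings
    return report


# Trimmed from the sample get response above (only the audited fields are kept).
SAMPLE_RESPONSE = {
    "id": 34,
    "ver": "4.0",
    "result": {
        "url": "/config/system/ldap",
        "status": {"code": 0, "message": "OK"},
        "data": [
            {"name": "somewhere", "address": "9.9.7.50", "port": 636,
             "bind_type": 0, "con_type": 2, "cacert": "abc_ca"},
            {"name": "somehow", "address": "33.44.55.66", "port": 389,
             "bind_type": 1, "con_type": 0, "cacert": "xyz_ca"},
        ],
    },
}

if __name__ == "__main__":
    for name, findings in audit_ldap_servers(SAMPLE_RESPONSE).items():
        print(name, findings or "no findings")
```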

35. Configure system RADIUS


{
"method": "post",
"params": [
{
"url": "/config/system/radius",
"action": "create",
"name": "radius_name",
"auth_type": 0,
"primary_server": "192.168.100.100",
"secondary_server": "192.168.100.101",
"port": 1812,
"primary_secret": "pwd1234",
"secondary_secret": "pwd4567",
"nas_ip": "172.16.66.66",


"primary_secret_changed": 0,
"secondary_secret_changed": 0,
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 35,
"ver": "2.3"
}
{
"id": 35,
"ver": "2.3"
"result": {
"url": "/config/system/ldap",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"msg": "New RADIUS server was successfully added.",
"error": "",
}
}
}

Notes and Comments:

action "create", "update", "delete"

auth_type 0:ANY_BIND, 1:PAP_BIND, 2:CHAP_BIND, 3:MSV2_BIND

primary_secret_changed 0:not changed, 1:changed

secondary_secret_changed 0:not changed, 1:changed

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

36. Configure system FortiGuard


{
"method": "post",
"params": [
{
"url": "/config/system/fortiguard",
"fdn_overwrite": "0",
"overwrite_server": "192.168.100.205",
"webfiltering_overwrite":"0",
"wfoverwrite_server":"192.168.100.206:53",
"cloud_overwrite":"0",
"cloudserver":"172.17.18.19:53",
"fdnproxy_enable":"0",
"fdn_proxy_type":"0",
"fdn_proxy_server":"",
"fdn_proxy_port":"",


"fdn_proxy_uname":"",
"fdn_proxy_pwd":"",
"wfproxy_enable":"0",
"wf_proxy_server":"",
"wf_proxy_port":"",
"wf_proxy_uname":"",
"wf_proxy_pwd":"",
"cloudproxy_enable":"0",
"cloud_proxy_server":"",
"cloud_proxy_port":"",
"cloud_proxy_uname":"",
"cloud_proxy_pwd":"",
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 36,
"ver": "2.3"
}
{
"id": 36,
"ver": "2.3"
"result": {
"url": "/config/system/fortiguard",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"msg": "FortiGuard service was successfully updated.",
"error": "",
}
}
}

Notes and Comments:

fdn_overwrite "0": uncheck, "1": check

wfoverwrite_server Port is needed. 53 or 8888

cloudserver Required. 53 or 8888

fdnproxy_enable "0":disable, "1":enable

fdn_proxy_type "0":HTTP, "1":SOCKSv4, "3":SOCKSv5

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

37. Configure system mail


{
"method": "post",
"params": [
{
"url": "/config/system/mail",
"smtp":"mail.fortinet.com",


"port":"25",
"account":"[email protected]",
"loginuser":"admin",
"password":"admin1234",
"pwd_changed":0,
"send_mail": "0",
"send_mail_to_dv": "0",
"mail_rating_filter":['2','16','8','4'],
"receiver": "[email protected]",
"send_reqmail":"0",
"reqreceiver":"[email protected]",
"use_fqdn_name_as_ip":"0",
"fqdn_name": "adbc.com",
"send_system_usage_mail": "0",
"system_usage_receivers_list": "[email protected]",
"cpu_threshold": "99",
"ram_threshold": "99",
"disk_threshold": "99",
"ramdisk_threshold": "99",
"vm_threshold": "99"
"total_pending_jobs_threshold": "100",
"average_scan_time_threshold": "100",
"system_check_interval": "10"
"send_pdf":"0",
"send_pdf_to_vdom":"0",
"report_rating_filter":['2','16','8','4', '1'],
"pdf_sum_receiver":"",
"pdf_detail_receiver":"",
"report_schedule_type":"",
"report_week_day":"",
"report_hour_step":"",
"report_day_hour":"",
"report_week_hour":"",
"report_period_days":"",
"report_period_hours":"",
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 37,
"ver": "2.3"
}
{
"id": 37,
"ver": "2.3"
"result": {
"url": ""/config/system/mail",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"msg": "Mail configuration was successfully updated.",
"error": "",
}
}
}


Notes and Comments:

pwd_changed 0:unchanged, 1:changed

send_mail "0": uncheck, "1": check

send_mail_to_dv "0": uncheck, "1": check

mail_rating_filter It has to be an array of: 2: Malicious; 16: High Suspicious; 8: Medium Suspicious;
4: Low Suspicious

send_reqmail "0": uncheck, "1": check

use_fqdn_name_as_ip "0": uncheck, "1": check

send_system_usage_mail "0": uncheck, "1": check

send_pdf "0":disable, "1":enable

send_pdf_to_vdom "0":disable, "1":enable

report_rating_filter It has to be an array of: 2: Malicious; 16: High Suspicious; 8: Medium Suspicious;
4: Low Suspicious

report_schedule_type '0':'HOURLY', '1':'DAILY', '2':'WEEKLY'

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

38. Configure system log server


{
"method": "post",
"params": [
{
"url":"/config/system/logserver",
"/config/system/logserver",
"action": "create",
"type": "0",
"name": "log server name",
"server": "172.17.17.17",
"port": "514",
"enable": "1",
"alert":"1",
"critical":"1",
"error":"1",
"warning":"1",
"info":"1",
"debug":"1",
"alert_clean":"0",
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 38,
"ver": "2.4"
}
{
"id": 38,


"ver": "2.4"
"result": {
"url": "/config/system/logserver",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"msg": "Log server configuration was successfully updated.",
"error": "",
}
}
}

Notes and Comments:

action "create", "update" or "delete"

type '0':'syslog_udp', '1':'FAZ', '2':'CEF', '3':'syslog_tcp'

enable '0':disabled, '1':enabled

alert_clean '0':disabled, '1': Alert logs will include jobs with Clean rating.

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

39. Configure scan profile


{
"method": "post",
"params": [
{
"url": "/config/scan/vmprofile",
"static_extensions": {
"0":{"ext":"enable", "filter_dll":"enable"},
"1":{"ext":"enable", "filter_pdf":"enable"},
"2":{"ext":"enable"},
"3":{"ext":"enable", "filter_swf":"enable"},
"4":{"ext":"enable", "filter_js":"enable", "filter_htm":"enable"},
"5":{"ext":"enable"},
"6":{"ext":"enable"},
"97":{"ext":"enable", "filter_url":"enable"},
"98":{"ext":"enable"}
},
"url_setting": {
"depth": 0,
"max": -1,
"timeout": 60
},
"user_defined_exts": {
"action":"add",
"exts":['ext1', 'ext2'],
},
"vmexts": [
{
"name":"winxpvm",


"action":"add",
"exts":["ppsx","ppt",ppam"],
},
{
"name":"androidvm",
"action":"add",
"exts":["apk"],
},
],
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 39,
"ver": "2.3"
}
{
"id": 39,
"ver": "2.3"
"result": {
"url": "/config/scan/vmprofile",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"msg": "Scan profile configuration was successfully updated.",
"error": "",
}
}
}

Notes and Comments:

static_extensions 0: Executables/DLL/VBS/BAT/PS1/JAR/MSI files


1: PDF files
2: Microsoft Office files (Word, Excel, PowerPoint files etc)
3: Adobe Flash files
4: Static Web files
5: Archive files (with extension of .7z, .xz, .bz2, .gz, .tar, .zip, .rar, .Z etc)
6: Android files
97: URL detection
98: User defined extensions

depth 0, 1, 2, 3, 4 or 5

max Between -1 to 10000

timeout Larger than 30

action "add", "delete", "replace_all"


vmexts exts Combinations of the following list : exe, php, tiff, 7z, gif, png, tnef, asf, htm, ppsx, unk, cdf, ico,
ppt, vcf, com, jpeg, pptx, xls, com1, jpg, qt, xlsx, dll, mov, rar, zip, doc, mp3, rm, docx, mp4, rtf,
pdf, swf, jar, dotx, docm, dotm, xltx, xlsm, xltm, xlsb, xlam, potx, sldx, pptm, ppsm, potm,
ppam, sldm, onetoc, thmx, bat, cmd, vbs, ps1, js, tar, gz, xz, bz2, arj, cab, tgz, txt, z, msi, msg,
asp, jsp, kgb, url, dot, xlt, pps, pot, upx, apk, WEBLink, lnk, jarlib, lzh

name Case-insensitive; get it from the WebUI

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

40. Configure scan benign URLs


'set_scan_benign_url': {
'id': 40,
'method': 'post',
'params': [
{
'url': '/config/scan/benign_url',
'cat_dict': {
'Abortion': 'benign',
'Advocacy Organizations': 'benign',
'Alcohol': 'benign',
'Alcohol and Tobacco': 'benign',
'Child Abuse': 'benign',
'Dating': 'benign',
'Discrimination': 'benign',
'Drug Abuse': 'benign',
'Explicit Violence': 'benign',
'Extremist Groups': 'benign',
'Gambling': 'benign',
'Grayware': 'benign',
'Hacking': 'benign',
'Homosexuality': 'benign',
'Illegal or Unethical': 'benign',
'Marijuana': 'benign',
'Nonexists': 'benign',
'Nudity and Risque': 'benign',
'Occult': 'benign',
'Other Adult Materials': 'benign',
'Plagiarism': 'benign',
'Pornography': 'benign',
'Tobacco': 'benign',
'Weapons (Sales)': 'benign',
"Dynamic DNS":"benign",
"Newly Registered Domain":"benign"
},
}
],
'session': 'SessionID',
'ver': '2.3',
},


Notes and Comments:

cat_dict : Abortion Benign, or suspicious

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

41. Configure scan job archive


{
  "method": "post",
  "params": [
    {
      "url": "/config/scan/job_archive",
      "enable": 1,
      "pwd_changed": 0,
      "server_name": "rpc_test_server_name",
      "server_path": "/path1/path2",
      "sharetype": "0",
      "username": "username",
      "password": "password",
      "archive_file_pwd": 1,
      "archive_file_pwd": "password",
      "filename": "0",
      "folder": "0",
      "metadata": 1,
      "tracerlog": 1,
      "malicious": 1,
      "suspicious": 1,
      "clean_rating": 1,
      "other": 1
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 41,
  "ver": "2.3"
}

{
  "id": 41,
  "ver": "2.3",
  "result": {
    "url": "/config/scan/job_archive",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": {
      "msg": "Archive configuration was successfully updated.",
      "error": ""
    }
  }
}

Notes and Comments:

sharetype 0: SMBv1.0, 1: SMBv2.0, 2: SMBv2.1, 3: SMBv3.0, 4: FIFS, 5: NFSv2, 6: NFSv3, 7: NFSv4, 8: Azure File Share, 9: S3 Bucket

filename "0":'Scan Job ID as File Name', "1":'Original File Name'

folder "0": FLAT, "1": TIME, "2": RATING

metadata 0:disable, 1:enable

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

42. Configure YARA rule


{
  "method": "post",
  "params": [
    {
      "url": "/config/scan/yara",
      "action": "import",
      "yara_name": "yara-name",
      "default_description": "yara description",
      "risk_level": 5,
      "file_type": ["any"],
      "yara_file": "dGhpcyBpcyBhIHRlc3QhCg==",
      "yara_id": "2880877873479829661"
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 42,
  "ver": "2.4"
}

{
  "id": 42,
  "ver": "2.4",
  "result": {
    "url": "/config/scan/yara",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": {
      "yara_id": "2880877873479829661",
      "msg": "Yara configuration was successfully updated.",
      "error": ""
    }
  }
}

Notes and Comments:

action "import", "update", "delete", "activate", "deactivate"

risk_level Rule's risk level, between 0 and 10.
As a guideline, 0~1: Clean; 2~4: Low Risk; 5~7: Medium Risk; 8~10: High Risk

file_type "any", "exe", "dll", "com", "ppt", "pptx", "xls","xlsx", "doc", "docx", "msg", "rtf", "pdf", "swf"
File type "memory" is for memory scan.

yara_file Encoded (base64) file contents

yara_id yara id

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

43. Get multiple file verdicts by submitting multiple SHA256/SHA1/MD5 checksums


{
  "method": "post",
  "params": [
    {
      "url": "/scan/result/multifile",
      "ctype": "sha256",
      "checksum": ["f5e17ed3be9e9fa12360d67af93b33ac8299434369714b44f4c0482432b41b6e",
                   "b34af9dc65a3fe82ade27fae290df13a087c4f532272ce3dcb5f851d31db2c04"]
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 43,
  "ver": "2.4"
}

{
  "id": 43,
  "ver": "2.4",
  "result": {
    "url": "/scan/result/multifile",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": [
      {
        "checksum": "f5e17ed3be9e9fa12360d67af93b33ac8299434369714b44f4c0482432b41b6e",
        "kidsum": 1,
        "sid": 3108940681876575659,
        "job_list": [
          {
            "jid": 3110452159542566741,
            "rating": "Malicious",
            "score": 1,
            "start_ts": 1377618931,
            "finish_ts": 1377618961,
            "rsrcid": "AV Scanner",
            "malware_name": "virus 1",
            "vid": virus_id_1,
            "behavior_info": 0,
            "false_positive_negative": 0,
            "untrusted": 1,
            "ftype": "Unknown"
          },
          {
            "jid": jid_2,
            "rating": "High Risk",
            "score": 1,
            "start_ts": 1377618931,
            "finish_ts": 1377618961,
            "malware_name": "virus 2",
            "vid": virus_id_2,
            "behavior_info": 1,
            "false_positive_negative": 2,
            "untrusted": 0,
            "ftype": "Unknown"
          }
        ],
        "now": 1377618931
      },
      {
        "checksum": "b34af9dc65a3fe82ade27fae290df13a087c4f532272ce3dcb5f851d31db2c04",
        "now": 1377618931
      }
    ]
  }
}

Notes and Comments:

ctype checksum type: "sha1", "sha256", "md5"

checksum Maximum 100 checksums

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

checksum the checksum is the queried checksum.

job_list For a zip file, the result is an array of children's job ids. If jid is [] and rating is ["Clean"], it
means the file is not a supported file type and the file is dropped. In this case, start_ts and
finish_ts will be the UTC time the file is dropped.

rating For a zip file, the result is an array of the following, which denotes the types of ratings of its children:
Unknown,
Clean,
Malicious,
High Risk,
Medium Risk,
Low Risk.
For a single file, the array size is 1.

score For a zip file, the result is the bitwise combination of the following:
• RISK_UNKNOWN -1
• RISK_CLEAN 0
• RISK_MALICIOUS 1
• RISK_HIGH 2
• RISK_MEDIUM 3
• RISK_LOW 4
For a single file, it will be one of the above values.

start_ts start scan time, UTC

finish_ts finish scan time, UTC

vid Detailed information about the virus can be found at http://www.fortiguard.com/encyclopedia/virus/#id=virus_id

behavior_info Whether detailed behavior information is available. 0: not available, 1: available

false_positive_negative 0: not false positive or false negative, 1: false positive, 2: false negative; order corresponds to the order of JID

untrusted 0: the result can be trusted
1: since this file's scan, the scan environment has changed

now FortiSandbox's time, UTC

ftype File type of file, e.g., "exe", "pdf", "Unknown"
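
Added example (not part of Fortinet's reference): one way to batch checksums under the 100-per-request limit and reduce a /scan/result/multifile reply to one verdict per checksum. The function names, the worst-first severity order and the sample reply are assumptions constructed for illustration.

```python
import re

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}   # hex digits per ctype
MAX_PER_REQUEST = 100                              # "Maximum 100 checksums"
# Assumption: worst-first ordering of the rating strings listed in the notes.
SEVERITY = ["Malicious", "High Risk", "Medium Risk", "Low Risk", "Clean", "Unknown"]

def build_requests(checksums, ctype, session):
    """Validate, de-duplicate and split checksums into <=100-item requests."""
    if ctype not in HEX_LEN:
        raise ValueError("ctype must be sha1, sha256 or md5")
    pattern = re.compile(r"[0-9a-f]{%d}" % HEX_LEN[ctype])
    unique = list(dict.fromkeys(c.strip().lower() for c in checksums))
    bad = [c for c in unique if not pattern.fullmatch(c)]
    if bad:
        raise ValueError("not a %s hex digest: %r" % (ctype, bad[0]))
    return [{"method": "post", "id": 43, "ver": "2.4", "session": session,
             "params": [{"url": "/scan/result/multifile", "ctype": ctype,
                         "checksum": unique[i:i + MAX_PER_REQUEST]}]}
            for i in range(0, len(unique), MAX_PER_REQUEST)]

def summarize(response):
    """Map each queried checksum to its worst rating (None without job_list)."""
    result = response["result"]
    if result["status"]["code"] != 0:
        raise RuntimeError(result["status"]["message"])
    verdicts = {}
    for entry in result["data"]:
        jobs = entry.get("job_list") or []
        ratings = []
        for job in jobs:
            r = job["rating"]          # string for one file, array for a zip
            ratings.extend(r if isinstance(r, list) else [r])
        rank = lambda r: SEVERITY.index(r) if r in SEVERITY else len(SEVERITY)
        verdicts[entry["checksum"]] = {
            "rating": min(ratings, key=rank) if ratings else None,
            "stale": any(job.get("untrusted") == 1 for job in jobs),
            "jids": [job["jid"] for job in jobs]}
    return verdicts

# Constructed reply, shaped like the sample in this section.
SAMPLE = {"id": 43, "ver": "2.4", "result": {"url": "/scan/result/multifile",
    "status": {"code": 0, "message": "OK"}, "data": [
        {"checksum": "a" * 64, "job_list": [
            {"jid": 1, "rating": "Low Risk", "untrusted": 0},
            {"jid": 2, "rating": ["Clean", "High Risk"], "untrusted": 1}]},
        {"checksum": "b" * 64, "now": 1377618931}]}}
```

A "stale" verdict corresponds to untrusted = 1, so a caller may prefer to resubmit that file rather than rely on the stored rating.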

45. Get configured user defined file extensions and exclusion list of user configured file extensions

{
  "method": "get",
  "params": [
    {
      "url": "/config/scan/file_exts"
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 45,
  "ver": "2.4"
}

{
  "id": 45,
  "ver": "2.4",
  "result": {
    "url": "/config/scan/file_exts",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": {
      "user-defined-exts": "ext1 ext2 ext3 mydef",
      "exclusion-list": "docx pdf"
    }
  }
}

Notes and Comments:

message "OK", "INVALID_SESSION"

49. Get original file sample


{
  "method": "get",
  "params": [
    {
      "url": "/scan/result/get-avsample",
      "jid": 3496445442339405684
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 49,
  "ver": "2.5"
}

{
  "id": 49,
  "ver": "2.5",
  "result": {
    "url": "/scan/result/get-avsample",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": {
      "avsample": "base64_encoded_zip_file",
      "filename": "original_file_name"
    }
  }
}

Notes and Comments:

message "OK", "INVALID_SESSION", "INVALID_JOB_ID", "INVALID_DATA"
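
Added example (not part of Fortinet's reference): handling a get-avsample reply defensively. The helper names and the size limit are assumptions and the reply is constructed; the returned filename is treated as untrusted input and the archive is listed, never extracted.

```python
import base64
import binascii
import io
import re
import zipfile

def decode_avsample(response, max_bytes=200 * 1024 * 1024):
    """Return (safe_name, zip_bytes, member_names) from a get-avsample reply."""
    result = response["result"]
    status = result["status"]
    if status["code"] != 0:
        raise RuntimeError("get-avsample failed: %s" % status["message"])
    data = result["data"]
    try:
        blob = base64.b64decode(data["avsample"], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("avsample is not valid base64") from exc
    if len(blob) > max_bytes:
        raise ValueError("decoded sample exceeds size limit")
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        raise ValueError("decoded avsample is not a zip archive")
    # List members only; extraction belongs on an isolated analysis host.
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        members = zf.namelist()
    # The original file name comes from the submitter: keep the last path
    # component only and replace anything outside a conservative allow-list.
    base = re.split(r"[\\/]", data.get("filename") or "")[-1]
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".") or "sample"
    return safe[:128] + ".zip", blob, members

def make_constructed_reply(filename):
    """Constructed reply (harmless bytes in a zip) shaped like the sample above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.bin", b"constructed placeholder content")
    return {"id": 49, "ver": "2.5", "result": {
        "url": "/scan/result/get-avsample",
        "status": {"code": 0, "message": "OK"},
        "data": {"avsample": base64.b64encode(buf.getvalue()).decode(),
                 "filename": filename}}}
```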

50. Get PDF report


{
  "method": "get",
  "params": [
    {
      "url": "/scan/result/get-pdf-report",
      "qtype": "jid" or "sha256",
      "qval": 3496445442339405684 or
              "90877c1f6e7c97fb11249dc28dd16a3a3ddfac935d4f38c69307a71d96c8ef45"
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 50,
  "ver": "2.5"
}

{
  "id": 50,
  "ver": "2.5",
  "result": {
    "url": "/scan/result/get-pdf-report",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": {
      "report": "base64_encoded_pdf_file",
      "report_name": "original_file_name"
    }
  }
}

Notes and Comments:

message "OK", "INVALID_SESSION", "INVALID_JOB_ID", "INVALID_DATA"

51. Set admin profiles


{
  "id": "51",
  "method": "post",
  "params": [
    {
      "url": "/scan/result/admin-profile",
      "action": "create",
      "comment": "",
      "name": "profile_name",
      "privileges": {
        "status": 3,
        "operation_center": 3,
        "threats_analysis": 3,
        "security_fabric": 3,
        "jobqueue": 3,
        "vm_jobs": 3,
        "scan_searches": 3,
        "overridden_verdicts": 3,
        "on_demand": 3,
        "scan_configuration": 3,
        "vm_settings": 3,
        "packages": 3,
        "system": 3,
        "admin": 3,
        "network": 3,
        "maintenance": 3,
        "event_calendar": 3,
        "job_view_settings": 3,
        "ha_cluster": 3,
        "logs_reports": 3,
        "log_events": 3,
        "summary_report": 3,
        "report_center": 3,
        "file_statistic": 3,
        "network_alerts": 3,
        "url_statistic": 3,
        "log_servers": 3,
        "log_settings": 3,
        "mark_fpn": 4,
        "dl_orig": 4,
        "json_api": 4,
        "allow_on_demand_scan_interaction": 4,
        "allow_on_demand_scan_video_recording": 4
      }
    }
  ],
  "session": "",
  "ver": "4.0"
}

{
  "id": 51,
  "ver": "4.0",
  "result": {
    "url": "/scan/result/admin-profile",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": {
      "msg": "Admin profile was successfully updated."
    }
  }
}

Notes and Comments:

Saves to admin_profiles. You can add any admin field as a parameter inside "privileges".

action "create", "update", "delete"

privileges 1: None/Disable, 2: Read Only, 3: Read/Write, 4: Enable (applies to control access).
Default value for missing fields is None/Disable.
Control access can only have value 1 or 4.
Other access can only have value 1-3.

name The name of the admin_profile that you want to change or name

For delete No need to put privileges in the JSON
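
Added example (not part of Fortinet's reference): checking a privileges dictionary against the value rules above before sending it. Treating the five fields that carry 4 in the sample request as the control-access fields is an assumption, as are the helper names and the sample read-only profile.

```python
# Assumption: "control access" fields are the five that carry value 4 in the
# sample request in this section; every other privilege is a 1-3 access level.
CONTROL_FIELDS = {"mark_fpn", "dl_orig", "json_api",
                  "allow_on_demand_scan_interaction",
                  "allow_on_demand_scan_video_recording"}
NONE, READ_ONLY, READ_WRITE, ENABLE = 1, 2, 3, 4

def check_privileges(privileges):
    """Return a list of rule violations (empty when the dict is acceptable)."""
    errors = []
    for field, value in sorted(privileges.items()):
        if field in CONTROL_FIELDS:
            allowed, rule = (NONE, ENABLE), "control access must be 1 or 4"
        else:
            allowed, rule = (NONE, READ_ONLY, READ_WRITE), "access level must be 1-3"
        if type(value) is not int or value not in allowed:
            errors.append("%s: %s, got %r" % (field, rule, value))
    return errors

def admin_profile_request(action, name, session, privileges=None, comment=""):
    """Build the section 51 request body; 'delete' carries no privileges."""
    if action not in ("create", "update", "delete"):
        raise ValueError("action must be create, update or delete")
    params = {"url": "/scan/result/admin-profile", "action": action, "name": name}
    if action != "delete":
        errors = check_privileges(privileges or {})
        if errors:
            raise ValueError("; ".join(errors))
        params.update(comment=comment, privileges=dict(privileges or {}))
    return {"id": "51", "method": "post", "params": [params],
            "session": session, "ver": "4.0"}

# Hypothetical least-privilege profile: read-only triage, no original-sample
# download, no API access. Omitted fields default to None/Disable per the notes.
TRIAGE_READ_ONLY = {"status": READ_ONLY, "threats_analysis": READ_ONLY,
                    "scan_searches": READ_ONLY, "logs_reports": READ_ONLY,
                    "dl_orig": NONE, "json_api": NONE}
```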

52. Get job ID by time and score


{
  "method": "get",
  "params": [
    {
      "url": "/scan/result/jids",
      "score": job score,
      "start_ts": "2018-01-01 16:00:00", start time
      "end_ts": "2018-01-01 17:00:00", end time
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 52,
  "ver": "2.5"
}

{
  "id": 52,
  "ver": "2.5",
  "result": {
    "url": "/scan/result/jids",
    "status": {
      "message": "OK",
      "code": 0
    },
    "data": {
      "jid": []
    }
  }
}

Notes and Comments:

score One of the following:
• RISK_UNKNOWN -1
• RISK_CLEAN 0
• RISK_MALICIOUS 1
• RISK_HIGH 2
• RISK_MEDIUM 3
• RISK_LOW 4

message "OK", "INVALID_SESSION", "INVALID_PARAM", "DATA_NOT_EXIST"

jid Job IDs

53. Login with token


{
  "method": "exec",
  "params": [
    {
      "url": "/sys/login/token",
      "token": "LOGIN_TOKEN"
    }
  ],
  "id": 53,
  "ver": "2.3"
}

{
  "id": 53,
  "ver": "2.3",
  "result": {
    "url": "/sys/login/token",
    "status": {
      "code": 0,
      "message": "OK"
    }
  },
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI="
}

Notes and Comments:

message "OK", "TOKEN_NOT_EXISTS", "TOKEN_NOT_MATCH", "WRONG_DATA"

Change Log

Date Change Description

2021-04-19 Initial release.

Fortinet Technologies Inc.
www.fortinet.com

Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
