FortiSandbox - JSON API Reference

Version 3.2.2
December 17, 2020


FortiSandbox 3.2.2 JSON API Reference
34-322-675922-20201217
TABLE OF CONTENTS

JSON API
  API Messages
    1. Login
    2. Logout
    3. Get system information
    4. Get configurations of sniffer
    5. General options, including cloud upload and VM network access settings
    6. Set configurations of sniffer
    7. Set general options, including cloud upload and vm network access settings
    8. Get scanning statistics for last 7 days
    9. Get a copy of backed up config file, in base64 format
    10. Query file verdict through its SHA256 checksum
    11-1. Upload file (on-demand submit for filesize < 20MB)
    11-2. Upload large file (on-demand submit for filesize > 20MB)
    12. Upload URL file (on-demand submit)
    13. Query file rating through its SHA256 checksum—a simple version
    14. Query URL rating
    15. Query job verdict detail through its job ID
    16. Cancel a job submission
    17. Get job ID list for one submission
    18. Get job behavior details for a file
    19. Register (login) a FGT/FML/(others) device to FortiSandbox
    20. Delete (actually hide) a device from FortiSandbox
    21. Get malware package, malicious URL package, or botnet package
    22. Download list of SHA256, SHA1, MD5, or URL from malware package or URL package
    23. Get AV-Rescan results
    24. Return all installed VM name and their clone number
    25. Allow user to add/delete checksums to allow/block (white/black) list
    26. Mark a sample as false negative/false positive
    27. Configure system hostname
    28. Configure system timezone
    29. Configure system time and NTP server
    30. Configure system interface
    31. Configure system DNS
    32. Configure system routing
    33. Configure system administrator
    34. Configure system LDAP
    35. Configure system RADIUS
    36. Configure system FortiGuard
    37. Configure system mail
    38. Configure system log server
    39. Configure scan profile
    40. Configure scan benign URLs
    41. Configure scan job archive
    42. Configure YARA rule
    43. Get multiple file verdicts by submit multiple SHA256/SHA1/MD5
    45. Get configured user defined file extensions and exclusion list of user configured file extensions
    49. Get original file sample
    50. Get PDF report
    51. Set admin profiles
    52. Get job ID by time and score
    53. Login with token
Change Log

Fortinet Technologies Inc.
JSON API

FortiSandbox provides customers the ability to automate some key features and processes using a simple API. This
section will provide some basic examples that will allow you to submit a file or URL, as well as query the FortiSandbox
for the results of a scan.
Using this API can allow you to extend the functionality of your FortiSandbox in many ways. Some potential scenarios
you may wish to use the API for include:
• Submitting files using a simple script: you may have a large number of files you want to scan outside of regular operating hours. These could be previously-quarantined files captured through your endpoint clients. By writing a simple submission script, you eliminate the need to have someone physically submit these through the GUI.
• Submitting files from third-party tools: you may have other infrastructure in place (threat feeds, etc.) that you want to integrate with your FortiSandbox. The API would allow you to submit files and query results in near real-time.

API Messages

In the following API, the "message" field value can be "INVALID_JSON_DATA", "MISSING_PARAM", "INVALID_REQUEST", or "UNSUPPORTED_VER".

1. Login

Login request:

{
  "method": "exec",
  "params": [
    {
      "url": "/sys/login/user",
      "data": [
        {
          "user": "admin",
          "passwd": "123456"
        }
      ]
    }
  ],
  "id": 1,
  "ver": "2.0"
}

Login response:

{
  "id": 1,
  "ver": "2.0",
  "result": {
    "url": "/sys/login/user",
    "status": {
      "code": 0,
      "message": "OK"
    }
  },
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI="
}

Notes and Comments:

message: "OK", or "WRONG_CREDENTIAL", "TIME_OUT", "TOO_MANY_FAILED_RETRY", "WRONG_DATA"

2. Logout

Logout request:

{
  "method": "exec",
  "params": [
    {
      "url": "/sys/logout"
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 2,
  "ver": "2.0"
}

Logout response:

{
  "id": 2,
  "ver": "2.0",
  "result": {
    "url": "/sys/logout",
    "status": {
      "code": 0,
      "message": "OK"
    }
  }
}

Notes and Comments:

message: "OK" or "SYSTEM_ERROR"

3. Get system information

Request to get general system status:

{
  "method": "get",
  "params": [
    {
      "url": "/sys/status"
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 3,
  "ver": "2.0"
}

System status response:

{
  "id": 3,
  "ver": "2.0",
  "result": {
    "url": "/sys/status",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": {...}
  }
}

Notes and Comments:

message: "OK", or "INVALID_SESSION", "SYSTEM_ERROR"

data:
  "64-bit Applications": "No",
  "Admin Domain Configuration": "Enabled",
  "BIOS version": "04000002",
  "Branch Point": "42",
  "System time": "Tue Dec 17 14:22:37 PST 2013",
  "Daylight Time Saving": "Yes",
  "FIPS-CC mode": "disabled",
  "Hostname": "host_name",
  "License Status": 1,
  /* only available for VM model, 1 means valid, 0 means invalid */
  "Platform Full Name": "FortiSandbox-3000D",
  "Platform Type": "FSA3000D",
  "Release Version Information": "Interim",
  "Serial-Number": "FSA3KD3A14000038",
  "Time Zone": "(GMT-8:00) Pacific Time (US & Canada).",
  "Version": "FSA3000D v2.0,build0023,150120 (Interim)",
  "Major": 1,
  "Minor": 2,
  "Patch": 0,
  "Build": 42,
  "win_lic_activated": 1,
  "fdn_server_accessible": 1,
  "vm_network_accessible": 1,
  "cloud_server_accessible": 1,
  "wf_server_accessible": 1
  /* 1 means activated or accessible, 0 means not yet */

4. Get configurations of sniffer


Request:

{
  "method": "get",
  "params": [
    {
      "url": "/config/scan/devsniffer"
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 4,
  "ver": "2.3"
}

Response:

{
  "id": 4,
  "ver": "2.3",
  "result": {
    "url": "/config/scan/devsniffer",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": {...}
  }
}

Notes and Comments:

message: "OK", or "INVALID_SESSION", "SYSTEM_ERROR"

data:
  "file_detection": 1, /* Enable file based detection */
  "network_alert_detection": 1, /* 1- enabled, 0-disabled */
  "sniffer_port": "port2,port4", /* comma separated port list */
  "keep_incomplete_file": 1, /* 1- yes, 0-no */
  "max_file_size": 2048, /* in kB */
  "service_type": ["HTTP","SMTP","POP3","FTP","IMAP","SMB","OTHER"],
  "file_type": ["allfiletype","allarchive","exe","pdf","doc","ppt","flash","jar","java","com","js","html","emlbdy"]

5. General options, including cloud upload and VM network access settings


Request:

{
  "method": "get",
  "params": [
    {
      "url": "/config/scan/options"
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 5,
  "ver": "2.0"
}

Response:

{
  "id": 5,
  "ver": "2.0",
  "result": {
    "url": "/config/scan/options",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": {...}
  }
}

Notes and Comments:

message: "OK", or "INVALID_SESSION", "SYSTEM_ERROR"

data:
  "cloud_upload": 1,
  /* 1- enabled, 0-disabled */
  "vm_network_access": 1,
  /* 1- enabled, 0-disabled */
  "log_device_submission": 1,
  /* 1- enabled, 0-disabled */
  "rej_dup_device_submission": 1,
  /* 1- enabled, 0-disabled */
  "del_clean_file": 10,
  /* -1- disabled, >0 delete after x minutes */
  "del_job_info": 10,
  /* -1- disabled, >0 delete after x minutes */
  "archive_job": 1
  /* 0- disabled, 1- enabled */

6. Set configurations of sniffer


Request:

{
  "method": "set",
  "params": [
    {
      "url": "/config/scan/devsniffer",
      "file_detection": 1,
      "network_alert_detection": 1,
      "sniffer_port": "port2,port3",
      "keep_incomplete_file": 1,
      "conserve_mode": 1,
      /* 1-yes, 0-no */
      "max_file_size": 2048, /* KB */
      "service_type": ["HTTP","SMTP","POP3","FTP","IMAP","SMB","OTHER"],
      "file_type": ["allfiletype","allarchive","exe","pdf","doc","ppt","flash","jar","java","com","js","html","emlbdy"],
      "scan_url": 1,
      "checked_cus_ftype": ["checked_ftype"],
      "unchecked_cus_ftype": ["unchecked_ftype"]
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 6,
  "ver": "2.3.1"
}

Response:

{
  "id": 6,
  "ver": "2.3.1",
  "result": {
    "url": "/config/scan/devsniffer",
    "status": {
      "code": 0,
      "message": "OK"
    }
  }
}

Notes and Comments:

message: "OK", or "INVALID_SESSION", "SYSTEM_ERROR"

7. Set general options, including cloud upload and vm network access settings

Request:

{
  "method": "set",
  "params": [
    {
      "url": "/config/scan/options",
      "cloud_upload": 1,
      "fdn_stats_upload": 1,
      "vm_network_access": 1,
      "vm_gateway": "172.17.58.3",
      "vm_dns": "8.8.8.8",
      "vm_proxy_enable": 1,
      "vm_proxy_server": "172.17.17.17",
      "vm_proxy_port": "8080",
      "vm_proxy_type": "0",
      /* "0":HTTP Connect, "1":HTTP Relay, "2":Sockv4, "3":Sockv5 */
      "vm_proxy_uname": "admin",
      "vm_proxy_password": "admin123",
      "vm_proxy_debug": 0,
      /* all vm_* options are not configurable for AWS model */
      "url_callback_detection": 1,
      /* url_callback_detection is not configurable for AWS model */
      "url_submit_webfilter": 1,
      "log_device_submission": 1,
      "rej_dup_device_submission": 1,
      /* 1-yes, 0-no */
      "del_clean_file": 10,
      "del_bad_file": 10,
      "del_job_info": 10,
      "del_bad_job_info": 10,
      "default_password": ["mypassword1", "mypassword2"],
      "default_pdf_office_password": "mypassword1",
      "disable_cloud_query": 1,
      "disable_av_rescan": 1,
      "log_adapter_submission": 1,
      "log_netshare_submission": 1,
      "log_icap_submission": 1,
      "log_bcc_submission": 1
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 7,
  "ver": "2.4.1"
}

Response:

{
  "id": 7,
  "ver": "3.0.2",
  "result": {
    "url": "/config/scan/options",
    "status": {
      "code": 0,
      "message": "OK"
    }
  }
}

Notes and Comments:

message: "OK", or "INVALID_SESSION", "SYSTEM_ERROR"

8. Get scanning statistics for last 7 days


Request:

{
  "method": "get",
  "params": [
    {
      "url": "/scan/stat/last_7day",
      "period": 10080 /* 7*24*60 */
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 8,
  "ver": "2.1.1"
}

Response:

{
  "id": 8,
  "ver": "2.1.1",
  "result": {
    "url": "/scan/stat/last_7day",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": {...}
  }
}

Notes and Comments:

message: "OK", or "INVALID_SESSION", "SYSTEM_ERROR"

data:
  "malicious": 1,
  /* total # of malicious files detected in last 7 days, or -1, which means n/a */
  /* If 'period' is provided, the data is from 'period' ago to now. Otherwise, the data is for last 7 days. */
  "suspicious_high": 2,
  /* total # of high-risk suspicious files detected in last 7 days, or -1, which means n/a */
  /* If 'period' is provided, the data is from 'period' ago to now. Otherwise, the data is for last 7 days. */
  "suspicious_medium": 3,
  /* total # of medium-risk suspicious files detected in last 7 days, or -1, which means n/a */
  /* If 'period' is provided, the data is from 'period' ago to now. Otherwise, the data is for last 7 days. */
  "suspicious_low": 4,
  /* total # of low-risk suspicious files detected in last 7 days, or -1, which means n/a */
  /* If 'period' is provided, the data is from 'period' ago to now. Otherwise, the data is for last 7 days. */
  "pending": 5,
  /* total # of pending jobs, or -1, which means n/a */
  "processing": 6
  /* total # of currently processing jobs, or -1, which means n/a */

9. Get a copy of backed up config file, in base64 format


Request:

{
  "method": "exec",
  "params": [
    {
      "url": "/backup/config"
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 9,
  "ver": "2.0"
}

Response:

{
  "id": 9,
  "ver": "2.0",
  "result": {
    "url": "/backup/config",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": {...}
  }
}

Notes and Comments:

message: "OK", or "INVALID_SESSION", "SYSTEM_ERROR"

data:
  "file": "..."
  /* backup config file content, in base64 encoding. The client side should decode it, then save it to a file */

10. Query file verdict through its SHA256 checksum

Note: A simple version is /scan/result/filerating
Note: For a zip file, a rating is available only after all of its children have finished scanning.
Note: The rating, malware_name and vid results are arrays.

Request:

{
  "method": "get",
  "params": [
    {
      "url": "/scan/result/file",
      "checksum": "the_files_checksum",
      "ctype": "sha1"
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 10,
  "ver": "2.1"
}

Response:

{
  "id": 10,
  "ver": "2.1",
  "result": {
    "url": "/scan/result/file",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": {
      "jid": [jid_1, jid_2],
      "rating": ["Malicious","High Risk"],
      "score": 1,
      "start_ts": 1377618931,
      "finish_ts": 1377618961,
      "malware_name": ["virus 1", "virus 2"],
      "vid": [virus_id_1, virus_id_2],
      "behavior_info": 0,
      "false_positive_negative": [0,1,2],
      "untrusted": 1,
      "now": 1377618931,
      "ftype": "[file_type1, file_type2]"
    }
  }
}

Notes and Comments:

ctype: Checksum type: "sha1" or "sha256"

message: "OK" or "INVALID_SESSION", "INVALID_PARAM" or "DATA_NOT_EXIST". If the value is "DATA_NOT_EXIST", it means no record is found for this checksum, or the scan has not finished; if the value is "INVALID_PARAM", it means the input checksum is wrong.

jid: For a zip file, the result is an array of children's job ids. If jid is [] and rating is ["Clean"], it means the file is not a supported file type and the file is dropped. In this case, start_ts and finish_ts will be the UTC time the file is dropped.

rating: For a zip file, the result is an array of the following, which denotes the types of ratings of its children:
  • Unknown
  • Clean
  • Malicious
  • High Risk
  • Medium Risk
  • Low Risk
  For a single file, the array size is 1.

score: For a zip file, the result is the bitwise combination of the following:
  • RISK_CLEAN=0
  • RISK_MALICIOUS=1
  • RISK_HIGH=2
  • RISK_MEDIUM=3
  • RISK_LOW=4
  For a single file, it will be one of the above values.

start_ts: Start scan time, UTC

finish_ts: Finish scan time, UTC

vid: Detailed information of the virus can be found at http://www.fortiguard.com/encyclopedia/virus/#id=virus_id

behavior_info: Whether detailed behavior information is available. 0: not available, 1: available

false_positive_negative: 0: not false positive or false negative, 1: false positive, 2: false negative. The order corresponds to the order of JID.

untrusted: 0: the result can be trusted; 1: since this file's scan, the scan environment has changed

now: FortiSandbox's time, UTC

ftype: File type of file, e.g., "exe", "pdf", "Unknown"
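
Added example, not part of the Fortinet reference: one way a client could validate a checksum query and turn a /scan/result/file response into a decision using the field semantics listed above, treating "not finished", "dropped unscanned" and "untrusted" as distinct from clean. The function names, the decision labels and the severity ordering of the ratings are assumptions of this example, and the sample responses are constructed.

```python
import re

# Rating strings as listed in the notes. The severity order (least to most
# severe) is an assumption of this example; the reference does not rank them.
SEVERITY = ["Clean", "Low Risk", "Medium Risk", "High Risk", "Malicious"]
HEX_LEN = {"sha1": 40, "sha256": 64}


def build_file_query(checksum, ctype, session, req_id=10):
    """Build the /scan/result/file request after validating the checksum."""
    if ctype not in HEX_LEN:
        raise ValueError("ctype must be 'sha1' or 'sha256'")
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_LEN[ctype], checksum):
        raise ValueError("checksum is not a %s hex digest" % ctype)
    return {
        "method": "get",
        "params": [{"url": "/scan/result/file",
                    "checksum": checksum, "ctype": ctype}],
        "session": session,
        "id": req_id,
        "ver": "2.1",
    }


def interpret_file_verdict(response):
    """Return (decision, reasons) for a /scan/result/file response.

    decision is "block", "allow", "review", "retry", "reauth" or "error".
    """
    result = response.get("result", {})
    message = result.get("status", {}).get("message")
    if message == "INVALID_SESSION":
        return "reauth", ["session is not valid"]
    if message == "DATA_NOT_EXIST":
        # No record for this checksum OR the scan has not finished: never allow.
        return "retry", ["no record yet or scan still running"]
    if message != "OK":
        return "error", ["status message %r" % message]

    data = result.get("data") or {}
    ratings = data.get("rating") or []
    if not data.get("jid") and ratings == ["Clean"]:
        # Unsupported file type: the sample was dropped, not analysed.
        return "review", ["file type not supported, sample dropped unscanned"]
    if not ratings or any(r not in SEVERITY for r in ratings):
        # Covers "Unknown" and any rating string this client does not know.
        return "review", ["rating missing or unknown: %r" % ratings]

    reasons = []
    worst = max(ratings, key=SEVERITY.index)
    if data.get("untrusted") == 1:
        reasons.append("scan environment changed since this scan")
    if any(f in (1, 2) for f in data.get("false_positive_negative", [])):
        reasons.append("a job was marked false positive/negative")
    if worst in ("Malicious", "High Risk"):
        return "block", reasons + ["worst rating: " + worst]
    if worst == "Clean" and not reasons:
        return "allow", ["all ratings Clean"]
    return "review", reasons + ["worst rating: " + worst]


def ok_response(data):
    """Wrap constructed data in the response envelope shown above."""
    return {"id": 10, "ver": "2.1",
            "result": {"url": "/scan/result/file",
                       "status": {"code": 0, "message": "OK"},
                       "data": data}}


# Constructed sample responses (not captured from a device).
SAMPLE_ZIP = ok_response({"jid": [101, 102], "rating": ["Clean", "High Risk"],
                          "untrusted": 0, "false_positive_negative": [0, 0]})
SAMPLE_DROPPED = ok_response({"jid": [], "rating": ["Clean"], "untrusted": 0})
SAMPLE_STALE = ok_response({"jid": [103], "rating": ["Clean"], "untrusted": 1,
                            "false_positive_negative": [0]})
SAMPLE_PENDING = {"id": 10, "ver": "2.1",
                  "result": {"url": "/scan/result/file",
                             "status": {"message": "DATA_NOT_EXIST"}}}

if __name__ == "__main__":
    for name, resp in [("zip", SAMPLE_ZIP), ("dropped", SAMPLE_DROPPED),
                       ("stale", SAMPLE_STALE), ("pending", SAMPLE_PENDING)]:
        print(name, interpret_file_verdict(resp))
```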


11-1. Upload file (on-demand submit for filesize < 20MB)


Request:

{
  "method": "set",
  "params": [
    {
      "file": "dGhpcyBpcyBhIHRlc3QhCg==",
      "filename": "dGVzdC50eHQ=",
      "skip_steps": "1,2,4,8",
      "url": "/alert/ondemand/submit-file",
      "type": "file",
      "overwrite_vm_list": "WIN7X86VM,WINXPVM",
      "archive_password": "pa!@s(*word1\n pa%^&*,word2",
      "malpkg": "1",
      "meta": {"meta_filename": meta_filename, "meta_url": meta_url},
      "timeout": "3600",
      "vrecord": "0",
      "enable_ai": "0",
      "forcedvm": 0
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 11,
  "ver": "2.5"
}

Response:

{
  "id": 11,
  "ver": "2.5",
  "result": {
    "url": "/alert/ondemand/submit-file",
    "status": {
      "message": "OK",
      "code": 0
    },
    "data": {
      "msg": "File was submitted successfully",
      "error": "",
      "sid": [the_submission_id]
    }
  }
}

Notes and Comments:

file: Encoded (base64) file contents (binary). Max. allowed file size is 200M

filename: Encoded (base64) filename under which the 'file' field's content will be saved on FSA

skip_steps: Do not use this parameter if there is no step to skip. 1 = Skip AV, 2 = Skip Cloud, 4 = Skip sandboxing, 8 = Skip Static Scan.

overwrite_vm_list: All VM names are available from another JSON API, /alert/ondemand/hcmvminfo. The clone number of those VMs should be bigger than zero; the JSON API /alert/ondemand/hcmvminfo handles it. If this field is not set, default ones will be used.

archive_password: (Optional) Provide password(s) if needed for extracting an archived file. Otherwise, ignore this field, or leave it as an empty string. Multiple passwords are separated by "\n". Non-ASCII passwords are invalid.

malpkg: (Optional) Set the value to "1" to request that the sample be added to the malware package if it satisfies the malware criteria. By default, the value is "0".

meta: (Optional) meta_filename (base64_encoded) is the file name from FGTs. meta_url (base64_encoded) is the URL sent from FGTs.

timeout: Cancel processing a submission if FortiCloud request when timeout.

status:
  "message": one of "OK", "FILENAME_NOT_FOUND", "FILE_DATA_NOT_FOUND", "FILE_TYPE_NOT_FOUND", "FILE_NOT_ENCODED", "FILENAME_NOT_ENCODED", "OVERSIZED_FILE", "INVALID_SESSION", "SYSTEM_ERROR"
  "code": 0

sid: The id for this submission, which the user can use to cancel pending jobs from it
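
Added example, not from the Fortinet reference: building the login envelope from section 1 and the submit-file envelope from this section in Python, applying the base64, skip_steps and archive_password rules from the notes above, with a redaction helper so envelopes can be logged without the password, session token or sample bytes. The function names, the 20MB cut-over taken from the section titles, the UTF-8 filename encoding and the sample responses are assumptions of this example.

```python
import base64

# skip_steps values from the notes above.
SKIP_AV, SKIP_CLOUD, SKIP_SANDBOX, SKIP_STATIC = 1, 2, 4, 8
# Assumption: cut-over taken from the section titles (11-1 below 20MB).
JSON_UPLOAD_LIMIT = 20 * 1024 * 1024
SECRET_KEYS = {"passwd", "session", "file", "archive_password"}


def build_login(user, passwd, req_id=1):
    """Login envelope as shown in section 1."""
    return {
        "method": "exec",
        "params": [{"url": "/sys/login/user",
                    "data": [{"user": user, "passwd": passwd}]}],
        "id": req_id,
        "ver": "2.0",
    }


def extract_session(response):
    """Return the session token or raise with the reported status message."""
    message = response.get("result", {}).get("status", {}).get("message")
    session = response.get("session")
    if message != "OK" or not session:
        raise PermissionError("login failed: %s" % message)
    return session


def build_submit_file(content, filename, session, skip=(),
                      archive_passwords=(), req_id=11):
    """Submit-file envelope (section 11-1) for the raw bytes in content."""
    if len(content) >= JSON_UPLOAD_LIMIT:
        raise ValueError("20MB or larger: use the large-file upload (11-2)")
    if any(s not in (SKIP_AV, SKIP_CLOUD, SKIP_SANDBOX, SKIP_STATIC)
           for s in skip):
        raise ValueError("skip values must be 1, 2, 4 or 8")
    for password in archive_passwords:
        # Non-ASCII passwords are invalid; "\n" separates multiple passwords.
        if not password.isascii() or "\n" in password:
            raise ValueError("archive passwords must be ASCII, no newlines")
    params = {
        "file": base64.b64encode(content).decode("ascii"),
        # Assumption: the filename is UTF-8 encoded before base64.
        "filename": base64.b64encode(filename.encode("utf-8")).decode("ascii"),
        "url": "/alert/ondemand/submit-file",
        "type": "file",
    }
    if skip:  # the parameter is left out entirely when no step is skipped
        params["skip_steps"] = ",".join(str(s) for s in sorted(set(skip)))
    if archive_passwords:
        params["archive_password"] = "\n".join(archive_passwords)
    return {"method": "set", "params": [params], "session": session,
            "id": req_id, "ver": "2.5"}


def submission_ids(response):
    """Return the sid list, or raise with the reported status message."""
    result = response.get("result", {})
    message = result.get("status", {}).get("message")
    if message != "OK":
        raise RuntimeError("submit failed: %s" % message)
    return result.get("data", {}).get("sid", [])


def redact(obj):
    """Copy an envelope with secret fields replaced, for safe logging."""
    if isinstance(obj, dict):
        return {k: "<redacted>" if k in SECRET_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


# Constructed sample responses (not captured from a device).
SAMPLE_LOGIN_OK = {"id": 1, "ver": "2.0",
                   "result": {"url": "/sys/login/user",
                              "status": {"code": 0, "message": "OK"}},
                   "session": "constructed-session-token"}
SAMPLE_LOGIN_BAD = {"id": 1, "ver": "2.0",
                    "result": {"url": "/sys/login/user",
                               "status": {"message": "WRONG_CREDENTIAL"}}}
SAMPLE_SUBMIT_OK = {"id": 11, "ver": "2.5",
                    "result": {"url": "/alert/ondemand/submit-file",
                               "status": {"message": "OK", "code": 0},
                               "data": {"msg": "File was submitted successfully",
                                        "error": "", "sid": [42]}}}

if __name__ == "__main__":
    token = extract_session(SAMPLE_LOGIN_OK)
    request = build_submit_file(b"this is a test!\n", "test.txt", token,
                                skip=(SKIP_AV, SKIP_CLOUD))
    print(redact(request))
    print(submission_ids(SAMPLE_SUBMIT_OK))
```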

11-2. Upload large file (on-demand submit for filesize > 20MB)

Request:

{
  "file": filepath 'application/octet-stream',
  "data": {
    "url": "/alert/ondemand/submit-file",
    "type": "file",
    "skip_steps": "",
    "overwrite_vm_list": "",
    "malpkg": 0,
    "vrecord": "0",
    "forcedvm": 0,
    "enable_ai": 0,
    "archive_password": "",
    "timeout": "3600",
    "meta_url": "",
    "meta_filename": "",
    "session": ""
  }
}

Response:

{
  "id": 0,
  "result": {
    "data": {
      "error": "",
      "msg": "File was submitted successfully",
      "sid": [the_submission_id]
    },
    "status": {
      "code": 0,
      "message": "OK"
    },
    "url": "/alert/ondemand/submit-file"
  },
  "ver": "3.0"
}

12. Upload URL file (on-demand submit)


Request:

{
  "method": "set",
  "params": [
    {
      "file": "dGhpcyBpcyBhIHRlc3QhCg==",
      "filename": "dGVzdC50eHQ=",
      "url": "/alert/ondemand/submit-file",
      "type": "url",
      "timeout": "60",
      "depth": "1",
      "overwrite_vm_list": "WIN7X86VM,WINXPVM",
      "malpkg": "1"
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 12,
  "ver": "2.2"
}

Response:

{
  "id": 12,
  "ver": "2.2",
  "result": {
    "url": "/alert/ondemand/submit-file",
    "status": {
      "message": "OK",
      "code": 0
    },
    "data": {
      "msg": "File was submitted successfully",
      "error": "",
      "sid": [the_submission_id]
    }
  }
}

Notes and Comments:

file: Encoded (base64) file contents (binary). The file should contain a list of URLs, one per line. Each URL should be less than 1.5K bytes in length.

filename: Encoded (base64) filename under which the 'file' field's content will be saved on FSA

timeout: How long the scan will be, in seconds. This is a subjective number. For example, if the web site has many pages, or the network bandwidth to the web site is slow, the timeout value should be bigger.

depth: The depth of web links to scan. 0 is the original URL; 1 also crawls into links in the original URL.

overwrite_vm_list: All VM names are available from another RPC JSON API, /alert/ondemand/hcmvminfo. The clone number of those VMs should be bigger than zero; the RPC JSON API /alert/ondemand/hcmvminfo handles it. If this field is not set, default ones will be used.

malpkg: (Optional) Set the value to "1" to request that the sample be added to the malware package if it satisfies the malware criteria. By default, the value is "0".

sid: The id for this submission, which the user can use to cancel pending jobs from it

message: "OK", "FILENAME_NOT_FOUND", "FILE_DATA_NOT_FOUND", "FILE_TYPE_NOT_FOUND", "FILE_NOT_ENCODED", "FILENAME_NOT_ENCODED", "OVERSIZED_FILE", "INVALID_SESSION", "SYSTEM_ERROR".

13. Query file rating through its SHA256 checksum—a simple version

Request:

{
  "method": "get",
  "params": [
    {
      "url": "/scan/result/filerating",
      "checksum": "the_files_checksum",
      "ctype": "sha1"
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 13,
  "ver": "2.1"
}

Response:

{
  "id": 13,
  "ver": "2.1",
  "result": {
    "url": "/scan/result/filerating",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": {
      "rating": ["Malicious","High Risk"],
      "start_ts": 1377618931,
      "finish_ts": 1377618961,
      "untrusted": 1,
      "now": 1377618931
    }
  }
}

Notes and Comments:

ctype: Checksum type: "sha1" or "sha256"

message: 'OK', 'INVALID_SESSION', 'INVALID_PARAM' or 'DATA_NOT_EXIST'. If the value is 'DATA_NOT_EXIST', it means no record is found for this sha256, or the scan has not finished; if the value is "INVALID_PARAM", it means the input checksum is wrong.

rating: For a zip file, the result is an array of the following, which denotes the types of ratings of its children:
  • Unknown
  • Clean
  • Malicious
  • High Risk
  • Medium Risk
  • Low Risk
  For a single file, the array size is 1. If rating is ["Clean"] and start_ts = 0 and finish_ts = 0, it means the file is not a supported file type and the file is dropped.

start_ts: Start scan time, UTC

finish_ts: Finish scan time, UTC

untrusted: 0: the result can be trusted; 1: since this file's scan, the scan environment has changed

now: FortiSandbox's time, UTC

14. Query URL rating


Request:

{
  "method": "get",
  "params": [
    {
      "url": "/scan/result/urlrating",
      "address": [url_a, url_b]
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 14,
  "ver": "2.5"
}

Response:

{
  "id": 14,
  "ver": "2.4",
  "result": {
    "url": "/scan/result/urlrating",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": [
      {
        "url": "http://www.henrydu.com/",
        "rating": "Malicious",
        "start_ts": 1377618931,
        "finish_ts": 1377618961,
        "untrusted": 1,
        "now": 1377618931,
        "behavior_info": 0
      },
      {
        "url": "http://www.abc.com"
      }
    ]
  }
}

Notes and Comments:

message: "OK" or "INVALID_SESSION" or "DATA_NOT_EXIST". If the value is 'DATA_NOT_EXIST', it means no record is found for this sha256, or the scan has not finished.

address: Needs to be an exact match. It's fine to leave out the http(s):// prefix.

rating: Unknown, Clean, Malicious, High Risk, Medium Risk, Low Risk. For a single file, array size is 1.

detail_page: The link to view details

start_ts: Start scan time, UTC

finish_ts: Finish scan time, UTC

untrusted: 0: the result can be trusted; 1: since this file's scan, the scan environment has changed

behavior_info: 0: There is no analytic report for this URL. 1: There is an analytic report for this URL.

now: FortiSandbox's time, UTC

15. Query job verdict detail through its job ID


Request:

{
  "method": "get",
  "params": [
    {
      "url": "/scan/result/job",
      "jid": "the_jobid"
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 15,
  "ver": "2.1"
}

Response:

{
  "id": 15,
  "ver": "2.1",
  "result": {
    "url": "/scan/result/job",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": {
      "rating": "Malicious",
      "score": 1,
      "sha256": "the_files_sha256_checksum",
      "sha1": "the_files_sha1_checksum",
      "start_ts": 1377618931,
      "finish_ts": 1377618961,
      "malware_name": "virus name",
      "vid": virus_id,
      "detection_os": "[os_name1, os_name2]",
      "rating_source": "...",
      "catetory": "Backdoor",
      "untrusted": 1,
      "now": 1377618931,
      "detail_url": "the_job_detail_page_link",
      "download_url": "eNrLKCkpsNLXN7Q00jM0s9AzN9AztDDRT0ss1",
      "false_positive_negative": 0,
      "ftype": "[file_type1, file_type2]"
    }
  }
}

Notes and Comments:

message: "OK" or "INVALID_SESSION" or "DATA_NOT_EXIST". If the value is 'DATA_NOT_EXIST', it means no record is found for this job id, or the scan has not finished.

rating: One of the following:
  • Unknown
  • Clean
  • Malicious
  • High Risk
  • Medium Risk
  • Low Risk

score: One of the following:
  • RISK_CLEAN=0
  • RISK_MALICIOUS=1
  • RISK_HIGH=2
  • RISK_MEDIUM=3
  • RISK_LOW=4

start_ts: Start scan time, UTC

finish_ts: Finish scan time, UTC

malware_name: Virus name if it's a known virus

vid: Detailed information of the virus can be found at http://www.fortiguard.com/encyclopedia/virus/#id=virus_id

rating_source: One of "AV Scan", "Cloud Query", "Sandboxing", "Static Scan", "Other"

catetory: One of: 'Clean', 'Unknown', 'Infector', 'Worm', 'Botnet', 'Hijack', 'Stealer', 'Backdoor', 'Injector', 'Rootkit', 'Adware', 'Dropper', 'Downloader', 'Trojan', 'Riskware', 'Grayware', or 'Attacker'.

untrusted: 0: the result can be trusted; 1: since this file's scan, the scan environment has changed

now: FortiSandbox's time, UTC

download_url: Base64 encoded download URL

false_positive_negative: 0: not false positive or false negative, 1: false positive, 2: false negative

ftype: File type of file, e.g., "exe", "pdf", "Unknown"

16. Cancel a job submission


Request:

{
  "method": "exec",
  "params": [
    {
      "url": "/alert/ondemand/cancel-submission",
      "sid": sid,
      "reason": the_reason
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 16,
  "ver": "2.0"
}

Response:

{
  "id": 16,
  "ver": "2.0",
  "result": {
    "url": "/alert/ondemand/cancel-submission",
    "status": {
      "code": 0,
      "message": "OK"
    }
  }
}

Notes and Comments:

sid: The submission id obtained from submit-file. The command is useful if a file containing a big number of URLs takes a long time to scan and needs to be cancelled.

message: "OK", or "INVALID_SESSION", "SYSTEM_ERROR"

17. Get job ID list for one submission


Request:

{
  "method": "get",
  "params": [
    {
      "url": "/scan/result/get-jobs-of-submission",
      "sid": sid
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 17,
  "ver": "2.0"
}

Response:

{
  "id": 17,
  "ver": "2.0",
  "result": {
    "url": "/scan/result/get-jobs-of-submission",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": {
      "jids": [jid1, jid2],
      "total_jids": 1000
    }
  }
}

Notes and Comments:

message: "OK", or "INVALID_SESSION", "SYSTEM_ERROR"

sid: The submission ID obtained from submit-file. The command gets all job ids associated with one submission.

total_jids: Total number of jobs for the submission. The maximum number of subfiles in the archive is 1000.

18. Get job behavior details for a file


Request:

{
  "method": "get",
  "params": [
    {
      "url": "/scan/result/get-job-behavior",
      "checksum": "the_files_checksum",
      "ctype": "sha1"
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 18,
  "ver": "3.1"
}

Response:

{
  "id": 18,
  "ver": "3.1",
  "result": {
    "url": "/scan/result/get-job-behavior",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": {
      "behavior_files": "TWFuIGlzIGRpc3Rpbmd1aXxxxx"
    }
  }
}

Notes and Comments:

ctype: Checksum type: "sha1", "sha256", "md5"

rtype: Result type: "std", "tree", "stix"

stype: Submission type: "submission", "jobonly"

rtype: Result type: "std", "tree",

stype: Submission type: "submission", "jobonly"

message: "OK", "DATA_NOT_EXIST", "INVALID_PARAM", "INVALID_SESSION", "SYSTEM_ERROR". If the value is "INVALID_PARAM", it means the input checksum is wrong. If behavior is not available, the data part will be empty.

behavior_files: Behavior files in JSON format, archived in gz format and base64 encoded. If the queried file is an archive file, the children's job behaviors will be combined into one file, then zipped.

19. Register (login) a FGT/FML/(others) device to FortiSandbox


Request:

{
  "method": "post",
  "params": [
    {
      "url": "/scan/device/device-login",
      "serial": "Device_SN",
      "hostname": "Device_Name",
      "ipv4": "172.17.58.60",
      "vdom": "root",
      "send_weekly_report": "0",
      "send_notifications": "0",
      "inherit_auth": "0",
      "email": "[email protected]",
      "authorize": "0"
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 19,
  "ver": "2.0"
}

Response:

{
  "id": 19,
  "ver": "2.0",
  "result": {
    "url": "/scan/device/device-login",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": {
      "device_id": 1,
      "serial": "Device_SN"
    }
  }
}

Notes and Comments:

vdom: root is default vdom, other vdom name will inherit this device.

send_weekly_report: data = 1 send, 0 otherwise

send_notifications: data = 1 send, 0 otherwise

inherit_auth: data = 1 inherit authorization, 0 otherwise

authorize: data = 1 authorized directly without FSA admin to authorize manually, 0 otherwise

message: "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

20. Delete (actually hide) a device from FortiSandbox


Request:

{
  "method": "post",
  "params": [
    {
      "url": "/scan/device/device-delete",
      "serial": "Device_SN",
      "vdom": "root",
      "remove_scan_results": "0"
    }
  ],
  "session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
  "id": 20,
  "ver": "2.0"
}

Response:

{
  "id": 20,
  "ver": "2.0",
  "result": {
    "url": "/scan/device/device-delete",
    "status": {
      "code": 0,
      "message": "OK"
    },
    "data": {
      "delete_name": "Device_Name"
    }
  }
}

Notes and Comments:

remove_scan_results: data = 1, delete this device and all related scan results in DB, 0 otherwise.

message: "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

delete_name: Removed the device serial.

21. Get malware package, malicious URL package, or botnet package


{
"method": "post",
"params": [
{
"url": "/scan/device/get-malpkg",
"type":0,
"major":2,
"minor":100
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 21,
"ver": "2.2.1"
}
{
"id": 21,
"ver": "2.2.1"
"result": {
"url": "/scan/device/get-malpkg",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"malpkg" : "TWFuIGlzIGRpc3Rpbmd1aXxxxx",
"md5sum" : "b0ed36a4b6282b566328a...",
"major":2,
"minor":101,
"all_pkgs": {
0:"TWFuIGlzIGRpc3Rpbmd1aXxxxx",
1:"TWFuIGlzIGRpc3Rpbmd1aXxxxxaaaa",
4:"TWFuIGlzIGRpc3Rpbmd1aXxxxxaddd",
5:"TWFuIGlzIGRpc3Rpbmd1aXxxxxaeee",
6:"TWFuIGlzIGRpc3Rpbmd1aXxxxxafff",
7:"TWFuIGlzIGRpc3Rpbmd1aXxxxxaggg,
8:"TWFuIGlzIGRpc3Rpbmd1aXxxxxahhh,
9:"TWFuIGlzIGRpc3Rpbmd1aXxxxxaiii,

FortiSandbox 3.2.2 JSON API Reference 26


Fortinet Technologies Inc.
JSON API

}
}
}
}

Notes and Comments:

type 0:FSA_FILE_MALWARE_PKG;
1:FSA_FILE_URL_PKG;
2:FSA_FILE_BOTNET_PKG;
4:Malware Package. Pure maliciuos level;
5:Malware Package. Mliciuos + High level;
6:Malware Package. Mliciuos + High + Medium level;
7:URL Package. Pure maliciuos level;
8:URL Package. Mliciuos + High level;
9:URL Package. Mliciuos + High + Medium level;
100:All malware Packages at once;
101:All malware URL Packages at once

major Package major number

minor Package minor number

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR", "NO_NEW_PACKAGE"

malpkg Binary file for the package

md5sum md5sum of the package

major Package major number

minor Package minor number

all_pkgs If type is 100 all_pkgs contains content for type 0,4,5,6; if type is 101, all_pkgs contains
content for type 1,7,8,9

22. Download list of SHA256, SHA1, MD5, or URL from malware package or URL package

{
"method": "post",
"params": [
{
"url": "/scan/device/download-malpkg-text",
"type":0,
"lazy":0,
"major":2,
"minor":100
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 22,
"ver": "2.4.1"


}
{
"id": 22,
"ver": "2.4.1",
"result": {
"url": "/scan/device/download-malpkg-text",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"download_file" : "TWFuIGlzIGRpc3Rpbmd1aXxxxx",
"md5sum" : "b0ed36a4b6282b566328a...",
"major":2,
"minor":101
}
}
}

Notes and Comments:

type 0:SHA256;
1:SHA1;
2:MD5;
3:URL;
4:FILE HASH STIX; (ignore version number)
5:URL STIX; (ignore version number)

lazy 0: use specified major and minor number; 1: get the latest version.

major Package major number

minor Package minor number

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR", "NO_PACKAGE"

download_file Text file, base64 encoded; a STIX package is a ZIP file

md5sum md5sum of the file

major Package major number

minor Package minor number
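
A client-side check for the download-malpkg-text response described above, as an added example that is not part of the Fortinet reference: it decodes download_file, compares md5sum and filters malformed entries before the list is used elsewhere. It assumes md5sum is the hex MD5 of the decoded file and that the text file holds one entry per line; unpack_indicator_list, PackageError and make_sample_response are names chosen for this example.

```python
import base64
import binascii
import hashlib
import hmac
import re

# "type" values from the notes above that carry one hex digest per entry.
HASH_HEX_LEN = {0: 64, 1: 40, 2: 32}   # 0: SHA256, 1: SHA1, 2: MD5
URL_TYPE = 3                            # 4 and 5 are STIX packages (ZIP files)


class PackageError(Exception):
    """API error, undecodable payload or failed integrity check."""


def unpack_indicator_list(response, pkg_type):
    """Validate a download-malpkg-text response and return its entries.

    Returns None when the server reports NO_PACKAGE, otherwise a dict with
    the package version, the accepted entries and the rejected lines.
    """
    if pkg_type not in HASH_HEX_LEN and pkg_type != URL_TYPE:
        raise PackageError("only text packages (type 0-3) are handled here")
    result = response["result"]
    status = result["status"]
    if status["message"] == "NO_PACKAGE":
        return None
    if status["code"] != 0 or status["message"] != "OK":
        raise PackageError("API error: %s" % status["message"])

    data = result["data"]
    try:
        raw = base64.b64decode(data["download_file"], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise PackageError("download_file is not valid base64") from exc

    # Assumption: md5sum is the hex MD5 of the decoded file. MD5 only catches
    # truncation or corruption in transit; it does not authenticate the list.
    actual = hashlib.md5(raw).hexdigest()
    if not hmac.compare_digest(actual, str(data["md5sum"]).strip().lower()):
        raise PackageError("md5sum mismatch: got %s" % actual)

    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise PackageError("decoded file is not UTF-8 text") from exc

    # Assumption: the text file holds one entry per line.
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if pkg_type == URL_TYPE:
        accepted, rejected = lines, []
    else:
        digest = re.compile(r"[0-9a-fA-F]{%d}" % HASH_HEX_LEN[pkg_type])
        accepted = [ln.lower() for ln in lines if digest.fullmatch(ln)]
        rejected = [ln for ln in lines if not digest.fullmatch(ln)]
    return {"major": data["major"], "minor": data["minor"],
            "entries": accepted, "rejected": rejected}


def make_sample_response(text):
    """Build a constructed response in the shape shown above (not real data)."""
    raw = text.encode("utf-8")
    return {"id": 22, "ver": "2.4.1", "result": {
        "url": "/scan/device/download-malpkg-text",
        "status": {"code": 0, "message": "OK"},
        "data": {"download_file": base64.b64encode(raw).decode("ascii"),
                 "md5sum": hashlib.md5(raw).hexdigest(),
                 "major": 2, "minor": 101}}}


if __name__ == "__main__":
    sample = make_sample_response("A" * 64 + "\n" + "b" * 64 + "\nnot-a-hash\n")
    print(unpack_indicator_list(sample, 0))
```
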

23. Get AV-Rescan results


{
"method": "post",
"params": [
{
"url": "/scan/result/get-avrescan",
"need_av_ver":0,
"stime":1454438805,
"etime":1454448805
}


],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 23,
"ver": "2.1"
}
{
"id": 23,
"ver": "2.1",
"result": {
"url": "/scan/result/get-avrescan",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"avadb_ver" : "00028.00854",
"rescan_list" : [
{"rating" : "Malicious",
"score" : 1,
"sha256": "the_files_sha256_checksum",
"sha1": "the_files_sha1_checksum",
"start_ts": 1377618931,
"finish_ts":1377618961,
"malware_name": "virus name",
"vid": virus_id,
"detection_os": "[os_name1, os_name2]",
"rating_source": "AV Scan",
"catetory": "Backdoor",
"untrusted": 1,
"now":1377618931,
"detail_url": "the_job_detail_page_link",
"download_url": "eNrLKCkpsNLXN7Q00jM0s9AzN9AztDDRT0ss1",
"false_positive_negative": 0,
"ftype": "[file_type1, file_type2]"
}
]
}
}
}

Notes and Comments:

need_av_ver 0: False, 1: True. If true, only return AV version

stime Start epoch time

etime End epoch time

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR", "NO_AVRESCAN_RESULT"

rating One of the following:
'Unknown',
'Clean',
'Malicious',
'High Risk',
'Medium Risk',
'Low Risk'

score One of the following:
RISK_CLEAN=0
RISK_MALICIOUS=1
RISK_HIGH=2
RISK_MEDIUM=3
RISK_LOW=4

start_ts Start scan time, UTC

finish_ts Finish scan time, UTC

malware_name Virus name if it's a known virus

vid Detailed information of virus can be found at
http://www.fortiguard.com/encyclopedia/virus/#id=virus_id

rating_source One of:
"AV Scan",
"Cloud Query",
"Sandboxing",
"Static Scan",
"Other"

category One of: 'Clean', 'Unknown', 'Infector', 'Worm', 'Botnet', 'Hijack', 'Stealer', 'Backdoor', 'Injector',
'Rootkit', 'Adware', 'Dropper', 'Downloader', 'Trojan', 'Riskware', 'Grayware', or 'Attacker'.

untrusted 0: the result can be trusted,
1: the scan environment has changed since this file's scan

now FortiSandbox's time, UTC

detail_url base64 encode download URL

download_url base64 encoded download URL

false_positive_negative 0: not false positive or false negative, 1: false positive, 2: false negative

ftype File type of file, e.g., "exe", "pdf", "Unknown"

24. Return all installed VM name and their clone number


{
"method": "get", or "post"
"params": [
{
"url": "/alert/ondemand/hcmvminfo"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 24,


"ver": "2.2"
}
{
"id": 24,
"ver": "2.2",
"result": {
"url": "/alert/ondemand/hcmvminfo",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"vm-list":[
{"id": 4,
"name": "WINXPVM1",
"version": 6,
"clonenum": 2,
"status":"activated"
},
{"id": 8,
"name": "WIN7X86VM",
"version": 6,
"clonenum": 2,
"status":"activated"
},
...
]
}
}
}

Notes and Comments:

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

25. Allow user to add/delete checksums to allow/block (white/black) list


{
"method": "post",
"params": [
{
"url": "/scan/policy/black-white-list",
"list_type": "white",
"checksum_type": "md5",
"action": "append",
"upload_file": "dGhpcyBpcyBhIHRlc3QhCg=="
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 25,
"ver": "2.2.1"
}
{
"id": 25,
"ver": "2.2.1",


"result": {
"url": "/scan/policy/black-white-list",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"msg": "The action (append) was executed successfully for (white) list",
"error": "",
"download_file":"dGhpcyBpcyBhIHRlc3QhCg=="
}
}
}

Notes and Comments:

list_type The list_type should only be in ["white", "black"].

checksum_type The checksum_type should only be in ["md5", "sha1", "sha256", "domain", "url", "url_regex"].

action The action should only be in ["append", "replace", "clear", "download", "delete"].

upload_file Encoded (base64) file contents (checksum). Maximum allowed file size is 200M

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

26. Mark a sample as false negative/false positive


{
"method": "post",
"params": [
{
"url": "/analysis/details/submit-feedback",
"jid": "2829727883009566742",
"comments": "comments for FN/FP",
"cloud_submit": 0,
"sha256":"88ac682b7c3ee5ab8a5f63256fa0de374b0b667e851bbc6e62bd2ae18fb84afe"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 26,
"ver": "2.3"
}
{
"id": 26,
"ver": "2.3",
"result": {
"url": "/analysis/details/submit-feedback",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"msg": "Feedback was submitted successfully.",
"error": ""
}


}
}

Notes and Comments:

jid The Job ID.

comments Comments can not be empty.

cloud_submit 0: do not submit; otherwise, submit feedback to community cloud.

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

27. Configure system hostname


{
"method": "post",
"params": [
{
"url": "/config/system/hostname",
"hostname": "new_hostname"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 27,
"ver": "2.3"
}
{
"id": 27,
"ver": "2.3",
"result": {
"url": "/config/system/hostname",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"hostname": "new_hostname or original_hostname",
"msg": "Hostname was changed to new_hostname successfully.",
"error": ""
}
}
}

Notes and Comments:

hostname New hostname; the original hostname will be returned if empty.

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

28. Configure system timezone


{


"method": "post",
"params": [
{
"url": "/config/system/timezone",
"tzid": "new_tzid"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 28,
"ver": "2.3"
}
{
"id": 28,
"ver": "2.3",
"result": {
"url": "/config/system/timezone",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"timezone": "(GMT-8:00)Pacific Time(US&Canada)",
"msg": "Timezone was changed to (GMT-8:00)Pacific Time(US&Canada) successfully",
"error": ""
}
}
}

Notes and Comments:

tzid New timezone ID; the original timezone will be returned if empty.

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

Timezone id is defined as:


["0", "(GMT-12:00)Eniwetok,Kwajalein", "Kwajalein"],
["1", "(GMT-11:00)Midway Island, Samoa", "Pacific/Midway"],
["2", "(GMT-10:00)Hawaii", "US/Hawaii"],
["3", "(GMT-9:00)Alaska", "US/Alaska"],
["4", "(GMT-8:00)Pacific Time(US&Canada)", "PST8PDT"],
["5", "(GMT-7:00)Arizona", "US/Arizona"],
["6", "(GMT-7:00)Mountain Time(US&Canada)", "MST7MDT"],
["7", "(GMT-6:00)Central America", "America/Belize"],
["8", "(GMT-6:00)Central Time", "CST6CDT"],
["9", "(GMT-6:00)Mexico City", "America/Mexico_City"],
["10", "(GMT-6:00)Saskatchewan", "Canada/Saskatchewan"],
["11", "(GMT-5:00)Bogota,Lima,Quito", "America/Bogota"],
["12", "(GMT-5:00)Eastern Time(US & Canada)", "EST5EDT"],
["13", "(GMT-5:00)Indiana(East)", "US/East-Indiana"],
["70", "(GMT-4:30)Caracas", "America/Caracas"],
["14", "(GMT-4:00)Atlantic Time(Canada)", "Canada/Atlantic"],
["15", "(GMT-4:00)La Paz", "America/La_Paz"],
["16", "(GMT-4:00)Santiago", "America/Santiago"],
["72", "(GMT-4:00)San Luis, Argentina", "America/Argentina/San_Luis"],
["17", "(GMT-3:30)Newfoundland", "Canada/Newfoundland"],


["18", "(GMT-3:00)Brasilia", "Brazil/East"],


["19", "(GMT-3:00)Buenos Aires, Georgetown", "America/Buenos_Aires"],
["73", "(GMT-3:00)San Juan, Argentina", "America/Argentina/San_Juan"],
["20", "(GMT-3:00)Greenland", "America/Danmarkshavn"],
["21", "(GMT-2:00)Mid-Atlantic", "Atlantic/South_Georgia"],
["22", "(GMT-1:00)Azores", "Atlantic/Azores"],
["23", "(GMT-1:00)Cape Verde Is.", "Atlantic/Cape_Verde"],
["24", "(GMT)Casablanca, Monrouia", "Africa/Casablanca"],
["25", "(GMT)Greenwich Mean Time: Dublin,Edinburgh,Lisbon,London", "Europe/London"],
["71", "(UTC)Coordinated Universal Time", "UTC"],
["26", "(GMT+1:00)Amsterdam,Berlin,Bern,Rome,Stockholm,Vienna", "Europe/Amsterdam"],
["27", "(GMT+1:00)Belgrade,Bratislava,Budapest,Ljubljana,Prague", "Europe/Belgrade"],
["28", "(GMT+1:00)Brussels,Copenhagen,Madrid,Paris", "Europe/Brussels"],
["29", "(GMT+1:00)Sarajevo,Skopje,Sofija,Vilnius,Warsaw,Zagreb", "Europe/Sarajevo"],
["30", "(GMT+1:00)West Central Africa", "Africa/Algiers"],
["31", "(GMT+2:00)Athens,Istanbul,Minsk", "Europe/Athens"],
["32", "(GMT+2:00)Bucharest", "Europe/Bucharest"],
["33", "(GMT+2:00)Cairo", "Africa/Cairo"],
["34", "(GMT+2:00)Harare,Pretoria", "Africa/Harare"],
["35", "(GMT+2:00)Helsinki,Riga,Tallinn", "Europe/Helsinki"],
["36", "(GMT+2:00)Jerusalem", "Asia/Jerusalem"],
["37", "(GMT+3:00)Baghdad", "Asia/Baghdad"],
["38", "(GMT+3:00)Kuwait,Riyadh", "Asia/Kuwait"],
["39", "(GMT+3:00)Moscow,St.Petersburg,Volgograd", "Europe/Moscow"],
["40", "(GMT+3:00)Nairobi", "Africa/Nairobi"],
["41", "(GMT+3:30)Tehran", "Asia/Tehran"],
["42", "(GMT+4:00)Abu Dhabi,Muscat", "Asia/Muscat"],
["43", "(GMT+4:00)Baku,Tbilisi,Yerevan", "Asia/Baku"],
["44", "(GMT+4:30)Kabul", "Asia/Kabul"],
["45", "(GMT+5:00)Ekaterinburg", "Asia/Yekaterinburg"],
["46", "(GMT+5:00)Islamabad,Karachi,Tashkent", "Asia/Karachi"],
["47", "(GMT+5:30)Calcutta,Chennai,Mumbai,New Delhi", "Asia/Calcutta"],
["48", "(GMT+5:45)Katmandu", "Asia/Katmandu"],
["49", "(GMT+6:00)Almaty,Novosibirsk", "Asia/Almaty"],
["50", "(GMT+6:00)Astana,Dhaka", "Asia/Dhaka"],
["51", "(GMT+6:00)Sri Jayawardenepura", "Asia/Colombo"],
["52", "(GMT+6:30)Rangoon", "Asia/Rangoon"],
["53", "(GMT+7:00)Bangkok,Hanoi,Jakarta", "Asia/Bangkok"],
["54", "(GMT+7:00)Krasnoyarsk", "Asia/Krasnoyarsk"],
["55", "(GMT+8:00)Beijing,ChongQing,HongKong,Urumgi", "Asia/Chongqing"],
["56", "(GMT+8:00)Irkutsk,Ulaan Bataar", "Asia/Irkutsk"],
["57", "(GMT+8:00)Kuala Lumpur,Singapore", "Asia/Kuala_Lumpur"],
["58", "(GMT+8:00)Perth", "Australia/Perth"],
["59", "(GMT+8:00)Taipei", "Asia/Taipei"],
["60", "(GMT+9:00)Osaka,Sapporo,Tokyo,Seoul", "Asia/Tokyo"],
["61", "(GMT+9:00)Yakutsk", "Asia/Yakutsk"],
["62", "(GMT+9:30)Adelaide,Darwin", "Australia/Adelaide"],
["63", "(GMT+10:00)Brisbane", "Australia/Brisbane"],
["64", "(GMT+10:00)Canberra,Melbourne,Sydney", "Australia/Canberra"],
["65", "(GMT+10:00)Guam,Port Moresby,Hobart,Vladivostok", "Pacific/Guam"],
["66", "(GMT+11:00)Magadan,Solomon Is.,New Caledonia", "Asia/Magadan"],
["67", "(GMT+12:00)Auckland,Wellington", "Pacific/Auckland"],
["68", "(GMT+12:00)Fiji,Kamchatka,Marshall Is.", "Pacific/Fiji"],
["69", "(GMT+13:00)Nuku'alofa", "Pacific/Tongatapu"],


29. Configure system time and NTP server


{
"method": "post",
"params": [
{
"url": "/config/system/ntp",
"year": "2016",
"month": "06",
"day": "15",
"hour":"15",
"minute": "0",
"second": "0",
"useNTP": 0,
"ntp_server": "0.pool.ntp.org"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 29,
"ver": "2.3"
}
{
"id": 29,
"ver": "2.3",
"result": {
"url": "/config/system/ntp",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"msg": "Time and NTP configuration was changed successfully.",
"error": ""
}
}
}

Notes and Comments:

hostname New hostname; the original hostname will be returned if empty.

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

30. Configure system interface


{
"method": "post",
"params": [
{
"url": "/config/system/interface",
"port": "port1",
"ipv4": "192.168.100.100/255.255.255.0",
"ipv6": "2001:192:168::1/64",
"up_down": "up",

"http_access": "0",
"ssh_access": "0",
"telnet_access": "0"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 30,
"ver": "2.3"
}
{
"id": 30,
"ver": "2.3",
"result": {
"url": "/config/system/interface",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"msg": "Network interface configuration was successfully updated",
"error": ""
}
}
}

Notes and Comments:

ipv6 Optional

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

up_down "up", or "down"

http_access "0": not allow, "1": allow

ssh_access "0": not allow, "1": allow

telnet_access "0": not allow, "1": allow

31. Configure system DNS


{
"method": "post",
"params": [
{
"url": "/config/system/dns",
"primary": "172.16.100.80",
"secondary": "8.8.8.8"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 31,
"ver": "2.3"
}
{
"id": 31,
"ver": "2.3",
"result": {
"url": "/config/system/dns",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"msg": "DNS configuration was successfully updated.",
"error": ""
}
}
}

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

32. Configure system routing


{
"method": "post",
"params": [
{
"url": "/config/system/routing",
"action": "create",
"destination": "172.16.68.0/24",
"device": "port1",
"gateway": "172.17.94.97",
"orig_destination": "",
"orig_device": "",
"orig_gateway": ""
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 32,
"ver": "2.3"
}
{
"id": 32,
"ver": "2.3",
"result": {
"url": "/config/system/routing",
"status": {
"code": 0,
"message": "OK"
},
"data": {
"msg": "",
"error": ""
}
}
}


Notes and Comments:

action create: destination, device and gateway should be provided.


update: all information should be provided.
delete: orig_destination, orig_device, orig_gateway should be provided.

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

33. Configure system administrator


{
"method": "post",
"params": [
{
"url": "/config/system/administrator",
"action": "create",
"bind_type":0,
"username": "new_user",
"password": "password",
"pwd_changed": 0,
"old_password": "oldpass",
"user_type": 0,
"server": "ldap-or-radius-server.local",
"priviledge": 1,
"profile": "Super Admin",
"language": "en-us",
"trusted_host1":"",
"trusted_host2":"",
"trusted_host3":"",
"trusted_ipv6_host1":"",
"trusted_ipv6_host2":"",
"trusted_ipv6_host3":"",
"comments":"",
"download_orig_file":0
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 33,
"ver": "2.3"
}
{
"id": 33,
"ver": "2.3",
"result": {
"url": "/config/system/administrator",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"msg": "Administrators were successfully added.",
"error": ""
}
}
}


Notes and Comments:

action "create", "update", "delete"

bind_type 0:Simple, 1:Anonymous, 2:Regular

pwd_changed For update. 0: not, 1: changed.

old_password Only for update.

user_type 0:LOCAL, 1:LDAP, 2:RADIUS.

profile Admin profile name

priviledge 0: READONLY, 1:READ/WRITE

language Either "en-us" for English, or "ja" for Japanese.

download_orig_file 0:NO(unchecked), 1:YES(checked)

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

34. Configure system LDAP


{
"method": "post",
"params": [
{
"url": "/config/system/ldap",
"action": "create",
"name": "ldap_name",
"username": "new_user",
"password": "password",
"address": "address",
"port": 636,
"cn": "accounts",
"dn": "corp.company.com",
"isSecure": 0,
"proto": 2,
"ca": "",
"pwd_changed":0
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 34,
"ver": "2.3"
}
{
"id": 34,
"ver": "2.3",
"result": {
"url": "/config/system/ldap",
"status": {
"code": 0,
"message": "OK"

},
"data":{
"msg": "New LDAP server was successfully added.",
"error": ""
}
}
}

Notes and Comments:

action "create", "update", "delete"

username For regular bind type

password For regular bind type

isSecure 0: No(unchecked), 1:YES(checked)

proto 0:NON_SECURE, 1:STARTTLS, 2:LDAPS

pwd_changed For regular bind type, 0: No, 1: Yes

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

35. Configure system RADIUS


{
"method": "post",
"params": [
{
"url": "/config/system/radius",
"action": "create",
"name": "radius_name",
"auth_type": 0,
"primary_server": "192.168.100.100",
"secondary_server": "192.168.100.101",
"port": 1812,
"primary_secret": "pwd1234",
"secondary_secret": "pwd4567",
"nas_ip": "172.16.66.66",
"primary_secret_changed": 0,
"secondary_secret_changed": 0
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 35,
"ver": "2.3"
}
{
"id": 35,
"ver": "2.3",
"result": {
"url": "/config/system/ldap",
"status": {
"code": 0,
"message": "OK"

},
"data": {
"msg": "New RADIUS server was successfully added.",
"error": ""
}
}
}

Notes and Comments:

action "create", "update", "delete"

auth_type 0:ANY_BIND, 1:PAP_BIND, 2:CHAP_BIND, 3:MSV2_BIND

primary_secret_changed 0:not changed, 1:changed

secondary_secret_changed 0:not changed, 1:changed

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

36. Configure system FortiGuard


{
"method": "post",
"params": [
{
"url": "/config/system/fortiguard",
"fdn_overwrite": "0",
"overwrite_server": "192.168.100.205",
"webfiltering_overwrite":"0",
"wfoverwrite_server":"192.168.100.206:53",
"cloud_overwrite":"0",
"cloudserver":"172.17.18.19:53",
"fdnproxy_enable":"0",
"fdn_proxy_type":"0",
"fdn_proxy_server":"",
"fdn_proxy_port":"",
"fdn_proxy_uname":"",
"fdn_proxy_pwd":"",
"wfproxy_enable":"0",
"wf_proxy_server":"",
"wf_proxy_port":"",
"wf_proxy_uname":"",
"wf_proxy_pwd":"",
"cloudproxy_enable":"0",
"cloud_proxy_server":"",
"cloud_proxy_port":"",
"cloud_proxy_uname":"",
"cloud_proxy_pwd":""
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 36,


"ver": "2.3"
}
{
"id": 36,
"ver": "2.3",
"result": {
"url": "/config/system/fortiguard",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"msg": "FortiGuard service was successfully updated.",
"error": ""
}
}
}

Notes and Comments:

fdn_overwrite "0": uncheck, "1": check

wfoverwrite_server Port is needed. 53 or 8888

cloudserver Required. 53 or 8888

fdnproxy_enable "0": disable, "1": enable

fdn_proxy_type "0":HTTP, "1":SOCKSv4, "3":SOCKSv5

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

37. Configure system mail


{
"method": "post",
"params": [
{
"url": "/config/system/mail",
"smtp":"mail.fortinet.com",
"port":"25",
"account":"[email protected]",
"loginuser":"admin",
"password":"admin1234",
"pwd_changed":0,
"send_mail": "0",
"send_mail_to_dv": "0",
"mail_rating_filter":["2","16","8","4"],
"receiver": "[email protected]",
"send_reqmail":"0",
"reqreceiver":"[email protected]",
"use_fqdn_name_as_ip":"0",
"fqdn_name": "adbc.com",
"send_pdf":"0",
"send_pdf_to_vdom":"0",
"report_rating_filter":["2","16","8","4", "1"],

"pdf_sum_receiver":"",
"pdf_detail_receiver":"",
"report_schedule_type":"",
"report_week_day":"",
"report_hour_step":"",
"report_day_hour":"",
"report_week_hour":"",
"report_period_days":"",
"report_period_hours":""
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 37,
"ver": "2.3"
}
{
"id": 37,
"ver": "2.3",
"result": {
"url": "/config/system/mail",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"msg": "Mail configuration was successfully updated.",
"error": ""
}
}
}

Notes and Comments:

pwd_changed 0:unchanged, 1:changed

send_mail "0": uncheck, "1": check

send_mail_to_dv "0": uncheck, "1": check

mail_rating_filter It has to be an array of: 2: Malicious; 16: High Suspicious; 8: Medium Suspicious; 4: Low
Suspicious

send_reqmail "0": uncheck, "1": check

use_fqdn_name_as_ip "0": uncheck, "1": check

send_pdf "0": disable, "1": enable

send_pdf_to_vdom "0": disable, "1": enable

report_rating_filter It has to be an array of: 2: Malicious; 16: High Suspicious; 8: Medium Suspicious; 4: Low
Suspicious

report_schedule_type '0':'HOURLY', '1':'DAILY', '2':'WEEKLY'

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"


38. Configure system log server


{
"method": "post",
"params": [
{
"url": "/config/system/logserver",
"action": "create",
"type": "0",
"name": "log server name",
"server": "172.17.17.17",
"port": "514",
"enable": "1",
"alert":"1",
"critical":"1",
"error":"1",
"warning":"1",
"info":"1",
"debug":"1",
"alert_clean":"0"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 38,
"ver": "2.4"
}
{
"id": 38,
"ver": "2.4",
"result": {
"url": "/config/system/logserver",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"msg": "Log server configuration was successfully updated.",
"error": ""
}
}
}

Notes and Comments:

action "create", "update" or "delete"

type '0':'SYS_LOG', '1':'FAZ', '2':'CEF'

enable '0':disabled, '1':enabled

alert_clean '0':disabled, '1': Alert logs will include jobs with Clean rating.

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"


39. Configure scan profile


{
"method": "post",
"params": [
{
"url": "/config/scan/vmprofile",
"static_extensions": {
"0":{"ext":"enable", "filter_dll":"enable"},
"1":{"ext":"enable", "filter_pdf":"enable"},
"2":{"ext":"enable"},
"3":{"ext":"enable", "filter_swf":"enable"},
"4":{"ext":"enable", "filter_js":"enable", "filter_htm":"enable"},
"5":{"ext":"enable"},
"6":{"ext":"enable"},
"97":{"ext":"enable", "filter_url":"enable"},
"98":{"ext":"enable"}
},
"url_setting": {
"depth": 0,
"max": -1,
"timeout": 60
},
"user_defined_exts": {
"action":"add",
"exts":["ext1", "ext2"]
},
"vmexts": [
{
"name":"winxpvm",
"action":"add",
"exts":["ppsx","ppt","ppam"]
},
{
"name":"androidvm",
"action":"add",
"exts":["apk"]
}
]
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 39,
"ver": "2.3"
}
{
"id": 39,
"ver": "2.3",
"result": {
"url": "/config/scan/vmprofile",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"msg": "Scan profile configuration was successfully updated.",
"error": ""

}
}
}

Notes and Comments:

static_extensions 0: Executables/DLL/VBS/BAT/PS1/JAR/MSI files


1: PDF files
2: Microsoft Office files (Word, Excel, PowerPoint files etc)
3: Adobe Flash files
4: Static Web files
5: Archive files (with extension of .7z, .xz, .bz2, .gz, .tar, .zip, .rar, .Z etc)
6: Android files
97: URL detection
98: User defined extensions

depth 0, 1, 2, 3, 4 or 5

max Between -1 and 10000

timeout Larger than 30

action "add", "delete", "replace_all"

vmexts exts Combinations of the following list : exe, php, tiff, 7z, gif, png, tnef, asf, htm, ppsx, unk, cdf,
ico, ppt, vcf, com, jpeg, pptx, xls, com1, jpg, qt, xlsx, dll, mov, rar, zip, doc, mp3, rm, docx,
mp4, rtf, pdf, swf, jar, dotx, docm, dotm, xltx, xlsm, xltm, xlsb, xlam, potx, sldx, pptm, ppsm,
potm, ppam, sldm, onetoc, thmx, bat, cmd, vbs, ps1, js, tar, gz, xz, bz2, arj, cab, tgz, txt, z,
msi, msg, asp, jsp, kgb, url, dot, xlt, pps, pot, upx, apk, WEBLink, lnk, jarlib, lzh

name Not case-sensitive; get the name from the WebUI

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

40. Configure scan benign URLs


{
"method": "post",
"params": [
{
"url": "/config/scan/benign_url",
"cat_dict": {
"Abortion":"benign",
"Advocacy Organizations":"benign",
"Alcohol":"benign",
"Alcohol and Tobacco":"benign",
"Child Abuse":"suspicious",
"Dating":"benign",
"Discrimination":"benign",
"Drug Abuse":"suspicious",
"Explicit Violence":"benign",
"Extremist Groups":"benign",
"Gambling":"benign",

"Grayware":"suspicious",
"Hacking":"suspicious",
"Homosexuality":"benign",
"Illegal or Unethical":"benign",
"Marijuana":"benign",
"Nudity and Risque":"benign",
"Occult":"benign",
"Other Adult Materials":"benign",
"Plagiarism":"benign",
"Pornography":"benign",
"Tobacco":"benign",
"Weapons (Sales)":"benign"
}
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 40,
"ver": "2.3"
}
{
"id": 40,
"ver": "2.3",
"result": {
"url": "/config/scan/benign_url",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"msg": "Benign URL configuration was successfully updated.",
"error": ""
}
}
}

Notes and Comments:

cat_dict : Abortion Benign, or suspicious

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

41. Configure scan job archive


{
"method": "post",
"params": [
{
"url": "/config/scan/job_archive",
"enable": 1,
"pwd_changed":0,
"server_name":"rpc_test_server_name",
"server_path":"/path1/path2",
"sharetype":"0",
"username":"username",
"password":"password",

"filename":"0",
"folder":"0",
"metadata":1,
"tracerlog":1,
"malicious":1,
"suspicious":1,
"clean_rating":1,
"other":1
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 41,
"ver": "2.3"
}
{
"id": 41,
"ver": "2.3",
"result": {
"url": "/config/scan/job_archive",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"msg": "Archive configuration was successfully updated.",
"error": ""
}
}
}

Notes and Comments:

sharetype 0:SMBv1.0,1:SMBv2.0,2:SMBv2.1,3:SMBv3.0,4:FIFS,5:NFSv2,6:NFSv3,7:NFSv4,8:Azure
File Share, 9:S3 Bucket

filename "0":'Scan Job ID as File Name', "1":'Original File Name'

folder "0": FLAT, "1": TIME, "2": RATING

metadata 0:disable, 1:enable

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

42. Configure YARA rule


{
"method": "post",
"params": [
{
"url": "/config/scan/yara",
"action": "import",
"yara_name":"yara-name",
"default_description":"yara description",
"risk_level":5,
"file_type":["any"],
"yara_file": "dGhpcyBpcyBhIHRlc3QhCg==",

"yara_id":"2880877873479829661"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 42,
"ver": "2.4"
}
{
"id": 42,
"ver": "2.4",
"result": {
"url": "/config/scan/yara",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"yara_id": "2880877873479829661",
"msg": "Yara configuration was successfully updated.",
"error": ""
}
}
}

Notes and Comments:

action "import", "update", "delete", "activate", "deactivate"

risk_level Rules risk level, between 0 to 10.


As a guideline, 0~1:Clean; 2~4:Low Risk; 5~7:Medium Risk; 8~10:High Risk

file_type "any", "exe", "dll", "com", "ppt", "pptx", "xls","xlsx", "doc", "docx", "msg", "rtf", "pdf", "swf"

yara_file Encoded (base64) file contents

yara_id "update", "delete", "activate" or "deactivate"

message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

43. Get multiple file verdicts by submitting multiple SHA256/SHA1/MD5


{
"method": "post",
"params": [
{
"url": "/scan/result/multifile",
"ctype": "sha256",
"checksum": ["f5e17ed3be9e9fa12360d67af93b33ac8299434369714b44f4c0482432b41b6e",
"b34af9dc65a3fe82ade27fae290df13a087c4f532272ce3dcb5f851d31db2c04"]
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 43,
"ver": "2.4"
}
{
"id": 43,
"ver": "2.4",
"result": {
"url": "/scan/result/multifile",
"status": {
"code": 0,
"message": "OK"
},
"data":[{
"checksum": "f5e17ed3be9e9fa12360d67af93b33ac8299434369714b44f4c0482432b41b6e",
"kidsum": 1,
"sid": 3108940681876575659,
"job_list": [
{"jid": 3110452159542566741,
"rating" : "Malicious",
"score": 1,
"start_ts": 1377618931,
"finish_ts":1377618961,
"rsrcid": "AV Scanner",
"malware_name": "virus 1",
"vid": virus_id_1,
"behavior_info": 0,
"false_positive_negative": 0,
"untrusted": 1,
"ftype": "Unknown"
},
{"jid": jid_2,
"rating" : "High Risk",
"score": 1,
"start_ts": 1377618931,
"finish_ts":1377618961,
"malware_name": "virus 2",
"vid": virus_id_2,
"behavior_info": 1,
"false_positive_negative": 2,
"untrusted": 0,
"ftype": "Unknown"
}
],
"now":1377618931
},
{
"checksum": "b34af9dc65a3fe82ade27fae290df13a087c4f532272ce3dcb5f851d31db2c04",
"now":1377618931
}
]
}
}

Notes and Comments:

ctype checksum type: "sha1", "sha256", "md5"

checksum Maximum 100 checksum


message "OK", "INVALID_DATA", "INVALID_SESSION", "SYSTEM_ERROR"

checksum the checksum is the queried checksum.

job_list For a zip file, the result is an array of children's job ids. If jid is [] and rating is ["Clean"], it
means the file is not a supported file type and the file is dropped. In this case, start_ts and
finish_ts will be the UTC time the file is dropped.

rating For a zip file, the result is an array of the following, which denotes types of ratings of its
children:
Unknown,
Clean,
Malicious,
High Risk,
Medium Risk,
Low Risk,
For a single file, array size is 1

score For a zip file, the result is the bitwise combination of the following:
RISK_UNKNOWN=0
RISK_CLEAN=1
RISK_MALICIOUS=2
RISK_LOW=4
RISK_MEDIUM=8
RISK_HIGH=16
For a single file, it will be one of above value

start_ts start scan time, UTC

finish_ts finish scan time, UTC

vid detailed information of virus can be found at
http://www.fortiguard.com/encyclopedia/virus/#id=virus_id

behavior_info if detailed behavior information is available. 0: not available, 1: available

false_positive_negative 0: not false positive or false negative, 1: false positive, 2: false negative, order is
corresponding order of JID

untrusted 0: the result can be trusted
1: the scan environment has changed since this file's scan

now FortiSandbox's time, UTC

ftype File type of file, e.g., "exe", "pdf", "Unknown"
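
A sketch of how a client could batch checksums for /scan/result/multifile and read the verdicts back, as an added example that is not part of the Fortinet reference. It uses the 100-checksum limit and the score bit values from the notes above; build_requests, decode_score and summarise are names chosen for this example, the sample response is constructed, and because the sample response shows rating as a plain string while the notes describe an array, the code accepts both.

```python
import re

MAX_PER_REQUEST = 100   # "Maximum 100 checksum" per the notes above
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
# Bit values from the score note above (RISK_UNKNOWN is 0: no bit set).
SCORE_BITS = {1: "Clean", 2: "Malicious", 4: "Low Risk",
              8: "Medium Risk", 16: "High Risk"}
# Most severe first; the numeric bit values do not follow severity.
SEVERITY = ["Malicious", "High Risk", "Medium Risk", "Low Risk",
            "Clean", "Unknown"]
KNOWN = "f5e17ed3be9e9fa12360d67af93b33ac8299434369714b44f4c0482432b41b6e"
UNSEEN = "b34af9dc65a3fe82ade27fae290df13a087c4f532272ce3dcb5f851d31db2c04"


def build_requests(checksums, ctype, session):
    """Validate checksums and split them into request bodies of at most 100."""
    if ctype not in HEX_LEN:
        raise ValueError("ctype must be one of %s" % sorted(HEX_LEN))
    pattern = re.compile(r"[0-9a-fA-F]{%d}" % HEX_LEN[ctype])
    unique = {}
    for value in checksums:
        value = value.strip().lower()
        if not pattern.fullmatch(value):
            raise ValueError("not a %s checksum: %r" % (ctype, value))
        unique[value] = None              # dict keeps order, drops duplicates
    values = list(unique)
    bodies = []
    for start in range(0, len(values), MAX_PER_REQUEST):
        bodies.append({
            "method": "post",
            "params": [{"url": "/scan/result/multifile", "ctype": ctype,
                        "checksum": values[start:start + MAX_PER_REQUEST]}],
            "session": session,
            "id": 43,
            "ver": "2.4",
        })
    return bodies


def decode_score(score):
    """Expand a score bitmask into rating names."""
    if score == 0:
        return ["Unknown"]
    if score < 0 or score & ~sum(SCORE_BITS):
        raise ValueError("score has undefined bits: %r" % score)
    return [name for bit, name in SCORE_BITS.items() if score & bit]


def summarise(response):
    """Map each queried checksum to its worst rating and trust flags."""
    status = response["result"]["status"]
    if status["code"] != 0:
        raise RuntimeError("API error: %s" % status["message"])
    verdicts = {}
    for entry in response["result"]["data"]:
        jobs = entry.get("job_list") or []
        ratings = set()
        for job in jobs:
            rating = job.get("rating", "Unknown")
            ratings.update([rating] if isinstance(rating, str) else rating)
        unexpected = ratings - set(SEVERITY)
        if unexpected:
            raise ValueError("unexpected rating: %s" % sorted(unexpected))
        verdicts[entry["checksum"]] = {
            "scanned": bool(jobs),   # False: entry came back without job_list
            "worst": min(ratings, key=SEVERITY.index) if ratings else None,
            # untrusted=1: scan environment changed since this file's scan
            "stale": any(job.get("untrusted") == 1 for job in jobs),
            # 1 or 2: a job is marked false positive or false negative
            "disputed": any(job.get("false_positive_negative") for job in jobs),
        }
    return verdicts


SAMPLE = {  # constructed, modelled on the response shown above
    "id": 43, "ver": "2.4", "result": {
        "url": "/scan/result/multifile",
        "status": {"code": 0, "message": "OK"},
        "data": [
            {"checksum": KNOWN, "now": 1377618931, "job_list": [
                {"jid": 1, "rating": "Malicious", "score": 2,
                 "untrusted": 1, "false_positive_negative": 0},
                {"jid": 2, "rating": ["High Risk", "Clean"], "score": 17,
                 "untrusted": 0, "false_positive_negative": 2}]},
            {"checksum": UNSEEN, "now": 1377618931}]}}

if __name__ == "__main__":
    for checksum, verdict in summarise(SAMPLE).items():
        print(checksum[:12], verdict)
```

A checksum whose entry has no job_list is reported as not scanned rather than clean, so it can be routed to submission instead of being trusted.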

45. Get configured user defined file extensions and exclusion list of user configured file extensions

{
"method": "get",
"params": [


{
"url": "/config/scan/file_exts"
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 45,
"ver": "2.4"
}
{
"id": 45,
"ver": "2.4",
"result": {
"url": "/config/scan/file_exts",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"user-defined-exts": "ext1 ext2 ext3 mydef",
"exclusion-list": "docx pdf"
}
}
}

Notes and Comments:

message "OK", "INVALID_SESSION"

49. Get original file sample


{
"method": "get",
"params": [
{
"url": "/scan/result/get-avsample",
"jid": 3496445442339405684
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 49,
"ver": "2.5"
}
{
"id": 49,
"ver": "2.5",
"result": {
"url": "/scan/result/get-avsample",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"avsample": "base64_encoded_zip_file",
"filename": "original_file_name"
}
}
}

Notes and Comments:

message "OK", "INVALID_SESSION", "INVALID_JOB_ID", "INVALID_DATA"

50. Get PDF report


{
"method": "get",
"params": [
{
"url": "/scan/result/get-pdf-report",
"qtype": 'jid' or 'sha256',
"qval": 3496445442339405684 or
'90877c1f6e7c97fb11249dc28dd16a3a3ddfac935d4f38c69307a71d96c8ef45'
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 50,
"ver": "2.5"
}
{
"id": 50,
"ver": "2.5",
"result": {
"url": "/scan/result/get-pdf-report",
"status": {
"code": 0,
"message": "OK"
},
"data":{
"report": "base64_encoded_pdf_file",
"report_name": "original_file_name"
}
}
}

Notes and Comments:

message "OK", "INVALID_SESSION", "INVALID_JOB_ID", "INVALID_DATA"
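
An added example, not part of the Fortinet reference, covering both get-avsample (49) and get-pdf-report (50): the payload arrives as base64 and the name field carries the original file name, so both are validated before anything is written to disk. The function names, the magic-byte checks (a regular zip starting with PK\x03\x04, a PDF starting with %PDF-) and the forced suffix are assumptions made here.

```python
import base64
import binascii
import io
import re
import zipfile

# Per payload field: name field, expected leading bytes, local suffix.
KINDS = {
    "avsample": ("filename", b"PK\x03\x04", ".zip"),
    "report": ("report_name", b"%PDF-", ".pdf"),
}


def safe_name(name, suffix):
    """Reduce an API-supplied name to a bare local file name with a fixed suffix."""
    base = re.split(r"[\\/]", str(name))[-1]  # drop any directory part
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")[:100] or "artifact"
    return base if base.lower().endswith(suffix) else base + suffix


def extract_artifact(response, blob_key):
    """Return (local_name, raw_bytes) from a get-avsample or get-pdf-report reply."""
    name_key, magic, suffix = KINDS[blob_key]
    result = response["result"]
    status = result["status"]
    if status["code"] != 0 or status["message"] != "OK":
        raise RuntimeError("API returned " + str(status["message"]))
    data = result["data"]
    try:
        raw = base64.b64decode(data[blob_key], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("payload is not valid base64") from exc
    if not raw.startswith(magic):
        raise ValueError("payload does not look like " + suffix)
    return safe_name(data.get(name_key, ""), suffix), raw


def constructed_avsample_reply():
    """Constructed reply in the shape of example 49, with a hostile file name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("sample.bin", b"constructed bytes")
    return {"id": 49, "ver": "2.5", "result": {
        "url": "/scan/result/get-avsample",
        "status": {"code": 0, "message": "OK"},
        "data": {"avsample": base64.b64encode(buf.getvalue()).decode(),
                 "filename": "..\\..\\invoice.exe"}}}


if __name__ == "__main__":
    name, raw = extract_artifact(constructed_avsample_reply(), "avsample")
    print(name, len(raw))
```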

51. Set admin profiles


{
"id": "51",
"method": "post",
"params": [
{
"url": "/scan/result/admin-profile",
"action": "delete",
"comment": "YOUR COMMENT",
"privileges": {
"scan_searches": 1,
"fortiview": 1,
"vm": 3,
"cluster": 1,
"log_local_config": 1,
"report_access": 1,
"network": 1,
"system": 1,
"dl_orig": 4,
"record_video": 1,
"log_servers": 1,
"maintenance": 1,
"json_api": 1,
"url_detection": 1,
"operation_center": 1,
"file_detection": 2,
"logs_reports": 1,
"network_alerts": 2,
"threats_analysis": 1,
"ha_cluster": 1,
"packages": 1,
"jobdetail": 1,
"on_demand": 1,
"interaction": 1,
"file_inputs": 1,
"admin": 1,
"report_center": 1,
"log_events": 1,
"dashboard": 1,
"slaves": 1,
"scan_policy": 1,
"scan_input": 1
},
"name": "ADMINPROFILENAME"
}
],
"session": "cff2331cfccf11e88a20484d7e9c2dd0",
"ver": "2.3"
}

Notes and Comments:

action "create", "update", "delete"

privileges 1: None/Disable, 2: Read Only, 3: Read/Write, 4: Enable

name The name of the admin profile that you want to create, change, or delete

For delete, there is no need to include privileges in the JSON.

52. Get job ID by time and score


{
"method": "get",
"params": [
{
"url": "/scan/result/jids",
"score": job score,
"start_ts": "2018-01-01 16:00:00", start time
"end_ts": "2018-01-01 17:00:00", end time
}
],
"session": "gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI=",
"id": 52,
"ver": "2.5"
}
{
"id": 52,
"ver": "2.5",
"result": {
"url": "/scan/result/jids",
"status": {
"message": "OK",
"code": 0
},
"data":{
"jid": []
}
}
}

Notes and Comments:

message "OK", "INVALID_SESSION", "INVALID_PARAM", "DATA_NOT_EXIST"

jid Job IDs

53. Login with token


{
"method": "exec",
"params": [
{
"url": "/sys/login/token",
"token": "LOGIN_TOKEN"
}
],
"id": 53,
"ver": "2.3"
}

{
"id": 53,
"ver": "2.3",
"result": {
"url": "/sys/login/token",
"status": {
"code": 0,
"message": "OK"
}
},
"session":"gzKj2PsMZ+4Hhs8Q9Ra+br+YStvpqWz\/8e291G1j1GI="
}

Notes and Comments:

message "OK", "TOKEN_NOT_EXISTS", "TOKEN_NOT_MATCH", "WRONG_DATA"

Change Log

Date Change Description

2020-12-17 Initial release.

Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.
