Description
The Fortinet FortiGate connector uses the FortiOS REST API over HTTPS to discover local administrator accounts on a FortiGate firewall or FortiManager. It authenticates using API key authentication and enumerates administrator profiles and their access permissions across virtual domains (VDOMs).
System Type Classification
| Field | Value |
|---|---|
| System Type | Infrastructure |
| Default Scan Priority | 200 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| REST API (HTTPS) | 443 TCP | API key authentication via Authorization: Bearer header |
What OrbisID Discovers
| Data | Source |
|---|---|
| Administrator accounts | GET /api/v2/cmdb/system/admin |
| Admin profiles | GET /api/v2/cmdb/system/accprofile |
| VDOM assignments | vdom array per administrator |
| Memberships | Derived from admin-to-profile associations |
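The admin-to-profile join described in the table above, as an added example that is not OrbisID's own code: it derives memberships and VDOM assignments from constructed sample responses of the two endpoints and flags accounts whose profile grants more than read access to sysgrp and loggrp. The JSON field layout (`results`, `accprofile`, `vdom[].name`, `read`/`read-write` values), the profile names and the helper names are assumptions.

```python
import json

# Constructed sample bodies; the field layout (results[], accprofile, vdom[].name,
# sysgrp/loggrp values) is an assumption about the FortiOS cmdb response shape.
ADMIN_JSON = """{"status": "success", "results": [
  {"name": "admin", "accprofile": "net_ops_rw", "vdom": [{"name": "root"}, {"name": "dmz"}]},
  {"name": "orbis-api", "accprofile": "orbis_ro", "vdom": [{"name": "root"}]},
  {"name": "legacy", "accprofile": "deleted_prof", "vdom": []}
]}"""
PROFILE_JSON = """{"status": "success", "results": [
  {"name": "net_ops_rw", "sysgrp": "read-write", "loggrp": "read-write"},
  {"name": "orbis_ro", "sysgrp": "read", "loggrp": "read"}
]}"""

def results(body):
    """Return the results list, failing loudly on an error response."""
    doc = json.loads(body)
    if doc.get("status") != "success":
        raise ValueError(f"API call failed: {doc.get('status')!r}")
    return doc.get("results", [])

def derive_memberships(admin_body, profile_body):
    """Join each administrator to its access profile and VDOM list."""
    profiles = {p["name"]: p for p in results(profile_body)}
    rows = []
    for adm in results(admin_body):
        prof = profiles.get(adm.get("accprofile"))
        rows.append({
            "account": adm["name"],
            "profile": adm.get("accprofile"),
            "vdoms": [v["name"] for v in adm.get("vdom", [])],
            # A profile missing from the accprofile listing is reported, not dropped.
            "profile_found": prof is not None,
            "read_only": prof is not None and all(
                prof.get(g) in ("read", "none") for g in ("sysgrp", "loggrp")),
        })
    return rows

def exceeds_read_only(rows, account):
    """True when the named account's profile grants more than read access."""
    row = next(r for r in rows if r["account"] == account)
    return row["profile_found"] and not row["read_only"]

if __name__ == "__main__":
    for r in derive_memberships(ADMIN_JSON, PROFILE_JSON):
        print(r)
```

Running the same check against the dedicated API administrator confirms that the account used for discovery stays within the read-only minimum.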
Connection Requirements
Required Permissions
Create a dedicated API administrator in FortiGate with a read-only profile.
Minimum permissions:
- Read-only system access profile with sysgrp and loggrp read permissions
- API key generated from the administrator account
Credential Mapping
| OrbisID Field | Value |
|---|---|
| credential.password | FortiGate API key (token) |
| system.hostname | FortiGate management IP or FQDN |
Network Requirements
The OrbisID server must have HTTPS access to the FortiGate management interface on port 443. Self-signed certificates are accepted automatically.
Configuration Steps
- In FortiGate, navigate to System → Administrators → Create New → REST API Admin
- Assign a read-only admin profile and generate an API key
- Note the API key displayed (shown only once)
- Create a Credential in OrbisID:
  - Password: FortiGate API key
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., FortiGate – Edge Firewall) |
| OS Type | FortinetFortigate |
| System Type | Infrastructure |
| Hostname | FortiGate management IP or hostname |
| Credential | The API key credential |
- Click Test Connection
- Click Save
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| 401 Unauthorized | Invalid or expired API key | Regenerate the API key in FortiGate |
| No accounts returned | Read-only profile missing permissions | Add system read permissions to the API admin profile |
| Cannot connect | REST API not enabled | Enable REST API under System → Feature Visibility |
| VDOM errors | Multi-VDOM mode not configured | Set the VDOM parameter in the API URL if applicable |