HFortix - Python SDK for Fortinet products (FortiOS, FortiManager, FortiAnalyzer)
Project description
HFortix - Fortinet Python SDK
Python client library for Fortinet products including FortiOS, FortiManager, and FortiAnalyzer.
๐ฏ Current Status
โ ๏ธ BETA STATUS: All implementations are functional but in beta. APIs work correctly but may have incomplete parameter coverage or undiscovered edge cases.
FortiOS 7.6.5 Coverage (December 19, 2025):
- CMDB API: 37 of 37 categories (100% coverage) - 500+ endpoints ๐ท Beta
- Monitor API: 32 of 32 categories (100% coverage) - 200+ endpoints ๐ท Beta
- Log API: 5 of 5 categories (100% coverage) - Log reading functionality ๐ท Beta
- Service API: 3 of 3 categories (100% coverage) - 21 methods ๐ท Beta
- Overall: 77 of 77 categories (100% coverage) - 750+ API methods ๐
Test Coverage: 226 test files (145 CMDB, 81 Monitor) with 75%+ pass rate (~50% of generated endpoints tested)
Note: All implementations remain in beta until version 1.0.0 with comprehensive unit test coverage.
๐ฅ Recent Highlights (December 2025):
- ๐ 100% API COVERAGE: Complete implementation of ALL documented FortiOS 7.6.5 API categories!
- ๐ MASSIVE EXPANSION: Generated 500+ new endpoints across 37 CMDB + 32 Monitor categories
- ๐ API Refactoring: All endpoints refactored with RESTful methods (.list(), .get(), .create(), .update(), .delete())
- โก Dual-Pattern Interface: Flexible syntax supporting both dictionary and keyword arguments
- ๐๏ธ Repository Organization: Clean structure with all dev tools
- โก Unified Module Generator: Single tool handles all edge cases (digit-prefixed names, certificates, nested resources)
- โจ Monitor API (v0.3.11): 6 categories with 50+ monitoring endpoints (firewall stats, sessions, EMS, etc.)
- โจ Log Configuration (v0.3.11): 56 endpoints for comprehensive logging setup
- โจ Firewall Expansion (v0.3.11): FTP proxy, ICAP, IPS, DoS policies, access-proxy (WAF)
๐ Documentation:
- User Guide: QUICKSTART.md - Getting started guide
- Async Guide: ASYNC_GUIDE.md - Async/await support documentation
- API Method Reference: ENDPOINT_METHODS.md - All 857 endpoints with available methods
- Helper Methods Guide: HELPER_METHODS.md - Safe existence checking and best practices
- API Coverage: API_COVERAGE.md - Implementation status by category
- Full Changelog: CHANGELOG.md - Complete version history
Latest Features (v0.3.15):
- โจ Async/Await Support: Full dual-mode support for async operations (NEW!)
- Single
FortiOSclass works in both sync and async modes - All 750+ API methods support async with
mode="async"parameter - All helper methods (
.exists()) work transparently in both modes - Async context manager support with
async with - Zero breaking changes - existing sync code continues to work
- Single
- โจ 288 Endpoints Updated: All
.exists()helper methods now async-aware - ๐๏ธ Refactored Architecture: Improved code quality and maintainability
- Protocol-based HTTP client interface (
IHTTPClient) for extensibility - Eliminated 744 lines of duplicated code (35% reduction)
- Shared base class (
BaseHTTPClient) for sync and async clients - Enhanced testability and consistency across sync/async modes
- Users can now provide custom HTTP client implementations
- Protocol-based HTTP client interface (
Also in v0.3.15:
- โจ Request ID / Correlation Tracking: Auto-generated or custom request IDs for distributed tracing
- โจ Circuit Breaker Pattern: Automatic fail-fast to prevent cascading failures (opens after 5 failures, auto-recovers)
- โจ Connection Pool Metrics: Monitor HTTP client health with
get_connection_stats()method - โจ Per-Endpoint Timeouts: Configure custom timeouts per endpoint with wildcard pattern support
- โจ Structured Logging: Machine-readable logs with extra fields (request_id, endpoint, method, status_code, duration)
- โจ 100% Backwards Compatible: All existing code works unchanged
Previous Release (v0.3.12):
- โจ HTTP/2 Support: Modern httpx library with connection multiplexing for improved performance
- โจ Automatic Retry Logic: Exponential backoff (1s, 2s, 4s, 8s, 30s max) for transient failures
- โจ Enhanced Reliability: Retries on connection errors, timeouts, rate limits (429), server errors (500-504)
- โจ Context Manager Support: Use
with HTTPClient(...) as client:for automatic cleanup - โจ Retry Statistics: Track retry attempts by reason and endpoint
- โจ Better Error Handling: Graceful fallback for non-JSON responses, improved logging
Previous Release (v0.3.11):
- โจ FTP Proxy Category: FTP proxy configuration (1 endpoint)
- explicit: FTP proxy explicit configuration with SSL/TLS support
- FTPS support, SSL certificate management, custom encryption
- 10 parameters: status, ports, IPs, security actions, SSL settings
- Test coverage: 5 test sections with comprehensive validation
- โจ Monitor API Categories: 6 categories implemented (18% coverage)
- firewall/: 39 endpoints for firewall monitoring
- Policy statistics, session monitoring, ACL counters
- Address objects, traffic shapers, GTP stats
- Special endpoints: policy-lookup (callable), clearpass-address (actions)
- endpoint-control/: 7 endpoints for FortiClient EMS monitoring
- azure/, casb/, extender-controller/, extension-controller/: Additional monitoring
- Test coverage: 39 firewall tests with 100% pass rate
- All endpoints support explicit parameters (no **kwargs)
- โจ Log Configuration Category: 56 endpoints for comprehensive logging setup
- Nested object pattern:
fgt.api.cmdb.log.disk.filter.get() - Multiple FortiAnalyzer, syslog, TACACS+ server support
- Custom fields, event filters, threat weights
- Nested object pattern:
- โจ ICAP Category: Complete ICAP integration (3 endpoints, 30+ parameters)
- โจ IPS Category: Full IPS management (8 endpoints)
- Custom signatures, sensors, decoders, rules
- โจ Monitoring & Report Categories: NPU-HPE monitoring, report layouts
- โจ Firewall Category Expansion: 29 endpoints with nested objects
- DoS policies, access-proxy (reverse proxy/WAF)
- Schedule, service, shaper, SSH/SSL configurations
Previous Release (v0.3.10):
- โจ Configurable Timeouts: Customize connection and read timeouts
connect_timeout: Connection establishment timeout (default: 10.0s)read_timeout: Response read timeout (default: 300.0s)- Example:
FortiOS(host='...', token='...', connect_timeout=30.0, read_timeout=600.0)
- โจ URL Encoding for Special Characters: Automatic encoding of special characters in object names
- Handles
/,@,:, spaces, and other special characters - Works with objects like
Test_NET_192.0.2.0/24(IP addresses with CIDR notation) - Applied to all 145 CMDB endpoint files automatically
- Handles
- โ Bug Fix: Fixed 404 errors when object names contain special characters
Previous Release (v0.3.9):
- โจ raw_json Parameter: All 200+ API methods now support
raw_json=Truefor full response access - โจ Logging System: Global and per-instance logging control
- โ Code Quality: 100% PEP 8 compliance (black + isort + flake8)
- โ Comprehensive Tests: 200+ test files covering all endpoints
Previous Releases:
- v0.3.8: Dual-pattern interface for all create/update methods
- v0.3.7: Packaging and layout improvements
- v0.3.6: Hidden internal CRUD methods for cleaner autocomplete
- v0.3.5: Enhanced IDE autocomplete with PEP 561 type hints
- v0.3.4: Unified import syntax documentation
- v0.3.0: Firewall endpoints expansion
๐ฏ Features
- Unified Package: Import all Fortinet products from a single package
- Type-Safe & Type-Checked: Full PEP 561 compliance with mypy/pyright support for IDE autocomplete
- Async/Await Support: Full dual-mode operation - works with both sync and async code
- Modular Architecture: Each product module can be used independently
- PyPI Installation:
pip install hfortix- simple and straightforward - Comprehensive Exception Handling: 387+ FortiOS error codes with detailed descriptions
- Automatic Retry Logic: Built-in retry mechanism with exponential backoff for transient failures
- HTTP/2 Support: Modern HTTP client with connection multiplexing for improved performance
- Circuit Breaker: Prevents cascade failures with automatic recovery
- Simplified APIs: Auto-conversion for common patterns (e.g., address group members)
- Well-Documented: Extensive API documentation and examples
- Modern Python: Type hints, PEP 585 compliance, Python 3.10+
๐ฆ Available Modules
| Module | Status | Description |
|---|---|---|
| FortiOS | โ Active | FortiGate firewall management API |
| FortiManager | โธ๏ธ Planned | Centralized management for FortiGate devices |
| FortiAnalyzer | โธ๏ธ Planned | Log analysis and reporting platform |
๐ Installation
From PyPI (Recommended)
pip install hfortix
๐ Quick Start
Basic Usage
from hfortix import FortiOS
# Initialize with API token (recommended)
fgt = FortiOS(
host='192.168.1.99',
token='your-api-token',
verify=False # Use True in production with valid SSL cert
)
# List firewall addresses
addresses = fgt.api.cmdb.firewall.address.list()
print(f"Found {len(addresses['results'])} addresses")
# Create a new address
result = fgt.api.cmdb.firewall.address.create(
name='web-server',
subnet='192.168.10.50/32',
comment='Production web server'
)
Raw JSON Response โจ
All API methods support raw_json parameter for full response access:
# Default behavior - returns just the results
addresses = fgt.api.cmdb.firewall.address.list()
print(addresses) # ['obj1', 'obj2', 'obj3']
# With raw_json=True - returns complete API response
response = fgt.api.cmdb.firewall.address.list(raw_json=True)
print(response['http_status']) # 200
print(response['status']) # 'success'
print(response['results']) # ['obj1', 'obj2', 'obj3']
print(response['serial']) # 'FGT60FTK19000001'
print(response['version']) # 'v7.6.5'
# Useful for error checking
result = fgt.api.cmdb.firewall.address.get('web-server', raw_json=True)
if result['http_status'] == 200:
print(f"Object found: {result['results']}")
else:
print(f"Error: {result.get('error', 'Unknown error')}")
Available on: All 45+ API methods (100% coverage)
Logging Control โจ
Control logging output globally or per-instance:
import hfortix
from hfortix import FortiOS
# Enable detailed logging globally for all instances
hfortix.set_log_level('DEBUG') # Very verbose - all requests/responses
hfortix.set_log_level('INFO') # Normal - request summaries
hfortix.set_log_level('WARNING') # Quiet - only warnings (default)
hfortix.set_log_level('ERROR') # Silent - only errors
hfortix.set_log_level('OFF') # No logging output
# Or enable logging for a specific instance
fgt = FortiOS('192.168.1.99', token='your-token', debug='info')
# Automatic sensitive data sanitization
# Tokens, passwords, and API keys are automatically masked in logs
Features:
- 5 log levels (DEBUG, INFO, WARNING, ERROR, OFF)
- Automatic sensitive data sanitization
- Request/response logging with timing
- Hierarchical loggers for fine-grained control
Advanced HTTP Features โจ NEW in v0.3.15
Enterprise-grade reliability and observability features:
from hfortix import FortiOS
fgt = FortiOS('192.168.1.99', token='your-token', verify=False)
# 1. Request correlation tracking (auto-generated or custom)
result = fgt._client.request(
"GET", "monitor", "system/status",
request_id="batch-update-2025-12-17"
)
# 2. Monitor connection pool health
stats = fgt._client.get_connection_stats()
print(f"Circuit breaker: {stats['circuit_breaker_state']}")
print(f"HTTP/2 enabled: {stats['http2_enabled']}")
# 3. Circuit breaker pattern (automatic fail-fast)
# Opens after 5 consecutive failures, auto-recovers after 60s
try:
result = fgt.api.monitor.system.status.get()
except RuntimeError as e:
if "Circuit breaker is OPEN" in str(e):
print("Service is down - failing fast")
fgt._client.reset_circuit_breaker() # Manual reset
# 4. Per-endpoint timeouts (custom timeouts for slow endpoints)
fgt._client.configure_endpoint_timeout('monitor/*', read=10.0)
fgt._client.configure_endpoint_timeout('cmdb/firewall/policy', read=600.0)
# 5. Structured logging (machine-readable logs with extra fields)
# All logs include: request_id, endpoint, method, status_code, duration
# Compatible with Elasticsearch, Splunk, CloudWatch
Benefits:
- Request Tracking: Trace requests across distributed systems
- Circuit Breaker: Prevent cascading failures during outages
- Metrics: Monitor connection pool health and performance
- Fine-tuned Timeouts: Different timeouts for fast/slow endpoints
- Structured Logs: Machine-readable for log aggregation tools
๐ Full documentation: docs/ADVANCED_HTTP_FEATURES.md
Dual-Pattern Interface โจ
HFortix supports flexible dual-pattern syntax - use dictionaries, keywords, or mix both:
# Pattern 1: Dictionary-based (great for templates)
config = {
'name': 'web-server',
'subnet': '192.168.10.50/32',
'comment': 'Production web server'
}
fgt.api.cmdb.firewall.address.create(data_dict=config)
# Pattern 2: Keyword-based (great for readability)
fgt.api.cmdb.firewall.address.create(
name='web-server',
subnet='192.168.10.50/32',
comment='Production web server'
)
# Pattern 3: Mixed (template + overrides)
base_config = load_template('address_template.json')
fgt.api.cmdb.firewall.address.create(
data_dict=base_config,
name=f'server-{site_id}', # Override name
comment=f'Site: {site_name}'
)
Available on: 43 methods across 13 categories (100% coverage)
- All CMDB create/update operations (38 endpoints)
- Service operations (5 methods)
Exception Handling
from hfortix import (
FortiOS,
APIError,
ResourceNotFoundError,
DuplicateEntryError
)
try:
result = fgt.api.cmdb.firewall.address.create(
name='test-address',
subnet='10.0.0.0/24'
)
except DuplicateEntryError as e:
print(f"Address already exists: {e}")
except ResourceNotFoundError as e:
print(f"Resource not found: {e}")
except APIError as e:
print(f"API Error: {e.message}")
print(f"HTTP Status: {e.http_status}")
print(f"Error Code: {e.error_code}")
๐๏ธ Project Structure
fortinet/
โโโ hfortix/ # Main package
โ โโโ __init__.py # Public API exports
โ โโโ exceptions.py # Base exceptions
โ โโโ exceptions_forti.py # FortiOS-specific error codes/helpers
โ โโโ py.typed # PEP 561 marker
โ โโโ FortiOS/
โ โโโ __init__.py
โ โโโ fortios.py # FortiOS client
โ โโโ http_client.py # Internal HTTP client
โ โโโ exceptions.py # FortiOS re-exports
โ โโโ api/
โ โโโ v2/
โ โโโ cmdb/ # Configuration endpoints
โ โโโ log/ # Log reading endpoints
โ โโโ service/ # Service operations
โ โโโ monitor/ # Monitoring endpoints
โโโ setup.py # Package configuration
โโโ pyproject.toml # Build system config
โโโ README.md # This file
โโโ QUICKSTART.md # Quick reference guide
โโโ API_COVERAGE.md # API implementation status
โโโ CHANGELOG.md # Version history
๐ Module Discovery
Check which modules are available:
from hfortix import get_available_modules
modules = get_available_modules()
print(modules)
# {'FortiOS': True, 'FortiManager': False, 'FortiAnalyzer': False}
๐ Examples
FortiOS - Firewall Address Management
from hfortix import FortiOS
fgt = FortiOS(host='192.168.1.99', token='your-token', verify=False)
# List addresses
addresses = fgt.api.cmdb.firewall.address.list()
# Create address
result = fgt.api.cmdb.firewall.address.create(
name='web-server',
subnet='10.0.1.100/32',
comment='Production web server'
)
# Update address
result = fgt.api.cmdb.firewall.address.update(
name='web-server',
comment='Updated comment'
)
# Delete address
result = fgt.api.cmdb.firewall.address.delete(name='web-server')
FortiOS - DoS Protection (NEW!)
# Create IPv4 DoS policy with simplified API
result = fgt.api.cmdb.firewall.dos_policy.create(
policyid=1,
name='protect-web-servers',
interface='port3', # Simple string format
srcaddr=['all'], # Simple list format
dstaddr=['web-servers'],
service=['HTTP', 'HTTPS'],
status='enable',
comments='Protect web farm from DoS attacks'
)
# API automatically converts to FortiGate format:
# interface='port3' โ {'q_origin_key': 'port3'}
# service=['HTTP'] โ [{'name': 'HTTP'}]
# Custom anomaly detection thresholds
result = fgt.api.cmdb.firewall.dos_policy.create(
policyid=2,
name='strict-dos-policy',
interface='wan1',
srcaddr=['all'],
dstaddr=['all'],
service=['ALL'],
anomaly=[
{'name': 'tcp_syn_flood', 'threshold': 500, 'action': 'block'},
{'name': 'udp_flood', 'threshold': 1000, 'action': 'block'}
]
)
FortiOS - Reverse Proxy/WAF (NEW!)
# Create access proxy (requires VIP with type='access-proxy')
result = fgt.api.cmdb.firewall.access_proxy.create(
name='web-proxy',
vip='web-vip', # VIP must be type='access-proxy'
auth_portal='enable',
log_blocked_traffic='enable',
http_supported_max_version='2.0',
svr_pool_multiplex='enable'
)
# Create virtual host with simplified API
result = fgt.api.cmdb.firewall.access_proxy_virtual_host.create(
name='api-vhost',
host='*.api.example.com',
host_type='wildcard',
ssl_certificate='Fortinet_Factory' # String auto-converts to list
)
# API automatically converts:
# ssl_certificate='cert' โ [{'name': 'cert'}]
FortiOS - Address & Address Group Management (NEW!)
# Create IPv4 address (subnet)
result = fgt.api.cmdb.firewall.address.create(
name='internal-net',
type='ipmask',
subnet='192.168.1.0/24',
comment='Internal network'
)
# Create IPv4 address (IP range)
result = fgt.api.cmdb.firewall.address.create(
name='dhcp-range',
type='iprange',
start_ip='192.168.1.100',
end_ip='192.168.1.200'
)
# Create IPv4 address (FQDN)
result = fgt.api.cmdb.firewall.address.create(
name='google-dns',
type='fqdn',
fqdn='dns.google.com'
)
# Create IPv6 address
result = fgt.api.cmdb.firewall.address6.create(
name='ipv6-internal',
type='ipprefix',
ip6='2001:db8::/32',
comment='IPv6 internal network'
)
# Create address group with simplified API
result = fgt.api.cmdb.firewall.addrgrp.create(
name='internal-networks',
member=['subnet1', 'subnet2', 'subnet3'], # Simple string list!
comment='All internal networks'
)
# API automatically converts:
# member=['addr1', 'addr2'] โ [{'name': 'addr1'}, {'name': 'addr2'}]
# Create IPv6 address group
result = fgt.api.cmdb.firewall.addrgrp6.create(
name='ipv6-internal-networks',
member=['ipv6-subnet1', 'ipv6-subnet2'],
comment='All internal IPv6 networks'
)
# Create IPv6 address template
result = fgt.api.cmdb.firewall.address6_template.create(
name='ipv6-subnet-template',
ip6='2001:db8::/32',
subnet_segment_count=2,
comment='IPv6 subnet template'
)
FortiOS - Schedule Management
# Create recurring schedule
result = fgt.api.cmdb.firewall.schedule.recurring.create(
name='business-hours',
day=['monday', 'tuesday', 'wednesday', 'thursday', 'friday'],
start='08:00',
end='18:00'
)
# Create one-time schedule
from datetime import datetime, timedelta
tomorrow = datetime.now() + timedelta(days=1)
start = f"09:00 {tomorrow.strftime('%Y/%m/%d')}"
end = f"17:00 {tomorrow.strftime('%Y/%m/%d')}"
result = fgt.api.cmdb.firewall.schedule.onetime.create(
name='maintenance-window',
start=start,
end=end,
color=5
)
FortiOS - Routing Protocols (Singleton Endpoints) โ ๏ธ
Important: Routing protocol configurations use a different pattern than collection endpoints.
Collection Endpoints (addresses, policies, etc.) support standard CRUD:
# Standard CRUD - simple and intuitive
fgt.api.cmdb.firewall.address.create(name='test', subnet='192.168.1.0/24')
fgt.api.cmdb.firewall.address.update(name='test', comment='updated')
fgt.api.cmdb.firewall.address.delete('test')
Singleton Endpoints (BGP, OSPF, RIP, ISIS, etc.) require GETโModifyโPUT pattern:
# BGP Neighbor Management - requires full config update
# Step 1: Get current BGP configuration
result = fgt.api.cmdb.router.bgp.get()
# Step 2: Extract config (handles different response formats)
if isinstance(result, list):
config = result[0] if result else {}
elif isinstance(result, dict) and 'results' in result:
config = result['results']
if isinstance(config, list):
config = config[0] if config else {}
else:
config = result
# Step 3: Modify nested objects (neighbors, networks, etc.)
neighbors = config.get('neighbor', [])
neighbors.append({
'ip': '10.0.0.1',
'remote-as': 65001,
'description': 'New BGP neighbor',
'shutdown': 'enable' # Disabled for safety
})
config['neighbor'] = neighbors
# Step 4: Send entire config back
result = fgt.api.cmdb.router.bgp.update(data_dict=config)
# Verify
config = fgt.api.cmdb.router.bgp.get()
# Extract config again (same as step 2)
neighbors = config.get('neighbor', []) if isinstance(config, dict) else []
print(f"BGP now has {len(neighbors)} neighbors")
# OSPF Network Management - same pattern
config = fgt.api.cmdb.router.ospf.get()
# Extract config (same pattern as BGP)
if isinstance(config, list):
config = config[0] if config else {}
networks = config.get('network', [])
networks.append({
'id': 9999,
'prefix': '192.168.1.0 255.255.255.0'
})
config['network'] = networks
fgt.api.cmdb.router.ospf.update(data_dict=config)
# RIP Network Management
config = fgt.api.cmdb.router.rip.get()
if isinstance(config, list):
config = config[0]
networks = config.get('network', [])
networks.append({'id': 1, 'prefix': '10.0.0.0 255.0.0.0'})
config['network'] = networks
fgt.api.cmdb.router.rip.update(data_dict=config)
Why This Pattern?
- FortiOS API design: Routing protocols are singleton objects (only one BGP/OSPF/RIP config per VDOM)
- Nested objects (neighbors, networks, areas) are managed as lists within the main config
- The API requires sending the entire configuration on updates to maintain consistency
Future Enhancement: Helper methods are planned to simplify this pattern:
# Planned for future release (not yet available)
fgt.api.cmdb.router.bgp.add_neighbor(ip='10.0.0.1', remote_as=65001)
fgt.api.cmdb.router.bgp.remove_neighbor('10.0.0.1')
fgt.api.cmdb.router.bgp.list_neighbors()
Affected Endpoints:
router/bgp- BGP neighbors, networks, aggregate addresses, VRFsrouter/ospf- OSPF areas, interfaces, networks, neighborsrouter/ospf6- OSPFv3 areas, interfacesrouter/rip- RIP networks, neighbors, interfacesrouter/ripng- RIPng networks, neighborsrouter/isis- IS-IS NETs, interfacesrouter/bfd- BFD neighbors (IPv4)router/bfd6- BFD neighbors (IPv6)
See the test files in the development workspace for complete working examples.
### Helper Methods - Safe Existence Checking โจ
The `.exists()` helper method provides safe existence checking on 288 CMDB endpoints without raising exceptions:
```python
from hfortix import FortiOS
fgt = FortiOS(host='192.168.1.99', token='your-token', verify=False)
# Check if object exists before operations
if fgt.api.cmdb.firewall.address.exists('web-server'):
print("Address already exists")
fgt.api.cmdb.firewall.address.update('web-server', comment='Updated')
else:
print("Creating new address")
fgt.api.cmdb.firewall.address.create(
name='web-server',
subnet='10.0.1.100/32'
)
# Safe deletion pattern
if fgt.api.cmdb.user.local.exists('testuser'):
fgt.api.cmdb.user.local.delete('testuser')
# Conditional processing
users = ['alice', 'bob', 'charlie']
for user in users:
if not fgt.api.cmdb.user.local.exists(user):
fgt.api.cmdb.user.local.create(
name=user,
type='password',
passwd='SecureP@ss123'
)
Available on: 288 endpoints with full CRUD operations (firewall addresses, policies, users, VPN configs, etc.)
๐ Complete Documentation:
- See HELPER_METHODS.md for detailed guide with examples
- See ENDPOINT_METHODS.md for complete API method reference
Exception Hierarchy
Exception
โโโ FortinetError (base)
โโโ AuthenticationError
โโโ AuthorizationError
โโโ APIError
โโโ ResourceNotFoundError (404)
โโโ BadRequestError (400)
โโโ MethodNotAllowedError (405)
โโโ RateLimitError (429)
โโโ ServerError (500)
โโโ DuplicateEntryError (-5, -15, -100)
โโโ EntryInUseError (-23, -94, -95)
โโโ InvalidValueError (-651, -1, -50)
โโโ PermissionDeniedError (-14, -37)
๐งช Testing
Note: This SDK is currently in beta (v0.3.x). All endpoints are functional but will remain in beta status until version 1.0.0 with comprehensive unit test coverage.
Current Status:
- All implemented endpoints are tested against live FortiGate devices
- Integration testing performed during development
- Unit test framework planned for v1.0.0 release
๐ Version
Current version: 0.3.12 (See CHANGELOG.md for release notes)
from hfortix import get_version
print(get_version())
๐ค Contributing
Contributions are welcome! Please feel free to:
- Report bugs and issues
- Suggest new features or improvements
- Submit pull requests
For code contributions:
- Fork the repository
- Create a feature branch
- Make your changes with proper tests
- Submit a pull request with clear description
๐ License
Proprietary License - Free for personal, educational, and business use.
You may:
- Use for personal projects and learning
- Use in your business operations
- Deploy in client environments
- Use in managed services and technical support
You may not:
- Sell the software itself as a standalone product
- Redistribute as your own product
See CHANGELOG.md v0.2.0 for details.
๐ Links
๐ก Tips
- Use API Tokens: Only token-based authentication is supported for FortiOS REST API
- Error Handling: Always catch specific exceptions for better error handling
- Verify SSL: Set
verify=Truein production (requires valid certificates) - Automatic Retries: Built-in retry logic handles transient failures (429, 500, 502, 503, 504)
- Connection Pooling: HTTP/2 support with connection multiplexing for better performance
- Timeout Configuration: Customize
connect_timeoutandread_timeoutfor your environment - Logging: Use
hfortix.set_log_level('INFO')for request/response debugging
โ๏ธ Configuration
Environment Variables
export FGT_HOST="192.168.1.99"
export FGT_TOKEN="your-api-token"
export FGT_VERIFY_SSL="false"
Using .env File
from dotenv import load_dotenv
import os
load_dotenv()
fgt = FortiOS(
host=os.getenv('FGT_HOST'),
token=os.getenv('FGT_TOKEN'),
verify=os.getenv('FGT_VERIFY_SSL', 'false').lower() == 'true'
)
๐ฏ Roadmap
- [๐ง] FortiOS API implementation (In Development)
- Exception handling system (387 error codes)
- Base client architecture with HTTP/2, retry logic, circuit breaker
- [๐ท] CMDB endpoints (Beta - 57.5% coverage, 23/40 categories)
- [๐ท] Firewall (address, policy, service, DoS, ICAP, IPS, etc.) - Beta
- [๐ท] System (interface, admin, global, etc.) - Beta
- [๐ท] Router (static, bgp, ospf, rip, isis, etc.) - NEW Beta โ ๏ธ See note below
- [๐ท] VPN (IPsec, SSL, etc.) - Beta
- [๐ท] Log (disk, syslog, fortianalyzer, etc.) - Beta
- [๐ท] Wireless Controller, User, Web Filter, Application - Beta
- Remaining 17 categories (Switch Controller, WAD, etc.)
- [๐ท] Monitor endpoints (Beta - 18% coverage, 6/33 categories)
- [๐ท] Firewall, Endpoint Control, Azure, CASB, Extender - Beta
- Remaining 27 categories
- [๐ท] Service endpoints (Beta - 100% coverage, 3/3 categories)
- Sniffer, Security Rating, etc.
- [๐ท] Log endpoints (Beta - 100% coverage, 5/5 categories)
- Traffic, Event, Virus, etc.
- Modular package architecture
- PyPI package publication (hfortix on PyPI)
- FortiManager module (Not Started)
- FortiAnalyzer module (Not Started)
- Helper methods for singleton routing endpoints (Planned)
- Async/await support (Implemented in v0.3.15)
- CLI tool (Planned)
โ ๏ธ Important Note: Singleton Routing Endpoints (Beta)
Routing protocol configurations (BGP, OSPF, RIP, ISIS, etc.) use a different pattern than collection endpoints:
-
Collection Endpoints (addresses, policies, etc.): Use standard CRUD operations
# Simple add/remove pattern fgt.api.cmdb.firewall.address.create(name='test', subnet='192.168.1.0/24') fgt.api.cmdb.firewall.address.delete('test')
-
Singleton Endpoints (bgp, ospf, rip, isis, etc.): Require GETโModifyโPUT pattern
# Must get entire config, modify, and send back config = fgt.api.cmdb.router.bgp.get() config['neighbor'].append({'ip': '10.0.0.1', 'remote-as': 65001}) fgt.api.cmdb.router.bgp.update(data_dict=config)
Why? This is a FortiOS API design - routing protocols are singleton objects with nested lists (neighbors, networks, areas). The API requires sending the entire configuration on updates.
Future Enhancement: Helper methods like add_neighbor(), remove_neighbor(), list_neighbors() are planned to simplify this pattern.
Affected Endpoints:
router/bgp- BGP neighbors, networks, VRFsrouter/ospf- OSPF areas, interfaces, networksrouter/ospf6- OSPFv3 configurationrouter/rip- RIP networks, neighborsrouter/ripng- RIPng configurationrouter/isis- IS-IS NETs, interfacesrouter/bfd- BFD neighbors (IPv4)router/bfd6- BFD neighbors (IPv6)
All implementations remain in BETA until version 1.0.0 with comprehensive unit test coverage.
๐ค Author
Herman W. Jacobsen
- Email: herman@wjacobsen.fo
- LinkedIn: linkedin.com/in/hermanwjacobsen
- GitHub: @hermanwjacobsen
Built with โค๏ธ for the Fortinet community
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
hfortix-0.3.15.tar.gz
(760.5 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file hfortix-0.3.15.tar.gz.
File metadata
- Download URL: hfortix-0.3.15.tar.gz
- Upload date:
- Size: 760.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3e1abc2a22d4b60744c13dec63334afa89d15366f68e498fbee9d85b4f8cc320
|
|
| MD5 |
efa11552fe19917d0e4eba1832669b06
|
|
| BLAKE2b-256 |
0f51574d17975c1b5761dc24006b1524eb79a45a65af4212d5e361231b30186d
|
File details
Details for the file hfortix-0.3.15-py3-none-any.whl.
File metadata
- Download URL: hfortix-0.3.15-py3-none-any.whl
- Upload date:
- Size: 2.2 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4f6dc7ed2711e52975aebb4b13c515a7cb8d93b58611fdec7a2ee9991e17a1cd
|
|
| MD5 |
93687522c232f61c3f72116dc9fd02b6
|
|
| BLAKE2b-256 |
e172d99187c892fdbb5f6a306e2e4d2c6269ca5d779cf6c185e96447b7de02eb
|
