Overview 💥
After upgrading Fortinet FortiGate devices to FortiOS 7.4.x, some Liongard FortiGate Inspectors may fail with:
Inspection failed at https://xxxx:8443/api/v2/cmdb/system/interface with status code 403: Request failed with status code 403
This issue is related to permissions and configuration changes introduced during the upgrade from FortiOS 7.2.x → 7.4.x. Units running FortiOS 7.2.x and earlier typically continue to work without issue.
This article explains the cause, resolution steps, and additional troubleshooting paths if the inspector still fails after correcting the FortiGate configuration.
Why This Happens 🤔
FortiOS 7.4.x introduces changes that affect API-based access for read-only REST API users. During an upgrade, FortiGate may automatically modify security-related administrator settings, causing the API user to lose access.
Common causes include:
| Root Cause | Description |
| --- | --- |
| “Permit usage of CLI commands” auto-changed | During the upgrade, this setting toggles from Enabled → Custom, blocking API endpoints Liongard requires. |
| Trusted Hosts auto-reset or misaligned | API admin trusted hosts become invalid or require re-toggling. |
| API Admin locked out (status 429) | Happens after repeated inspector attempts when the Agent’s IP is not properly allowlisted. |
| Incorrect allowlisting | If the Agent's IP is missing, mis-typed, or changed, FortiGate returns 401/403. |
| VDOMs configured | Liongard FortiGate Inspector does not support VDOMs, causing failures irrespective of version. |
Resolution Steps (Required After Upgrading to FortiOS 7.4.x) 🧑🏫
Follow these steps on the FortiGate UI:
1️⃣ Verify “Permit usage of CLI commands”
Log in to FortiGate
Go to System > Settings (or Administrator Settings depending on version)
Find: Permit usage of CLI commands
Ensure the value is set to:
✅ Enabled (and not "Custom")
This is the most common fix after upgrading.
2️⃣ Re-toggle Trusted Hosts
FortiGate sometimes silently resets trusted host behavior after an upgrade.
Go to System > Administrators
Open the REST API Admin used for Liongard
Under Trusted Hosts:
Disable Trusted Hosts
Save
Re-enable Trusted Hosts
Add back the correct trusted host IP(s)
Trusted Hosts must include the exact IP address of the Liongard Agent running the inspector.
3️⃣ Save the changes and re-run the inspection
If the API settings are correct and the API Admin profile has the proper read-only permissions, the inspector should begin running normally.
Additional Troubleshooting 👨💻
If the inspection still fails after completing the above steps, move through the following checks.
1️⃣ Confirm FortiGate API User Permissions
Your REST API Admin user should be assigned the Read-Only profile created during setup:
Log in → System > Admin Profiles
Confirm Read-Only profile has all permissions under the Read-Only column
Under System > Administrators, confirm the REST API Admin uses this profile
2️⃣ Validate Correct API Host Allowlisting
Trusted Hosts must include:
If using On-Premises Agent
→ Internal IP address of the server where the Agent is installed
If using Self-Hosted Agent
→ Datacenter IP address of the Self-Hosted Agent
If the IP is incorrect:
FortiGate returns 401 Unauthorized
Multiple unauthorized attempts lock out the API user → 429 Too Many Requests
If locked out, regenerate the key or unlock the user.
3️⃣ Regenerate the API Key
If:
The key was created before the upgrade
Trusted hosts were removed
Admin user became locked out
Then regenerating the key is recommended. Please refer to our documentation for the steps.
4️⃣ Run Inspector in Clear Cache + Debug Mode
Check inspector logs for:
403 → permissions/trusted host
401 → IP allowlisting issue
429 → FortiGate lockout
404 → unsupported endpoint or VDOM environment
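An added example, not Liongard's own tooling: a Python script that applies the status-code mapping above to inspector log lines in the error format quoted in the Overview, and checks whether the Agent's IP is covered by the Trusted Hosts entries. The log lines, host name, IP addresses and the CIDR form of the trusted-host entries are constructed assumptions.

```python
import ipaddress
import re

# Status-code meanings as listed in this article's debug-mode step.
CAUSES = {403: "permissions/trusted host", 401: "IP allowlisting issue",
          429: "FortiGate lockout", 404: "unsupported endpoint or VDOM environment"}
# Error format quoted in the Overview of this article.
LINE_RE = re.compile(r"Inspection failed at (\S+) with status code (\d{3})")

def parse_failures(log_lines):
    """Return (url, status) for every failed request, in log order."""
    hits = (LINE_RE.search(line) for line in log_lines)
    return [(m.group(1), int(m.group(2))) for m in hits if m]

def agent_is_trusted(agent_ip, trusted_hosts):
    """True if agent_ip falls inside any entry (CIDR form is an assumption)."""
    ip = ipaddress.ip_address(agent_ip)
    return any(ip in ipaddress.ip_network(h, strict=False) for h in trusted_hosts)

def triage(log_lines, agent_ip, trusted_hosts):
    """Return findings ordered by what to fix first."""
    findings = []
    codes = [status for _, status in parse_failures(log_lines)]
    if not agent_is_trusted(agent_ip, trusted_hosts):
        findings.append(f"Agent {agent_ip} is not covered by Trusted Hosts")
    if 429 in codes:
        # The article: repeated unauthorized attempts lock the API user out.
        prior = codes[:codes.index(429)].count(401)
        findings.append(f"429 lockout after {prior} x 401: regenerate the key or unlock the user")
    for code in sorted(set(codes) - {429}):
        findings.append(f"{code}: {CAUSES.get(code, 'not covered by this article')}")
    return findings

# Constructed sample data: hypothetical host, Agent IP and a mistyped trusted host.
URL = "https://fw.example.invalid:8443/api/v2/cmdb/system/interface"
SAMPLE_LOG = [f"Inspection failed at {URL} with status code {c}: "
              f"Request failed with status code {c}" for c in (401, 401, 401, 429)]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "10.20.30.40", ["10.20.30.4/32"]):
        print(finding)
```

Fixing the Trusted Hosts entry first matters because each further inspection from an unlisted IP counts toward the lockout.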
5️⃣ Confirm You Are Not Inspecting a VDOM-enabled Device
Liongard does NOT currently support VDOMs.
If VDOMs are enabled, the inspector will fail regardless of configuration.
6️⃣ Check Firmware Support
Liongard supports:
FortiOS 6.2 and later
Versions below 6.2 are “best effort” only
7.4.x is supported but requires the settings adjustments outlined above
Contact Support 🦁
If the above steps do not resolve the issue, contact Liongard Support and include:
Inspector name
FortiOS version
Inspector Logs
Screenshot of Admin Profile
Screenshot of Trusted Hosts
Confirmation of whether VDOMs are enabled
Our Support team is happy to help 😇
💬 Start a chat with Leo (Our AI Assistant) or connect with a live support engineer.
📧 Email: support@liongard.com