202002 - Fortinet Authorization Failed
Agent error code #202002 indicates that the agent authenticated successfully with the Fortinet device (FortiGate or FortiManager), but the API user lacks the permissions required to perform the requested operation. The device rejected the request with a "forbidden" or "no permission" response.
This error is distinct from authentication failures (#202001), which occur when the API token is not accepted at all. Error #202002 means the token is valid but the API user's admin profile is insufficient for the operation being attempted.
Common causes include:
- The FortiManager API user is not assigned the Super_User admin profile (required for Active mode trusted host management)
- The FortiManager API user's custom admin profile is missing the DeviceManager — Manage Device Configurations permission (required for Passive+ mode)
- The FortiGate REST API Admin's admin profile does not include the required permissions for the configured mode
- The API user does not have access to the configured ADOM (FortiManager)
Steps to Resolve
Verify the Admin Profile (FortiManager)
- Log into FortiManager and navigate to System Settings > Administrators
- Locate the API user configured in Knocknoc
- Check the assigned admin profile:
  - Active mode (trusted hosts): The API user must have the Super_User admin profile. No custom profile is sufficient — updating administrator trusted hosts via the JSON-RPC API requires Super_User privileges.
  - Passive+ mode: The API user requires a profile with DeviceManager — Manage Device Configurations set to Read-Write. The Super_User profile also works.
- If the profile is incorrect, assign the correct one and save
Verify the Admin Profile (FortiGate)
- Log into the FortiGate and navigate to System > Administrators
- Locate the REST API Admin configured in Knocknoc
- Check the assigned admin profile:
  - Active mode: The profile must have Firewall set to Read/Write
  - Passive+ mode: The profile must have read/write access to System > Configuration (for external resource monitor operations)
- If the profile is missing required permissions, update it and save
Verify ADOM Access (FortiManager)
- If using Administrative Domains (ADOMs), ensure the API user has access to the ADOM configured in Knocknoc
- Check the API user's ADOM assignment in System Settings > Administrators
Still Having Issues?
We can help you out. Contact us at support@knocknoc.io.