Fortinet firewall and FortiGate VDOM REST-based discovery

  • Release version: Zurich
  • Updated March 12, 2026
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Fortinet firewall and FortiGate VDOM REST-based discovery

    The Discovery and Service Mapping Patterns application in ServiceNow uses the Next Generation Fortinet Network Firewall - REST pattern to discover Fortinet firewalls via REST API calls. An extension called VDOM Discovery enables discovery of FortiGate Virtual Domains (VDOMs), supporting multi-VDOM mode only. This REST-based discovery method is required to find FortiGate VDOMs, as the SNMP-based method does not support VDOM discovery.

    Show full answer Show less

    To enable these capabilities, customers may need to update the Discovery and Service Mapping Patterns application from the ServiceNow Store.

    Key Features

    • REST-based API discovery: Uses Fortinet's REST APIs to discover firewall devices, clusters, interfaces, policies, and VDOMs.
    • Multi-VDOM support: Discovers FortiGate VDOMs only when multi-VDOM mode is enabled on the firewall.
    • CMDB integration: Introduces new CI classes extending core CMDB classes for detailed representation of Fortinet firewalls, firewall clusters, interfaces, policies, VDOMs, and associated network topology.
    • API token authentication: Requires creation and configuration of an API token with proper permissions to access specific Fortinet API endpoints.
    • Serverless discovery scheduling: Supports creating serverless schedules to automate REST-based discovery.
    • Disabling SNMP discovery: Recommends disabling the SNMP-based Fortinet firewall discovery to avoid conflicts and ensure VDOM discovery via REST.

    Prerequisites and Setup

    • Ensure Discovery and Service Mapping Patterns application is up to date.
    • Create and configure a Fortinet API token with permissions to access required Fortinet APIs (including system status, HA, routing, firewall policies, interfaces, and VDOM properties).
    • Verify MID Server connectivity to Fortinet devices and API access rights.
    • Disable SNMP-based Fortinet firewall discovery when using REST-based discovery for VDOMs.
    • Create an alias for the API key credentials and configure serverless discovery schedules in ServiceNow.

    Data Model and CMDB Integration

    The REST-based discovery populates detailed Fortinet firewall and VDOM information into ServiceNow CMDB through new CI classes, including:

    • Fortinet Firewall Device and Cluster: Hostname, serial number, IP address, model, firmware, OS, and operational status.
    • Fortinet Virtual Domain (VDOM): VDOM index, name, description, and associated IP address.
    • Firewall Interfaces: Interface ID, name, IP and MAC addresses, access type, and description.
    • Firewall Policies: Policy IDs, names, source/destination interfaces and addresses, and managed internet services.
    • Network Adapters and IP Addresses: IP details and relationships linking network components to firewall devices.

    CI Relationships and References

    The discovery establishes relationships among discovered CIs to reflect the network structure and ownership, such as:

    • Firewall clusters host firewall devices.
    • Firewall devices own network adapters and IP addresses.
    • Network adapters own IP addresses.
    • VDOMs contain firewall interfaces and policies, and are hosted on firewall devices.
    • Firewall interfaces are members of network topologies.

    Benefits for ServiceNow Customers

    Implementing Fortinet firewall and FortiGate VDOM REST-based discovery empowers customers to maintain an accurate and comprehensive CMDB with detailed firewall and VDOM configurations. This improves visibility into network security infrastructure, supports compliance and operational readiness, and facilitates automated service mapping and impact analysis. By leveraging REST APIs and the latest discovery patterns, customers gain enhanced discovery capabilities beyond SNMP limitations, especially for multi-VDOM FortiGate environments.

    The Discovery and Service Mapping Patterns application uses the Next Generation Fortinet Network Firewall - REST pattern to find Fortinet firewalls through REST API calls. Additionally, the pattern extension VDOM Discovery finds FortiGate Virtual Domains (VDOMs). Discovering some of these resources may require updating to the latest version of the Discovery and Service Mapping Patterns application from the ServiceNow Store.

    The Next Generation Fortinet Network Firewall - REST pattern uses a set of REST API calls to find the Fortinet firewalls. For FortiGate VDOM discovery, only multi-VDOM mode is supported.

    Note:
    Only the REST-based Fortinet firewall discovery method finds FortiGate VDOMs. The SNMP-based Fortinet firewall discovery method doesn't discover them. For information about the default SNMP-based Fortinet firewall discovery, see Next-Generation Fortinet Network Firewall SNMP-based discovery.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    To learn about Fortinet Firewalls and their versions that you can discover, refer to Detailed information on products discovered by ITOM Visibility.

    Fortinet firewall and FortiGate VDOM data model

    The Next Generation Fortinet Network Firewall - REST pattern and VDOM Discovery extension introduce the following CI classes that extend existing CMDB classes.

    Table 1. CI classes introduced by these patterns
    CI class Extends from
    Fortinet Firewall Cluster [cmdb_ci_firewall_cluster_fortinet] Firewall Cluster [cmdb_ci_firewall_cluster]
    Fortinet Firewall Device [cmdb_ci_firewall_device_fortinet] Firewall Device [cmdb_ci_firewall_device]
    Fortinet Firewall Interface [cmdb_ci_fortinet_firewall_interface] Network Interface [cmdb_ci_ni_interface]
    Fortinet Firewall Policy [cmdb_ci_fortinet_firewall_policy] Firewall Security Policy [cmdb_ci_firewall_sec_policy]
    Fortinet Virtual Domain [cmdb_ci_fortinet_vdom] IP Firewall [cmdb_ci_ip_firewall]

    Prerequisites

    Verify that the applications are up to date
    • Discovery and Service Mapping Patterns
    • CMDB CI Class Models
    Create API Token
    Create an API Token in Fortinet. For instructions on creating an API Token, go to the Fortinet Document Library and search for the "Connect FortiGate device via API Token - Online Help" article under the FortiConverter Tool product family.
    Verify API access and permissions
    • Verify that the MID Server can access the Fortinet APIs.
    • Verify that the API Token has sufficient permissions to retrieve the required information from the Fortinet devices.
    Required Fortinet APIs:
    • v2/cmdb/system/global
    • api/v2/monitor/system/status
    • api/v2/cmdb/system/ha
    • api/v2/cmdb/router/static
    • /api/v2/cmdb/firewall/policy
    • api/v2/cmdb/system/vdom-property
    • api/v2/cmdb/system/interface
    • /api/v2/monitor/system/interface/select
    Disable SNMP-based Fortinet firewall discovery
    For more information, see Disable SNMP-based Fortinet firewall discovery.
    Create an alias for the API Key Credentials
    For more information, see Create an alias for the API key credential for Fortinet firewall REST-based discovery.
    Create a serverless discovery schedule
    For more information, see Create a serverless schedule for Fortinet firewall REST-based discovery.

    Data collected by Discovery during horizontal discovery

    Discovery populates the data in the CMDB when running the Next Generation Fortinet Network Firewall - REST pattern.

    Table 2. Fortinet Firewall Device [cmdb_ci_firewall_device_fortinet]
    Field Description
    Name [name] Hostname field of the Fortinet device.
    Serial number [serial_number] Serial number of the Fortinet device.
    Fully qualified domain name [fqdn] Fully qualified domain name of the Fortinet device.
    Operational status [operational_status] Indicates whether the Fortinet device is in active state.
    IP Address [ip_address] IP address of the Fortinet device.
    Manufacturer [manufacturer] Fortinet device manufacturer.
    Description [short_description] Short description of the Fortinet device.
    Model Number [model_number] Fortinet device model number.
    Firmware version [firmware_version] Fortinet device firmware version.
    Hardware OS [hardware_os] OS running on the hardware.
    Hardware OS Version [hardware_os_version] OS version running on the hardware.
    Table 3. Fortinet Firewall Cluster [cmdb_ci_firewall_cluster_fortinet]
    Field Description
    Name [name] Hostname field of the Fortinet firewall cluster.
    Fully qualified domain name [fqdn] Fully qualified domain name of the firewall cluster.
    IP address [ip_address] IP address of the firewall cluster.
    Manufacturer [manufacturer] Device manufacturer.
    Description [short_description] Short description of the firewall cluster.
    Model Number [model_number] Device model number.
    Hardware OS [hardware_os] OS running on the hardware.
    Hardware OS Version [hardware_os_version] OS version running on the hardware.
    Table 4. Network Adapter [cmdb_ci_network_adapter]
    Field Description
    IP Address [ip_address] IP address of the network adapter.
    Netmask [netmask] Netmask of the network adapter.
    Alias [alias] User-assigned name for the network adapter.
    MAC Address [mac_address] MAC address of the network adapter.
    Name [name] Name of the network adapter.
    Configuration Item [cmdb_ci] References the Fortinet Firewall Device [cmdb_ci_firewall_device_fortinet] table.
    Table 5. IP Address [cmdb_ci_ip_address]
    Field Description
    IP Address [ip_address] IP address of the Fortinet firewall.
    Netmask [netmask] Netmask of the Fortinet firewall.
    Nic [nic] References the Network Adapter [cmdb_ci_network_adapter] table.

    Discovery populates the data in the CMDB when running the Next Generation Fortinet Network Firewall - REST pattern extension VDOM Discovery.

    Table 6. Fortinet Virtual Domain [cmdb_ci_fortinet_vdom]
    Field Description
    Vdom Index [vdom_index] Index of the VDOM in the list.
    Name [name] Name of the VDOM.
    Description [short_description] Description of the VDOM property that provides additional context or information about the purpose of the property.
    IP Address [ip_address] IP address of the Fortinet device associated with this VDOM.
    Table 7. Fortinet Firewall Interface [cmdb_ci_fortinet_firewall_interface]
    Field Description
    ID [id] Unique identifier for the interface. For example: port1.
    Name [name] Name of the interface. For example: LAN.
    IP Address [ip_address] IP address assigned to the interface.
    Description [short_description] Description of the interface, often used for documentation or identification purposes. For example: Main LAN interface.
    MAC Address [mac_address] MAC address of the interface.
    Access Type [access_type] Type of interface. For example: physical, VLAN, or aggregate.
    Table 8. Network Topology [cmdb_ci_network_topology]
    Field Description
    Name [name]

    Virtual LAN (VLAN) ID associated with the interface, if applicable.

    The format is: VLAN-{Vlan ID}. For example: VLAN-310.
    Table 9. Fortinet Firewall Policy [cmdb_ci_fortinet_firewall_policy]
    Field Description
    Policy ID [policy_id] Unique ID assigned to the policy in VDOM or device level.
    UUID [uuid] Global unique identifier (GUID) for the firewall policy.
    Name [name] Name of the policy.
    Source interface [source_interface] Network interface from which the traffic originates.
    Destination interface [destination_interface] Network interface to which the traffic is directed.
    Source address [source_address] Source address or address group from which traffic originates.
    Destination address [destination_address] Destination address or address group to which traffic is directed.
    Internet Service [internet_service] Service or application being managed by the policy, often represented by a service group or name.

    CI relationships

    The Next Generation Fortinet Network Firewall - REST pattern creates the following relationships and references to support Fortinet firewall discovery. References link to records in other tables and don't appear in the CI Relationship [cmdb_rel_ci] table.

    Table 10. CI relationships
    CI Relationship CI
    Fortinet Firewall Cluster [cmdb_ci_firewall_cluster_fortinet] Hosted on::Hosts Fortinet Firewall Device [cmdb_ci_firewall_device_fortinet]
    Fortinet Firewall Device [cmdb_ci_firewall_device_fortinet] Owns::Owned by IP Address [cmdb_ci_ip_address]
    Fortinet Firewall Device [cmdb_ci_firewall_device_fortinet] Owns::Owned by Network Adapter [cmdb_ci_network_adapter]
    Fortinet Firewall Device [cmdb_ci_firewall_device_fortinet] Uses::Used by Router Interface [dscy_router_interface]
    Network Adapter [cmdb_ci_network_adapter] Owns::Owned by IP Address [cmdb_ci_ip_address]
    Table 11. CI references
    CI Field Referenced CI
    Serial Number [cmdb_serial_number] Configuration item [configuration_item] Fortinet Firewall Device [cmdb_ci_firewall_device_fortinet]
    Network Adapter [cmdb_ci_network_adapter] Configuration Item [cmdb_ci] Fortinet Firewall Device [cmdb_ci_firewall_device_fortinet]
    Router Interface [dscy_router_interface] Configuration Item [cmdb_ci] Fortinet Firewall Device [cmdb_ci_firewall_device_fortinet]
    IP Address [cmdb_ci_ip_address] Nic [nic] Network Adapter [cmdb_ci_network_adapter]

    The VDOM Discovery extension creates the following relationships to support FortiGate VDOM discovery.

    Table 12. CI relationships
    CI Relationship CI
    Fortinet Virtual Domain [cmdb_ci_fortinet_vdom] Contains::Contained by Fortinet Firewall Interface [cmdb_ci_fortinet_firewall_interface]
    Fortinet Virtual Domain [cmdb_ci_fortinet_vdom] Contains::Contained by Fortinet Firewall Policy [cmdb_ci_fortinet_firewall_policy]
    Fortinet Virtual Domain [cmdb_ci_fortinet_vdom] Hosted on::Hosts Fortinet Firewall Device [cmdb_ci_firewall_device_fortinet]
    Fortinet Firewall Interface [cmdb_ci_fortinet_firewall_interface] Members::Member of Network Topology [cmdb_ci_network_topology]