Handbook
Configuring OpenAPI Detection

The OpenAPI Specification (OAS) defines a standard, language-agnostic interface to RESTful APIs, which allows both humans and computers to discover and understand the capabilities of a service without access to its source code or documentation, and without inspecting network traffic. When the specification is properly defined, a consumer can understand and interact with the remote service with a minimal amount of implementation logic.

FortiADC can parse the OpenAPI description file and provide additional protection for APIs by enforcing that requests conform to the paths, methods, and parameters defined in the OpenAPI file.

Note: FortiADC supports OpenAPI 3.0.

To configure OpenAPI Detection:
  1. Go to Web Application Firewall > OpenAPI Validation.
  2. Click the OpenAPI Detection tab.
  3. Click Create New to display the configuration editor and set up the configuration.
  4. Save the configuration.

OpenAPI Detection Configuration

Settings Guidelines

Name

Configure the name. Valid characters are A-Z, a-z, 0-9, _, and -. Whitespace is not allowed.

Note: Once saved, the name cannot be changed.

OpenAPI Schema Check

Before enabling OpenAPI Schema Check, you must upload the OpenAPI schema file that is used to check whether OpenAPI content is permitted. Enable this option to validate OpenAPI content against the selected schema. See Importing OpenAPI schema.

OpenAPI Schema

Select the OpenAPI schema file that you want to use to check whether OpenAPI content is valid.

Action

Select the action profile that you want to apply. See Configuring WAF Action objects.

The default is Alert.

Severity

When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select the severity level FortiADC uses for Input Validation:

  • Low
  • Medium
  • High

The default is Low.

Exception

Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.
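The following is an added illustration of the kind of check the OpenAPI Schema Check setting performs; it is not FortiADC code and makes no claim about FortiADC's internal matching rules. A request is only considered valid when its path and method match an operation in a (constructed, minimal) OpenAPI 3.0 document and every parameter is declared and of the declared type; everything else would be logged with the configured Action and Severity.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed minimal OpenAPI 3.0 document used as sample input (hypothetical API).
OPENAPI_DOC = {
    "openapi": "3.0.0",
    "paths": {
        "/users/{id}": {"get": {"parameters": [
            {"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}},
            {"name": "verbose", "in": "query", "required": False, "schema": {"type": "boolean"}},
        ]}},
        "/users": {"post": {"parameters": []}},
    },
}

# Regular expressions that a parameter value must fully match for each schema type.
TYPE_PATTERNS = {"integer": r"-?\d+", "boolean": r"true|false", "string": r".*"}


def _path_regex(template):
    # Turn "/users/{id}" into a regex that captures each path parameter.
    return re.compile("^" + re.sub(r"\{[^/]+\}", r"([^/]+)", template) + "$")


def validate_request(doc, method, url):
    """Return (allowed, reason) for a request against the OpenAPI document."""
    parts = urlsplit(url)
    for template, ops in doc["paths"].items():
        match = _path_regex(template).match(parts.path)
        if not match:
            continue
        op = ops.get(method.lower())
        if op is None:
            return False, "method not defined for path"
        names = re.findall(r"\{([^/]+)\}", template)
        received = dict(zip(names, match.groups()))
        received.update({k: v[0] for k, v in parse_qs(parts.query).items()})
        declared = {p["name"]: p for p in op.get("parameters", [])}
        for name, value in received.items():
            param = declared.get(name)
            if param is None:
                return False, f"undeclared parameter {name}"  # not in the schema
            pattern = TYPE_PATTERNS.get(param["schema"].get("type", "string"), r".*")
            if not re.fullmatch(pattern, value):
                return False, f"parameter {name} is not of type {param['schema']['type']}"
        for name, param in declared.items():
            if param.get("required") and name not in received:
                return False, f"missing required parameter {name}"
        return True, "ok"
    return False, "path not defined"
```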