Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 7.4.5 Handbook
    7.4.5
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Understanding the API endpoints database in API View

    Understanding the API endpoints database in API View

    From the API View tab, you can view your database of discovered internal and external API endpoints. You can refresh the page to view newly discovered external API endpoints.


    Each API endpoint is parsed for the following key elements:

    API Information

    Description
    Host

    The name of the protected host that the Host: field of an HTTP request must be in to match the API Discovery policy.

    Example: 110.ztnatest02.com

    Note: Maximum supported length of Host is 255 characters.
    Base_URL

    The base_url consists of the prefix HTTP/HTTPS and the Host.

    Example: http://110.ztnatest02.com

    Note: Maximum supported length of Base_URL is 255 characters.
    Path

    The resource path of the API.

    Example: /api/test
    API Endpoint

    The API endpoint is organized and displayed as the Path with HTTP method.

    Example: GET: /api/test
    Parameter

    Parsed from the HTTP query request or entity body.

    Example: path, required, internal
    API View endpoint organization

    Each API endpoint entry is identified and stored by its HTTP method and path. However, each entry is maintained per method, so in cases where endpoints share the same path but use different HTTP methods, a separate entry will be maintained per HTTP method.

    API endpoints will be displayed in a simplified view when four or more requests that have a different integer as the last sub-path are discovered. In which case, the endpoints will be simplified and reorganized as a single endpoint template with the following specifications:

    • The Path of the endpoint will be similar to /v1/users/{users_id}.

    • An extra parameter will be generated, named “users_id” with a label “required”.

    Supported API types and HTTP methods for API Discovery

    • RESTful API — GET/POST/PUT with XML/JSON, or DELETE

    • SOAP API — POST with SOAP+XML

    • OAS file types — JSON or YAML

    Prerequisites for APIs to be discovered
    • The return code must be 200-299.
    • The HTTP headers and corresponding entity body must have the following in the request/response:

      HTTP Method

      Requirement

      GET“Accept: application/json”, “Accept: application/xml” or “Accept: */*” in the request, and corresponding “Content-Type:” header with entity body in the response.
      PUT/POST“Content-Type: application/json”, “Accept: application/xml” or “Accept: application/soap+xml” with corresponding entity body in the request.
      DELETENo requirement; all DELETE requests can be discovered.

    • For RESTful APIs: the last sub-path should not include the dot (.) character. SOAP API supports including the dot (.) in the last sub-path.

    • For OpenAPI 3.0: servers and paths are required in the OAS file.

    • For Swagger 2.0: host, paths & schemes are required in the OAS file.

    API endpoint parameters

    The API Discovery engine parses through raw API data to extract information that make up an API endpoint. Parameters can be parsed from the key elements of an API, which refers to HTTP/HTTPS, Host, Path, and Parameters. Further information can be parsed from the classification or labels of parameters, PII and schema.

    Parameters can be parsed from the following API information:

    Source

    Parsed parameters
    HTTP query request

    Parameters can be parsed from the HTTP query request.

    For example:

    /query?username=admin&password=test

    • username = admin

    • password = test
    Elements or keys in the entity body

    For JSON API type, API Discovery parses up to 1 layer.

    For XML/SOAP API type, API Discovery parses up to 2 or 3 layers:

    • If sub-elements have the same name, the schema of the elements will be recognized as an "array", and 3 layers of the nested parameters will be parsed.
    • Otherwise, the parameters will be treated as an object, and only 2 layers of the nested parameters will be parsed.

    Classification or labels of parameters

    • Position — requestBody, responseBody, query, path (for external API endpoints)

    • Position (“in”) — query, path, header or cookie (for internal API endpoints)

    • Required — the reorganized parameter {api_id} will be labeled as “required” (for external API endpoints); labeled if "required“ is true in files (for internal API endpoints)

    • Source — external for API endpoints parsed from Automatic discovery, and internal for imported OAS files

    • Description — added automatically for the template parameter (for external API endpoints); defined in the file (for internal API endpoints)
      Note: Maximum supported description length is 2048 characters.

    PII (Personal Identifiable Information)

    • Scan name — Username, Password, Token
    • Scan value — Credit Card Number, Email, URL, IP Address, GUID
    • Scan name & value — CVV

    Schema of parameters

    String, number, integer, Boolean, object, array
    Previous
    Next

    Understanding the API endpoints database in API View

    Understanding the API endpoints database in API View

    From the API View tab, you can view your database of discovered internal and external API endpoints. You can refresh the page to view newly discovered external API endpoints.


    Each API endpoint is parsed for the following key elements:

    API Information

    Description
    Host

    The name of the protected host that the Host: field of an HTTP request must be in to match the API Discovery policy.

    Example: 110.ztnatest02.com

    Note: Maximum supported length of Host is 255 characters.
    Base_URL

    The base_url consists of the prefix HTTP/HTTPS and the Host.

    Example: http://110.ztnatest02.com

    Note: Maximum supported length of Base_URL is 255 characters.
    Path

    The resource path of the API.

    Example: /api/test
    API Endpoint

    The API endpoint is organized and displayed as the Path with HTTP method.

    Example: GET: /api/test
    Parameter

    Parsed from the HTTP query request or entity body.

    Example: path, required, internal
    API View endpoint organization

    Each API endpoint entry is identified and stored by its HTTP method and path. However, each entry is maintained per method, so in cases where endpoints share the same path but use different HTTP methods, a separate entry will be maintained per HTTP method.

    API endpoints will be displayed in a simplified view when four or more requests that have a different integer as the last sub-path are discovered. In which case, the endpoints will be simplified and reorganized as a single endpoint template with the following specifications:

    • The Path of the endpoint will be similar to /v1/users/{users_id}.

    • An extra parameter will be generated, named “users_id” with a label “required”.

    Supported API types and HTTP methods for API Discovery

    • RESTful API — GET/POST/PUT with XML/JSON, or DELETE

    • SOAP API — POST with SOAP+XML

    • OAS file types — JSON or YAML

    Prerequisites for APIs to be discovered
    • The return code must be 200-299.
    • The HTTP headers and corresponding entity body must have the following in the request/response:

      HTTP Method

      Requirement

      GET“Accept: application/json”, “Accept: application/xml” or “Accept: */*” in the request, and corresponding “Content-Type:” header with entity body in the response.
      PUT/POST“Content-Type: application/json”, “Accept: application/xml” or “Accept: application/soap+xml” with corresponding entity body in the request.
      DELETENo requirement; all DELETE requests can be discovered.

    • For RESTful APIs: the last sub-path should not include the dot (.) character. SOAP API supports including the dot (.) in the last sub-path.

    • For OpenAPI 3.0: servers and paths are required in the OAS file.

    • For Swagger 2.0: host, paths & schemes are required in the OAS file.

    API endpoint parameters

    The API Discovery engine parses through raw API data to extract information that make up an API endpoint. Parameters can be parsed from the key elements of an API, which refers to HTTP/HTTPS, Host, Path, and Parameters. Further information can be parsed from the classification or labels of parameters, PII and schema.

    Parameters can be parsed from the following API information:

    Source

    Parsed parameters
    HTTP query request

    Parameters can be parsed from the HTTP query request.

    For example:

    /query?username=admin&password=test

    • username = admin

    • password = test
    Elements or keys in the entity body

    For JSON API type, API Discovery parses up to 1 layer.

    For XML/SOAP API type, API Discovery parses up to 2 or 3 layers:

    • If sub-elements have the same name, the schema of the elements will be recognized as an "array", and 3 layers of the nested parameters will be parsed.
    • Otherwise, the parameters will be treated as an object, and only 2 layers of the nested parameters will be parsed.

    Classification or labels of parameters

    • Position — requestBody, responseBody, query, path (for external API endpoints)

    • Position (“in”) — query, path, header or cookie (for internal API endpoints)

    • Required — the reorganized parameter {api_id} will be labeled as “required” (for external API endpoints); labeled if "required“ is true in files (for internal API endpoints)

    • Source — external for API endpoints parsed from Automatic discovery, and internal for imported OAS files

    • Description — added automatically for the template parameter (for external API endpoints); defined in the file (for internal API endpoints)
      Note: Maximum supported description length is 2048 characters.

    PII (Personal Identifiable Information)

    • Scan name — Username, Password, Token
    • Scan value — Credit Card Number, Email, URL, IP Address, GUID
    • Scan name & value — CVV

    Schema of parameters

    String, number, integer, Boolean, object, array
    Previous
    Next