Configuring API Discovery

API Discovery policies allow FortiADC to automatically discover external API endpoints from HTTP/HTTPS requests and responses that have passed the API validity checks. Each API is parsed for information including the Host, paths, and parameters and their schemas, taken from query strings or entity bodies, and parameters that match PII (Personally Identifiable Information) signatures are classified as such. API Discovery also supports manually imported OAS files compliant with the OpenAPI 3.0 and Swagger 2.0 standards; these are parsed and discovered as internal API endpoints, which can also be matched against incoming API requests and responses. The discovered external and internal API endpoints can then be applied directly in API security rules based on the Host, Path, and request rate. Once API requests and responses that pass the API validity check match a rule, the specified security action is triggered to protect against the malicious APIs.

API Discovery is based on VDOMs, where API endpoints are discovered and stored per VDOM. The total API endpoints database size for each VDOM is 1 G.

Basic API Discovery workflow

API Discovery policies depend entirely on internal or external API endpoints to function. For external API endpoints to be discovered, the API Discovery policy must be referenced in a WAF Profile used in an active virtual server. Follow the basic workflow below to deploy API Discovery.

Basic steps:
  1. Create and enable an API Discovery policy to enable automatic discovery for external API endpoints. For details, see Configuring automatic discovery for external API endpoints.
  2. Reference the API Discovery policy in a WAF Profile. Once the WAF Profile is used in a virtual server, external API endpoints will be discovered from HTTP/HTTPS requests and responses. For details, see Configuring a WAF Profile.
  3. Optionally, import an OAS file to parse and discover as internal API endpoints. For details, see Manually import internal API endpoints.
  4. Optionally, check and refresh the API View page for automatically discovered API endpoints.
  5. Optionally, check the API Threats page under FortiView > Data Analytics to view all discovered API endpoints that have triggered attacks.

Configuring automatic discovery for external API endpoints

External API endpoint discovery is automatically activated when the virtual server referencing the API Discovery policy receives API requests/responses. The API Discovery policy will automatically begin validating APIs and parsing endpoints to build your API endpoints database, which can then be viewed in the API View page. From the API Discovery policy, you can add API Security rules to trigger alerts and actions against APIs identified as malicious through API Discovery.

The maximum number of API Discovery policies is 256.

To configure an API Discovery policy:
  1. Go to Web Application Firewall > API Discovery.
    The configuration page displays the API Discovery tab.
  2. Click Create New to display the configuration editor.
  3. Configure the following settings:

    Setting

    Description

    Name

    Enter a unique API Discovery name. Valid characters should match regular expression /^[A-Za-z0-9.:_-]*$/. No space is allowed.

    Note: Once saved, the name of an Allowed Origin cannot be changed.

    API Discovery

    Enable or disable the API Discovery configuration.

  4. Click Save.
    Once the API Discovery configuration is saved, the API Security Rule section can be configured.
  5. Under the API Security Rule section, click Create New to display the configuration editor.
    The maximum number of API security rules under one API Discovery policy is 256.
  6. Configure the following API Security Rule settings:

    Setting

    Description

    Host

    Specify the HTTP Host header. This is required. Maximum length is 255 characters.

    Example: 192.168.0.253, [2001:1234::a41:6e]:8443, or demo.fortinet.com.

    Once the API Discovery policy is activated, the policy matches only if the Host header matches this value. Complete, exact matching is required. For example, www.example.com matches www.example.com but not www.example.com.hk.

    Path

    Specify the API resource path. Text strings and simple regular expressions are supported.

    Example: /login. The path must begin with '/'.

    API Request Rate

    Specify the allowable requests per second. Default: 0. Range: 0 - 100000000.

    Note: 0 means there is no limit.

    Action

    Specify a WAF action object to apply when a bot is detected. See Configuring WAF Action objects.

    The default action is alert.

    Severity

    Select the event severity to log when a bot is detected:

    • High — Log as high severity events.
    • Medium — Log as medium severity events.
    • Low — Log as low severity events.

    The default is Low.

  7. Click Save.
    Once the API Security Rule configuration is saved, the dialog closes.
  8. Click Save to update the API Discovery configuration with the API Security Rule changes.

After you have completed the API Discovery policy configuration, reference it in a WAF Profile that will be used in a virtual server.

If a previously enabled API Discovery policy is disabled, new API endpoints will not be discovered. However, the API security rules associated with that API Discovery policy will continue to work.
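The following is an added example, not FortiADC code, that models how the API Security Rule settings above combine: exact, complete Host matching, a Path given as a text string or simple regex, and an API Request Rate where 0 means no limit, with the default action alert and the default severity Low. It assumes the action fires when a matched endpoint exceeds its per-second rate; the rule names, the sliding-window counter and the sample rules are all constructed for illustration.

```python
import re
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ApiSecurityRule:
    host: str             # exact, complete Host header match (hypothetical model of the Host setting)
    path: str             # text string or simple regex; must begin with '/'
    rate: int = 0         # allowable requests per second; 0 = no limit
    action: str = "alert"
    severity: str = "low"
    _hits: deque = field(default_factory=deque, repr=False)

    def __post_init__(self):
        if not self.path.startswith("/"):
            raise ValueError("Path must begin with '/'")
        self._path_re = re.compile(self.path)

    def matches(self, host_header, request_path):
        # Host must match completely: www.example.com does not match www.example.com.hk.
        # The query string is not part of the resource path, so it is stripped first.
        if host_header != self.host:
            return False
        return self._path_re.fullmatch(request_path.split("?", 1)[0]) is not None

    def over_rate(self, now):
        """Sliding one-second window; never exceeded when rate is 0 (no limit)."""
        if self.rate == 0:
            return False
        while self._hits and now - self._hits[0] >= 1.0:
            self._hits.popleft()
        self._hits.append(now)
        return len(self._hits) > self.rate


def evaluate(rules, host_header, request_path, now):
    """Return (action, severity) for the first matching rule whose rate is exceeded, else ("pass", None)."""
    for rule in rules:
        if rule.matches(host_header, request_path):
            if rule.over_rate(now):
                return rule.action, rule.severity
            return "pass", None
    return "pass", None


# Constructed rules mirroring the settings table: exact host, a literal path and a simple regex path.
RULES = [
    ApiSecurityRule(host="www.example.com", path="/login", rate=2, severity="high"),
    ApiSecurityRule(host="demo.fortinet.com", path="/users/[0-9]+"),  # rate 0: matched but never limited
]
```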

Manually import internal API endpoints

API Discovery supports manually imported OAS files compliant with OpenAPI 3.0 and Swagger 2.0 standard to parse and discover as internal API endpoints that can also be matched by incoming API requests or responses.

JSON and YAML file types are supported.

To import an OAS file:
  1. Go to Web Application Firewall > API Discovery.
  2. Click the API View tab.
  3. Click Choose File to display the file upload dialog.
  4. Locate and select the OAS file to import.
    After the OAS file is successfully imported, the file contents are parsed into internal API endpoints that can be viewed on the API View page.
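As an added example that is not FortiADC's parser, the following flattens an OAS document into the kind of internal endpoint records described on this page (Host, method, path, and each parameter's location and schema type), covering both OpenAPI 3.0 and Swagger 2.0 layouts, and tags parameter names that match PII signatures. The PII signature set, the sample document and the record layout are constructed for illustration; the sample is JSON so the block needs only the standard library (a YAML file would require an extra parser).

```python
import json
import re
from urllib.parse import urlparse

# Constructed PII name signatures (illustrative, not FortiADC's own signature set).
PII_SIGNATURES = {"email": re.compile(r"e[-_]?mail", re.I),
                  "ssn": re.compile(r"\bssn\b|social[-_]?security", re.I),
                  "phone": re.compile(r"phone|mobile", re.I)}


def classify_pii(name):
    return [k for k, rx in PII_SIGNATURES.items() if rx.search(name)]


def _query_path_params(params, is_v3):
    # OAS 3.0 keeps the type under "schema"; Swagger 2.0 puts it directly on the parameter.
    return [{"name": p["name"], "in": p["in"], "pii": classify_pii(p["name"]),
             "type": (p.get("schema") or {}).get("type") if is_v3 else p.get("type")}
            for p in params if p.get("in") != "body"]


def _body_params(op, is_v3):
    # Entity-body schema: OAS 3.0 requestBody vs. Swagger 2.0 "in: body" parameter.
    if is_v3:
        content = (op.get("requestBody") or {}).get("content") or {}
        schema = (content.get("application/json") or {}).get("schema")
    else:
        schema = next((p.get("schema") for p in op.get("parameters", []) if p.get("in") == "body"), None)
    props = (schema or {}).get("properties") or {}
    return [{"name": n, "in": "body", "pii": classify_pii(n), "type": s.get("type")} for n, s in props.items()]


def parse_oas(doc):
    is_v3 = "openapi" in doc
    if is_v3:
        url = urlparse(doc["servers"][0]["url"])
        host, base = url.netloc, url.path.rstrip("/")
    else:
        host, base = doc.get("host", ""), doc.get("basePath", "").rstrip("/")
    endpoints = []
    for path, item in doc.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level parameters apply to every operation
        for method, op in item.items():
            if method in ("get", "post", "put", "patch", "delete", "head", "options"):
                params = _query_path_params(shared + op.get("parameters", []), is_v3) + _body_params(op, is_v3)
                endpoints.append({"host": host, "method": method.upper(), "path": base + path, "params": params})
    return endpoints


# Constructed OpenAPI 3.0 document standing in for an uploaded OAS file.
SAMPLE_OAS3 = json.loads("""{"openapi": "3.0.0", "servers": [{"url": "https://demo.fortinet.com/api/v1"}],
 "paths": {"/users/{id}": {
   "parameters": [{"name": "id", "in": "path", "schema": {"type": "integer"}}],
   "get": {"parameters": [{"name": "email", "in": "query", "schema": {"type": "string"}}]},
   "put": {"requestBody": {"content": {"application/json": {"schema": {"type": "object",
           "properties": {"phone": {"type": "string"}, "nickname": {"type": "string"}}}}}}}}}}""")
```

Calling parse_oas(SAMPLE_OAS3) yields one record per operation, so the same path appears once for GET and once for PUT, each with its own parameter list.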
