Understanding the API endpoints database in API View

From the API View tab, you can view your database of discovered internal and external API endpoints. You can refresh the page to view newly discovered external API endpoints.


Each API endpoint is parsed for the following key elements, each listed as its API Information name followed by its Description:

Host

The name of the protected host that the Host: field of an HTTP request must match for the request to match the API Discovery policy.

Example: 110.ztnatest02.com

Note: Maximum supported length of Host is 255 characters.

Base_URL

The Base_URL consists of the scheme prefix (HTTP or HTTPS) and the Host.

Example: http://110.ztnatest02.com

Note: Maximum supported length of Base_URL is 255 characters.

Path

The resource path of the API.

Example: /api/test

API Endpoint

The API endpoint is organized and displayed as the Path with HTTP method.

Example: GET: /api/test

Parameter

Parsed from the HTTP query request or entity body.

Example: path, required, internal

API View endpoint organization

Each API endpoint entry is identified and stored by its HTTP method and path. Because entries are maintained per method, endpoints that share the same path but use different HTTP methods are stored as a separate entry per HTTP method.

API endpoints are displayed in a simplified view when four or more requests are discovered whose last sub-path is a different integer. In that case, the endpoints are simplified and reorganized into a single endpoint template with the following specifications:

  • The Path of the endpoint will be similar to /v1/users/{users_id}.

  • An extra parameter will be generated, named “users_id” with a label “required”.
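The grouping rule above, worked through as an added example that is not Fortinet's code: discovered (method, path) pairs are kept per HTTP method, and once four or more distinct integer last sub-paths are seen under the same parent path for one method they collapse into a single template entry with a generated "required" path parameter. Naming the placeholder after the parent segment (users to users_id) and counting distinct paths per method are assumptions of this example.

```python
from collections import defaultdict

# "four or more requests that have a different integer as the last sub-path"
TEMPLATE_THRESHOLD = 4


def split_path(path):
    """'/v1/users/42' -> ('/v1/users', '42')."""
    parent, _, last = path.rstrip("/").rpartition("/")
    return parent, last


def template_name(parent):
    # Assumption: placeholder named after the parent segment, as in /v1/users/{users_id}
    segment = parent.rsplit("/", 1)[-1] or "resource"
    return f"{segment}_id"


def organize_endpoints(observed):
    """observed: iterable of (method, path) requests.

    Returns {"METHOD: path": [parameter dicts]} with one entry per method+path,
    collapsing integer-suffixed paths into a template once the threshold is met.
    """
    distinct = {(method.upper(), path) for method, path in observed}

    # (method, parent path) -> set of distinct integer last sub-paths
    integer_ids = defaultdict(set)
    for method, path in distinct:
        parent, last = split_path(path)
        if last.isdigit():
            integer_ids[(method, parent)].add(last)

    entries, collapsed = {}, set()
    for (method, parent), ids in integer_ids.items():
        if len(ids) >= TEMPLATE_THRESHOLD:
            name = template_name(parent)
            # The extra generated parameter carries the "required" label.
            entries[f"{method}: {parent}/{{{name}}}"] = [
                {"name": name, "in": "path", "required": True}
            ]
            collapsed.add((method, parent))

    for method, path in distinct:
        parent, last = split_path(path)
        if last.isdigit() and (method, parent) in collapsed:
            continue  # folded into the template entry above
        entries[f"{method}: {path}"] = []
    return entries


if __name__ == "__main__":
    # Constructed sample traffic, not real discovery data.
    sample = [("GET", "/v1/users/1"), ("GET", "/v1/users/2"), ("GET", "/v1/users/3"),
              ("GET", "/v1/users/4"), ("DELETE", "/v1/users/1"), ("GET", "/v1/users/me"),
              ("POST", "/v1/users")]
    for key, params in organize_endpoints(sample).items():
        print(key, params)
```

Note that DELETE /v1/users/1 stays a separate entry: only one integer id was seen for DELETE, so the threshold is not met for that method even though GET on the same parent path was collapsed.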

Supported API types and HTTP methods for API Discovery

  • RESTful API — GET/POST/PUT with XML/JSON, or DELETE

  • SOAP API — POST with SOAP+XML

  • OAS file types — JSON or YAML

Prerequisites for APIs to be discovered

  • The return code must be 200-299.

  • The HTTP headers and corresponding entity body must have the following in the request/response:

    HTTP Method   Requirement
    GET           “Accept: application/json”, “Accept: application/xml” or “Accept: */*” in the request, and a corresponding “Content-Type:” header with entity body in the response.
    PUT/POST      “Content-Type: application/json”, “Accept: application/xml” or “Accept: application/soap+xml” with corresponding entity body in the request.
    DELETE        No requirement; all DELETE requests can be discovered.

  • For RESTful APIs: the last sub-path should not include the dot (.) character. SOAP API supports including the dot (.) in the last sub-path.

  • For OpenAPI 3.0: servers and paths are required in the OAS file.

  • For Swagger 2.0: host, paths and schemes are required in the OAS file.
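The prerequisites above as one check over a single request/response exchange, written as an added example rather than Fortinet's implementation. It follows the table literally (JSON by Content-Type, XML/SOAP by Accept for PUT/POST), strips media-type parameters such as charset, and applies the dot rule only to REST. The function signature, the req_has_body/resp_has_body flags and the api_type switch are assumptions of this example; they are useful when reasoning about why a known endpoint is missing from the API View database.

```python
SUCCESS_CODES = range(200, 300)          # "The return code must be 200-299"
GET_ACCEPTS = {"application/json", "application/xml", "*/*"}
BODY_ACCEPTS = {"application/xml", "application/soap+xml"}


def media_type(header_value):
    """Drop parameters like '; charset=utf-8' and normalise case."""
    return (header_value or "").split(";", 1)[0].strip().lower()


def last_subpath(path):
    return path.rstrip("/").rsplit("/", 1)[-1]


def is_discoverable(method, path, req_headers, req_has_body,
                    status, resp_headers, resp_has_body, api_type="rest"):
    """Return (ok, reason) for one exchange against the discovery prerequisites.

    api_type is 'rest' or 'soap' (assumed flag); header names are matched case-insensitively.
    """
    if status not in SUCCESS_CODES:
        return False, f"status {status} is outside 200-299"
    req = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}
    method = method.upper()

    if method == "GET":
        if media_type(req.get("accept")) not in GET_ACCEPTS:
            return False, "GET request lacks a JSON/XML/*/* Accept header"
        if "content-type" not in resp or not resp_has_body:
            return False, "GET response lacks Content-Type with an entity body"
    elif method in ("PUT", "POST"):
        json_body = media_type(req.get("content-type")) == "application/json"
        xml_body = media_type(req.get("accept")) in BODY_ACCEPTS
        if not (json_body or xml_body) or not req_has_body:
            return False, "PUT/POST request lacks a supported media type with an entity body"
    elif method == "DELETE":
        pass  # no header requirement; all DELETE requests can be discovered
    else:
        return False, f"method {method} is not supported for discovery"

    if api_type == "rest" and "." in last_subpath(path):
        return False, "REST last sub-path contains a dot"
    return True, "ok"


if __name__ == "__main__":
    # Constructed exchanges, not captured traffic.
    print(is_discoverable("GET", "/api/test", {"Accept": "application/json"}, False,
                          200, {"Content-Type": "application/json"}, True))
    print(is_discoverable("GET", "/api/test.php", {"Accept": "*/*"}, False,
                          200, {"Content-Type": "text/html"}, True))
```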

API endpoint parameters

The API Discovery engine parses raw API data to extract the information that makes up an API endpoint. Parameters can be parsed from the key elements of an API, namely HTTP/HTTPS, Host, Path, and Parameters. Further information can be parsed from the classification or labels of parameters, PII, and schema.

Parameters can be parsed from the following API information, each listed as the Source followed by the parameters parsed from it:

HTTP query request

Parameters can be parsed from the HTTP query request.

For example:

/query?username=admin&password=test

  • username = admin

  • password = test

Elements or keys in the entity body

For JSON API type, API Discovery parses up to 1 layer.

For XML/SOAP API type, API Discovery parses up to 2 or 3 layers:

  • If sub-elements have the same name, the schema of the elements will be recognized as an "array", and 3 layers of the nested parameters will be parsed.
  • Otherwise, the parameters will be treated as an object, and only 2 layers of the nested parameters will be parsed.

Classification or labels of parameters

  • Position — requestBody, responseBody, query, path (for external API endpoints)

  • Position (“in”) — query, path, header or cookie (for internal API endpoints)

  • Required — the reorganized parameter {api_id} will be labeled as “required” (for external API endpoints); labeled if “required” is true in files (for internal API endpoints)

  • Source — external for API endpoints parsed from Automatic discovery, and internal for imported OAS files

  • Description — added automatically for the template parameter (for external API endpoints); defined in the file (for internal API endpoints)
    Note: Maximum supported description length is 2048 characters.

PII (Personal Identifiable Information)

  • Scan name — Username, Password, Token
  • Scan value — Credit Card Number, Email, URL, IP Address, GUID
  • Scan name & value — CVV

Schema of parameters

String, number, integer, Boolean, object, array
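The parameter-extraction rules from the three sections above (query string, entity body with the JSON one-layer and XML two-or-three-layer limits, PII labels and schema names), combined into one added example that is not Fortinet's code. The regular expressions used for value-based PII, the interpretation that the layer budget (3 for an array-like element, 2 otherwise) is decided per top-level XML element, and the output dictionary shape are assumptions of this example.

```python
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

# PII rules from the page: by name, by value, or both (CVV). Regexes are this example's own.
PII_BY_NAME = {"username": "Username", "password": "Password", "token": "Token"}
PII_BY_VALUE = [
    ("Email", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("URL", re.compile(r"^https?://\S+$")),
    ("IP Address", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("GUID", re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")),
    ("Credit Card Number", re.compile(r"^\d{13,19}$")),
]


def schema_of(value):
    """Map a decoded JSON value to the schema names listed on the page."""
    if isinstance(value, bool):      # bool before int: True is also an int in Python
        return "boolean"
    if isinstance(value, int):
        return "integer"
    if isinstance(value, float):
        return "number"
    if isinstance(value, list):
        return "array"
    if isinstance(value, dict):
        return "object"
    return "string"


def pii_labels(name, value):
    """Scan by name (Username/Password/Token), by value, or name and value (CVV)."""
    labels, key = [], name.lower()
    if key in PII_BY_NAME:
        labels.append(PII_BY_NAME[key])
    if isinstance(value, str):
        if key == "cvv" and re.fullmatch(r"\d{3,4}", value):
            labels.append("CVV")
        for label, pattern in PII_BY_VALUE:
            if pattern.match(value):
                labels.append(label)
                break
    return labels


def params_from_query(url):
    """HTTP query request: every key=value pair becomes a query parameter."""
    return [{"name": k, "in": "query", "schema": "string", "pii": pii_labels(k, v)}
            for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def params_from_json(body, position="requestBody"):
    """JSON entity body: only the top-level keys (1 layer) are parsed."""
    data = json.loads(body)
    if not isinstance(data, dict):
        return []
    return [{"name": k, "in": position, "schema": schema_of(v), "pii": pii_labels(k, v)}
            for k, v in data.items()]


def params_from_xml(body, position="requestBody"):
    """XML/SOAP entity body: 3 layers under an array-like element, 2 under an object-like one."""
    def is_array(elem):                      # same-named sub-elements -> array
        tags = [child.tag for child in elem]
        return len(tags) > 1 and len(set(tags)) == 1

    out, seen = [], set()

    def walk(elem, layer, limit):
        schema = "array" if is_array(elem) else ("object" if len(elem) else "string")
        text = (elem.text or "").strip()
        if (elem.tag, layer) not in seen:    # repeated array items collapse to one parameter
            seen.add((elem.tag, layer))
            out.append({"name": elem.tag, "in": position, "layer": layer, "schema": schema,
                        "pii": pii_labels(elem.tag, text) if schema == "string" else []})
        if layer < limit:
            for child in elem:
                walk(child, layer + 1, limit)

    for top in ET.fromstring(body):          # for SOAP, pass the Body element's XML
        walk(top, 1, 3 if is_array(top) else 2)
    return out


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    print(params_from_query("/query?username=admin&password=test"))
    print(params_from_json('{"user": "bob", "age": 30, "tags": ["a"], "card": "4111111111111111"}'))
```

The XML walk is where the page's depth rule matters: the constructed `<items>` element with repeated `<item>` children is array-like, so `sku` and `qty` at layer 3 are still parsed, while `<customer><address><city>` is object-like and stops at layer 2, so `city` is never recorded.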
