config security waf api-discovery
Use this command to configure API Discovery policies. API Discovery allows FortiADC to automatically discover external API endpoints from HTTP/HTTPS requests and responses that have passed the API validity check: each API is parsed for its Host, paths, and parameters (with their schemas) taken from the query string or the entity body, and parameters that match PII (Personally Identifiable Information) signatures are classified as such. API Discovery also supports manually imported OAS files that comply with the OpenAPI 3.0 and Swagger 2.0 standards; these are parsed into internal API endpoints that incoming API requests and responses can also be matched against. The discovered external and internal API endpoints can then be applied directly in API security rules based on Host, Path, and request rate. Once API requests and responses that pass the API validity check match a rule, the specified security action is triggered to protect against malicious API use.
API Discovery policies depend entirely on internal or external API endpoints to function. For external API endpoints to be discovered, the API Discovery policy must be referenced in a WAF Profile that is used by an active virtual server. When the virtual server referencing the API Discovery policy receives API requests or responses, external API endpoint discovery is activated automatically. The API Discovery policy then begins validating APIs and parsing endpoints to build your API endpoints database, which can be viewed on the API View page in the GUI. From the API Discovery policy, you can add API Security rules that trigger alerts and actions against APIs identified as malicious through API Discovery.
Use the config security waf api-discovery command to configure automatic discovery for external API endpoints. To manually import internal API endpoints, see execute oas-file import.
API Discovery is based on VDOMs, where API endpoints are discovered and stored per VDOM. The total API endpoints database size for each VDOM is 1 GB.
The maximum number of API Discovery policies is 256.
Syntax
config security waf api-discovery
    edit <name>
        set api-discovery {enable|disable}
        config api-security-rule
            edit <No.>
                set host <string>
                set path <string>
                set rate-limit <integer>
                set severity {high|medium|low}
                set action <datasource>
            next
        end
    next
end
api-discovery
    Enable or disable the API Discovery configuration. This is disabled by default.

config api-security-rule

host
    Specify the HTTP Host header. This is required. Maximum length is 255 characters. Example: 192.168.0.253, [2001:1234::a41:6e]:8443, or demo.fortinet.com. Once the API Discovery policy is activated, the rule matches only if the Host header matches this value. Complete, exact matching is required. For example, www.example.com matches www.example.com but not www.example.com.hk.

path
    Specify the API resource path. Text strings and simple regular expressions are supported. Example: /login. The path must begin with '/'.

rate-limit
    Specify the allowable requests per second. Default: 0. Range: 0 - 100000000. Note: 0 means there is no limit.

severity
    Select the event severity to log when a request matches the rule: high, medium, or low. The default is low.

action
    Select the action profile to apply when a request matches the rule. See config security waf action. The default action is alert.
Example
config security waf api-discovery
    edit "api-discovery-test"
        set api-discovery enable
        config api-security-rule
            edit 1
                set host 192.168.0.253
                set path /api/*
                set rate-limit 0
                set severity low
                set action alert
            next
        end
    next
end
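To check how a set of api-security-rule entries would behave against sample requests before deploying them, the following added Python model (not FortiADC code and not from this document) implements the matching semantics described above: exact Host matching, a path pattern beginning with '/', and a per-second rate-limit where 0 means no limit. It assumes that the path is matched as a regular expression from the start of the request path and that, with rate-limit 0, every matching request triggers the rule; the hypothetical class and function names are the example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ApiSecurityRule:
    """One 'config api-security-rule' entry: host, path, rate-limit, severity, action."""
    host: str                # exact Host header value, e.g. "192.168.0.253"
    path: str                # resource path, plain text or simple regex, must begin with "/"
    rate_limit: int = 0      # allowed requests per second; 0 means no limit
    severity: str = "low"    # high | medium | low
    action: str = "alert"    # name of a 'config security waf action' profile

    def __post_init__(self) -> None:
        # Enforce the constraints the parameter reference states for each field.
        if not self.path.startswith("/"):
            raise ValueError("path must begin with '/'")
        if self.severity not in ("high", "medium", "low"):
            raise ValueError("severity must be high, medium or low")
        if not 0 <= self.rate_limit <= 100000000:
            raise ValueError("rate-limit must be in the range 0 - 100000000")


class RuleEvaluator:
    """Evaluates requests against rules in order; the first host+path match is applied."""

    def __init__(self, rules: List[ApiSecurityRule]) -> None:
        # Assumption: the path is matched as a regex anchored at the start of the
        # request path; FortiADC's actual "simple regex" semantics may differ.
        self._rules = [(rule, re.compile(rule.path)) for rule in rules]
        self._hits = defaultdict(int)  # (rule index, whole second) -> requests seen

    def evaluate(self, host: str, path: str, ts: float) -> Optional[Tuple[str, str]]:
        """Return (severity, action) when a rule triggers for this request, else None."""
        for idx, (rule, pattern) in enumerate(self._rules):
            # Host must match completely and exactly (www.example.com != www.example.com.hk).
            if host != rule.host or pattern.match(path) is None:
                continue
            key = (idx, int(ts))
            self._hits[key] += 1
            # Assumption: rate-limit 0 triggers on every match; otherwise only the
            # requests beyond the per-second allowance trigger the action.
            if rule.rate_limit == 0 or self._hits[key] > rule.rate_limit:
                return rule.severity, rule.action
            return None
        return None
```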