
CLI Reference

config security waf api-discovery

Use this command to configure API Discovery policies, which allow FortiADC to automatically discover external API endpoints from HTTP/HTTPS requests and responses that have passed API validity checks. Each API is parsed for information including the Host, paths, and parameters and their schemas from query requests or entity bodies, and parameters that match PII (Personally Identifiable Information) signatures are classified. API Discovery also supports manually imported OAS files compliant with the OpenAPI 3.0 and Swagger 2.0 standards; these are parsed and discovered as internal API endpoints, which can also be matched by incoming API requests or responses. The discovered external and internal API endpoints can then be applied directly in API security rules based on the Host, path, and request rate. Once API requests and responses pass the API validity check and match a rule, the specified security action is triggered to protect against malicious APIs.

API Discovery policies depend entirely on internal or external API endpoints to function. For external API endpoints to be discovered, the API Discovery policy must be referenced in a WAF Profile used in an active virtual server. When the virtual server referencing the API Discovery policy receives API responses/requests, external API endpoint discovery is automatically activated. The API Discovery policy will automatically begin validating APIs and parsing endpoints to build your API endpoints database which can then be viewed in the API View page (in the GUI). From the API Discovery policy, you can add API Security rules to trigger alerts and actions against APIs identified as malicious through API Discovery.

Use the config security waf api-discovery command to configure automatic discovery for external API endpoints. To manually import internal API endpoints, see execute oas-file import.

API Discovery is based on VDOMs, where API endpoints are discovered and stored per VDOM. The total API endpoints database size for each VDOM is 1 GB.

The maximum number of API Discovery policies is 256.

Syntax

config security waf api-discovery
  edit <name>
    set api-discovery {enable|disable}
    config api-security-rule
      edit <No.>
        set host <string>
        set path <string>
        set rate-limit <integer>
        set severity {high|medium|low}
        set action <datasource>
      next
    end
  next
end

api-discovery

Enable or disable the API Discovery configuration. This is disabled by default.

config api-security-rule

host

Specify the HTTP Host header. This is required. Maximum length is 255 characters.

Example: 192.168.0.253, [2001:1234::a41:6e]:8443, or demo.fortinet.com.

Once the API Discovery policy is activated, the policy matches only if the Host header matches this value. Complete, exact matching is required. For example, www.example.com matches www.example.com but not www.example.com.hk.

path

Specify the API resource path. Text strings and simple regex are supported.

The path must begin with '/'. Example: /login.

rate-limit

Specify the allowable requests per second. Default: 0. Range: 0 - 100000000.

Note: 0 means there is no limit.

severity

Select the event severity to log when a bot is detected:

  • high — Log as high severity events.
  • medium — Log as medium severity events.
  • low — Log as low severity events.

The default is low.

action

Select the action profile to apply when a bot is detected. See config security waf action.

The default action is alert.

Example

config security waf api-discovery
  edit "api-discovery-test"
    set api-discovery enable
    config api-security-rule
      edit 1
        set host 192.168.0.253
        set path /api/*
        set rate-limit 0
        set severity low
        set action alert
      next
    end
  next
end
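
One way to check rule entries against the limits listed above before applying them, as an added example (not Fortinet code): it parses the nested config/edit/set/next/end syntax and flags a missing host, a path that does not begin with '/', an out-of-range rate limit, a rule left at rate-limit 0, and an invalid severity. SAMPLE is constructed, and parse_rules and audit are hypothetical helper names.

```python
# Constructed sample: rule 1 follows the reference example, rule 2 is deliberately wrong.
SAMPLE = """\
config security waf api-discovery
  edit "api-discovery-test"
    config api-security-rule
      edit 1
        set host 192.168.0.253
        set path /api/*
        set rate-limit 0
      next
      edit 2
        set path login
        set rate-limit 200000000
        set severity critical
      next
    end
  next
end
"""

def parse_rules(text):  # returns [(policy, rule_id, settings), ...]
    rules, policy, in_rules = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        verb, _, rest = line.replace('"', "").partition(" ")
        if line == "config api-security-rule":
            in_rules = True
        elif verb == "edit" and in_rules:
            rules.append((policy, rest, {}))  # new rule inside the policy
        elif verb == "edit":
            policy = rest                     # policy-level edit <name>
        elif verb == "set" and in_rules and rules:
            key, _, value = rest.partition(" ")
            rules[-1][2][key] = value.strip()
        elif verb == "end":
            in_rules = False
    return rules

def audit(text):
    findings = []
    for policy, rid, s in parse_rules(text):
        rate = s.get("rate-limit", "0")  # documented default is 0
        problems = [
            (not 0 < len(s.get("host", "")) <= 255, "host is required, max 255 characters"),
            (not s.get("path", "").startswith("/"), "path must begin with '/'"),
            (not rate.isdigit() or int(rate) > 100_000_000, "rate-limit outside 0-100000000"),
            (rate.isdigit() and int(rate) == 0, "rate-limit 0 means no request limit"),
            (s.get("severity", "low") not in ("high", "medium", "low"), "severity not high, medium or low"),
        ]
        findings += [(f"{policy}/rule {rid}", msg) for bad, msg in problems if bad]
    return findings
```

Calling audit(SAMPLE) returns one finding for rule 1 (no request limit) and four for rule 2.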
