The machine learning based API Protection learns the REST API data structure from user traffic samples and then builds a mathematical model to screen out malicious API requests.
It analyzes the method, URL, and endpoint data of the API request samples to generate an API data structure file for your application. This model describes the data schema of each endpoint. If an incoming API request violates the learned data structure, it is detected as an attack.
API Protection supports JSON request bodies.
API Protection policy is part of a server policy. It is created on the Policy > Server Policy page.
- Click Policy > Server Policy.
- Select an existing server policy.
Please note that API Protection Machine Learning policies can't be created during the server policy creation process. You should first create a server policy, then click Edit to create an API Protection Machine Learning policy.
- Scroll down to the Machine Learning section at the bottom of the page, click the API Protection tab, then click Create. The New Machine Learning dialog opens.
- Click the + (Add) sign after the Domain field to add the desired domains, so that the system collects samples and builds up an API Protection Machine Learning model for the domains.
- Select whether to trust or block the specified source IP addresses.
- Click the + (Add) sign after the IP Range field to add an IP/Range, so that the system collects samples only from the specified IP ranges (when IP List Type is Trust) or from all addresses except the specified IP ranges (when IP List Type is Block).
- Click OK.
After it's completed, go back to Server Policy. Select the one that contains the API Protection policy you just created. You will see the following buttons in the API Protection tab.
Click to view and edit API Protection policies and their learning results.
Note: You can also access the API Protection page by clicking Machine Learning > API Protection, and then selecting a specific policy.
Click to start/stop API Protection machine learning for the policy.
Click to restart API Protection model building for all the domains in the policy.
Note: This will discard all existing learning results and then relearn all data.
Click to remove all learned data from the policy.
Click to export the data for all the domains, including the model data and configurations.
Click to import the API Protection data from your local directory to FortiWeb.
Note: The API Protection model generated in FortiWeb 7.0 cannot be imported in FortiWeb 7.0.1, and vice versa.
All API Protection policies that you have created are displayed on the Machine Learning > API Protection page, where you can edit them to your preference.
- Click Machine Learning > API Protection.
- Double-click the server policy that contains the desired API Protection policy (or highlight it and then click the Edit button at the top of the page) to open it. The Edit API Protection Configuration page opens, which breaks down the API Protection policy into several sections, each of which has various parameters you can use to configure the policy.
- Add domains to be protected by the API Protection Policy.
- Click Create. The Allow sample collection for domains page will open.
- Enter the host address. You can enter the exact string or use wildcard to match multiple domains.
- Click OK.
The system starts building the API Protection model once 100 API request samples have been collected for the specified domain. You can change the sample count with set start-training-cnt <int> in config waf api-learning-policy.
- Configure the action that FortiWeb will take when it detects malicious API requests. The following settings apply to all the API paths in your domain. If you want to change the action setting for a specific API, see API patterns and paths.
Enter the number of seconds that you want to block the requests. The valid range is 1–3,600 seconds (1 hour).
This option only takes effect when you choose Block Period in Action.
Select the severity level for this anomaly type. The severity level will be displayed in the alert email and/or log message.
Select a trigger policy that you have set in Log&Report > Log Policy > Trigger Policy. If potential or definite anomaly or HTTP Method Violation is detected, it will trigger the system to send email and/or log messages according to the trigger policy.
Add IP ranges in the Source IP list, then select Trust or Block to allow or disallow collecting traffic data samples from these IP addresses.
- Trust: The system will collect samples only from the IP ranges in the Source IP list.
- Block: The system will collect samples from any IP addresses except the ones in the Source IP list.
Whether you select Trust or Block, if you leave the Source IP list blank, the system will collect traffic data samples from any IP addresses.
Select the name of the URL Replacer Policy that you have created in Machine Learning Templates.
If web applications have dynamic URLs or unusual parameter styles, you must adapt a URL Replacer Policy to recognize them.
If you have not created a URL Replacer Policy yet, you can leave this option empty for now, and then edit this policy later when the URL Replacer Policy is created. For more information on URL Replacer Policy, see Configure a URL replacer rule.
- Click OK when done.
The system collects samples for the specified domains and analyzes the parameter, body, and the response structure of API requests to all the API paths in the domain.
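As an added illustration (not FortiWeb's own code or algorithm), the following Python sketch mirrors the learn-then-enforce flow described in the introduction and in the procedure above: samples are collected subject to a Trust/Block source IP list, a model is built once start-training-cnt samples have arrived, and later requests are checked for an unlearned method on a known path or a JSON body whose fields or types deviate from what was learned. The class and method names, the assumption that bodies are JSON objects, and the constructed sample requests are assumptions of this example.

```python
import ipaddress
import json

class ApiLearner:
    """Toy learn-then-enforce model (added example, not FortiWeb's code)."""
    def __init__(self, start_training_cnt, ip_list_type="Trust", ip_ranges=()):
        self.start_training_cnt = start_training_cnt   # FortiWeb default is 100
        self.ip_list_type = ip_list_type               # "Trust" or "Block"
        self.ip_ranges = [ipaddress.ip_network(r) for r in ip_ranges]
        self.samples = []
        self.model = None   # (method, path) -> {json field: type name}

    def _accept_source(self, src_ip):
        # Empty list: collect from anywhere. Trust: only the listed ranges.
        # Block: every address except the listed ranges.
        if not self.ip_ranges:
            return True
        listed = any(ipaddress.ip_address(src_ip) in n for n in self.ip_ranges)
        return listed if self.ip_list_type == "Trust" else not listed

    def observe(self, src_ip, method, path, body):
        """Collect one sample; build the model once enough samples exist."""
        if self.model is not None or not self._accept_source(src_ip):
            return
        self.samples.append((method, path, json.loads(body)))
        if len(self.samples) >= self.start_training_cnt:
            self.model = {}
            for m, p, obj in self.samples:   # bodies assumed to be JSON objects
                shape = {k: type(v).__name__ for k, v in obj.items()}
                self.model.setdefault((m, p), {}).update(shape)

    def check(self, method, path, body):
        """Return a violation description, or None if the request fits the model."""
        if self.model is None:
            return None   # still learning, nothing is enforced yet
        schema = self.model.get((method, path))
        if schema is None:
            known_path = any(p == path for _, p in self.model)
            return "HTTP Method Violation" if known_path else "unknown endpoint"
        for k, v in json.loads(body).items():
            if k not in schema:
                return f"unexpected field {k!r}"
            if type(v).__name__ != schema[k]:
                return f"type mismatch for {k!r}"
        return None
```

In the real product the learned structure is exported and imported as the model data described earlier; here it lives only in memory for the duration of the run.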