API security with FortiWeb — OpenAPI-aware WAF for 2026 APIs

Published 10 Jun 2026  ·  By Pawan Sharma  ·  Network Security  ·  14 min read

Every modern application exposes an API. AWS WAF and Azure WAF treat API calls as ordinary HTTP traffic: they match requests against known attack signatures, but they have no notion of the API's contract, no per-endpoint logic and no positive-security model. Per Fortinet's own FortiWeb data sheet, FortiWeb uses ML-driven API Discovery to continuously evaluate application traffic, builds a positive-security model from the profiled inventory, and enforces it against OpenAPI / Swagger / XML / JSON schemas, with CI/CD pipeline integration so the policy is regenerated on each API update.

  • Schema-aware (OpenAPI): OpenAPI 3.x, Swagger 2.x, XML, JSON. Validation against the declared contract.
  • API Discovery (ML): auto-surfaces undocumented endpoints and builds a positive policy without manual catalog work.
  • Continuous Learning (CI/CD): policy auto-adjusts when the API changes, so releases don't break the WAF.
  • Account Takeover (ATO): credential stuffing, token replay, behavioural detection. Advanced and Enterprise plans.

Why cloud-native WAFs miss API-specific attacks

AWS WAF and Azure WAF pattern-match requests against OWASP Top 10 payload signatures. That catches SQL injection strings, XSS payloads and basic command injection. It largely misses the OWASP API Security Top 10 (the 2019 edition, whose numbering is used below), because most of those categories are authorization and logic flaws with no attack string to match:

BOLA / IDOR (API1)

Accessing other users' resources by changing an object ID. Needs per-user, per-endpoint authorization context — string matching is blind to it.

Broken Authentication (API2)

JWT manipulation, weak signing, token-validation bypass. Needs JWT-aware inspection.

Excessive Data Exposure (API3)

Endpoint returns more data than the client asked for. Response-side schema enforcement catches this; string matching can't see it.

Lack of Rate Limiting (API4)

Per-key, per-endpoint rate limits, not just per-IP. Cloud-native WAFs rate-limit on source IP by default; where they allow other keys they typically count raw URI paths rather than endpoint templates, so /users/1 and /users/2 land in separate buckets and a rotating proxy pool slips under the limit.

BFLA (API5)

Function-level authorization bypass — calling an admin endpoint without admin privileges. Needs role-aware policy.

Mass Assignment (API6)

Client sends extra JSON fields that update privileged attributes. Positive-security rejects fields not in schema.

Security Misconfiguration (API7)

Missing security headers, verbose errors, default credentials. Catchable by config + response inspection.

Injection (API8)

SQLi, NoSQLi and OS-command injection, the same payloads as on the web but carried inside JSON / XML bodies. Cloud-native WAFs catch some of this where they parse the body; FortiWeb parses the body against the declared schema and inspects each field.

Improper Asset Mgmt (API9)

Forgotten test endpoints exposed in production. Discovery surfaces these from traffic.

Insufficient Logging (API10)

Per-endpoint logging, attack-attempt context, integration into FortiAnalyzer / FortiSOC.
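To make the positive-security point concrete, here is an added example written for this article. It is not FortiWeb code and says nothing about how FortiWeb implements validation internally: it is a toy validator that checks a request against a constructed OpenAPI 3 fragment for a hypothetical users/orders API. It flags undeclared paths and methods (API9 shadow endpoints), rejects JSON fields the contract never declared (mass assignment, API6), checks types and required fields, and carries a per-endpoint monitor/enforce mode so the "log first, deny later" behaviour described in the rollout section is visible. All paths, field names, modes and sample requests are assumptions.

```python
"""Positive-security request validation against an OpenAPI 3 contract.

Added example, not FortiWeb code. Anything a string-matching WAF would pass
but the contract does not declare is a violation; the endpoint's mode then
decides whether that violation is logged or denied.
"""
import json
import re

# Constructed OpenAPI 3 fragment for a hypothetical API (not from the page).
OPENAPI = {
    "paths": {
        "/users/{id}": {
            "get": {"parameters": [
                {"name": "id", "in": "path", "schema": {"type": "integer"}}]},
            "patch": {
                "parameters": [
                    {"name": "id", "in": "path", "schema": {"type": "integer"}}],
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "additionalProperties": False,
                    "required": ["email"],
                    "properties": {"email": {"type": "string"},
                                   "display_name": {"type": "string"}},
                }}}},
            },
        },
        "/orders": {
            "post": {"requestBody": {"content": {"application/json": {"schema": {
                "type": "object",
                "additionalProperties": False,
                "required": ["sku", "qty"],
                "properties": {"sku": {"type": "string"},
                               "qty": {"type": "integer"}},
            }}}}},
        },
    }
}

# Per-endpoint mode as set during a staged rollout (assumed values); anything
# not listed falls back to DEFAULT_MODE, which is flipped to "enforce" at cutover.
MODES = {("PATCH", "/users/{id}"): "enforce", ("POST", "/orders"): "monitor"}
DEFAULT_MODE = "monitor"

TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "boolean": lambda v: isinstance(v, bool),
    "object": lambda v: isinstance(v, dict),
    "array": lambda v: isinstance(v, list),
}


def match_path(path):
    """Return (template, path_params) for the first declared template that matches."""
    for template in OPENAPI["paths"]:
        pattern = re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template)
        m = re.fullmatch(pattern, path)
        if m:
            return template, m.groupdict()
    return None, {}


def validate_body(schema, value, violations, label="body"):
    """Recursively check a parsed JSON value against a small schema subset."""
    expected = schema.get("type", "object")
    check = TYPE_CHECKS.get(expected)
    if check and not check(value):
        violations.append(f"{label}: expected {expected}")
        return
    if expected != "object":
        return
    props = schema.get("properties", {})
    for name in schema.get("required", []):
        if name not in value:
            violations.append(f"{label}.{name} missing")
    for name, item in value.items():
        if name in props:
            validate_body(props[name], item, violations, f"{label}.{name}")
        elif schema.get("additionalProperties", True) is False:
            # Mass assignment (API6): a field the contract never declared.
            violations.append(f"{label}.{name} undeclared")


def inspect_request(method, path, raw_body=None):
    """Return (action, violations); action is 'allow', 'log' or 'deny'."""
    violations = []
    method = method.upper()
    template, params = match_path(path)
    op = None
    if template is None:
        violations.append("path not in contract")            # API9 shadow endpoint
    else:
        op = OPENAPI["paths"][template].get(method.lower())
        if op is None:
            violations.append(f"{method} not declared for {template}")  # undeclared operation
    if op:
        for p in op.get("parameters", []):
            if (p["in"] == "path" and p["schema"]["type"] == "integer"
                    and not re.fullmatch(r"-?\d+", params.get(p["name"], ""))):
                violations.append(f"path param {p['name']}: expected integer")
        body_schema = (op.get("requestBody", {}).get("content", {})
                       .get("application/json", {}).get("schema"))
        if body_schema is not None:
            try:
                validate_body(body_schema, json.loads(raw_body or ""), violations)
            except ValueError:
                violations.append("body is not valid JSON")
    if not violations:
        return "allow", []
    mode = MODES.get((method, template), DEFAULT_MODE)
    return ("deny" if mode == "enforce" else "log"), violations
```

Note what a negative-security ruleset would have done with the `{"email": ..., "role": "admin"}` PATCH: nothing, since `admin` is not an attack string. The contract is what makes the extra field visible.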

FortiWeb's API security architecture

From the Data Sheet

ML discovery → profiled inventory → positive-security policy → CI/CD-integrated refresh

Fortinet describes it as: "FortiWeb API Discovery and Protection uses machine learning algorithms to automatically discover APIs by continuously evaluating application traffic. Discovery is an integral role for establishing a positive security model and FortiWeb protects your critical APIs based on your profiled API inventory."

The schema validation can be integrated into the CI/CD pipeline, "automatically generating an updated positive security model policy once the API is updated." This is the key advantage over schema-import-only WAFs — your policy doesn't lag behind your code.

The capability stack — by FortiWeb tier

API capability                          | Tier (Std / Adv / Ent)         | Notes
Schema enforcement (OpenAPI, JSON, XML) |                                | Positive security against the declared schema
ML API Discovery                        | Adv, Ent (FortiAppSec Cloud)   | Auto-surface undocumented endpoints
API Gateway (FortiAppSec Cloud)         | Adv, Ent                       | JWT validation, key management, per-key rate limiting
Account Takeover protection             | Adv, Ent (FortiAppSec Cloud)   | Behavioural ATO + credential stuffing
Credential Stuffing Defense             | Adv and above                  | Pattern + reputation + ML
Behavioral Intent Analysis (ML)         | Ent (FortiAppSec Cloud only)   |
Advanced Bot Protection                 | Ent (appliance + VM)           | ML / biometric / behavioural
GraphQL handling                        |                                | Schema validation, depth/complexity limits
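The "per-key rate limiting" entry is the API4 control. The following added example (not FortiWeb code, not a description of its limiter) shows why the key matters: a sliding-window limiter keyed on (subject, method, endpoint template), where the subject is an API key or a source IP, run against a constructed credential-stuffing pattern in which one API key is replayed from seven different source addresses. Limits, key names and IPs are invented for the demonstration.

```python
"""Per-key, per-endpoint sliding-window rate limiting (API4).

Added example, not FortiWeb code. The same class is instantiated twice in
the simulation, once keyed on source IP and once on API key, to show which
one actually sees a distributed credential-stuffing run.
"""
import math
import time
from collections import defaultdict, deque

# Limits per (METHOD, path template): (max requests, window seconds). Constructed.
LIMITS = {
    ("POST", "/v1/login"): (5, 60),
    ("GET", "/v1/users/{id}"): (100, 60),
}


class EndpointRateLimiter:
    """Sliding window keyed on (subject, method, template).

    subject is whatever identifies the caller: an API key, a JWT subject
    or, for comparison, a source IP.
    """

    def __init__(self, limits, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        self.hits = defaultdict(deque)   # (subject, method, template) -> timestamps

    def allow(self, subject, method, template):
        """Return (allowed, retry_after_seconds)."""
        limit = self.limits.get((method, template))
        if limit is None:                      # endpoint has no limit configured
            return True, 0
        max_req, window = limit
        now = self.clock()
        q = self.hits[(subject, method, template)]
        while q and now - q[0] >= window:      # expire timestamps outside the window
            q.popleft()
        if len(q) >= max_req:
            return False, max(1, math.ceil(window - (now - q[0])))
        q.append(now)
        return True, 0


class FakeClock:
    """Deterministic clock so the simulation does not depend on wall time."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_stuffing(attempts=7):
    """One API key replayed from a different source IP per attempt, one per second.

    Returns (blocked_by_per_ip_limiter, blocked_by_per_key_limiter).
    """
    clock = FakeClock()
    per_ip = EndpointRateLimiter(LIMITS, clock)
    per_key = EndpointRateLimiter(LIMITS, clock)
    blocked_ip = blocked_key = 0
    for i in range(attempts):
        src_ip = f"198.51.100.{i + 1}"          # constructed documentation-range address
        ok_ip, _ = per_ip.allow(src_ip, "POST", "/v1/login")
        ok_key, _ = per_key.allow("key_7a1f", "POST", "/v1/login")   # assumed key id
        blocked_ip += 0 if ok_ip else 1
        blocked_key += 0 if ok_key else 1
        clock.advance(1.0)
    return blocked_ip, blocked_key


if __name__ == "__main__":
    print("blocked (per-IP, per-key):", simulate_stuffing())
```

The per-IP limiter sees seven distinct clients making one request each and blocks nothing; the per-key limiter sees one subject making seven login attempts in a minute and blocks the last two. Keying on the endpoint template rather than the raw path is what stops `/v1/users/1`, `/v1/users/2`, ... from each getting a fresh bucket.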

Where to deploy FortiWeb for APIs

Public-facing APIs

  • FortiAppSec Cloud (SaaS) — CNAME the API hostname
  • Advanced or Enterprise plan for API Gateway + Discovery
  • Multi-region delivery built in
  • Lowest friction; zero infra

Cloud-VPC APIs

  • FortiWeb-VM BYOL on AWS / Azure
  • Sits in front of API Gateway / app load balancer
  • Same policy framework as appliance
  • Best for AWS / Azure-native deployments

Internal DC APIs

  • FortiWeb appliance — 1000F+ for low-latency inspection
  • On-prem data residency for regulated workloads
  • FortiManager integration for centralised policy
  • Best for BFSI / regulated

Microservice APIs

  • FortiWeb Container in Kubernetes
  • Sidecar or ingress integration
  • CI/CD-aligned policy refresh
  • Best for cloud-native microservice estates

A 6-week rollout plan

1. Week 1 — Schema import + initial policy
   Import your OpenAPI / Swagger files. Initial positive-security policy in monitor-only mode.

2. Week 2 — ML Discovery + delta surface
   FortiWeb runs Discovery against production traffic. Output: endpoints in the real traffic that weren't in your declared schema. Triage the delta — accept legitimate ones, reject zombies.

3. Week 3 — Policy tuning
   Adjust schema, field types and required fields based on real-traffic feedback. Reduce the false-positive rate to its operational floor.

4. Week 4 — First endpoint to deny-by-default
   Pick the lowest-risk endpoint; flip it from monitor to enforce. Watch for 24 hours. Roll back if needed.

5. Week 5 — Cohort cutover
   Flip the remaining mature endpoints to enforce in waves. New or changing endpoints stay in monitor until stable.

6. Week 6 — CI/CD pipeline hook
   Wire FortiWeb policy refresh into your release pipeline so future API changes auto-update the policy. Continuous Learning takes over.
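The Week 2 delta is a set operation you can prototype from your own access logs before the product run, which also tells you how much API9 "forgotten endpoint" exposure you are carrying. The following is an added example, not FortiWeb's discovery engine: it parses constructed access-log lines, collapses numeric and UUID path segments into `{id}` templates, ignores 4xx/5xx responses (a 404 is a probe, not an endpoint), and reports observed endpoints absent from the declared contract plus declared endpoints that never appear in traffic. The log lines, paths and the DECLARED set are constructed for a hypothetical API.

```python
"""Discovery delta between a declared OpenAPI path set and observed traffic.

Added example, not FortiWeb's discovery engine. Real discovery also looks at
bodies, parameters and response shapes; this only does the path/method delta.
"""
import re
from collections import Counter

# Declared contract as (METHOD, path template): hypothetical API, constructed.
DECLARED = {
    ("GET", "/v1/users/{id}"),
    ("PATCH", "/v1/users/{id}"),
    ("POST", "/v1/orders"),
    ("GET", "/v1/orders/{id}"),
    ("GET", "/v1/products"),
}

# Constructed access-log lines (combined log format); not real traffic.
ACCESS_LOG = """\
10.0.0.5 - - [10/Jun/2026:10:00:01 +0530] "GET /v1/users/1042 HTTP/1.1" 200 512
10.0.0.5 - - [10/Jun/2026:10:00:02 +0530] "PATCH /v1/users/1042 HTTP/1.1" 200 88
10.0.0.9 - - [10/Jun/2026:10:00:03 +0530] "POST /v1/orders HTTP/1.1" 201 140
10.0.0.9 - - [10/Jun/2026:10:00:04 +0530] "GET /v1/orders/7f3c2a1e-9b4d-4c6f-8a2e-1d5b6c7e8f90 HTTP/1.1" 200 300
10.0.0.7 - - [10/Jun/2026:10:00:05 +0530] "GET /v1/users/1042/export HTTP/1.1" 200 9120
10.0.0.7 - - [10/Jun/2026:10:00:06 +0530] "GET /v1/users/1043/export?format=csv HTTP/1.1" 200 9001
10.0.0.3 - - [10/Jun/2026:10:00:07 +0530] "POST /internal/debug/reindex HTTP/1.1" 200 12
10.0.0.5 - - [10/Jun/2026:10:00:08 +0530] "DELETE /v1/users/1042 HTTP/1.1" 204 0
10.0.0.5 - - [10/Jun/2026:10:00:09 +0530] "GET /static/app.js HTTP/1.1" 200 40111
10.0.0.2 - - [10/Jun/2026:10:00:10 +0530] "GET /v1/admin HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def normalise(path):
    """Drop the query string and collapse numeric / UUID segments to {id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if s.isdigit() or UUID_RE.match(s) else s
                    for s in path.split("/"))


def discover(log_text, declared):
    """Return observed endpoint counts, the undocumented delta and declared-but-unused endpoints."""
    observed = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and int(m["status"]) < 400:      # errors are probes, not endpoints
            observed[(m["method"], normalise(m["path"]))] += 1
    return {
        "observed": observed,
        "undocumented": {k: n for k, n in observed.items() if k not in declared},
        "unused_declared": sorted(declared - set(observed)),
    }


def triage_list(result):
    """Undocumented endpoints, busiest first: the list the Week 2 review works through."""
    return sorted(((n, m, t) for (m, t), n in result["undocumented"].items()),
                  reverse=True)


if __name__ == "__main__":
    res = discover(ACCESS_LOG, DECLARED)
    for hits, method, template in triage_list(res):
        print(f"{hits:4d}  {method:6s} {template}   <- not in contract")
    for method, template in res["unused_declared"]:
        print(f"   0  {method:6s} {template}   <- declared, never seen")
```

Run against the constructed log this surfaces an undocumented export endpoint, an internal reindex hook, a DELETE nobody declared and a static asset (noise to filter, but discovery cannot know that without you). The declared `/v1/products` never appears, which is the other question to ask in triage: is it dead, or is it only hit from a path the log does not cover?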

FAQ

Does FortiWeb support OpenAPI 3?
Yes — OpenAPI 3.x and Swagger 2.x both. XML schema and generic JSON schema are also supported. Import is via the FortiWeb UI or API; the schema becomes the positive-security model that traffic is validated against.
What's the difference between API Discovery and API Gateway in FortiAppSec Cloud?
API Discovery uses ML to surface undocumented endpoints from traffic — builds the catalog. API Gateway provides the runtime controls — JWT validation, key management, per-key rate limiting, request transformation. Both are in the Advanced and Enterprise plans of FortiAppSec Cloud.
How does FortiWeb handle GraphQL?
Schema-aware query validation, query-depth and complexity limits, and field-level allow/deny rules. Standard GraphQL anti-pattern protection: introspection abuse, batch-query abuse, and deeply nested queries that drive the resolver-side N+1 cost, which the depth and complexity limits bound before the query reaches the backend.
Can FortiWeb sit in front of AWS API Gateway?
Yes — layered pattern. FortiWeb handles attack detection, bot mitigation, schema enforcement. AWS API Gateway handles routing, authentication, throttling. Both layers add value; neither is redundant with the other.
What's the positive-security model and why does it matter?
Positive security = only allow what matches the declared contract. Negative security = block what matches known attack patterns. Positive defaults to deny, negative defaults to allow. APIs lend themselves to positive security because they ship with a machine-readable contract; classic web apps usually don't. FortiWeb layers both: the positive model rejects anything outside the schema, and signatures still run on what remains.
How long does API onboarding take?
Schema import + initial positive-security policy: 1 week. Discovery + tuning against actual traffic: 2 weeks. Full per-endpoint cutover to positive security: 4-6 weeks for a 50-endpoint API. The continuous-learning model then keeps policy current as the API evolves.
Which deployment shape is best for API security?
Depends on where the API lives. Public APIs behind DNS → FortiAppSec Cloud (SaaS). APIs in AWS/Azure VPC → FortiWeb-VM BYOL. Internal DC APIs → appliance. Kubernetes microservice APIs → FortiWeb Container. All four support OpenAPI import.
What about token-replay attacks and credential stuffing?
Credential Stuffing Defense is in the Advanced bundle and above. Account-takeover protection (ATO) is in FortiAppSec Cloud Advanced/Enterprise. Both use ML + behavioural tracking, not just rate limits.

Free API security audit

ML Discovery run against your APIs — find the undocumented endpoints first

Ogma runs a 7-day ML Discovery audit against your API traffic and returns the delta between your declared schema and the real-traffic catalog. Plus a tuned positive-security policy draft.

Request the API audit or explore the FortiWeb API Security landing

Sources

Related: FortiWeb deployment models · FortiWeb API Security landing · FortiAppSec Cloud
