OPENAPI · GRAPHQL · ML DISCOVERY

FortiWeb for API Security —
OpenAPI-aware WAF for India

Every modern app is an API. Per Fortinet's own Data Sheet, FortiWeb uses ML-driven API Discovery to continuously evaluate application traffic, builds a positive security model from the inventory, and enforces against OpenAPI, XML and generic JSON schemas — including CI/CD-pipeline integration for automatic policy refresh on each API update.

OpenAPI ✓

Schema enforcement

Import OpenAPI / Swagger / XML / JSON schema and enforce shape, type, range, required fields.

ML

API Discovery

Auto-discover undocumented endpoints from traffic. Build positive-security policy without manual catalog.

CI/CD

Pipeline-integrated

Continuous Learning model automatically refreshes policy when the API is updated.

ATO

Account takeover

Credential stuffing detection, ATO protection in Advanced/Enterprise plans.

API attack surface that cloud-native WAFs miss

AWS WAF and Azure WAF treat APIs as HTTP traffic. They block obvious patterns (SQLi strings, XSS payloads) but have no concept of API schema, no per-endpoint logic, no positive security model. The OWASP API Security Top 10 isn't covered by string-matching alone:

BOLA / IDOR

Broken Object Level Authorization: reading or writing another user's resource by changing an ID in the path or body. The request is perfectly well-formed, so schema enforcement alone cannot see it; the WAF needs per-user, per-endpoint context (which authenticated subject may touch which object IDs), and the authorization check itself still belongs in the application.

Excessive data exposure

Endpoint returns more data than the client needs (a full user object where only a name was requested) and trusts the client to filter. Response-side schema enforcement can flag fields the contract does not declare; trimming the response is still an application fix.

Mass assignment

Client sends extra JSON fields that update privileged attributes. Positive-security model rejects fields not in schema.

Improper rate limiting

Per-endpoint, per-key rate limits, not just per-IP, so one key spread across many source addresses is still throttled. FortiWeb can key the limit on API-key headers and JWT claims. A JWT claim is only a safe key once the token's signature has been validated; otherwise an attacker forges a fresh sub per request and gets a fresh bucket each time.

Authentication abuse

Credential stuffing, token replay, JWT manipulation. Bot Defense + ATO protection in Advanced+.

Server-side request forgery (SSRF)

URL-valued parameters that make the backend fetch an attacker-chosen target, pivoting to internal services or cloud metadata endpoints. Schema enforcement on URL fields (format, allowed scheme, host allowlist) narrows this at the edge; the backend must still resolve and check the destination itself.
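A sketch of the per-principal keying described under improper rate limiting above, as an added example written for this page (not FortiWeb's implementation): a sliding-window limiter keyed on (method, path, principal), where the principal comes from an X-API-Key header, else from the sub claim of an HS256 JWT that is signature-checked first, else from the client IP as the weakest fallback. The shared secret, the limits, the header names and the sample traffic are all constructed for the example.

```python
"""Per-endpoint, per-principal rate limiting keyed on an API key or a verified JWT sub."""
import base64
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque

# Assumption for the example: the WAF holds the HS256 key the API signs tokens with.
SECRET = b"constructed-demo-secret"


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_jwt(claims, secret=SECRET):
    """HS256 token; only used here to build sample traffic."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"


def verify_jwt(token, secret=SECRET):
    """Return the claims only if the signature checks out.

    An unverified sub could be forged per request to dodge the limiter entirely.
    """
    try:
        head, body, sig = token.split(".")
        hdr = json.loads(_b64url_decode(head))
        if hdr.get("alg") != "HS256":  # refuse alg=none and key-confusion tricks
            return None
        expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


def principal(headers, client_ip):
    """Key order: API-key header, then verified JWT subject, then source IP.

    Header names are assumed lower-cased by the caller. None means 'deny outright'.
    """
    if "x-api-key" in headers:
        return "key:" + headers["x-api-key"]
    auth = headers.get("authorization", "")
    if auth.lower().startswith("bearer "):
        claims = verify_jwt(auth[7:])
        if claims and "sub" in claims:
            return "sub:" + str(claims["sub"])
        return None  # bad or forged token: no bucket, no request
    return "ip:" + client_ip


class SlidingWindowLimiter:
    """limits: {(method, path): (max_requests, window_seconds)}; one deque of timestamps per bucket."""

    def __init__(self, limits):
        self.limits = limits
        self.hits = defaultdict(deque)

    def allow(self, method, path, headers, client_ip, now=None):
        now = time.monotonic() if now is None else now
        who = principal(headers, client_ip)
        if who is None:
            return False, "invalid token"
        limit = self.limits.get((method, path))
        if limit is None:
            return True, "no limit configured"
        max_req, window = limit
        bucket = self.hits[(method, path, who)]
        while bucket and bucket[0] <= now - window:  # drop hits outside the window
            bucket.popleft()
        if len(bucket) >= max_req:
            return False, f"{who} over {max_req}/{window}s on {method} {path}"
        bucket.append(now)
        return True, "ok"


if __name__ == "__main__":
    lim = SlidingWindowLimiter({("POST", "/login"): (5, 60)})
    tok = mint_jwt({"sub": "user-7"})
    # Same subject from six different source addresses: the sixth call is throttled.
    for i in range(6):
        print(lim.allow("POST", "/login", {"authorization": "Bearer " + tok}, f"10.0.0.{i}", now=1000.0 + i))
```

A production deployment keys on the route template (for example /users/{id}) rather than the literal path, so that one principal cannot get a fresh bucket per object ID; the example keys on the literal path only to stay short.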

How FortiWeb actually does API security

Schema import

OpenAPI 3.x, Swagger 2.x, XML schema, generic JSON schema. Imported via API or UI. Validation runs per request against the imported contract.

ML API Discovery

Continuously evaluates application traffic to find undocumented endpoints. Builds a profiled API inventory automatically.

Positive security model

Once an endpoint is profiled, only schema-matching traffic is allowed. Reject-by-default for unknown shapes — flips the default from "block-known-bad" to "allow-known-good".
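A minimal illustration of the positive-security check described above, as an added example written for this page (not FortiWeb code): a constructed OpenAPI 3.x fragment for one route, a small validator for the keywords the schema-enforcement card lists (shape, type, range, required fields, plus enum and pattern), and an enforce() that denies unknown routes, malformed bodies and, through additionalProperties: false, the extra privileged field of the mass-assignment case. The route, its fields and the limits are assumptions for the example.

```python
"""Allow-known-good request enforcement against an OpenAPI contract."""
import json
import re

# Constructed OpenAPI 3.x fragment for the example: a single documented route.
OPENAPI = {
    "paths": {
        "/users/{id}": {
            "patch": {
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "additionalProperties": False,  # the mass-assignment guard
                    "required": ["email"],
                    "properties": {
                        "email": {"type": "string", "pattern": r"^[^@\s]+@[^@\s]+$", "maxLength": 254},
                        "display_name": {"type": "string", "minLength": 1, "maxLength": 64},
                        "age": {"type": "integer", "minimum": 13, "maximum": 120},
                        "tags": {"type": "array", "maxItems": 5,
                                 "items": {"type": "string", "enum": ["vip", "beta"]}},
                    },
                }}}}
            }
        }
    }
}

TYPES = {"string": str, "integer": int, "number": (int, float), "boolean": bool,
         "array": list, "object": dict}


def validate(value, schema, path="$"):
    """Return the list of contract violations for value against a JSON-Schema-style schema."""
    errs = []
    t = schema.get("type")
    # bool is a subclass of int in Python, so exclude it from the numeric types explicitly
    if t and (not isinstance(value, TYPES[t]) or (t in ("integer", "number") and isinstance(value, bool))):
        return [f"{path}: expected {t}, got {type(value).__name__}"]
    if "enum" in schema and value not in schema["enum"]:
        errs.append(f"{path}: {value!r} not in enum {schema['enum']}")
    if t == "string":
        if not schema.get("minLength", 0) <= len(value) <= schema.get("maxLength", float("inf")):
            errs.append(f"{path}: length {len(value)} out of range")
        if "pattern" in schema and not re.search(schema["pattern"], value):
            errs.append(f"{path}: does not match pattern")
    elif t in ("integer", "number"):
        if not schema.get("minimum", float("-inf")) <= value <= schema.get("maximum", float("inf")):
            errs.append(f"{path}: {value} out of range")
    elif t == "array":
        if len(value) > schema.get("maxItems", float("inf")):
            errs.append(f"{path}: too many items")
        for i, item in enumerate(value):
            errs += validate(item, schema.get("items", {}), f"{path}[{i}]")
    elif t == "object":
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errs.append(f"{path}: missing required field {name!r}")
        for name, item in value.items():
            if name in props:
                errs += validate(item, props[name], f"{path}.{name}")
            elif schema.get("additionalProperties", True) is False:
                errs.append(f"{path}: field {name!r} is not in the contract")
    return errs


def match_route(openapi, method, url_path):
    """Find the documented operation for method + path; None means the endpoint is unknown."""
    for template, ops in openapi["paths"].items():
        pattern = "^" + re.sub(r"\{[^/}]+\}", r"[^/]+", template) + "$"
        if re.match(pattern, url_path) and method.lower() in ops:
            return ops[method.lower()]
    return None


def enforce(openapi, method, url_path, raw_body):
    """Deny by default: unknown routes, non-JSON bodies and contract violations are all rejected."""
    op = match_route(openapi, method, url_path)
    if op is None:
        return False, [f"{method} {url_path}: endpoint not in inventory"]
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False, ["body is not valid JSON"]
    schema = op["requestBody"]["content"]["application/json"]["schema"]
    errs = validate(body, schema)
    return not errs, errs


if __name__ == "__main__":
    print(enforce(OPENAPI, "PATCH", "/users/42", '{"email": "a@b.io", "age": 30}'))
    print(enforce(OPENAPI, "PATCH", "/users/42", '{"email": "a@b.io", "role": "admin"}'))  # mass assignment
    print(enforce(OPENAPI, "PATCH", "/admin/users", "{}"))  # not in the contract
```

The second call is the mass-assignment case from the OWASP list: the body is valid JSON and every declared field is fine, but role is not in the contract, so the allow-known-good model rejects it. The third shows why the cutover has to be staged: an endpoint the contract does not know is denied, whether it is an attack or simply undocumented.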

CI/CD integration

Continuous Learning automatically adjusts the policy when the API changes — so a new release won't break the WAF policy.

API Gateway features

FortiAppSec Cloud Advanced/Enterprise plans include API Gateway capabilities — JWT validation, key management, rate limiting per key.

GraphQL handling

Schema validation for GraphQL queries — limits query depth, blocks expensive queries, enforces field-level authorization.
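To make the GraphQL limits concrete (this entry and the matching FAQ answer on introspection and batch abuse), an added example written for this page, not FortiWeb's parser: a deliberately small selection-set parser that strips arguments, strings, comments and directives, then measures nesting depth, total field count, root-level selections (alias batching) and use of introspection fields, and applies constructed thresholds. It inspects one operation and does not expand named fragment bodies; the thresholds are assumptions.

```python
"""GraphQL query guardrails: depth, field count, root batching and introspection."""
import re

_STRING = re.compile(r'"(?:\\.|[^"\\])*"')
_COMMENT = re.compile(r'#[^\n]*')
_DIRECTIVE = re.compile(r'@[A-Za-z_][A-Za-z0-9_]*')
_PARENS = re.compile(r'\([^()]*\)')
_TOKEN = re.compile(r'\{|\}|:|\.\.\.|[A-Za-z_][A-Za-z0-9_]*')


def tokenize(query):
    """Reduce a query to its selection-set structure: braces, names, aliases and spreads."""
    q = _COMMENT.sub('', _STRING.sub('', query))
    q = _DIRECTIVE.sub('', q)
    prev = None
    while prev != q:  # peel nested argument lists (and variable definitions) inside-out
        prev, q = q, _PARENS.sub('', q)
    return _TOKEN.findall(q)


def parse_selection(tokens, i):
    """tokens[i] is '{'. Returns (fields, index after the matching '}').

    Each field is (name, sub_fields or None); inline fragments appear as ('...', sub_fields).
    """
    fields, i = [], i + 1
    while tokens[i] != '}':
        if tokens[i] == '...':
            i += 1
            if tokens[i] == 'on':  # inline fragment with a type condition
                i += 2
            if tokens[i] == '{':
                sub, i = parse_selection(tokens, i)
                fields.append(('...', sub))
            else:  # named fragment spread; its body is defined elsewhere and not expanded here
                i += 1
            continue
        name, i = tokens[i], i + 1
        if tokens[i] == ':':  # alias: the real field name follows the colon
            name, i = tokens[i + 1], i + 2
        sub = None
        if tokens[i] == '{':
            sub, i = parse_selection(tokens, i)
        fields.append((name, sub))
    return fields, i + 1


def depth(fields):
    """Number of nested selection sets along the deepest path."""
    return 1 + max((depth(sub) for _, sub in fields if sub is not None), default=0)


def count_fields(fields):
    total = 0
    for name, sub in fields:
        total += (name != '...') + (count_fields(sub) if sub else 0)
    return total


def uses_introspection(fields):
    return any(name.startswith('__') or (sub and uses_introspection(sub)) for name, sub in fields)


def check_query(query, max_depth=5, max_fields=50, max_root_fields=5, allow_introspection=False):
    """Return (allowed, reasons) for one operation against the constructed thresholds."""
    tokens = tokenize(query)
    try:
        fields, _ = parse_selection(tokens, tokens.index('{'))
    except (ValueError, IndexError):
        return False, ['malformed or missing selection set']
    reasons = []
    d = depth(fields)
    if d > max_depth:
        reasons.append(f'depth {d} exceeds {max_depth}')
    n = count_fields(fields)
    if n > max_fields:
        reasons.append(f'{n} fields exceeds {max_fields}')
    if len(fields) > max_root_fields:
        reasons.append(f'{len(fields)} root selections (alias batching) exceeds {max_root_fields}')
    if not allow_introspection and uses_introspection(fields):
        reasons.append('introspection (__schema/__type) requested')
    return not reasons, reasons


if __name__ == "__main__":
    print(check_query("query { user { posts { comments { author { name } } } } }", max_depth=4))
    print(check_query("{ __schema { types { name } } }"))
    batch = "mutation { " + " ".join(f'a{i}: login(user: "u", pass: "{i}") {{ token }}' for i in range(6)) + " }"
    print(check_query(batch))
```

The batching case is the one a per-request rate limit misses: one HTTP request carrying six aliased login mutations is six password guesses, so the root-selection count, not the request count, is what the limit has to see. Field-level authorization (which fields which subject may read) is not something this structural check can decide; it needs the same per-user context as BOLA and lives in the resolver layer.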

What Ogma delivers

  • API discovery audit — week-1 ML discovery run to find undocumented endpoints. Output is a profiled API catalog.
  • Schema import + tuning — bring your OpenAPI / Swagger files, validate against actual traffic, tune for edge cases.
  • Positive-security cutover — staged rollout per endpoint, with rollback plan. Mature endpoints flip to deny-by-default first.
  • CI/CD pipeline integration — hook the WAF policy refresh into your release pipeline so policy never lags behind code.
  • Bot mitigation tuning — Advanced Bot Protection (Enterprise tier) configured for API-specific attack patterns (credential stuffing, token replay, scraping).
  • Reporting — Threat Analytics view of API-specific incidents grouped by ML correlation, not raw alerts.

FAQ

Which FortiWeb deployment shape is best for API security?
Depends on where the API runs. Public APIs → FortiAppSec Cloud (SaaS). API gateway in AWS / Azure → FortiWeb-VM BYOL. Internal APIs in your DC → appliance. Container APIs in Kubernetes → FortiWeb Container. All four support OpenAPI import.
Do I need Enterprise tier for API security?
Standard covers basic API protection (schema enforcement, IP-based bot defense). Advanced adds ML API Discovery, API Gateway and ATO protection, usually the sweet spot for API-focused workloads. Enterprise adds Behavioral Intent Analysis ML and Client-Side Security, which is the tier to look at if the API powers card-payment pages, since PCI DSS 4.0 (requirements 6.4.3 and 11.6.1) expects payment-page scripts to be inventoried and monitored for tampering.
How does FortiWeb handle GraphQL?
Schema validation per query, depth limits, query complexity limits, field-level authorization checks. Standard GraphQL anti-pattern protection (introspection abuse, batch query abuse).
Can FortiWeb sit in front of an existing API gateway (Kong, AWS API Gateway, Azure APIM)?
Yes. FortiWeb in front handles attack-pattern detection, schema enforcement and bot mitigation; the API gateway behind it handles routing, authentication and business rate limits. Standard layered pattern, with two conditions: the gateway must accept traffic only from the WAF (otherwise the WAF is bypassable), and the WAF must pass the original client address through (X-Forwarded-For or equivalent) so the gateway's own limits and logs still key on the right client.
What about API discovery for undocumented APIs?
FortiWeb's ML API Discovery continuously evaluates traffic to surface endpoints not in your declared schema. Week-1 of an engagement we run discovery against your production traffic and surface the gap between declared and actual.
How long does deployment take?
Schema import + initial positive-security policy: 1 week. Discovery + tuning: 2 weeks. Full positive-security cutover (per endpoint): 4-6 weeks for a typical 50-endpoint API.

Free API security audit

Week-1 ML API discovery run against your traffic + a tuned positive-security policy draft against your OpenAPI / Swagger files. 7 working days, no commitment.

Request the API audit