API Protection
Table of Contents
API Protection
WAAS can enforce API security based on specifications provided in the form of Swagger or OpenAPI files.
Alternatively, you can manually define your API (e.g., paths, allowed HTTP methods, parameter names, input types, value ranges, and so on).
Once defined, you can configure the actions WAAS applies to requests that do not comply with the API’s expected behavior.
Users should be careful when enabling Prisma Session Cookies along with API protection.
Prisma Session Cookies mandates client’s support of cookies and javascript in order for them to reach the protected application.
As APIs are often accessed by "primitive" automation clients, avoid enabling Prisma Session Cookies unless you are certain all clients accessing the protected API support BOTH cookies AND Javascript.
Import API definition from Swagger or OpenAPI files
- Click theApp definitiontab.
- ClickImport.
- Select a file to load.
- Click theAPI protectiontab.
- Review path and parameter definitions listed underAPI Resources.
- Click theEndpoint setuptab.
- Review protected endpoints listed underProtected Endpointsand verify configured base paths all end with a trailing *.Base path in the endpoint definition should always end with a * e.g. "/*", "/api/v2/*". If not configured that way, API protection will not apply to sub-paths defined in the API protection tab.
- Go back to theAPI protectiontab.
Define an API manually
- Click theApp definitiontab.
- Click theEndpoint setuptab.
- Add protected endpoints underProtected endpointsand verify configured base paths all end with a trailing *.Base path in the endpoint definition should always end with a * e.g. "/*", "/api/v2/*". If not configured that way, API protection will not apply to sub-paths defined in the API protection tab.
- Click theAPI protectiontab.
- ClickAdd path
Paths entered in this section are additional subpaths to the base path defined in the previous endpoint section. For example, if in the endpoint definition hostname was set to "www.example.com", base path set to "/api/v2/*" and in theAPI Protectiontab resource path set to "/product" - full protected resource would be www.example.com/api/v2/product.- Select allowed methods.
- For each allowed HTTP method, define parameters by selecting the method fromParameters fordrop-down list.
- Parameter violation— Action to be taken when a request sent to one of the specified paths in the API resource list does not comply with the parameter provided definitions.
- Unspecified path(s)/method(s)— Action to be taken in one of the following cases:
- Request sent to a resource path that is not specified in the API resources list.
- Request sent using an unsupported HTTP method for a resource path in the API list.
API Actions
HTTP requests that trigger API protections are subject to one of the following actions:
- Alert- Request is passed to the protected application and an audit is generated for visibility.
- Prevent- Request is denied from reaching the protected application, an audit is generated, and WAAS responds with an HTML banner indicating the request was blocked.
- Ban- Can be applied on either IP addresses or Prisma Session IDs. All requests originating from the same IP/Prisma Session to the protected application are denied for the configured time period (default is 5 minutes) following the last detected attack.To enable ban by Prisma Session ID, you must enable Prisma Session Cookies. For more information on enabling Prisma Sessions and configuring ban definitions, see Advanced Settings.
- When the X-Forwarded-For HTTP header is included in the request headers, ban will apply based on the first IP listed in the header value (true client IP).
- WAAS implements state, which is required for banning user sessions by IP address. Because Defenders do not share state, any application that is replicated across multiple nodes must enable IP address stickiness on the load balancer.