1. Overview

WAAS is able to enforce API security based on specifications provided in the form of Swagger or OpenAPI files. WAAS also allows the API to be defined manually: paths, allowed HTTP methods, parameter names, input types, value ranges, etc. Once the API is defined, users can choose the WAAS actions to apply to requests that do not comply with the API's expected behavior.

Enforcement for body, header and formData parameters is currently not supported by WAAS.
Users should be careful when enabling Prisma Session Cookies along with API protection. Prisma Session Cookies require the client to support cookies and JavaScript in order to reach the protected application. As APIs are often accessed by "primitive" automation clients, avoid enabling Prisma Session Cookies unless you are certain that all clients accessing the protected API support BOTH cookies AND JavaScript.

2. Importing API Definition From Swagger or OpenAPI

  1. Enter the App Definition Tab.

    [Screenshot: WAAS App Definition tab]
  2. Click on Import.

    [Screenshot: WAAS Import API dialog]
  3. Select definition file to load.

  4. Select the API Protection Tab.

    [Screenshot: WAAS API Protection tab]
  5. Review path and parameter definitions listed under API Resources.

  6. Select the Endpoint Setup Tab.

    [Screenshot: WAAS Endpoint Setup tab]
  7. Review the protected endpoints listed under Protected Endpoints and verify that all configured base paths end with a trailing *.

    The base path in an endpoint definition should always end with a *, e.g. "/*" or "/api/v2/*". If it is not configured that way, API protection will not apply to the sub-paths defined in the API Protection tab.
  8. Enter the App Firewall Tab.

    [Screenshot: WAAS App Firewall tab]
  9. Assign an API Protection action for the resources defined under the API Resources tab, and a separate action for all other paths.

    [Screenshot: WAAS API Protection action selection]
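Before importing a definition, it helps to know which of its parameters WAAS will actually enforce (path and query) and which it currently will not (body, header, formData), and to confirm that the Protected Endpoints base path carries the trailing *. The Python below is an added example, not Prisma Cloud's own code; the Swagger 2.0 document it inspects is constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample Swagger 2.0 definition (not from the Prisma Cloud docs).
SAMPLE_SPEC = {
    "swagger": "2.0",
    "basePath": "/api/v2",
    "paths": {
        "/users/{id}": {
            "get": {"parameters": [
                {"name": "id", "in": "path", "type": "integer"},
                {"name": "verbose", "in": "query", "type": "boolean"},
                {"name": "X-Request-Id", "in": "header", "type": "string"},
            ]},
            "post": {"parameters": [
                {"name": "id", "in": "path", "type": "integer"},
                {"name": "user", "in": "body", "schema": {"type": "object"}},
            ]},
        },
    },
}

HTTP_METHODS = {"get", "post", "put", "delete", "patch", "head", "options"}
# Parameter locations WAAS does not enforce (per the note in the Overview).
UNENFORCED = {"body", "header", "formData"}


def preview_enforcement(spec: dict) -> Dict[str, List[Tuple[str, str]]]:
    """Split every parameter into enforced vs. unenforced as (METHOD path, name)."""
    result: Dict[str, List[Tuple[str, str]]] = {"enforced": [], "unenforced": []}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters"
            # Path-level parameters apply to every operation under the path.
            params = list(item.get("parameters", [])) + list(op.get("parameters", []))
            for p in params:
                bucket = "unenforced" if p.get("in") in UNENFORCED else "enforced"
                result[bucket].append((f"{method.upper()} {path}", p["name"]))
            if "requestBody" in op:  # OpenAPI 3 body, likewise not enforced
                result["unenforced"].append((f"{method.upper()} {path}", "<requestBody>"))
    return result


def base_path_covers(base_path: str, api_path: str) -> bool:
    """True if a Protected Endpoints base path (ending in '*') covers api_path."""
    if not base_path.endswith("*"):
        return False  # without the trailing *, sub-paths are not protected
    return api_path.startswith(base_path[:-1])
```

Run preview_enforcement against the real definition before import and review the "unenforced" list; anything in it still needs another control.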

3. Manual API Definition

  1. Enter the App Definition Tab.

    [Screenshot: WAAS App Definition tab]
  2. Select the Endpoint Setup Tab.