API Discovery


Last updated 3 months ago


Overview

API Discovery provides security through visibility into the API traffic passing to the web server.

After a learning period, API Discovery provides a suggested initial schema for enforcement. From then on, it helps maintain that schema over time by suggesting changes to it according to actual use.

For a full overview of API Discovery's role within API Security, read here:

API Discovery supports:

  1. REST API

  2. GraphQL API

GraphQL subscription requests, which are based on WebSockets, are not supported yet and will not be detected.

How does API discovery work?

API discovery learns the actual behavior of the traffic to the web server's exposed URI paths.

API discovery inspects:

  1. Requests to the internal web server that are accepted by it, i.e. their HTTP return codes are not 4XX/5XX.

  2. Traffic blocked by API Schema Validation, if it is active and set to Prevent, in order to suggest APIs that are missing from the existing validated schema.

Once Schema Validation is active and set to "Prevent", API Discovery must look at traffic blocked by Schema Validation in order to detect potential new APIs or modified APIs that were added to the client and server, but not added to the schema used by Schema Validation Security.

For this reason, once Schema Validation is active, all new APIs suggested by schema validation must be reviewed and approved by the security administrator and schema owner before being added to the schema.

The API Discovery will not have knowledge which of the requests for an API that does not appear in the schema are requests that would've been accepted by the

API Discovery Learning engine has 2 stages:

  1. API detection using an iterative Machine Learning A.I. engine that detects usage of APIs (a combination of the method and the endpoint used in the request). Several different endpoints may be joined at this stage to a single API using path parameters.

  2. Schema Builder looks at query parameters and the request body to build the exact schema for each API based on multiple requests. API Discovery saves up to 100 query parameters per API. At this stage, it also detects any use of sensitive data in each API.

Schema Builder does not yet look at HTTP headers as part of building the schema with the exception of "Content-Type".
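An added illustration (not Check Point's code or algorithm) of two ideas described above: only requests the web server accepted are learned, and several endpoints are joined into one API through a path parameter before query parameters are collected. The ID-matching pattern, the function names and the sample records are assumptions made for this example; the product uses a machine-learning engine rather than this fixed heuristic.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

MAX_QUERY_PARAMS = 100  # per-API limit stated on this page

# Constructed sample traffic: (method, request target, status returned by the server)
SAMPLE = [
    ("GET", "/api/users/17?expand=orders", 200),
    ("GET", "/api/users/42?expand=orders&page=2", 200),
    ("GET", "/api/users/9f1c2e3a-0b4d-4c6e-8a7f-1d2e3f4a5b6c", 200),
    ("POST", "/api/users", 201),
    ("GET", "/api/admin/debug", 404),   # rejected by the server: not learned
    ("DELETE", "/api/users/42", 500),   # server error: not learned
]

# Assumed heuristic: a segment that is all digits or a UUID is a path parameter.
_ID = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I
)

def normalize(path):
    """Collapse ID-like segments so /users/17 and /users/42 become one endpoint."""
    return "/".join("{id}" if _ID.match(seg) else seg for seg in path.split("/"))

def discover(records):
    """Return {(method, templated path): sorted query-parameter names}."""
    apis = defaultdict(set)
    for method, target, status in records:
        if 400 <= status <= 599:        # 4XX/5XX responses are not inspected
            continue
        url = urlsplit(target)
        params = apis[(method.upper(), normalize(url.path))]
        for name, _ in parse_qsl(url.query, keep_blank_values=True):
            # Stop recording new names once the per-API cap is reached.
            if name in params or len(params) < MAX_QUERY_PARAMS:
                params.add(name)
    return {api: sorted(names) for api, names in apis.items()}

if __name__ == "__main__":
    for (method, path), names in sorted(discover(SAMPLE).items()):
        print(method, path, names)
```

The example leaves out the second inspected source, traffic blocked by Schema Validation in Prevent mode, and the request-body part of the Schema Builder.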

Similar to other learning mechanisms in CloudGuard WAF, API Discovery has learning levels that track progress.

The Learning mechanism may require the user to decide between several options when the learning result is not conclusive enough.

Where can you see API Discovery Results?

For a full explanation of tracking API Discovery results see:

In general, there are 3 locations:

  1. Within each asset, the API Discovery engine shows the detected Schema and its progress across versions. Versions will initially change due to iterative learning as more and more traffic passes through the engine, and later, versions will be created by a change in the behavior of the client requests and the API the web server accepts.

  2. Within each asset, the Learn tab shows a summary of the discovered schema and allows for supervised fine tuning.

To ensure proper functionality, API discovery requires two assets: one for the base application and another for API calls (e.g., example.com and example.com/api).

  3. An API Dashboard shows a cross-asset view of all APIs as well as top APIs (most used, least used, sensitive data APIs, etc.)

API Schema validation
API Protection
Track API Discovery Learning
API Dashboard