WAF REST API is known as the secondary development interface, and can be called by third-party platforms/software for adding, deleting, modifying, and querying WAF as wells its site, policy, and other configurations.
Basic Conventions
Format conventions:
WAF REST API requests and responses are in JSON format:
- The attribute (primary key) name and character string of JSON request and response packets must be enclosed in double quotation marks (“”).
- The key value of a JSON object must be lowercase, and multiple words are separated by an underscore (_).
- The value of a JSON object must be lowercase, and multiple words are separated by a blank space.
- The API URI contains letters, digits, underscores (_), semicolons (;), dots (.), and slashes (/). This rule also applies to the GET parameter.
- Fields enclosed in curly brackets ({}) are variables. Dots (.) are used to link path strings, commas (,) are used to delimit a series of parameters, and semicolons (;) are used to delimit parallel parameters.
Character set conventions:
WAF API requests and responses are UTF-8 encoded.
Request methods:
Authentication and Authorization
Authentication type:
When calling WAF REST API, you can choose to enable or disable digital signature authentication. If Postman is used for API testing, disable digital signature to facilitate operation.
After login as a maintainer, choose System Management > REST API > Digital Signature Parameters and set Digital Signature to Enable or Close to enable or disable it.
Tips:
If the digital signature is disabled, no digital signature authentication is required, and only username and password authentication is performed. The default account and password are admin and password respectively.
Digital signature:
(1) Parameter description
A digital signature sign consists of the following four parameters:
apikey: has a fixed value vmwaf regardless of product models.
method: indicates the request method, such as get, post, put, and delete.
timestamp: indicates an integer value of the timestamp, for example, 1600578857.
devhash: indicates the device hash value, for example, 46CB-5C18-A669-0BBF.
(2) Signature combination
The preceding four parameters are combined in the following order to form a character string. After the character string is UTF-8 encoded and then encrypted with the MD5 algorithm, the generated 32-bit lowercase value is the sign.
URL combination:
WAF REST API URL is https://IP:8443/rest/v1. For example, the system information path is sysinfo:
If the digital signature is disabled, the URL is as follows:
https://IP:8443/rest/v1/sysinfo
If the digital signature is enabled, the parameter generated by combining the timestamp, apikey, method, and sign is appended. The URL is as follows:
https://10.66.245.14:8443/rest/v1/sysinfo?timestamp=1600580783&apikey=vmwaf&method=get&sign=cef4002cc6febe9f84c3260bc164be62
API Usage
If the digital signature is disabled and the request URL is https://10.66.245.14:8443/rest/v1/sysinfo. Choose GET, and in the Authentication tab, set Type to Basic Auth, enter the username and password, and click Send.
If digital signature is enabled, the preceding URL will be appended with the parameter generated by combining the timestamp, apikey, method, and sign. In the Authorization tab, set Type to Basic Auth, enter the username and password, and click Send.