Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 6.2.2 Handbook
    6.2.2
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Configuring API Gateway

    Configuring API Gateway

    An API gateway is an API management tool that sits between a client and a collection of backend services. It acts as a reverse proxy to accept all API calls and return the appropriate result.

    API gateway on FortiADC provides the following functions:

    • API user management
    • API key verification
    • API access control
    • Rate limit control
    • Attach HTTP Header in API call

    Creating API Gateway User:

    1. Go to Web Application Firewall > API Gateway.

    2. Click the API Gateway User tab.

    3. Click Create New to display the configuration editor and set up the configuration.

    4. Save the configuration.

    Settings

    Guidelines

    Name

    		Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. Whitespaces are not allowed. After you initially save the configuration, you cannot edit the name.

    Comments

    		(Optional) Enter a description or comments for the user.

    UUID

    		Non-editable. Automatically generated when the user is created.

    API Key

    		 Non-editable. Automatically generated when the user is created.

    Restricted Access IPs

    		 Restrict this API key so that it may only be used from the specified IP addresses.

    Restrict HTTP Referers

    Restrict this API key so that it may only be used when the specified URLs are present in the Referer HTTP header. This can be used to prevent an API key from being reused on other client-side web applications that don’t match this URL.

    Only full URLs that begin with http:// or https:// are supported.
    Configuring API Gateway Rule:
    1. Go to Web Application Firewall > API Gateway.
    2. Click the API Gateway Rule tab.
    3. Click Create New to display the configuration editor and set up the configuration.
    4. Save the configuration.

    Settings

    Guidelines

    Name

    		Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. Whitespaces are not allowed. After you initially save the configuration, you cannot edit the name.

    Host Status

    Enable/Disable for applying this rule only to HTTP requests for specific web hosts.

    Host

    Select the name of a protected host that the Host: field of an HTTP request must be in to match the API gateway rule.

    This option is available only if Host Status is enabled.

    Full URL Pattern

    Matching string. Regular expressions are supported.

    Method

    Select one or more HTTP methods are allowed when access the API.

    API Key Verification

    When a user makes an API request, the API key will be included in the HTTP header or parameter. FortiWeb obtains the API key from the request. When this option is enabled, FortiWeb verifies the key to check whether the key belongs to an valid API user.

    API Key Carried In

    Indicate where to find the API key in HTTP request:

    • HTTP Parameter
    • HTTP Header

    Available only when API Key Verification is enabled.

    HTTP Header Name

    Enter the header filed name of the API key.

    HTTP Parameter Name

    Enter the parameter name of the API key.

    Rate Limit Status

    Enable/Disable to do rate limit for API calls.

    Rate Limit Requests

    Sets the condition for the limit of the number of API requests received. If the number of requests received within the time frame (set in Rate Limit Period), this condition is fulfilled.

    Rate Limit Period

    Sets the time spent during which to count how many times a request is received.

    Action

    Select the action profile that you want to apply. See Configuring WAF Action objects.

    The default is Alert.

    Severity

    When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation:

    • Low
    • Medium
    • High

    The default value is Low.

    Exception Name

    Select a user-defined exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

    User

    Specify one or more users created in API Gateway User to define which users have the permission to access the API.

    Attach HTTP Header

    Insert specific header lines into HTTP header. Need to specify the fieldname and value is seach entry.
    Configure API Gateway Policy:

    1. Go to Web Application Firewall > API Gateway.

    2. Click the API Gateway Policy tab.

    3. Click Create New to display the configuration editor and set up the configuration.

    4. Save the configuration.

    Settings

    Guidelines

    Name

    		Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. Whitespaces are not allowed. After you initially save the configuration, you cannot edit the name.

    Rule Name

    Specify one or more rules created in API Gateway Rule to be used in policy. The rules will be checked one by one from top to bottom until URL in request is matched to the Full URL Pattern in a rule.
    Previous
    Next

    Configuring API Gateway

    Configuring API Gateway

    An API gateway is an API management tool that sits between a client and a collection of backend services. It acts as a reverse proxy to accept all API calls and return the appropriate result.

    API gateway on FortiADC provides the following functions:

    • API user management
    • API key verification
    • API access control
    • Rate limit control
    • Attach HTTP Header in API call

    Creating API Gateway User:

    1. Go to Web Application Firewall > API Gateway.

    2. Click the API Gateway User tab.

    3. Click Create New to display the configuration editor and set up the configuration.

    4. Save the configuration.

    Settings

    Guidelines

    Name

    		Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. Whitespaces are not allowed. After you initially save the configuration, you cannot edit the name.

    Comments

    		(Optional) Enter a description or comments for the user.

    UUID

    		Non-editable. Automatically generated when the user is created.

    API Key

    		 Non-editable. Automatically generated when the user is created.

    Restricted Access IPs

    		 Restrict this API key so that it may only be used from the specified IP addresses.

    Restrict HTTP Referers

    Restrict this API key so that it may only be used when the specified URLs are present in the Referer HTTP header. This can be used to prevent an API key from being reused on other client-side web applications that don’t match this URL.

    Only full URLs that begin with http:// or https:// are supported.
    Configuring API Gateway Rule:
    1. Go to Web Application Firewall > API Gateway.
    2. Click the API Gateway Rule tab.
    3. Click Create New to display the configuration editor and set up the configuration.
    4. Save the configuration.

    Settings

    Guidelines

    Name

    		Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. Whitespaces are not allowed. After you initially save the configuration, you cannot edit the name.

    Host Status

    Enable/Disable for applying this rule only to HTTP requests for specific web hosts.

    Host

    Select the name of a protected host that the Host: field of an HTTP request must be in to match the API gateway rule.

    This option is available only if Host Status is enabled.

    Full URL Pattern

    Matching string. Regular expressions are supported.

    Method

    Select one or more HTTP methods are allowed when access the API.

    API Key Verification

    When a user makes an API request, the API key will be included in the HTTP header or parameter. FortiWeb obtains the API key from the request. When this option is enabled, FortiWeb verifies the key to check whether the key belongs to an valid API user.

    API Key Carried In

    Indicate where to find the API key in HTTP request:

    • HTTP Parameter
    • HTTP Header

    Available only when API Key Verification is enabled.

    HTTP Header Name

    Enter the header filed name of the API key.

    HTTP Parameter Name

    Enter the parameter name of the API key.

    Rate Limit Status

    Enable/Disable to do rate limit for API calls.

    Rate Limit Requests

    Sets the condition for the limit of the number of API requests received. If the number of requests received within the time frame (set in Rate Limit Period), this condition is fulfilled.

    Rate Limit Period

    Sets the time spent during which to count how many times a request is received.

    Action

    Select the action profile that you want to apply. See Configuring WAF Action objects.

    The default is Alert.

    Severity

    When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation:

    • Low
    • Medium
    • High

    The default value is Low.

    Exception Name

    Select a user-defined exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

    User

    Specify one or more users created in API Gateway User to define which users have the permission to access the API.

    Attach HTTP Header

    Insert specific header lines into HTTP header. Need to specify the fieldname and value is seach entry.
    Configure API Gateway Policy:

    1. Go to Web Application Firewall > API Gateway.

    2. Click the API Gateway Policy tab.

    3. Click Create New to display the configuration editor and set up the configuration.

    4. Save the configuration.

    Settings

    Guidelines

    Name

    		Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. Whitespaces are not allowed. After you initially save the configuration, you cannot edit the name.

    Rule Name

    Specify one or more rules created in API Gateway Rule to be used in policy. The rules will be checked one by one from top to bottom until URL in request is matched to the Full URL Pattern in a rule.
    Previous
    Next