API Gateway
API Gateway lets you manage API users, verify API keys, control API access and rate limits, and rewrite API calls.
Creating API users
You can define API users to restrict access to APIs based on API keys.
- Go to API PROTECTION > API Gateway.
You must have already enabled this module in Add Modules. See How to add or remove a module.
- Click +Create API User.
- Configure these settings.
Name
Enter a name that identifies the user.
Email
Type the email address of the user, used for contact purposes.
Comments
Optionally, enter a description or comments for the user.
Restrict Access IPs
Restrict this API key so that it may only be used from the specified IP addresses.
Both single IP addresses and IP ranges are supported. You can enter multiple IP addresses.
Restrict HTTP Referers
Restrict this API key so that it can only be used when the Referer HTTP header carries one of the specified URLs.
This prevents an API key from being reused by other client-side web applications that don't match the URL. Note that it does not prevent server-side reuse: the Referer header is set by the client and can be forged, so pair it with Restrict Access IPs when you need to limit where the key can be used from.
Currently only full URLs such as https://example.com/foo are supported. You can enter multiple referers.
- Click OK.
You can continue creating multiple API users.
Once the API user is created, FortiWeb Cloud automatically assigns an API key and a UUID to the user. The API key and UUID cannot be changed, but you can still add IP or HTTP referer restrictions for this user later.
Configuring API gateway rules
To restrict API access, configure API gateway rules that combine URL prefix matching and rewriting, API key verification, the list of allowed API users, and rate limits.
- Click +Create API Gateway Rule.
- For Name, type a name for the API gateway rule.
- For Match URL Prefixes, configure the URL prefixes to be routed to the backend.
- Enter the Frontend Prefix; the frontend prefix is the URL path in a client call, for example /good/. A client request then looks like this: https://172.22.14.244/good/example.json?param=value
- Enter the Backend Prefix; the backend prefix is the path that replaces the frontend prefix when the request is forwarded to the backend, for example /api/v1.0/System/Status/. After the URL rewriting, the request looks like this: https://10.200.3.183:90/api/v1.0/System/Status/example.json?param=value
- For Request Settings, configure these settings:
API Key Verification
When a user makes an API request, the API key is carried in an HTTP header or a request parameter, and FortiWeb Cloud reads it from there. When this option is enabled, FortiWeb Cloud verifies that the key belongs to a valid API user.
API Key In
Indicate where FortiWeb Cloud can find the API key in the HTTP request:
- HTTP Parameter
- HTTP Header
Available only when API Key Verification is enabled.
Parameter Name
Enter the parameter name in which FortiWeb Cloud can find the API key when API Key In is HTTP Parameter.
Available only when API Key Verification is enabled.
Header Field Name
Enter the header field name in which FortiWeb Cloud can find the API key when API Key In is HTTP Header.
Available only when API Key Verification is enabled.
Allow Users
Select the API users you created to define which users have permission to access the API.
Available only when API Key Verification is enabled.
Rate Limit
Type the maximum number of API call requests allowed in the time period.
Requests in
Type the time period during which the API call requests are counted.
- Click OK.
You can enter multiple URL prefixes, which means multiple URL paths may match the API gateway rule.
Configuring actions
- From the top right corner, select the action that FortiWeb Cloud takes when it detects a violation of the rule.
To configure the actions, you must first enable the Advanced Configuration in Global > System Settings > Settings.
Alert
Accept the request and generate an alert email and/or log message.
Alert & Deny
Block the request (or reset the connection) and generate an alert email and/or log message.
Deny(no log)
Block the request (or reset the connection).
Period Block
Block the current request and all subsequent requests from the same client for the blocking period. The default blocking period is 10 minutes; you can configure this value according to your needs.
- Click SAVE.
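The following Python model is added here as an illustration and is not FortiWeb Cloud's own code. It ties together the settings described under Creating API users, Configuring API gateway rules and Configuring actions: it matches a frontend prefix and rewrites it to the backend prefix, looks up the API key in a header or query parameter, applies the user's IP and Referer restrictions, counts requests against the rate limit, and applies the selected action, including the Period Block state. The class and field names, the backend_origin value and the sliding-window rate-limit model are assumptions (the page does not document these internals), and every request in demo() is a constructed sample. It also shows why the Referer restriction is only a weak control: a request that simply copies the expected Referer value passes, while the API key check and the IP restriction actually gate access.

```python
# Added example for this page, not FortiWeb Cloud code. Names are illustrative, backend_origin
# (where rewritten requests are sent) is an assumption, and all requests below are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

@dataclass
class ApiUser:
    name: str
    api_key: str                                           # assigned by the platform; fixed here
    allowed_ips: list = field(default_factory=list)       # Restrict Access IPs (single IPs or CIDRs)
    allowed_referers: list = field(default_factory=list)  # Restrict HTTP Referers (full URLs only)

    def ip_allowed(self, client_ip):
        return not self.allowed_ips or any(
            ip_address(client_ip) in ip_network(n, strict=False) for n in self.allowed_ips)

    def referer_allowed(self, referer):
        # Exact full-URL match. The client chooses this header, so the check only stops
        # accidental reuse from other browser apps; a script can copy the expected value.
        return not self.allowed_referers or referer in self.allowed_referers

@dataclass
class Decision:
    allowed: bool
    reason: str
    backend_url: str = ""               # rewritten URL, set only when the request is accepted
    logged: bool = False

@dataclass
class GatewayRule:
    frontend_prefix: str
    backend_prefix: str
    backend_origin: str                 # assumption: scheme://host:port the backend listens on
    allow_users: list                   # Allow Users
    api_key_in: str = "header"          # API Key In: "header" or "parameter"
    key_name: str = "X-API-Key"         # Header Field Name / Parameter Name
    rate_limit: int = 100               # Rate Limit ...
    requests_in: int = 60               # ... Requests in (seconds)
    action: str = "alert_deny"          # "alert", "alert_deny", "deny" or "period_block"
    block_period: int = 600             # Period Block duration; the page's default is 10 minutes
    _history: dict = field(default_factory=dict, repr=False)        # user name -> timestamps
    _blocked_until: dict = field(default_factory=dict, repr=False)  # client_ip -> epoch seconds

    def _violation(self, client_ip, reason, now):
        if self.action == "alert":                        # Alert: accept the request, log it
            return Decision(True, reason, logged=True)
        if self.action == "period_block":                 # Period Block: remember the client
            self._blocked_until[client_ip] = now + self.block_period
        return Decision(False, reason, logged=self.action != "deny")

    def evaluate(self, url, client_ip, headers, now):
        if self._blocked_until.get(client_ip, 0) > now:
            return Decision(False, "client in period block")
        parts = urlsplit(url)
        if not parts.path.startswith(self.frontend_prefix):
            return Decision(True, "rule not matched")     # left to other rules / the policy
        if self.api_key_in == "header":                   # header names are case-insensitive
            key = {k.lower(): v for k, v in headers.items()}.get(self.key_name.lower())
        else:
            key = parse_qs(parts.query).get(self.key_name, [None])[0]
        user = next((u for u in self.allow_users if key and u.api_key == key), None)
        if user is None:
            return self._violation(client_ip, "missing or unknown API key", now)
        if not user.ip_allowed(client_ip):
            return self._violation(client_ip, f"{user.name}: source IP not permitted", now)
        if not user.referer_allowed(headers.get("Referer")):
            return self._violation(client_ip, f"{user.name}: referer not permitted", now)
        # Sliding window per API user; the page does not say how the window is counted.
        hist = [t for t in self._history.get(user.name, []) if now - t < self.requests_in] + [now]
        self._history[user.name] = hist
        if len(hist) > self.rate_limit:
            return self._violation(client_ip, f"{user.name}: rate limit exceeded", now)
        # Rewrite: frontend prefix -> backend prefix; the path tail and query string are kept.
        tail = parts.path[len(self.frontend_prefix):]
        query = f"?{parts.query}" if parts.query else ""
        return Decision(True, "accepted", f"{self.backend_origin}{self.backend_prefix}{tail}{query}")

def demo():
    """Constructed scenarios exercising each setting on the page; returns {label: Decision}."""
    alice = ApiUser("alice", "k-alice", ["10.0.0.0/8"], ["https://example.com/foo"])
    hdr = {"X-API-Key": "k-alice", "Referer": "https://example.com/foo"}
    fe, be, origin = "/good/", "/api/v1.0/System/Status/", "https://10.200.3.183:90"
    url, out = "https://172.22.14.244/good/x", {}
    rule = GatewayRule(fe, be, origin, [alice], rate_limit=2, requests_in=60)
    out["ok"] = rule.evaluate("https://172.22.14.244/good/example.json?param=value", "10.1.2.3", hdr, 1000.0)
    out["copied_referer"] = rule.evaluate(url, "10.1.2.3", dict(hdr), 1001.0)   # passes: header is client-chosen
    out["rate_limited"] = rule.evaluate(url, "10.1.2.3", hdr, 1002.0)           # third call within 60 s
    out["bad_ip"] = rule.evaluate(url, "203.0.113.9", hdr, 1003.0)
    out["bad_referer"] = rule.evaluate(url, "10.1.2.3", {**hdr, "Referer": "https://evil.example/"}, 1100.0)
    param_rule = GatewayRule(fe, be, origin, [alice], api_key_in="parameter", key_name="api_key")
    out["param_key"] = param_rule.evaluate(url + "?api_key=k-alice", "10.1.2.3", hdr, 1200.0)
    pb_rule = GatewayRule(fe, be, origin, [alice], action="period_block")
    out["pb_trigger"] = pb_rule.evaluate(url, "10.1.2.3", {}, 2000.0)   # no key: violation, client blocked
    out["pb_blocked"] = pb_rule.evaluate(url, "10.1.2.3", hdr, 2001.0)  # valid key, still blocked
    out["pb_expired"] = pb_rule.evaluate(url, "10.1.2.3", hdr, 2601.0)  # 600 s later: accepted again
    return out
```

Calling demo() returns one Decision per scenario. The rewritten URL for the first request is exactly the one the page shows for the /good/ to /api/v1.0/System/Status/ rewrite, the third request from alice within 60 seconds trips the rate limit of 2, and after the missing-key violation under Period Block even a correctly keyed request from the same client is refused until the 600-second block expires.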