Fortinet Document Library

Version:


Table of Contents

User Guide

Download PDF
Copy Link

API Gateway

API Gateway allows to manage API users, verify API keys, control API access and rate limits, as well as rewrite API calls.

Creating API users

You can define API users to restrict access to APIs based on API keys.

  1. Go to API PROTECTION > API Gateway.
    You must have already enabled this module in Add Modules. See How to add or remove a module.
  2. Click +Create API User.
  3. Configure these settings.

    Name

    Enter a name that identifies the user.

    Email

    Type the email address of the user that is used for contact purpose.

    Comments

    Optionally, enter a description or comments for the user.

    Restrict Access IPs

    Restrict this API key so that it may only be used from the specified IP addresses.
    Both single IP addresses or IP ranges are supported.

    You can enter multiple IP addresses by clicking .

    Restrict HTTP Referers

    Restrict this API key so that it may only be used when the specified URLs are present in the Referer HTTP header.

    This can be used to prevent an API key from being reused on other client-side web applications that don’t match this URL (but note that this does not prevent server-side reuse where the referer could be forged).

    Now only full URL such as https://example.com/foo is supported.

    You can enter multiple referers by clicking .

  4. Click OK.
    You can continue creating multiple API users.

Once the API user is created successfully, an API key and UUID are automatically assigned to this user by FortiWeb Cloud. The API key and UUID can not be changed, while you can append IP or HTTP referer restrictions for this user.

Configuring API gateway rules

To restrict API access, you can configure certain rules involving API key verification, API key carryover, sub-URL setting.

  1. Click +Create API Gateway Rule.
  2. For Name, type a name for the API gateway rule.
  3. For Match URL Prefixes, configure the URL prefixes to be routed to the backend.

    • Enter the Frontend Prefix; the frontend prefix is the URL path in a client call, for example, /good/, the URL is like this https://172.22.14.244/good/example.json?param=value.
    • Enter the Backend Prefix; the backend prefix is the path which the client request will be replaced with, for example, /api/v1.0/System/Status/.
      After the URL rewriting, the URL is like this:
      https://10.200.3.183:90/api/v1.0/System/Status/example.json?param=value.
  4. You can enter multiple URL prefixes, which means multiple URL paths may match the API gateway rule.

  5. For Request Settings, configure these settings:

    API Key Verification

    When an user makes an API request, the API key will be included in HTTP header or parameter, FortiWeb Cloud obtains the API key from the request. When this option is enabled, FortiWeb Cloud verifies the key to check whether the key belongs to an valid API user.

    API Key In

    Indicate where FortiWeb Cloud can find your API key in HTTP request:

    • HTTP Parameter
    • HTTP Header

    Available only when API Key Verification is enabled.

    Parameter Name

    Enter the parameter name in which FortiWeb Cloud can find the API key when API Key In is HTTP Parameter.

    Available only when API Key Verification is enabled.

    Header Field Name

    Enter the header filed name in which FortiWeb Cloud can find the API key when API Key In is HTTP Header.

    Available only when API Key Verification is enabled.

    Allow Users

    Select API users created to define which users have the persmission to access the API.

    Available only when API Key Verification is enabled.

    Rate Limit

    Type the number of API call requests in certain time period.

    Requests in

    Type the time period during which the API call requests are made.

  6. Click OK.

Configuring actions

  1. Select the action that FortiWeb Cloud takes when it detects a violation of the rule from the top right corner.

    To configure the actions, you must first enable the Advanced Configuration in Global > Settings.

    Alert

    Accept the request and generate an alert email and/or log message.

    Alert & Deny

    Block the request (or reset the connection) and generate an alert email and/or log message.

    Deny(no log)

    Block the request (or reset the connection).

    Period Block

    Block subsequent requests from the client for 10 minutes.

  2. Click SAVE.

 

API Gateway

API Gateway allows to manage API users, verify API keys, control API access and rate limits, as well as rewrite API calls.

Creating API users

You can define API users to restrict access to APIs based on API keys.

  1. Go to API PROTECTION > API Gateway.
    You must have already enabled this module in Add Modules. See How to add or remove a module.
  2. Click +Create API User.
  3. Configure these settings.

    Name

    Enter a name that identifies the user.

    Email

    Type the email address of the user that is used for contact purpose.

    Comments

    Optionally, enter a description or comments for the user.

    Restrict Access IPs

    Restrict this API key so that it may only be used from the specified IP addresses.
    Both single IP addresses or IP ranges are supported.

    You can enter multiple IP addresses by clicking .

    Restrict HTTP Referers

    Restrict this API key so that it may only be used when the specified URLs are present in the Referer HTTP header.

    This can be used to prevent an API key from being reused on other client-side web applications that don’t match this URL (but note that this does not prevent server-side reuse where the referer could be forged).

    Now only full URL such as https://example.com/foo is supported.

    You can enter multiple referers by clicking .

  4. Click OK.
    You can continue creating multiple API users.

Once the API user is created successfully, an API key and UUID are automatically assigned to this user by FortiWeb Cloud. The API key and UUID can not be changed, while you can append IP or HTTP referer restrictions for this user.

Configuring API gateway rules

To restrict API access, you can configure certain rules involving API key verification, API key carryover, sub-URL setting.

  1. Click +Create API Gateway Rule.
  2. For Name, type a name for the API gateway rule.
  3. For Match URL Prefixes, configure the URL prefixes to be routed to the backend.

    • Enter the Frontend Prefix; the frontend prefix is the URL path in a client call, for example, /good/, the URL is like this https://172.22.14.244/good/example.json?param=value.
    • Enter the Backend Prefix; the backend prefix is the path which the client request will be replaced with, for example, /api/v1.0/System/Status/.
      After the URL rewriting, the URL is like this:
      https://10.200.3.183:90/api/v1.0/System/Status/example.json?param=value.
  4. You can enter multiple URL prefixes, which means multiple URL paths may match the API gateway rule.

  5. For Request Settings, configure these settings:

    API Key Verification

    When an user makes an API request, the API key will be included in HTTP header or parameter, FortiWeb Cloud obtains the API key from the request. When this option is enabled, FortiWeb Cloud verifies the key to check whether the key belongs to an valid API user.

    API Key In

    Indicate where FortiWeb Cloud can find your API key in HTTP request:

    • HTTP Parameter
    • HTTP Header

    Available only when API Key Verification is enabled.

    Parameter Name

    Enter the parameter name in which FortiWeb Cloud can find the API key when API Key In is HTTP Parameter.

    Available only when API Key Verification is enabled.

    Header Field Name

    Enter the header filed name in which FortiWeb Cloud can find the API key when API Key In is HTTP Header.

    Available only when API Key Verification is enabled.

    Allow Users

    Select API users created to define which users have the persmission to access the API.

    Available only when API Key Verification is enabled.

    Rate Limit

    Type the number of API call requests in certain time period.

    Requests in

    Type the time period during which the API call requests are made.

  6. Click OK.

Configuring actions

  1. Select the action that FortiWeb Cloud takes when it detects a violation of the rule from the top right corner.

    To configure the actions, you must first enable the Advanced Configuration in Global > Settings.

    Alert

    Accept the request and generate an alert email and/or log message.

    Alert & Deny

    Block the request (or reset the connection) and generate an alert email and/or log message.

    Deny(no log)

    Block the request (or reset the connection).

    Period Block

    Block subsequent requests from the client for 10 minutes.

  2. Click SAVE.