waf api-rules

To restrict API access, you can use this command to configure certain rules involving API key verification, API key carryover, API user grouping, sub-URL setting, and specified actions FortiWeb will take in case of any API call violation.

Syntax

config waf api-rules
    edit <api-rules_name>
        set api-key-verification {enable | disable}
        set allow-user-group <allow-user-group_name>
        set api-key-location {http-parameter | http-header}
        set header-field-name <header-field-name_str>
        set parameter-name <parameter-name_str>
        set rate-limit-period <rate-limit-period_int>
        set rate-limit-requests <rate-limit-requests_int>
        set action {alert | deny_no_log | alert_deny | block-period}
        set block-period <block-period_int>
        set severity {High | Medium | Low | Info}
        set trigger-policy <trigger-policy_str>
        set host <host_str>
        set host-status {enable | disable}
        config attach-http-header
            edit <attach-http-header_id>
                set http-header-item <http-header-item_str>
            next
        end
        config match-url-prefixes
            edit <match-url-prefixes_id>
                set frontend-prefix <frontend-prefix_str>
                set backend-prefix <backend-prefix_str>
            next
        end
        config sub-url-setting
            edit <sub-url-setting_id>
                set http-method {get | post | head | options | trace | connect | delete | put | patch | any}
                set type {plain | regular}
                set url-expression <url-expression_str>
                set api-key-verification {enable | disable}
                set api-key-location {http-parameter | http-header}
                set header-field-name <header-field-name_str>
                set parameter-name <parameter-name_str>
                set rate-limit-period <rate-limit-period_int>
                set rate-limit-requests <rate-limit-requests_int>
                set allow-user-group <allow-user-group_name>
                set api-key-inherit {enable | disable}
            next
        end
    next
end
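A complete rule that exercises every section of the syntax above, as an added example (it is not from this page or from Fortinet). It assumes that the user groups api-users and admins and the protected host api.example.test were created beforehand; the rule name, header and parameter names, prefixes and limits are all constructed values. Requests under /fortiweb/ must carry a key in the X-API-Key header that belongs to api-users, are limited to 100 calls per 60 seconds per client, and are rewritten to /api/v1.0/System/Status/ on the back end; POST requests under /fortiweb/admin/ instead take their key from the apikey parameter and must belong to admins.

```text
config waf api-rules
    edit "api-gw"
        set api-key-verification enable
        set api-key-location http-header
        set header-field-name "X-API-Key"
        set allow-user-group "api-users"
        set rate-limit-period 60
        set rate-limit-requests 100
        set action block-period
        set block-period 600
        set severity Medium
        set host-status enable
        set host "api.example.test"
        config match-url-prefixes
            edit 1
                set frontend-prefix "/fortiweb/"
                set backend-prefix "/api/v1.0/System/Status/"
            next
        end
        config sub-url-setting
            edit 1
                set http-method post
                set type regular
                set url-expression "^/fortiweb/admin/"
                set api-key-inherit disable
                set api-key-verification enable
                set api-key-location http-parameter
                set parameter-name "apikey"
                set allow-user-group "admins"
            next
        end
    next
end
```

Because action is block-period, a client that sends a missing or unknown key, or exceeds the rate limit, is blocked for the configured 600 seconds rather than just having the single request dropped; use alert_deny if you only want the offending request rejected and logged.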

Variable, description, and default

<api-rules_name>
    Type a unique name for the API gateway rule.
    Default: no default.

api-key-verification {enable | disable}
    When a user makes an API request, the API key is included in an HTTP header or parameter, and FortiWeb obtains the API key from the request. When this option is enabled, FortiWeb verifies the key to check whether it belongs to a valid API user.
    Default: disable

allow-user-group <allow-user-group_name>
    Select a user group created to define which users have permission to access the API.
    Available only when api-key-verification {enable | disable} is enable.
    Default: disable

api-key-location {http-parameter | http-header}
    Indicate where FortiWeb can find your API key in the HTTP request:
      • http-parameter
      • http-header
    Default: http-parameter

header-field-name <header-field-name_str>
    Enter the header field name in which FortiWeb can find the API key when api-key-location {http-parameter | http-header} is http-header.
    Default: no default.

parameter-name <parameter-name_str>
    Enter the parameter name in which FortiWeb can find the API key when api-key-location {http-parameter | http-header} is http-parameter.
    Default: no default.

rate-limit-period <rate-limit-period_int>
    Type the length, in seconds, of the period over which API call requests are counted.
    Default: no default.

rate-limit-requests <rate-limit-requests_int>
    Type the maximum number of API call requests allowed within the rate-limit period.
    Default: no default.

action {alert | deny_no_log | alert_deny | block-period}
    Select which action FortiWeb will take when it detects any API call violation:
      • alert—Accept the connection and generate an alert email and/or log message.
      • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
      • deny_no_log—Block the request (or reset the connection).
      • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <block-period_int>.
    Default: alert

block-period <block-period_int>
    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects any API call violation. The valid range is 1–10,000 seconds.
    Available only if action {alert | deny_no_log | alert_deny | block-period} is set to block-period.
    Default: 600

severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs any API call violation:
      • Informative
      • Low
      • Medium
      • High
    Default: Low

trigger-policy <trigger-policy_str>
    Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about any API call violation. For details, see Viewing log messages.
    Default: no default.

host <host_str>
    Select the name of a protected host that the Host: field of an HTTP request must match in order for the request to match the API gateway rule.
    Available only if host-status {enable | disable} is enable.
    Default: no default.

host-status {enable | disable}
    Enable to apply this rule only to HTTP requests for specific web hosts. Also configure host <host_str>.
    Default: disable

<attach-http-header_id>
    Enter the sequence number of the HTTP header entry.
    Default: no default.

http-header-item <http-header-item_str>
    Enter the HTTP header item to attach.
    Default: no default.

<match-url-prefixes_id>
    Enter the sequence number of the match-URL-prefixes entry.
    Default: no default.

frontend-prefix <frontend-prefix_str>
    Enter the frontend prefix: the URL path prefix in a client call. For example, with the frontend prefix /fortiweb/, a client URL looks like https://172.22.14.244/fortiweb/example.json?param=value.
    Default: no default.

backend-prefix <backend-prefix_str>
    Enter the backend prefix: the path that replaces the frontend prefix in the client request, for example /api/v1.0/System/Status/. After URL rewriting, the URL above becomes https://10.200.3.183:90/api/v1.0/System/Status/example.json?param=value.
    Default: no default.

<sub-url-setting_id>
    Enter the sequence number of the sub-URL entry.
    Default: no default.

http-method {get | post | head | options | trace | connect | delete | put | patch | any}
    Select the HTTP method that a request must use to match this sub-URL entry.
    Default: GET

type {plain | regular}
    Select whether the url-expression <url-expression_str> field must contain either:
      • plain—The field is a literal string that the request URL must match exactly.
      • regular—The field is a regular expression that defines a set of matching URLs.
    Default: plain

url-expression <url-expression_str>
    Depending on your selection in type {plain | regular}, enter either:
      • The literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ).
      • A regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern does not require a slash ( / ); however, it must at least match URLs that begin with a slash, such as /index.cfm.
    Default: no default.

api-key-verification {enable | disable}
    When a user makes an API request, the API key is included in an HTTP header or parameter, and FortiWeb obtains the API key from the request. When this option is enabled, FortiWeb verifies the key to check whether it belongs to a valid API user.
    Default: disable

api-key-location {http-parameter | http-header}
    Indicate where FortiWeb can find your API key in the HTTP request:
      • http-parameter
      • http-header
    Available only when api-key-verification {enable | disable} is enable.
    Default: http-parameter

header-field-name <header-field-name_str>
    Enter the header field name in which FortiWeb can find the API key when api-key-location {http-parameter | http-header} is http-header.
    Default: no default.

parameter-name <parameter-name_str>
    Enter the parameter name in which FortiWeb can find the API key when api-key-location {http-parameter | http-header} is http-parameter.
    Default: no default.

rate-limit-period <rate-limit-period_int>
    Type the length, in seconds, of the period during which API call requests to this sub-URL are counted.
    Default: no default.

rate-limit-requests <rate-limit-requests_int>
    Type the maximum number of API call requests allowed within the rate-limit period.
    Default: no default.

allow-user-group <allow-user-group_name>
    Select a user group created to define which users have permission to access the API.
    Available only when api-key-verification {enable | disable} is enable.
    Default: no default.

api-key-inherit {enable | disable}
    When a user makes an API request, the API key is included in an HTTP header or parameter of the sub-URL request, and FortiWeb obtains the API key from the request. When this option is enabled, FortiWeb verifies the key to check whether it belongs to a valid API user.
    Default: disable
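To make the interaction between these settings concrete, the following Python model is an added example and not FortiWeb code. It evaluates a request against one rule the way the descriptions above suggest: host match, sub-URL match by method and plain or regular expression, API key extraction from the configured header or parameter, user-group check, a sliding-window rate limit, the four actions (including the per-client block period), and frontend-to-backend prefix rewriting. The page does not state FortiWeb's internal evaluation order or define api-key-inherit beyond the text above, so the order used here and the reading of api-key-inherit as "reuse the parent rule's key settings" are assumptions. The rule name, user groups, keys, host name and client addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque, namedtuple
from dataclasses import dataclass, field

@dataclass
class KeySettings:
    """Settings present both on the rule and on each sub-URL (defaults as on the page)."""
    api_key_verification: bool = False
    api_key_location: str = "http-parameter"   # http-parameter | http-header
    header_field_name: str = ""
    parameter_name: str = ""
    allow_user_group: str = ""
    rate_limit_period: int = 0                 # seconds; 0 means no rate limit
    rate_limit_requests: int = 0

@dataclass
class SubUrl(KeySettings):
    """One `config sub-url-setting` entry."""
    http_method: str = "get"                   # get, post, ... or any
    type: str = "plain"                        # plain | regular
    url_expression: str = ""
    api_key_inherit: bool = False   # assumption: enable = reuse the parent rule's KeySettings

    def matches(self, method: str, path: str) -> bool:
        if self.http_method not in ("any", method.lower()):
            return False
        if self.type == "plain":
            return path == self.url_expression      # literal URL, exact match
        return re.search(self.url_expression, path) is not None

@dataclass
class ApiRule(KeySettings):
    """The top-level `config waf api-rules` entry."""
    name: str = ""
    action: str = "alert"           # alert | deny_no_log | alert_deny | block-period
    block_period: int = 600
    host_status: bool = False
    host: str = ""
    match_url_prefixes: list = field(default_factory=list)   # [(frontend, backend)]
    sub_urls: list = field(default_factory=list)

# allowed: request forwarded; logged: alert/log generated; backend_path: rewritten path
Decision = namedtuple("Decision", "allowed logged reason backend_path", defaults=(None,))

class ApiGateway:
    def __init__(self, rule: ApiRule, user_groups: dict, clock):
        self.rule, self.user_groups, self.clock = rule, user_groups, clock
        self.window = defaultdict(deque)   # (client_ip, scope) -> request timestamps
        self.blocked_until = {}            # client_ip -> time at which its block ends

    def evaluate(self, method, host, path, client_ip, headers=None, params=None):
        headers, params, now, r = headers or {}, params or {}, self.clock(), self.rule
        if self.blocked_until.get(client_ip, 0) > now:
            return Decision(False, False, "client is still in its block period")
        if r.host_status and host != r.host:
            return Decision(True, False, "rule does not apply to this host", path)
        sub = next((s for s in r.sub_urls if s.matches(method, path)), None)
        cfg = r if sub is None or sub.api_key_inherit else sub    # effective key settings
        scope = r.name if cfg is r else sub.url_expression
        violation = None
        if cfg.api_key_verification:
            key = (headers.get(cfg.header_field_name) if cfg.api_key_location == "http-header"
                   else params.get(cfg.parameter_name))
            if key is None:
                violation = "API key missing"
            elif key not in self.user_groups.get(cfg.allow_user_group, {}):
                violation = "API key not assigned to an allowed user group"
        if violation is None and cfg.rate_limit_period and cfg.rate_limit_requests:
            q = self.window[(client_ip, scope)]
            while q and q[0] <= now - cfg.rate_limit_period:   # drop requests outside the window
                q.popleft()
            q.append(now)
            if len(q) > cfg.rate_limit_requests:
                violation = "rate limit exceeded"
        if violation is None:
            return Decision(True, False, "ok", self.rewrite(path))
        if r.action == "alert":
            return Decision(True, True, violation, self.rewrite(path))
        if r.action == "block-period":
            self.blocked_until[client_ip] = now + r.block_period
        return Decision(False, r.action != "deny_no_log", violation)

    def rewrite(self, path: str) -> str:
        """Replace the frontend prefix with the backend prefix (match-url-prefixes)."""
        for front, back in self.rule.match_url_prefixes:
            if path.startswith(front):
                return back + path[len(front):]
        return path

def demo_gateway(clock):
    """Constructed configuration; group names, keys and host are made up for this example."""
    rule = ApiRule(name="api-gw", api_key_verification=True, api_key_location="http-header",
                   header_field_name="X-API-Key", allow_user_group="api-users",
                   rate_limit_period=60, rate_limit_requests=2, action="block-period",
                   host_status=True, host="api.example.test",
                   match_url_prefixes=[("/fortiweb/", "/api/v1.0/System/Status/")],
                   sub_urls=[SubUrl(http_method="post", type="regular", url_expression="^/fortiweb/admin/",
                                    api_key_verification=True, parameter_name="apikey",
                                    allow_user_group="admins")])
    groups = {"api-users": {"key-alice": "alice"}, "admins": {"key-root": "root"}}
    return ApiGateway(rule, groups, clock)
```

The clock is injected so the block period and rate-limit window can be exercised deterministically; with `demo_gateway(time.monotonic)` the same object serves live timestamps. Note that the block period is keyed on the client address and is checked before anything else, so a client that has tripped the limit is refused even when its later requests carry a valid key.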

Related topics
