waf api-rules
To restrict API access, use this command to configure API gateway rules covering API key verification, API key carryover, API user grouping, sub-URL settings, and the action FortiWeb takes when an API call violates the rule.
Syntax
config waf api-rules
  edit <api-rules_name>
    set api-key-verification {enable | disable}
    set allow-user-group <allow-user-group_name>
    set api-key-location {HTTP-parameter | HTTP-header}
    set header-field-name <header-field-name_str>
    set parameter-name <parameter-name_str>
    set rate-limit-period <rate-limit-period_int>
    set rate-limit-requests <rate-limit-requests_int>
    set rate-limit-user-period <rate-limit-user-period_int>
    set rate-limit-user-requests <rate-limit-user-requests_int>
    set x-ratelimit-headers {enable | disable}
    set action {alert | deny_no_log | alert_deny | block-period}
    set block-period <block-period_int>
    set severity {High | Medium | Low | Info}
    set trigger-policy <trigger-policy_str>
    set host <host_str>
    set host-status {enable | disable}
    config attach-HTTP-header
      edit <attach-HTTP-header_id>
        set HTTP-header-item <HTTP-header-item_str>
      next
    end
    config match-url-prefixes
      edit <match-url-prefixes_id>
        set frontend-prefix <frontend-prefix_str>
        set backend-prefix <backend-prefix_str>
      next
    end
    config sub-url-setting
      edit <sub-url-setting_id>
        set HTTP-method {get | post | head | options | trace | connect | delete | put | patch | any}
        set type {plain | regular}
        set url-expression <url-expression_str>
        set api-key-verification {enable | disable}
        set api-key-location {HTTP-parameter | HTTP-header}
        set header-field-name <header-field-name_str>
        set parameter-name <parameter-name_str>
        set rate-limit-period <rate-limit-period_int>
        set rate-limit-requests <rate-limit-requests_int>
        set rate-limit-user-period <rate-limit-user-period_int>
        set rate-limit-user-requests <rate-limit-user-requests_int>
        set allow-user-group <allow-user-group_name>
        set api-key-inherit {enable | disable}
      next
    end
  next
end
| Variable | Description | Default |
|---|---|---|
| <api-rules_name> | Type a unique name for the API gateway rule. | No default |
| api-key-verification {enable \| disable} | When a user makes an API request, the API key is included in an HTTP header or parameter, and FortiWeb obtains the API key from the request. When this option is enabled, FortiWeb verifies the key to check whether it belongs to a valid API user. | |
| allow-user-group <allow-user-group_str> | Select a user group created to define which users have permission to access the API. Available only when api-key-verification {enable \| disable} is enable. | |
| api-key-location {HTTP-parameter \| HTTP-header} | Indicate where FortiWeb can find your API key in the HTTP request: | |
| header-field-name <header-field-name_str> | Enter the header field name in which FortiWeb can find the API key when api-key-location {HTTP-parameter \| HTTP-header} is HTTP-header. | No default. |
| parameter-name <parameter-name_str> | Enter the parameter name in which FortiWeb can find the API key when api-key-location {HTTP-parameter \| HTTP-header} is HTTP-parameter. | No default. |
| rate-limit-period <rate-limit-period_int> | Type the number of seconds in which the maximum number of API call requests (rate-limit-requests <rate-limit-requests_int>) is allowed. | No default. |
| rate-limit-requests <rate-limit-requests_int> | Type the maximum number of API call requests allowed in the number of seconds set by rate-limit-period <rate-limit-period_int>. | No default. |
| rate-limit-user-period <rate-limit-user-period_int> | Limit API requests by user. Type the number of seconds in which the maximum number of API call requests per user (rate-limit-user-requests <rate-limit-user-requests_int>) is allowed. | No default. |
| rate-limit-user-requests <rate-limit-user-requests_int> | Type the maximum number of API call requests allowed per user in the number of seconds set by rate-limit-user-period <rate-limit-user-period_int>. | No default. |
| x-ratelimit-headers {enable \| disable} | Enable to add X-RateLimit-* headers to the response if the user exceeds the rate limit. The following information can be shown to users: the request limit, the remaining requests, and the minimum time to wait before the user is allowed to send the next request. | disable |
| action {alert \| deny_no_log \| alert_deny \| block-period} | Select which action FortiWeb will take when it detects any API call violation: | |
| block-period <block-period_int> | Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects any API call violation. The valid range is 1–10,000 seconds. Available only if action {alert \| deny_no_log \| alert_deny \| block-period} is set to block-period. | 600 |
| severity {High \| Medium \| Low \| Info} | When policy violations are recorded in the attack log, each log message contains a Severity Level. | |
| trigger-policy <trigger-policy_str> | Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about any API call violation. For details, see Viewing log messages. | No default. |
| host <host_str> | Select the name of a protected host that the … This option is available only if host-status {enable \| disable} is enable. | No default. |
| host-status {enable \| disable} | Enable to apply this rule only to HTTP requests for specific web hosts. Also configure host <host_str>. | |
| <attach-HTTP-header_id> | Enter the sequence number of the HTTP header. | No default. |
| HTTP-header-item <HTTP-header-item_str> | Enter the HTTP header item. | No default. |
| <match-url-prefixes_id> | Enter the sequence number of the match-url-prefixes entry. | No default. |
| frontend-prefix <frontend-prefix_str> | Enter the frontend prefix; the frontend prefix is the URL path in a client call, for example, … | No default. |
| backend-prefix <backend-prefix_str> | Enter the backend prefix; the backend prefix is the path that the client request path is replaced with, for example, … After the URL rewriting, the URL looks like this: … | No default. |
| <sub-url-setting_id> | Enter the sequence number of the sub-URL. | No default. |
| HTTP-method {get \| post \| head \| options \| trace \| connect \| delete \| put \| patch \| any} | Select the HTTP method from the drop-down list. | |
| type {plain \| regular} | Select whether the url-expression <url-expression_str> field must contain either: | plain |
| url-expression <url-expression_str> | Depending on your selection in type {plain \| regular}, enter either: | No default. |
| api-key-verification {enable \| disable} | When a user makes an API request, the API key is included in an HTTP header or parameter, and FortiWeb obtains the API key from the request. When this option is enabled, FortiWeb verifies the key to check whether it belongs to a valid API user. | |
| api-key-location {HTTP-parameter \| HTTP-header} | Indicate where FortiWeb can find your API key in the HTTP request: Available only when api-key-verification {enable \| disable} is enable. | |
| header-field-name <header-field-name_str> | Enter the header field name in which FortiWeb can find the API key when api-key-location {HTTP-parameter \| HTTP-header} is HTTP-header. | No default. |
| parameter-name <parameter-name_str> | Enter the parameter name in which FortiWeb can find the API key when api-key-location {HTTP-parameter \| HTTP-header} is HTTP-parameter. | No default. |
| rate-limit-period <rate-limit-period_int> | Type the number of seconds in which the maximum number of API call requests (rate-limit-requests <rate-limit-requests_int>) is allowed. | No default. |
| rate-limit-requests <rate-limit-requests_int> | Type the maximum number of API call requests allowed in the number of seconds set by rate-limit-period <rate-limit-period_int>. | No default. |
| rate-limit-user-period <rate-limit-user-period_int> | Limit API requests by user. Type the number of seconds in which the maximum number of API call requests per user (rate-limit-user-requests <rate-limit-user-requests_int>) is allowed. | No default. |
| rate-limit-user-requests <rate-limit-user-requests_int> | Type the maximum number of API call requests allowed per user in the number of seconds set by rate-limit-user-period <rate-limit-user-period_int>. | No default. |
| allow-user-group <allow-user-group_name> | Select a user group created to define which users have permission to access the API. Available only when api-key-verification {enable \| disable} is enable. | No default. |
| api-key-inherit {enable \| disable} | When a user makes an API request, the API key is included in an HTTP header or parameter of the sub-URL, and FortiWeb obtains the API key from the request. When this option is enabled, FortiWeb verifies the key to check whether it belongs to a valid API user. | |
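A complete rule assembled from the syntax above, as an added example that is not taken from the FortiWeb documentation; the rule name, user group, header name, trigger name, host name, limits and path prefixes are all assumed values.

```text
config waf api-rules
  edit "orders-api"
    # Verify the API key sent in a request header (assumed header name);
    # only members of the assumed user group may call the API
    set api-key-verification enable
    set api-key-location HTTP-header
    set header-field-name "X-API-Key"
    set allow-user-group "partner-developers"
    # Rule-wide limit: 100 requests per 60 seconds, 20 per 60 seconds per user
    set rate-limit-period 60
    set rate-limit-requests 100
    set rate-limit-user-period 60
    set rate-limit-user-requests 20
    # Report the limit, remaining requests and wait time to a client
    # that exceeds the limit via X-RateLimit-* headers
    set x-ratelimit-headers enable
    # Block a violating client for 10 minutes (600 is the block-period default)
    set action block-period
    set block-period 600
    set severity Medium
    set trigger-policy "api-violation-trigger"
    # Apply the rule only to requests for the assumed protected host
    set host-status enable
    set host "api.example.com"
    # Rewrite the public path prefix to the backend path
    config match-url-prefixes
      edit 1
        set frontend-prefix "/api/v1"
        set backend-prefix "/internal/v1"
      next
    end
    # Per-endpoint override: POST /api/v1/orders keeps the rule's API key
    # settings (api-key-inherit) but gets a tighter per-user limit
    config sub-url-setting
      edit 1
        set HTTP-method post
        set type plain
        set url-expression "/api/v1/orders"
        set api-key-inherit enable
        set rate-limit-user-period 60
        set rate-limit-user-requests 5
      next
    end
  next
end
```

The sub-URL entry only overrides the per-user limit; the rule-wide limit of 100 requests per 60 seconds still applies to every request matched by the rule.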