Configuring an API Gateway Rule
- Go to Web Application Firewall > API Gateway.
- Click the API Gateway Rule tab.
- Click Create New to display the configuration editor and set up the configuration.
- Save the configuration.
| Settings | Guidelines |
|---|---|
| Name | Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. Whitespace is not allowed. After you initially save the configuration, you cannot edit the name. |
| Host Status | Enable/Disable applying this rule only to HTTP requests for specific web hosts. |
| Host | Select the name of a protected host that the Host: field of an HTTP request must match for the request to match the API gateway rule. This option is available only if Host Status is enabled. |
| Full URL Pattern | Matching string. Regular expressions are supported. |
| Method | Select one or more HTTP methods that are allowed when accessing the API. |
| API Key Verification | When a user makes an API request, the API key is included in an HTTP header or parameter. FortiWeb obtains the API key from the request. When this option is enabled, FortiWeb verifies the key to check whether it belongs to a valid API user. |
| API Key Carried In | Indicate where to find the API key in the HTTP request. Available only when API Key Verification is enabled. |
| HTTP Header Name | Enter the header field name that carries the API key. |
| HTTP Parameter Name | Enter the parameter name that carries the API key. |
| Rate Limit Status | Enable/Disable rate limiting for API calls. |
| Rate Limit Requests | Sets the limit on the number of API requests received. If the number of requests received within the time frame (set in Rate Limit Period) reaches this limit, the condition is fulfilled. |
| Rate Limit Period | Sets the time period during which to count how many requests are received. |
| Action | Select the action profile that you want to apply. See Configuring WAF Action objects. The default is Alert. |
| Severity | When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation. The default value is Low. |
| Exception Name | Select a user-defined exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule. |
| User | Specify one or more users created in API Gateway User to define which users have permission to access the API. |
| Attach HTTP Header | Insert specific header lines into the HTTP header. Specify the field name and value for each entry. |
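To make the interaction of these settings concrete, the following is an added example (not FortiADC or FortiWeb code, and not the appliance's actual evaluation logic) that models one API gateway rule in Python: host and Full URL Pattern matching, the Method allow-list, API key extraction from either a header or a parameter followed by a lookup against API Gateway Users, and a sliding-window rate limit of Rate Limit Requests per Rate Limit Period. The rule values, the user/key store, the client IP and the `alert_deny` action name are constructed for illustration; the order in which checks are applied and the choice of rate-limit key (the verified user, falling back to the client IP) are assumptions, not documented product behaviour.

```python
import re
from collections import defaultdict, deque

# Constructed rule mirroring the fields of the configuration table (hypothetical values).
RULE = {
    "name": "orders-api",
    "host_status": True,
    "host": "api.example.com",
    "full_url_pattern": r"^/v1/orders(/[0-9]+)?$",  # regex, as Full URL Pattern allows
    "methods": {"GET", "POST"},
    "api_key_verification": True,
    "api_key_carried_in": "header",      # "header" or "parameter"
    "http_header_name": "X-API-Key",
    "http_parameter_name": "api_key",
    "rate_limit_status": True,
    "rate_limit_requests": 3,            # requests allowed ...
    "rate_limit_period": 10,             # ... per this many seconds
    "action": "alert_deny",              # constructed action profile name
}

# Constructed API Gateway User store: API key -> user name.
API_USERS = {"k-alice-0001": "alice", "k-bob-0002": "bob"}


class RateLimiter:
    """Sliding-window counter: at most `limit` hits per `period` seconds per key."""

    def __init__(self, limit, period):
        self.limit = limit
        self.period = period
        self.hits = defaultdict(deque)   # key -> timestamps of recent hits

    def allow(self, key, now):
        window = self.hits[key]
        # Drop hits that fell out of the period before counting.
        while window and now - window[0] >= self.period:
            window.popleft()
        if len(window) >= self.limit:
            return False                 # limit reached within the period
        window.append(now)
        return True


def matches_rule(rule, req):
    """Is the request in scope: Host (if Host Status) and Full URL Pattern."""
    if rule["host_status"] and req["host"] != rule["host"]:
        return False
    return re.search(rule["full_url_pattern"], req["path"]) is not None


def extract_api_key(rule, req):
    """Read the key from the configured header or parameter (headers are case-insensitive)."""
    if rule["api_key_carried_in"] == "header":
        headers = {k.lower(): v for k, v in req["headers"].items()}
        return headers.get(rule["http_header_name"].lower())
    return req["params"].get(rule["http_parameter_name"])


def evaluate(rule, req, limiter, users, now):
    """Return ("not-matched", None), ("pass", user) or (rule["action"], reason)."""
    if not matches_rule(rule, req):
        return ("not-matched", None)
    if req["method"] not in rule["methods"]:
        return (rule["action"], "method-not-allowed")
    user = None
    if rule["api_key_verification"]:
        user = users.get(extract_api_key(rule, req))
        if user is None:
            return (rule["action"], "invalid-api-key")
    if rule["rate_limit_status"]:
        # Assumption: count per verified user, else per client IP.
        if not limiter.allow(user or req["client_ip"], now):
            return (rule["action"], "rate-limit-exceeded")
    return ("pass", user)


if __name__ == "__main__":
    limiter = RateLimiter(RULE["rate_limit_requests"], RULE["rate_limit_period"])
    req = {"host": "api.example.com", "method": "GET", "path": "/v1/orders/42",
           "headers": {"X-API-Key": "k-alice-0001"}, "params": {}, "client_ip": "203.0.113.5"}
    for t in (100.0, 101.0, 102.0, 103.0, 110.5):
        print(t, evaluate(RULE, req, limiter, API_USERS, t))
```

Running the block shows three requests passing, the fourth within the 10-second period being handed to the action profile with reason `rate-limit-exceeded`, and the request at 110.5 s passing again once the oldest hit has aged out of the window.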