Handbook

Configuring API Gateway

An API gateway is an API management tool that sits between a client and a collection of backend services. It acts as a reverse proxy to accept all API calls and return the appropriate result.

API gateway on FortiADC provides the following functions:

  • API user management
  • API key verification
  • API access control
  • Rate limit control
  • Attach HTTP Header in API call

Creating API Gateway User:

1. Go to Web Application Firewall > API Gateway.

2. Click the API Gateway User tab.

3. Click Create New to display the configuration editor and set up the configuration.

4. Save the configuration.

Settings and guidelines:

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. Whitespaces are not allowed. After you initially save the configuration, you cannot edit the name.

Comments

(Optional) Enter a description or comments for the user.

UUID

Non-editable. Automatically generated when the user is created.

API Key

Non-editable. Automatically generated when the user is created.

Restricted Access IPs

Restrict this API key so that it may only be used from the specified IP addresses.

Restrict HTTP Referers

Restrict this API key so that it may only be used when the specified URLs are present in the Referer HTTP header. This can be used to prevent an API key from being reused on other client-side web applications that don’t match this URL.

Only full URLs that begin with http:// or https:// are supported.

Configuring API Gateway Rule:

1. Go to Web Application Firewall > API Gateway.

2. Click the API Gateway Rule tab.

3. Click Create New to display the configuration editor and set up the configuration.

4. Save the configuration.

Settings and guidelines:

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. Whitespaces are not allowed. After you initially save the configuration, you cannot edit the name.

Host Status

Enable or disable applying this rule only to HTTP requests for specific web hosts.

Host

Select the name of the protected host that the Host: field of an HTTP request must match for the API gateway rule to apply.

This option is available only if Host Status is enabled.

Full URL Pattern

Matching string. Regular expressions are supported.

Method

Select one or more HTTP methods that are allowed when accessing the API.

API Key Verification

When a user makes an API request, the API key is included in an HTTP header or parameter. FortiWeb obtains the API key from the request. When this option is enabled, FortiWeb verifies the key to check whether it belongs to a valid API user.

API Key Carried In

Indicate where to find the API key in the HTTP request:

  • HTTP Parameter
  • HTTP Header

Available only when API Key Verification is enabled.

HTTP Header Name

Enter the header field name that carries the API key.

HTTP Parameter Name

Enter the parameter name that carries the API key.

Rate Limit Status

Enable or disable rate limiting for API calls.

Rate Limit Requests

Sets the limit on the number of API requests received. If the number of requests received within the time frame (set in Rate Limit Period) reaches this value, the condition is fulfilled.

Rate Limit Period

Sets the time period during which received requests are counted.

Action

Select the action profile that you want to apply. See Configuring WAF Action objects.

The default is Alert.

Severity

When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation:

  • Low
  • Medium
  • High

The default value is Low.

Exception Name

Select a user-defined exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

User

Specify one or more users created in API Gateway User to define which users have the permission to access the API.

Attach HTTP Header

Insert specific header lines into the HTTP header. Specify the field name and value in each entry.

Configure API Gateway Policy:

1. Go to Web Application Firewall > API Gateway.

2. Click the API Gateway Policy tab.

3. Click Create New to display the configuration editor and set up the configuration.

4. Save the configuration.

Settings and guidelines:

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. Whitespaces are not allowed. After you initially save the configuration, you cannot edit the name.

Rule Name

Specify one or more rules created in API Gateway Rule to be used in the policy. The rules are checked one by one from top to bottom until the URL in the request matches the Full URL Pattern of a rule.
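To show how the user, rule and policy objects above fit together at request time, here is an added Python model of the evaluation order (first rule whose Full URL Pattern matches, then method, API key, Restricted Access IPs, Restrict HTTP Referers, rate limit, Attach HTTP Header). It is illustrative code written for this page, not FortiADC's implementation; the header name X-API-Key, the period unit (seconds), prefix matching of Referer URLs and the pass-through when no rule matches are assumptions.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

@dataclass
class ApiUser:                       # models an API Gateway User
    name: str
    api_key: str
    allowed_ips: set = field(default_factory=set)       # Restricted Access IPs (empty = any)
    allowed_referers: set = field(default_factory=set)  # Restrict HTTP Referers, full URLs

@dataclass
class ApiRule:                       # models an API Gateway Rule
    url_pattern: str                 # Full URL Pattern (regular expression)
    methods: set                     # Method
    users: dict                      # User: api_key -> ApiUser (API Key Verification)
    key_in: str = "header"           # API Key Carried In: "header" or "parameter"
    key_name: str = "X-API-Key"      # HTTP Header Name / HTTP Parameter Name (assumed)
    rate_limit: int = 0              # Rate Limit Requests (0 = Rate Limit Status disabled)
    rate_period: float = 60.0        # Rate Limit Period, seconds (assumed unit)
    attach_headers: dict = field(default_factory=dict)  # Attach HTTP Header
    hits: dict = field(default_factory=lambda: defaultdict(deque))  # per-key timestamps

def evaluate(policy, req, now):
    # policy: rules checked top to bottom; req: dict with method, url, ip, headers, params.
    # Returns ('violation', reason) or ('pass', user); the Action profile decides what follows.
    for rule in policy:
        if not re.fullmatch(rule.url_pattern, req["url"]):
            continue                 # only the first rule whose pattern matches is applied
        if req["method"] not in rule.methods:
            return "violation", "method"
        carrier = req["headers"] if rule.key_in == "header" else req["params"]
        user = rule.users.get(carrier.get(rule.key_name))
        if user is None:
            return "violation", "api-key"
        if user.allowed_ips and req["ip"] not in user.allowed_ips:
            return "violation", "restricted-access-ip"
        ref = req["headers"].get("Referer", "")
        if user.allowed_referers and not any(ref.startswith(u) for u in user.allowed_referers):
            return "violation", "referer"   # prefix match is an assumption of this model
        if rule.rate_limit:
            window = rule.hits[user.api_key]
            while window and now - window[0] >= rule.rate_period:
                window.popleft()     # sliding window: drop hits older than the period
            if len(window) >= rule.rate_limit:
                return "violation", "rate-limit"
            window.append(now)
        req["headers"].update(rule.attach_headers)   # headers added before forwarding
        return "pass", user.name
    return "pass", "no-matching-rule"  # no-match behaviour is not stated on this page
```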
