Fortinet black logo

CLI Reference

config security waf api-gateway-rule

config security waf api-gateway-rule

Use this command to create API Gateway rules.

Syntax

config security waf api-gateway-rule

edit <api-rule-name>

set url-pattern <string>

set http-method {get|post|head|options|trace|connect|delete|put|patch|other}

set api-key-verification {enable|disable}

set api-key-location {http-parameter|http-header}

set header-field-name <string>

set parameter-name <string>

set action <datasource_action>

set severity {high|medium|low}

set host <string>

set host-status {enable|disable}

set exception <datasource_exception>

set rate-limit-status {enable|disable}

set rate-limit-period <integer>

set rate-limit-requests <integer>

config user-list

edit <user-list-id>

set user <datasource_api_user>

set status {enable|disable}

next

end

config attach-http-header

edit <attach-http-header-id>

set http-header-name <http-header-name_str>

set http-header-value <http-header-value_str>

next

end

next

end

CLI Parameter

Description

url-pattern

Matching string. Regular expressions are supported.

http-method

Select one or more HTTP methods that are allowed when accessing the API.

api-key-verification

When a user makes an API request, the API key will be included in the HTTP header or parameter. FortiWeb obtains the API key from the request. When this option is enabled, FortiWeb verifies the key tocheck whether the key belongs to an valid API user.

api-key-location

Indicate where to find the API key in HTTP request:

  • HTTP Parameter
  • HTTP Header

Note: Available only when API Key Verification is enabled.

header-field-name

Enter the header field name of the API key.

parameter-name

Enter the parameter name of the API key.

action

Select the action profile that you want to apply. See config security waf action

The default is Alert.

severity

When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation:

  • Low
  • Medium
  • High

The default value is Low.

host

Select the name of a protected host that the Host: field of an HTTP request must be in to match the API gateway rule.

This option is available only if Host Status is enabled.

host-status

Enable/Disable for applying this rule only to HTTP requests for specific web hosts

exception

Select a user-defined exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

rate-limit-status

Enable/Disable to do rate limit for API calls

rate-limit-period

range 1-600 seconds, default 60

rate-limit-requests

range 1-100000, default 600

user-list ( available when api-key-verification is enabled)

user

Specify one or more users created in API Gateway User to define which users have the persmission to access the API.

status

enable or disable user list

attach-http-header

http-header-name

Field name of specific header lines to be inserted into HTTP header.

http-header-value

Value of specific header lines to be inserted into HTTP header.

See also:

config security waf api-gateway-rule

Use this command to create API Gateway rules.

Syntax

config security waf api-gateway-rule

edit <api-rule-name>

set url-pattern <string>

set http-method {get|post|head|options|trace|connect|delete|put|patch|other}

set api-key-verification {enable|disable}

set api-key-location {http-parameter|http-header}

set header-field-name <string>

set parameter-name <string>

set action <datasource_action>

set severity {high|medium|low}

set host <string>

set host-status {enable|disable}

set exception <datasource_exception>

set rate-limit-status {enable|disable}

set rate-limit-period <integer>

set rate-limit-requests <integer>

config user-list

edit <user-list-id>

set user <datasource_api_user>

set status {enable|disable}

next

end

config attach-http-header

edit <attach-http-header-id>

set http-header-name <http-header-name_str>

set http-header-value <http-header-value_str>

next

end

next

end

CLI Parameter

Description

url-pattern

Matching string. Regular expressions are supported.

http-method

Select one or more HTTP methods that are allowed when accessing the API.

api-key-verification

When a user makes an API request, the API key will be included in the HTTP header or parameter. FortiWeb obtains the API key from the request. When this option is enabled, FortiWeb verifies the key tocheck whether the key belongs to an valid API user.

api-key-location

Indicate where to find the API key in HTTP request:

  • HTTP Parameter
  • HTTP Header

Note: Available only when API Key Verification is enabled.

header-field-name

Enter the header field name of the API key.

parameter-name

Enter the parameter name of the API key.

action

Select the action profile that you want to apply. See config security waf action

The default is Alert.

severity

When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation:

  • Low
  • Medium
  • High

The default value is Low.

host

Select the name of a protected host that the Host: field of an HTTP request must be in to match the API gateway rule.

This option is available only if Host Status is enabled.

host-status

Enable/Disable for applying this rule only to HTTP requests for specific web hosts

exception

Select a user-defined exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

rate-limit-status

Enable/Disable to do rate limit for API calls

rate-limit-period

range 1-600 seconds, default 60

rate-limit-requests

range 1-100000, default 600

user-list ( available when api-key-verification is enabled)

user

Specify one or more users created in API Gateway User to define which users have the persmission to access the API.

status

enable or disable user list

attach-http-header

http-header-name

Field name of specific header lines to be inserted into HTTP header.

http-header-value

Value of specific header lines to be inserted into HTTP header.

See also: