Fortinet black logo

Administration Guide

Configuring mobile API protection

Configuring mobile API protection

When a client accesses a web server from a mobile application, the Mobile Application Identification module checks whether the request carries the JWT-token field and whether the token carried is valid, and sets flags for the following cases:

  • The traffic doesn't carry the JWT-token header.
  • The traffic carries the JWT-token header and the token is valid.
  • The traffic carries the JWT-token header, while the token is invalid.

The mobile API protection feature checks the flags. With the API protection policy and rule configured, actions set in the protection rule will be performed.

tooltip icon

If Mobile Application Identification is not enabled in Feature Visibility, you must enable it before you can configure mobile API protection policy and rule. To enable Mobile Application Identification, go to System > Config > Feature Visibility and enable Mobile Application Identification in Security Features.

This section provides instructions on:

  • How to create a mobile API protection rule
  • How to create a mobile API protection policy
  • How to apply a mobile API protection policy in a web protection profile

To create a mobile API protection rule

  1. Go to API Protection > Mobile API Protection, select the Mobile API Protection Rule tab.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  2. Click Create New.
  3. Configure these settings:

    Name

    Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in a mobile API protection policy. The maximum length is 63 characters.

    Host Status

    Enable to compare the mobile API protection rule to the Host: field in the HTTP header. If enabled, also configure Host.

    Host

    Select which protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the mobile API protection rule.

    This option is available only if Host Status is enabled.

    Action

    Select which action FortiWeb will take when it detects a violation of the rule:

    • Alert—Accept the connection and generate an alert email and/or log message.
    • Alert & Deny—Block the request (or reset the connection) and generate an alert and /or log message.
    • Deny (no log)—Block the request (or reset the connection).
    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Configuring mobile API protection.

    The default value is Alert. .

    Note: Logging will occur only if enabled and configured. For details, see Logging and Alert email.

    Period Block

    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when Action is set to Period Block.

    The valid range is 1–3,600 seconds (1 hour).

    Severity

    When FortiWeb records rule violations in the attack log, each log message contains a Severity Level field. Select the severity level that FortiWeb will record when the rule is violated:

    • Low
    • Medium
    • High
    • Informative

    The default value is High.

    Trigger Policy

    Select the trigger, if any, that FortiWeb carries out when it logs and/or sends an alert email about a rule violation. For details, see Viewing log messages.

  4. Click OK.
  5. Click Create New.
  6. Configure these settings:

    Type

    Select whether the Request URL field must contain either:

    • Simple String—The field is a string that the request URL must match exactly.
    • Regular Expression—The field is a regular expression that defines a set of matching URLs.

    Request URL

    Depending on your selection in Type, enter either:

    • Simple String—Enter a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • Regular Expression—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

    To test a regular expression, click the >> (test) icon. This icon opens the Regular Expression Validator window from which you can fine-tune the expression. For details, see Regular expression syntax.

  7. Click OK.

To create a mobile API protection policy

  1. Go to API Protection > Mobile API Protection, and select the Mobile API Protection Policy tab.
  2. Click Create New.
  3. For Name, enter a name that can be referenced by other parts of the configuration.
  4. Click OK.
  5. Click Create New.
  6. For Mobile API Protection Rule, select a mobile protection rule from the drop-down list.
    You can also click to edit the protection rule or view the details.
  7. Click OK.

To apply a mobile API protection policy to a web protection profile

  1. Go to Policy > Web Protection Profile.
  2. Select an existing web protection profile to which you want to include the mobile API protection policy.
  3. Click Edit.
  4. Go to Mobile > Mobile Application Identification.
  5. Enable Mobile Application Identification.
  6. Configure these settings:

    Token Secret

    Enter the JWT-token secret that you get from the Approov platform.
    Refer to Approov doc for how to get the token.

    Token Header

    Indicate the header that carries the JWT-token in the request.

    Mobile API Protection

    Select the mobile API protection policy from the drop-down list.
    You can also click to open the Edit Mobile API Protection Policy page.

  7. Click OK.

Configuring mobile API protection

Configuring mobile API protection

When a client accesses a web server from a mobile application, the Mobile Application Identification module checks whether the request carries the JWT-token field and whether the token carried is valid, and sets flags for the following cases:

  • The traffic doesn't carry the JWT-token header.
  • The traffic carries the JWT-token header and the token is valid.
  • The traffic carries the JWT-token header, while the token is invalid.

The mobile API protection feature checks the flags. With the API protection policy and rule configured, actions set in the protection rule will be performed.

tooltip icon

If Mobile Application Identification is not enabled in Feature Visibility, you must enable it before you can configure mobile API protection policy and rule. To enable Mobile Application Identification, go to System > Config > Feature Visibility and enable Mobile Application Identification in Security Features.

This section provides instructions on:

  • How to create a mobile API protection rule
  • How to create a mobile API protection policy
  • How to apply a mobile API protection policy in a web protection profile

To create a mobile API protection rule

  1. Go to API Protection > Mobile API Protection, select the Mobile API Protection Rule tab.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  2. Click Create New.
  3. Configure these settings:

    Name

    Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in a mobile API protection policy. The maximum length is 63 characters.

    Host Status

    Enable to compare the mobile API protection rule to the Host: field in the HTTP header. If enabled, also configure Host.

    Host

    Select which protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the mobile API protection rule.

    This option is available only if Host Status is enabled.

    Action

    Select which action FortiWeb will take when it detects a violation of the rule:

    • Alert—Accept the connection and generate an alert email and/or log message.
    • Alert & Deny—Block the request (or reset the connection) and generate an alert and /or log message.
    • Deny (no log)—Block the request (or reset the connection).
    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Configuring mobile API protection.

    The default value is Alert. .

    Note: Logging will occur only if enabled and configured. For details, see Logging and Alert email.

    Period Block

    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when Action is set to Period Block.

    The valid range is 1–3,600 seconds (1 hour).

    Severity

    When FortiWeb records rule violations in the attack log, each log message contains a Severity Level field. Select the severity level that FortiWeb will record when the rule is violated:

    • Low
    • Medium
    • High
    • Informative

    The default value is High.

    Trigger Policy

    Select the trigger, if any, that FortiWeb carries out when it logs and/or sends an alert email about a rule violation. For details, see Viewing log messages.

  4. Click OK.
  5. Click Create New.
  6. Configure these settings:

    Type

    Select whether the Request URL field must contain either:

    • Simple String—The field is a string that the request URL must match exactly.
    • Regular Expression—The field is a regular expression that defines a set of matching URLs.

    Request URL

    Depending on your selection in Type, enter either:

    • Simple String—Enter a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • Regular Expression—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

    To test a regular expression, click the >> (test) icon. This icon opens the Regular Expression Validator window from which you can fine-tune the expression. For details, see Regular expression syntax.

  7. Click OK.

To create a mobile API protection policy

  1. Go to API Protection > Mobile API Protection, and select the Mobile API Protection Policy tab.
  2. Click Create New.
  3. For Name, enter a name that can be referenced by other parts of the configuration.
  4. Click OK.
  5. Click Create New.
  6. For Mobile API Protection Rule, select a mobile protection rule from the drop-down list.
    You can also click to edit the protection rule or view the details.
  7. Click OK.

To apply a mobile API protection policy to a web protection profile

  1. Go to Policy > Web Protection Profile.
  2. Select an existing web protection profile to which you want to include the mobile API protection policy.
  3. Click Edit.
  4. Go to Mobile > Mobile Application Identification.
  5. Enable Mobile Application Identification.
  6. Configure these settings:

    Token Secret

    Enter the JWT-token secret that you get from the Approov platform.
    Refer to Approov doc for how to get the token.

    Token Header

    Indicate the header that carries the JWT-token in the request.

    Mobile API Protection

    Select the mobile API protection policy from the drop-down list.
    You can also click to open the Edit Mobile API Protection Policy page.

  7. Click OK.