Administration Guide

gRPC protocol

gRPC is a modern open source high performance Remote Procedure Call (RPC) framework that can run in any environment. It can efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking and authentication.

FortiWeb secures gRPC API traffic with a variety of security controls such as signature scan, rate limiting, and size limiting.

Creating gRPC security rules

This section provides instructions to:

  • Upload an IDL file
  • Create a gRPC security rule
  • Add a gRPC security rule to a gRPC security policy

To upload a gRPC IDL file

  1. Go to Web Protection > Protocol > gRPC > gRPC IDL File.
  2. Click Upload to upload an Interface Definition Language (IDL) file. It describes both the service interface and the structure of the payload messages.
  3. Click OK.

To create a gRPC security rule

  1. Go to Web Protection > Protocol > gRPC > gRPC Security Rule.
  2. Click Create New.
  3. Configure these settings:
    Name

    Type a name that can be referenced by other parts of the configuration. The name will be used when selecting the rule in a gRPC security policy.

    Host Status

    Enable to compare the gRPC security rule to the Host: field in the HTTP header. Also configure Host.

    Host

    Select the IP address or fully qualified domain name (FQDN) of the protected host to which this rule applies. For details, see Defining your protected/allowed HTTP “Host:” header names.

    This setting is available only if Host Status is enabled.

    Request URL

    The URL of the gRPC API request you want to protect.

    You can enter the literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).

    IDL file

    Select the IDL file you have uploaded in the gRPC IDL File tab.

    FortiWeb will decode the traffic according to the IDL file.

    Request Message Name

    The name of the message in the gRPC API request. FortiWeb will apply this gRPC security rule to the matched message.

    The format should be "<package_name>.<message_name>", for example routeguide.Point. It's case sensitive.

    Response Message Name

    The name of message in the gRPC API response. FortiWeb will apply this gRPC security rule to the matched message.

    Refer to Request Message Name for the format of the name.

    Request Rate Limit

    Specify the maximum number of messages within a gRPC API request.

    Request Size Limit

    Specify the maximum size of each message body in a gRPC API request.

    Action

    Select which action FortiWeb will take when it detects a violation of the gRPC security policy:

    • Alert—Accept the connection and generate an alert email and/or log message.
    • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.
    • Block Period—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
    • Deny (no log)—Block the request (or reset the connection).

    The default value is Alert.

    Block Period

    Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule.

    This setting is available only if Action is set to Block Period. The valid range is from 1 to 3,600 seconds (1 hour).

    Severity

    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level to use when FortiWeb logs a violation of the rule:

    • Informative
    • Low
    • Medium
    • High

    Trigger Action

    Select which trigger, if any, to use when FortiWeb logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages.
  4. Click OK.
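To make the rule fields concrete, here is an added Python model of how such a rule is evaluated against one gRPC request: match the Request URL wildcard, confirm the request message type against an IDL-derived index, then apply the Request Rate Limit and Request Size Limit to the length-prefixed gRPC frames in the body. This is illustrative code written for this page, not FortiWeb's implementation; the rule values, the IDL_INDEX mapping and the sample frames are all constructed.

```python
import fnmatch
import struct

# Constructed example rule using the fields described above; not a FortiWeb export.
RULE = {
    "request_url": "/routeguide.RouteGuide/*",   # wildcard URL, must begin with "/"
    "request_message_name": "routeguide.Point",  # "<package_name>.<message_name>", case sensitive
    "request_rate_limit": 2,                     # max messages in one request
    "request_size_limit": 16,                    # max bytes per message body
    "action": "Alert & Deny",
}

# Constructed stand-in for the uploaded IDL: gRPC path -> (request type, response type).
IDL_INDEX = {
    "/routeguide.RouteGuide/GetFeature": ("routeguide.Point", "routeguide.Feature"),
}

def url_matches(pattern, path):
    """Wildcard match for patterns like /folder1/* or /folder1/*/index.htm."""
    return pattern.startswith("/") and fnmatch.fnmatchcase(path, pattern)

def split_grpc_frames(body):
    """Split a gRPC body into (flag, message_bytes); each frame is 1 flag byte + 4-byte length + payload."""
    frames, offset = [], 0
    while offset < len(body):
        if len(body) - offset < 5:
            raise ValueError("truncated gRPC frame header")
        flag, length = struct.unpack("!BI", body[offset:offset + 5])
        offset += 5
        if len(body) - offset < length:
            raise ValueError("declared frame length exceeds remaining body")
        frames.append((flag, body[offset:offset + length]))
        offset += length
    return frames

def evaluate(rule, path, body, idl_index=IDL_INDEX):
    """Return the rule's action if the request violates it, else None."""
    if not url_matches(rule["request_url"], path):
        return None
    request_type = idl_index.get(path, (None, None))[0]
    if request_type != rule["request_message_name"]:   # exact, case-sensitive match
        return None
    frames = split_grpc_frames(body)
    too_many = len(frames) > rule["request_rate_limit"]
    too_big = any(len(msg) > rule["request_size_limit"] for _, msg in frames)
    return rule["action"] if too_many or too_big else None

def frame(payload):
    """Build one gRPC length-prefixed frame around a serialized message (constructed input)."""
    return struct.pack("!BI", 0, len(payload)) + payload
```

A malformed body (truncated header or a length that overruns the data) raises ValueError rather than being silently accepted, which is the behaviour a defender wants from any framing parser placed in front of a size check.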

To add a gRPC security rule to a gRPC security policy

For details about creating a gRPC security policy, see Creating gRPC security policies.

  1. Go to Web Protection > Protocol > gRPC > gRPC Security Policy.
  2. Select the existing gRPC security policy to which you want to add the gRPC security rule.
  3. Click Edit.
  4. Click Create New.
  5. For gRPC Security Rule, select the gRPC security rule that you want to include in the gRPC security policy.
  6. To view details about a selected gRPC security rule, click the icon next to the drop down list.
  7. Click OK.
  8. Repeat Steps 4-6 for as many gRPC security rules as you want to add to the gRPC security policy.

Creating gRPC security policies

This section provides instructions to:

  • Create a gRPC security policy
  • Apply a gRPC security policy in a web protection profile

To create a gRPC security policy

  1. Go to Web Protection > Protocol > gRPC > gRPC Security Policy.
  2. Click Create New.
  3. For Name, enter a name for the policy. You will use the Name to select the policy in a web protection profile.
  4. Click OK.
  5. To add gRPC security rules to the policy, see To add a gRPC security rule to a gRPC security policy.

To add a gRPC security policy in a web protection profile

For details about creating a web protection profile, see Configuring a protection profile for inline topologies.

  1. Go to Policy > Server Policy.
  2. Select the existing web protection profile to which you want to add the gRPC security policy.
  3. Click Edit.
  4. Go to Security Configuration > Web Protection Profile.
  5. Click to enter the Edit Inline Protection Profile page.
  6. For Protocol > gRPC Security, select the gRPC security policy from the drop down list.
    You can also click to open the Edit gRPC Security Policy page.
  7. Click OK.