waf mobile-api-protection
When a client accesses a web server from a mobile application, the Mobile Application Identification module checks whether the request carries the JWT-token header and, if it does, whether the token is valid. It sets one of the following flags:
- The traffic does not carry the JWT-token header
- The traffic carries the JWT-token header and the token is valid
- The traffic carries the JWT-token header, but the token is invalid
The mobile API protection feature acts on these flags: once a mobile API protection policy and rule are configured, the action set in the protection rule is performed on the matching traffic.
Syntax
```
config waf mobile-api-protection-rule
  edit <mobile-api-protection-rule_name>
    set host-status {enable | disable}
    set host <host_str>
    set action {alert | deny_no_log | alert_deny | block-period}
    set block-period <block-period_int>
    set severity {High | Medium | Low | Info}
    set trigger <trigger_policy_name>
    config url-list
      edit <url-list_id>
        set url-type {plain | regular}
        set url-pattern <url-pattern_str>
      next
    end
  next
end

config waf mobile-api-protection-policy
  edit <mobile-api-protection-policy_name>
    set jwt-signature-scan {enable | disable}
    set jwt-allow-alg {None | RS256 RS384 RS512 PS256 PS384 PS512 ES256 ES384 ES512 HS256 HS384 HS512}
    config rule-list
      edit <rule-list_id>
        set rule <rule_name>
      next
    end
  next
end
```
| Variable | Description | Default |
|---|---|---|
| `config waf mobile-api-protection-rule` | | |
| `<mobile-api-protection-rule_name>` | Enter the name for the mobile API protection rule. | No default. |
| `host-status {enable \| disable}` | Enable to compare the mobile API protection rule to the Host: field in the HTTP header. | disable |
| `host <host_str>` | Select the IP address or fully qualified domain name (FQDN) of the protected host to which this rule applies. This option is available only if `host-status` is `enable`. | No default. |
| `action {alert \| deny_no_log \| alert_deny \| block-period}` | Select which action the FortiWeb appliance will take when it detects a violation. `block-period`: blocks the request for a certain period of time. | alert |
| `block-period <block-period_int>` | Enter the number of seconds that you want to block the requests. The valid range is 1–3,600 seconds. This option only takes effect when `action` is set to `block-period` (Period Block). | 600 |
| `severity {High \| Medium \| Low \| Info}` | When FortiWeb records rule violations in the attack log, each log message contains a Severity Level field. Select the severity level that FortiWeb will record when the rule is violated. The default value is High. | High |
| `trigger <trigger_policy_name>` | Select the trigger, if any, that FortiWeb carries out when it logs and/or sends an alert email about a rule violation. For details, see "Viewing log messages". | No default. |
| `<url-list_id>` | Type the index number of the individual URL within the URL list, or keep the field's default value of auto to let the FortiWeb appliance automatically assign the next available index number. | No default. |
| `url-type {plain \| regular}` | Select whether the URL Pattern field will contain a literal URL (`plain`), or a regular expression designed to match multiple URLs (`regular`). | plain |
| `url-pattern <url-pattern_str>` | Depending on the … Do not include the domain name, such as … | No default. |
| `config waf mobile-api-protection-policy` | | |
| `<mobile-api-protection-policy_name>` | Enter the name for the mobile API protection policy. | No default. |
| `jwt-signature-scan {enable \| disable}` | Enable to inspect JWT header and payload fields for malicious patterns, leveraging FortiWeb's threat detection engine to block tampered or manipulated tokens. | disable |
| `jwt-allow-alg {None \| RS256 RS384 RS512 PS256 PS384 PS512 ES256 ES384 ES512 HS256 HS384 HS512}` | Defines the list of signing algorithms that FortiWeb accepts. Requests using algorithms outside the allowed list are blocked. Useful for preventing misuse of weak or unexpected algorithms. Supported values: None, RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512, HS256, HS384, HS512. | No default. |
| `<rule-list_id>` | Type the index number of the individual rule within the rule list, or keep the field's default value of auto to let the FortiWeb appliance automatically assign the next available index number. | No default. |
| `rule <rule_name>` | Select the mobile API protection rule from the drop-down list. | No default. |
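The three-way classification the description attributes to the Mobile Application Identification module (no header, valid token, invalid token), combined with the signing-algorithm allow-list that `jwt-allow-alg` configures, as an added Python model. This is illustrative code written for this page, not FortiWeb's implementation; it assumes the request header is literally named `JWT-token`, a restrictive allow-list containing only `HS256`, and a constructed demo secret. Only HS256 verification is implemented; the RS/PS/ES families would need the issuer's public key.

```python
import base64
import hashlib
import hmac
import json

# The three flags the page attributes to the Mobile Application Identification module
NO_TOKEN = "no-jwt-header"
VALID_TOKEN = "jwt-valid"
INVALID_TOKEN = "jwt-invalid"

# Mirrors a restrictive jwt-allow-alg setting: HMAC-SHA256 only, "none" deliberately absent (assumption)
ALLOWED_ALGS = frozenset({"HS256"})

# Header name is an assumption; the page only says "the JWT-token header"
TOKEN_HEADER = "JWT-token"

# Constructed secret for the demo only
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, the encoding JWT uses."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def classify_request(headers: dict, secret: bytes, allowed_algs=ALLOWED_ALGS) -> str:
    """Return one of the three flags for a request, given its headers."""
    token = headers.get(TOKEN_HEADER)
    if token is None:
        return NO_TOKEN
    parts = token.split(".")
    if len(parts) != 3:
        return INVALID_TOKEN
    try:
        header = json.loads(_b64url_decode(parts[0]))
        json.loads(_b64url_decode(parts[1]))  # payload must at least be well-formed JSON
        signature = _b64url_decode(parts[2])
    except ValueError:  # covers bad base64 (binascii.Error), bad UTF-8 and bad JSON
        return INVALID_TOKEN
    if not isinstance(header, dict):
        return INVALID_TOKEN
    alg = header.get("alg")
    # The allow-list check runs before any signature work, so an unsigned ("none")
    # token or an unexpected algorithm is flagged invalid whatever its signature says.
    if not isinstance(alg, str) or alg not in allowed_algs:
        return INVALID_TOKEN
    if alg == "HS256":
        signing_input = f"{parts[0]}.{parts[1]}".encode()
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        # Constant-time comparison; a wrong key or an edited payload both fail here
        return VALID_TOKEN if hmac.compare_digest(expected, signature) else INVALID_TOKEN
    # Only HS256 is implemented in this example; other allowed algorithms need a public-key verifier
    return INVALID_TOKEN


def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Mint a signed HS256 token (constructed test data for the check above)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def demo() -> dict:
    """Classify a set of constructed requests and return the flag raised for each."""
    good = make_hs256_token({"sub": "mobile-app-user"}, DEMO_SECRET)
    hdr, body, sig = good.split(".")
    edited_body = _b64url_encode(b'{"sub":"admin"}')   # payload changed, signature left as-is
    none_header = _b64url_encode(b'{"alg":"none"}')    # unsigned token, empty signature segment
    cases = {
        "no header": {},
        "valid": {TOKEN_HEADER: good},
        "signed with another key": {TOKEN_HEADER: make_hs256_token({"sub": "u"}, b"other-secret")},
        "payload edited": {TOKEN_HEADER: f"{hdr}.{edited_body}.{sig}"},
        "alg none": {TOKEN_HEADER: f"{none_header}.{body}."},
        "not a jwt": {TOKEN_HEADER: "opaque-session-id"},
    }
    return {name: classify_request(h, DEMO_SECRET) for name, h in cases.items()}


if __name__ == "__main__":
    for name, flag in demo().items():
        print(f"{name:25s} -> {flag}")
```

The ordering matters: the algorithm allow-list is enforced before the signature is examined, which is what makes an allow-list that omits `None` effective. A JWT whose header declares `alg` of `none` carries no signature at all, so allowing it would let an unsigned, freely editable token pass as valid; that is the "weak or unexpected algorithm" case the `jwt-allow-alg` description warns about.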