Threat protection policies

Threat protection policies protect webMethods API Gateway against malicious requests from client applications, typically oversized or deeply nested (recursive) payloads and SQL injection attempts. You can cap request characteristics such as the maximum message size, the maximum number of requests, and, for XML documents, the maximum node depth and text node length. Threat protection policies and rules are global: they apply to all incoming requests that arrive through the external port of webMethods API Gateway, and webMethods API Gateway enforces them according to your configuration.

You must have the webMethods API Gateway's manage threat protection functional privilege to configure the policies and rules such as:

  • Global Denial of Service
  • Denial of Service by IP
  • Rules

In addition, the webMethods API Gateway administrator can configure the mobile devices and applications that are denied access, configure and customize the deny and alert rules, and manage the list of denied IP addresses.

When you configure threat protection in a cluster, the limits you set on the number of requests and concurrent requests apply to each webMethods API Gateway instance individually, during the specified time interval. The instances do not share a counter, so adding X instances multiplies the effective limit by X. For example, if you have 2 webMethods API Gateway instances and set a limit of 100 requests per minute, the two instances together accept up to 200 requests per minute; adding a third instance raises the total to 300 requests per minute. In other words, the webMethods API Gateway cluster does not act as a single unit for threat protection, so size the per-instance limit with the number of instances in mind when you have a cluster-wide target.
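The following is an added example, not webMethods API Gateway code, that models the behaviour just described: each instance enforces the request limit on its own, so a burst from one client admitted by a cluster grows with the instance count. The fixed-window algorithm, the round-robin load balancer, and the optional shared counter (shown only as a contrast, not as product behaviour) are assumptions of the example.

```python
"""Added example (not webMethods API Gateway code): model of how per-instance
request limits add up across a cluster that does not share a counter.
The fixed-window algorithm and the round-robin dispatch are assumptions
made for illustration."""


class FixedWindowLimiter:
    """Admit at most `limit` requests per `window_s` seconds on ONE instance."""

    def __init__(self, limit, window_s=60.0):
        self.limit = limit
        self.window_s = window_s
        self.window_start = None
        self.count = 0

    def allow(self, now):
        # Start a fresh window on the first request or once the old one expires.
        if self.window_start is None or now - self.window_start >= self.window_s:
            self.window_start = now
            self.count = 0
        if self.count < self.limit:
            self.count += 1
            return True
        return False


def admitted_requests(instances, per_instance_limit, timestamps, shared_counter=False):
    """Return how many of `timestamps` (seconds, all from one client) get through.

    shared_counter=False: each instance enforces the limit on its own, which is the
    behaviour described for the gateway cluster. Requests are spread round-robin
    by an assumed load balancer.
    shared_counter=True: one cluster-wide counter, shown only as the contrast
    (this is NOT how the page says the cluster behaves).
    """
    if shared_counter:
        limiters = [FixedWindowLimiter(per_instance_limit)]
    else:
        limiters = [FixedWindowLimiter(per_instance_limit) for _ in range(instances)]
    admitted = 0
    for i, ts in enumerate(timestamps):
        if limiters[i % len(limiters)].allow(ts):
            admitted += 1
    return admitted


def effective_cluster_limit(instances, per_instance_limit):
    """Cluster-wide requests per window when every instance enforces the limit alone."""
    return instances * per_instance_limit


def per_instance_setting(instances, desired_cluster_limit):
    """Per-instance value to configure so the cluster as a whole stays under the target."""
    return desired_cluster_limit // instances


if __name__ == "__main__":
    # Constructed burst: 500 requests from one client IP inside a single minute.
    burst = [i * 0.1 for i in range(500)]
    for n in (1, 2, 3):
        print(n, "instance(s), limit 100/min each ->",
              admitted_requests(n, 100, burst), "admitted")
    print("shared counter ->", admitted_requests(3, 100, burst, shared_counter=True))
```

Running the block shows 100, 200 and 300 admitted requests for one, two and three instances; the same burst against a shared counter would stop at 100. A Denial of Service by IP rule set to 100 requests per minute therefore lets a single attacking address through 300 times per minute on a three-node cluster unless the per-instance value is reduced accordingly.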
Note: When a load balancer is in front of webMethods API Gateway, the gateway sees the load balancer's address as the connection peer; the load balancer passes the actual client IP address in the X-Forwarded-For (XFF) header. The watt.server.enterprisegateway.ignoreXForwardedForHeader property specifies whether webMethods API Gateway uses or ignores the IP address in the XFF header. By default the property is set to `true` and webMethods API Gateway ignores the XFF header, so IP-based rules operate on the address of the connection peer (the load balancer) rather than on the client's address. If you want webMethods API Gateway to use the actual client IP address present in XFF, set watt.server.enterprisegateway.ignoreXForwardedForHeader to `false`. Do this only when clients can reach the external port solely through the load balancer: the XFF header is set by whoever sends the request, so a client that can bypass the load balancer can supply any address it likes and evade Denial of Service by IP rules and the denied-IP list.
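The following is an added example, not webMethods API Gateway code, of how the connection peer and the X-Forwarded-For header combine to give a client address under the two settings of the property, and why the naive reading of the header is spoofable. The trusted-proxy list and the right-to-left walk of the header are assumptions of this example; the page only states that the property switches between ignoring and using the XFF address, not which entry the product picks.

```python
"""Added example (not webMethods API Gateway code): resolving the client IP
from the connection peer and the X-Forwarded-For header. The trusted-proxy
list and the right-to-left walk are assumptions of this example."""
import ipaddress


def _parse_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _xff_chain(headers):
    return [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]


def leftmost_xff(headers):
    """The naive reading: take the first XFF entry as the client.
    That entry is whatever the client itself put in the header, so it is spoofable."""
    chain = _xff_chain(headers)
    return chain[0] if chain else None


def client_ip(peer_ip, headers, ignore_xff=True, trusted_proxies=()):
    """Resolve the address that IP-based rules should act on.

    peer_ip         : address of the TCP peer (the load balancer when one is in front)
    ignore_xff=True : mirrors the default ignoreXForwardedForHeader=true; the peer
                      address is used and the header is not consulted.
    ignore_xff=False: use XFF, but only if the peer is a trusted proxy, and take the
                      rightmost entry that is not itself a trusted proxy. Entries to
                      the left of it were supplied by untrusted parties.
    """
    if ignore_xff:
        return peer_ip
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        ip = _parse_ip(addr)
        return ip is not None and any(ip in net for net in trusted)

    if not is_trusted(peer_ip):
        # The request did not come through a known proxy; nothing in the
        # header can be believed, so fall back to the peer address.
        return peer_ip
    for hop in reversed(_xff_chain(headers)):
        if _parse_ip(hop) is None:
            break            # malformed entry: stop and fall back to the peer
        if not is_trusted(hop):
            return hop
    return peer_ip


if __name__ == "__main__":
    LB = "10.10.0.5"                      # constructed load balancer address
    TRUSTED = ("10.10.0.0/24",)
    # Constructed request: client 203.0.113.7 claims to be 198.51.100.1;
    # the load balancer appends the real address before forwarding.
    spoofed = {"X-Forwarded-For": "198.51.100.1, 203.0.113.7"}
    print("default (XFF ignored):     ", client_ip(LB, spoofed))
    print("XFF honoured via trusted LB:", client_ip(LB, spoofed, ignore_xff=False, trusted_proxies=TRUSTED))
    print("naive leftmost reading:    ", leftmost_xff(spoofed))
    # Same spoof sent straight to the external port, bypassing the load balancer.
    print("direct, XFF honoured:      ", client_ip("203.0.113.7", {"X-Forwarded-For": "198.51.100.1"},
                                                   ignore_xff=False, trusted_proxies=TRUSTED))
```

With the default setting the resolved address is the load balancer's, so every client shares one identity for IP-based rules. With the header honoured and the load balancer trusted, the walk from the right returns the real client even when it planted a fake leftmost entry; a request that reaches the port without passing through a trusted proxy falls back to the peer address instead of believing the header. The naive leftmost reading returns the planted address, which is exactly the bypass the note warns about.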