API Gateway 10.3 | Using API Gateway | Policies | Managing Threat Protection Policies
 
Managing Threat Protection Policies
 
Configuring Global Denial of Service Policy
Configuring Denial of Service by IP Policy
Managing Denied IP List
Configuring Rules
Registering a Mobile Device or Application
Configuring Alert Settings
Threat protection policies prevent malicious attacks from client applications that typically involve large, recursive payloads, and SQL injections. You can limit the size of things, such as maximum message size, maximum number of requests, and maximum node depth and text node length, in the XML document. You can configure the global threat protection policies and rules for all the incoming requests that comes through the external port of API Gateway. These policies and rules are enforced by API Gateway based on your configuration.
You must have the API Gateway's manage threat protection functional privilege to configure the following policies and rules.
*Global Denial of Service
*Denial of Service by IP
*Rules
In addition, the API Gateway administrator can configure the necessary mobile devices and applications for which you want to deny the access, configure and customize the deny and alert rules, and manage the denied IPs.
Note: 
*If the API Gateway instances used for Threat protection are clustered using TSA, and if you apply threat protection policy configuration in one of the API Gateway instances, the other API Gateway instances are updated automatically.
*If the API Gateway instances used for Threat Protection are not clustered using TSA, then you need to apply the required threat protection policy configurations in each of the API Gateway instance.
Basically, when you configure the threat protection policy in a clustered setup, you specify the limitations (such as number of requests and concurrent request) that an API Gateway instance in the cluster can handle during a specified time interval. Hence, if you add X number of API Gateway instances, the limitations set in the configuration also increases by X times.
For example, if you have two API Gateway instances and set the limitations as 100 requests per minute, then the API Gateway instances should be able to handle 200 requests per minute. When you add one more API Gateway instance, the processing capacity also increases to 300 requests per minute. Here, the API Gateway cluster used for Threat Protection does not act as a single unit.
Note:
When you have configured a load balancer, the load balancer exposes the actual client IP address using the X-Forwarded-For (XFF) headers. The watt.server.enterprisegateway.ignoreXForwardedForHeader property specifies whether API Gateway uses or ignores the IP address in the XFF headers. By default, API Gateway ignores the client IP address and so the watt.server.enterprisegateway.ignoreXForwardedForHeader property is set to true. If you want API Gateway to use the actual client IP address present in the XFF, then set thewatt.server.enterprisegateway.ignoreXForwardedForHeader property to false.