Forum Discussion

Jun 28, 2022

AdvWAF, OpenAPI - how to update security profile as APIs are added?

Hi - We have an integration in which we want to create a security profile via Guided Configuration for an API server, and plan on importing the OpenAPI specification as the starting point.

But - this server will be adding more APIs on a regular basis for the foreseeable future ... and it's not clear to us how we can add new APIs to the security policy.  The documentation on importing an OpenAPI spec says that all of the APIs supported by the virtual server involved must be described ... what is the procedure to add single APIs, one by one as they become relevant, over time?

Thank you!

  • Hi,

    You have to meet some requirements to protect your APIs with F5:

    Prerequisites

    You must meet the following prerequisites to use this procedure:

    • BIG-IP APM and Advanced WAF are licensed and provisioned on your system.
    • You have an existing OpenAPI specification 2.0 file (JSON or YAML format) that defines your RESTful API.
    • You have configured the following configuration elements on the BIG-IP system:
      • Network components, such as VLANs, self-IP addresses, and routes.
      • Administrative components, such as DNS resolver, network time protocol (NTP), the management IP address, and licensing.


    After meeting these requirements you must deploy the configuration for your APIs. You can choose the guided configuration in the path:

    Security ›› Guided Configuration

    Or create it manually in the path:

    Access ›› API Protection: Profile

    After creating new APIs, you have to add them to the virtual server, but unfortunately it is not possible to directly choose the VS, so you have to use an LTM policy and apply the API Protection based on the URL used to consume the API. This is one example where I choose my API profile based on the URI:

    Additionally, you can find how to deploy the API using the dashboard at this URI:

    https://support.f5.com/csp/article/K44584132

    Hope it works.


    • daboochmeister

      Thank you for the reply and info!  So, if you do it this way, does the new API you add end up with all of the protections as the initial ones you import via the Swagger file?  An example of what I mean - the initial protections, created by the guided configuration, include conditioning the expected input values for each API based upon each one's spec (yes?  that was my understanding, but please tune that if needed!); if you add the new one the way you've described, do you end up with such input value protections, etc.?  Or, are you more simply allowing the URL path to be accessed, and getting the benefit of the general protections (DDoS, bot checks, signature checks, etc.)?

      The goal would be to have full protections, equivalent to if the new API had been included in Guided Configuration policy buildout.  I'm new to AdvWAF, if that doesn't make sense, please don't hesitate to say so and explain!

      • Sebastiansierra

        Hi.

        * Yes, the API protection is configured initially by importing the Swagger file, in blocking or transparent mode.

        * Yes, each API profile is unique, and you can customize it every time that API changes or allowed methods change.

        * The inputs are independent for each API profile; you can modify, allow, and customize them based on your necessities for each API.

        * The URL path for the API is necessary to apply the correct API protection profile; without LTM policies you can apply only one API protection profile per VS.

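Since the thread's concern is that the API server keeps adding operations after the initial Swagger import, a practical first step is to list exactly what a regenerated spec adds, and which parameters the new profile entries will need to constrain. The following is an added example, not code from the thread or from F5: it diffs two OpenAPI 2.0 JSON documents (both constructed inline here; a YAML spec would need to be loaded with a YAML parser first).

```python
"""Diff two OpenAPI 2.0 (Swagger) specs to list the operations added since the
version that was imported into the API Protection profile.  Added example, not
F5 code: it tells you what to add or tune in the profile, it does not push it."""
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def list_operations(spec):
    """Map (path, METHOD) -> sorted parameter summaries for every operation.
    Path-level parameters (shared by all methods on the path) are merged in."""
    ops = {}
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:      # skips "parameters", etc.
                continue
            params = shared + op.get("parameters", [])
            ops[(path, method.upper())] = sorted(
                (p["name"], p["in"], p.get("type") or "schema", bool(p.get("required")))
                for p in params)
    return ops


def diff_specs(old_spec, new_spec):
    """Return operations present in new_spec but absent from old_spec, with params."""
    old, new = list_operations(old_spec), list_operations(new_spec)
    return {key: new[key] for key in sorted(new) if key not in old}


# Constructed sample specs (not from the thread): v1 was imported, v2 adds two operations.
OLD_SPEC = json.loads("""{"swagger": "2.0", "paths": {
  "/orders": {"get": {"parameters": [{"name": "status", "in": "query", "type": "string"}]}}}}""")
NEW_SPEC = json.loads("""{"swagger": "2.0", "paths": {
  "/orders": {"get": {"parameters": [{"name": "status", "in": "query", "type": "string"}]},
              "post": {"parameters": [{"name": "order", "in": "body", "required": true,
                                       "schema": {"type": "object"}}]}},
  "/orders/{id}": {"parameters": [{"name": "id", "in": "path", "type": "integer", "required": true}],
                   "delete": {}}}}""")

if __name__ == "__main__":
    for (path, method), params in diff_specs(OLD_SPEC, NEW_SPEC).items():
        print(f"NEW {method} {path}")
        for name, loc, ptype, required in params:
            print(f"    {name} in {loc} ({ptype}){' required' if required else ''}")
```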