Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

daboochmeister's avatar
daboochmeister
Icon for Cirrus rankCirrus
Jun 27, 2022

AdvWAF, OpenAPI - how to update security profile as APIs are added?

Hi - We have an integration in which we want to create a security profile via Guided Configuration for an API server, and plan on importing the OpenAPI specification as the starting point. But - thi...
advwaf
openapi
security
swagger
waf
Sebastiansierra's avatar
Sebastiansierra
Icon for MVP rankMVP
Jun 28, 2022

Hi,

You have two meet some requirements to protect your APIs with F5:

Prerequisites

You must meet the following prerequisites to use this procedure:

  • BIG-IP APM and Advanced WAF are licensed and provisioned on your system.
  • You have an existing OpenAPI specification 2.0 file (JSON or YAML format) that defines your RESTful API.
  • You have configured the following configuration elements on the BIG-IP system:
    • Network components, such as VLANs, self-IP addresses, and routes.
    • Administrative components, such as DNS resolver, network time protocol (NTP), the management IP address, and licensing.

 

After meeting this requirement you must deploy the configuration for your APIs, you can choose the guided configuration in the path:

Security ›› Guided Configuration

Or create it manually in the path:

Access ›› API Protection: Profile

After creating new APIs, you have to add them to the virtual server, but unfortunately is not possible directly choose the VS, so you have to use LTM_Policy and apply the API Protection based on the URL used to consume the API, This is one example where I choose my API profile based in the URI:

Additional you can find how to deploy the API using the dashboard in this URI:

https://support.f5.com/csp/article/K44584132

Hope it´s works.

 

daboochmeister's avatar
daboochmeister
Icon for Cirrus rankCirrus
Jun 28, 2022

Thank you for the reply and info!  So, if you do it this way, does the new API you add end up with all of the protections as the initial ones you import via the Swagger file?  An example of what I mean - the initial protections, created by the guided configuration, include conditioning the expected input values for each API based upon each's spec (yes?  that was my understanding, but pls tune that if needed!); if you add the new one the way you've described, do you end up with such input value protections, etc.?  Or, are you more simply allowing the URL path to be accessed, and getting the benefit of the general protections (DDoS, bot checks, signature checks, etc.)?

The goal would be to have full protections, equivalent to if the new API had been included in Guided Configuration policy buildout.  I'm new to AdvWAF, if that doesn't make sense, please don't hesitate to say so and explain!

  • Sebastiansierra's avatar
    Sebastiansierra
    Icon for MVP rankMVP
    Jun 28, 2022

    Hi.

    *Yes the API protection is configured initially importing the Swagger file, in block or transparent mode.

    * Yes, each API profile is unique, and you can customize it every time that API changes or allowed methods change.

    *The inputs are independent for each API profile, you can modify, allow, and customize based on your necessities for each API.

    *The URL path for the API is necessary to apply the correct API protection profile, without LTM policies you can apply only one API protection profile by VS.

     

     

    *