Forum Discussion
Hi,
You have to meet some requirements to protect your APIs with F5:
Prerequisites
You must meet the following prerequisites to use this procedure:
- BIG-IP APM and Advanced WAF are licensed and provisioned on your system.
- You have an existing OpenAPI specification 2.0 file (JSON or YAML format) that defines your RESTful API.
- You have configured the following configuration elements on the BIG-IP system:
  - Network components, such as VLANs, self-IP addresses, and routes.
  - Administrative components, such as DNS resolver, network time protocol (NTP), the management IP address, and licensing.
After meeting these requirements, you must deploy the configuration for your APIs. You can choose the guided configuration in the path:
Security ›› Guided Configuration
Or create it manually in the path:
Access ›› API Protection: Profile
After creating new APIs, you have to add them to the virtual server, but unfortunately it is not possible to directly choose the VS, so you have to use an LTM_Policy and apply the API Protection based on the URL used to consume the API. This is one example where I choose my API profile based on the URI:
Additionally, you can find how to deploy the API using the dashboard at this URI:
https://support.f5.com/csp/article/K44584132
Hope it works.
Thank you for the reply and info! So, if you do it this way, does the new API you add end up with all of the protections as the initial ones you import via the Swagger file? An example of what I mean - the initial protections, created by the guided configuration, include conditioning the expected input values for each API based upon each's spec (yes? that was my understanding, but pls tune that if needed!); if you add the new one the way you've described, do you end up with such input value protections, etc.? Or, are you more simply allowing the URL path to be accessed, and getting the benefit of the general protections (DDoS, bot checks, signature checks, etc.)?
The goal would be to have full protections, equivalent to if the new API had been included in Guided Configuration policy buildout. I'm new to AdvWAF, if that doesn't make sense, please don't hesitate to say so and explain!
- Jun 28, 2022
Hi.
* Yes, the API protection is configured initially by importing the Swagger file, in block or transparent mode.
* Yes, each API profile is unique, and you can customize it every time that API changes or allowed methods change.
* The inputs are independent for each API profile; you can modify, allow, and customize them based on your necessities for each API.
* The URL path for the API is necessary to apply the correct API protection profile; without LTM policies you can apply only one API protection profile per VS.