Forum Discussion

spalande
Aug 23, 2024

API WAF policy

  • Does anyone have experience in successfully setting up an API security WAF policy using an OpenAPI swagger file?
  • Do we have to import JSON schema files separately along with the swagger file, or is the JSON schema which was created automatically by AWAF after the import of the swagger file good to go?
  • Is anyone able to import more than 1 JSON schema file successfully under the same JSON profile?


Background:

We have imported the swagger file provided by the app team and AWAF has recognized all entities (URL, parameters) correctly. It has also created a custom JSON content profile and JSON schema file automatically. However, the requests were blocked with the default JSON schema file with a "JSON not compliant with schema" violation.

We then imported the JSON schema file provided by the app team and it worked as expected. But the API has 4 JSON schema files for diff kinds of payloads and uses the same endpoint/URL. When we try to import more than 1 JSON schema file under 1 JSON profile we get a validation failed error.


Has anyone faced a similar issue with an API WAF policy?

3 Replies

  • If the URL/endpoint is the same then how does your App know which JSON schema is needed for the diff kinds of payloads? Is the URL truly the same or does it use 4 types of positional parameters for the 4 types of payloads?

    If you know that and it is the value in the Content-Type header then just configure different JSON profiles for the URL that match the different content types:

    Requests with (Content-Type: application/json) blocked by ASM (f5.com)

    If the URL is with positional parameters just configure 4 explicit URLs for the 4 content types, not 1 URL with positional parameters:

    Creating positional parameters for a URL (f5.com)

    Also if the JSON schema is for a parameter in the BODY you can assign the JSON profile not to the URL but to the parameter itself:

    Adding JSON Support to an Existing Security Policy (f5.com)

    A more complex way, if neither the Content-Type nor a positional parameter is used for the policy but something like a query parameter signals what JSON body is returned, is to use an iRule or local traffic policy to attach different WAF policies for the 4 different cases, with the 4 WAF policies using the same swagger/openapi file but a different JSON profile for the URL.

    ASM::enable (f5.com)

    HTTP::query (f5.com)

    • spalande

      There isn't any other differentiator, such as a URL query parameter or a different Content-Type header. The URL path is the same for all payloads. The API service is designed to handle multiple schemas within the body, which may or may not include all the fields across different schema files due to business requirements.

      Does F5 support OpenAPI 3 and above? Also, do we have to import JSON schema files separately if we have an OpenAPI swagger file imported (the OpenAPI swagger file had auto-populated a JSON schema though)?


      • Nikoolayy1

        There should be a differentiator, as you mentioned "API has 4 JSON schema files for diff kinds of payloads"; better check with your app team as this is domain knowledge for your environment that I can't know of.

        The latest versions of BIG-IP support OpenAPI 3 (there is no "above" at the moment, as 3.x is the latest that I am aware of). I suggest using 16.1.x or 17.1.x, the latest versions (for rSeries or VELOS 17.1.x is the way, as 16.1.x is not supported).

        Also see:

        Working with OpenAPI JSON schemas (f5.com)

        ---

        The JSON schema is validated when uploaded and any violations are noted. You can use more than 1 JSON schema file but each file must be uploaded separately and the JSON Profile Properties updated after each upload.

        When using more than 1 JSON schema file, upload the file with include links first. An error is generated but uploading the subsequent files resolves the broken links error.

        After a JSON schema is uploaded and selected, the Parse Parameters setting is disabled because the policy stops using any configured policy parameters and begins using the JSON parameters.

        --
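To make the situation in the original question and the quoted docs concrete (one URL, four payload kinds, four schema files that reference each other), here is an added Python example that is not F5/BIG-IP code and not from anyone in this thread. It implements a small subset of JSON Schema (type, const, required, properties, additionalProperties, items, oneOf, $ref) and shows how a single umbrella schema whose oneOf branches $ref four separately kept schema files accepts each payload kind while still rejecting malformed or mismatched bodies, and how a missing referenced file shows up as a broken link. The file names (order.json, refund.json, cancel.json, status.json), the "kind" discriminator field and all request bodies are constructed for illustration; a real API's schemas will differ.

```python
"""Added example (not F5/BIG-IP code): a small JSON Schema subset validator showing
how four payload kinds posted to one URL can be checked by a single umbrella schema
whose oneOf branches $ref four separately maintained schema files, i.e. the
"include links" arrangement the quoted docs describe. Schema files, field names
and request bodies below are constructed for illustration."""
import json

# Constructed stand-ins for the four schema files the app team would hand over.
# Each fixes its own "kind" value so that exactly one branch can match a payload.
SCHEMA_FILES = {
    "order.json": {"type": "object", "additionalProperties": False,
                   "required": ["kind", "orderId", "amount"],
                   "properties": {"kind": {"const": "order"}, "orderId": {"type": "integer"},
                                  "amount": {"type": "number"}}},
    "refund.json": {"type": "object", "additionalProperties": False,
                    "required": ["kind", "orderId"],
                    "properties": {"kind": {"const": "refund"}, "orderId": {"type": "integer"},
                                   "reason": {"type": "string"}}},
    "cancel.json": {"type": "object", "additionalProperties": False,
                    "required": ["kind", "orderId"],
                    "properties": {"kind": {"const": "cancel"}, "orderId": {"type": "integer"}}},
    "status.json": {"type": "object", "additionalProperties": False,
                    "required": ["kind", "orderIds"],
                    "properties": {"kind": {"const": "status"},
                                   "orderIds": {"type": "array", "items": {"type": "integer"}}}},
}

# Umbrella schema attached to the shared URL: a body must satisfy exactly one branch.
UMBRELLA = {"oneOf": [{"$ref": name} for name in sorted(SCHEMA_FILES)]}

_TYPE_CHECKS = {
    "object": lambda v: isinstance(v, dict),
    "array": lambda v: isinstance(v, list),
    "string": lambda v: isinstance(v, str),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "boolean": lambda v: isinstance(v, bool),
    "null": lambda v: v is None,
}


def missing_links(schema, files):
    """List $ref targets not among the uploaded files: the 'broken links' the docs
    say are reported until the remaining schema files have been uploaded."""
    missing = set()

    def walk(node):
        if isinstance(node, dict):
            if "$ref" in node and node["$ref"] not in files:
                missing.add(node["$ref"])
            for child in node.values():
                walk(child)
        elif isinstance(node, list):
            for child in node:
                walk(child)

    walk(schema)
    return sorted(missing)


def validate(value, schema, files, path="$"):
    """Return a list of violation strings; an empty list means the value complies."""
    if "$ref" in schema:
        target = files.get(schema["$ref"])
        if target is None:
            return [f"{path}: broken link to schema file {schema['$ref']!r}"]
        return validate(value, target, files, path)
    errors = []
    if "const" in schema and value != schema["const"]:
        errors.append(f"{path}: expected constant {schema['const']!r}")
    if "type" in schema and not _TYPE_CHECKS[schema["type"]](value):
        errors.append(f"{path}: expected type {schema['type']}")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required property missing")
        for name, sub in value.items():
            if name in props:
                errors.extend(validate(sub, props[name], files, f"{path}.{name}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{name}: additional property not allowed")
    if isinstance(value, list) and "items" in schema:
        for i, item in enumerate(value):
            errors.extend(validate(item, schema["items"], files, f"{path}[{i}]"))
    if "oneOf" in schema:
        hits = sum(1 for alt in schema["oneOf"] if not validate(value, alt, files, path))
        if hits != 1:
            errors.append(f"{path}: matched {hits} of {len(schema['oneOf'])} oneOf branches, need exactly 1")
    return errors


def check_request(body, schema=UMBRELLA, files=SCHEMA_FILES):
    """Emulate the enforcement decision for one request body: (allowed, violations)."""
    try:
        value = json.loads(body)
    except ValueError as exc:          # JSONDecodeError is a ValueError subclass
        return False, [f"malformed JSON: {exc}"]
    violations = validate(value, schema, files)
    return not violations, violations
```

Two points the code makes that the thread only states in words: validating every body against just one of the four files (as a single auto-generated or single uploaded schema would) blocks the other three payload kinds, which is the symptom described in the question; and the branches only discriminate cleanly because each file pins a distinct `kind` value and forbids additional properties, so a body can never satisfy two branches at once. `missing_links` corresponds to the broken-links error the quoted docs mention when the file carrying the references is uploaded before the files it points to.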