Forum Discussion

spalande's avatar
spalande
Icon for Nacreous rankNacreous
Aug 23, 2024

API WAF policy

Does anyone have experience in setting up API security WAF policy successfully using open API swagger file? Do we have to import JSON schema files separately along with the swagger file or JSON sch...
security
Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP

If the the URL/endpoint is the same then how does your App know which JSON schema is needed for the diff kinds of payloads? Is the URL truly the same or it uses 4 types of positional parameters for the 4 types of payloads  ? 

 

If you know that and it is the value in the content-type header then just configure different json profiles for URL that match the different content types:

 

Requests with (Content-Type: application/json) blocked by ASM (f5.com)

 

 

If the URL is with positional parameters just configure 4 explicit URLs for the 4 content types not 1 URL with positional parameters:

 

Creating positional parameters for a URL (f5.com)

 

 

Also if the JSON scheme is a for a parameter in the BODY you can assign the Json profile not for the URL but the parameter itself:

 

Adding JSON Support to an Existing Security Policy,Adding JSON Support to an Existing Security Policy,Adding JSON Support to an Existing Security Policy (f5.com)

 

 

A complex way could be if not the Content-Type or a positional parameter is used for the policy but something like a query parameter to signal what json body is returned is to use irule or local traffic policy to attach different waf polies for the 4 different cases and the 4 WAF policies to be with the same sawgger/openapi file but for the URL different JSON profile.

 

ASM::enable (f5.com)

 

HTTP::query (f5.com)

spalande's avatar
spalande
Icon for Nacreous rankNacreous
Aug 28, 2024

There isn't any other differentiator, such as a URL query parameter or a different content-type header.  URL path is the same for all payloads. API service is designed to handle multiple schemas within the body, which may or may not include all the fields across different schema files due to business requirements.

Does F5 support open API 3 and above? Also, do we have to import JSON schema files separately if we have an openAPI swagger file imported (open API swagger file had auto-populated JSON schema though)? 

 

  • Nikoolayy1's avatar
    Nikoolayy1
    Icon for MVP rankMVP
    Aug 28, 2024

    There should be a differentiator as you mentioned "API has 4 JSON schema files for diff kinds of payloads" better check with your app team as this is domain knowledge for your environment that I can't know of.

     

    The latest versions of BIG-IP support openapi 3 (there is no above at the moment as 3.x is the latest that I am aware of). I suggest using 16.1.x or 17.1.x the latest versions (for rSeries or Velos 17.1x is the way as 16.1. is not supported).

     

    Also see:

     

    Working with OpenAPI JSON schemas,Working with OpenAPI JSON schemas,Working with OpenAPI JSON schemas (f5.com)

     

     

    ---

     

    The JSON schema is validated when uploaded and any violations are noted. You can use more than 1 JSON schema file but each file must be uploaded separately and the JSON Profile Properties updated after each upload.

    When using more than 1 JSON schema file, upload the file with 

    include

     links first. An error is generated but uploading the subsequent files resolves the broken links error.

    After a JSON schema is uploaded and selected, the 

    Parse Parameters

     setting is disabled because the policy stops using any configured policy parameters and begins using the JSON parameters.

     

    --