Generating irule logs, emails and reports for Shadow API Endpoints on the F5 BIG-IP AWAF/ASM device

Nowadays the F5 XC Distributed Cloud is all the rage for shadow API discovery and schema learning as seen in https://docs.cloud.f5.com/docs/how-to/app-security/apiep-discovery-control and for a good reason!

 

The F5 BIG-IP does not have this option but with a little bit of irule code the shadow API endpoints can be discovered by creating an API security policy with irules enabled. As by default new URL will not be learned, you can enable this as to not only see the logs but also the learning suggestions. In the future there could be integration between F5 XC API protection and F5 AWAF/ASM to generate the OpenAPI/Swagger file by sending the API data from the F5 BIG-IP to the F5 XC Distributed Cloud WAAP API Protection service that will generate the OpenAPI/Swagger file, using the XC receiver features. You can review the discussion below:

https://community.f5.com/t5/technical-forum/export-big-ip-awaf-urls-to-swagger-file/td-p/319845

 

Edit:

Now there is an official article about sending the API traffic from F5 BIG-IP to XC for Swagger/OpenAPI file generation:

 

https://community.f5.com/t5/technical-articles/apis-everywhere/ta-p/320688

 

This is limited to what F5 XC can do and there is no way to generate a new Swagger/OpenAPI files based on accepted new endpoints but it is still a good option for on-prem implementations.

 

 

 

 

The below code is a modification of the code at https://clouddocs.f5.com/api/irules/ASM__unblock.html and https://clouddocs.f5.com/api/irules/ASM_REQUEST_DONE.html

 

CODE:

 

when ASM_REQUEST_DONE
{
log local0. "[ASM::violation_data] uri=[HTTP::uri]"
set x [ASM::violation_data]

for {set i 0} { $i < 7 } {incr i} {
switch $i {
0 { }
1 { }
2 { }
3 { }
4 { }
5 { }
6 { }
}}

if {([lindex $x 5] contains "ATTACK_TYPE_FORCEFUL_BROWSING")}
{
log local0. "Illegal API endpoint detected for uri=[HTTP::uri]"

ASM::unblock

}
}

 

The ASM::unblock is added as if we want to just monitor and discover undocumented or shadow API but to have the ASM policy in blocking mode for anything else. Also just the Illegal URL violation still can be stopped under Traffic Learning but Alarm and Learn can be left enabled.

 

Also custom SNMP and email notifications can be configured based on this message and for more info you can see https://my.f5.com/manage/s/article/K3727 and https://my.f5.com/manage/s/article/K3667 . Even ASM reports can be generated for this data.

 

 

The same can be done for parameters and Methods !

Updated Sep 19, 2023
Version 16.0
No CommentsBe the first to comment