Nowadays the F5 XC Distributed Cloud is all the rage for shadow API discovery and schema learning as seen in https://docs.cloud.f5.com/docs/how-to/app-security/apiep-discovery-control and for a good reason!

The F5 BIG-IP does not have this option but with a little bit of irule code the shadow API endpoints can be discovered by creating an API security policy with irules enabled. As by default new URL will not be learned, you can enable this as to not only see the logs but also the learning suggestions.

This is limited to what F5 XC can do and there is no way to generate a new Swagger/OpenAPI files based on accepted new endpoints but it is still a good option for on-prem implementations.

The below code is a modification of the code at https://clouddocs.f5.com/api/irules/ASM__unblock.html and https://clouddocs.f5.com/api/irules/ASM_REQUEST_DONE.html

CODE:

when ASM_REQUEST_DONE
{
log local0. "[ASM::violation_data] uri=[HTTP::uri]"
set x [ASM::violation_data]

for {set i 0} { $i < 7 } {incr i} {
switch $i {
0 { }
1 { }
2 { }
3 { }
4 { }
5 { }
6 { }
}}

if {([lindex $x 5] contains "ATTACK_TYPE_FORCEFUL_BROWSING")}
{
log local0. "Illegal API endpoint detected for uri=[HTTP::uri]"

ASM::unblock

}
}

The ASM::unblock is added as if we want to just monitor and discover undocumented or shadow API but to have the ASM policy in blocking mode for anything else. Also just the Illegal URL violation still can be stopped under Traffic Learning but Alarm and Learn can be left enabled.

Also custom SNMP and email notifications can be configured based on this message and for more info you can see https://my.f5.com/manage/s/article/K3727 and https://my.f5.com/manage/s/article/K3667 . Even ASM reports can be generated for this data.

The same can be done for parameters !