Setting Up API Protection

Published April 5, 2023 | Last modified December 9, 2024

Objective

This document provides instructions on configuring API Protection on the F5® Distributed Cloud Platform. This core capability is essential for dynamically securing and monitoring your application's API endpoints.

Prerequisites

F5 Distributed Cloud Console SaaS account.

Note: If you do not have an account, see Create an Account.
Active HTTP Load Balancer configured for your application within the Distributed Cloud environment. See Setting up a load balancer on WAAP.
OpenAPI Specification files, if applicable.
API Discovery is set up.

Concepts

OpenAPI Specification: A standard format used to define and describe RESTful APIs. By uploading OpenAPI specs, you can define the structure of your APIs and ensure that API Discovery is aware of all intended endpoints.
Schema Validation: Ensures that API traffic conforms to a specified schema. This is crucial for preventing security vulnerabilities, especially those highlighted in the OWASP API Security Top 10. Schema validation can block or report non-compliant traffic.
API Protection: Encompasses a set of features, including schema validation, service policies, and threat protection, designed to secure your API endpoints from attacks and unauthorized access.

Configuration

The configuration process is divided into two sections: API Discovery and API Protection.

Activity	Description
Find HTTP Load Balancer	Locate the specific HTTP Load Balancer where API Discovery will be enabled.
Upload OpenAPI Specs and Apply API Definitions	Upload OpenAPI Specification files, create API definitions, and apply them to the load balancer.
Configure API Protection (Schema Validation)	Set up schema validation as part of API Protection.

Set Up API Discovery

Step 1: Prepare OpenAPI Specification Files.

Prepare your OpenAPI specification files locally with the required API definitions.

Step 2: Upload OpenAPI Specification Files and Apply API Definitions.

Log into Console.

Figure: Console Homepage

Click Web App & API Protection.
Select your namespace.

Figure: Select Namespace

Navigate to Manage > Files > OpenAPI Files.

Figure: OpenAPI Files

Click Add OpenAPI File.

Figure: Upload OpenAPI File

Enter a name for this file and optionally add a description.
Click Upload File and select your file from the system window.

Step 3: Create and Apply API Definition.

Navigate to Manage > API Management > API Definition.

Figure: API Definitions

Click Add API Definition.

Figure: API Definition Form

Enter a name for this file and optionally add labels and a description.
Click Add Item and select the OpenAPI specification file you uploaded in the previous step.
Click Save and Exit.
Click Manage > Load Balancers > HTTP Load Balancers.
In the Actions column for your load balancer, select ... > Manage Configuration.
Select Edit Configuration in the upper right corner.

Figure: Enable API Definition

In the API Protection section, use the API Definition drop-down menu to select Enable.

Figure: Select API Definition

Select one of your API definitions from the API Definition drop-down menu.
Click Save and Exit to save your updated load balancer configuration.

Set Up API Protection

Validation is disabled by default. Follow these steps to enable and configure it.

Step 1: Enable OpenAPI Validation.

Click Manage > Load Balancers > HTTP Load Balancers.
In the Actions column for your load balancer, select ... > Manage Configuration.
Select Edit Configuration in the upper right corner.
Scroll down to the API Protection section.

Figure: API Definition Validation Choices

Choose a validation method.

Step 2: API Inventory Validation

Select API Inventory in the Validation drop-down menu.
API Inventory is configured with default values. Click View Configuration to make changes.

Figure: API Definition Validation Form

Choose Validate or Skip for the OpenAPI Validation Request Processing Mode drop-down menu to enforce or skip validation, respectively. For Validate, also do the following:
- Choose Report or Block for the Request Validation Enforcement Type to either allow traffic and log an event (Report) or block it entirely (Block).
- Specify which parameters should be validated using the Request Validation Properties drop-down menu.
Choose Validate or Skip for the OpenAPI Validation Response Processing Mode drop-down menu to enforce or skip validation, respectively. For Validate, also do the following:
- Choose Report or Block for the Request Validation Enforcement Type to either allow traffic and log an event (Report) or block it entirely (Block).
- Specify which parameters should be validated using the Request Validation Properties drop-down menu.

Alternative Custom List Validation

Select Custom List in the Validation drop-down menu, and then click Configure.

Figure: Custom List Validation Form

Click Configure to build your list of validation rules.
For each rule you want to add, click Add Item in the Validation List.

Figure: Custom Validation Form

Enter a name for the rule and then specify the endpoint, domain, and methods to validate.
Click Apply to save each rule you add.
When you're done adding rules, click Apply to save the rule list.

For endpoints not specified in either the API file or custom rules, the Fall Through Mode determines the behavior. The default is Allow, which allows any unprotected endpoint. For different behavior, select Custom.

Custom Fall Through

Select Custom in the Fall Through Mode drop-down menu and then click Configure to build your rules list.
For each rule you want to add, click Add Item in the Custom Fall Through List and specify the endpoint, domain, and methods to validate.

Figure: Custom Fall Through

Enter a name for this rule and optionally a description.
Choose Skip, Report, or Block from the Action drop-down menu.
Click Apply to save each rule. Then click Apply to save the Custom Fall Through Rule List.

Click Apply to save the validation rules and get back to the load balancer configuration form.
Click Save and Exit to save the changes to your load balancer.