Setting Up API Discovery & Protection

Objective

This document provides instructions on configuring API Discovery and API Protection on the F5® XC Distributed Cloud Platform. These two core capabilities are essential for dynamically identifying, securing, and monitoring your application's API endpoints.

Prerequisites

Concepts

  • API Discovery: The process of dynamically identifying and classifying all API endpoints within your application, including Inventory, Discovered, and Shadow APIs. It involves both detecting APIs from traffic and integrating OpenAPI Specifications to create API definitions.
  • OpenAPI Specification: A standard format used to define and describe RESTful APIs. By uploading OpenAPI specs, you can define the structure of your APIs and ensure that API Discovery is aware of all intended endpoints.
  • Sensitive Data Discovery: This feature identifies and masks sensitive data such as Personally Identifiable Information (PII) within API traffic. This helps ensure data privacy and compliance with regulations.
  • Schema Validation: Ensures that API traffic conforms to a specified schema. This is crucial for preventing security vulnerabilities, especially those highlighted in the OWASP API Security Top 10. Schema validation can block or report non-compliant traffic.
  • Service Policies: These are rules that control access to your APIs, allowing you to define who can access specific API endpoints or groups. Service policies provide granular control over API traffic and security.
  • API Protection: Encompasses a set of features, including schema validation, service policies, and threat protection, designed to secure your API endpoints from attacks and unauthorized access.

Configuration

The configuration process is divided into two sections: API Discovery and API Protection.

ActivityDescription
Find HTTP Load BalancerLocate the specific HTTP Load Balancer where API Discovery will be enabled.
Enable API Discovery (Traffic-based)Enable API Discovery on the identified HTTP Load Balancer.
Upload OpenAPI Specs and Apply API DefinitionsUpload OpenAPI Specification files, create API definitions, and apply them to the load balancer.
Configure API Protection (Schema Validation)Set up schema validation and as part of API Protection.

Set Up API Discovery

Step 1: Find your HTTP Load Balancer.
  • Log into Console.
Figure: Console Homepage

Figure: Console Homepage

  • Click Web App & API Protection.

  • Select your namespace.

Figure: Select Namespace

Figure: Select Namespace

  • Click Manage > Load Balancers > HTTP Load Balancers and locate your HTTP load balancer in the list.
Figure: Load Balancers

Figure: Load Balancers

Step 2: Enable API Discovery.
Figure: Manage Load Balancer Configuration

Figure: Manage Load Balancer Configuration

  • For the target load balancer, click ... > Manage Configuration in the Action column.

  • Click Edit Configuration in the top right section of the page.

  • Scroll down to the API Protection section.

  • Select Enable from the API Discovery drop-down menu. This will also expose the API discovery settings.

Figure: Enable API Discovery

Figure: Enable API Discovery

  • Select your desired option from the Learn From Traffic With Direct Response drop-down menu. By default, API Discovery learns only from traffic with 2xx (successful) responses. You can choose to select Enable Learning From Redirect Traffic to also learn from traffic with 3xx (redirect) responses.

  • Use the Purge Duration for Inactive Discovered APIs field to specify how often to delete inactive discovered APIs. The purging occurs after the number of days you specify expires.

  • Scroll to the bottom of the page and click Save and Exit.

Step 3: Add Code Scanning API Discovery.
Figure: Add Code Base Integration

Figure: Add Code Base Integration

  • Navigate to Manage > API Management > Code Base Integration.

  • Click Add Code Base Integration.

Figure: Add Code Base Integration Form

Figure: Add Code Base Integration Form

  • Enter a name for this integration and optionally enter labels and a description.

  • Select the code base you want to integrate (GitHub, GitLab, azure, etc.) from the Code Base drop-down menu.

  • Based on your selected code base, add the required integration information (i.e. API key/username + password)

  • Click Save and Exit.

  • Go back to your load balancer (from Step 1) and scroll down to the API Protection section.

Figure: Enable API Discovery

Figure: Enable API Discovery

  • Make sure API discovery is enabled and click Configure under API Repositories. This will bring up an empty list of code base integrations. Click Add Item to start the list.

  • Select the code base you created above.

  • Select the API repositories you wish to include from the code base.

Figure: Select Code Base

Figure: Select Code Base

  • Scroll to the bottom and click Save and Exit.

  • You can now see in the API inventory the source of detection of an API endpoints.

Figure: Monitor API Endpoints

Figure: Monitor API Endpoints

Step 4: Upload OpenAPI Specification Files and Apply API Definitions.
  • Navigate to Manage > Files > OpenAPI Files.
Figure: OpenAPI Files

Figure: OpenAPI Files

  • Click Add OpenAPI File.
Figure: Upload OpenAPI File

Figure: Upload OpenAPI File

  • Enter a name for this file and optionally add a description.

  • Click Upload File and select your file from the system window.

Step 5: Create and Apply API Definition.
  • Navigate to Manage > API Management > API Definition.
Figure: API Definitions

Figure: API Definitions

  • Click Add API Definition.
Figure: API Definition Form

Figure: API Definition Form

  • Enter a name for this file and optionally add labels and a description.

  • Click Add Item and select the OpenAPI specification file you uploaded in the previous step.

  • Click Save and Exit.

  • Go back to your load balancer (from Step 1), scroll down to the API Protection section and select Enable in the API Definition drop-down menu.

Figure: Enable API Definition

Figure: Enable API Definition

  • Select on of your API Definitions from the API Definition drop-down menu.

  • Click Save and Exit to save your updated load balancer configuration.

Set Up API Protection

Perform the following to create your set up you API Protection:

Step 1: Configure OpenAPI Validation.

  • Go back to your load balancer (from Step 1) and scroll down to the API Protection section.

  • Choose a validation method.

Figure: API Definition Validation Choices

Figure: API Definition Validation Choices

Step 2: API Inventory Validation

  • Select API Inventory in the Validation drop-down menu.

  • API Inventory is configured with default values. Click View Configuration to make changes.

Figure: API Definition Validation Form

Figure: API Definition Validation Form

  • Choose Validate or Skip for the OpenAPI Validation Request Processing Mode drop-down menu to enforce or skip validation, respectively. For Validate, also do the following:

    • Choose Report or Block for the Request Validation Enforcement Type to either allow traffic and log an event (Report) or block it entirely (Block).

    • Specify which parameters should be validated using the Request Validation Properties drop-down menu.

  • Choose Validate or Skip for the OpenAPI Validation Response Processing Mode drop-down menu to enforce or skip validation, respectively. For Validate, also do the following:

    • Choose Report or Block for the Request Validation Enforcement Type to either allow traffic and log an event (Report) or block it entirely (Block).

    • Specify which parameters should be validated using the Request Validation Properties drop-down menu.

Alternative Custom List Validation
  • Select Custom List in the Validation drop-down menu, and then click Configure.
Figure: Custom List Validation Form

Figure: Custom List Validation Form

  • Click Configure to build your list of validation rules.

  • For each rule you want to add, click Add Item in the Validation List.

Figure: Custom Validation Form

Figure: Custom Validation Form

  • Enter a name for the rule and then specify the endpoint, domain, and methods to validate.
  • Click Apply to save each rule you add.
  • When you're done adding rules, click Apply to save the rule list.
  • For endpoints not specified in either the API file or custom rules, the Fall Through Mode determines the behavior. The default is Allow, which allows any unprotected endpoint. For different behavior, select Custom.
Custom Fall Through

  • Select Custom in the Fall Through Mode drop-down menu and then click Configure to build your rules list.

  • For each rule you want to add, click Add Item in the Custom Fall Through List and specify the endpoint, domain, and methods to validate.

Figure: Custom Fall Through

Figure: Custom Fall Through

  • Enter a name for this rule and optionally a description.

  • Choose Skip, Report, or Block from the Action drop-down menu.

  • Click Apply to save each rule. Then click Apply to save the Custom Fall Through Rule List.

  • Click Apply to save the validation rules and get back to the load balancer configuration form.

  • Click Save and Exit to save the changes to your load balancer.

Limitations

Discovery From Code

  • Code scan intervals:

    • Discovering new repositories - once a day
    • Scanning existing repositories - once a day
    • Checking integration token validity - every 5 minutes

  • Supported languages and frameworks:

    • Java
      • EE
      • Spring
    • .Net
    • Python
      • Flask
      • Django - function-based views
    • Javascript
      • Express
      • Hapi
    • Go

  • Supported SCM platforms:

    • Azure Repos
    • Bitbucket Cloud
    • Bitbucket Server
    • GitHub - Only classic tokens
    • GitHub Enterprise - Only classic tokens
    • GitLab
    • GitLab Enterprise

  • Code base integration will scan repos from the organization level, not from the user level.

On this page: