Setting Up API Discovery

• Log into Console.

Figure: Console Homepage

• Click Web App & API Protection.

• Select your namespace.

Figure: Select Namespace

• Click Manage > Load Balancers > HTTP Load Balancers and locate your HTTP load balancer in the list.

Figure: Load Balancers

Figure: Manage Load Balancer Configuration

• For the target load balancer, click ... > Manage Configuration in the Action column.

• Click Edit Configuration in the top-right section of the page.

• Scroll down to the API Protection section.

• Select Enable from the API Discovery drop-down menu. This will also expose the API discovery settings.

Figure: Enable API Discovery

• Select your desired option from the Learn From Traffic With Direct Response drop-down menu. By default, API Discovery learns only from traffic with 2xx (successful) responses. You can choose to select Enable Learning From Redirect Traffic to also learn from traffic with 3xx (redirect) responses.

• Use the Purge Duration for Inactive Discovered APIs field to specify how often to delete inactive discovered APIs. The purging occurs after the number of days you specify expires.

• Scroll to the bottom of the page and click Save and Exit.

Figure: Add Code Base Integration

• Navigate to Manage > API Management > Code Base Integration.

• Click Add Code Base Integration.

Figure: Add Code Base Integration Form

• Enter a name for this integration and optionally enter labels and a description.

• Select the code base you want to integrate (GitHub, GitLab, azure, and so on) from the Code Base drop-down menu.

• Based on your selected code base, you will need to add the required integration information (in other words, API key/username with password) to the Console. You can obtain integration information for your codebase as described in one of the options shown below.

In Distributed Cloud Console:

• Click Configure to bring up the Secret Type form. You can either Blindfold your token/password or you can store it in the clear.

• Paste your token/password into either the Secret to Blindfold or Secret field.

• Click Apply to save your token.

• Click Save and Exit.

• Go back to your load balancer (from Step 1) and scroll down to the API Protection section.

Figure: Enable API Discovery

• Make sure API discovery is enabled and click Configure under API Repositories. This will bring up an empty list of code base integrations. Click Add Item to start the list.

• Select the code base you created above.

• Select the API repositories you wish to include from the code base.

Figure: Select Code Base

• Scroll to the bottom and click Save and Exit.

• You can now see in the API inventory the source of detection of API endpoints. Note that it can take up to two hours for the discovery process to run and show results.

Figure: Monitor API Endpoints

• Click Manage > Load Balancers > HTTP Load Balancers and locate your HTTP load balancer in the list.

Figure: Load Balancers

Figure: Manage Load Balancer Configuration

• For the target load balancer, click ... > Manage Configuration in the Action column.

• Click Edit Configuration in the top-right section of the page.

• Scroll down to the API Protection section.

• Select Enable from the API Crawling drop-down menu (API Discovery must be enabled to see the API Crawling drop-down menu). This will also expose the Domains to Crawl list.

Figure: Enable API Discovery

• For each domain you want to crawl,

  • Click Add Item in the Domains to Crawl list.
  • Enter the domain you want to crawl. Optionally, you can click in the Domain field and then click See Suggestions.
  • Enter the username in the User field.
  • To enter the password, click Configure to bring up the Secret Type form. You can either Blindfold your password or you can store it in the clear.
    • Paste your token/password into either the Secret to Blindfold or Secret field.
    • Click Apply to save your secret (password).
  • Click Apply to save your domain to the Domains to Crawl list.

• Scroll to the bottom of the page and click Save and Exit.

• Scanning will begin shortly. You will soon (up to 4 hours) start seeing results in your API Endpoints page for this load balancer under the Discovery Source column.

Figure: Monitor API Endpoint Sources

1. Check credentials:

• Correct username and password
• No MFA requirements
• Not expired
• Proper permissions

2. For API Crawling:

• Using root domain
• Website accessible via the browser
• No geo-restrictions
• No WAF or bot protections blocking