Setting Up API Discovery & Protection
Objective
This document provides instructions on configuring API Discovery and API Protection on the F5® XC Distributed Cloud Platform. These two core capabilities are essential for dynamically identifying, securing, and monitoring your application's API endpoints.
Prerequisites
- F5 Distributed Cloud Console SaaS account. Note: If you do not have an account, see Create an Account.
- Active HTTP Load Balancer configured for your application within the Distributed Cloud environment. See Setting up a load balancer on WAAP.
- OpenAPI Specification files, if applicable.
Concepts
- API Discovery: The process of dynamically identifying and classifying all API endpoints within your application, including Inventory, Discovered, and Shadow APIs. It involves both detecting APIs from traffic and integrating OpenAPI Specifications to create API definitions.
- OpenAPI Specification: A standard format used to define and describe RESTful APIs. By uploading OpenAPI specs, you can define the structure of your APIs and ensure that API Discovery is aware of all intended endpoints.
- Sensitive Data Discovery: This feature identifies and masks sensitive data such as Personally Identifiable Information (PII) within API traffic. This helps ensure data privacy and compliance with regulations.
- Schema Validation: Ensures that API traffic conforms to a specified schema. This is crucial for preventing security vulnerabilities, especially those highlighted in the OWASP API Security Top 10. Schema validation can block or report non-compliant traffic.
- Service Policies: These are rules that control access to your APIs, allowing you to define who can access specific API endpoints or groups. Service policies provide granular control over API traffic and security.
- API Protection: Encompasses a set of features, including schema validation, service policies, and threat protection, designed to secure your API endpoints from attacks and unauthorized access.
Configuration
The configuration process is divided into two sections: API Discovery and API Protection.
| Activity | Description |
|---|---|
| Find HTTP Load Balancer | Locate the specific HTTP Load Balancer where API Discovery will be enabled. |
| Enable API Discovery (Traffic-based) | Enable API Discovery on the identified HTTP Load Balancer. |
| Upload OpenAPI Specs and Apply API Definitions | Upload OpenAPI Specification files, create API definitions, and apply them to the load balancer. |
| Configure API Protection (Schema Validation) | Set up schema validation as part of API Protection. |
Set Up API Discovery
Step 1: Find your HTTP Load Balancer.
- Log into Console.
Figure: Console Homepage
- Click Web App & API Protection.
- Select your namespace.
Figure: Select Namespace
- Click Manage > Load Balancers > HTTP Load Balancers and locate your HTTP load balancer in the list.
Figure: Load Balancers
Step 2: Enable API Discovery.
Figure: Manage Load Balancer Configuration
- For the target load balancer, click ... > Manage Configuration in the Action column.
- Click Edit Configuration in the top right section of the page.
- Scroll down to the API Protection section.
- Select Enable from the API Discovery drop-down menu. This also exposes the API Discovery settings.
Figure: Enable API Discovery
- Select your desired option from the Learn From Traffic With Direct Response drop-down menu. By default, API Discovery learns only from traffic with 2xx (successful) responses. You can select Enable Learning From Redirect Traffic to also learn from traffic with 3xx (redirect) responses.
- Use the Purge Duration for Inactive Discovered APIs field to specify how long an inactive discovered API is retained. An endpoint is purged once it has been inactive for the number of days you specify.
- Scroll to the bottom of the page and click Save and Exit.
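The two settings above (which response classes are learned from, and the purge duration) are easier to reason about with a small model of traffic-based discovery. The following is an added illustration, not F5's implementation: it learns endpoints from constructed access-log records, counts 2xx responses by default and 3xx only when redirect learning is enabled, never learns from 4xx/5xx, and purges endpoints that have been inactive longer than the configured number of days. The path normalization (numeric segments collapsed to `{id}`) is an assumption made for the model; the platform's own grouping rules may differ.

```python
from datetime import datetime, timedelta

# Constructed access-log records: (timestamp, method, path, status).
# Sample values for the model only, not real traffic.
SAMPLE_LOG = [
    ("2024-05-01T10:00:00", "GET",  "/api/v1/users/42",       200),
    ("2024-05-01T10:00:05", "GET",  "/api/v1/users/77",       200),
    ("2024-05-01T10:01:00", "POST", "/api/v1/orders",         201),
    ("2024-05-01T10:02:00", "GET",  "/api/v1/legacy",         301),  # redirect
    ("2024-05-01T10:03:00", "GET",  "/api/v1/admin",          403),  # denied, never learned
    ("2024-05-01T10:04:00", "GET",  "/api/v1/does-not-exist", 404),  # probing, never learned
    ("2024-05-20T09:00:00", "GET",  "/api/v1/users/42",       200),
]


def normalize_path(path):
    """Collapse purely numeric segments into a {id} placeholder so that
    /users/42 and /users/77 are learned as one endpoint. (Assumed
    normalization for this model.)"""
    parts = ["{id}" if seg.isdigit() else seg for seg in path.strip("/").split("/")]
    return "/" + "/".join(parts)


def learn_from_traffic(records, learn_redirects=False):
    """Return {(method, normalized_path): last_seen} learned only from
    direct responses: 2xx by default, plus 3xx when learn_redirects is True.
    4xx and 5xx responses never create or refresh an endpoint."""
    inventory = {}
    for ts, method, path, status in records:
        direct = 200 <= status < 300 or (learn_redirects and 300 <= status < 400)
        if not direct:
            continue
        key = (method, normalize_path(path))
        seen = datetime.fromisoformat(ts)
        if key not in inventory or seen > inventory[key]:
            inventory[key] = seen
    return inventory


def purge_inactive(inventory, now_iso, purge_days):
    """Drop endpoints not seen within purge_days of now_iso, mirroring the
    Purge Duration for Inactive Discovered APIs setting."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=purge_days)
    return {k: v for k, v in inventory.items() if v >= cutoff}


if __name__ == "__main__":
    inv = learn_from_traffic(SAMPLE_LOG, learn_redirects=True)
    for (method, path), seen in sorted(inv.items()):
        print(f"{method:5} {path:25} last seen {seen.date()}")
    kept = purge_inactive(inv, "2024-05-30T00:00:00", purge_days=14)
    print("retained after 14-day purge:", sorted(kept))
```

Running the model over the sample records shows why the defaults matter: the 403 on `/api/v1/admin` and the 404 probe never enter the inventory, the 301 on `/api/v1/legacy` appears only when redirect learning is on, and after a 14-day purge only the endpoint still receiving traffic survives.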
Step 3: Add Code Scanning API Discovery.
Figure: Add Code Base Integration
- Navigate to Manage > API Management > Code Base Integration.
- Click Add Code Base Integration.
Figure: Add Code Base Integration Form
- Enter a name for this integration and optionally enter labels and a description.
- Select the code base you want to integrate (GitHub, GitLab, Azure, etc.) from the Code Base drop-down menu.
- Based on your selected code base, add the required integration information (for example, an API key, or a username and password).
- Click Save and Exit.
- Go back to your load balancer (from Step 1) and scroll down to the API Protection section.
Figure: Enable API Discovery
- Make sure API Discovery is enabled and click Configure under API Repositories. This brings up an empty list of code base integrations. Click Add Item to start the list.
- Select the code base integration you created above.
- Select the API repositories you wish to include from the code base.
Figure: Select Code Base
- Scroll to the bottom and click Save and Exit.
- You can now see the source of detection for each API endpoint in the API inventory.
Figure: Monitor API Endpoints
Step 4: Upload OpenAPI Specification Files and Apply API Definitions.
- Navigate to Manage > Files > OpenAPI Files.
Figure: OpenAPI Files
- Click Add OpenAPI File.
Figure: Upload OpenAPI File
- Enter a name for this file and optionally add a description.
- Click Upload File and select your file from the system window.
Step 5: Create and Apply API Definition.
- Navigate to Manage > API Management > API Definition.
Figure: API Definitions
- Click Add API Definition.
Figure: API Definition Form
- Enter a name for this API definition and optionally add labels and a description.
- Click Add Item and select the OpenAPI specification file you uploaded in the previous step.
- Click Save and Exit.
- Go back to your load balancer (from Step 1), scroll down to the API Protection section, and select Enable in the API Definition drop-down menu.
Figure: Enable API Definition
- Select one of your API Definitions from the API Definition drop-down menu.
- Click Save and Exit to save your updated load balancer configuration.
Set Up API Protection
Perform the following steps to set up API Protection:
Step 1: Configure OpenAPI Validation.
- Go back to your load balancer (from Set Up API Discovery, Step 1) and scroll down to the API Protection section.
- Choose a validation method.
Figure: API Definition Validation Choices
Step 2: API Inventory Validation
- Select API Inventory in the Validation drop-down menu.
- API Inventory is configured with default values. Click View Configuration to make changes.
Figure: API Definition Validation Form
- Choose Validate or Skip from the OpenAPI Validation Request Processing Mode drop-down menu to enforce or skip request validation, respectively. For Validate, also do the following:
  - Choose Report or Block for the Request Validation Enforcement Type to either allow traffic and log an event (Report) or block it entirely (Block).
  - Specify which parameters should be validated using the Request Validation Properties drop-down menu.
- Choose Validate or Skip from the OpenAPI Validation Response Processing Mode drop-down menu to enforce or skip response validation, respectively. For Validate, also do the following:
  - Choose Report or Block for the Response Validation Enforcement Type to either allow traffic and log an event (Report) or block it entirely (Block).
  - Specify which parameters should be validated using the Response Validation Properties drop-down menu.
Alternative Custom List Validation
- Select Custom List in the Validation drop-down menu, and then click Configure.
Figure: Custom List Validation Form
- Click Configure to build your list of validation rules.
- For each rule you want to add, click Add Item in the Validation List.
Figure: Custom Validation Form
- Enter a name for the rule and then specify the endpoint, domain, and methods to validate.
- Click Apply to save each rule you add.
- When you're done adding rules, click Apply to save the rule list.
- For endpoints not specified in either the API file or custom rules, the Fall Through Mode determines the behavior. The default is Allow, which allows any unprotected endpoint. For different behavior, select Custom.
Custom Fall Through
- Select Custom in the Fall Through Mode drop-down menu and then click Configure to build your rules list.
- For each rule you want to add, click Add Item in the Custom Fall Through List and specify the endpoint, domain, and methods to validate.
Figure: Custom Fall Through
- Enter a name for this rule and optionally a description.
- Choose Skip, Report, or Block from the Action drop-down menu.
- Click Apply to save each rule. Then click Apply to save the Custom Fall Through Rule List.
- Click Apply to save the validation rules and return to the load balancer configuration form.
- Click Save and Exit to save the changes to your load balancer.
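The settings in Steps 1 and 2 above (validation scope, request processing mode, enforcement type, custom list, and fall-through mode) compose into one decision per request. The model below is an added example, not F5's code, that makes that composition explicit: a constructed minimal API definition stands in for an uploaded OpenAPI file, a request is validated against it when it is in scope (every defined endpoint for API Inventory, only rule-covered endpoints for Custom List), an undeclared query parameter is the one violation the model checks, and anything outside the definition is handled by the Fall Through Mode. The assumptions are labelled in comments: the rule-matching glob syntax, treating an undeclared parameter as the violation, and allowing a fall-through request that matches no custom rule.

```python
import fnmatch

# Constructed minimal API definition standing in for an uploaded OpenAPI file:
# path template -> method -> the query parameters that method declares.
API_DEFINITION = {
    "/api/v1/users/{id}": {"GET": {"query": set()}},
    "/api/v1/orders":     {"POST": {"query": {"dry_run"}}},
}

# Constructed load balancer configuration mirroring the console fields.
CONFIG = {
    "validation": "API Inventory",      # or "Custom List"
    "request_mode": "Validate",         # OpenAPI Validation Request Processing Mode
    "enforcement": "Block",             # Request Validation Enforcement Type
    "custom_list": [],                  # rules used only when validation == "Custom List"
    "fall_through": "Custom",           # Fall Through Mode: "Allow" or "Custom"
    "fall_through_rules": [             # Custom Fall Through List
        {"name": "legacy-report", "domain": "api.example.com",
         "endpoint": "/api/v1/legacy*", "methods": {"GET"}, "action": "Report"},
        {"name": "block-admin", "domain": "api.example.com",
         "endpoint": "/api/v1/admin*", "methods": {"GET", "POST"}, "action": "Block"},
    ],
}


def req(method, path, query=(), domain="api.example.com"):
    """Build a request record; query is the list of parameter names sent."""
    return {"method": method, "path": path, "query": list(query), "domain": domain}


def match_template(template, path):
    """True if a concrete path matches an OpenAPI path template; each {param}
    segment matches exactly one path segment."""
    t, p = template.strip("/").split("/"), path.strip("/").split("/")
    return len(t) == len(p) and all(
        a == b or (a.startswith("{") and a.endswith("}")) for a, b in zip(t, p))


def find_spec(request):
    """Spec entry for the request's method, or None when the path or the
    method on that path is not in the API definition."""
    for template, methods in API_DEFINITION.items():
        if match_template(template, request["path"]):
            return methods.get(request["method"])
    return None


def rule_matches(rule, request):
    """A list rule names a domain, an endpoint and the methods it covers.
    Glob matching is an assumption of this model, not the platform's syntax."""
    return (fnmatch.fnmatch(request["domain"], rule["domain"])
            and fnmatch.fnmatch(request["path"], rule["endpoint"])
            and request["method"] in rule["methods"])


def in_validation_scope(request, spec, config):
    """API Inventory validates every endpoint in the definition; Custom List
    validates only the endpoints named by one of its rules."""
    if spec is None:
        return False
    if config["validation"] == "API Inventory":
        return True
    return any(rule_matches(r, request) for r in config["custom_list"])


def evaluate(request, config):
    """Return 'allow', 'report' or 'block' for one request."""
    spec = find_spec(request)
    if in_validation_scope(request, spec, config):
        if config["request_mode"] == "Skip":
            return "allow"
        # Assumed violation check: a query parameter the spec does not declare.
        undeclared = set(request["query"]) - spec["query"]
        return config["enforcement"].lower() if undeclared else "allow"
    # Not covered by validation: the Fall Through Mode decides.
    if config["fall_through"] == "Allow":
        return "allow"
    for rule in config["fall_through_rules"]:
        if rule_matches(rule, request):
            return {"Skip": "allow", "Report": "report", "Block": "block"}[rule["action"]]
    return "allow"  # assumption: a fall-through request matching no rule is allowed


if __name__ == "__main__":
    for r in (req("GET", "/api/v1/users/42"),
              req("POST", "/api/v1/orders", ["dry_run", "debug"]),
              req("GET", "/api/v1/legacy/export"),
              req("POST", "/api/v1/admin/users"),
              req("GET", "/api/v1/health")):
        print(f"{r['method']:5} {r['path']:25} -> {evaluate(r, CONFIG)}")
```

Switching the same request set between Report and Block, or between Allow and Custom fall-through, shows the practical difference: Report mode keeps traffic flowing while producing events you can tune on, and a Custom fall-through list is what stops undocumented endpoints from silently passing once the default Allow is no longer acceptable.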
Limitations
Discovery From Code
- Code scan intervals:
  - Discovering new repositories: once a day
  - Scanning existing repositories: once a day
  - Checking integration token validity: every 5 minutes
- Supported languages and frameworks:
  - Java: EE, Spring
  - .Net
  - Python: Flask, Django (function-based views)
  - JavaScript: Express, Hapi
  - Go
- Supported SCM platforms:
  - Azure Repos
  - Bitbucket Cloud
  - Bitbucket Server
  - GitHub (classic tokens only)
  - GitHub Enterprise (classic tokens only)
  - GitLab
  - GitLab Enterprise
- Code base integration scans repositories at the organization level, not at the user level.