Configure API Protection Rules

Published April 5, 2023 | Last modified March 11, 2025

Objective

This guide provides instructions on how to enable the API Protection Rules feature in an HTTP/HTTPS load balancer using F5® Distributed Cloud Console (Console). These rules provide you with configurable options to allow or block API endpoints from reaching your application. You can configure these rules using one of two methods (or categories): (1) configure rules using API endpoints, or (2) configure rules using server URLs and API groups. If a client request matches any rule created using the first category, then the second category rules are not evaluated.

Prerequisites

The following prerequisites apply:

Configuration

Configure API protection rules using one of two methods available.

Configure Rules Using API Endpoints

If you are configuring rules using API endpoints, perform the following:

Step 1: Navigate to load balancer.
  • From the Console homepage, click Multi-Cloud App Connect.
Figure: Homepage

Figure: Homepage

  • Select your application namespace.

  • Navigate to Manage > Load Balancers > HTTP Load Balancers.

  • Click ... for your load balancer and select Manage Configuration to open the load balancer configuration form.

  • Click Edit Configuration in the top right corner of the form.

Step 2: Start configuring API protection rules.
  • In the API Protection section, click Configure in the API Protection Rules field.
Figure: Security Configuration Section

Figure: Security Configuration Section

  • Under the API Endpoints section, click Configure.

  • Click Add Item.

Figure: API Endpoints Section

Figure: API Endpoints Section

  • In the Name field, enter a name for this API protection rule.

  • Under the Action section, select whether to Allow or Deny from the Action menu.

Figure: Action Selection

Figure: Action Selection

  • In the API Endpoint section, enable the Show Advanced Fields option.

  • From the Domain menu, select an option:

    • Any Domain: default option.

    • Specific Domain: enter the domain in the Specific Domain field.

  • From the API Endpoint menu, select a specific API endpoint path. Click See Suggestions to display suggested list of paths and endpoints.

Note: The suggestions are shown only if you have configured an API definition. To learn how to create and configure API definitions, see Import Swagger and Define APIs.

Figure: Path Selection

Figure: Path Selection

  • Under HTTP Methods, select the methods for which the API protection rules are to be applied from Method List. You can select more than one method.

Note: If no HTTP methods are selected, then the behavior is that all methods (ANY) will be matched by default.

  • Optionally, select the Invert Method Matcher option to invert the match result.
Step 3: Optionally, configure API request parameters.

Perform the following:

  • In the HTTP Query Parameters field, click Add Item. Follow the guided wizard to complete the match criteria for query parameters.

  • In the HTTP Headers field, click Add Item. Follow the guided wizard to complete the match criteria for HTTP header parameters.

  • In the Cookie Matchers field, click Add Item. Follow the guided wizard to complete the match criteria for web cookie parameters.

Figure: Request Parameters

Figure: Request Parameters

Step 4: Configure client match parameters.

  • In the Clients section, enable the Show Advanced Fields option.

  • From the Clients menu, select which clients will match to this rule:

    • Any Client: Default option.

    • List of IP Threat Categories: Select clients based on known IP threat categories.

    • Group of Clients by Label Selector: Select clients based on label selectors and expressions.

Figure: Client Selection

Figure: Client Selection

  • From the Source IPv4/Asn Match menu, select an option to match the client request from. Any Source IP is the default option. However, you can select an option to match by IPv4 prefix, IP prefix, ASN list, or BGP ASN sets.

  • Optionally, configure the TLS fingerprint match parameters:

    • From the TLS fingerprint classes menu, select a TLS fingerprint class.

    • For the exact values, click Add item. From the menu, click See Common Values to select an exact fingerprint to match from the class previously selected. You can add a fingerprint option even if no classes were selected from the TLS fingerprint classes menu.

Figure: Fingerprint Selection

Figure: Fingerprint Selection

  • For the excluded values, click Add item. From the menu, click See Common Values to select an exact fingerprint to exclude from the class previously selected.

  • Click Apply.

Step 5: Confirm rule order and save the new settings.

  • Check the order of the rules. You can reorder them by selecting a rule and moving it up or down the list.

  • After you finish, click Apply.

Figure: Apply Protection Rule

Figure: Apply Protection Rule

  • Click Apply.

  • Click Save and Exit.

Configure Rules Using Server URLs and API Groups

If you are configuring rules using server URLs and API groups, perform the following:

Step 1: Navigate to load balancer.
  • From the Console homepage, click Multi-Cloud App Connect.
Figure: Homepage

Figure: Homepage

  • Select your application namespace.

  • Navigate to Manage > Load Balancers > HTTP Load Balancers.

  • Click ... for your load balancer and select Manage Configuration to open the load balancer configuration form.

  • Click Edit Configuration in the top right corner of the form.

Step 2: Start configuring API protection rules.
  • In the API Protection section, click Configure in the API Protection Rules field.
Figure: Security Configuration Section

Figure: Security Configuration Section

  • Under the Server URLs and API Groups section, click Configure.

  • Click Add Item.

  • In the Name field, enter a name for this API protection rule.

  • From the Action menu, select whether to Allow or Deny.

Figure: Action Selection

Figure: Action Selection

  • Under the API Group/ Base Path section, enable the Show Advanced Fields option.

  • From the Domain menu, select an option:

    • Any Domain: default option.

    • Specific Domain: enter the domain in the Specific Domain field.

  • From the Base Path menu, select a server endpoint path. Click See Suggestions to display suggested list of paths and endpoints.

  • From the API Group menu, select the API group based on a previously configured API definition. The suggestions are shown only if you have configured an API definition. To learn how to create and configure API definitions, see Import Swagger and Define APIs.

Figure: Path Selection

Figure: Path Selection

Step 3: Configure client match parameters.

  • In the Clients section, enable the Show Advanced Fields option.

  • From the Clients menu, select which clients will match to this rule:

    • Any Client: Default option.

    • List of IP Threat Categories: Select clients based on known IP threat categories.

    • Group of Clients by Label Selector: Select clients based on label selectors and expressions.

  • From the Source IP/Asn Match menu, select an option to match the client request from. Any Source IP is the default option. However, you can select an option to match by IP prefix list, IP prefix sets, ASN list, or BGP ASN sets.

  • Optionally, configure the TLS fingerprint match parameters:

    • From the TLS fingerprint classes menu, select a TLS fingerprint class.

    • For the exact values, click Add item. From the menu, click See Common Values to select an exact fingerprint to match from the class previously selected. You can add a fingerprint option even if no classes were selected from the TLS fingerprint classes menu.

    • For the excluded values, click Add item. From the menu, click See Common Values to select an exact fingerprint to exclude from the class previously selected.

  • Click Apply.

Figure: Fingerprint Selection

Figure: Fingerprint Selection

Step 4: Confirm rule order and save the new settings.

  • Check the order of the rules. You can reorder them by selecting a rule and moving it up or down the list.

  • After you finish, click Apply.

Figure: Apply Protection Rule

Figure: Apply Protection Rule

  • Click Apply.

  • Click Save and Exit.

Concepts

On this page: