OpenAPI Protection
An OpenAPI file can be used to create a WAF security policy. To create a security policy using an OpenAPI file, you need to use the dedicated API security template. This specialized template, along with the settings in your OpenAPI file, eliminates the need to modify the standard security policy settings in WAF.
WAF/OpenAPI integration is useful in a CI/CD environment. Using a CI/CD pipeline, the security policy can be regularly and automatically updated.
In addition to securing APIs via the OpenAPI file, the default API security policy is set to protect against various violations. For more information about the violation protection from each template, see Reference: Violation Protection.
Note: OpenAPI protection can be implemented without an OpenAPI file. In this section, security policies are created using the OpenAPI file. You can edit and replace the OpenAPI file.
Create a Policy using an OpenAPI file
To create a policy with an OpenAPI file, use the following steps:
Click the workspace icon next to the F5 icon, and click Security.
From the left menu, click Policies, under WAF.
At the top of the screen, click Create.
Type a policy Name and an optional Description.
Add Tags if you would like to filter your policy according to keywords.
To change the template, application language, and whether the policy is case sensitive, toggle the Advanced View button at the top right of the Policy Properties panel.
Select the API Security Template for security policies to view the OpenAPI Protection feature. In this feature, you can add an OpenAPI file to create security policies.
By default, the Enforcement Mode is set to Blocking.
In OpenAPI Protection, you can add an OpenAPI file in .json, .yaml, or .yml format. You can either:
Click Choose file… to add the file.
Drag and drop the file.
To change the Application Language, select a language from the list provided.
Note: Unicode (utf-8) is the default application language.
By default, Policy is Case Sensitive is enabled. To disable, click the checkbox.
Result: The new security policy is created with an OpenAPI file.
Replace the OpenAPI file
Note: All existing OpenAPI file entities will be replaced by the new entities from the new OpenAPI file.
To replace the OpenAPI file for an existing security policy, use the following steps:
Click the workspace icon next to the F5 icon, and click Security.
From the left menu, click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens. From the panel menu, click OpenAPI Protection.
The panel displays the OpenAPI file attached to the security policy. Click Choose file… to add a new OpenAPI file in .json, .yaml, or .yml format. Select the new OpenAPI file; it replaces the existing OpenAPI file.
Click Save to save and replace the file.
Click Save & Deploy to save and replace the OpenAPI file, which will then deploy the WAF policy.
Result: The OpenAPI file is replaced with a new file. When an updated OpenAPI file is uploaded, all entities not in the updated file are deleted from the WAF policy.
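Because a replacement deletes every entity that is missing from the new file, a pipeline can compare the attached file with its replacement before uploading. The following Python sketch is an added example, not F5 code: it assumes the entities correspond to the paths, operations, and parameters declared in the document, reads JSON files only, and uses hypothetical function names and constructed sample documents.

```python
import json
import sys

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def spec_entities(spec):
    """Collect (kind, path, method, name) tuples declared by an OpenAPI document."""
    # Assumption: WAF entities map to URLs, operations and parameters in the file.
    entities = set()
    for path, item in (spec.get("paths") or {}).items():
        entities.add(("url", path, "*", ""))
        shared = item.get("parameters", [])  # path-level parameters apply to every operation
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skips "parameters", "summary", "servers", ...
            entities.add(("operation", path, method.upper(), ""))
            for p in shared + op.get("parameters", []):
                if "name" in p:  # unresolved $ref parameters are ignored here
                    entities.add(("parameter", path, method.upper(),
                                  f'{p.get("in", "?")}:{p["name"]}'))
    return entities

def removed_on_replace(old_spec, new_spec):
    """Entities in the attached file that are absent from the replacement file."""
    return sorted(spec_entities(old_spec) - spec_entities(new_spec))

# Constructed sample documents (not from the product documentation).
OLD_SPEC = {"openapi": "3.0.0", "paths": {
    "/users": {"get": {"parameters": [{"name": "limit", "in": "query"}]}, "post": {}},
    "/users/{id}": {"parameters": [{"name": "id", "in": "path"}], "get": {}, "delete": {}},
}}
NEW_SPEC = {"openapi": "3.0.0", "paths": {
    "/users": {"get": {}},
    "/users/{id}": {"parameters": [{"name": "id", "in": "path"}], "get": {}},
}}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py attached.json replacement.json
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            old, new = json.load(f_old), json.load(f_new)
    else:
        old, new = OLD_SPEC, NEW_SPEC
    removed = removed_on_replace(old, new)
    for kind, path, method, name in removed:
        print(f"would be dropped: {kind:<9} {method:<6} {path} {name}")
    sys.exit(1 if removed else 0)  # non-zero exit lets a pipeline pause for review
```

A non-empty result means the upload would narrow what the policy knows about, so requests to those operations should be reviewed before choosing Save & Deploy.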
Edit the existing OpenAPI file
To edit the attached OpenAPI file for an existing security policy, use the following steps:
Click the workspace icon next to the F5 icon, and click Security.
From the left menu, click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens. From the panel menu, click OpenAPI Protection.
The panel displays the OpenAPI file attached to the security policy. Click the uploaded OpenAPI file; a new window opens. In this window, you can update the file.
After changing the OpenAPI file, click Save.
Click Yes, Replace to update the existing OpenAPI file with the new changes.
Result: The existing OpenAPI file is updated.
Edit the policy if no OpenAPI file is added
Update the existing security policy by attaching a new OpenAPI file. Use the steps below to edit the policy:
Click the workspace icon next to the F5 icon, and click Security.
From the left menu, click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens. From the panel menu, click OpenAPI Protection.
The panel opens with no OpenAPI file attached. Click Choose file… to add an OpenAPI file in .json, .yaml, or .yml format.
After the file is added, click Save. This adds the new file.
Click Deploy to deploy the changes to the security policy.
Result: The security policy is updated with a new OpenAPI file.
WAF Policy Creation using the Policy Editor
Edit the WAF policy JSON declaration directly through the WAF policy editor.