F5 Networks BIG-IP AFM
The F5 Networks BIG-IP Advanced Firewall Manager (AFM) DSM for JSA accepts syslog events that are forwarded from F5 Networks BIG-IP AFM systems in name-value pair format.
JSA can collect the following events from F5 BIG-IP appliances with Advanced Firewall Managers:
Network events
Network Denial of Service (DoS) events
Protocol security events
DNS events
DNS Denial of Service (DoS) events
Before you can configure the Advanced Firewall Manager, you must verify that your BIG-IP appliance is licensed and provisioned to include Advanced Firewall Manager.
Log in to your BIG-IP appliance Management Interface.
From the navigation menu, select System > License.
In the License Status column, verify that the Advanced Firewall Manager is licensed and enabled.
To enable the Advanced Firewall Manager, select System > Resource > Provisioning.
From the Provisioning column, select the check box and select Nominal from the list.
Click Submit to save your changes.
Configuring a Logging Pool
A logging pool is used to define a pool of servers that receive syslog events. The pool contains the IP address, port, and a node name that you provide.
From the navigation menu, select Local Traffic > Pools.
Click Create.
In the Name field, type a name for the logging pool.
For example, Logging_Pool.
From the Health Monitor field, in the Available list, select TCP and click <<.
This clicking action moves the TCP option from the Available list to the Selected list.
In the Resource pane, from the Node Name list, select Logging_Node or the node name that you defined.
In the Address field, type the IP address for the JSA console or Event Collector.
In the Service Port field, type 514.
Click Add.
Click Finish.
Creating a High-speed Log Destination
The process to configure logging for BIG-IP AFM requires that you create a high-speed logging destination.
From the navigation menu, select System > Logs > Configuration > Log Destinations.
Click Create.
In the Name field, type a name for the destination.
For example, Logging_HSL_dest.
In the Description field, type a description.
From the Type list, select Remote High-Speed Log.
From the Pool Name list, select a logging pool from the list of remote log servers.
For example, Logging_Pool.
From the Protocol list, select TCP.
Click Finish.
Creating a Formatted Log Destination
The formatted log destination is used to specify any special formatting that is required on the events that are forwarded to the high-speed logging destination.
From the navigation menu, select System > Logs > Configuration > Log Destinations.
Click Create.
In the Name field, type a name for the logging format destination.
For example, Logging_Format_dest.
In the Description field, type a description.
From the Type list, select Remote Syslog.
From the Syslog Format list, select Syslog.
From the High-Speed Log Destination list, select your high-speed logging destination.
For example, Logging_HSL_dest.
Click Finished.
Creating a Log Publisher
Creating a publisher allows the BIG-IP appliance to publish the formatted log message to the local syslog database.
From the navigation menu, select System > Logs > Configuration > Log Publishers.
Click Create.
In the Name field, type a name for the publisher.
For example, Logging_Pub.
In the Description field, type a description.
From the Destinations field, in the Available list, select the formatted log destination that you created in Creating a Formatted Log Destination and click << to add it to the Selected list.
This clicking action moves your logging format destination from the Available list to the Selected list. To include local logging in your publisher configuration, you can also add local-db and local-syslog to the Selected list.
Creating a Logging Profile
Use the Logging profile to configure the types of events that your Advanced Firewall Manager is producing and to associate these events with the logging destination.
From the navigation menu, select Security > Event Logs > Logging Profile.
Click Create.
In the Name field, type a name for the log profile.
For example, Logging_Profile.
In the Network Firewall field, select the Enabled check box.
From the Publisher list, select the log publisher that you configured.
For example, Logging_Pub.
In the Log Rule Matches field, select the Accept, Drop, and Reject check boxes.
In the Log IP Errors field, select the Enabled check box.
In the Log TCP Errors field, select the Enabled check box.
In the Log TCP Events field, select the Enabled check box.
In the Storage Format field, from the list, select Field-List.
In the Delimiter field, type , (comma) as the delimiter for events.
In the Storage Format field, select all of the options in the Available Items list and click <<.
This clicking action moves all of the Field-List options from the Available list to the Selected list.
In the IP Intelligence pane, from the Publisher list, select the log publisher that you configured.
For example, Logging_Pub.
Click Finished.
Associating the Profile to a Virtual Server
The log profile you created must be associated with a virtual server in the Security Policy tab. This association allows the virtual server to process your network firewall events, along with local traffic.
Take the following steps to associate the profile to a virtual server.
From the navigation menu, select Local Traffic > Virtual Servers.
Click the name of a virtual server to modify.
From the Security tab, select Policies.
From the Log Profile list, select Enabled.
From the Profile field, in the Available list, select Logging_Profile or the name that you specified in Creating a Logging Profile and click <<.
This clicking action moves the Logging_Profile option from the Available list to the Selected list.
Click Update to save your changes.
The configuration is complete. The log source is added to JSA as F5 Networks BIG-IP AFM syslog events are automatically discovered. Events that are forwarded to JSA by F5 Networks BIG-IP AFM are displayed on the Log Activity tab of JSA.
Syslog Log Source Parameters for F5 Networks BIG-IP AFM
If JSA does not automatically detect the log source, add an F5 Networks BIG-IP AFM log source on the JSA Console by using the syslog protocol.
When using the syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect syslog events from F5 Networks BIG-IP AFM:
Parameter | Value
---|---
Log Source type | F5 Networks BIG-IP AFM
Protocol Configuration | Syslog
Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your F5 Networks BIG-IP AFM devices.
F5 Networks BIG-IP AFM Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.
F5 Networks BIG-IP AFM sample message when you use the syslog protocol
The following sample event message shows that a connection was dropped by the firewall.
<134>Apr 30 19:22:53 f5networks.bigipafm.test 1 2019-04-30T19:22:53.800131+02:00 testCompany tmm 13301 23003142 [F5@12276 date_time="Apr 30 2019 19:22:52" bigip_mgmt_ip="10.13.101.251" hostname="testCompany" context_type="Virtual Server" context_name="/Common/V1_VmUAG_8443" ip_intelligence_policy_name="/Common/V1_VmUAG.app/V1_VmUAG_ip_intelligence" source_ip="192.168.0.1" dest_ip="172.16.0.1" source_port="8080" dest_port="8443" vlan="/Common/Vlan290" ip_protocol="TCP" route_domain="1" ip_intelligence_threat_name="windows_exploits,spam_sources" action="Drop" attack_type="custom_category" translated_source_ip="" translated_dest_ip="" translated_source_port="" translated_dest_port="" translated_vlan="" translated_ip_protocol="" translated_route_domain="" sa_translation_type="" sa_translation_pool="" flow_id="0000000000000000"] "Apr 30 2019 19:22:52","10.13.101.251","testCompany","","","","Virtual Server","/Common/V1_VmUAG_8443","/Common/V1_VmUAG.app/V1_VmUAG_ip_intelligence","192.168.0.1","172.16.0.1","8080","8443","/Common/Vlan290","TCP","1","windows_exploits,spam_sources","Drop","custom_category","","","","","","","","","","0000000000000000"
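To check that an event really arrives in the shape described above before relying on JSA's auto-discovery, the following added parser (example code, not part of the F5 or JSA documentation) splits the sample message into its syslog header, the F5@12276 structured-data name-value pairs, and the comma-delimited Field-List copy of the same event; the sample message is the one from this page with its line-wrap spaces removed.

```python
import csv
import re

# Sample event from this page, re-joined onto one line.
SAMPLE = (
    '<134>Apr 30 19:22:53 f5networks.bigipafm.test 1 2019-04-30T19:22:53.800131+02:00 testCompany tmm '
    '13301 23003142 [F5@12276 date_time="Apr 30 2019 19:22:52" bigip_mgmt_ip="10.13.101.251" '
    'hostname="testCompany" context_type="Virtual Server" context_name="/Common/V1_VmUAG_8443" '
    'ip_intelligence_policy_name="/Common/V1_VmUAG.app/V1_VmUAG_ip_intelligence" source_ip="192.168.0.1" '
    'dest_ip="172.16.0.1" source_port="8080" dest_port="8443" vlan="/Common/Vlan290" ip_protocol="TCP" '
    'route_domain="1" ip_intelligence_threat_name="windows_exploits,spam_sources" action="Drop" '
    'attack_type="custom_category" translated_source_ip="" translated_dest_ip="" translated_source_port="" '
    'translated_dest_port="" translated_vlan="" translated_ip_protocol="" translated_route_domain="" '
    'sa_translation_type="" sa_translation_pool="" flow_id="0000000000000000"] '
    '"Apr 30 2019 19:22:52","10.13.101.251","testCompany","","","","Virtual Server","/Common/V1_VmUAG_8443",'
    '"/Common/V1_VmUAG.app/V1_VmUAG_ip_intelligence","192.168.0.1","172.16.0.1","8080","8443",'
    '"/Common/Vlan290","TCP","1","windows_exploits,spam_sources","Drop","custom_category",'
    '"","","","","","","","","","","0000000000000000"'
)

# <PRI>, the BSD-style relay header, then the RFC 5424 header, one SD element and the MSG.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<relay_ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<relay>\S+) '
    r'(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
    r'\[(?P<sdid>[^\s\]]+) (?P<params>[^\]]*)\] ?(?P<msg>.*)$', re.S)
# name="value" pairs inside the SD element (values may contain spaces and commas).
PARAM_RE = re.compile(r'(?P<k>[^\s=]+)="(?P<v>(?:[^"\\]|\\.)*)"')


def parse_afm_event(line: str) -> dict:
    """Return header fields, the F5@12276 name-value pairs and the Field-List columns."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an F5 BIG-IP AFM syslog event")
    pri = int(m["pri"])  # facility * 8 + severity; 134 is local0 / informational
    fields = {p["k"]: p["v"] for p in PARAM_RE.finditer(m["params"])}
    # The MSG part repeats the event in the comma-delimited Field-List storage format.
    field_list = next(csv.reader([m["msg"]])) if m["msg"] else []
    return {"facility": pri >> 3, "severity": pri & 7, "host": m["host"], "app": m["app"],
            "sd_id": m["sdid"], "fields": fields, "field_list": field_list}


def is_dropped_connection(event: dict) -> bool:
    """True when AFM reports the connection as dropped, as in the page's sample."""
    return event["fields"].get("action") == "Drop"
```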