F5Networks - BIG-IP - AFM - 11 - 4 - 1 - CEF - Config Guide - 2014
This document is provided for informational purposes only, and the information herein is subject to change
without notice. Please report any errors herein to HP. HP does not provide any warranties covering this
information and specifically disclaims any liability in connection with this document.
Certified CEF:
The event format complies with the requirements of the HP ArcSight Common Event Format. The HP
ArcSight CEF connector will be able to process the events correctly and the events will be available for use
within HP’s ArcSight product. In addition, the event content has been deemed to be in accordance with
standard SmartConnector requirements. The events will be sufficiently categorized to be used in correlation
rules, reports and dashboards as a proof-of-concept (POC) of the joint solution.
Revision History
Date Description
CEF Connector Support Information when an issue is outside of the ArcSight team’s ability
In some cases the ArcSight customer service team cannot help with issues that lie within the device
configuration itself; in that case, contact the certified vendor for assistance:
Email [email protected]
Instructions – F5 provides a number of avenues for the resolution of customer issues. F5 Technical
Support remotely assists customers with specific break-fix issues in the ongoing maintenance of
F5 products. In addition, F5 provides DevCentral (DevCentral.f5.com), a central source of technical
resources including documentation, discussion forums, blogs and media, to explore and resolve
questions about custom configuration and to provide feedback on F5 product integrations.
F5 BIG-IP AFM Configuration Guide
This guide provides information for configuring the F5 BIG-IP Advanced Firewall Manager (AFM) for ArcSight event
collection. This Connector is supported on Windows, Linux, and Solaris platforms. BIG-IP versions 11.4.1 and later
are supported.
Overview
BIG-IP Advanced Firewall Manager (AFM) is a high-performance, stateful, full-proxy network firewall designed to
guard the data center against incoming threats that enter the network on the most widely deployed protocols -
including HTTP/S, SMTP, DNS and FTP.
If you collect logs with ArcSight, you can configure a logging profile that formats the log information in
ArcSight's Common Event Format (CEF). Advanced Firewall Manager (AFM) then sends the logs to the remote logging
server using the predefined ArcSight settings.
Configuration
In simple terms, the logging configuration has four parts: the pool, the log destinations, the publisher and the
virtual server. The pool specifies the remote servers to which logs are sent. The destinations specify how the
logs reach the pool and in what format: an unformatted Remote High-Speed Log destination delivers to the pool, and
a formatted ArcSight destination in front of it converts the events to CEF. The publisher selects the destinations
a logging profile writes to, and the logging profile is attached to a virtual server to define which BIG-IP system
security events are logged. The following table is helpful in understanding the objects you need to create and why:
Object                      Purpose
Pool of remote log servers  Create a pool of remote log servers to which the BIG-IP system can send log messages.
Destination (unformatted)   Create a log destination of Remote High-Speed Log type that specifies a pool of remote
                            log servers.
Destination (formatted)     For ArcSight, create an additional log destination that formats the logs in the required
                            CEF format and forwards them to the remote (unformatted) destination.
Publisher                   Create a log publisher to send logs to a set of specified log destinations.
LTM virtual server          Associate a custom Logging profile with a virtual server to define how the BIG-IP system
                            logs security events on the traffic that the virtual server processes.
Logging profiles specify how and where the system stores request, response and violation data for security policies.
The following diagram helps to illustrate the flow of information for logging within the BIG-IP.
The following steps walk you through the configuration requirements for ArcSight log support.
A. Creating a pool of remote logging servers
Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the
pool. Ensure the ArcSight log servers are configured to listen for and receive log messages from the BIG-IP
system.
4. Using the New Members setting, add the IP address for each remote logging server that you want
to include in the pool:
a) Type an IP address in the Address field, or select a node address from the Node List.
b) Type a service number in the Service Port field, or select a service name from the list.
c) Click Add.
5. Click Finished.
B. Creating an unformatted Remote High-Speed Log destination
To configure a log destination of the Remote High-Speed Log type, which specifies that log messages are
sent to a pool:
1. On the Main tab, click System > Logs > Configuration > Log Destinations. The Log
Destinations screen opens.
2. Click Create.
3. In the Name field, type a unique, identifiable name for this destination. This selection will be
provided below in section C.5.
4. From the Type list, select Remote High-Speed Log.
5. From the Pool Name list, select the pool of remote log servers to which you want the BIG-IP
system to send log messages.
6. From the Protocol list, select the protocol used by the high-speed logging pool members.
7. Click Finished.
C. Creating a formatted ArcSight log destination
To create the formatted destination that converts the logs to CEF and forwards them to the destination
created in section B:
1. On the Main tab, click System > Logs > Configuration > Log Destinations.
2. Click Create.
3. In the Name field, type a unique, identifiable name for this destination. This name will be selected in
section D.4 below.
4. From the Type list, select ArcSight.
Important: In v11.4.1, ArcSight CEF formatting is only available for logs coming from the
Advanced Firewall Manager (AFM) and the Application Security Manager (ASM).
5. From the Forward To list, select the destination that points to the pool of ArcSight log servers to
which you want the BIG-IP system to send log messages. This is the unique, identifiable name
provided in B.3 above.
6. Click Finished.
Figure 4. Log Destinations
D. Creating a publisher
Ensure at least one destination associated with a pool of ArcSight servers exists on the BIG-IP system.
1. On the Main tab, click System > Logs > Configuration > Log Publishers.
The Log Publisher screen opens.
2. Click Create.
3. In the Name field, type a unique, identifiable name for this publisher.
4. For the Destinations setting, in the Available list, select a destination, and click << to move the
ArcSight destination to the Selected list. This will be the same unique, identifiable name as
provided in section C.3 above.
5. Click Finished.
E. Creating a custom logging profile
To create a custom Logging profile to log messages about BIG-IP system Network Firewall events:
1. On the Main tab, click Security > Event Logs > Logging Profiles.
The Logging Profiles list screen opens.
2. Click Create.
The New Logging Profile screen opens.
5. In the Network Firewall area, from the Publisher list, select the publisher the BIG-IP system uses
to log Network Firewall events (the publisher created in section D).
6. For the Log Rule Matches setting, select how the BIG-IP system logs packets that match ACL
rules. You can select any or all of the following options:
Option                  Description
(one per rule action)   Enables or disables logging of packets that match ACL rules configured with the
                        action the option names.
8. Select the Log TCP Errors check box to enable logging of TCP error packets.
9. Select the Log TCP Events check box to enable logging of the open and close of TCP sessions.
10. From the Storage Format list, select how the BIG-IP system formats the log. Your choices are:
Option        Description
None          Specifies the default format type in which the BIG-IP system logs messages to a remote
              syslog server.
Field-List    Logs only the selected fields, for example "management_ip_address", "bigip_hostname",
              "context_type", "context_name".
11. OPTIONAL (for BIG-IP systems with IP Address Intelligence licensed and enabled): In the IP Intelligence
area, from the Publisher list, select the publisher the BIG-IP system uses to log source IP addresses that,
according to an IP Address Intelligence database, have a bad reputation, together with the name of the
bad-reputation category.
F. Associating the logging profile with a virtual server
Ensure at least one ArcSight log publisher exists on the BIG-IP system.
4. From the Log Profile list, select Enabled. Then, for the Profile setting, move the profiles that log
specific events to specific locations from the Available list to the Selected list.
G. Disabling logging
In some circumstances you may need to disable (and later re-enable) Network Firewall event logging, for
example when you no longer want the BIG-IP system to log specific events on the traffic handled by specific resources.
To disable logging
The BIG-IP system will not log the events specified in this profile for the resources to which this profile is
assigned. To re-enable, simply change Disabled to Enabled.
Log Screen Shot
F5 provides the necessary information to ArcSight, to ensure operators can take the necessary action to mitigate
against threats. Below are two snapshots showing such information, along with Priority Level information.
The following section provides event-specific information to help in understanding the formats AFM sends to
ArcSight, with examples of the remote ArcSight logging format for AFM log events.
The Remote Logging option configures the BIG-IP AFM system to log alerts to a remote ArcSight system.
Information contained within the vendor-specific event definitions is sent to the ArcSight SmartConnector
and then mapped to ArcSight data fields. The following table lists the mappings from ArcSight data fields to
the supported vendor-specific event definitions in the remote logging format for AFM.
Vendor field       ArcSight field   Label              Type     Description
acl_policy_name    cs5              acl_policy_name    String   Name of the security policy
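The mapping above works through CEF custom strings: AFM puts the policy name in cs5 and names it with
cs5Label=acl_policy_name, and the consumer is expected to re-key the value under the label. The following
parser is an added example, not F5 or HP code, showing how a collector or a detection script handles that
mapping together with CEF escaping (\| in the header, \= in an extension value). The sample records are
constructed for this example: the signature ID, timestamps, addresses, policy and rule names are placeholders
and not captured AFM output.

```python
"""Parse BIG-IP AFM CEF records and resolve ArcSight custom-string labels (added example)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Constructed sample records (not real AFM output). cs5/cs5Label carry
# acl_policy_name as in the mapping table; \| and \= exercise CEF escaping.
SAMPLE_LINES = [
    "CEF:0|F5|Advanced Firewall Manager|11.4.1|net-event|Network Event \\| ACL|7|"
    "rt=Jun 05 2014 10:15:01 act=Drop src=203.0.113.7 spt=44321 dst=192.0.2.20 dpt=22 "
    "proto=TCP cs5=dmz_policy cs5Label=acl_policy_name cs1=deny_ssh cs1Label=acl_rule_name "
    "msg=matched rule\\=deny_ssh dvchost=bigip1.example.com",
    "CEF:0|F5|Advanced Firewall Manager|11.4.1|net-event|Network Event|3|"
    "rt=Jun 05 2014 10:15:02 act=Accept src=198.51.100.9 spt=51000 dst=192.0.2.20 dpt=443 "
    "proto=TCP cs5=dmz_policy cs5Label=acl_policy_name cs1=allow_https cs1Label=acl_rule_name",
    "CEF:0|F5|Advanced Firewall Manager|11.4.1|net-event|Network Event|7|"
    "rt=Jun 05 2014 10:15:03 act=Drop src=203.0.113.8 spt=60001 dst=192.0.2.21 dpt=3389 "
    "proto=TCP cs5=internal_policy cs5Label=acl_policy_name cs1=default_deny cs1Label=acl_rule_name",
]

# An extension key is a run of [A-Za-z0-9_.] at the start of the extension or after
# whitespace, followed by '='. An escaped '\=' inside a value never matches because
# the character before that '=' is a backslash, not a key character.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(text: str) -> str:
    """Undo CEF backslash escaping: \\| \\= \\\\ become literal; \\n and \\r become newlines."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), text)


def _split_header(line: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields, honouring '\\|' escapes.

    Returns the unescaped header fields and the untouched extension text.
    """
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])      # escaped character, taken literally
            i += 2
        elif ch == "|":
            fields.append("".join(buf))  # unescaped pipe ends a header field
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    return fields, line[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key2=value two' into a dict; values may contain spaces."""
    keys = list(_EXT_KEY.finditer(ext))
    out: Dict[str, str] = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Expose csN/csNLabel pairs under the vendor name, e.g. cs5 + cs5Label -> acl_policy_name."""
    fields = dict(ext)
    for key, label in ext.items():
        if key.endswith("Label") and key[:-5] in ext:
            fields[label] = ext[key[:-5]]
    return fields


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF record into header fields plus raw and label-resolved extension."""
    header, ext = _split_header(line)
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    event: Dict[str, object] = dict(zip(HEADER_FIELDS, header))
    event["version"] = int(header[0][4:])
    event["severity"] = int(header[6])
    raw = parse_extension(ext)
    event["extension"] = raw
    event["fields"] = resolve_labels(raw)
    return event


def drops_by_policy(lines: List[str]) -> Dict[str, int]:
    """Count AFM Drop events per security policy via the resolved acl_policy_name (cs5)."""
    counts: Counter = Counter()
    for line in lines:
        fields = parse_cef(line)["fields"]
        if fields.get("act") == "Drop":
            counts[fields.get("acl_policy_name", "<no cs5Label>")] += 1
    return dict(counts)


if __name__ == "__main__":
    for record in SAMPLE_LINES:
        ev = parse_cef(record)
        print(ev["severity"], ev["fields"]["act"], ev["fields"]["acl_policy_name"],
              ev["fields"]["acl_rule_name"])
    print(drops_by_policy(SAMPLE_LINES))
```

Reading acl_policy_name through the label rather than hard-coding cs5 matters because the custom-string slot
is a per-vendor convention, not part of the CEF specification; a correlation rule keyed on the label keeps
working if the slot assignment changes between AFM releases, and a non-CEF line (for example a plain syslog
message that reached the same port) is rejected by parse_cef instead of being silently miscounted.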