F5Networks - BIG-IP - AFM - 11 - 4 - 1 - CEF - Config Guide - 2014


CEF Connector Configuration Guide

This document is provided for informational purposes only, and the information herein is subject to change
without notice. Please report any errors herein to HP. HP does not provide any warranties covering this
information and specifically disclaims any liability in connection with this document.

Certified CEF:

The event format complies with the requirements of the HP ArcSight Common Event Format. The HP
ArcSight CEF connector will be able to process the events correctly and the events will be available for use
within HP’s ArcSight product. In addition, the event content has been deemed to be in accordance with
standard SmartConnector requirements. The events will be sufficiently categorized to be used in correlation
rules, reports and dashboards as a proof-of-concept (POC) of the joint solution.

Advanced Firewall Manager v. 11.4.1

May 30, 2013

Revision History

Date | Description
10/23/2013 | First edition of this Configuration Guide.
11/1/2013 | Version 11.4.1 Certified by HP Enterprise Security

CEF Connector Support Information when an issue is outside of the ArcSight team’s ability

In some cases the ArcSight customer service team is unable to help with issues that lie within the
configuration itself; in that case, contact the certified vendor for assistance:

F5 Networks Customer Support

Phone North America 1-888-882-7535

or Outside North America +800-11275-435

Email [email protected]

or [email protected]

Instructions – F5 provides a number of avenues for the resolution of customer issues. F5 Technical
Support is designed to remotely assist customers with specific break-fix issues regarding on-going
maintenance of your F5 products. In addition, F5 provides DevCentral (DevCentral.f5.com) a central
source for access to technical resources including documentation, discussion forums, blogs, and
media to explore and resolve questions for custom configuration and provide feedback on F5
product integrations.

F5 BIG-IP AFM Configuration Guide
This guide provides information for configuring the F5 BIG-IP Advanced Firewall Manager (AFM) for ArcSight event
collection. This Connector is supported on Windows, Linux, and Solaris platforms. Device versions starting at v11.4.1
and greater are supported.

Overview
BIG-IP Advanced Firewall Manager (AFM) is a high-performance, stateful, full-proxy network firewall designed to
guard the data center against incoming threats that enter the network on the most widely deployed protocols -
including HTTP/S, SMTP, DNS and FTP.

If your network uses ArcSight logs, you can configure a logging profile which formats the log information to support
ArcSight's Common Event Format (CEF). F5's Advanced Firewall Manager (AFM) stores logs on the remote logging
server using the predefined ArcSight settings for the logs.

Configuration
In simple terms, a logging profile has three parts: the pool, the publisher and the virtual server. The pool
configuration specifies where the logs are stored, locally and/or remotely. The publisher determines the format in
which the information is stored. The virtual server defines the BIG-IP system log security events to be processed. The
following table is helpful in understanding the objects you need to create and why:

Object to create in implementation | Reason
Pool of remote log servers | Create a pool of remote log servers to which the BIG-IP system can send log messages.
Destination (unformatted) | Create a log destination of Remote High-Speed Log type that specifies a pool of remote log servers.
Destination (formatted) | For ArcSight, create an additional log destination to format the logs in the required CEF format to forward the logs to the remote destination.
Publisher | Create a log publisher to send logs to a set of specified log destinations.
Logging profile | Create a custom Logging profile to enable logging of user-specified data at a user-specified level, and associate a log publisher with the profile.
LTM virtual server | Associate a custom Logging profile with a virtual server to define how the BIG-IP system logs security events on the traffic that the virtual server processes.

Logging profiles specify how and where the system stores request, response and violation data for security policies.

The following diagram helps to illustrate the flow of information for logging within the BIG-IP.

Figure 1. Association of remote high-speed logging configuration objects

The following steps walk you through the configuration requirements for ArcSight log support.

A. Creating a pool of remote logging servers

Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the
pool. Ensure the ArcSight log servers are configured to listen to and receive log messages from the BIG-IP
system.

To create a pool of remote logging servers

1. On the Main tab, click Local Traffic > Pools.
The Pool List screen opens.

2. Click the Create button.
The New Pool screen opens.

3. In the Name field, type a unique name for the pool.

4. Using the New Members setting, add the IP address for each remote logging server that you want
to include in the pool:

a) Type an IP address in the Address field, or select a node address from the Node List.

b) Type a service number in the Service Port field, or select a service name from the list.

Note: Ensure you configure the correct remote logging port.

c) Click Add.

5. Click Finished.

Once completed, you should have the following items configured:

Figure 2. Pool List for logging servers

Figure 3. Pool Members

B. Creating a remote high-speed log destination


Before creating a remote high-speed log destination, ensure at least one pool of remote log servers exists
on the BIG-IP system.

To configure a log destination of the "Remote High-Speed Log" type to specify log messages are
sent to a pool

1. On the Main tab, click System > Logs > Configuration > Log Destinations. The Log
Destinations screen opens.
2. Click Create.

3. In the Name field, type a unique, identifiable name for this destination. This selection will be
provided below in section C.5.
4. From the Type list, select Remote High-Speed Log.

5. From the Pool Name list, select the pool of remote log servers to which you want the BIG-IP
system to send log messages.
6. From the Protocol list, select the protocol used by the high-speed logging pool members.

7. Click Finished.

C. Creating an ArcSight formatted remote log destination

Ensure at least one ArcSight destination exists on the BIG-IP system.

To create an ArcSight formatted logging destination

1. On the Main tab, click System > Logs > Configuration > Log Destinations.

The Log Destinations screen opens.

2. Click Create.

3. In the Name field, type a unique, identifiable name for this destination. This name will be selected in
section D.4 below.

4. From the Type list, select an ArcSight formatted logging destination.

Important: In v11.4.1, ArcSight CEF formatting is only available for logs coming from the
Advanced Firewall Manager (AFM) and the Application Security Manager (ASM).

5. From the Forward To list, select the destination that points to the pool of ArcSight log servers to
which you want the BIG-IP system to send log messages. This is the same unique, identifiable name
provided in B.3 above.

6. Click Finished.

Figure 4. Log Destinations

D. Creating a publisher

Ensure at least one destination associated with a pool of ArcSight servers exists on the BIG-IP system.

To create the publisher

1. On the Main tab, click System > Logs > Configuration > Log Publishers.
The Log Publisher screen opens.

2. Click Create.

3. In the Name field, type a unique, identifiable name for this publisher.

4. For the Destinations setting, in the Available list, select a destination, and click << to move the
ArcSight destination to the Selected list. This will be the same unique, identifiable name as
provided in section C.3 above.

5. Click Finished.

Figure 5. Log Publishers


Figure 6. Log Publisher Destinations

E. Creating a custom Network Firewall Logging profile

Create a custom profile

To create a custom Logging profile to log messages about BIG-IP system Network Firewall events

1. On the Main tab, click Security > Event Logs > Logging Profiles.
The Logging Profiles list screen opens.

2. Click Create.
The New Logging Profile screen opens.

3. In the Name field, type a unique name for the profile.

4. Select the Network Firewall check box.

5. In the Network Firewall area, from the Publisher list, select the Publisher the BIG-IP system uses
to log Network Firewall events.

6. For the Log Rule Matches setting, select how the BIG-IP system logs packets that match ACL
rules.
You can select any or all of the following options:

Option | Description (enables or disables logging of packets that match ACL rules configured with the given action)
Accept | action = Accept
Drop | action = Drop
Reject | action = Reject


7. Select the Log IP Errors check box to enable logging of IP error packets.

8. Select the Log TCP Errors check box to enable logging of TCP error packets.

9. Select the Log TCP Events check box to enable logging of the open and close of TCP sessions.

10. From the Storage Format list, select how the BIG-IP system formats the log. Your choices are:

Option | Description
None | Specifies the default format type in which the BIG-IP system logs messages to a remote syslog server: "management_ip_address", "bigip_hostname", "context_type", "context_name"
Field-List | This option allows you to: select from a list the fields to be included in the log; specify the order in which the fields display in the log; specify the delimiter that separates the content in the log (comma is the default).
User-Defined | This option allows you to: select from a list the fields to be included in the log; cut and paste, in a string of text, the order in which the fields display in the log.

11. In the IP Intelligence area, from the Publisher list, select the publisher the BIG-IP system uses to
log source IP addresses that an IP Address Intelligence database flags as having a bad reputation,
along with the name of the bad-reputation category.

OPTIONAL: This step is for BIG-IP systems with IP Address Intelligence licensed and enabled.

12. Click Finished.

Assign this custom network firewall Logging profile to a virtual server.

Figure 7. Logging Profiles


F. Configuring an LTM virtual server for Network Firewall event logging

Ensure at least one ArcSight log publisher exists on the BIG-IP system.

To configure LTM virtual server

1. On the Main tab, click Local Traffic > Virtual Servers.
The Virtual Server List screen opens.

2. Click the name of the virtual server you want to modify.

3. From the Security menu, select Policies.
The screen displays Policy Settings and Rules settings.

4. From the Log Profile list, select Enabled. Then, for the Profile setting, move the profiles that log
specific events to specific locations from the Available list to the Selected list.

5. Click Update to save your changes.

G. Disabling logging

In some circumstances, you may need to disable Network Firewall event logging when you no
longer want the BIG-IP system to log specific events on the traffic handled by specific resources.

To disable logging

1. On the Main tab, click Local Traffic > Virtual Servers.
The Virtual Server List screen opens.

2. Click the name of the virtual server you want to modify.

3. From the Security menu, select Policies.
The screen displays Policy Settings and Rules settings.

4. From the Log Profile list, select Disabled.

5. Click Update to save your changes.

The BIG-IP system will not log the events specified in this profile for the resources to which this profile is
assigned. To re-enable logging, change Disabled back to Enabled.

Log Screen Shot

F5 provides the necessary information to ArcSight so that operators can take the action needed to mitigate
threats. Below are two snapshots showing such information, along with Priority Level information.

Example 1. Event Logs

Example 2. Event Inspector detailed information


Events
The remote logging formats are predefined and are described below.

The following section provides event specific information to help in understanding the information formats provided by
AFM for ArcSight.

A. AFM ArcSight logging format

The following section provides example information on remote ArcSight logging formats for AFM log events.

Example of "Reject" AFM log messages in the ArcSight CEF format

CEF:0|F5|Advanced Firewall Module|11.4.1.608.0|23003137|Network Event|8|rt=Oct
23 2013 08:23:39 dvchost=host.ltmve139.com dvc=192.168.5.139 src=192.168.1.12
spt=53311 dst=192.168.1.139 dpt=557 proto=TCP cs1=Reject_555
cs1Label=acl_rule_name cs2=/Common/external cs2Label=vlan act=Reject
reason=Policy c6a2= c6a2Label=source_address c6a3=
c6a3Label=destination_address cs3= cs3Label=Global cn1=0 cn1Label=route_domain
cs4=Enforced cs4Label=acl_policy_type cs5= cs5Label=acl_policy_name
destinationTranslatedAddress= destinationTranslatedPort=
sourceTranslatedAddress= sourceTranslatedPort= cn2=
cn2Label=TranslatedRouteDomain F5TranslatedIpProtocol= F5TranslatedVlan=
F5SrcTranslationType= F5SrcTranslationPool=

Example of "Drop" AFM log messages in the ArcSight CEF format

CEF:0|F5|Advanced Firewall Module|11.4.1.608.0|23003137|Network Event|8|rt=Oct
23 2013 08:23:23 dvchost=ltmve139.thebestsslvpn.com dvc=192.168.5.139
src=192.168.1.12 spt=53299 dst=192.168.1.139 dpt=556 proto=TCP cs1=Drop_556
cs1Label=acl_rule_name cs2=/Common/external cs2Label=vlan act=Drop
reason=Policy c6a2= c6a2Label=source_address c6a3=
c6a3Label=destination_address cs3= cs3Label=Global cn1=0 cn1Label=route_domain
cs4=Enforced cs4Label=acl_policy_type cs5= cs5Label=acl_policy_name
destinationTranslatedAddress= destinationTranslatedPort=
sourceTranslatedAddress= sourceTranslatedPort= cn2=
cn2Label=TranslatedRouteDomain F5TranslatedIpProtocol= F5TranslatedVlan=
F5SrcTranslationType= F5SrcTranslationPool=

B. AFM ArcSight Event Messages and Attack Types format

The following table describes the fields in the remote logging format for AFM on ArcSight servers.

Field name and type | ArcSight Key Name | Example Value | Description
acl_rule_name (string) | cs1 | Non-browser client | Name of ACL rule
action (string) | act | Accept, Accept decisively, Drop, Reject | Action performed
hostname (string) | dvchost | FQDN | BIG-IP system FQDN
bigip_mgmt_ip (IP address) | deviceTranslatedAddress | 192.168.1.246 | BIG-IP system management IP address
date_time (string) | rt | 09 10 2013 13:11:10 | Date and time the event occurred in this format: MMM DD YYYY HH:MM:SS
dest_ip (IP address) | dst | 192.168.3.1 | Destination IP address
dest_port (integer) | dpt | 80 | Protocol port number
device_product (string) | Device Product | Advanced Firewall Module | Name of BIG-IP system generating the event message
device_vendor (string) | Device Vendor | F5 | F5 static keyword
device_version (string) | Device Version | 11.4.1.608.0 | BIG-IP system software version in the format: version.point_release.0.yyyy.0
drop_reason (string) | reason | (empty), <name of error>, Policy | Reason action performed
ip_protocol (string) | proto | TCP, UDP, ICMP | Name of protocol
severity (integer) | Severity | 8 | Level of the event by number
src_ip (IP address) | src | 192.168.3.1 | Source IP address
src_port (integer) | spt | 80 | Protocol port number (non-negative)

C. Device Event Mapping to ArcSight Data Fields

The Remote Logging option is used to configure the BIG-IP AFM system to log alerts to a remote ArcSight
system. Information contained within vendor-specific event definitions is sent to the ArcSight
SmartConnector, then mapped to an ArcSight data field.

The following table lists the mappings from ArcSight data fields to the supported vendor-specific event
definitions.

F5 BIG-IP AFM Connector Field Mappings

AFM key name | ArcSight key name | ArcSight full name | Data Type | Meaning
hostname | dvchost | deviceHostName | String | BIG-IP system FQDN
hostip | dvc | deviceAddress | IPv4 | Device address an event references
bigip_mgmt_ip | deviceTranslatedAddress | deviceTranslatedAddress | IPv4 | IP of the management interface of the BIG-IP machine
action | act | deviceAction | String | Action performed
src_ip | src | src | IPv4 | Source IP address
src_port | spt | sourcePort | Integer | Protocol port number
dest_ip | dst | destinationAddress | IPv4 | Destination IP address
dest_port | dpt | destinationPort | Integer | Protocol port number
ip_protocol | proto | transportProtocol | String | Name of protocol (TCP\UDP\ICMP)
date_time | rt | receiptTime | Timestamp | The date and time at which the event occurred. The format is mmm dd yyyy hh:mm:ss
acl_rule_name | cs1 | acl_rule_name | String | Name of ACL rule
vlan | cs2 | vlan | String | VLAN interface name
Global | cs3 | Global | edit | Global
acl_policy_type | cs4 | acl_policy_type | String | Designates the type of policy
acl_policy_name | cs5 | acl_policy_name | String | Name of the security policy
drop_reason | reason | reason | String | Reason action performed
route_domain | cn1 | route_domain | Integer | Route domain number
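As an added example (not F5's or HP's code), a small parser for the AFM messages shown in section A that applies the mapping in this table: it splits the seven-field CEF header, tokenises the key=value extension, and renames the custom csN/cnN/c6aN fields through their Label companions so that cs1 becomes acl_rule_name. The two embedded sample messages are the guide's own "Reject" and "Drop" lines re-joined onto one line each; the function and variable names are this example's.

```python
"""Parse F5 BIG-IP AFM "Network Event" messages in ArcSight CEF format.
Added example, not code from F5 or HP; the two sample messages are the guide's
own "Reject" and "Drop" lines re-joined onto one line each."""
import re
from datetime import datetime

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
# One key=value pair; the value runs until the next " key=" token, so empty values
# ("cs3= cs3Label=Global") and values with spaces ("rt=Oct 23 ...") both parse.
# CEF backslash escapes (\| \=) are not handled; the guide's messages use none.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

REJECT_MSG = (
    "CEF:0|F5|Advanced Firewall Module|11.4.1.608.0|23003137|Network Event|8|"
    "rt=Oct 23 2013 08:23:39 dvchost=host.ltmve139.com dvc=192.168.5.139 src=192.168.1.12 "
    "spt=53311 dst=192.168.1.139 dpt=557 proto=TCP cs1=Reject_555 cs1Label=acl_rule_name "
    "cs2=/Common/external cs2Label=vlan act=Reject reason=Policy c6a2= c6a2Label=source_address "
    "c6a3= c6a3Label=destination_address cs3= cs3Label=Global cn1=0 cn1Label=route_domain "
    "cs4=Enforced cs4Label=acl_policy_type cs5= cs5Label=acl_policy_name")
DROP_MSG = (
    "CEF:0|F5|Advanced Firewall Module|11.4.1.608.0|23003137|Network Event|8|"
    "rt=Oct 23 2013 08:23:23 dvchost=ltmve139.thebestsslvpn.com dvc=192.168.5.139 "
    "src=192.168.1.12 spt=53299 dst=192.168.1.139 dpt=556 proto=TCP cs1=Drop_556 "
    "cs1Label=acl_rule_name cs2=/Common/external cs2Label=vlan act=Drop reason=Policy "
    "cs3= cs3Label=Global cn1=0 cn1Label=route_domain cs4=Enforced cs4Label=acl_policy_type")


def parse_cef(line):
    """Header fields plus extensions, with F5's custom csN/cnN/c6aN fields renamed
    to their *Label companions (cs1=Reject_555 + cs1Label=acl_rule_name -> acl_rule_name)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message")
    parts = line[4:].split("|", 7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["severity"] = int(event["severity"])
    ext = dict(_EXT_RE.findall(parts[7]))
    for key in list(ext):
        if key.endswith("Label") and key[:-5] in ext:
            ext[ext.pop(key)] = ext.pop(key[:-5])
    event.update(ext)
    # rt uses the layout the guide documents: MMM DD YYYY HH:MM:SS
    event["receipt_time"] = datetime.strptime(event["rt"], "%b %d %Y %H:%M:%S")
    return event


def blocked_by_source(lines):
    """Count Drop/Reject ACL decisions per source address: a quick check that the
    connector receives the decisions enabled under Log Rule Matches in the profile."""
    counts = {}
    for ev in map(parse_cef, lines):
        if ev.get("act") in ("Drop", "Reject"):
            counts[ev["src"]] = counts.get(ev["src"], 0) + 1
    return counts
```

Empty custom fields such as cs5 come back as empty strings under their label names (acl_policy_name), which matches the "(empty)" value the field table allows for several keys.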
