
F5 Networks BIG-IP AFM 11.4.1 CEF Configuration Guide

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 9 min read

Summary:

This guide describes how to configure and manage Network Firewall event logging on BIG-IP systems running F5's Advanced Firewall Manager (AFM) so that events reach ArcSight in Common Event Format (CEF). The key points:

**Configuring Logging Profiles:**

1. **Ensure Licensing**: Make sure IP Address Intelligence (PA-F5-IPIN) is licensed and enabled on the BIG-IP system.
2. **Navigate to Virtual Servers**: On the Main tab, go to Local Traffic > Virtual Servers.
3. **Select Virtual Server**: Click the virtual server you wish to modify.
4. **Access Policies**: From the Security menu, select Policies.
5. **Configure Logging Profile**: On the Policy Settings and Rules screen, set Log Profile to Enabled, then move the desired profiles from the Available list to the Selected list under the Profile setting.
6. **Save Changes**: Click Update to save your configuration.

**Disabling Logging:**

1. **Navigate to Virtual Servers**: On the Main tab, go to Local Traffic > Virtual Servers.
2. **Select Virtual Server**: Click the virtual server you wish to modify.
3. **Access Policies**: From the Security menu, select Policies.
4. **Disable Logging**: On the Policy Settings and Rules screen, set Log Profile to Disabled.
5. **Save Changes**: Click Update to confirm. To re-enable logging, change Disabled back to Enabled.

**Optional Information:**

This procedure applies to BIG-IP systems with IP Address Intelligence licensed and enabled. The resulting event logs give operators the detail they need to identify and respond to threats, and they supply ArcSight (or another log monitoring service) with the data for a complete view of network traffic and security events.

**Output Examples:**

  • **Example 1**: Event Logs - shows the types of logged information available.

  • **Example 2**: Event Inspector detailed information - provides more granular details about individual logged events.

These steps ensure that the BIG-IP system logs the selected network firewall events, providing essential data for security analysis and response.

**Remote Logging Format for AFM on ArcSight:**

The remote logging format for AFM (Advanced Firewall Manager) on ArcSight servers uses specific field names and values:

  • **src_ip**: Source IP address

  • **src_port**: Source port

  • **dest_ip**: Destination IP address

  • **dest_port**: Destination port

  • **ip_protocol**: Transport protocol (e.g., TCP, UDP)

  • **date_time**: Date and time of the event

  • **acl_rule_name**: ACL rule name

  • **vlan**: VLAN interface name

  • **Global**: Global settings

  • **acl_policy_type**: Type of policy

  • **acl_policy_name**: Name of the security policy

  • **drop_reason**: Reason for the action (e.g., "Reject", "Drop")

  • **route_domain**: Route domain number

These fields show the specific action the BIG-IP system took, such as dropping a packet or allowing traffic, based on the configured rules. The logs are built from predefined templates similar to those used for CEF (Common Event Format) and are mapped to the corresponding ArcSight data fields by the F5 BIG-IP AFM Connector. This standardized logging integrates easily with existing SIEM systems like ArcSight and improves security operations and incident response.

Details:

The "CEF Connector Configuration Guide" is intended solely for informational purposes and may change without notice. It documents HP's ArcSight CEF connector, which complies with the HP ArcSight Common Event Format (CEF) requirements, so that events processed by the connector are correct and suitable for use in HP's ArcSight products, including categorization according to standard SmartConnector requirements. The document also gives support information for F5 Networks' Advanced Firewall Manager (AFM) version 11.4.1: customer service contact details and a brief overview of F5's support channels (phone, email, DevCentral, and documentation).

The guide explains how to configure F5 BIG-IP Advanced Firewall Manager (AFM) for ArcSight event collection. The connector runs on Windows, Linux, and Solaris and supports device versions from v11.4.1 onwards. AFM is a high-performance, stateful, full-proxy network firewall that protects networks against threats carried over common protocols such as HTTP/S, SMTP, DNS, and FTP.

For ArcSight log collection, the guide has you configure a logging profile together with a pool, a publisher, and a virtual server: the pool defines the remote log servers, the publisher (through its destinations) determines where and in what format the information is sent, and the virtual server is where the logging profile is applied so that the BIG-IP system logs security events for the traffic it processes. The objects needed are:

1. A pool of remote log servers, so that log messages can be sent to multiple destinations.
2. An unformatted log destination of type Remote High-Speed Log that points at that pool.
3. A formatted log destination for ArcSight, which formats logs into the required Common Event Format (CEF) and forwards them to the remote destination.
4. A publisher that sends logs to the specified destinations.
5. A custom Logging profile that enables logging of user-specified data at a user-specified level and associates it with a log publisher.
6. An LTM virtual server that associates the custom Logging profile with the BIG-IP system's security event logging.

These settings let a BIG-IP system log security events for the traffic its virtual servers process and forward them to ArcSight using remote high-speed logging.

**A. Creating a Pool of Remote Logging Servers:**

First gather the IP addresses of the intended log servers and make sure they are configured to receive logs from the BIG-IP system. Then create the pool:

1. On the Main tab, navigate to Local Traffic > Pools and click Create to open the New Pool screen.
2. In the Name field, enter a unique name for the pool.
3. Add the remote logging servers as members by entering their IP addresses and service ports, making sure the correct remote logging port is configured.
4. Click Add after each member, then click Finished once all members have been added.

The Pool List and Pool Members should now appear as shown in Figures 2 and 3.

**B. Creating a Remote High-Speed Log Destination:**

This destination specifies that log messages are sent to the pool of logging servers created above.

1. Navigate to System > Logs > Configuration > Log Destinations and click Create when the Log Destinations screen appears.
2. In the Name field, enter a unique, identifiable name for this destination.

**C. Creating an ArcSight Formatted Remote Log Destination:**

1. **Navigate to Log Destinations:** Go to the Main tab > Logs > Configuration > Log Destinations.
2. **Create a New Destination:** Click "Create" and fill in the following details:

  • **Name**: Provide a unique, recognizable name for this destination.

  • **Type**: Select "ArcSight formatted logging destination."

3. **Configure Forwarding Settings:**

  • From the **Forward To** list, select the pool of ArcSight log servers to which you want logs sent.

4. **Finish Configuration:** Click "Finished" to complete the setup.

**D. Creating a Publisher:**

1. **Navigate to Log Publishers:** Go to the Main tab > Logs > Configuration > Log Publishers.
2. **Create a New Publisher:** Click "Create" and fill in the following details:

  • **Name**: Provide a unique, recognizable name for this publisher.

3. **Associate Destinations:**

  • In the **Destinations** setting, select the ArcSight destination from the Available list and click "<<<" to move it to the Selected list. This should match the name provided in section C above.

4. **Finish Configuration:** Click "Finished" to complete the setup. Follow all of the outlined steps carefully so that the logging configuration is set up correctly.

**Creating a Custom Logging Profile for Network Firewall Events:**

1. On the Main tab, navigate to Security > Event Logs > Logging Profiles. The Logging Profiles list screen opens.
2. Click "Create" to open the New Logging Profile screen.
3. In the Name field, enter a unique name for the profile.
4. Check the Network Firewall box.
5. In the Network Firewall area, from the Publisher list, select the publisher the BIG-IP system uses to log Network Firewall events.
6. For Log Rule Matches, choose whether to log packets that match ACL rules with Accept, Drop, or Reject actions.
7. Check the Log IP Errors box to log IP error packets.
8. Check the Log TCP Errors box to log TCP error packets.
9. Check the Log TCP Events box to log the opening and closing of TCP sessions.
10. From the Storage Format list, select how the BIG-IP system formats the log message:

  • None (default format)

  • Field-List (choose fields from a list, specify order, and set delimiter)

  • User-Defined (customize field list and order via text input)

11. In the IP Intelligence area, select the publisher that logs source IP addresses based on an IP Address Intelligence database.

**Configuring Logging Profiles:**

1. **Ensure Licensing**: Ensure IP Address Intelligence (PA-F5-IPIN) is licensed and enabled on the BIG-IP system.
2. **Navigate to Virtual Servers**: On the Main tab, go to Local Traffic > Virtual Servers.
3. **Select Virtual Server**: Click the virtual server you wish to modify.
4. **Access Policies**: From the Security menu, select Policies.
5. **Configure Logging Profile**: On the Policy Settings and Rules screen, set Log Profile to Enabled, then move the desired profiles from the Available list to the Selected list under the Profile setting.
6. **Save Changes**: Click Update to save your configuration.

**Disabling Logging:**

1. **Navigate to Virtual Servers**: On the Main tab, go to Local Traffic > Virtual Servers.
2. **Select Virtual Server**: Click the virtual server you wish to modify.
3. **Access Policies**: From the Security menu, select Policies.
4. **Disable Logging**: On the Policy Settings and Rules screen, set Log Profile to Disabled.
5. **Save Changes**: Click Update to confirm. To re-enable logging, change Disabled back to Enabled.

**Optional Information:**

This procedure applies to BIG-IP systems with IP Address Intelligence licensed and enabled. The resulting event logs give operators the detail they need to identify and respond to threats, and they supply ArcSight (or another log monitoring service) with the data for a complete view of network traffic and security events.

**Output Examples:**

  • Example 1: Event Logs - Demonstrates the types of logged information available.

  • Example 2: Event Inspector detailed information - Provides more granular details about logged events for inspectors.

These steps ensure that the BIG-IP system logs the selected network firewall events, providing essential data for security analysis and response.

**Remote Logging Format for AFM on ArcSight:**

The guide then documents the remote logging format AFM uses for firewall-module events sent to ArcSight in the Common Event Format (CEF), including examples of "Reject" and "Drop" AFM log messages. The messages are built from predefined CEF templates in which each field carries a specific label, such as 'dvchost', 'src', 'spt', 'dst', 'dpt', 'proto', and 'act', so that network events can be categorized by event type and by the device involved (for example, F5 Advanced Firewall Module).

The guide goes on to describe the AFM ArcSight Event Messages and Attack Types, listing the fields present in these logs, which follow the same predefined CEF-style templates. This section explains the formats AFM provides to ArcSight for firewall-module events; the format is designed to expose key details such as timestamps, IP addresses, protocol types, and descriptions of the action taken. Standardized logging of this kind integrates easily with existing SIEM (Security Information and Event Management) systems like ArcSight and improves security operations and incident response.

The remote logging format for AFM (Advanced Firewall Manager) on ArcSight servers uses specific field names and values to log information from F5 BIG-IP systems: the action taken, the IP addresses and ports involved, device product information, protocol, severity, and more. The data is sent to the remote ArcSight system using vendor-specific event definitions, which the F5 BIG-IP AFM Connector maps to the corresponding ArcSight data fields.

Each logged BIG-IP event records the following details:

  • **src_ip**: source IP address

  • **src_port**: source port

  • **dest_ip**: destination IP address

  • **dest_port**: destination port

  • **ip_protocol**: transport protocol

  • **date_time**: date and time of the event

  • **acl_rule_name**: ACL rule name

  • **vlan**: VLAN interface name

  • **Global**: global settings

  • **acl_policy_type**: type of policy

  • **acl_policy_name**: name of the security policy

  • **drop_reason**: reason for the action performed

  • **route_domain**: route domain number

These details show the specific action the BIG-IP system took, such as dropping a packet or allowing traffic, based on the configured rules.
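As an added illustration (not code from the guide or from F5), the following Python parses AFM CEF messages of the kind described above, resolves the custom-field labels to the AFM field names in the table, and picks out the Drop/Reject events a SIEM analyst would triage first. The sample messages, hostnames, addresses and rule names are constructed, and carrying the AFM-specific fields in csN/cnN keys with *Label names is an assumption about the connector's mapping.

```python
import re
# Constructed sample AFM CEF messages (made-up hostnames, addresses and rule names, not from the guide).
# Header layout and dvchost/src/spt/dst/dpt/proto/act keys are as the guide names them; csN/cnN keys are assumed.
SAMPLE_LINES = [
    "CEF:0|F5|Advanced Firewall Module|11.4.1|23003137|Network Event|8|rt=Apr 08 2025 10:15:00 "
    "dvchost=bigip1.example.test act=Drop src=203.0.113.10 spt=51234 dst=192.0.2.5 dpt=22 proto=TCP "
    "cs1=/Common/deny_ssh cs1Label=acl_rule_name cs2=Global cs2Label=acl_policy_type cs3=/Common/global_policy "
    "cs3Label=acl_policy_name cs4=Policy cs4Label=drop_reason cs5=/Common/external cs5Label=vlan "
    "cn1=0 cn1Label=route_domain msg=matched\\=deny_ssh",
    "CEF:0|F5|Advanced Firewall Module|11.4.1|23003137|Network Event|8|rt=Apr 08 2025 10:15:03 "
    "dvchost=bigip1.example.test act=Accept src=198.51.100.7 spt=33000 dst=192.0.2.5 dpt=443 proto=TCP "
    "cs1=/Common/allow_https cs1Label=acl_rule_name cs2=Global cs2Label=acl_policy_type "
    "cs3=/Common/global_policy cs3Label=acl_policy_name cs5=/Common/external cs5Label=vlan "
    "cn1=0 cn1Label=route_domain",
]
HEADER_KEYS = ["cef_version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
PIPE_RE = re.compile(r"(?<!\\)\|")                # header separator: a pipe not escaped as \|
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # extension "key=" at start or after whitespace
# CEF keys the guide names -> the AFM field names from the guide's field table
CEF_TO_AFM = {"src": "src_ip", "spt": "src_port", "dst": "dest_ip", "dpt": "dest_port",
              "proto": "ip_protocol", "rt": "date_time"}
def _unescape(s):
    return re.sub(r"\\([\\|=])", r"\1", s)       # undo the CEF escapes \| \= \\

def parse_cef(line):
    """Split a CEF message into its seven header fields and a dict of extension key/values."""
    parts = PIPE_RE.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    # drop the "CEF:" prefix so the first header field is just the version
    header = dict(zip(HEADER_KEYS, (_unescape(p) for p in [parts[0][4:], *parts[1:7]])))
    ext, keys = {}, list(KEY_RE.finditer(parts[7]))
    for i, m in enumerate(keys):                  # a value runs until the next " key="
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        ext[m.group(1)] = _unescape(parts[7][m.end():end].strip())
    return header, ext

def to_afm_fields(ext):
    """Rename CEF keys to AFM names and resolve csN/cnN custom fields through their *Label keys."""
    fields = {CEF_TO_AFM.get(k, k): v for k, v in ext.items() if not k.endswith("Label")}
    for k, label in ext.items():
        if k.endswith("Label") and k[:-5] in fields:
            fields[label] = fields.pop(k[:-5])
    return fields

def blocked_events(lines):
    """(src_ip, dest_port, acl_rule_name, drop_reason) for every event whose action is Drop or Reject."""
    rows = [to_afm_fields(parse_cef(line)[1]) for line in lines]
    return [(f["src_ip"], int(f["dest_port"]), f["acl_rule_name"], f["drop_reason"])
            for f in rows if f.get("act") in ("Drop", "Reject")]
```

Values with spaces (such as `rt`) are handled because a CEF extension value extends to the next `key=` token, which is why `=` and `|` must be escaped inside values.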

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
