F5 Networks BIG-IP ASM CEF Configuration Guide 2013
- Pavan Raja
- Apr 8, 2025
- 13 min read
Summary:
This description outlines the integration between F5 Networks' Advanced Security Manager (ASM) and ArcSight SmartConnectors for logging purposes. The format for remote logging is specified with various fields that need to be filled based on the detected attacks and other relevant details from the BIG-IP ASM system. Here’s a breakdown of the key information:
### 1. Device Type
Indicates that the log entry comes from an F5 Networks device, specifically its ASM or PSM (Protocol Security Module) component. The placeholder is replaced with "ASM" or "PSM".
### 2. BIG-IP Software Version
Captures the version of the BIG-IP software that generated the log entry. The placeholder "%s BIG-IP software version" is replaced with the actual version number.
### 3. Attack Description
Two placeholders, both "%s IP Enforcer attack", describe the IP Enforcer attack; they are replaced with the type of attack that was detected (e.g., "DDoS", "Protocol Attack", etc.).
### 4. ArcSight Severity Level
A numeric value from 2 to 8 representing the severity of the detected anomaly. The placeholder "%d ArcSight severity level" is replaced with this number.
### 5. BIG-IP System Host Name and Management IP Address
The host name of the system ("dvchost BIG-IP system host name") and its management IP address ("dvc BIG-IP system management IP address") are filled with the actual values from the BIG-IP system.
### 6. Policy and Application Details
The security policy in effect at the time of the event ("%policy_name") and the web application name ("%web_application_name").
### 7. Date and Time
The date and time when the Apply Policy operation was last performed ("%policy_apply_date"), taken from the ASM logs.
### 8. Attack Identifier and Status
The unique identifier of the attack ("%attack_id") and its status, which is Started, Ended, or Ongoing ("%attack_status").
### 9. Client IP Address and Geo-location
The source IP address of the client making the request ("%src") and its geographical location ("%geo_location").
### 10. Dropped Requests
The number of requests dropped since the last report, i.e. the delta of the drops counter ("%dropped_requests"), as counted by the BIG-IP ASM system.
This structured log format is what allows F5 Networks' security events to be ingested by ArcSight for network monitoring and threat analysis.
Details:
The "CEF Connector Configuration Guide" is intended solely for informational purposes and outlines the requirements for HP ArcSight CEF connectors to process events correctly within HP's ArcSight product. It specifies that the event format complies with HP's standards, meets SmartConnector requirements, and categorizes events appropriately for use in correlation rules, reports, and dashboards as a proof-of-concept (POC) of the joint solution between HP and F5 Networks.
The guide includes revision history indicating updates were made on specific dates to reflect new versions, such as version 10.1 certified by HP Enterprise Security on April 2, 2011, and version 11.2 certified in February 2013. It also provides support information for when issues are outside the ArcSight team's ability to resolve; in such cases, F5 Networks should be contacted for assistance through various communication channels including phone, email, and DevCentral access.
This document is an F5 BIG-IP Application Security Manager (ASM) configuration guide for syslog event collection. It outlines how to configure ASM for Windows, Linux, and Solaris platforms, supporting devices starting from version 10.1. The primary function of the BIG-IP ASM is to protect business applications using a web application firewall and comprehensive security policies.
BIG-IP ASM supports ArcSight logs by configuring a logging profile that formats log information for ArcSight's Common Event Format (CEF). Logs are stored on remote logging servers with settings predefined for ArcSight. The configuration involves setting up two parts: storage configuration (where the logs are stored, locally and/or remotely) and a storage filter (which determines what information is stored).
When configuring BIG-IP's ASM for ArcSight support, additional components include creating a logging profile, configuring a storage filter, setting event severity levels, and specifying the logging profile for web applications. Logging profiles determine how request, response, and violation data are stored in security policies. When setting up a security policy, select a logging profile accordingly.
This guide provides a step-by-step process to configure logging profiles for external log management in an ArcSight ESM (Enterprise Security Manager). It emphasizes that F5 Networks is not responsible for configuring or maintaining external logging servers. The steps include:
1. Navigate to the Logging Profiles section on the Main tab under Application Security and Options.
2. Click 'Create' to initiate a new logging profile setup.
3. Set the configuration setting to 'Advanced'.
4. Assign a unique name for the profile.
5. Decide whether local storage should be used; this is optional.
6. Optionally, ensure that system logs are guaranteed even under resource competition by selecting 'Guarantee Local Logging'. This might affect web application server access speed.
7. Select an option from the Response Logging list: Off (do not log), For Illegal Requests Only, or For All Requests. Adjust based on request types being logged.
8. Enable Remote Storage and choose ArcSight as the storage type.
9. Set the protocol to TCP (the default), TCP-RFC3195, or UDP.
10. Specify one or more ArcSight server IP addresses together with a port number (default 514), and click 'Add' for each server.
11. For the Remote storage type, select the facility category of the logged traffic in the Facility setting.
The remaining logging-profile settings cover the syslog facility (LOG_LOCAL0 through LOG_LOCAL7), the storage format, size limits and anomaly reporting, and how the finished profile is applied:
1. **Logging Profile Creation:**
   - Possible facility values are LOG_LOCAL0 through LOG_LOCAL7.
   - If several security policies are in use, they can share the same remote logging server, with a different facility per policy used to tell the logs apart.
2. **Remote Storage Type Configuration:**
   - In the Storage Format setting of a Remote storage type, you can customize how log data is displayed, which traffic items are logged, and their order in the log.
3. **Optional Settings:**
   - Additional parameters include Maximum Request Size, Maximum Headers Size, Maximum Query String Size, and Maximum Entry Length. Refer to the online F5 Help for details.
4. **Anomaly Reporting:**
   - Enable Report Detected Anomalies to automatically send a report string to the remote log when an attack of certain types (brute force, denial of service, IP enforcement, web scraping) begins or ends.
5. **Applying Logging Profiles:**
   After creating a logging profile, apply it to a security policy:
   - Navigate to Security Policies on the Main tab and select the desired policy.
   - Click the name of the policy, then choose the new or existing profile from the Logging Profile list.
   - Click Update to apply the profile.
6. **Configuring Storage Filters:**
   To configure a storage filter for an existing logging profile:
   - Expand Application Security, point to Options, and click Logging Profiles.
   - Click the name of the profile you wish to edit.
   - For the Storage Filter setting, choose Advanced to show the additional settings.
In the storage filter, specify the criteria and choose whether a request must match any of them ("OR") or all of them ("AND"); this is done on the Edit Logging Profile screen. Next, select the request types that determine what is logged: HTTP or HTTPS protocols, specific response status codes, and HTTP methods. You can also log only requests that contain a specific string. Finally, click Update; the list of logging profiles can then be refreshed to show the change.
To customize the event severity levels for security policy violations, on the Main tab expand Application Security, point to Options, and from the Advanced Configuration menu choose Severities. Adjust the severity of each violation as needed, from Informational to Emergency. Changes apply globally to all security policies.
The text discusses configuring a web application's security settings using the Application Security Manager (ASM). It explains that a web application is a logical representation of application traffic, which is protected with a security policy when an application security class is created. ASM provides configuration information for this web application, and its properties help refine how ASM processes requests for the web application.
To specify the logging profile for a web application:
1. Navigate to the Application Security Manager interface and expand "Application Security" then click on "Web Applications."
2. Select the desired web application from the list by clicking its name.
3. On the Web Application Properties screen, select a logging profile from the dropdown menu.
4. Click the "Update" button to apply any changes made to the configuration.
Additionally, the text provides information on how ASM sends relevant data to ArcSight for threat mitigation, including different formats for various types of threats such as DoS attacks, brute force attacks, IP Enforcer issues, and web scraping. This information is intended to help in interpreting the logs provided by ASM for ArcSight.
The guide then documents the standard remote logging format used to report denial of service (DoS) anomaly details to reporting servers. It includes the host name and management IP address of the BIG-IP system, the name of the web application, the security policy applied and its apply date, the type of attack, the attacked URL or login point, a unique attack identifier, the status of the attack, the operation mode (transparent or blocking), the detection modes (such as increased TPS or latency), the detected averages over time, the current mitigation method, lists of the IP addresses and URLs involved, the timestamp of the report, and a severity rating.
The format is presented in two parts: a key-value form for reporting servers, and a Common Event Format (CEF) form for ArcSight whose header carries the vendor name "F5", the product type "%s" (ASM or PSM), the version "%s", the event class "%s", and the device host name "%s". The specific values for these fields are detailed in the table.
Table 2 details the fields of the DoS anomaly logging format for ArcSight servers: ASM or PSM, BIG-IP software version, DoS attack type, ArcSight severity level, host name, management IP address, security policy name, web application name, policy apply date, action mode (Alerted or Blocked), unique attack identifier, attack status, attacked login URL, client IP address, geographical location, detection mode (TPS Increased, Latency Increased, or Number of Failed Logins Increased), current date and time, and the detected historical averages.
The next section covers the remote logging format for Brute Force anomalies. Its fields (unit hostname, management IP address, web application name, policy name, policy apply date, anomaly attack type, and so on) are all formatted as "%s", giving a standardized way of logging these anomalies to ArcSight.
The remote logging format for Brute Force anomalies on reporting servers is described in two tables. Table 3 lists the fields and their values, including unit_hostname, management_ip_address, web_application_name, policy_name, policy_apply_date, anomaly_attack_type, uri, attack_id, attack_status, operation_mode, detection_mode, detection_average, current_mitigation, ip_list, url_list, date_time, and severity. CEF format for these anomalies includes fields such as dvchost, dvc, cs1 (policy_name), cs2 (web_application_name), deviceCustomDate1 (policy_apply_date), act (attack_status), cn3 (attack_id), and cs4 (anomaly_attack_type).
The provided information outlines the remote logging format for two types of anomalies in ArcSight systems: Brute Force attacks and Web Scraping attacks. Both formats use a similar structure but with distinct field values as detailed below:
**Brute Force Anomalies Logging Format:**
This format is used to log details about brute force attack attempts on login pages, capturing data such as the ASM or PSM version, BIG-IP software version, type of attack (e.g., Source IP-Based Client Side Integrity Defense), ArcSight severity level, BIG-IP system host name and management IP address, security policy name and application name, date and time of last policy apply operation, action mode (Alerted or Blocked), unique attack identifier, current status of the attack (Started, Ended, or Ongoing), attacked login URL, client IP address, geographical location, detection mode (TPS Increased or Latency Increased/Number of Failed Logins Increased), current date and time, average detection metrics for TPS, latency, and failed logins, and number of dropped requests since the last report.
**Web Scraping Attack Logging Format:**
This format is used to log details about web scraping attacks, including unit hostname, management IP address, web application name, security policy name, date of applying the policy, type of anomaly (web scraping), unique attack identifier, status of the attack (Started, Ended, or Ongoing), operation mode (Alerted or Blocked), source IP address and port number, current date and time, and severity level.
Both formats give ArcSight the details needed to analyse and respond to brute force and web scraping incidents.
Two logging formats are defined for reporting Web Scraping Attack anomalies.
1. **Remote Logging Format for Reporting Servers**: Described in Table 5, this is the key-value format sent to reporting servers. Key fields include:
   - `unit_hostname`: The host name of the BIG-IP system.
   - `management_ip_address`: The management IP address of the BIG-IP system.
   - `web_application_name`: The name of the web application accessed during the attack.
   - `policy_name`: The name of the security policy active at the time of the attack.
   - `policy_apply_date`: The date and time when the policy was last applied.
   - `anomaly_attack_type`: Identifies the event as a web scraping attack.
   - `attack_id`: A unique identifier for the attack.
   - `attack_status`: Whether the attack has started, ended, or is ongoing.
   - `operation_mode`: Whether the policy was in transparent or blocking mode during the attack.
   - `source_ip`: Client IP address, geographical location, drop counter, and violation counter.
   - `date_time`: The date and time when the log entry was created.
   - `severity`: The severity of the anomaly.
2. **Remote Logging Format for ArcSight Servers**: Detailed in Table 6, this is the CEF format, with fields specific to ArcSight:
   - `%s ASM or PSM`: Whether the source is ASM (Application Security Manager) or PSM (Protocol Security Module).
   - `%s BIG-IP software version`: The version of the BIG-IP software.
   - `%s Web scraping attack`: Identifies the event as a web scraping attack.
   - `%d ArcSight severity level (2-8)`: The severity on ArcSight's scale, from 2 to 8.
   Other fields such as `dvchost`, `dvc`, `policy_name`, `web_application_name`, and the rest match those of the reporting-server format, with slight variations for ArcSight.
These formats allow web scraping attacks to be monitored and analysed centrally across systems.
The guide then gives the remote logging formats for Web Scraping Attack and IP Enforcer anomalies. For Web Scraping Attack anomalies the fields are unit_hostname, management_ip_address, web_application_name, policy_name, policy_apply_date, anomaly_attack_type, attack_id, attack_status, operation_mode, source_ip, date_time, and severity. For IP Enforcer anomalies two formats are given:
1. **Reporting-server format**: unit_hostname, management_ip_address, web_application_name, policy_name, policy_apply_date, anomaly_attack_type, attack_id, attack_status, operation_mode, source_ip (with client_ip_addr and geo_location), date_time, and severity.
2. **ArcSight CEF format**: unit_hostname, management_ip_address, web_application_name, policy_name, anomaly_attack_type, attack_id, attack_status, operation_mode, source_ip (with geo_location), dropped_requests, date_time, and severity.
These formats report the type and status of the attack, the IP addresses involved, their geographical location, and the severity.
The passage provides a detailed description of how remote logging is configured for IP Enforcer anomalies on ArcSight servers using the BIG-IP ASM system from F5 Networks. It outlines the fields and their values that are transmitted to the ArcSight SmartConnector, which then maps this information to specific ArcSight data fields.
The remote logging format includes several key pieces of information:
1. **Device Type**: Indicated by a placeholder in the table (%s ASM or PSM), filled with the actual device type.
2. **BIG-IP Software Version**: The version of the BIG-IP software that generated the log entry (%s BIG-IP software version).
3. **Attack Description**: Two header placeholders carry the IP Enforcer attack description (%s IP Enforcer attack) and are replaced with the type of attack detected.
4. **ArcSight Severity Level**: A numeric value representing the severity level of the detected anomaly on a scale from 2 to 8 (%d ArcSight severity level).
5. **BIG-IP System Host Name and Management IP Address**: The host name of the BIG-IP system and its management IP address are captured here (dvchost BIG-IP system host name, dvc BIG-IP system management IP address).
6. **Policy and Application Details**: Includes the name of the security policy currently active (%policy_name) and the web application name in use at the time of the event (%web_application_name).
7. **Date and Time**: The date and time when the Apply Policy operation was last performed is recorded as %policy_apply_date.
8. **Attack Identifier and Status**: Includes a unique identifier for the attack (%attack_id) and its current status, whether it has started, ended, or is ongoing (%attack_status).
9. **Client IP Address and Geo-location**: The source IP address of the client making the request (%src), as well as geographical location information (%geo_location), are also recorded.
10. **Dropped Requests**: The number of dropped requests since the last report, showing the delta value for the drops counter (%dropped_requests).
This setup is crucial for monitoring and managing security events across multiple devices efficiently using ArcSight's capabilities. It allows detailed tracking and analysis of potential threats and anomalies detected by the BIG-IP ASM system, ensuring robust incident response and improved network security posture.
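As an added example (not code from the F5 guide or from ArcSight), the following Python parser reads ASM anomaly events in the CEF layout described for Table 3 and the IP Enforcer ArcSight format above, validates the documented vendor, product and 2-8 severity range, and correlates Started/Ongoing/Ended statuses by attack identifier. The CEF escaping rules are assumed, and the sample event lines (host names, addresses, policy names) are constructed.

```python
"""Parse BIG-IP ASM anomaly events in ArcSight CEF and correlate the attack lifecycle.
Added example, not from the F5 guide or ArcSight; CEF escaping rules are assumed, samples constructed."""
import re
from collections import namedtuple

# Constructed samples: a brute force attack that starts and ends, a DoS attack still
# ongoing, and a web scraping event whose severity lies outside the documented 2-8 range.
SAMPLE_EVENTS = [
    "CEF:0|F5|ASM|11.2|Brute Force Attack|Brute Force Attack|6|dvchost=bigip1.example.test "
    "dvc=192.0.2.10 cs1=login_policy cs2=portal deviceCustomDate1=Mar 18 2013 10:12:00 "
    "act=Started cn3=1001 cs4=Brute Force Attack src=198.51.100.7",
    "CEF:0|F5|ASM|11.2|Brute Force Attack|Brute Force Attack|6|dvchost=bigip1.example.test "
    "dvc=192.0.2.10 cs1=login_policy cs2=portal act=Ended cn3=1001 cs4=Brute Force Attack "
    "src=198.51.100.7",
    "CEF:0|F5|ASM|11.2|DoS Attack|TPS Increased|8|dvchost=bigip1.example.test dvc=192.0.2.10 "
    "cs1=shop_policy cs2=shop act=Ongoing cn3=2002 cs4=DoS Attack src=203.0.113.9",
    "CEF:0|F5|ASM|11.2|Web Scraping|Web Scraping|1|dvchost=bigip1.example.test dvc=192.0.2.10 "
    "cs1=shop_policy cs2=shop act=Started cn3=3003 cs4=Web Scraping src=203.0.113.44",
]

# Header fields, then the extension dict: dvchost, dvc, cs1=policy_name, cs2=web_application_name,
# deviceCustomDate1=policy_apply_date, act=attack_status, cn3=attack_id, cs4=anomaly_attack_type, src
AsmEvent = namedtuple("AsmEvent", "vendor product version event_class name severity ext")
# key=value pairs; a value may contain spaces and runs until the next " key=" or end of line
_EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)")
_UNESCAPE = {"\\=": "=", "\\\\": "\\", "\\n": "\n", "\\r": "\r"}

def split_header(line):
    """Split the seven pipe-delimited header fields, honouring \\| and \\\\ escapes."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped character: keep it literally
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    return fields, line[i:]   # remainder is the extension

def parse_extension(ext):
    """Parse extension pairs, unescaping \\= \\\\ \\n \\r inside values."""
    unescape = lambda v: re.sub(r"\\[=\\nr]", lambda m: _UNESCAPE[m.group(0)], v)
    return {k: unescape(v) for k, v in _EXT_PAIR.findall(ext)}

def parse_cef(line):
    fields, ext = split_header(line)
    if fields[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    return AsmEvent(fields[1], fields[2], fields[3], fields[4], fields[5],
                    int(fields[6]), parse_extension(ext))

def validate(ev):
    """Problems a collector should flag before trusting the event."""
    problems = []
    if ev.vendor != "F5" or ev.product not in ("ASM", "PSM"):
        problems.append("unexpected vendor/product")
    if not 2 <= ev.severity <= 8:                 # guide: ArcSight severity level 2-8
        problems.append(f"severity {ev.severity} outside 2-8")
    problems += [f"missing {k}" for k in ("dvchost", "dvc", "cs1", "cs2", "act", "cn3", "cs4")
                 if k not in ev.ext]
    return problems

def open_attacks(lines):
    """Correlate by attack_id (cn3); an attack stays open until an 'Ended' status arrives."""
    latest = {}
    for ev in map(parse_cef, lines):
        latest[ev.ext["cn3"]] = (ev.ext["cs4"], ev.ext["act"], ev.ext.get("src"))
    return {aid: v for aid, v in latest.items() if v[1] != "Ended"}
```

Running `open_attacks(SAMPLE_EVENTS)` leaves only the DoS and web scraping attacks open, since the brute force attack 1001 received an Ended event.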
The provided text summarizes information related to network traffic analysis, including details such as HTTP/HTTPS/FTP/SMTP protocols used, full URLs, URI with query strings (QS), server IP addresses, web application names, policy names, request data, and attack types. It also mentions the integration between HP ArcSight and F5, where a reporting package was developed for use in ArcSight ESM to enhance functionality. The text outlines steps for installing this content package within the ArcSight ESM Console.
Installing and verifying the ArcSight-F5 content package, with its reports and data visualization tools, proceeds as follows:
1. **Dialog Boxes**: Two dialog boxes appear, one listing the packages and another showing installation progress.
2. **Installation Steps**:
   - Leave the checkbox selected in the Packages for Installation dialog.
   - Click 'Next' in this dialog, then 'OK' in the subsequent import and install prompts.
3. **Completion of Install**: Once installed, open the Resources tab in the Navigator panel to verify the package contents.
4. **Content Verification**:
   - Choose Reports from the dropdown menu.
   - Open the "ArcSight Partner Sample Content" folder, then the "F5" group.
   - The included reports are AlertedViolationsPerWebApp, AttackTypesPerWebApp, BlockedViolationsPerWebApp, HTTPAttackSeverityPerWebApp, HTTPRequestStatusPerWebApp, and TopAttackers.
   - A dashboard with Data Monitors and Query Viewers is also provided: Top 10 Attackers (pie chart), Blocked Violations by Web Application (bar chart), and Top 10 Attacking Countries (event graph).
5. **Disclaimer**: The package is a proof of concept; it is not officially supported by HP ArcSight and is not included in any released product.
