Forum Discussion
AFM Logging without a Virtual Server Profile
Hi,
I am trying to view the logging for rules configured on our network firewall. All F5 documentation I have found ultimately points to applying a profile to a VIP. We are using this as a layer 4 firewall to protect the individual nodes and not a VIP. Could someone please direct me on how to accomplish this?
6 Replies
- Chris_Grant
Employee
If you are applying global rules then you need to modify the global-network logging profile to log to your intended destination. I know that we generally advise against modifying default profiles, but in this case it is the only way to log rules that are applied in a global context. Creating a child profile with global-network as the parent will not work.
Bear in mind that the AFM still requires a valid TMM listener to handle the traffic after it passes the firewall. BigIP is a default deny device and will not pass traffic unless configured to do so.
- Nfordhk_66801
Nimbostratus
Hi Chris,
I have seen the global-network profile. But I do not understand how to modify the destination. Is there a supporting document for me to review?
- Chris_Grant
Employee
I would start here: https://support.f5.com/kb/en-us/solutions/public/15000/300/sol15368/ Ultimately you will end up on the AFM implementation guide, but that is specific to your version. There are links to help you get there at the bottom of the above link. You will need to decide if you want to log locally or remotely. If you decide to log remotely be aware that you will need to send the traffic over a tmm interface rather than the management interface.
- Nfordhk_66801
Nimbostratus
This is really the step I can't seem to find. I've been searching for this for a while. "Ensure that each individual rule has its Logging setting set to Enabled." But I will not be attaching global to a virtual server. The global rules I have are for nodes. When I set up the global profile and its logging, it is not outputting any info on my global rules. They all say disabled. I feel like I've read quite a few F5 articles with no mention of it.
- Nfordhk_66801
Nimbostratus
There's this article, which shows global rules enabled for logging. But this is another scenario of applying to a VIP. https://devcentral.f5.com/questions/logs-afm
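The thread turns on the point that logging is only produced for a global rule when that rule's own Logging setting is enabled, and the original poster reports that every rule still shows "disabled". An added audit script (not from the thread and not F5's own tooling) that reads a tmsh-style listing of the global rules and reports every rule whose `log` attribute is missing or not `yes`. The SAMPLE text below is constructed to resemble `tmsh list security firewall global-rules` output; its rule names and exact layout are assumptions, and on a real unit you would pipe the actual listing in instead.

```shell
#!/bin/sh
# Added example: find global AFM rules that will never produce log entries
# because "log yes" is not set on the rule itself.
# SAMPLE is a constructed approximation of `tmsh list security firewall
# global-rules` output (rule names and layout are assumptions).
SAMPLE='security firewall global-rules {
    rules {
        allow-ssh-from-mgmt {
            action accept
            log yes
            place-before none
        }
        allow-https-to-nodes {
            action accept
            log no
        }
        deny-everything-else {
            action drop
        }
    }
}'

# Reads a tmsh listing on stdin and prints, one per line, the names of
# rules whose "log" attribute is absent or set to anything other than "yes".
# Depth 1 = global-rules block, depth 2 = rules block, depth 3 = one rule.
rules_without_logging() {
    awk '
        # A single-word line ending in "{" while inside the rules block
        # opens a new rule; remember its name and reset the log value.
        /^[[:space:]]*[^[:space:]{}]+[[:space:]]+\{$/ && depth == 2 { name = $1; logv = "" }
        /\{$/ { depth++ }
        # "log yes|no" inside a rule body.
        $1 == "log" && depth == 3 { logv = $2 }
        /^[[:space:]]*\}$/ {
            depth--
            # Leaving a rule block: report it unless logging is enabled.
            if (depth == 2) { if (logv != "yes") print name; name = "" }
        }
    '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | rules_without_logging
```

On a BIG-IP the same function can be fed with `tmsh list security firewall global-rules | rules_without_logging`; any rule it names is a rule the global-network logging profile will stay silent about, whatever publisher the profile points at.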