Forum Discussion
Disable Firewall Event Logging for Traffic on a Forwarding Virtual Server.
I have a Forwarding (IP) virtual server, with SNAT Automap. Allowed sources is set to 172.16.0.0/16, and destination is 10.0.0.0/8. The Big-IP has AFM enabled (default deny), with a global policy, but no security policy on this virtual server.
In spite of that, the event logs (Security -> Event Logs -> Network -> Firewall) show many entries for traffic forwarding through this VS. The context is shown as "Virtual Server" and the "Policy Type" and "Policy Name" fields are empty. The majority of these entries are for clients hitting a particular server and port, which I specifically don't want to log, due to the volume.
Problem is, I can't find what setting is actually causing them to be logged in the first place. Can anyone shed light on this?
I already have a global-policy rule that allows 172.16.0.0/16 to that server and port without logging, but this doesn't stop the log entries in the virtual server context.
I temporarily added a security policy to the VS, with a similar rule to the one in the global policy, but that also failed to stop these entries appearing.
The virtual server has the default fastL4 profile, and no logging parameters that I can see.
Other modules enabled: LTM, GTM, ASM, APM.
- Richard_Karon (Employee)
Firewall logging is normally configured on a virtual under:
Local Traffic ›› Virtual Servers : Virtual Server List ›› <virtual server>
Select Security Tab:
Look under Log Profile for any profiles configured.
Then go to
Security ›› Event Logs : Logging Profiles
and click on the matching profile
Logging configuration is under the Network Firewall Enabled checkbox tab
Individual decisions on logging can be made for each created rule.
Security ›› Network Firewall : Policies ›› <rulename>
See the Logging state
- Gym (Cirrus)
Thanks Richard, but as I said:
"I already have a global-policy rule that allows 172.16.0.0/16 to that server and port without logging, but this doesn't stop the log entries in the virtual server context.
"I temporarily added a security policy to the VS, with a similar rule to the one in the global policy, but that also failed to stop these entries appearing."
- IRONMAN (Cirrostratus)
Hi James,
Your firewall rule action should be accept decisively. If it is accept only, it will go for the virtual server.