Forum Discussion
F5 BIG-IP HSL configuration questions
Thank you for the answer; I will answer your questions.
1. What does your HSL::open look like?
- Created the <syslog_server_pool> pool for the remote log server and saved the generated debug log in syslog format.
<customer iRules summary>: **Don't worry about grammar; it's a summary for better understanding**
...
#1.
set hsl [HSL::open -proto UDP -pool syslog_server_pool]
set DEBUG 1
...
#2.
if { [class match $tls_servername contains Bypass-Host] } {
    if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Bypass-Host" }
}
...
#3.
} elseif { ... } {
    if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Bypass_Category" }
}
...
#4.
when CLIENTSSL_HANDSHAKE {
    if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Decryption" }
}
2. HSL and BIG-IP do not care if the destination IP is locally significant or n-number of hops away. If BIG-IP has a route for it, it'll work.
- But, as mentioned in the first task above, I set <syslog_server_pool> to a syslog server IP on a network more than one hop away (not mgmt) to send the debug logs, but only the <default send string>, which is the health check log, is saved; the actual debug log is not saved.
(In this case, since the syslog server is reached through a network of multiple hops, no self IP is set on the F5 for it.)
(No actual debug log packets appeared even in a tcpdump of all interfaces.)
- As a secondary task, I set the syslog server IP to an IP directly connected to an F5 interface, set <syslog_server_pool>, set a self IP, and confirmed that the debug log is saved normally. Judging from this, it was concluded that debug logs sent with HSL can be saved only on a local network where a self IP can be used.
So I think that when using HSL with the syslog_server_pool method, it cannot log to a network more than one hop away.
(Please exclude the method of using the global syslog setting in the GUI.)
3. On your #2 concern, I have no context with which to assess the issue. If you can state the overall goals, I can help propose a solution that will work.
<goal>
1. During SSL encryption/decryption, if the conditions are met, the following debug log is written: Solved
if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Bypass-Host"}
if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Bypass_Category"}
if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Decryption"}
<Actual log during decryption>
May 14 02:33:12 SSL_01.com info tmm17[25022]: Rule /Common/SSL_Forward_Bypass_Rule_real <CLIENTSSL_HANDSHAKE>: 10.237.12.87:55575 -> 203.133.167.14:443 shop-redapi.daum.net --Decryption
<Actual log at Host Bypass>
May 14 02:13:08 SSL_01.com info tmm4[25022]: Rule /Common/SSL_Forward_Bypass_Rule <CLIENT_DATA>: 10.237.12.87:56129 -> 172.217.175.228:443 www.google.com --Bypass-Host
<Actual log when Host Category match>
May 13 16:00:00 SSL_01.com info tmm12[25022]: Rule /Common/SSL_Forward_Bypass_Rule <CLIENT_DATA>: 10.237.12.87:64787 -> 39.115.2.214:443 game.daum.net --Bypass_Category
2. If the Bypass-Host condition is met, check which Bypass-Host policy entry the debug log was generated by
<iRule before Host-Bypass>: it is unknown which policy entry was matched for Bypass-Host
if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Bypass-Host" }
<Actual log before Host-Bypass>
May 14 02:13:08 SSL_01.com info tmm4[25022]: Rule /Common/SSL_Forward_Bypass_Rule <CLIENT_DATA>: 10.237.12.87:56129 -> 172.217.175.228:443 www.google.com --Bypass-Host
<iRule guidance required for after Host-Bypass>: I want to know which policy entry was matched for Bypass-Host
if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] [?????] $tls_servername --Bypass-Host" }
<Desired log after Host-Bypass>
May 14 02:13:08 SSL_01.com info tmm4[25022]: Rule /Common/SSL_Forward_Bypass_Rule <CLIENT_DATA>: 10.237.12.87:56129 -> 172.217.175.228:443 *.google.com www.google.com --Bypass-Host
<Example of Customer Bypass-Host Policy>
*.google.com
*.office365.com
*.microsoft.com
naver.com
...
There might be a problem with the setup, but there is no problem with HSL sending logs to an IP destination through a distant L3 network. If BIG-IP has a route to that pool member's destination, the traffic will be sent. So there might be an issue with your routes, or it just might be that your conditions for sending the logs are not being met in your iRule.
Stripping out the other requirements, you can make HSL work first, and then add the conditions with which you want it to work. Here are the very basic steps for HSL:
when CLIENT_ACCEPTED {
    set hsl [HSL::open -proto UDP -pool my_syslog_pool]
}
when LB_SELECTED {
    HSL::send $hsl "log message you want to send"
}
Another option is to actually define the log publishers and open HSL against a publisher instead of a pool as I show in this article.
Once you get that working reliably in your infrastructure, then I'd recommend adding your conditions and making sure they are matching. Could be case insensitivity issues, could be a logic error somewhere in there. Without seeing the sanitized iRule in its entirety, and not fully grokking your goals, nothing jumps out at me on what you provided.
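The following iRule is an added example, not code from either post or from F5: it follows the reply's "make HSL work first, then add the conditions" advice, and it also shows one way to record which data-group entry produced a host bypass (the thread's goal #2) by using `class match -name`, which returns the key of the matching data-group element. Everything below that the thread does not state is an assumption: the pool name `syslog_server_pool`, data groups named `Bypass-Host` and `Bypass-Category` whose keys are plain domain substrings (for example `google.com`, not `*.google.com`, so that the `contains` operator can match), SNI taken from the ClientHello with `SSL::extensions` in `CLIENTSSL_CLIENTHELLO` rather than the original `CLIENT_DATA` parsing, and `SSL::forward_proxy policy bypass` as the bypass action.

```tcl
# Added example iRule (not from the thread). Assumed names: syslog_server_pool,
# data groups Bypass-Host and Bypass-Category with bare-domain keys.

when RULE_INIT {
    # Set to 0 to silence every HSL::send without removing the code.
    set static::DEBUG 1
}

when CLIENT_ACCEPTED {
    # Step 1: open the HSL handle once per connection (UDP to the syslog pool).
    set hsl [HSL::open -proto UDP -pool syslog_server_pool]
    set tls_servername ""
    # "client -> vip" prefix in the same layout as the logs quoted above.
    set flow "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
    # Step 2: an unconditional message proves the transport (route, pool, port)
    # before any matching logic is involved. Remove once it shows up on the server.
    if { $static::DEBUG } { HSL::send $hsl "$flow --HSL-test" }
}

when CLIENTSSL_CLIENTHELLO {
    # Extension type 0 is server_name; skip the 9-byte header to get the host.
    if { [SSL::extensions exists -type 0] } {
        binary scan [SSL::extensions -type 0] @9A* tls_servername
        set tls_servername [string tolower $tls_servername]
    }
    if { $tls_servername eq "" } { return }

    # -name returns the matching data-group key (empty string on no match),
    # which is the "[?????]" field the question asks for.
    set bypass_key [class match -name $tls_servername contains Bypass-Host]
    if { $bypass_key ne "" } {
        if { $static::DEBUG } { HSL::send $hsl "$flow $bypass_key $tls_servername --Bypass-Host" }
        SSL::forward_proxy policy bypass
        return
    }

    set category_key [class match -name $tls_servername contains Bypass-Category]
    if { $category_key ne "" } {
        if { $static::DEBUG } { HSL::send $hsl "$flow $category_key $tls_servername --Bypass_Category" }
        SSL::forward_proxy policy bypass
        return
    }
}

when CLIENTSSL_HANDSHAKE {
    # Reached only for flows that were not bypassed, i.e. that are being decrypted.
    if { $static::DEBUG } { HSL::send $hsl "$flow $tls_servername --Decryption" }
}
```

With data-group keys stored as bare domains, `www.google.com` matches the key `google.com` and the HSL line reads `... google.com www.google.com --Bypass-Host`, so the syslog receiver can tell which policy entry fired. Note that `contains` is a substring match (`notgoogle.com` would also match `google.com`); if the policy must only allow subdomains, store keys as `.google.com` and use `ends_with` instead.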