F5 VE in Azure - troubles with Sentinel integration
Hi!
I have an F5 Act/Stb cluster - 2 VMs in Azure with 2 traffic interfaces only (external, internal). I use BIG-IP 16.1.3 build 0.0.12
I'm trying for the first time in my life to integrate it with Sentinel and so far I have failed to do it successfully.
When following this article: https://my.f5.com/manage/s/article/K85539421 point by point:
- Install telemetry extension goes well. I have 1.32.0 build 2 version (downloaded today). curl check is successful
- Create iRule - done
- Create a pool to handle telemetry traffic - ends up with down by monitor. (Manual suggests to use tcp monitor).
I tried to support with hints from:
https://community.f5.com/t5/technical-articles/deploying-big-ip-telemetry-streaming-with-azure-sentinel-as-its/ta-p/278738 , where people suggest adding a static route via the internal VLAN:
net route telemetry {
    description "Allows monitor to work"
    interface /Common/internal
    network 255.255.255.254/32
}
or changing port lockdown mode:
"One more note: the self IP on the chosen VLAN you're using for routing the 255.255.255.254 traffic needs to allow TCP 6514, either by setting the "port lockdown" to NONE or adding a custom port."
I tried to finish the manual, so:
- Create a virtual server to listen for Telemetry traffic
- Create a request-log profile
- Attach the request logging profile to the virtual server
And when it comes to deploying the declaration (which I do via curl with a .json file), I get:
Has anyone passed through some manual integrating F5 with Azure Sentinel successfully?
Or maybe I'm making some obvious mistake here?
Thanks in advance for your help