Forum Discussion

shadow82
Mar 21, 2023

F5 VE in Azure - troubles with Sentinel integration

Hi!

I have an F5 Act/Stb cluster - 2 VMs in Azure with 2 traffic interfaces only (external, internal). I use BIG-IP 16.1.3 build 0.0.12.
I'm trying for the first time in my life to integrate it with Sentinel and so far I fail to do it successfully.

When following this article: https://my.f5.com/manage/s/article/K85539421 point by point:

  • Install telemetry extension goes well. I have 1.32.0 build 2 version (downloaded today). curl check is successful
  • Create iRule - done
  • Create a pool to handle telemetry traffic - ends up with down by monitor. (Manual suggests to use tcp monitor).
    I tried to support with hints from:

https://community.f5.com/t5/technical-articles/deploying-big-ip-telemetry-streaming-with-azure-sentinel-as-its/ta-p/278738 , where people suggest to add a static route via the internal VLAN:

net route telemetry {
    description "Allows monitor to work"
    interface /Common/internal
    network 255.255.255.254/32
}

or changing port lockdown mode:

"One more note: the self IP on the chosen VLAN you're using for routing the 255.255.255.254 traffic needs to allow TCP 6514, either by setting the "port lockdown" to NONE or adding a custom port."

I tried to finish the manual, so:

  • Create a virtual server to listen for Telemetry traffic
  • Create a request-log profile
  • Attach the request logging profile to the virtual server

And when it comes to deploying the declaration (which I do via curl with a .json file), I get:

Has anyone passed through some manual integrating F5 with Azure Sentinel successfully?
Or maybe I'm making some obvious mistake here?

Thanks in advance for your help

 
  • Hi shadow82 - are you still having the issue? I see nobody from the community has answered yet, so I've forwarded your post to some colleagues to try to get a reply for you. Let us know if you've figured it out in the meantime!

  • I'm having a similar experience. Despite my best efforts to follow the documentation or Azure support guidance, I'm getting the following error:
    Error: HTTP error: Error: connect ECONNREFUSED 169.254.169.254:80

    This is with managedidentity true configured. If I try with managedidentity false configured, and use workspace/shared key, I get this error:
    HTTP error: Error: connect ECONNREFUSED 20.140.200.227:443

    My F5s are in Azure. I'm trying to get the F5 data connector connected.

    Any thoughts or recommendations?