
shadow82
Mar 21, 2023

F5 VE in Azure - troubles with Sentinel integration

Hi!

I have an F5 Act/Stb cluster - 2 VMs in Azure with 2 traffic interfaces only (external, internal). I use BIG-IP 16.1.3 build 0.0.12
I'm trying for the first time in my life to integrate it with Sentinel and so far I have failed to do it successfully.

When following this article: https://my.f5.com/manage/s/article/K85539421 point by point:

  • Install telemetry extension goes well. I have 1.32.0 build 2 version (downloaded today). curl check is successful
  • Create iRule - done
  • Create a pool to handle telemetry traffic - ends up with down by monitor. (Manual suggests to use tcp monitor).
    I tried to support with hints from:

https://community.f5.com/t5/technical-articles/deploying-big-ip-telemetry-streaming-with-azure-sentinel-as-its/ta-p/278738 , where people suggest adding a static route via the internal VLAN:

net route telemetry {
    description "Allows monitor to work"
    interface /Common/internal
    network 255.255.255.254/32
}

or changing port lockdown mode:

"One more note: the self IP on the chosen VLAN you're using for routing the 255.255.255.254 traffic needs to allow TCP 6514, either by setting the "port lockdown" to NONE or adding a custom port."

I tried to finish the manual, so:

  • Create a virtual server to listen for Telemetry traffic
  • Create a request-log profile
  • Attach the request logging profile to the virtual server

And when it comes to deploying the declaration (which I do via curl with a .json file), I get:

Has anyone gone through a manual for integrating F5 with Azure Sentinel successfully?
Or maybe I'm making some obvious mistake here?

Thanks in advance for your help

 

2 Replies

  • Hi shadow82 - are you still having the issue? I see nobody from the community has answered yet, so I've forwarded your post to some colleagues to try to get a reply for you. Let us know if you've figured it out in the meantime!

  • I'm having a similar experience. Despite my best efforts to follow the documentation or Azure support guidance, I'm getting the following error:
    Error: HTTP error: Error: connect ECONNREFUSED 169.254.169.254:80

    This is with managedidentity true configured. If I try with managedidentity false configured, and use workspace/shared key, I get this error:
    HTTP error: Error: connect ECONNREFUSED 20.140.200.227:443

    My F5s are in Azure. I'm trying to get the F5 data connector connected.

    Any thoughts or recommendations?