Forum Discussion
Nikoolayy1
MVP
MVPKnowledge sharing: Advanced Logging and debugging for the F5 modules
For the different F5 issues related to the different F5 modules advanced logging can be enabled. There is an F5 general article for such tasks:
1. F5 BIG-IP LTM
For the f5 LTM advanced debug logging can be enabled or F5 iRule logging if the issue is with an irule:
- https://support.f5.com/csp/article/K15530
- https://support.f5.com/csp/article/K5532
- https://community.f5.com/t5/technical-articles/the101-logging-and-comments/ta-p/280832
2. F5 BIG-IP GTM/DNS
For F5 GTM/DNS if the issue is with bad DNS response from the F5 device the DNS logging profile can be placed to log DNS requests and DNS responses from example the local Bind. If there is Wide IP that has many load balancing options then Wide IP load balancing decisions can be logged globally or better yet just for the affected Wide IP:
- https://support.f5.com/csp/article/K65762138
- https://support.f5.com/csp/article/K25751652
- https://support.f5.com/csp/article/K14615
- https://techdocs.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-implementations-13-0-0/20.html
For iquery DNS communication between the F5 DNS/GTM devices in a cluster iqdump can be used:
Also there are DNS logs(big3d etc.) under global system logs for the f5 device:
3. F5 BIG-IP AFM
The AFM has a packet tracer utility that may show where is the issue with AFM rules or DDOS protection, also the AFM rules can log when they are matched and even the DDOS layer 3/4 attacks. Also the AFM IPS protocol inspection can log with action set to " Accept+Log".
- https://support.f5.com/csp/article/K15368
- https://support.f5.com/csp/article/K03094407
- https://clouddocs.f5.com/training/community/firewall/html/archive/archive1/lab2/step2.html
- https://support.f5.com/csp/article/K37718515
- https://support.f5.com/csp/article/K51266926
- https://support.f5.com/csp/article/K25265787
4. F5 BIG-IP ASM/Advanced WAF.
The F5 WAF needs a security logging profile to log much of the data needed for investigation (the learning suggestions are not related to the logs and the security logging profile but to the local SQL database) but if the logs will be local better to log just illegal requests and responses. For DDOS or Bot defense the Security Logging profile under F5 Virtual server should have those options enabled. Also generate ASM reports for false postives the Security logging profiles are needed.
- https://support.f5.com/csp/article/K58073501
- https://support.f5.com/csp/article/K37655278
- https://clouddocs.f5.com/training/community/firewall/html/archive/archive1/lab3/2a-03.html
- https://support.f5.com/csp/article/K11412315
- https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-1-0/13.html
5. F5 BIG-IP APM
For the F5 APM reports that show traffic for specfic user was processed and where the issue could be. For SSO or VDI seperate logging options need to be configured.
- https://support.f5.com/csp/article/K13095148
- https://support.f5.com/csp/article/K13394
- https://support.f5.com/csp/article/K24826763
- https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-secure-web-gateway-13-1-0/14.html
- https://support.f5.com/csp/article/K20320970
- https://support.f5.com/csp/article/K44555523
- https://support.f5.com/csp/article/K41437771
- https://support.f5.com/csp/article/K35932460
- https://support.f5.com/csp/article/K24756214
- https://support.f5.com/csp/article/K44555523
6. F5 BIG-IP Analytics and BIG-IQ.
The Analytics module can help discover web application issues, also BIG-IQ uses this module to provide advanced statistics for applications deployed from the BIG-IQ using AS3.
Sweet collection. Thanks for sharing buddy!
- Nikoolayy1I wanted to also add but I can't edit the article anymore:
For General BIG-IP logging see:
For CPU/MEMORY/DISK issues see:
For HTTP/HTTPS(SSL) issues see:
For failovers and crashes see:
-
F5 Edge Client VPN
Issues that I have seen is when the F5 APM device is upgraded to not be any longer compliant with the old VPN client on the user systems. Also I have seen issues with slowness for VOIP or file download and upload and the solution was to use DTLS not SSL for the VPN. For the F5 VPN solutions in many cases from the agent the diagnostics logs need to be gathered and reviewed as from the F5APM the logs could be not enough. Because the MTU of the installed Edge client agent can't be configured better to play with the Network Access Virtual server and it's TCP profiles if needed or try DTLS when there are issues.
- https://support.f5.com/csp/
article/K12444 - https://support.f5.com/csp/
article/K17421 - https://support.f5.com/csp/
article/K00819308 - https://support.f5.com/csp/
article/K11003574 - https://support.f5.com/csp/
article/K32311645 - https://support.f5.com/csp/
article/K0023152 - https://support.f5.com/csp/
article/K05847240
-
- LiefZimmerman
Admin
Forum Posts can be edited - but only for an hour. This is the default in order to protect the integrity of the thread - so a malicious user doesn't change their original post after a whole bunch of people have contributed - and invalidate the entire thread.
This post - will be converted into a CrowdSRC article; but that feature is not working right now. Hang tight and just keep adding any changes in thread like this. We'll get it sorted out. 😄
Thanks - GREAT stuff. Very helpful.
