Forum Discussion
CirrusLogging all AFM Rules
Yes. The enablement of logging on the different firewall rules, will probably need to be scripted.
HSL (high speed logging), is just a destionation to send those logs. That is configured in the security logging profile under the "Publisher".
EmployeeI suggest extreme caution when looking to enable logging for every firewall rule in AFM. Depending on load, it could use considerable resources.
Also consider configuring High Speed Logging (HSL) to send logs directly to a SIEM. This will offload the local disk writes of regular logging. https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-12-0-0/4.html
K15368: The BIG-IP AFM system logs network firewall events using the logging profile associated with the network firewall rule. https://my.f5.com/manage/s/article/K15368
This article also has a ton of good information: K13723376: Troubleshooting | BIG-IP AFM operations guide; https://my.f5.com/manage/s/article/K13723376#link_05_01
To answer your original question, a script is probably your best approach. I would look for a TMSH command to modify an AFM rule to enable logging. Then, depending on your skillset, it could be as simple as listing all the AFM rules in text document or spreadsheet and wrapping that list in that command. Then you can apply it through the CLI, probably 20 at a time, or apply it all as a batch transaction. https://clouddocs.f5.com/cli/tmsh-reference/v16/modules/cli/cli_transaction.html
This could also be done via iControlREST but the cli is probably the quickest.
