For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

rodquin_211279's avatar
rodquin_211279
Icon for Nimbostratus rankNimbostratus
Jul 14, 2015

Logging traffic from span port

Hello,

 

I'm trying to log traffic coming from a SPAN port. The traffic is arriving properly to the F5 (if I do a tcpdump in the interface, I can see the traffic) but for some reason the F5 is not logging the traffic. Is there a special way to configure the F5 (BIG-IP)? I've searched in the documentation but I haven't found any kind of answer. Notice that I don't want the F5 to be a load balancer, I just want to it to alert in case of web attack. I've created a new profile of logging which logs all the traffic.

 

Can anyonw help me on this? I've tried different configs but no luck.

 

Thank you very much.

 

Regards.

 

deployment
log
mirror
span
traffic

4 Replies

    • rodquin_211279's avatar
      rodquin_211279
      Icon for Nimbostratus rankNimbostratus
      Jul 14, 2015
      Hello Steigman, First of all thank you very much for your quick response. :) What I want to do is the opposite thing, I mean, I want the F5 to act like an IDS. The F5 is receiving traffic from a SPAN port and I just want to generate an alert if it detects a web attack. Thank you very much. Regards.
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jul 14, 2015

    A bit confusing. An F5 BIG-IP is not an IDS, it's a proxy. ASM (the F5 web application firewall) does detect and alert/block web attacks, but it generally does so in a proxy configuration - where application traffic flows through the proxy to the web servers.