Visibility is Not Enough
A critical component to any mission-critical application infrastructure (Network and Security) is visibility. To effectively manage and protect an application, one must have granular visibility into performance and security events/metrics. However, visibility is not as effective, on its own, without the ability to take action to mitigate risks and improve operational efficiency, preferably automatically.
Introducing BlockAPT
In this edition of the “Partner Solution Showcase” we introduce one of our technology alliance partners, BlockAPT. BlockAPT helps organizations to securely connect, monitor and manage their entire digital ecosystem from a single pane of glass, which enables them to audit, orchestrate, and automate IT security and operations centrally. The BlockAPT platform comprises three modular products that can be deployed independently or in combination. These products are:
Command - Centralized incidents and events database, customizable and automatable alerting, reporting and dashboards
Control - Centralized management and administration of the digital ecosystem from a single pane of glass to enable centralized orchestration and automation of tasks for SecOps, NetOps and CloudOps
Connect - Securing data-at-rest and data-in-motion using FIPS 140-3 certified MTE technology for post-quantum secure connectivity
Solution Overview
The remainder of this article illustrates how BlockAPT can be used to collect, monitor, and process logs & events from F5 BIG-IP LTM and Advanced WAF. By combining security and networking data organizations can start their journey towards achieving unified visibility, which is a key component if they want to embrace automation.
Prerequisites
- F5 BIG-IP LTM (Version:12 or later): Virtual Edition (VE) was utilized for this article. However, both hardware and virtual edition platforms can be utilized.
- F5 BIG-IP Advanced WAF (formerly ASM) (Version:12 or later): Virtual Edition (VE) was utilized for this article. However, both hardware and virtual edition platforms can be utilized.
- BlockAPT Command (Version 4.1.0 or later): BlockAPT software
- Internet Connectivity
Step 1: Deploy and configure F5 BIG-IP LTM and Advanced WAF
- Follow F5 Networks’ documentation to deploy F5 BIG-IP LTM and Advanced WAF on your preferred infrastructure (in the cloud or on-premises)
- License and active F5 BIG-IP LTM and Advanced WAF
- Ensure that the BIG-IP logs & events can be sent to the BlockAPT Platform via standard BIG-IP syslog or logging profiles
- Ensure that there is connectivity between the BIG-IP and the BlockAPT platform utilizing the port selected for the syslog and/or logging profile
Step 2: Deploy and configure BlockAPT Platform (Command)
- Follow BlockAPT’s documentation to deploy BlockAPT Platform - Command on your preferred infrastructure (in the cloud or on-premises)
- License and activate BlockAPT Platform - Command
- Log into the platform
- Go to Global Settings > Logger > Log Listener
- Review the list to ensure your F5 devices are showing that the raw logs are being received. If not, ensure the network connectivity is confirmed and that F5 devices are sending data to the correct port (data is sent from BIG-IP LTM and Advanced WAF to the BlockAPT Platform).
Step 3: Customize your BlockAPT Platform - Command Dashboard
- Go to Global Settings > Dashboard Settings > Custom Dashboard
- For data source choose: Logger
- For device type select: F5 LTM
- Select the desired widgets
- Click Submit
- Go to Global Settings > Dashboard Settings > Custom Dashboard
- For data source choose: Logger
- For device type select: F5 Advanced WAF
- Select the desired widgets
- Click Submit
- You will now be able to see all the widgets you had selected, in one place; the custom dashboard. You can reach the custom dashboard by:
- Clicking the BlockAPT logo on the top left-hand side of the screen
- By going to Global Settings > Dashboard settings > Custom Dashboard.
- By going to Dashboard > Custom Dashboard
Step 4: Create Custom Reports on BlockAPT Platform - Command
- Task Management > Create Task
- Choose a name for this task
- Choose Type: Custom Reports
- Choose Action: Devices or Logger
- Choose Device Type: F5 (from the drop-down menu)
- Fill in the rest of the form in accordance with your preferences
- Select Assignee(s)
- Click Submit
- Go to Task Management > Tasks
- Select and view the task created
- Click Approve. You will now be able to access the report in the Custom Reports section of the GUI. An incident management ticket referencing the report creation will be generated automatically.
Step 5: Alerts
- Under Incident Management > search for the relevant tickets to view the alerts
- Change the tickets accordingly (i.e., priority, assignment, etc.)
Conclusion
BlockAPT Platform - Command enables customers to unify visibility into a single pane of glass WebUI. To maximize on the benefits of the BlockAPT Platform we recommend using BlockAPT Platform - Control to activate the automation and orchestration of actions following detected alerts or thresholds. This can be done using automated Workflows / Playbooks. Actions can also be manual or semi-automated.