Disable Firewall Event Logging for Traffic on a Forwarding Virtual Server.

Gym
Cirrus

I have a Forwarding (IP) virtual server, with SNAT Automap. Allowed sources is set to 172.16.0.0/16, and destination is 10.0.0.0/8. The Big-IP has AFM enabled (default deny), with a global policy, but no security policy on this virtual server.

In spite of that, the event logs (Security -> Event Logs -> Network -> Firewall) show many entries for traffic forwarding through this VS. The context is shown as "Virtual Server" and the "Policy Type" and "Policy Name" fields are empty. The majority of these entries are for clients hitting a particular server and port, which I specifically don't want to log, due to the volume.

Problem is, I can't find what setting is actually causing them to be logged in the first place. Can anyone shed light on this?

I already have a global-policy rule that allows 172.16.0.0/16 to that server and port without logging, but this doesn't stop the log entries in the virtual server context.

I temporarily added a security policy to the VS, with a similar rule to the one in the global policy, but that also failed to stop these entries appearing.

The virtual server has the default fastL4 profile, and no logging parameters that I can see.

Other modules enabled: LTM, GTM, ASM, APM.

3 REPLIES

Richard_Karon
F5 Employee

Firewall logging is normally configured on a virtual server under:

Local Traffic  ››  Virtual Servers : Virtual Server List  ››  <virtual server>

Select the Security tab and look under Log Profile for any profiles configured.

Then go to

Security  ››  Event Logs : Logging Profiles

and click on the matching profile. The logging configuration is under the Network Firewall Enabled checkbox tab.

Individual decisions on logging can be made for each created rule.

Security  ››  Network Firewall : Policies  ››  <rulename>

See the Logging state there.

Gym
Cirrus

Thanks Richard, but as I said:

"I already have a global-policy rule that allows 172.16.0.0/16 to that server and port without logging, but this doesn't stop the log entries in the virtual server context."

"I temporarily added a security policy to the VS, with a similar rule to the one in the global policy, but that also failed to stop these entries appearing."

IRONMAN
Cirrostratus

Hi James,

Your firewall rule action should be Accept Decisively. If it is Accept only, it will go on to the virtual server.