Forum Discussion

muntae_kim
Oct 11, 2022

F5 BIG-IP HSL configuration questions


Hello, I am MunTae.

I am writing because I have a question regarding the HSL log settings.

(F5 BIG-IP Version 14.1)

<Question>
1. How do I send HSL debug logs to a remote log server that is more than one network hop away?
(It is not possible to set up a self IP because the server is on a network more than one hop away.)

[Additional explanation]
- For HSL-style debug log transmission, I checked the HSL iRule settings in advance and confirmed that the logs are generated on the local network.
(example iRule)
if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Bypass-Host"}

- The syslog pool is set up with the remote log server that is reached through the TMM interface across a network of more than one hop, but a self IP cannot be configured because that network is more than one hop away.

- It was confirmed that the default send string reaches the remote log server every 5 seconds, but the debug log that should actually be sent does not arrive.


2. Previously, it was not possible to tell which entry in the Bypass-Host DataGroup caused the debug log. I am asking how to add a parameter so that the [matching Bypass-Host policy] can be output in the debug log.

[Before iRules]
example) if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Bypass-Host" }
[After iRules]
example) if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] [How to Matching Bypass-Host Domain] $tls_servername --Bypass-Host"}


If there is something you do not understand, please leave a reply.

5 Replies

  • Hi muntae_kim, good to see you again. JRahm is out for the day, but may be able to take a look tomorrow if nobody else from the community has been able to answer.


  • Hi muntae_kim, happy to weigh in!

    I'm not totally sure what you're asking here. Some comments/questions:

    • What does your HSL::open look like?
    • HSL and BIG-IP do not care if the destination IP is locally significant or n-number of hops away. If BIG-IP has a route for it, it'll work.
    • On your #2 concern, I have no context with which to assess the issue. If you can state the overall goals, I can help propose a solution that will work.


  • Thank you for the answer; I will answer your questions.


    1. What does your HSL::open look like?
    - I created the <syslog_server_pool> pool for the remote log server and saved the generated debug log in syslog format.

    <customer iRules summary> : **Don't worry about grammar, it's a summary for better understanding**
    ...
    #1.
    set hsl [HSL::open -proto UDP -pool syslog_server_pool]
    set DEBUG 1
    ...
    #2.
    if { [class match $tls_servername contains Bypass-Host] } {
        if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Bypass-Host" }
    ...
    #3.
    } elseif { ... } {
        if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Bypass_Category" }
    }
    ...
    #4.
    when CLIENTSSL_HANDSHAKE {
        if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Decryption" }
    }



    2. HSL and BIG-IP do not care if the destination IP is locally significant or n-number of hops away. If BIG-IP has a route for it, it'll work.
    - But, as mentioned in the first task, I set <syslog_server_pool> to a syslog server IP on a network more than one hop away (not mgmt) to send the debug logs, and only the <default send string>, which is the health check log, arrives; the actual debug log is not saved.
    (In this case, because the syslog server is reached through a network of multiple hops, no self IP is set on the F5.)
    (No debug log packets appeared in a tcpdump of all interfaces either.)

    - As a second task, I set the syslog server IP to an IP directly connected to an F5 interface, set <syslog_server_pool>, set a self IP, and confirmed that the debug log is saved normally. From this, I concluded that the debug log using HSL can only be saved on a local network where a self IP can be used.
    So I think that when HSL is used with the syslog_server_pool method, it cannot be delivered across a network more than one hop away.
    (Please exclude the method of using the global syslog setting in the GUI.)


    3. On your #2 concern, I have no context with which to assess the issue. If you can state the overall goals, I can help propose a solution that will work.

    <goal>
    1. During SSL encryption/decryption, if the conditions are met, the following debug log is sent: Solved
    if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Bypass-Host"}

    if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Bypass_Category"}

    if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Decryption"}

    <Actual log during decryption>
    May 14 02:33:12 SSL_01.com info tmm17[25022]: Rule /Common/SSL_Forward_Bypass_Rule_real <CLIENTSSL_HANDSHAKE>: 10.237.12.87:55575 -> 203.133.167.14:443 shop-redapi.daum.net --Decryption

    <Actual log at Host Bypass>
    May 14 02:13:08 SSL_01.com info tmm4[25022]: Rule /Common/SSL_Forward_Bypass_Rule <CLIENT_DATA>: 10.237.12.87:56129 -> 172.217.175.228:443 www.google.com --Bypass-Host

    <Actual log when Host Category match>
    May 13 16:00:00 SSL_01.com info tmm12[25022]: Rule /Common/SSL_Forward_Bypass_Rule <CLIENT_DATA>: 10.237.12.87:64787 -> 39.115.2.214:443 game.daum.net --Bypass_Category


    2. If the Bypass-Host condition is met, check which Bypass-Host policy generated the debug log
    <iRules for Before Host-Bypass>: It is unknown which policy was matched to Bypass-Host
    if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Bypass-Host" }

    <Actual log during Before Host-Bypass>
    May 14 02:13:08 SSL_01.com info tmm4[25022]: Rule /Common/SSL_Forward_Bypass_Rule <CLIENT_DATA>: 10.237.12.87:56129 -> 172.217.175.228:443 www.google.com --Bypass-Host

    <Requires iRules guide for After Host-Bypass>: I want to know what policy was matched to Bypass-Host
    if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] [?????] $tls_servername --Bypass-Host" }

    <Desired log after Host-Bypass>
    May 14 02:13:08 SSL_01.com info tmm4[25022]: Rule /Common/SSL_Forward_Bypass_Rule <CLIENT_DATA>: 10.237.12.87:56129 -> 172.217.175.228:443 *.google.com www.google.com --Bypass-Host


    <Example of Customer Bypass-Host Policy>
    *.google.com
    *.office365.com
    *.microsoft.com
    naver.com
    ...
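The log line the reply above asks for, with the matched data-group entry included, as an added example. This is not the customer's iRule and not F5 code; it fills in the summarized rule using `class match -name`, which returns the matching key instead of 1/0. Assumed names: pool syslog_server_pool, string data groups Bypass-Host and Bypass-Category whose keys are domain suffixes written without the leading `*` (for example `.google.com`), and the host name taken from the SNI extension in CLIENTSSL_CLIENTHELLO rather than parsed from TCP payload in CLIENT_DATA.

```tcl
# Added example (not the customer's rule, not F5 code): the summarized SSL
# bypass iRule filled in so that the Bypass-Host log line names the
# data-group entry that matched. Assumed names: pool "syslog_server_pool",
# string data groups "Bypass-Host" and "Bypass-Category" with suffix keys
# such as ".google.com"; $tls_servername is taken from the SNI extension.
when CLIENT_ACCEPTED {
    # One HSL handle per connection. The pool member only has to be
    # reachable through the BIG-IP routing table; a static route covers a
    # destination several hops away, no self IP on that network is needed.
    set hsl [HSL::open -proto UDP -pool syslog_server_pool]
    set DEBUG 1
    set tls_servername ""
    set conn "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
}

when CLIENTSSL_CLIENTHELLO {
    # SNI is extension type 0; the first 9 bytes are the extension header
    # and the server-name-list header, the host name follows.
    if { [SSL::extensions exists -type 0] } {
        binary scan [SSL::extensions -type 0] @9A* tls_servername
        set tls_servername [string tolower $tls_servername]
    }
    if { $tls_servername eq "" } {
        # No SNI: nothing to match against, the handshake is decrypted as usual.
        return
    }

    # "class match -name" returns the matching key (empty string when nothing
    # matches) instead of 1/0, so the key itself goes into the log line.
    # ends_with on ".google.com" matches www.google.com but not evilgoogle.com.
    set matched [class match -name $tls_servername ends_with Bypass-Host]
    if { $matched ne "" } {
        if { $DEBUG } { HSL::send $hsl "$conn $matched $tls_servername --Bypass-Host" }
        # the customer's bypass action for this host goes here
        return
    }

    set matched [class match -name $tls_servername ends_with Bypass-Category]
    if { $matched ne "" } {
        if { $DEBUG } { HSL::send $hsl "$conn $matched $tls_servername --Bypass_Category" }
        # the customer's category bypass action goes here
        return
    }
}

when CLIENTSSL_HANDSHAKE {
    # Reached only for connections that were not bypassed above.
    if { $DEBUG } { HSL::send $hsl "$conn $tls_servername --Decryption" }
}
```

With a key `.google.com` the Bypass-Host line for www.google.com reads `... .google.com www.google.com --Bypass-Host`; a bare `google.com` would need its own key, since `class match` compares the stored key literally and does not expand `*`. The same rule works for a syslog server several hops away as long as TMM has a route to the pool member, for example a static route such as `tmsh create net route to_syslog network 192.0.2.0/24 gw 198.51.100.1` (constructed addresses); `tcpdump -ni 0.0 udp port 514` on the BIG-IP then shows whether the HSL datagrams leave at all.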

    • JRahm (Admin)

      There might be a problem with setup, but there is no problem with HSL sending logs to an IP destination through a distant L3 network. If BIG-IP has a route to that pool member's destination the traffic will be sent. So there might be an issue with your routes, or, it just might be that your conditions for sending the logs are not being met in your iRule.

      Stripping out the other requirements, you can make HSL work first, and then add the conditions with which you want it to work. Here are the very basic steps for HSL:


      when CLIENT_ACCEPTED {
        set hsl [HSL::open -proto UDP -pool my_syslog_pool]
      }
      when LB_SELECTED {
        HSL::send $hsl "log message you want to send"
      }

      Another option is to actually define the log publishers and open HSL against a publisher instead of a pool as I show in this article.

      Once you get that working reliably in your infrastructure, then I'd recommend adding your conditions and make sure they are matching. Could be case insensitivity issues, could be a logic error somewhere in there. Without seeing the sanitized iRule in its entirety and not fully grokking your goals, nothing jumps out at me on what you provided.


  • Thank you for the answer.

    1. There is no routing setting on the customer's equipment; it is set to unconditionally pass packets to the next firewall device in the <Firewall-Pool> that was created.
    As instructed, I will add a route for the syslog server and test it.


    2. The modification of the iRule policy so that the debug log is output when the bypass-host policy matches is not related to the routing problem, so please review whether it can be implemented.

    In addition, please note that the iRules file currently applied at the customer has been provided.