F5 BIG-IP Automatic email notification for system live update (ASM/AWAF signature)
Recently had some request from Security team asking an email to be sent from the F5 BIG-IP when it installs an live update such as ASM signature updates via the automatic schedule. upon looking at KBs it doesn't seem to be a natively embedded function for now. So my idea is to trace system log for signature updates, and generate an SNMP message to trigger email notification. Most syslogs and updates could be found from /log/var/ directory while as some event based log such as Signature updates are located in a different place. https://support.f5.com/csp/article/K82512024 The system live update info is located in /var/log/tomcat/liveupdate.log So the thinking is once the system generate a log after the signature Update, you could try to grab log info and use a unique key word to identify completion of update, and use the key word a customised OID to trigger SNMP trap for system notification. Once you schedule or completed an installation: You should be able to see the log generated with following info: cat /var/log/tomcat/liveupdate.log | grep modifiedEntitiesCount XXXX… {"link":"https://localhost/mgmt/tm/asm/signatures/y5tmU8gG6VdfPFaVbRSPLg","name":"Java code injection - java.util.concurrent.ScheduledThreadPoolExecutor"},{"link":"https://localhost/mgmt/tm/asm/signatures/7KeqKA8hHqv2cfJBXRMz9Q","name":"Java code injection - oracle.jms.AQjmsQueueConnectionFactory"},{"link":"https://localhost/mgmt/tm/asm/signatures/-NXlVMOujg3EvdVKd7PVQA","name":"btoa() (URI)"},{"link":"https://localhost/mgmt/tm/asm/signatures/sqa3ct3N1gOjMZLc3KiNsw","name":"SQL-INJ \"UNION SELECT\" (3) (URI)"},{"link":"https://localhost/mgmt/tm/asm/signatures/J4R4I5KgY8akJtm3TOc55w","name":"\"/etc/php4/apache2/php.ini\" access (Parameter)"},{"link":"https://localhost/mgmt/tm/asm/signatures/S2IcFP11pOpAHjFOSBIi3Q","name":"\"mail\" execution attempt (2) (Header)"},{"link":"https://localhost/mgmt/tm/asm/signatures/HUqMOwJ9SHU6mJF0y3HjBg","name":"SQL-INJ convert(db_name) (Header)"}],"modifiedEntitiesCount":1599} The word: modifiedEntitiesCount seemed to only poppulate upon a installation of signature update completion. so we could use the log key world modifiedEntitiesCount to customise a System OID associate with email alerts https://support.f5.com/csp/article/K3727 add something like the following in to/config/user_alert.conf: alert ASM_update_STATUS " modifiedEntitiesCount(.*)" { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.xxx" } and create an email alert with SNMP Trap https://support.f5.com/csp/article/K3667 alert BIGIP_SIG_UPDATE_COMPLETE { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.XXX"; email toaddress="demo@askf5.com" fromaddress="root" body="The Signature has been updated!" } This tricks could also apply to any event based notification you 'd like to sent using keyword from log files. https://support.f5.com/csp/article/K16197 If you would like to put some feed from BIG-IP notification instead of using you log server to filter some tailored events, I hope this could be helpful. Any comments for improvement or correction would be highly appreciated
Problems connecting to vpn after upgrading to ubuntu 24.04
good afternoon, I have upgraded ubuntu to 24.04 and since then I can no longer connect correctly to the vpn with the f5 client. In the client it appears that I am connected to the vpn, but then I do not reach any of the sites and servers that with the 22.04 version if it arrived. Can you help me.Integration of Azure Sentinel and F5 BIG-IP using TS and AS3
This user guide is all about the configuration and deployment of Telemetry Streaming and Application Service 3 (AS3) on F5 BIG-IP to fetch logs on Azure Sentinel as its consumer. This guide is heavily based on the work performed by Greg_Coward and one can view on here. The purpose of this guide is to document a little more elaborated guide for both learning and deployment aspects and also address the possible issues that could be faced during the process of deployment. Note: More detailed steps along with configuration images can be found on : https://nishalrai.com.np/2023/06/19/integration-of-azure-sentinel-and-f5-big-ip-using-ts-and-as3/ One can leverage the usage of Azure Sentinel to collect and display the data using the Telemetry streaming extension on the F5 BIG-IP device. Azure Sentinel is able to collect the logs from the F5 BIG-IP via Telemetry Streaming regardless of its deployed location – F5 BIG-IP does not need to be on Azure to fetch those logs. A little background about the F5 BIG-IP Application Services 3 and Telemetry Streaming. BIG-IP AS3, the F5 BIG-IP Application Services 3 is an extension that uses a declarative model – JSON declaration instead of a set of imperative commands to create resources on a BIG-IP system. The system’s API endpoint – (https://<BIG-IP>/mgmt/shared/appsvcs/declare) Telemetry streaming (TS) is an iControl LX extension delivered as a TMOS-independent RPM file with the ability to declaratively aggregate, normalize and forward statistics and events from the BIG-IP to a consumer application by posting a single TS JSON declaration to TS’s declarative REST API endpoint. The Telemetry Streaming’s API endpoint – (https://<BIG-IP>>/mgmt/shared/telemetry/declare) Setup of TS and AS3 on F5 BIG-IP to integrate with Azure Sentinel The whole configuration is summarized in the following points: Verify the required modules are enabled Install the TS and AS3 extension on the F5 BIG-IP device Create the required configuration object on F5 BIG-IP Configure the Data connector of Azure with F5 BIG-IP device Verify all the required data types are available on Azure Sentinel The configuration involves both TS and AS3 extensions for different purposes – TS for establishing a connection with Azure Sentinel Data connector and AS3 for creating configuration object in the F5 BIG-IP like Virtual Server, Request Logging profile, log profile, iRule, and others. On the F5 BIG-IP device, the required modules to be enabled are ASM, AVR and iRulesLX. NOTE: The version on which the configuration is carried out is F5 BIG-IP v16.3.3 and v17.0.1 Install the TS and AS3 extension on the F5 BIG-IP device You need to download TS and AS3 extension and upload on your F5 BIG-IP device. Download link of Telemetry Streaming: https://github.com/F5Networks/f5-appsvcs-extension/releases Download link of Application Streaming 3 extension: https://github.com/F5Networks/f5-telemetry-streaming/releases To upload on F5 BIG-IP device: Go to Main Dashboard > iApps > Package Management LX Click on Import and select the file f5-appsvcs v3.45.0 and f5-telemetry v1.33.0 is being used (the latest version available). Create the required configuration object on F5 BIG-IP AS3 and TS extension is used to configure F5 BIG-IP with the necessary resources with a single JSON declaration. In this configuration, Postman is used to configure event listeners for the various deployed modules. The JSON declaration to configure to the following configuration object – Virtual Server, Pool, Node, iRule, Request Logging and Request log. { "class": "ADC", "schemaVersion": "3.45.0", "remark": "Example depicting creation of BIG-IP module log profiles", "Common": { "class": "Tenant", "Shared": { "class": "Application", "template": "shared", "telemetry_local_rule": { "remark": "Only required when TS is a local listener", "class": "iRule", "iRule": "when CLIENT_ACCEPTED {\n node 127.0.0.1 6514\n}" }, "telemetry_local": { "remark": "Only required when TS is a local listener", "class": "Service_TCP", "virtualAddresses": [ "255.255.255.254" ], "virtualPort": 6514, "iRules": [ "telemetry_local_rule" ] }, "telemetry": { "class": "Pool", "members": [{ "enable": true, "serverAddresses": [ "255.255.255.254" ], "servicePort": 6514 }], "monitors": [{ "bigip": "/Common/tcp" }] }, "telemetry_hsl": { "class": "Log_Destination", "type": "remote-high-speed-log", "protocol": "tcp", "pool": { "use": "telemetry" } }, "telemetry_formatted": { "class": "Log_Destination", "type": "splunk", "forwardTo": { "use": "telemetry_hsl" } }, "telemetry_publisher": { "class": "Log_Publisher", "destinations": [{ "use": "telemetry_formatted" }] }, "telemetry_traffic_log_profile": { "class": "Traffic_Log_Profile", "requestSettings": { "requestEnabled": true, "requestProtocol": "mds-tcp", "requestPool": { "use": "telemetry" }, "requestTemplate": "event_source=\"request_logging\",hostname=\"$BIGIP_HOSTNAME\",client_ip=\"$CLIENT_IP\",server_ip=\"$SERVER_IP\",http_method=\"$HTTP_METHOD\",http_uri=\"$HTTP_URI\",virtual_name=\"$VIRTUAL_NAME\",event_timestamp=\"$DATE_HTTP\"" }, "responseSettings": { "responseEnabled": true, "responseProtocol": "mds-tcp", "responsePool": { "use": "telemetry" }, "responseTemplate": "event_source=\"response_logging\",hostname=\"$BIGIP_HOSTNAME\",client_ip=\"$CLIENT_IP\",server_ip=\"$SERVER_IP\",http_method=\"$HTTP_METHOD\",http_uri=\"$HTTP_URI\",virtual_name=\"$VIRTUAL_NAME\",event_timestamp=\"$DATE_HTTP\",http_statcode=\"$HTTP_STATCODE\",http_status=\"$HTTP_STATUS\",response_ms=\"$RESPONSE_MSECS\"" } }, "telemetry_asm_security_log_profile": { "class": "Security_Log_Profile", "application": { "localStorage": false, "remoteStorage": "splunk", "servers": [{ "address": "255.255.255.254", "port": "6514" }], "storageFilter": { "requestType": "all" } } } } } } Tips to mitigate configuration issues Use the visual studio code and add JSON formatter extension to format the JSON code and avoid any indentation error on the code. On the JSON declaration, be careful with the schemaVersion, the version should match with the install The F5 Application Streaming v3 extension, in my case it’s 3.45.0 Launch the postman, enter the API endpoint: https://<BIG-IP>/mgmt/shared/appsvcs/declare Output of the successful deployment: Verify whether the object has been created on F5 BIG-IP Browse to the F5 BIG-IP dashboard and verify whether all the required objects has been created or not. Once all the object has been created, you need to execute the following command on the F5 BIG-IP CLI. This seems to be a bug on the TS listener with the F5 BIG-IP device. The issue was caused by a new db key which by default prohibits loopback addresses in irules. If you have configured a local listener, with an irule such as “when CLIENT_ACCEPTED {\n node 127.0.0.1 6514\n}” Then you need to run the following tmsh command. tmsh modify sys db tmm.tcl.rule.node.allow_loopback_addresses value true For more info: https://github.com/F5Networks/f5-telemetry-streaming/issues/238 Configure the Data connector of Azure Sentinel with F5 BIG-IP device Once all the above configuration has been completed, it’s time to integrate F5 BIG-IP device with Azure Sentinel. Telemetry Streaming extension will be used to establish the connection between the F5 BIG-IP device and data connector of Azure sentinel. The JSON declaration used to establish the connection between the Azure Sentinel – Data Connector and F5 BIG-IP device. { "class": "Telemetry", "controls": { "class": "Controls", "logLevel": "info", "debug": true }, "My_System": { "class": "Telemetry_System", "trace": "/var/tmp/telemetry_trace.log", "systemPoller": { "interval": 60 } }, "My_Listener": { "class": "Telemetry_Listener", "port": 6514 }, "My_Consumer": { "class": "Telemetry_Consumer", "type": "Azure_Log_Analytics", "workspaceId": "<workspace-id>", "passphrase": { "cipherText": "<cipher-text>" }, "useManagedIdentity": false, "region": "<region>" } } You can find the required credentials of the Azure Sentinel on the workspace of the F5 BIG-IP connector page. Once you’ve got all the required credentials then you can carry out the configuration. I will be using Postman to declare the configuration in JSON format on system’s endpoint: https://<BIG-IP>>/mgmt/shared/telemetry/declare then you will get something like this as an output on the successful deployment: Verify all the required data types are available on Azure Sentinel After all the configuration has been completed, you need to login into the Azure Portal. Browse to the Microsoft Sentinel then select the workspace. Search for F5 BIG-IP and open the connector page then you can see the data type available. On the Workspace of the Azure Sentinel, you can browse to the Workbook – F5 BIG-IP ASM, where all the collected logs of ASM (only Application Security logs) are visualized. This is the visualization of the ASM logs on the Azure Sentinel.CPU high load during specific time periods
In our Big IP ASM, the server CPU is operating at high load during specific time periods. I have checked and confirmed that cron jobs are running at different times. Even though the traffic is not high, this issue still occurs. What could be the cause of this?
AppDynamics Javascript Injection iRule for monitoring
Herewith iRule for AppDynamics Javascript Injection iRule In this iRule /title has been replaced and javascript has been injected ======================================== when HTTP_REQUEST { if {[HTTP::uri] starts_with "/"}{ set enableEum 1 HTTP::header remove "Accept-Encoding" } # Disable the stream filter for client requests as we are only interested in the server response STREAM::disable } when HTTP_RESPONSE { STREAM::disable if {($enableEum == 1) && ([HTTP::header "Content-Type"] starts_with "text/html")}{ STREAM::expression "@</title>@</title><script>window\[\'adrum-start-time\'\] = new Date().getTime();(function(config)\{config.appKey = \'EEE-EEE-EEE\';config.adrumExtUrlHttp = \'http://cdn.appdynamics.com\';config.adrumExtUrlHttps = \'https://cdn.appdynamics.com\';config.beaconUrlHttp = \'http://col-eum-abcd.com\';config.beaconUrlHttps = \'https://col-eum-abcd.com\';config.xd = \{enable : false\};\})(window\[\'adrum-config\'\] || (window\[\'adrum-config\'\] = \{\}));</script><script type=\'text/javascript\' src=\'//cdn.appdynamics.com/adrum/adrum-latest.js\'></script>@" STREAM::enable } } ============================ Stream profile also required for this. This iRule has been tested and working successfully Regards
Response page additional information from triggered violation
Hi, Please help, We need for our dev tem provide a response page with some information like it is from (Gui - Triggered Violations details, once you click occurrensec arrow to see table details) So for exampl. Dev is testing new webapp and has been blocked, he see support id on respond page and we would like to give them details from triggered violations like: Detected keyword, attack signature, context, parameter level, actual parameter name, wildcard parameter and so on. It is test env so we can provide them this information. Is any chance to do that using iRule or other way? Thanks for providing any example for iRule or any link for parrameters needed to be add in iRule We cannot give dev team any Monitor access from gui, best regards
