Office Hours - Let's do some home lab stuff!
The week between Christmas and New Year's here in the US is often a little slow. Ok, a lot slow. I always like to work this week because it allows me to clean my "work" house: trying to salvage my inbox, organizing files, shredding docs. It also affords me some time to plan and strategize for the new year, and to work on some projects that are hard to fit in during normal weeks. One of those projects will be to give my home lab some much-needed attention. If you are in the same boat and just need a dedicated block of time, why don't you join me and we can do a community dojo office hours and chat while we make progress on our labs, and share what we're struggling with, what we're excited about, and just enjoy a little community time? Come late and/or leave early; just come!

Details
Date: Dec 28th, 2023
Time: 9am - 12pm PST
Link: https://f5networks.zoom.us/j/9056331793?pwd=S3pKRUc4NWwvSUpaQXBaZms0VENSQT09

Meet the F5 team at Cisco Live in Las Vegas – Why It Matters
I’m happy to extend a personal invitation to join us at Cisco Live this year in person. CLUS will be held in Las Vegas and promises to continue bringing education and inspiration to those that attend, via the breakout sessions and insights that this event is famous for. F5 is proud to return as a sponsor. We’ll be sharing our latest joint solutions, development initiatives and current useful best practices, including examples of some of the most used solution documentation on Cisco.com developed through our partnership.

This event affords us the chance to speak with technology innovators about exactly what makes our Cisco collaboration so valued by our joint customers. Furthermore, it provides those customers and innovators the opportunity to have a hand in shaping the course of our partnership and integration development.

Our customers are embarking on digital transformation that elevates technology from a supporting role to one at the heart of their businesses. Application strategy is becoming paramount and at F5 our mission is to support our customers and help them smoothly navigate and accelerate this transition. Our strategy recognizes the importance of partners that can help us deliver integrated offerings for modern (and evolving) application environments, and for more than 7 years Cisco has consistently demonstrated that they are exactly that.

At Cisco Live, you can check out new releases, like version 10 of the F5 ACI ServiceCenter app (or F5 APM and Duo), the expanded scope of our work, and updates on what we’re planning and thinking about developing next. Don’t miss out on what seems to be two years’ worth of news and please plan time in your schedule to visit us at Booth #940 in the Mandalay Bay Events Center. We’re excited to share our deep expertise via use case demos delivering valuable business outcomes in security, application deployment (including our NEW F5 dCloud labs), operations/troubleshooting, orchestration, and automation.
We’d welcome the chance to talk about your needs and challenges and how our partnership with Cisco can help solve them. Just stop by or Schedule a Meeting. Discover, firsthand, what F5’s collaboration with Cisco has to offer.

MemeLief Contest
I'm not sure where this will go but there is just too much material here to let the opportunity pass by. Yesterday my family and I went to our local state fair and one of the splurges my youngest and I indulged in was a ride called the slingshot (you've seen this on YouTube). It was great. I ordered the video and only after we finished the adrenaline rush and were watching the video did I realize I was wearing an OG DevCentral t-shirt. So, NOW we have an opportunity; and I offer myself as tribute in a MemeLief contest. Maybe if there are enough good memes I'll release the video. Cheers!

BIG-IQ backup failure
If you happen to get an error message like this from a BIG-IQ backup, look for an orphaned ucs file in /var/tmp. Once the orphaned ucs file is removed the backup should complete successfully. The message itself is true, that directory does not exist (on my BIG-IPs or BIG-IQ anyway), but seems to have nothing to do with the cause of the error.

Error occurred during backup/restore operation on 00.00.00.00: /mgmt/tm/shared/sys/backup not found

F5 BIG-IP Automatic email notification for system live update (ASM/AWAF signature)
Recently had some request from Security team asking for an email to be sent from the F5 BIG-IP when it installs a live update such as ASM signature updates via the automatic schedule. Upon looking at KBs it doesn't seem to be a natively embedded function for now.

So my idea is to trace system log for signature updates, and generate an SNMP message to trigger email notification.

Most syslogs and updates could be found from /log/var/ directory, while some event-based logs such as Signature updates are located in a different place.
https://support.f5.com/csp/article/K82512024

The system live update info is located in /var/log/tomcat/liveupdate.log

So the thinking is: once the system generates a log after the signature update, you could try to grab log info and use a unique keyword to identify completion of the update, and use the keyword with a customised OID to trigger an SNMP trap for system notification.

Once you schedule or have completed an installation, you should be able to see the log generated with the following info:

cat /var/log/tomcat/liveupdate.log | grep modifiedEntitiesCount

XXXX… {"link":"https://localhost/mgmt/tm/asm/signatures/y5tmU8gG6VdfPFaVbRSPLg","name":"Java code injection - java.util.concurrent.ScheduledThreadPoolExecutor"},{"link":"https://localhost/mgmt/tm/asm/signatures/7KeqKA8hHqv2cfJBXRMz9Q","name":"Java code injection - oracle.jms.AQjmsQueueConnectionFactory"},{"link":"https://localhost/mgmt/tm/asm/signatures/-NXlVMOujg3EvdVKd7PVQA","name":"btoa() (URI)"},{"link":"https://localhost/mgmt/tm/asm/signatures/sqa3ct3N1gOjMZLc3KiNsw","name":"SQL-INJ \"UNION SELECT\" (3) (URI)"},{"link":"https://localhost/mgmt/tm/asm/signatures/J4R4I5KgY8akJtm3TOc55w","name":"\"/etc/php4/apache2/php.ini\" access (Parameter)"},{"link":"https://localhost/mgmt/tm/asm/signatures/S2IcFP11pOpAHjFOSBIi3Q","name":"\"mail\" execution attempt (2) (Header)"},{"link":"https://localhost/mgmt/tm/asm/signatures/HUqMOwJ9SHU6mJF0y3HjBg","name":"SQL-INJ convert(db_name) (Header)"}],"modifiedEntitiesCount":1599}

The word modifiedEntitiesCount seemed to only populate upon completion of a signature update installation, so we could use the log keyword modifiedEntitiesCount to customise a System OID associated with email alerts.
https://support.f5.com/csp/article/K3727

Add something like the following into /config/user_alert.conf:

alert ASM_update_STATUS " modifiedEntitiesCount(.*)" {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.xxx"
}

and create an email alert with SNMP Trap
https://support.f5.com/csp/article/K3667

alert BIGIP_SIG_UPDATE_COMPLETE {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.XXX";
   email toaddress="demo@askf5.com"
   fromaddress="root"
   body="The Signature has been updated!"
}

This trick could also apply to any event-based notification you'd like to send using a keyword from log files.
https://support.f5.com/csp/article/K16197

If you would like to put some feed from BIG-IP notification instead of using your log server to filter some tailored events, I hope this could be helpful.

Any comments for improvement or correction would be highly appreciated.

Problems connecting to vpn after upgrading to ubuntu 24.04
Good afternoon, I have upgraded Ubuntu to 24.04 and since then I can no longer connect correctly to the VPN with the F5 client. In the client it appears that I am connected to the VPN, but then I do not reach any of the sites and servers that I did reach with the 22.04 version. Can you help me?

Integration of Azure Sentinel and F5 BIG-IP using TS and AS3
This user guide is all about the configuration and deployment of Telemetry Streaming and Application Services 3 (AS3) on F5 BIG-IP to fetch logs on Azure Sentinel as its consumer. This guide is heavily based on the work performed by Greg_Coward, which one can view here. The purpose of this guide is to document a slightly more elaborate guide for both learning and deployment, and also to address the possible issues that could be faced during the process of deployment.

Note: More detailed steps along with configuration images can be found at: https://nishalrai.com.np/2023/06/19/integration-of-azure-sentinel-and-f5-big-ip-using-ts-and-as3/

One can leverage Azure Sentinel to collect and display the data using the Telemetry Streaming extension on the F5 BIG-IP device. Azure Sentinel is able to collect the logs from the F5 BIG-IP via Telemetry Streaming regardless of its deployed location – F5 BIG-IP does not need to be on Azure to fetch those logs.

A little background about the F5 BIG-IP Application Services 3 and Telemetry Streaming.

BIG-IP AS3, the F5 BIG-IP Application Services 3, is an extension that uses a declarative model – a JSON declaration instead of a set of imperative commands – to create resources on a BIG-IP system.
The system’s API endpoint – (https://<BIG-IP>/mgmt/shared/appsvcs/declare)

Telemetry Streaming (TS) is an iControl LX extension delivered as a TMOS-independent RPM file with the ability to declaratively aggregate, normalize and forward statistics and events from the BIG-IP to a consumer application by posting a single TS JSON declaration to TS’s declarative REST API endpoint.
The Telemetry Streaming’s API endpoint – (https://<BIG-IP>/mgmt/shared/telemetry/declare)

Setup of TS and AS3 on F5 BIG-IP to integrate with Azure Sentinel

The whole configuration is summarized in the following points:
1. Verify the required modules are enabled
2. Install the TS and AS3 extension on the F5 BIG-IP device
3. Create the required configuration object on F5 BIG-IP
4. Configure the Data connector of Azure with F5 BIG-IP device
5. Verify all the required data types are available on Azure Sentinel

The configuration involves both TS and AS3 extensions for different purposes – TS for establishing a connection with the Azure Sentinel Data connector and AS3 for creating configuration objects in the F5 BIG-IP like Virtual Server, Request Logging profile, log profile, iRule, and others.

On the F5 BIG-IP device, the required modules to be enabled are ASM, AVR and iRulesLX.

NOTE: The version on which the configuration is carried out is F5 BIG-IP v16.3.3 and v17.0.1

Install the TS and AS3 extension on the F5 BIG-IP device

You need to download the TS and AS3 extensions and upload them to your F5 BIG-IP device.
Download link of Telemetry Streaming: https://github.com/F5Networks/f5-appsvcs-extension/releases
Download link of Application Streaming 3 extension: https://github.com/F5Networks/f5-telemetry-streaming/releases

To upload on F5 BIG-IP device:
Go to Main Dashboard > iApps > Package Management LX
Click on Import and select the file

f5-appsvcs v3.45.0 and f5-telemetry v1.33.0 are being used (the latest versions available).

Create the required configuration object on F5 BIG-IP

The AS3 and TS extensions are used to configure F5 BIG-IP with the necessary resources with a single JSON declaration. In this configuration, Postman is used to configure event listeners for the various deployed modules.

The JSON declaration to configure the following configuration objects – Virtual Server, Pool, Node, iRule, Request Logging and Request log.
{
  "class": "ADC",
  "schemaVersion": "3.45.0",
  "remark": "Example depicting creation of BIG-IP module log profiles",
  "Common": {
    "class": "Tenant",
    "Shared": {
      "class": "Application",
      "template": "shared",
      "telemetry_local_rule": {
        "remark": "Only required when TS is a local listener",
        "class": "iRule",
        "iRule": "when CLIENT_ACCEPTED {\n node 127.0.0.1 6514\n}"
      },
      "telemetry_local": {
        "remark": "Only required when TS is a local listener",
        "class": "Service_TCP",
        "virtualAddresses": [ "255.255.255.254" ],
        "virtualPort": 6514,
        "iRules": [ "telemetry_local_rule" ]
      },
      "telemetry": {
        "class": "Pool",
        "members": [{
          "enable": true,
          "serverAddresses": [ "255.255.255.254" ],
          "servicePort": 6514
        }],
        "monitors": [{ "bigip": "/Common/tcp" }]
      },
      "telemetry_hsl": {
        "class": "Log_Destination",
        "type": "remote-high-speed-log",
        "protocol": "tcp",
        "pool": { "use": "telemetry" }
      },
      "telemetry_formatted": {
        "class": "Log_Destination",
        "type": "splunk",
        "forwardTo": { "use": "telemetry_hsl" }
      },
      "telemetry_publisher": {
        "class": "Log_Publisher",
        "destinations": [{ "use": "telemetry_formatted" }]
      },
      "telemetry_traffic_log_profile": {
        "class": "Traffic_Log_Profile",
        "requestSettings": {
          "requestEnabled": true,
          "requestProtocol": "mds-tcp",
          "requestPool": { "use": "telemetry" },
          "requestTemplate": "event_source=\"request_logging\",hostname=\"$BIGIP_HOSTNAME\",client_ip=\"$CLIENT_IP\",server_ip=\"$SERVER_IP\",http_method=\"$HTTP_METHOD\",http_uri=\"$HTTP_URI\",virtual_name=\"$VIRTUAL_NAME\",event_timestamp=\"$DATE_HTTP\""
        },
        "responseSettings": {
          "responseEnabled": true,
          "responseProtocol": "mds-tcp",
          "responsePool": { "use": "telemetry" },
          "responseTemplate": "event_source=\"response_logging\",hostname=\"$BIGIP_HOSTNAME\",client_ip=\"$CLIENT_IP\",server_ip=\"$SERVER_IP\",http_method=\"$HTTP_METHOD\",http_uri=\"$HTTP_URI\",virtual_name=\"$VIRTUAL_NAME\",event_timestamp=\"$DATE_HTTP\",http_statcode=\"$HTTP_STATCODE\",http_status=\"$HTTP_STATUS\",response_ms=\"$RESPONSE_MSECS\""
        }
      },
      "telemetry_asm_security_log_profile": {
        "class": "Security_Log_Profile",
        "application": {
          "localStorage": false,
          "remoteStorage": "splunk",
          "servers": [{ "address": "255.255.255.254", "port": "6514" }],
          "storageFilter": { "requestType": "all" }
        }
      }
    }
  }
}

Tips to mitigate configuration issues

Use Visual Studio Code and add a JSON formatter extension to format the JSON code and avoid any indentation errors in the code.
In the JSON declaration, be careful with the schemaVersion: the version should match the installed F5 Application Streaming v3 extension; in my case it’s 3.45.0.

Launch Postman and enter the API endpoint: https://<BIG-IP>/mgmt/shared/appsvcs/declare

[Screenshot: output of the successful deployment]

Verify whether the object has been created on F5 BIG-IP

Browse to the F5 BIG-IP dashboard and verify whether all the required objects have been created or not.

Once all the objects have been created, you need to execute the following command on the F5 BIG-IP CLI. This seems to be a bug on the TS listener with the F5 BIG-IP device. The issue was caused by a new db key which by default prohibits loopback addresses in iRules. If you have configured a local listener with an iRule such as “when CLIENT_ACCEPTED {\n node 127.0.0.1 6514\n}”, then you need to run the following tmsh command.

tmsh modify sys db tmm.tcl.rule.node.allow_loopback_addresses value true

For more info: https://github.com/F5Networks/f5-telemetry-streaming/issues/238

Configure the Data connector of Azure Sentinel with F5 BIG-IP device

Once all the above configuration has been completed, it’s time to integrate the F5 BIG-IP device with Azure Sentinel. The Telemetry Streaming extension will be used to establish the connection between the F5 BIG-IP device and the data connector of Azure Sentinel.

The JSON declaration used to establish the connection between the Azure Sentinel Data Connector and the F5 BIG-IP device:
{
  "class": "Telemetry",
  "controls": {
    "class": "Controls",
    "logLevel": "info",
    "debug": true
  },
  "My_System": {
    "class": "Telemetry_System",
    "trace": "/var/tmp/telemetry_trace.log",
    "systemPoller": { "interval": 60 }
  },
  "My_Listener": {
    "class": "Telemetry_Listener",
    "port": 6514
  },
  "My_Consumer": {
    "class": "Telemetry_Consumer",
    "type": "Azure_Log_Analytics",
    "workspaceId": "<workspace-id>",
    "passphrase": { "cipherText": "<cipher-text>" },
    "useManagedIdentity": false,
    "region": "<region>"
  }
}

You can find the required credentials of the Azure Sentinel on the workspace of the F5 BIG-IP connector page. Once you’ve got all the required credentials, you can carry out the configuration.

I will be using Postman to declare the configuration in JSON format on the system’s endpoint: https://<BIG-IP>/mgmt/shared/telemetry/declare

Then you will get something like this as an output on the successful deployment:

[Screenshot: output of the successful deployment]

Verify all the required data types are available on Azure Sentinel

After all the configuration has been completed, you need to log in to the Azure Portal. Browse to Microsoft Sentinel, then select the workspace. Search for F5 BIG-IP and open the connector page; then you can see the data types available.

On the Workspace of the Azure Sentinel, you can browse to the Workbook – F5 BIG-IP ASM, where all the collected logs of ASM (only Application Security logs) are visualized.

[Screenshot: visualization of the ASM logs on Azure Sentinel]
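
A pre-flight check for the two declarations in the guide above, added here as an example and not part of the original guide: it applies the guide's schemaVersion tip literally, confirms every "use" pointer names a declared object, checks that each port in the AS3 declaration has a matching Telemetry_Listener, and flags credential placeholders left unfilled. The `walk` and `preflight` helpers are hypothetical names, and the trimmed sample declarations are constructed from the ones shown in the guide.

```python
import re

# Constructed, trimmed copies of the guide's AS3 and TS declarations.
AS3 = {"class": "ADC", "schemaVersion": "3.45.0", "Common": {"class": "Tenant", "Shared": {
    "class": "Application", "template": "shared",
    "telemetry_local_rule": {"class": "iRule",
                             "iRule": "when CLIENT_ACCEPTED {\n node 127.0.0.1 6514\n}"},
    "telemetry_local": {"class": "Service_TCP", "virtualPort": 6514},
    "telemetry": {"class": "Pool", "members": [{"servicePort": 6514}]},
    "telemetry_hsl": {"class": "Log_Destination", "type": "remote-high-speed-log",
                      "pool": {"use": "telemetry"}},
    "telemetry_asm_security_log_profile": {"class": "Security_Log_Profile", "application": {
        "servers": [{"address": "255.255.255.254", "port": "6514"}]}}}}}
TS = {"class": "Telemetry", "My_Listener": {"class": "Telemetry_Listener", "port": 6514},
      "My_Consumer": {"class": "Telemetry_Consumer", "type": "Azure_Log_Analytics",
                      "workspaceId": "<workspace-id>", "region": "<region>",
                      "passphrase": {"cipherText": "<cipher-text>"}}}

def walk(node, path=""):
    """Yield (path, dict) for every dict nested anywhere in a declaration."""
    if isinstance(node, dict):
        yield path, node
        children = node.items()
    elif isinstance(node, list):
        children = enumerate(node)
    else:
        return
    for key, val in children:
        yield from walk(val, f"{path}/{key}")

def preflight(as3, ts, installed_as3):
    """Hypothetical helper: list what to fix before POSTing the two declarations."""
    problems = []
    if as3.get("schemaVersion") != installed_as3:  # the guide's schemaVersion tip
        problems.append(f"schemaVersion {as3.get('schemaVersion')} != installed {installed_as3}")
    app = as3["Common"]["Shared"]
    listeners = {o["port"] for _, o in walk(ts) if o.get("class") == "Telemetry_Listener"}
    for path, obj in walk(app):
        ref = obj.get("use")
        if isinstance(ref, str) and ref not in app:  # pointer to an object that is not declared
            problems.append(f"{path}: use -> undefined object {ref}")
        ports = [obj[k] for k in ("virtualPort", "servicePort", "port") if k in obj]
        ports += re.findall(r"\bnode\s+\S+\s+(\d+)", str(obj.get("iRule", "")))
        problems += [f"{path}: port {p} has no TS listener" for p in ports if int(p) not in listeners]
    for path, obj in walk(ts):  # credentials still carrying the guide's <...> placeholders
        problems += [f"{path}/{k}: placeholder {v} not filled in"
                     for k, v in obj.items() if isinstance(v, str) and re.fullmatch(r"<[^>]+>", v)]
    return problems
```

Run `preflight(AS3, TS, "3.45.0")` with the version reported under Package Management LX; an empty list means the two declarations agree with each other and carry real credentials.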