How I did it - "Remote Logging with the F5 XC Global Log Receiver and Elastic"
Welcome to configuring remote logging to Elastic, where we take a look at the F5 Distributed Cloud’s global log receiver service and we can easily send event log data from the F5 distributed cloud services platform to Elastic stack.Security Automation with F5 BIG-IP and Event Driven Ansible
Updated (September 19th 2023) INTRODUCTION TO EVENT DRIVEN SECURITY: Event Driven Security is one of the projects I have been working on for the last year or so. The idea of creating automated security that can react similarly to how I would react in situations is fascinating to me, and then comes the BIG Question.... "Can I code it?" Originally our solution we had utilized ELK (Elastic Logstash Kibana) where Elasticsearch was my logging and monitoring tool, Kibana was the frontend GUI for helping me visualize and set up my watchers for my webhook triggers, Logstash would be an intermediary to receive my webhooks to help me execute Ansible related code. While using Logstash, if the Ansible code was simple it had no issues, however when things got more complex (i.e., taking payloads from Elastic and feeding them through Logstash to my playbooks), I would sometimes get intermittent results. Some of this could be my lack of knowledge of the software but for me it needed to be simple! As I want to become more complex with my Event Driven Security, I needed a product that would follow those needs. And luckily in October 2022 that product was announced "Event Driven Ansible" it made it so I didn’t need Logstash anymore i could call Ansible related code directly, it even took in webhooks (JSON based) to trigger the code, so I was already half way there! CODE FOR EVENT DRIVEN SECURITY: So now I have setup the preface let’s get down to the good stuff! I have setup a GitHub repository for the code i have been testing withhttps://github.com/f5devcentral/f5-bd-ansible-eda-demowhich is free for all to use and please feel free to take/fork/expand!!! There are some cool things worth noting in the code specifically the transformation of the watch code into something usable in playbooks. This code will take all the times the watcher finds a match in its filter and then then copies the Source IP from that code and puts it into a CSV list, then it sends the list as a variable within the webhook along with the message to execute the code. Here is the code I am mentioning above about transforming and sending the payloads in an elastic watcher. See the Full code in the GitHub repo. (Github Repo --> elastic -->watch_blocked_ips.json) "actions": { "logstash_exec": { "transform": { "script": { "source": """ def hits = ctx.payload.hits.hits; def transform = ''; for (hit in hits) { transform += hit._source.src_ip; transform += ', ' } return transform; """, "lang": "painless" } }, "webhook": { "scheme": "http", "host": "10.1.1.12", "port": 5000, "method": "post", "path": "/endpoint", "params": {}, "headers": {}, "body": """{ "message": "Ansible Please Block Some IPs", "payload": "{{ctx.payload._value}}" }""" } } } } In the Ansible Rulebook the big thing to note is that from the Pre-GA code (which was all CLI ansible-rulebook based) to the GA version (EDA GUI) rulebooks now are setup to call Ansible Automation Platform (AAP) templates. In the code below you can see that its looking for an existing template "Block IPs" in the organization "Default" to be able to run correctly. (Github Repo --> rulebooks -->webhook-block-ips.yaml) --- - name: Listen for events on a webhook hosts: all ## Define our source for events sources: - ansible.eda.webhook: host: 0.0.0.0 port: 5000 ## Define the conditions we are looking for rules: - name: Block IPs condition: event.payload.message == "Ansible Please Block Some IPs" action: run_job_template: name: "Block IPs" organization: "Default" This shows my template setup in Ansible Automation Platform 2.4.x, there is one CRITICAL piece of information i wanted to share about using EDA GA and AAP 2.4 code is that within the template you MUSTtick the checkbox on the "Prompt on launch" in the "variables section". This will allow the payload from EDA (given to it from Elastic) to pass on to the playbook. In the Playbook you can see how we extract the payload from the event using the ansible_eda variable, this allows us to pull in the event we were sent from Elastic to Event Driven Ansible and then sent to the Ansible Automation Platform template to narrow down the specific fields we needed (Message and Payload) from there we create an array from that payload so we can pass it along to our F5 code to start adding Blocked IPs to the WAF Policy.(Github Repo --> playbooks -->block-ips.yaml) --- - name: ASM Policy Update with Blocked IPs hosts: lb connection: local gather_facts: false vars: Blocked_IPs_Events: "{{ ansible_eda.event.payload }}" F5_VIP_Name: VS_WEB F5_VIP_Port: "80" F5_Admin_Port: "443" ASM_Policy_Name: "WAF-POLICY" ASM_Policy_Directory: "/tmp/f5/" ASM_Policy_File: "WAF-POLICY.xml" tasks: - name: Setup provider ansible.builtin.set_fact: provider: server: "{{ ansible_host }}" user: "{{ ansible_user }}" password: "{{ ansible_password }}" server_port: "{{ F5_Admin_Port }}" validate_certs: "no" - name: Blocked IP Events From EDA debug: msg: "{{ Blocked_IPs_Events.payload }}" - name: Create Array from BlockedIPs ansible.builtin.set_fact: Blocked_IPs: "{{ Blocked_IPs_Events.payload.split(', ') }}" when: Blocked_IPs_Events is defined - name: Remove Last Object from Array which is empty array object ansible.builtin.set_fact: Blocked_IPs: "{{ Blocked_IPs[:-1] }}" when: Blocked_IPs_Events is defined ... All of this combined, creates a well-oiled setup that looks like the following diagram below, with the code and the flows setup we can now create proactive event based security! Here is the flow of the code that is in the GitHub repo when executed. The F5 BIG-IP is pushing all the monitoring logs to Elastic. Elastic is taking all that data and storing it while utilizing a watcher with its filters and criteria, The Watcher finds something that matches its criteria and sends the webhook with payload to Event Driven Ansible. Event Driven Ansible's Rulebook triggers and calls a template within Ansible Automation Platform and sends along the payload given to it from Elastic. Ansible Automation Platforms Template executes a playbook to secure the F5 BIG-IP using the payload given to it from EDA (originally from Elastic). In the End we go Full Circle, starting from the F5 BIG-IP and ending at the F5 BIG-IP! Full Demonstration Video: Check out our full demonstration video we recently posted (Sept 13th 2023) is available on-demand viahttps://www.f5.com/company/events/webinars/f5-and-red-hat-3-part-demo-series This page does require a registration and you can check out our 3 part series. The one related to this lab is the "Event-Driven Automation and Security with F5 and Red Hat Ansible" Proactive Securiy with F5 & Event Driven Ansible Video Demo LINKS TO CODE: https://github.com/f5devcentral/f5-bd-ansible-eda-demoDevCentral RSA Trip Planning Guide
Well.. It's RSA season and, for me, this will be SUPER exciting, as it's my first one! The Moscone Center in San Francisco, California, will once again host the RSA Conference on April 24th through April 27th, 2023. There are quite a few things to look forward to this year, but the one that I'm most excited about so far is the theme, "Stronger Together." Through time, we've had a very bi-lateralcommunity in security. Whether it's the Spy vs. Spy influenced White Hat / Black Hat concept from my early days or the Team Red / Blue of today, it feels clear that we need some unity... or better yet, community. At DevCentral, everything's about community, so I'm most curious to see how community is reflected in RSA message. As a community member, though, I'd like to share the things I'm most excited about there. Where to find F5? F5 will be all over the place at this show! Our booth on the expo floor is N5435 and, of course,PSilvawill be scheming a Find The Booth Video, I'd imagine! For us DevCentral crew, the booth is like a home base. We frequent it between shoots to check the action and to meet with industry experts. On Tuesday at 8:30am, F5 Labs'Sander_Vinbergwill be presenting "The Evolution of CVEs, Vulnerability Management and Hybrid Architectures," with Ben Edwards, from The Cyentia Institute. Knowing Ben a bit, this should be a VERY cool talk and one to highlight if you're into community working together types of themes... oh! You are! Well.. you might see me in the audience snapping pics like Peter Parker. Friday has a couple of sessions you'll want to catch! The first is at 9:30 with Angel Grant, with "Metaspace Race, Securing Minors in the Metaverse - from the Start" and, after lunch, get your CTF on withwarburtr0nand Malcolm Heath at "Learn the FUNdamentals of API Security," at 1pm! Keynotes / Speakers: Aside from the F5 presence, I'm very excited to see Tanya Janca, who's got 3 sessions! She's doing a Birds of a Feather on Thursday at 1pm, "Creating a Great DevSecOps Culture," and a lab, "Adding SAST to CI/CD, Without Losing Any Friends," Wednesday at 1:15pm, but the one I'm REALLY thrilled to see is her Keynote on Thursday at 9:40 at the South Stage called, DevSecOps Worst Practices. I'm also looking forward to seeing Alyssa Miller. I just went to see her at Security B-Sides Rochester, NY, but this RSA event is a CISO panel, "CISO Legal Risks and Liabilities," on Wednesday at 1:15 PM, Moscone West 2001. Networking Events: I'm not sure what to expect with these as a new attendee. There are a couple events focused around beer, if that's your thing, and I hear the pub crawl is semi-legendary. The Sandbox looks to offer a wide array of experiences.. also with beer. There is also a Women's Networking Reception, sponsored by Cisco, on Tuesday night at South 303. Personally, I'd like to hit up the "Inclusive Security Welcome & Networking Breakfast" on Wednesday at South, 305. To me, that sounds a bit different and, as someone who's always been passionate about the benefits of workplace diversity it seems like a fit. Also, I think it is only appropriate that I try to attend the "RSAC Loyalty Plus & First-Timer Reception" on Sunday, from 5-7:30, but I think that's up to the airline gods. I Hope To See You There! Like, Comment.. Let us know if you're going, as we'd LOVE to connect with you community members! We want to know what YOU are excited about with RSA this year, as well. If there's anything you're missing out on but would like to see covered, let us know that, as well, so we can try to get coverage for you!Revolutionize F5 BIG-IP Deployment Automation with HashiCorp’s No-Code Ready Terraform Modules
Introduction In organizations today, application infrastructure deployment involves teams such as platform teams, Ops teams, and dev teams all working together to ensure consistency and compliance. This is no easy task as because of siloed teams and expertise and deploying application infrastructure is time-consuming. Platform teams typically address this challenge with automation and by enabling their ops team and developers with self-service infrastructure – which abstracts most steps of deployment. HashiCorp Terraform No-Code Provisioning enables self-service of BIG-IP infrastructure as it allows the platform teams tocreate and maintain a library of pre-built Terraform modules that can be used by ops teams and developers to deploy multi-cloud BIG-IP infrastructure and services for their applications. This help to ensure consistency and reduce the amount of time organizations need to set up and configure infrastructure. Taking this one step further, the Terraform no-code modules enable infrastructure teams to streamline automation by combining CI/CD pipelines, any custom scripts, and other automation tools in the deployment chain allowing developers and operations teams to deploy F5 application services and infrastructure anywhere with a few clicks from the Terraform Cloud GUI – all while maintaining compliance. What is No-Code? No-code provisioning in Terraform Cloud lets users deploy infrastructure resources without writing Terraform configuration. This lets organizations provide a self-service model to developers with limited infrastructure knowledge and a way to deploy the resources they need. It allows individuals with limited Terraform coding experience or knowledge to provision infrastructure with Terraform. It can accelerate the development process by eliminating the need for coding and testing. It can reduce the reliance on scarce technical resources or expertise. It can improve the flexibility and agility of BIG-IP deployment. How to set up Terraform Cloud for BIG-IP No-Code Module? You need the following: Terraform Cloud account AWS account Terraform Cloud variables set configured with your AWS credentials Fork the example GitHub repository https://github.com/f5businessdevelopment/terraform-aws-bigip-nocode Then, clone your forked repository. Replacing USER with your username. Git clone https://github.com/USER/terraform-aws-bigip-nocode-1 Navigate to the repository directory. Navigate to terraform-aws-bigip-nocode1 directory Make sure you have variables defined as shown below variable "prefix" { description = "provide some prefix for deployment" } variable "region" { description = "AWS region you can define example is us-west-2 " } variable "allow_from" { description = "IP Address/Network to allow traffic from your machine (i.e. 192.0.2.11/32)" } These variable definitions facilitate the exposure of parameters while deploying the BIG-IP instance, you can add/delete any new parameters you need to expose. How to Publish No-code ready module? First, create a tag for your module. Tags are required to create a release on the GitHub repository, Terraform Cloud will use this tag to register the module. git tag 1.0.0 git push –tags Once your release is ready on the Github repository Navigate to Terraform Cloud at https://app.terraform.iohttps://terraform.io Click Registry 🡪 Publish 🡪 Module On the Add Module option select GitHub in Connect to VCS option Browse through your repository and select the repository as shown below. Confirm the selection as shown below Click on Add Module to no-code provision allow list and then hit Publish as shown below. Confirm the selection as shown below Click on Add Module to no-code provision allow list and then hit Publish as shown below. It will take a couple of seconds to Publish the module, once done you will see the screen below as shown. Now you are ready to use the module, to deploy the BIG-IP instance you click on the Provision workspace tab. How to use the BIG-IP No-Code Terraform Module? Once we have the No-Code module published on Terraform Cloud we are ready to use it. Login to Terraform Cloud at https://app.terraform.io and choose an organization Click on Registry🡪 Module (bigip-1nic-nocode) as shown Click on the Provision workspace button as shown below. Workspaces in Terraform Cloud separate infrastructure configurations to help provide a multi-tenant environment. Provide the 3 parameters below as shown, you can give any name as a prefix, this helps in further providing more multi-tenancy if multiple people are provisioning. Provide workspace name, you can give any name. And finally hit the “Create Workspace” button to deploy the BIG-IP instance. BIG-IP instance will be ready with the Management IP address and password for you. Conclusion: Finally, the Infrastructure team can help to ensure the security and compliance of the infrastructure deployed using the Terraform No-Code Provisioning by implementing security best practices controls and monitoring. Reference Video
2022 DevCentral MVP Announcement
Congratulations to the 2022 DevCentral MVPs! Without users who take time from their busy days to share their experience and knowledge for others, DevCentral would be more of a corporate news site and not an actual user community. To that end, the DevCentral MVP Award is given annually to the outstanding group of individuals – the experts in the technical F5 user community who go out of their way to engage with the user community. The award is our way of recognizing their significant contributions, because while all of our users collectively make DevCentral one of the top community sites around and a valuable resource for everyone, MVPs regularly go above and beyond in assisting fellow F5 users.We understand that 2021 was difficult for everyone, and we are extra-grateful to this year's MVPs for going out of their ways to help others. MVPs get badges in their DevCentral profiles so everyone can see that they are recognized experts. This year’s MVPs will receive a glass award, certificate, exclusive thank-you gifts, and invitations to exclusive webinars and behind-the-scenes looks at things like roadmaps, new product sneak-previews, and innovative concepts in development. The 2022 DevCentral MVPs are: Aditya K Vlogs AlexBCT Amine_Kadimi Austin_Geraci Boneyard Daniel_Wolf Dario_Garrido David.burgoyne Donamato 01 Enes_Afsin_Al FrancisD iaine jaikumar_f5 Jim_Schwartzme1 JoshBecigneul JTLampe Kai Wilke Kees van den Bos Kevin_Davies Lionel Deval (Lidev) LouisK Mayur_Sutare Neeeewbie Niels_van_Sluis Nikoolayy1 P K Patrik_Jonsson Philip Jönsson Rob_Carr Rodolfo_Nützmann Rodrigo_Albuquerque Samstep SanjayP ScottE Sebastian Maniak Stefan_Klotz StephanManthey Tyler.HattonAgility sessions announced
Good news, everyone! This year's virtual Agilitywill have over 100 sessions for you to choose from, aligned to 3 pillars. There will be Breakouts (pre-recorded 25 minutes, unlimited audience) Discussion Forums (live content up to 45 minutes, interactive for up to 75 attendees) Quick Hits (pre-recorded 10 minutes, unlimited audience) So, what kind of content are we talking about? If you'd like to learn more about how to Simplify Delivery of Legacy Apps, you might be interested in Making Sense of Zero Trust: what’s required today and what we’ll need for the future (Discussion Forum) Are you ready for a service mesh? (breakout) BIG-IP APM + Microsoft Azure Active Directory for stronger cybersecurity defense (Quick Hits) If you'd like to learn more about how to Secure Digital Experiences, you might be interested in The State of Application Strategy 2022: A Sneak Peak (Discussion Forum) Security Stack Change at the Speed of Business (Breakout) Deploy App Protect based WAF Solution to AWS in minutes (Quick Hits) If you'd like to learn more about how to Enable Modern App Delivery at Scale, you might be interested in Proactively Understanding Your Application's Vulnerabilities (Discussion Forum Is That Project Ready for you? Open Source Maturity Models (Breakout) How to balance privacy and security handling DNS over HTTPS (Quick Hits) The DevCentral team will be hosting livestreams, and the DevCentral lounge where we can hang out, connect, and you can interact directly with session presenters and other technical SMEs. Please go to https://agility2022.f5agility.com/sessions.html to see the comprehensive list, and check back with us for more information as we get closer to the conference.January 2022 DevCentral Survey
Hi everyone, As 2021 winds down, we are excited about some changes coming to DevCentral in the new year.We'd like your input as we work to make DevCentral a community you WANT to visit. To that end, we hope that you'll fill out this 6-question survey. That's all for now! Stay tuned over the next few weeks to learn more about the changes. Happy new year! ~your DevCentral TeamAgility 2020 - you're invited!
In-person event for Agility 2020 has been cancelled. Please see the Agility Event Page for more details. (Update 2/28/2020) In an abundance of caution for our customers, partners and employees, we have made the tough decision to cancel our in-person event for Agility 2020 due to the escalating travel and safety concerns related to the global COVID-19 (Coronavirus) outbreak. While we are disappointed to miss sharing ideas and solving problems with customers and partners from around the globe in person, we believe this is the best decision for everyone's welfare. We are rapidly developing an alternative to Agility as a virtual experience in the near term to deliver valuable Lab, Break-out Session, Certification and Keynote content to our customers and partners. Check back regularly for more details on the virtual event or email F5Agility@F5.com for additional information. <Professor Farnsworth imitation>Good news, everybody!</Professor Farnsworth imitation> As you know, there was no Agility 2019. This was in part so that we could reset the time of year for the conference from August to March. Agility 2020will be held from March 16-19, 2020 at theSwan & Dolphinin Orlando, Florida. Orlando, and Disney, and putt-putt golfing... That's right, *puts on ears* we're going to Disneyworld - and you are all cordially invited to participate in labs and breakouts, meet fellow F5 users, talk with F5 and partner subject-matter experts, learn to develop and deploy applications in days instead of months, secure your apps at scale in a multi-cloud environment, and hear about our vision for the future of F5 and NGINX. Registration is now open! The DevCentral team will be busy as usual that week. We areallflying over, and will be: hosting our usual booth and giving out swag in the expo hall, hosting a walk-in Nerdery zone next to our booth, where folks can drop in to speak with one of our subject-matter experts, presenting breakout sessions, hanging out at Geekfest, connecting community, enjoying the exclusive community area at the final night party, and of course, spoiling the dev/central MVPs during the joint 2019-20 MVP Summit at Agility with special sessions and activities. If you'd like to do more than pick up all the knowledge being dropped, if you have some cool technical stories or lessons-learned to share, please stay tuned for the open call for proposals which should go live in early December - so please start getting those great breakout, lightening round, and open talk ideas ready. Hope to see you there!DevCentral trivia event - UPDATED
Dec 16 UPDATE: The team had a lot of fun with this, and we hope that all the participants did as well. Everything on Zoom went smoothly, though we had an audio issue on YouTube. You can watch the second half of theevent and play along with game 2 at home here: ********************* Hi everyone, We're happy to announce DevCentral's first-ever virtual trivia event! 11:30-12:30 PST on Tuesday, December 15 Come show off your technical, F5, DevCentral, and general knowledge in this live event hosted by the DevCentral team. There will be 2 games of 15 questions each during this hour, with prizes for 4 lucky random players, and prizes for the winners. Attendance is capped at 500, so be sure to log in on time if you can.Stay tuned for more details here and on our Twitter feed on December 9. Open https://crowdpurr.com/and use event code DC1 Click HERE to join the live event on Zoom in order to hear us, orjoin the livestreamover on our YouTube channel. The Zoom call and livestream will both go live shortly before the event. See you there!Agility 2020 Call for Proposals now open!
In-person event for Agility 2020 has been cancelled. Please see the Agility Event Page for more details. (Update 2/28/2020) In an abundance of caution for our customers, partners and employees, we have made the tough decision to cancel our in-person event for Agility 2020 due to the escalating travel and safety concerns related to the global COVID-19 (Coronavirus) outbreak. While we are disappointed to miss sharing ideas and solving problems with customers and partners from around the globe in person, we believe this is the best decision for everyone's welfare. We are rapidly developing an alternative to Agility as a virtual experience in the near term to deliver valuable Lab, Break-out Session, Certification and Keynote content to our customers and partners. Check back regularly for more details on the virtual event or email F5Agility@F5.com for additional information. This is the announcement that the open call for proposals for Agility 2020 breakout and lightening talk sessions is now open! The next Agility conference will be March 16-19, 2020 in Orlando, FL. We here at DevCentral officially invite our outstanding user community to submit abstracts for 50-minute breakout sessions and/or 15-minute lightening talks. Do you have unique first-hand technical insights and real-world best practices to share? Are you an innovative user of F5 technology? Want to present for 60 minutes or just throw your hat in the ring for 15 minutes’ worth of a lightening round? Submit your proposal abstract(s) via this form for an opportunity to share your expertise with other F5 practitioners at Agility 2020. When submitting your abstract, please choose one of the following tracks that most closely aligns with your proposed talk(s): ·App Protect ·Modern Application Development ·Deployment Modernization ·Open Source We strongly recommend reading “Why Your Excellent Conference Talk Was Rejected” by Sarah Gray for tips on getting your proposal added to the agenda. Potential presenters may submit more than one abstract, with one proposal per submission. Submit your proposal abstract(s) by January 13th via this form. Why present? ·Complimentary conference registration ·Because you have something interesting to say ·Professional recognition by your peers ·Help your fellow users ·Increased networking opportunities ·Awesome shirt Deadline for proposal submission: 11:59pm PST January 13, 2020 Please emailLeslie Hubertusat l.hubertus (at) f5 d0t com with any questions.
