security
14647 Topics

syslog over tcp and define management IP as source
Hello, I used the following method to add a syslog server IP with a TCP port. Can anyone help me with how to define the source IP (management IP) used to send logs to the syslog server?

https://support.f5.com/csp/article/K13080

Configuring the BIG-IP system to log to the remote syslog server using TCP protocol

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to tmsh by typing the following command:

    tmsh

2. To log to the remote syslog server using the TCP protocol, use the following command syntax:

    modify /sys syslog include "destination remote_server {tcp(\"\" port (514));};filter f_alllogs {level (debug...emerg);};log {source(local);filter(f_alllogs);destination(remote_server);};"

For example, to log to the remote syslog server 172.28.68.42, type the following command:

    modify /sys syslog include "destination remote_server {tcp(\"172.28.68.42\" port (514));};filter f_alllogs {level (debug...emerg);};log {source(local);filter(f_alllogs);destination(remote_server);};"

Unable to Forward APM and AFM Logs to AWS CloudWatch Using Telemetry Streaming
Hello Team,

I am trying to forward AFM (Network Firewall) logs and APM logs from F5 BIG-IP to Amazon CloudWatch using F5 Telemetry Streaming.

F5 BIG-IP version: BIG-IP 17.1.0.1 Build 0.0.4 Point Release 1

Current Behavior

When I configure the security logging profile with local-db-publisher, I am able to see logs on the BIG-IP dashboard:

- Security → Event Logs → Network Firewall
- Security → Event Logs → Access

However, when I change the logging profile to use a remote log publisher, I am unable to receive the logs in CloudWatch.

My Declaration

    {
        "class": "Telemetry",
        "My_Listener": {
            "class": "Telemetry_Listener",
            "port": 6514
        },
        "My_Consumer": {
            "class": "Telemetry_Consumer",
            "type": "AWS_CloudWatch",
            "region": "us-east-1",
            "logGroup": "loggrpname",
            "logStream": "logstreamname",
            "username": "Access Key",
            "passphrase": {
                "cipherText": "Secret Key"
            }
        }
    }

Telemetry Architecture for AFM

Security Log Profile → Log Publisher → Remote High Speed Log → telemetry_pool → 127.0.0.1:6514 → Telemetry Listener → Telemetry Consumer → CloudWatch

Configuration Summary

- AFM policy and APM access policy attached to the virtual server
- Security logging profile attached to the virtual server
- Log Publisher configured
- Remote High-Speed Log destination configured
- Pool member configured as 127.0.0.1:6514
- Telemetry Streaming declaration deployed.

F5 BIG-IP DNS/Audit Logs — Structured Format for SIEM Ingestion
Hello Team,

We are working on adding ingestion support for F5 BIG-IP DNS and Audit logs into a SIEM, with the goal of normalising events to the OCSF standard.

For other BIG-IP event types, we use Telemetry Streaming to forward logs in structured JSON format, which makes normalisation straightforward. However, DNS and Audit logs appear to be emitted only in syslog text format, and we have not found a way to obtain them in structured JSON.

Additionally, we were unable to locate any official schema documentation describing the available fields for these log types. This makes it challenging to reliably parse and map the events to a standard schema.

Can someone please help if there is any schema documentation available for DNS and Audit logs, or if there is any supported way to forward these logs in JSON or any other structured format? Any guidance or documentation would be greatly appreciated.

Thanks,
Krishna

Bot Defense causing a lot of false positives
Hello DevCentral Community,

While configuring a Bot Defense profile for our websites, we noticed a lot of false positives, where legitimate browsers are flagged as Malicious Bots to a point where we cannot safely enable Malicious Bot blocking.

The detected anomalies are mostly:

- Device ID Deletion (can be worked around by raising the threshold from 3 to ~10)
- Resource request without browser verification cookie
- Session Opening
- Browser Verification Timed out (more rarely)

We have tried various configurations, none of which worked properly. Currently, our test bot defense profile is as follows:

- DoS Attack Mitigation Mode: Enabled
- API Access for Browsers and Mobile Applications: Enabled
- Exceptions: Device ID Deletions: Block for 600s; Detect after 10 (instead of 3) access attempts in 600s
- No microservice
- Browser Access: Allow
- Browser Verification: Verify After Access (Blocking) / 300s grace period (we also tried verify before, but the white challenge page isn't acceptable for our users)
- Device ID mode: Generate After Access (we also tried Generate Before Access)
- Single page application: Enabled (we also tried to disable it)
- Cross Domain Requests: Allow configured domains; validate upon request (with all of our websites added in related site domains). We also tried with allow all requests.

After a bit of digging around, we noticed the following:

- The false positives often happen after visiting a website that loads various resources from other domains, and we believe the issue might be linked to cross domain requests
- Google Chrome (and derivatives) are dropping the TS* cookies for cross domain requests, even with the domains added in the related domain list
- After creating an iRule that updates TS* cookies with SameSite=None; Secure, some previously blocked requests were now allowed but not all
- Disabling the check for the detected anomalies feels like it would severely affect the bot defense effectiveness.

We opened a support ticket related to this issue over a year ago and haven't found any solution yet.

Has anyone faced a similar problem before, and managed to solve it? If so, how?

Thank you for any help.

Regards

[ASM] - How to disable the SQL injection attack signatures
Hi Team,

We have a request to deactivate the SQL Injection attack signature at the URL level. Below are the details. Kindly help with the detailed steps to manually disable the 2 attack signatures.

- Attack Type: SQL-Injection
- Requested URL: [HTTPS] /stock/option/getexcelfile
- Host: trade-it.ifund.com

Attack Type: SQL-Injection
- Detected Keyword: RS% -OR%16%1600021-02-2385433%16%C3%
- Attack Signature: SQL-INJ expressions like ""OR 1=1"" (3) (Parameter) = 200002147
- Detected in: Element value

- Detected Keyword: D'OR%20SA%16%1611%2F08%2F2021%0D%
- Attack Signature: SQL-INJ expressions like ""' or 1 --"" = 200002419
- Detected in: Element value

Security ›› Application Security : Parameters : Parameters List

- Parameter Name: ? >> what will be the parameter name?
- Parameter Level: /stock/option/getexcelfile
- Parameter Value Type: user-input value

Under attack signature >> we have to add 2 signatures and disable them? Can we deactivate both signatures under 1 parameter rule?

Thank you in advance!!!

ASM/AWAF declarative policy
Hi there,

I am searching for options to automate ASM and would rather avoid having AS3 in the loop due to the need to update it on the F5 side. Luckily F5 introduced the "declarative policy". But I am not able to get it working properly.

I am able to deploy a WAF policy with the example mentioned here. But it does not contain any of the specified server technologies. I have the same issue with parameters or URLs when I try other examples. They simply get ignored.

Is it buggy, or has anyone of you struggled with it? My last option is to have a set of policies predefined in XML format and do some importing or playing with policy inheritance. Well, declarative ASM looks exactly like what I need, it just does not work, or I am wrong :)

Thanks for any help
Zdenek

GRPC through F5 Virtual Server [RST_STREAM with error code: INTERNAL_ERROR]
Hello everyone.

We have a GRPC service running in a K8s cluster and it's reachable through Nginx ingress from inside the cluster. We need to access the GRPC service from outside the cluster through an F5 Virtual server and we've configured it as described in this guide: https://my.f5.com/manage/s/article/K08041451

So the traffic route should be:

External Client (GRPC) -> F5 Virtual server (GRPC) -> Nginx ingress running in a k8s cluster (GRPC) -> GRPC Server.

However, this route doesn't work using the VIP as we are getting this error:

    Failed to list services: rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: INTERNAL_ERROR

Please note that this traffic route is working as expected:

Internal Client (GRPC) -> Nginx ingress running in a k8s cluster (GRPC) -> GRPC Server.

What could be the issue here?

Thanks!

iRule Approach to Mask Authorization Header for Bot Defense Logging – Validation Needed
I am working on masking sensitive information (specifically the Authorization header) from being exposed in Bot Defense logs on F5 BIG-IP Bot Defense, as there is currently no native feature available to mask the BOT request. To address this, I have implemented the following iRule:

    when HTTP_REQUEST {
        # Unique ID per request (handles keep-alive correctly)
        set req_id [HTTP::request_num]
        if {[HTTP::header exists "Authorization"]} {
            # Save original header for later restore
            set auth($req_id) [HTTP::header value "Authorization"]
            # Mask BEFORE Bot Defense inspects/logs
            HTTP::header replace "Authorization" "Bearer *******************************************************************************"
        }
    }

    when HTTP_REQUEST_RELEASE {
        # This runs AFTER Bot Defense logging but BEFORE server send
        set req_id [HTTP::request_num]
        if {[info exists auth($req_id)]} {
            # Restore original header for the application
            HTTP::header replace "Authorization" $auth($req_id)
            # Clean up memory
            unset auth($req_id)
        }
    }

Is this iRule approach valid and reliable? Any suggestions for improvement or enhancement would be greatly appreciated.