Accenture MDR Quick Start Guide for A10® Networks Thunder Series

This quick start guide will help Accenture MDR customers configure A10® Networks Thunder Series to send logs to the Log Collection Platform (LCP).

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication

Source              Destination  Port       Description
A10 Thunder Series  LCP          514 (UDP)  Default port

Configuring A10 Networks Thunder Series

 

Note: The steps given below can only be performed by a user with role privilege of ReadWriteAdmin and Access Type Web/CLI/API. Navigate to Config Mode > System > Admin to verify the user permissions.

 

A10 Networks Thunder Series can be configured in two ways:

  • To send logs in syslog format without WAF data event messages

  • To send WAF data event messages in syslog format

 

Note: A10 Networks Thunder Series supports syslog mechanism to send logs (except Web Application Firewall [WAF] logs) to the log server. By default, only WAF configuration events are logged but not WAF data events. Due to the potentially high volume of data event messages, they are accessible only by using a log server. To enable WAF data events logging, additional configuration is needed.

 

Configure A10 Networks Thunder Series to send logs in syslog format without WAF

To configure the A10 Networks Thunder Series, follow the steps below.

  1. Log in to the A10 Thunder device console by typing the following: https://<A10_ip_address>:<portnumber>

  2. Go to Config Mode > System > Settings > Log.

3. In the Disposition section, under Syslog, select all the check boxes.

4. In the Single Priority section, select all the check boxes.

5. From the Facility drop-down list, select Local7.

6. In the Log Server text box, type the LCP_IP_Address.

7. In the Log Server Port text box, type the Port_Number.

8. To enable audit logging, type the LCP_IP_Address and from the drop-down list, select the standard logging facility. The recommended value is Local7.

9. In the Audit section there are three options. Select one of them according to your requirement.

  • Disabled - Command auditing is disabled.

  • Enabled - Configuration commands are logged.

  • Enable Privilege - Configuration commands and operational commands are logged.

The recommended option is Enable Privilege.

10. Click OK to save the settings.

Note: By default, syslog is configured to send logs over UDP and cannot be configured to send logs over TCP.

Configure A10 Networks Thunder Series to send WAF data events in syslog format

To configure WAF logging, follow the steps below.

  1. Navigate to Config Mode > SLB > Service > Server.

2. Click Add.

3. In the Name text box, type the preferred name.

4. In the IP Address/Host text box, type the LCP_IP_Address and select the IP version as IPv4 or IPv6.

5. In the Port section:

  • In the Port text box, type the port number.

  • From the Protocol drop-down list, select TCP or UDP.

  • Click Add.

6. Click OK. The server appears in the server table.

To add server configurations to the service group, follow the steps below.

  1. Go to Config Mode > SLB > Service > Service Group.

2. Click Add.

3. In the Name: text box, type the preferred name.

4. From the Type: drop-down list, select TCP or UDP.

5. From the Algorithm: drop-down list, select Round Robin.

6. In the Server section, configure the server information:

  • In the IPv4/IPv6 option, select IPv4 or IPv6.

  • From the Server drop-down list, select the server that was created in Step I.

  • In the Port text box, type the port number specified in Step I.

  • Click Add.

7. Repeat the steps for each server.

8. Click OK. The service group appears in the service group table.

To configure the logging template, follow the steps below.

  1. Select Config Mode > SLB > Template > Application > Logging.

2. Click + to add the logging template.

3. In the Logging Template section, in the Name: text box, type a preferred name for the template.

4. From the Service Group drop-down list, select the service group created in Step II.

5. If you have configured a custom TCP-proxy template for logging over TCP, select the template. To see if any TCP template is present, go to Config Mode > SLB > Template > TCP Proxy.

6. Click OK.

To apply the log template to the WAF template, follow the steps below.

  1. Navigate to Config Mode > Security > WAF > Template.

2. Click the WAF template name. Essentially, you are binding the WAF template to the Logging template. After you bind it, the name of the Logging template appears under Logging Template as shown above.

3. Select Deployment Mode: as per your environment.

  • Learning – Provides a way to initially set the thresholds for certain WAF checks based on known, valid traffic.

  • Passive – Provides a passive WAF operation. All enabled WAF checks are applied, but no WAF action is performed on matching traffic. This mode is useful in staging environments to identify false positives for filtering.

  • Active – This is the standard operational mode. You must use Active mode if you want the WAF to sanitize or drop traffic based on the configured WAF policies.

4. From the Logging Template: drop-down list, select the logging template that was created in Step III.

5. Click OK.

Note: The ACL log will be included as a part of default syslog.

LCP Configuration Parameters

Table 1-2: The A10 Thunder series event collector (Syslog -3763) properties to be configured by MDR are shown in the table.

Property                 Default Value                  Description
Protocol                 UDP                            The default protocol for syslog.
Host Names/IP Addresses  A10 Thunder series IP address  Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs using multiple interfaces, please contact the Accenture MDR onboarding team.
Signatures               a10logd:,|A10|                 MDR recommended signatures processed by the A10 Thunder series event collector.
Port Number              514                            The default port for UDP.

Note: A10 Networks Thunder Series does not have an option to configure syslog over TCP, however you can configure WAF data events over TCP.
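
To confirm the settings above from the receiving side, the following added example (not part of the Accenture guide or of any A10 or LCP tooling) decodes the syslog PRI to check for facility Local7 and tests each message against the Table 1-2 signatures. The function names, the listen helper and the sample datagrams are assumptions constructed for illustration.

```python
import re
import socket

LOCAL7 = 23                         # syslog facility code for Local7 (step 5 of the syslog setup)
SIGNATURES = ("a10logd:", "|A10|")  # collector signatures listed in Table 1-2
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def check_datagram(data):
    """Decode the syslog PRI and test the message against the collector signatures."""
    m = PRI_RE.match(data)
    if not m or int(m.group(1)) > 191:      # highest valid PRI is 23 * 8 + 7
        return {"valid_pri": False, "facility": None, "severity": None,
                "local7": False, "signature": None}
    facility, severity = divmod(int(m.group(1)), 8)   # PRI = facility * 8 + severity
    text = data[m.end():].decode("utf-8", errors="replace")
    sig = next((s for s in SIGNATURES if s in text), None)
    return {"valid_pri": True, "facility": facility, "severity": SEVERITIES[severity],
            "local7": facility == LOCAL7, "signature": sig}

def listen(bind_ip="0.0.0.0", port=514, expected_src=None):
    """Print a verdict per datagram; run on a test host standing in for the LCP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))          # ports below 1024 need elevated privileges
        while True:
            data, (src, _) = sock.recvfrom(65535)
            r = check_datagram(data)
            ok = r["local7"] and r["signature"] and expected_src in (None, src)
            print(f"{'OK  ' if ok else 'WARN'} {src} {r}")

# Constructed sample datagrams (illustrative layout, not captured A10 output).
SAMPLES = [
    b"<190>Jan 12 10:15:02 thunder01 a10logd: constructed sample event",
    b"<134>Jan 12 10:15:02 thunder01 sample|A10|constructed WAF-style event",
    b"<190>Jan 12 10:15:03 otherhost sshd[411]: constructed sample event",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_datagram(sample))
```

Pass expected_src to listen() to flag datagrams arriving from an address other than the one registered for the device, which is the multiple-interface case noted in Table 1-2.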

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
