Accenture MDR Quick Start Guide for F5® BIG-IP Advanced Firewall Manager (AFM)

This quick start guide will help Accenture MDR customers configure F5® BIG-IP Advanced Firewall Manager (AFM) to send logs to the Log Collection Platform (LCP).


The document includes the following topics:

  Supported Versions
  Port Requirements
  Configuring F5 BIG-IP AFM
  LCP Configuration Parameters

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

  Source          Destination   Port                     Description
  F5 BIG-IP AFM   LCP           514 (UDP) or 601 (TCP)   Default port

Configuring F5 BIG-IP AFM

To configure F5 BIG-IP AFM to send event logs to the LCP, follow the steps below.

  1. Create a pool of remote logging servers.

  2. Create a remote high-speed log destination.

  3. Create an additional log destination to format logs in the required CEF format.

  4. Create a publisher.

  5. Configure a logging profile for ArcSight CEF logs.

  6. Create a virtual server and associate it with the logging profile.

Note: Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the pool. Ensure that ArcSight log servers are configured to listen to and receive log messages from the F5 BIG-IP AFM.

Create a pool of remote logging servers.

  1. On the Main tab, go to Local Traffic > Pools.

  2. Click the Create button on the right-hand side. The New Pool screen opens.

  3. In the Name field, type a unique name for the pool.

  4. In the New Members setting, in the Resources section, add the IP address for each remote logging server that you want to include in the pool.

  5. In the Address field, type the lcp_ip_address or select a node address from the Node List.

  6. In the Service Port field, type a service number or select a service name from the list.

Note: Ensure that you have configured the correct remote logging port.

  7. Click Add and then click Finished.

 

Create a remote high-speed log destination.

  1. On the Main tab, go to System > Logs > Configuration > Log Destinations. The Log Destinations screen opens.

  2. Click the Create button on the right-hand side.

  3. In the Name field, type a unique, identifiable name for this destination. This name is selected in step 5 of the next section (Forward To).

  4. From the Type list, select Remote High-Speed Log.

  5. From the Pool Name list, select the pool of remote log servers to which you want the F5 BIG-IP AFM to send log messages.

  6. From the Protocol list, select the protocol used by the high-speed logging pool members.

  7. Click Finished.

Note: Ensure that at least one ArcSight destination exists on the F5 BIG-IP AFM.

Create an additional log destination to format the logs in the required CEF format.

  1. On the Main tab, go to System > Logs > Configuration > Log Destinations. The Log Destinations screen opens.

  2. Click the Create button on the right-hand side.

  3. In the Name field, type a unique, identifiable name for this destination. This name is selected in step 4 of the next section (Create a publisher).

  4. From the Type list, select an ArcSight formatted logging destination.

  5. From the Forward To drop-down list, select the destination that points to the pool of ArcSight log servers to which you want the F5 BIG-IP AFM to send log messages.

  6. This is the same unique, identifiable name that you provided in step 3 of the previous section.

Note: Ensure that at least one destination associated with a pool of ArcSight servers exists on the F5 BIG-IP AFM.

Create a publisher.

  1. On the Main tab, go to System > Logs > Configuration > Log Publishers. The Log Publisher screen opens.

  2. Click the Create button on the right-hand side.

  3. In the Name field, type a unique, identifiable name for this publisher.

  4. For the Destinations setting, in the Available list, select a destination, and click << to move the ArcSight destination to the Selected list. This is the same unique, identifiable name that you provided in step 3 of the previous section.

Note: The destination that you created in the previous section is used in this section.

For example, Test 2.

  5. Click Finished.

Configure a logging profile for ArcSight CEF logs.

  1. On the Main tab, click Security > Event Logs > Logging Profiles. The Logging Profiles screen opens.

  2. Click the Create button on the right-hand side. The Create New Logging Profile screen opens.

  3. In the Profile Name field, type a unique name for the profile.

  4. Select the Protocol Security, Network Firewall, and DoS Protection check boxes.

  5. On the Protocol Security tab, from the Publisher list, select the publisher that F5 BIG-IP AFM uses to log Protocol Security events.

  6. In the Network Firewall section, from the Publisher list, select the publisher that F5 BIG-IP AFM uses to log Network Firewall events.

  7. In the DoS Protection section, from the Publisher drop-down list, select the publisher that F5 BIG-IP AFM uses to log DoS Protection events.

  8. For the Log Rule Matches setting, select how the F5 BIG-IP AFM logs packets that match ACL rules.

  9. Check the Log IP Errors check box to enable logging of IP error packets.

  10. Check the Log TCP Errors check box to enable logging of TCP error packets.

  11. Check the Log TCP Events check box to enable logging of TCP session open and close events.

  12. From the Storage Format list, select None.

  13. In the IP Intelligence section, from the Publisher list, select the publisher that F5 BIG-IP AFM uses to log source IP addresses that have a bad reputation according to the IP Address Intelligence database, together with the name of the bad-reputation category. This step applies only when IP Address Intelligence is licensed and enabled on the F5 BIG-IP AFM.

  14. Click Finished. Assign this custom network firewall logging profile to a virtual server, as described in the next section. Ensure that at least one ArcSight log publisher exists on the F5 BIG-IP AFM.

Create a virtual server and associate it with the logging profile.

  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.

  2. Click the name of the existing virtual server that you want to modify.

  3. From the Security menu, select Policies. The screen displays Policy Settings and Rules Settings.

  4. From the Log Profile list, select Enabled. Then, for Profile Settings, move the profiles that log specific events to specific locations from the Available list to the Selected list.

  5. Click Update to save your changes.
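As an added example that is not part of the original guide, the six GUI steps above expressed as tmsh commands in a shell script with a dry-run mode, so the resulting configuration can be reviewed before it is applied. The object names (lcp_pool, lcp_hsl, lcp_cef, lcp_publisher, lcp_afm_log, vs_app_443) and the 192.0.2.10 address are assumptions, and the tmsh syntax is assumed from F5 conventions and should be verified against your BIG-IP version.

```shell
#!/bin/sh
# Added example, not from the original guide: the six GUI steps as tmsh
# commands. tmsh syntax is assumed from F5 conventions; verify it on your
# BIG-IP version. All object names and the address below are assumptions.
LCP_IP="${LCP_IP:-192.0.2.10}"    # constructed placeholder for lcp_ip_address
LCP_PORT="${LCP_PORT:-514}"       # 514 for UDP or 601 for TCP (Table 1-1)
LCP_PROTO="${LCP_PROTO:-udp}"     # must match what the LCP listens on
VS_NAME="${VS_NAME:-vs_app_443}"  # assumed name of the existing virtual server
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the commands instead of running them

# Run a tmsh command, or print it in dry-run mode so the change can be reviewed.
run() { if [ "$DRY_RUN" = 1 ]; then echo "tmsh $*"; else tmsh "$@"; fi; }

# Reject inputs that would silently create a log path that never delivers.
validate() {
  case "$LCP_PROTO" in udp|tcp) ;; *) echo "protocol must be udp or tcp" >&2; return 1 ;; esac
  case "$LCP_PORT" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
  [ "$LCP_PORT" -ge 1 ] && [ "$LCP_PORT" -le 65535 ] || { echo "port out of range" >&2; return 1; }
}

configure_afm_logging() {
  validate || return 1
  # Step 1: pool of remote logging servers (here a single LCP member)
  run create ltm pool lcp_pool members add { "$LCP_IP:$LCP_PORT" }
  # Step 2: remote high-speed log destination bound to that pool
  run create sys log-config destination remote-high-speed-log lcp_hsl \
      { pool-name lcp_pool protocol "$LCP_PROTO" }
  # Step 3: ArcSight (CEF) formatting destination that forwards to the HSL destination
  run create sys log-config destination arcsight lcp_cef { forward-to lcp_hsl }
  # Step 4: publisher that writes to the CEF destination
  run create sys log-config publisher lcp_publisher { destinations add { lcp_cef } }
  # Step 5: logging profile; network firewall rule matches plus IP/TCP errors and
  # TCP events go to the publisher, and DoS Protection uses the same publisher.
  # The Protocol Security publisher is left to the GUI here.
  run create security log profile lcp_afm_log \
      network add { lcp_afm_log { publisher lcp_publisher filter { \
      log-acl-match-accept enabled log-acl-match-drop enabled log-acl-match-reject enabled \
      log-ip-errors enabled log-tcp-errors enabled log-tcp-events enabled } } } \
      dos-network-publisher lcp_publisher
  # Step 6: attach the profile to the existing virtual server and persist the config
  run modify ltm virtual "$VS_NAME" security-log-profiles add { lcp_afm_log }
  run save sys config
}

configure_afm_logging
```

Set DRY_RUN=0 only after reviewing the printed commands; the pool and destination names must not collide with objects that already exist on the device.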

LCP Configuration Parameters

Table 1-2: The F5 BIG-IP AFM event collector (3753 - Syslog) properties to be configured by MDR are shown in the table.

Property: Protocol
Default Value: UDP
Description: The default protocol for syslog. The collector can also accept logs over TCP.
Note: While TCP offers guaranteed delivery of log packets, it places a larger overhead on the LCP. To weigh the reliability of TCP against the speed and simplicity of UDP, contact the MDR onboarding team.

Property: IP Address
Default Value: F5 BIG-IP AFM IP address
Description: Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ).
Note: If the device sends logs using multiple interfaces, contact the MDR onboarding team.

Property: Signatures
Default Value: F5 | Advanced Firewall Module, F5 | PSM
Description: MDR recommended signatures processed by the F5 BIG-IP AFM event collector.

Property: Port Number
Default Value: 514
Description: The default port for UDP. For TCP, the default port is 601.
Note: The LCP can be configured to listen on a non-standard port. Please advise the MDR onboarding team if this is a requirement.
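As an added example that is not part of the original guide, a receive-side check for what arrives at the collector port: it confirms that each syslog line carries the CEF header the ArcSight destination produces and that the vendor/product pair is one of the signatures listed in Table 1-2. The sample lines are constructed; the version and signature ID fields in them are placeholders, not real F5 values.

```shell
#!/bin/sh
# Added example, not from the original guide: check that lines arriving at the
# LCP port carry a CEF header with a vendor/product pair the F5 BIG-IP AFM
# collector processes (Table 1-2 signatures). Sample lines are constructed.

# Print "vendor | product" from one CEF line; fail if the header is malformed.
cef_signature() {
  cef=${1#*CEF:}                       # drop the syslog prefix before "CEF:"
  [ "$cef" != "$1" ] || return 1       # no CEF header at all
  rest=${cef#*|}                       # skip the CEF version field
  vendor=${rest%%|*}; rest=${rest#*|}
  product=${rest%%|*}; rest=${rest#*|}
  # version|signature id|name|severity|extension must all still be present
  n=$(printf '%s' "$rest" | awk -F'|' '{ print NF }')
  [ "${n:-0}" -ge 5 ] || return 1
  printf '%s | %s\n' "$vendor" "$product"
}

# Succeed only for the signatures the collector is configured with.
is_mdr_signature() {
  case "$1" in
    "F5 | Advanced Firewall Module"|"F5 | PSM") return 0 ;;
    *) return 1 ;;
  esac
}

# Read lines on stdin and print how many the collector would not recognise.
count_unrecognised() {
  bad=0
  while IFS= read -r line; do
    sig=$(cef_signature "$line") && is_mdr_signature "$sig" || bad=$((bad + 1))
  done
  echo "$bad"
}

# Constructed sample: two CEF events and one plain-text line, as seen when a
# publisher is still pointed at a non-CEF destination.
SAMPLE='<134>Jun  1 12:00:00 bigip1 CEF:0|F5|Advanced Firewall Module|x.y|AFM-SAMPLE-1|Network Event|8|act=Drop src=198.51.100.7 spt=40000 dst=192.0.2.20 dpt=22 proto=TCP
<134>Jun  1 12:00:01 bigip1 CEF:0|F5|PSM|x.y|PSM-SAMPLE-1|Protocol Security|5|act=Alarm src=198.51.100.9
<134>Jun  1 12:00:02 bigip1 Rule /Common/allow_http: accept 198.51.100.8:1234 -> 192.0.2.20:80'

printf '%s\n' "$SAMPLE" | count_unrecognised   # prints 1
```

A non-zero count after the configuration above usually means a publisher is still bound to the remote high-speed log destination directly instead of to the ArcSight destination.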


Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.