Accenture MDR Quick Start Guide for F5 BIG-IP® Application Security Manager™ (ASM)
This quick start guide will help Accenture MDR customers configure F5 BIG-IP® Application Security Manager™ (ASM) to send logs to the Log Collection Platform (LCP).
The document includes the following topics:
Supported Versions
A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal.
Port Requirements
Table 1-1: Port requirements for LCP communication.
Source | Destination | Port | Description |
F5 BIG-IP ASM | LCP | 514 (UDP) or 601 (TCP) | Default port |
Note: If the protocol is set to UDP and a log line is larger than 1 KB, that message will not be received by the LCP due to protocol limitations.
Configuring the F5 BIG-IP ASM
Complete the following tasks to configure F5 BIG-IP ASM to send logs to the LCP:
Note: The following configuration sections are specific to F5 BIG-IP ASM v11.4.0. However, sections such as Configuring a Logging Profile for CEF Format and Configuring the Storage Filter are also applicable to other supported versions.
1. Create a virtual server for a virtual IP that will forward traffic to the server pool.
2. Specify the pool to which the traffic needs to be forwarded.
3. In the Security Policy tab, specify the Application Security Policy, DoS Protection Profile, and Log Profile.
4. Create a pool for the destination servers.
Creating a Pool of Remote Logging Servers
Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the pool. Ensure that the remote log servers are configured to listen to and receive log messages from the BIG-IP system. Create a pool of remote log servers to which the BIG-IP system can send log messages.
To create a pool of remote logging servers, follow the steps below.
1. On the Main tab, go to Local Traffic > Pools. The Pool List page is displayed.
2. Click Create. The New Pool page is displayed.
3. In the Name field, type a unique name for the pool.
4. In the New Members setting, add the IP address of each remote logging server that you want to include in the pool.
   a. Type an IP address in the Address field, or select a node address from the Node list.
   b. Type a service port number in the Service Port field, or select a service name from the list.
   Note: Typical remote logging servers require port 514.
5. Click Add.
6. Click Finished.
Create a Pool for Logging Servers (for LCP)
Figure 1-7: The Pool list.
Creating a Remote High-Speed Log Destination
Before creating a remote high-speed log destination, ensure that at least one pool of remote log servers exists on the BIG-IP system. Create a log destination of the Remote High-Speed Log type to specify that log messages are sent to a pool of remote log servers.
To create a remote high-speed log destination, follow the steps below.
1. On the Main tab, go to System > Logs > Configuration > Log Destinations. The Log Destinations page is displayed.
2. Click Create.
3. In the Name field, type a unique, identifiable name for the log destination.
4. From the Type list, select Remote High-Speed Log.
   Note: If you use log servers, such as Remote Syslog, Splunk, or ArcSight, that require data to be sent in a specific format, you must create an additional log destination of the required type and associate it with a log destination of the Remote High-Speed Log type. This allows the BIG-IP system to send data to the servers in the required format; on its own, a Remote High-Speed Log destination sends an unformatted string of text to the log servers.
5. From the Pool Name list, select the pool of remote log servers to which you want the BIG-IP system to send log messages.
6. From the Protocol list, select the protocol used by the high-speed logging pool members.
7. Click Finished.
Create Log Destinations for High-Speed Logging
Creating a Formatted Remote High-Speed Log Destination
Ensure that at least one remote high-speed log destination exists on the BIG-IP system. Create a formatted logging destination to specify that log messages are sent to a pool of remote log servers, such as Remote Syslog, Splunk, or ArcSight.
To create a formatted remote high-speed log destination, follow the steps below.
1. On the Main tab, go to System > Logs > Configuration > Log Destinations. The Log Destinations page is displayed.
2. Click Create.
3. In the Name field, type a unique, identifiable name for the log destination.
4. From the Type list, select a formatted logging destination, such as Remote Syslog, Splunk, or ArcSight.
   Note: ArcSight formatting is only available for logs coming from the Network Application Firewall Manager (AFM) and Application Security Manager (ASM). With this destination type, the BIG-IP system sends a formatted string of text to the log servers.
5. If you selected Remote Syslog, select a format for the logs from the Syslog Format list. Then, from the High-Speed Log Destination list, select the destination that points to the pool of remote Syslog servers to which you want the BIG-IP system to send log messages.
6. If you selected Splunk or ArcSight, from the Forward To list, select the destination that points to the pool of high-speed log servers to which you want the BIG-IP system to send log messages.
7. Click Finished.
Create Log Destinations for ArcSight Logging
Ensure that at least one destination associated with a pool of remote log servers exists on the BIG-IP system. Create a publisher to specify where the BIG-IP system sends log messages for specific resources.
To create a Publisher, follow the steps below.
1. On the Main tab, go to System > Logs > Configuration > Log Publishers. The Log Publishers page is displayed.
2. Click Create.
3. In the Name field, type a unique, identifiable name for this publisher.
4. In the Destinations setting, select a destination from the Available list, and click << to move the destination to the Selected list.
   Note: If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or ArcSight.
5. Click Finished.
Configuring a Logging Profile for CEF Format
If your network uses ArcSight logs, you can configure a logging profile that formats the log information for your system. The ASM stores all the logs on a remote logging server using the predefined ArcSight settings for the logs. The log messages are in Common Event Format (CEF). The format is as follows:
CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension
To create a logging profile, follow the steps below.
1. In the Security Navigation pane, expand Application Security, then go to Options > Logging Profiles. The Logging Profiles page is displayed.
2. Above the Logging Profiles area, click Create. The Create New Logging Profile page is displayed.
3. In the Configuration setting, select Advanced. The page refreshes to display additional settings.
4. In the Profile Name setting, type a unique name for the logging profile. Optionally, in the Profile Description setting, type any additional information about the profile.
5. Check Remote Storage, and in the Type setting, select ArcSight. The page displays additional settings.
6. If you do not want the data logged locally as well as remotely, uncheck the Local Storage check box.
7. In the Protocol setting, select the protocol that the reporting server uses: TCP (the default setting), UDP, or TCP-RFC3195.
8. In the Server IP setting, type the IP address of the remote storage server.
9. In the Server Port setting, type a port number or use the default value, 514. Optionally, configure the size and length settings.
10. Check Guarantee Logging to ensure that the system logs requests for the Web application even when the logging utility competes for system resources.
    Note: Enabling this setting (step 10) may slow down access to the associated Web application.
11. Optionally, adjust the maximum request, header, and query string size, and the maximum entry length settings.
12. Check Report Detected Anomalies if you want the system to log details (including the start and end time, number of dropped requests, attacking IP addresses, and so on) about brute force attacks, denial-of-service attacks, IP Enforcer attacks, or Web scraping attacks.
13. In the Storage Filter area, make any changes as required. Refer to the section Configuring the Storage Filter.
14. Click Create. The page refreshes and displays the new logging profile.
Configuring the Storage Filter
The storage filter of a logging profile determines the type of requests the system or server logs.
To configure the storage filter, follow the steps below.
1. In the navigation pane, expand Application Security, and then click Options > Logging Profiles. The Logging Profiles screen opens.
2. In the Logging Profiles area, click the name of an existing logging profile. The Edit Logging Profile screen opens.
3. In the Storage Filter setting, select Advanced. The screen refreshes to display additional settings.
4. In the Logic Operation setting, select the manner in which the system associates the criteria you specify. The criteria are the remaining settings in the storage filter.
   OR - Select this operator to log data that meets one or more of the criteria.
   AND - Select this operator to log data that meets all of the criteria.
5. In the Request Type setting, select the kind of requests that you want the system to store in the log.
6. In the Protocols setting, select whether logging occurs for both HTTP and HTTPS or for a specific protocol.
7. In the Response Status Codes setting, select whether logging occurs for all response status codes or for specific ones.
8. In the HTTP Methods setting, select whether logging occurs for all methods or for specific methods.
9. In the Request Containing String setting, select whether request logging depends on the presence of a specific string.
10. Click Update. The screen refreshes and displays the updated logging profile on the Logging Profiles screen.
Specifying the Logging Profile for a Web Application
Perform the following steps to specify the logging profile for a web application.
1. In the Navigation pane, expand Security and click Event Logs. The Web Application List screen opens.
2. In the Name column, click a web application name. The Web Application Properties screen opens.
3. In the Logging Profile setting, select a logging profile.
4. Click the Update button. The system updates the configuration with any changes made.
LCP Configuration Parameters
Table 1-2: The F5 BIG-IP ASM event collector (Syslog -3715) properties to be configured by MDR are shown in the table.
Property | Default Value | Description |
Transport Protocol | UDP | The default protocol for syslog. The LCP can also accept logs over TCP. Note: TCP offers guaranteed delivery of log packets but places a larger overhead on the LCP. To weigh TCP reliability against UDP speed and simplicity, contact the MDR onboarding team. |
IP Address | F5 BIG-IP ASM interface IP address | Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs using multiple interfaces, contact the Accenture MDR onboarding team. |
Signatures | F5|ASM | MDR recommended signatures processed by the F5 BIG-IP ASM event collector. |
Port | 514 | The default port for syslog. For TCP, the default port is 601. Note: The LCP can be configured to listen on a non-standard port, please advise the MDR onboarding team if this is a requirement. |
Event Structure of a Typical Event
CEF:Version|DeviceVendor|DeviceProduct|DeviceVersion|AttackType|MitigationType|Severity|Extension
Attack type can be one of the following:
DoS Attack
Brute Force Attack
IP Enforcer Attack
Web Scraping Attack
CSRF Attack
Mitigation type can be one of the following:
Source IP-Based Client Side Integrity Defense
URL-Based Client Side Integrity Defense
Source IP-Based Rate Limiting
URL-Based Rate Limiting
Transparent
The following table provides the description of the CEF keys that can be found in a typical event.
Table 1-3: Description for CEF keys.
CEF key name | Description |
dvchost | Host name of the BIG-IP computer. |
dvc | IP of the management interface of the BIG-IP computer. |
externalId | Unique ID given for a blocked transaction. |
act | Action that is performed on a transaction, which can be one of the following: Blocked, Alerted, or Passed. |
src | IP address of the client for ASM. |
spt | Remote port, client side. |
dst | Destination IP (Virtual Server IP of the device). |
dpt | Local port, client side. |
requestMethod | HTTP method of the request. |
app | HTTP/HTTPS |
request | In case of CEF format: the full URL, URI +QS of the HTTP request. In case of key/value format: URI without the query string. |
deviceExternalId | ID of the blade receiving the traffic, when the VIPRION hardware is used. |
cs1 | Name of the security policy. |
cs2 | Web application name for ASM. |
cs4 | Attack status, which can be one of the following: Started, Ongoing, or Ended. Attack type, which can be one of the following: DoS Attack, Brute Force Attack, IP Enforcer Attack, Web Scraping Attack, or CSRF Attack. |
cs5 | Reason for the attack detection, which can be one of the following: Latency Increased or TPS Increased. |
cs6 | A string indicating the geographic location from where the request has arrived. |
cn2 | Dropped request counter. Each subsequent message reports a delta: how many requests were dropped since the last log message for a given attack. |
cn3 | Attack ID |
deviceCustomDate1 | Timestamp of the last time when the policy was applied. |
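As an added illustration that is not part of the original guide, the following Python snippet parses an ASM event laid out as in the event structure above into its header fields and the Table 1-3 extension keys (handling the CEF backslash escapes for "|" and "="), and flags lines that exceed the 1 KB UDP limit from Table 1-1. The sample event, host name and addresses are constructed placeholders.

```python
import re

# Header layout for ASM attack events as given in this guide (after "CEF:"):
# Version|DeviceVendor|DeviceProduct|DeviceVersion|AttackType|MitigationType|Severity|Extension
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "attack_type", "mitigation_type", "severity")
ATTACK_TYPES = {"DoS Attack", "Brute Force Attack", "IP Enforcer Attack",
                "Web Scraping Attack", "CSRF Attack"}
UDP_LIMIT_BYTES = 1024  # the 1 KB UDP limit noted under Port Requirements

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")                          # '|' not preceded by '\'
_EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)")  # key=value pairs in the extension

def _unescape(text):
    # CEF escapes '|', '=' and '\' with a backslash
    return re.sub(r"\\(.)", r"\1", text)

def parse_asm_cef(line):
    """Parse one ASM CEF line into header fields plus an 'ext' dict of extension keys."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _HEADER_SPLIT.split(line[len("CEF:"):], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header has fewer than 7 fields")
    event = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    event["ext"] = {k: _unescape(v) for k, v in _EXT_PAIR.findall(parts[7])}
    event["known_attack_type"] = event["attack_type"] in ATTACK_TYPES
    return event

def exceeds_udp_limit(line):
    """True when the line is larger than 1 KB and would not be received over UDP."""
    return len(line.encode("utf-8")) > UDP_LIMIT_BYTES

# Constructed sample event (host name and addresses are placeholders, not real data)
SAMPLE = ("CEF:0|F5|ASM|11.4.0|DoS Attack|Source IP-Based Rate Limiting|7|"
          "dvchost=bigip1.example.test dvc=10.0.0.5 act=Blocked src=192.0.2.10 spt=51234 "
          "dst=203.0.113.20 dpt=443 requestMethod=GET app=HTTPS cs1=web_policy "
          "cs4=Ongoing cs5=TPS Increased cn2=42 cn3=1001 request=/login?user\\=admin")

if __name__ == "__main__":
    ev = parse_asm_cef(SAMPLE)
    print(ev["attack_type"], "|", ev["mitigation_type"], "|", ev["ext"]["act"], ev["ext"]["cn2"])
    print("oversize for UDP:", exceeds_udp_limit(SAMPLE))
```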
Legal Notice
Copyright © 2021 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.