Accenture MDR Quick Start Guide for F5 BIG-IP® Application Security Manager™ (ASM)

This quick start guide will help Accenture MDR customers configure F5 BIG-IP® Application Security Manager™ (ASM) to send logs to the Log Collection Platform (LCP).

The document includes the following topics:

  • Supported Versions
  • Port Requirements
  • Configuring the F5 BIG-IP ASM
  • LCP Configuration Parameters
  • Event Structure of a Typical Event

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source          Destination   Port                      Description
F5 BIG-IP ASM   LCP           514 (UDP) or 601 (TCP)    Default ports

Note: If the protocol is set to UDP, any log line larger than 1 KB is not received by the LCP because of the size limit of syslog over UDP. ASM events that carry the full request URL and query string can exceed 1 KB, so if such messages must arrive intact, agree on TCP (601) with the MDR onboarding team instead.

Configuring the F5 BIG-IP ASM 

Complete the following tasks to configure F5 BIG-IP ASM to send logs to the LCP: 

Note: The configuration sections below are specific to F5 BIG-IP ASM v11.4.0. However, the sections Configuring a Logging Profile for CEF Format and Configuring the Storage Filter also apply to other supported versions.

Creating a Virtual Server 

  1. Create a pool for the destination (back-end) servers.

  2. Create a virtual server for the virtual IP that will forward client traffic to that pool.

  3. In the virtual server's Resources, select the pool to which the traffic is to be forwarded.

  4. In the Security Policy tab, specify the Application Security Policy, the DoS Protection Profile, and the Log Profile.

Creating a Pool of Remote Logging Servers 

Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the pool. Ensure that the remote log servers are configured to listen to and receive log messages from the BIG-IP system. Create a pool of remote log servers to which the BIG-IP system can send log messages.

To create a pool of remote logging servers, follow the steps below.

  1. On the Main tab, go to Local Traffic > Pools. The Pool List page is displayed.

  2. Click Create. The New Pool page is displayed.

  3. In the Name field, type a unique name for the pool.

  4. In the New Members setting, add the IP address of each remote logging server that you want to include in the pool.

  • Type an IP address in the Address field, or select a node address from the Node list.

  • Type a service number in the Service Port field, or select a service name from the list. 

Note: Typical remote logging servers listen on port 514. 

  5. Click Add.

  6. Click Finished.

Figure 1-7: The Pool list (Create a Pool for Logging Servers for the LCP).

Creating a Remote High-Speed Log Destination 

Before creating a remote high-speed log destination, ensure that at least one pool of remote log servers exists on the BIG-IP system. Create a log destination of the Remote High-Speed Log type to specify that log messages are sent to a pool of remote log servers.

To create a remote high-speed log destination, follow the steps below.

  1. On the Main tab, go to System > Logs > Configuration > Log Destinations. The Log Destinations page is displayed.

  2. Click Create.

  3. In the Name field, type a unique identifiable name for the log destination.

  4. From the Type list, select Remote High-Speed Log.

 Note: A Remote High-Speed Log destination sends log messages as an unformatted string of text. If your log servers (Remote Syslog, Splunk, or ArcSight) require data in a specific format, you must also create a log destination of that type and associate it with the Remote High-Speed Log destination; the BIG-IP system then formats the data before sending it to the pool.

  5. From the Pool Name list, select the pool of remote log servers to which you want the BIG-IP system to send log messages.

6. From the Protocol list, select the protocol used by high-speed logging pool members.

  7. Click Finished.

Figure: Create Log Destinations for High-Speed Logging.

Creating a Formatted Remote High-Speed Log Destination

Ensure that at least one remote high-speed log destination exists on the BIG-IP system. Create a formatted logging destination to specify that log messages are sent to a pool of remote log servers, such as Remote Syslog, Splunk, or ArcSight.

To create a formatted remote high-speed log destination, follow the steps below.

  1. On the Main tab, go to System > Logs > Configuration > Log Destinations. The Log Destinations page is displayed.

  2. Click Create.

  3. In the Name field, type a unique identifiable name for the log destination.

  4. From the Type list, select a formatted logging destination, such as Remote Syslog, Splunk, or ArcSight.

 Note: ArcSight formatting is only available for logs coming from Advanced Firewall Manager (AFM) and Application Security Manager (ASM). With a formatted destination, the BIG-IP system sends a formatted string of text to the log servers.

  5. If you selected Remote Syslog, from the Syslog Format list select a format for the logs. Then, from the High-Speed Log Destination list, select the destination that points to the pool of remote syslog servers to which you want the BIG-IP system to send log messages.

  6. If you selected Splunk or ArcSight, from the Forward To list select the destination that points to the pool of high-speed log servers to which you want the BIG-IP system to send log messages.

7. Click Finished.

Figure: Create Log Destinations for ArcSight Logging.

Creating a Publisher 

Ensure that at least one destination associated with a pool of remote log servers exists on the BIG-IP system. Create a publisher to specify where the BIG-IP system sends log messages for specific resources.

To create a Publisher, follow the steps below.

  1. On the Main tab, go to System > Logs > Configuration > Log Publishers. The Log Publishers page is displayed.

  2. Click Create.

  3. In the Name field, type a unique identifiable name for this publisher.

  4. In the Destinations setting, select a destination from the Available list, and click << to move the destination to the Selected list.

Note: If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or ArcSight.

  5. Click Finished.

Configuring a Logging Profile for CEF Format 

If your network uses ArcSight logs, you can configure a logging profile that formats the log information for your system. ASM then sends the logs to the remote logging server using the predefined ArcSight settings. The log messages are in Common Event Format (CEF), which has the following layout:

CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension

To create a logging profile, follow the steps below.

  1. In the Security Navigation pane, expand Application Security, then go to Options > Logging Profiles. The Logging Profiles page is displayed.

  2. Above the Logging Profiles area, click Create. The Create New Logging Profile page is displayed.

  3. In the Configuration setting, select Advanced. The page refreshes to display additional settings.

  4. In the Profile Name setting, type a unique name for the logging profile. Optionally, for the Profile Description setting, type any additional information about the profile.

  5. Check Remote Storage, and for the Type setting, select ArcSight. The page displays additional settings.

  6. If you do not want the data logged locally as well as remotely, clear the Local Storage check box.

  7. In the Protocol setting, select the protocol that the reporting server uses: TCP (the default setting), UDP, or TCP-RFC3195.

  8. In the Server IP setting, type the IP address of the remote storage server.

  9. In the Server Port setting, type a port number or use the default value, 514. Optionally, configure the size and length settings.

  10. Check Guarantee Logging to ensure that the system logs requests for the Web application, even when the logging utility competes for system resources.

 Note: Enabling this setting (step 10) may slow down access to the associated Web application.

11. Optionally, adjust the maximum request, header, and query string size, and the maximum entry length settings.

12. Check Report Detected Anomalies if you want the system to log details (including the start and end time, number of dropped requests, attacking IP addresses, etc.) about brute force attacks, denial-of-service attacks, IP Enforcer attacks, or Web scraping attacks.

13. In the Storage Filter area, make any changes as required. Refer to the section Configuring the Storage Filter.

14. Click Create. The page refreshes and displays the new logging profile.

Configuring the Storage Filter

The storage filter of a logging profile determines the type of requests the system or server logs.

To configure the storage filter, follow the steps below.

  1. In the navigation pane, expand Application Security, and then click Options > Logging Profiles. The Logging Profiles screen opens up.

  2. In the Logging Profiles area, click the name of an existing logging profile. The Edit Logging Profile screen opens.

  3. In the Storage Filter setting, select Advanced. The screen refreshes to display additional settings.

  4. In the Logic Operation setting, select how the system combines the criteria you specify. The criteria are the remaining settings in the storage filter.

    • OR - Log data that meets one or more of the criteria.

    • AND - Log data that meets all of the criteria.

  5. In the Request Type setting, select the kind of requests that you want the system to store in the log.

  6. In the Protocols setting, select whether logging occurs for HTTP and HTTPS protocols or a specific protocol.

  7. In the Response Status Codes setting, select whether logging occurs for all response status codes or specific ones.

  8. In the HTTP Methods setting, select whether logging occurs for all methods or specific methods.

  9. In the Request Containing String setting, select whether the request logging is dependent on a specific string.

  10. Click Update. The screen refreshes and displays the new logging profile on the Logging Profiles screen.
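To make the effect of the Logic Operation concrete, here is an added Python model of the Advanced storage filter settings above, applied to a few constructed requests. This is illustration code, not F5's implementation: the class and field names are assumptions, settings left at All (or with no containing string) are treated as not taking part in the decision, and Request Type always does.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """One HTTP transaction as ASM would evaluate it (constructed sample data)."""
    id: str
    illegal: bool       # True when ASM flagged a policy violation
    protocol: str       # "HTTP" or "HTTPS"
    status: int         # response status code
    method: str
    raw: str            # request text searched for the Request Containing String


@dataclass
class StorageFilter:
    """Model of the Advanced storage filter settings (names are assumptions)."""
    logic: str = "OR"                  # Logic Operation: "OR" or "AND"
    request_type: str = "illegal"      # Request Type: "all" or "illegal"
    protocols: set = field(default_factory=set)     # empty = All protocols
    status_codes: set = field(default_factory=set)  # empty = All status codes
    methods: set = field(default_factory=set)       # empty = All methods
    contains: str = ""                              # "" = no containing string

    def criteria(self, r: Request) -> list:
        """Evaluate each configured criterion; settings left at All/None do not take part."""
        results = [self.request_type == "all" or r.illegal]
        if self.protocols:
            results.append(r.protocol in self.protocols)
        if self.status_codes:
            results.append(r.status in self.status_codes)
        if self.methods:
            results.append(r.method in self.methods)
        if self.contains:
            results.append(self.contains in r.raw)
        return results

    def should_log(self, r: Request) -> bool:
        results = self.criteria(r)
        return any(results) if self.logic == "OR" else all(results)


def logged_ids(flt: StorageFilter, requests) -> list:
    """IDs of the requests the profile would write to the remote log."""
    return [r.id for r in requests if flt.should_log(r)]


SAMPLE_REQUESTS = [  # constructed
    Request("r1", False, "HTTPS", 200, "GET", "GET / HTTP/1.1"),
    Request("r2", True, "HTTPS", 403, "POST",
            "POST /login HTTP/1.1\r\n\r\nuser=admin' OR 1=1--"),
    Request("r3", False, "HTTP", 500, "GET", "GET /api/items HTTP/1.1"),
    Request("r4", False, "HTTPS", 204, "DELETE", "DELETE /api/items/7 HTTP/1.1"),
]

# OR: illegal requests, plus anything that returned 500 or used DELETE
OR_FILTER = StorageFilter("OR", "illegal", status_codes={500}, methods={"DELETE"})
# AND: only illegal HTTPS POSTs that carry an injection-looking string
AND_FILTER = StorageFilter("AND", "illegal", protocols={"HTTPS"},
                           methods={"POST"}, contains="OR 1=1")
# OR with Request Type = All requests logs everything, whatever else is set
ALL_FILTER = StorageFilter("OR", "all", methods={"DELETE"})

if __name__ == "__main__":
    for name, flt in (("OR", OR_FILTER), ("AND", AND_FILTER), ("ALL", ALL_FILTER)):
        print(name, logged_ids(flt, SAMPLE_REQUESTS))
```

The practical point: with OR, each extra criterion widens what is logged (and Request Type = All requests logs everything regardless of the other settings), whereas with AND each extra criterion narrows it. Size the remote storage and the LCP accordingly before enabling an OR filter on a busy virtual server.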

Specifying the Logging Profile for a Web Application

Perform the following steps to specify the logging profile for a web application.

  1. In the Navigation pane, expand Security and click Event Logs. The Web Application List screen opens.

  2. In the Name column, click a web application name. The Web Application Properties screen opens.

  3. In the Logging Profile setting, select a logging profile.

  4. Click the Update button. The system updates the configuration with any changes made.

LCP Configuration Parameters

Table 1-2: The F5 BIG-IP ASM event collector (Syslog -3715) properties configured by MDR.

Transport Protocol
  Default value: UDP
  Description: The default protocol for syslog. The LCP can also accept logs over TCP.
  Note: TCP offers guaranteed delivery of log messages but places a larger load on the LCP. To weigh TCP's reliability against UDP's speed and simplicity, contact the MDR onboarding team.

IP Address
  Default value: F5 BIG-IP ASM interface IP address
  Description: Logging device IP address given in the Pre-Installation Questionnaire (PIQ).
  Note: If the device sends logs from multiple interfaces, contact the Accenture MDR onboarding team.

Signatures
  Default value: F5|ASM
  Description: MDR-recommended signatures processed by the F5 BIG-IP ASM event collector.

Port
  Default value: 514
  Description: The default port for syslog over UDP. For TCP, the default port is 601.
  Note: The LCP can be configured to listen on a non-standard port; advise the MDR onboarding team if this is a requirement.
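The 1 KB UDP limit from the Port Requirements note and the UDP/TCP choice in Table 1-2 are easy to get wrong silently, so here is an added pre-flight check in Python (illustration code, not Accenture or F5 software). It frames a CEF event as a BSD syslog message, picks UDP/514 only when the whole line fits in 1 KB and TCP/601 otherwise, and proves delivery against a throwaway loopback listener before anything is pointed at the real LCP. Assumptions: the LCP accepts RFC 3164 style `<PRI>timestamp host msg` lines, TCP uses newline-terminated framing, and the sample event and addresses are constructed.

```python
import socket
import threading
import time

UDP_MAX_BYTES = 1024   # the Port Requirements note: UDP lines over 1 KB are not received
LCP_UDP_PORT = 514     # Table 1-1 / Table 1-2 defaults
LCP_TCP_PORT = 601


def frame_syslog(cef_body: str, hostname: str = "bigip1",
                 facility: int = 16, severity: int = 6, when: float = 0.0) -> bytes:
    """Wrap one CEF line in an RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOST MSG."""
    pri = facility * 8 + severity                 # local0.info by default
    t = time.gmtime(when)
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{pri}>{stamp} {hostname} {cef_body}".encode()


def choose_transport(frame: bytes) -> str:
    """UDP only when the whole line fits in 1 KB, otherwise TCP."""
    return "udp" if len(frame) <= UDP_MAX_BYTES else "tcp"


def send_event(frame: bytes, host: str, port: int, transport: str,
               timeout: float = 3.0) -> int:
    """Send one framed event; TCP uses newline-terminated framing (assumption)."""
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            return s.sendto(frame, (host, port))
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(frame + b"\n")
        return len(frame) + 1


def loopback_probe(frame: bytes, transport: str) -> bytes:
    """Offline self-check: stand up a throwaway listener on 127.0.0.1, send the
    frame to it with send_event(), and return exactly what arrived."""
    kind = socket.SOCK_DGRAM if transport == "udp" else socket.SOCK_STREAM
    srv = socket.socket(socket.AF_INET, kind)
    srv.bind(("127.0.0.1", 0))
    if transport == "tcp":
        srv.listen(1)
    srv.settimeout(5)
    port = srv.getsockname()[1]
    got = bytearray()

    def receiver():
        if transport == "udp":
            got.extend(srv.recvfrom(65535)[0])
            return
        conn, _ = srv.accept()
        with conn:
            while not got.endswith(b"\n"):      # read until the framing newline
                chunk = conn.recv(4096)
                if not chunk:
                    break
                got.extend(chunk)

    worker = threading.Thread(target=receiver)
    worker.start()
    try:
        send_event(frame, "127.0.0.1", port, transport)
    finally:
        worker.join()
        srv.close()
    return bytes(got).rstrip(b"\n")


# Constructed event, laid out like the ASM anomaly events described in this guide.
SAMPLE_EVENT = ("CEF:0|F5|ASM|11.4.0|DoS Attack|Source IP-Based Rate Limiting|5|"
                "dvchost=bigip1 dvc=192.0.2.10 cs1=web_policy cs2=www_app cs4=Started "
                "cs5=TPS Increased src=198.51.100.23 dst=203.0.113.5 dpt=443 cn2=0 cn3=4711")
# The same event with a request URL that alone exceeds 1 KB: UDP would lose it.
OVERSIZED_EVENT = SAMPLE_EVENT.replace("dpt=443", "dpt=443 request=/search?q=" + "A" * 1100)


def run_check(event: str, lcp_host: str = "") -> dict:
    """Pick the transport for one event; with no LCP host, prove delivery on
    loopback, otherwise send it to the real LCP on the default port."""
    frame = frame_syslog(event, when=time.time())
    transport = choose_transport(frame)
    if not lcp_host:
        delivered = loopback_probe(frame, transport) == frame
    else:
        port = LCP_UDP_PORT if transport == "udp" else LCP_TCP_PORT
        delivered = send_event(frame, lcp_host, port, transport) > 0
    return {"bytes": len(frame), "transport": transport, "delivered": delivered}


if __name__ == "__main__":
    for ev in (SAMPLE_EVENT, OVERSIZED_EVENT):
        print(run_check(ev))
```

Run it once without an LCP host to confirm the framing round-trips locally, then with `run_check(SAMPLE_EVENT, "<LCP address>")` from a host on the same path the BIG-IP will use; a `tcp` result for events you expected to send over UDP is the signal to raise the transport with the onboarding team rather than to let those events disappear.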

 

Event Structure of a Typical Event

CEF:Version|DeviceVendor|DeviceProduct|DeviceVersion|AttackType|MitigationType|Severity|Extension

Attack type can be one of the following:

  • DoS Attack

  • Brute Force Attack

  • IP Enforcer Attack

  • Web Scraping Attack

  • CSRF Attack

Mitigation type can be one of the following:

  • Source IP-Based Client Side Integrity Defense

  • URL-Based Client Side Integrity Defense

  • Source IP-Based Rate Limiting

  • URL-Based Rate Limiting

  • Transparent

The following table describes the CEF keys found in a typical event.

Table 1-3: Description of CEF keys.

CEF key               Description
dvchost               Host name of the BIG-IP system.
dvc                   IP address of the BIG-IP management interface.
externalId            Unique ID given to a blocked transaction.
act                   Action performed on the transaction: Blocked, Alerted, or Passed.
src                   IP address of the client, as seen by ASM.
spt                   Remote port, client side.
dst                   Destination IP (the virtual server IP on the device).
dpt                   Local port, client side.
requestMethod         HTTP method of the request.
app                   HTTP or HTTPS.
request               CEF format: the full URL (URI plus query string) of the HTTP request. Key/value format: the URI without the query string.
deviceExternalId      ID of the blade receiving the traffic, on VIPRION hardware.
cs1                   Name of the security policy.
cs2                   Web application name in ASM.
cs4                   Attack status: Started, Ongoing, or Ended.
AttackType (header)   Attack type, carried in the Device Event Class ID header field: DoS Attack, Brute Force Attack, IP Enforcer Attack, Web Scraping Attack, or CSRF Attack.
cs5                   Reason for the attack detection: Latency Increased or TPS Increased.
cs6                   String indicating the geographic location from which the request arrived.
cn2                   Dropped request counter. Each subsequent message for a given attack reports a delta: the number of requests dropped since the previous log message for that attack.
cn3                   Attack ID.
deviceCustomDate1     Timestamp of the last time the policy was applied.
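The header layout given at the start of this section and the keys in Table 1-3 are enough to parse these events and follow an attack across its Started/Ongoing/Ended messages, which is what an analyst wants when the LCP forwards them. The Python below is an added example, not part of this guide or of F5's or ArcSight's software: it splits the seven pipe-delimited header fields (honouring the CEF `\|` and `\\` escapes), parses the extension into key/value pairs (honouring `\=`), names the F5 custom fields from Table 1-3 unless an explicit csNLabel is present, and sums cn2, which is a per-message delta, into a total per attack ID. The field-name mapping and the sample events are constructed for the example.

```python
import re

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity")
# Meanings of the F5 ASM custom fields from Table 1-3, used when no csNLabel is sent.
F5_FIELD_NAMES = {"cs1": "policy_name", "cs2": "web_application", "cs4": "attack_status",
                  "cs5": "detection_reason", "cs6": "geo_location",
                  "cn2": "dropped_delta", "cn3": "attack_id"}
_EXT_SPLIT = re.compile(r" (?=[A-Za-z0-9_.]+=)")   # a space that starts the next key=value


def _unescape(value: str) -> str:
    """Undo CEF extension escaping: backslash + char, with \\n and \\r as line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> dict:
    """Parse one CEF line into its 7 header fields and the extension key/value pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    s, hdr, buf, i = line[4:], [], [], 0
    while i < len(s) and len(hdr) < len(HEADER_FIELDS):
        c = s[i]
        if c == "\\" and i + 1 < len(s):      # \| and \\ inside a header field
            buf.append(s[i + 1])
            i += 2
        elif c == "|":
            hdr.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(hdr) != len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    header = dict(zip(HEADER_FIELDS, hdr))
    header["severity"] = int(header["severity"])
    ext = {}
    for chunk in _EXT_SPLIT.split(s[i:].strip()):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            ext[key] = _unescape(value)
    # Name the custom fields: an explicit csNLabel wins, otherwise the Table 1-3 meaning.
    named = {}
    for key, value in ext.items():
        if key.endswith("Label"):
            continue
        named[ext.get(key + "Label") or F5_FIELD_NAMES.get(key, key)] = value
    return {"header": header, "ext": ext, "fields": named}


def summarize_attacks(lines) -> dict:
    """Fold a stream of ASM anomaly events into one record per attack ID (cn3),
    accumulating cn2, which each message reports as a delta of dropped requests."""
    attacks = {}
    for line in lines:
        ev = parse_cef(line)
        f = ev["fields"]
        if "attack_id" not in f:
            continue
        rec = attacks.setdefault(f["attack_id"], {
            "attack_type": ev["header"]["device_event_class_id"],
            "mitigation": ev["header"]["name"],
            "src": f.get("src"),
            "statuses": [],
            "dropped_total": 0,
        })
        rec["statuses"].append(f.get("attack_status"))
        rec["dropped_total"] += int(f.get("dropped_delta", 0))
    return attacks


SAMPLE_EVENTS = [  # constructed, laid out like the header/key structure described above
    "CEF:0|F5|ASM|11.4.0|DoS Attack|Source IP-Based Rate Limiting|5|dvchost=bigip1 dvc=192.0.2.10 "
    "cs1=web_policy cs2=www_app cs4=Started cs5=TPS Increased src=198.51.100.23 dst=203.0.113.5 "
    "dpt=443 cn2=0 cn3=4711 request=/search?q\\=a\\=b",
    "CEF:0|F5|ASM|11.4.0|DoS Attack|Source IP-Based Rate Limiting|5|dvchost=bigip1 dvc=192.0.2.10 "
    "cs1=web_policy cs2=www_app cs4=Ongoing src=198.51.100.23 dst=203.0.113.5 dpt=443 cn2=120 cn3=4711",
    "CEF:0|F5|ASM|11.4.0|DoS Attack|Source IP-Based Rate Limiting|5|dvchost=bigip1 dvc=192.0.2.10 "
    "cs1=web_policy cs2=www_app cs4=Ended src=198.51.100.23 dst=203.0.113.5 dpt=443 cn2=35 cn3=4711",
    "CEF:0|F5|ASM|11.4.0|Brute Force Attack|Transparent|4|dvchost=bigip1 dvc=192.0.2.10 "
    "cs1=web_policy cs2=www_app cs4=Started cs6=DE src=198.51.100.77 dst=203.0.113.5 dpt=443 cn2=0 cn3=4712",
]

if __name__ == "__main__":
    for attack_id, rec in summarize_attacks(SAMPLE_EVENTS).items():
        print(attack_id, rec)
```

Two things worth checking against real traffic from your own device before relying on this: whether the firmware sends csNLabel fields (the parser prefers them over the Table 1-3 names), and that the request field is parsed from the CEF form (full URL with query string), since a URL containing a literal "=" arrives escaped as `\=` and must be unescaped before any matching on it.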


Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.