F5 ASM WAF Integration Guide


F5 Networks Application Security Manager (ASM) Web Application Firewall (WAF) must be configured to send logs via syslog to the Taegis™ XDR Collector. WAF logs are filtered and correlated in real time for various security event observations.

Firewall Requirements

| Source | Destination | Port/Protocol |
| --- | --- | --- |
| F5 BIG-IP Appliance | XDR Collector (mgmt IP) | TCP/601 |

Data Provided from Integrations

| | Auth | DNS | HTTP | Management | Netflow | NIDS | Process | Thirdparty |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| F5 ASM WAF | | | D | | | | | |

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Logging Configuration Instructions

Pre-Version 11.3 ASM

Note

F5 Version 11.3 introduced some changes, and the configuration instructions for "pre-11.3" and "11.3 and higher" are different. Ensure you are following the correct instructions for the version of your F5.

Configuring Logging Profiles for ASM

Accessing the Logging Profiles

To access the logging profiles:

  1. From the F5 welcome screen, open Application Security > Options > Logging Profiles.

Step 1. Open Logging Profiles.

  2. The Logging Profiles page is displayed. Note that Log all requests, Log illegal requests, and No logging profiles are the default system-created logging profiles.

Creating New Logging Profiles

To create new logging profiles:

  1. From the Logging Profiles page, click Create. A form is displayed.

Step 1. Click Create.

  2. Select Advanced from the Configuration drop-down menu. The form updates to include advanced fields.

Step 2. Select Advanced.

  3. Complete the following fields:

    • Profile Name — The name of the logging profile, including the name of the web application it is associated with
    • Profile Description — A description of the profile
    • Guarantee Local Logging — Select Enabled to ensure that all event logs are stored locally on F5 ASM before being sent to a remote syslog destination
    • Response Logging — Select Off
    • Storage Filter — Select Basic
    • Request Type — Select Illegal Requests Only
    • Maximum Entry Length — Select 64K
    • Report Detected Anomalies — Select Enabled
    • Remote Storage — Select Enabled. Additional remote logging fields appear:
      • Remote Storage Type — Select Remote
      • Protocol — Select TCP
      • IP Address — The IP address of the XDR Collector. Click Add after entering the IP address to add it to the list of remote server addresses.
      • Port — Enter 601
      • Facility — Select LOG_LOCAL_5
      • Storage Format — Select Predefined and change the CSV delimiter to a pipe (|). Then move the following Available Items to the Selected Items list in this exact order:
        • date_time
        • unit_hostname
        • policy_name
        • method
        • ip_client
        • src_port
        • x_forwarded_for_header_value
        • uri
        • response_code
        • http_class_name
        • attack_type
        • violations
        • sub_violations
        • sig_names
        • sig_ids
        • protocol
        • severity
        • request_status
        • request
        • support_id
        • dest_ip
        • dest_port

Note

It’s crucial to select these items in the order defined above, as this determines what information is populated in F5 ASM alerts to the logging device, and in what order.

Tip

You can bulk select items by holding the control key while selecting the placeholders in the Available items column. However, note that the items will move over alphabetically, and must be reordered using the Up and Down buttons.

Step 3. Complete Logging Profile Fields.

  4. Click Create.

Step 4. Create.

  5. The new logging profile is created and available from the Logging Profiles screen.

Step 5. Created Logging Profile.

Associating Logging Profiles with ASM Security Policies

An ASM logging profile does not automatically send events to a remote destination; it must first be associated with a security policy in order for the ASM to determine which events to associate with the logging profile. These steps describe how to associate the profiles and policies.

To associate a logging profile with the policy:

  1. From the F5 welcome screen, select Application Security > Security Policies.

Step 1. Open Security Policies.

  2. The Active Security Policies page is displayed.

Step 2. Active Security Policies.

  3. Select the name of the policy you want to associate with a logging profile. The Policy Properties page is displayed.
  4. Under Logging Profile, select the logging profile you want to associate with the security policy.

Step 4. Select Logging Profile.

  5. Select Save.
  6. A notification appears stating that the changes have not been applied yet. Select Apply Policy to make the changes live.

Step 6. Apply Policy.

System Logging Configuration

To configure the system logging:

  1. From the F5 welcome screen, open System > Logs > Configuration > Remote Logging.
  2. The Remote Logging Properties window is displayed.
  3. Complete the following fields:
    • Remote IP — The IP address of the XDR Collector
    • Remote Port — Enter 601

Step 3. Edit Remote Logging Properties.

  4. Select Add to add the information to the list.
  5. Select Update to save these changes.

Once these steps are completed, the device is ready to send events to the XDR Collector.

Version 11.3+ ASM

Note

F5 Version 11.3 introduced some changes, and the configuration instructions for "pre-11.3" and "11.3 and higher" are different. Ensure you are following the correct instructions for the version of your F5.

Define your protected web applications below by their Security Policy Name (application name).

| Web Application Name | Description |
| --- | --- |
| example_website | Example Company Main Website |

Configuring Logging Profiles for ASM

Accessing the Logging Profiles

To access the logging profiles:

  1. From the F5 welcome screen, open Security > Event Logs > Logging Profiles.

Step 1. Open Logging Profiles.

  2. The Logging Profiles page is displayed. Note that Log all requests, Log illegal requests, and No logging profiles are the default system-created logging profiles.

Creating New Logging Profiles

To create new logging profiles:

  1. From the Logging Profiles page, click Create. A form is displayed.

Step 1. Click Logging Profile.

  2. Select Advanced from the Configuration drop-down menu. The form updates to include advanced fields.

Step 1. Select Advanced.

  3. Complete the following fields:

    • Profile Name — The name of the logging profile, including the name of the web application it is associated with
    • Profile Description — A description of the profile
    • Guarantee Local Logging — Select Enabled to ensure that all event logs are stored locally on F5 ASM before being sent to a remote syslog destination
    • Response Logging — Select Off
    • Storage Filter — Select Basic
    • Request Type — Select Illegal Requests Only
    • Maximum Entry Length — Select 64K
    • Report Detected Anomalies — Select Enabled
    • Remote Storage — Select Enabled. Additional remote logging fields appear:
      • Remote Storage Type — Select Remote
      • Protocol — Select TCP
      • IP Address — The IP address of the XDR Collector. Click Add after entering the IP address to add it to the list of remote server addresses.
      • Port — Enter 601
      • Facility — Select LOG_LOCAL_5
      • Storage Format — Select Predefined and change the CSV delimiter to a pipe (|). Then move the following Available Items to the Selected Items list in this exact order:
        • date_time
        • unit_hostname
        • policy_name
        • method
        • ip_client
        • src_port
        • x_forwarded_for_header_value
        • uri
        • response_code
        • http_class_name
        • attack_type
        • violations
        • sub_violations
        • sig_names
        • sig_ids
        • protocol
        • severity
        • request_status
        • request
        • support_id
        • dest_ip
        • dest_port

Note

It’s crucial to select these items in the order defined above, as this determines what information is populated in F5 ASM alerts to the logging device, and in what order.

Tip

You can bulk select items by holding the control key while selecting the placeholders in the Available items column. However, note that the items will move over alphabetically, and must be reordered using the Up and Down buttons.

Step 3. Complete Logging Profile Fields.

  4. Click Create.
  5. The new logging profile is created and available from the Logging Profiles screen.

Step 5. Created Logging Profile.

Associating Logging Profiles with Virtual Servers

In Version 11.3+, logging profiles are not associated with ASM security policies, but with the virtual servers hosting the HTTP Class Profiles that are associated with the security policies. This allows more than one logging profile to be associated with a virtual server.

To associate a logging profile with a virtual server:

  1. From the F5 welcome screen, select Local Traffic > Virtual Servers > Virtual Server List.

Step 1. Open Virtual Server List.

  2. Select the name of the virtual server you want to associate with the logging profile. The Properties window is displayed.

Step 2. Open Properties.

  3. Select Security > Policies.

Step 3. Open Policies.

  4. Under Available, select the logging profile you want to associate with the security policy and move it to the Selected box.

Step 4. Select Profiles.

  5. Select Update to save these changes.

Step 5. Update Changes.

System Logging Configuration

To configure the system logging:

  1. From the F5 welcome screen, open System > Logs > Configuration > Remote Logging.
  2. The Remote Logging Properties window is displayed.
  3. Complete the following fields:
    • Remote IP — The IP address of the XDR Collector
    • Remote Port — Enter 601

Step 3. Edit Logging Properties.

  4. Select Add to add the information to the list.
  5. Select Update to save these changes.

Once these steps are completed, the device is ready to send events to the XDR Collector.
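
To confirm that the Storage Format order configured in either procedure above is what the device actually emits, the following added example (not part of the Taegis or F5 documentation) maps a pipe-delimited payload onto the 22 fields and flags values that land in the wrong position. It assumes the syslog header has already been stripped, that date_time uses a YYYY-MM-DD HH:MM:SS layout, and that only the request field can contain a literal pipe; the sample payload and its values are constructed.

```python
from datetime import datetime

# Field order from the Storage Format list above: position alone gives each
# pipe-delimited value its meaning.
FIELDS = [
    "date_time", "unit_hostname", "policy_name", "method", "ip_client",
    "src_port", "x_forwarded_for_header_value", "uri", "response_code",
    "http_class_name", "attack_type", "violations", "sub_violations",
    "sig_names", "sig_ids", "protocol", "severity", "request_status",
    "request", "support_id", "dest_ip", "dest_port",
]
REQ = FIELDS.index("request")   # 18 fields precede the raw request
TAIL = len(FIELDS) - REQ - 1    # 3 fields follow it

# Constructed sample payload (syslog header assumed already stripped); the
# query string contains a literal '|' to exercise the edge case.
SAMPLE = (
    "2024-01-15 10:22:31|bigip1.example.com|example_website|GET|203.0.113.10|"
    "51514|N/A|/search|0|example_website|Example attack type|"
    "Example violation|N/A|Example signature|200000001|HTTP|Critical|blocked|"
    "GET /search?q=a|b HTTP/1.1|1234567890123456789|198.51.100.5|80"
)


def parse_asm_payload(payload):
    """Map one payload onto FIELDS, tolerating '|' inside the request."""
    head = payload.split("|", REQ)       # first 18 fields, then the rest
    if len(head) <= REQ:
        raise ValueError(f"only {len(head)} of {len(FIELDS)} fields present")
    tail = head[REQ].rsplit("|", TAIL)   # request, then the last 3 fields
    if len(tail) <= TAIL:
        raise ValueError("fewer than 3 fields after the request")
    return dict(zip(FIELDS, head[:REQ] + tail))


def order_problems(event):
    """Type checks that fail when Selected Items are in the wrong order."""
    problems = []
    try:  # assumed timestamp layout: YYYY-MM-DD HH:MM:SS
        datetime.strptime(event["date_time"], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        problems.append("date_time is not a timestamp")
    for name in ("src_port", "dest_port"):
        if not (event[name].isdigit() and 0 < int(event[name]) < 65536):
            problems.append(f"{name} is not a port number")
    if not event["response_code"].isdigit():
        problems.append("response_code is not numeric")
    return problems
```

A plain `SAMPLE.split("|")` yields 23 values for this payload, which would shift support_id, dest_ip and dest_port by one position; splitting around the request field avoids that.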

 
