Manual Chapter :
Local Logging with AFM Network Firewall
Applies To:
Show VersionsBIG-IP AFM
- 14.1.3, 14.1.2, 14.1.0
Local Logging with AFM Network Firewall
Overview: Configuring local event logging
You can configure AFM Network Firewall to log detailed information about
BIG-IP system firewall events and store those logs locally on the system.
Task summary for configuring Network Firewall logging locally
Perform these tasks to configure Network Firewall logging locally on the BIG-IP® system.
Enabling logging and storing the logs locally may slightly impact BIG-IP system
CPU performance and increase disk space.
Creating a local logging profile
You create a custom logging profile
to log AFM Network Firewall events locally.
- On the Main tab, click.The Logging Profiles list screen opens.
- ClickCreate.The Create New Logging Profile screen opens.
- In theProfile Namefield, type a unique name for the profile.
- Select theNetwork Firewallcheck box.
- If you want to enable optional subscriber ID logging:
- Select theNetwork Address Translationcheck box.
- Then in the Network Address Translation area, select theLog Subscriber IDcheck box.
- ClickNetwork Firewall.
- In the Network Firewall area, from thePublisherlist, selectlocal-db-publisher.
- Set anAggregate Rate Limitto define a rate limit for all combined network firewall log messages per second.Beyond this rate limit, log messages are not logged.Rate Limits are calculated per-second per TMM. Each TMM throttles as needed independently of other TMMs.
- For theLog Rule Matchessetting, select how the BIG-IP system logs packets that match ACL rules. You can select any or all of the options.OptionEnables or disables logging of packets that match ACL rules configured with:Acceptaction=AcceptDropaction=DropRejectaction=RejectWhen an option is selected, you can configure a rate limit for log messages of that type.
- Select theLog IP Errorscheck box, to enable logging of IP error packets.When this setting is enabled, you can configure a rate limit for log messages of this type.
- Select theLog TCP Errorscheck box, to enable logging of TCP error packets.When this is enabled, you can configure a rate limit for log messages of this type.
- Select theLog TCP Eventscheck box, to enable logging of open and close of TCP sessions.When this is enabled, you can configure a rate limit for log messages of this type.
- Enable theLog Translation Fieldssetting to log both the original IP address and the NAT-translated IP address for Network Firewall log events.
- Enable theAlways Log Regionsetting to log the geographic location when a geolocation event causes a network firewall event.
- Select theLog UUID Fieldcheck box to include the UUID of the specific rule that triggered the log message.
- From theStorage Formatlist, select how the BIG-IP system formats the log.OptionDescriptionNoneSpecifies the default format type in which the BIG-IP system logs messages to a remote Syslog server, for example:"management_ip_address","bigip_hostname","context_type","context_name","src_ip","dest_ip","src_port","dest_port","vlan","protocol","route_domain","acl_rule_name","action","drop_reasonField-ListAllows you to:
- Select, from a list, the fields to be included in the log.
- Specify the order the fields display in the log.
- Specify the delimiter that separates the content in the log. The default delimiter is the comma character.
User-DefinedAllows you to:- Select, from a list, the fields to be included in the log.
- Cut and paste, in a string of text, the order the fields display in the log.
- In the IP Intelligence area, from thePublisherlist, selectlocal-db-publisher.The IP Address Intelligence feature must be enabled and licensed.
- Set anAggregate Rate Limitto define a rate limit for all combined IP Intelligence log messages per second.Beyond this rate limit, log messages are not logged.Rate Limits are calculated per-second per TMM. Each TMM throttles as needed independently of other TMMs.
- Enable theLog Translation Fieldssetting to log both the original IP address and the NAT-translated IP address for IP Intelligence log events.
- In the Traffic Statistics area, from thePublisherlist, selectlocal-db-publisher.
- For theLog Timer Eventssetting, enableActive Flowsto log the number of active flows each second.
- For theLog Timer Eventssetting, enableReaped Flowsto log the number of reaped flows, or connections that are not established because of system resource usage levels.
- For theLog Timer Eventssetting, enableMissed Flowsto log the number of packets that were dropped because of a flow table miss. A flow table miss occurs when a TCP non-SYN packet does not match an existing flow.
- For theLog Timer Eventssetting, enableSYN Cookie (Per Session Challenge)to log the number of SYN cookie challenges generated each second.
- For theLog Timer Eventssetting, enableSYN Cookie (White-listed Clients)to log the number of SYN cookie clients whitelisted each second.
- ClickFinished.
Now you should assign this custom
Network Firewall Logging profile to a virtual server.
Configuring a virtual server for event
logging
Ensure that at least one log publisher exists on the AFM Network Firewall system.
Assign a custom network firewall logging profile
to a virtual server when you want the system to log network firewall events on
the traffic that the virtual server processes.
- On the Main tab, click.The Virtual Server List screen opens.
- Click the name of the virtual server you want to modify.
- On the menu bar, click.The screen displays policy settings for the virtual server.
- In theLog Profilesetting, selectEnabled. Then, select one or more profiles, and move them from theAvailablelist to theSelectedlist.If you do not have a custom profile configured, select the predefined logging profileglobal-networkto log Advanced Firewall Manager events. Note that to log global, self IP, and route domain contexts, you must enable a Publisher in theglobal-networkprofile.
- ClickUpdateto save the changes.
Viewing AFM Network Firewall event logs
Ensure that the AFM Network Firewall system is configured to log the types
of events you want to view, and to store the log messages locally on the BIG-IP
system.
When the system is configured to log events locally, you can view those
events using the Configuration utility.
- On the Main tab, click.The Network Firewall event log displays.
- To search for specific events, clickCustom Search. Drag the event data that you want to search for from the Event Log table into the Custom Search table, and then clickSearch.
Creating an AFM Network Firewall rule from a firewall log entry
You must be logging Network Firewall traffic to create a rule from the Network Firewall logs.
You can create a rule from the local log, from an enforced or staged rule or policy. You
might use this to change the action taken on specific traffic that is matched by a more general
rule. You can also use this to replicate a rule and change some parameter, such as the source or
destination ports. Note that the rule you create from a log entry already has some information
specified, such as source and destination address and ports, protocol, and VLAN. You can change
any of this information as required.
- On the Main tab, click.The Network Firewall event log displays.
- Select the search parameters to show the preferred log results, then clickSearch.
- Select a log entry, and clickCreate Rule.
- From theContextlist, select the context for the firewall rule.For a firewall rule in a rule list, the context is predefined and cannot be changed.
- In theNameandDescriptionfields, type the name and an optional description.
- From theTypelist, select whether you are creating a standalone network firewall rule or creating the rule from a predefined rule list.If you create a firewall rule from a predefined rule list, only theName,Description,Order,Rule List, andStateoptions apply, and you must select or create a rule list to include.
- From theStatelist, select the rule state.
- SelectEnabledto apply the firewall rule to the given context and addresses.
- SelectDisabledto set the firewall rule to not apply at all.
- SelectScheduledto apply the firewall rule according to the selected schedule.
- From theSchedulelist, select the schedule for the firewall rule.This schedule is applied when you set the firewall rule state asScheduled.
- From theProtocollist, select the protocol to which the firewall rule applies.
- SelectAnyto apply the firewall rule to any protocol.
- Select the protocol name to apply the rule to a single protocol.
ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create rule for ICMP or ICMPv6 on a self IP or virtual server context. You can apply a rule list to a self IP or virtual server that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with theglobalorroute domaincontext. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself. - In theSourcelist, specify users and groups to which this rule applies.
- From theUserlist, selectAnyto have the rule apply to any user.
- From theUserlist, selectSpecifyand clickUser,Group, orUser Listto specify a user, group, or user list packet source to which the rule applies. When selected, you can type a user or group name in the formatdomain\user_nameordomain\group_name. You can specify a user list by selecting it from the list. ClickAddto add a selected user, group, or user list to the packet source list.
- In theSourcelist, specify addresses and geolocated sources to which this rule applies.
- From theAddress/Regionlist, selectAnyto have the rule apply to any packet source IP address or geographic location.
- From theAddress/Regionlist, selectSpecifyand clickAddressto specify one or more packet source IP addresses or fully qualified domain names (FQDNs) to which the rule applies. When selected, you can type single IP addresses or FQDNs into theAddressfield, then clickAddto add them to the address list.
- From theAddress/Regionlist, selectSpecifyand clickAddress Listto select a predefined list of packet source addresses to which the rule applies. To use an address list with this rule, select the address list and click theAddbutton. Similarly, to remove the list from this rule, select the list and click theDeletebutton.
- From theAddress/Regionlist, selectSpecifyand clickAddress Rangeto specify a contiguous range of packet source IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then clickAddto add the IP address range to the address list.
- From theAddress/Regionlist, selectSpecifyand clickCountry/Regionto identify the geographic origin of packet sources, and to apply rules based on selected geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, clickAddto add it to the Source address list.
- From the SourcePortlist, select the type of packet source ports to which this rule applies.
- SelectAnyto have the rule apply to any packet source port.
- SelectSpecifyand clickPortto specify one or more packet source ports to which the rule applies. When selected, you can type single port numbers into thePortfield, then clickAddto add them to the port list.
- SelectSpecifyand clickPort Rangeto specify a list of contiguous packet source port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then clickAddto add the ports to the port list.
- SelectSpecifyand clickPort Listto select a predefined list of packet source ports to which the rule applies. To use a port list with this rule, select the port list and click theAddbutton. Similarly, to remove the list from this rule, select the list and click theDeletebutton.
- From the SourceVLAN/Tunnellist, select the VLAN on which this rule applies.
- SelectAnyto have the rule apply to traffic on any VLAN through which traffic enters the firewall.
- SelectSpecifyto specify one or more VLANs on the firewall to which the rule applies. To use a VLAN with this rule, move the VLAN from theAvailablelist to theSelectedlist. Similarly, you can remove the VLAN from this rule, by moving the VLAN from theSelectedlist to theAvailablelist.
- In the Destination area and from theAddress/Regionlist, select the type of packet destination address to which this rule applies.
- SelectAnyto have the rule apply to any IP packet destination address.
- SelectSpecifyand clickAddressto specify one or more packet destination IP addresses or fully qualified domain names (FQDNs) to which the rule applies. When selected, you can type single IP addresses or FQDNs into theAddressfield, then clickAddto add them to the address list.
- SelectSpecifyand clickAddress Listto select a predefined list of packet destination addresses to which the rule applies. To use an address list with this rule, select the address list and click theAddbutton. Similarly, to remove the list from this rule, select the list and click theDeletebutton.
- SelectSpecifyand clickAddress Rangeto specify a contiguous range of packet destination IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then clickAddto add the IP address range to the address list.
- SelectSpecifyand clickCountry/Regionto identify the geographic packet destination, and to apply rules based on specific geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, clickAddto add it to the Destination address list.
- From the DestinationPortlist, select the type of packet destination ports to which this rule applies.
- SelectAnyto have the rule apply to any port inside the firewall.
- SelectSpecifyand clickPortto specify one or more packet destination ports to which the rule applies. When selected, you can type single port numbers into thePortfield, then clickAddto add them to the port list.
- SelectSpecifyand clickPort Rangeto specify a list of contiguous packet destination port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then clickAddto add the ports to the port list.
- SelectSpecifyand clickPort Listto select a predefined list of packet destination ports to which the rule applies. To use a port list with this rule, select the port list and click theAddbutton. Similarly, to remove the list from this rule, select the list and click theDeletebutton.
- Optionally, to apply an iRule to traffic matched by this rule, from theiRulelist, select an iRule.
- When you select an iRule to start in a firewall rule, you can enable iRule sampling, and select how frequently the iRule is started, for sampling purposes. The value you configure isone out of ntimes the iRule is triggered. For example, to trigger the iRule one out of every five times the rule matches a flow, selectEnabled, then set this field to5.
- From theActionlist, select the firewall action for traffic originating from the specified source address on the specified protocol. Choose from one of the these actions:AcceptAllows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.DropDrops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.RejectRejects packets with the specified source, destination, and protocol. When a packet is rejected the firewall sends a destination unreachable message to the sender.Accept DecisivelyAllows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any of the further firewalls. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
- From theLogginglist, enable or disable logging for the firewall rule.A logging profile must be enabled to capture logging info for the firewall rule.
- ClickFinished.The list screen and the new item are displayed.
The new firewall policy rule is created from the log entry.
Disabling logging
Disable event logging when you need to suspend logging for a period of time or you
no longer want the BIG-IP system to log specific events.
Logging is enabled by adding log settings to the access profile.
- To clear log settings from access profiles, on the Main tab, click.
- Click the name of the access profile.Access profile properties display.
- On the menu bar, clickLogs.
- Move log settings from theSelectedlist to theAvailablelist.
- ClickUpdate.
Logging is disabled for the access profile.
Implementation result
You now have an implementation in which the BIG-IP® system logs
specific Network Firewall events and stores the logs in a local database on the BIG-IP
system.