Manual Chapter : Managing Intrusion Prevention System (IPS)

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0
Manual Chapter

Managing Intrusion Prevention System (IPS)

Managing inspection profiles for Network Security

In Network Security you can configure profiles to inspect traffic for protocol inspection items. These protocol inspection items can include compliance checks (which look for packet formation issues), and signatures, to detect potentially malicious packet information.
Protocol inspection items are arranged in categories by the Services (for example, HTTP, SIP, or DNS). You can assign protocol inspection items individually or in groups for your managed BIG-IP devices.
You can apply your protocol inspection profile for the following objects:
  • Profile applied to a virtual server firewall policy rule
  • Profile directly applied to a context (vip-type context)

Configuring inspection profiles in a production environment

The configuration for protocol inspection profiles has default settings, some of which might cause unexpected results when you deploy the profile in a production environment. Inspection IDs are used to identify potentially harmful traffic by identifying packets that do not conform to traffic standards (compliance checks), and known malicious payload messages (signatures). To view a full list of pre-installed inspection IDs, see the screen here:
Configuration
SECURITY
Network Security
Protocol Security
Inspection List
.
Inspection IDs have action settings that are set to
Don't Inspect
by default. This prevents any action whatsoever against traffic detected with the specified inspection items. When settings are configured to
Reject
or
Drop
, it can cause inspection ID criteria to match valid traffic, creating false positives and impacting legitimate traffic in your environment. To eliminate the possibility of the protocol inspection profile impacting valid traffic, F5 recommends these actions:
  • Change the inspection ID action settings to Accept.
  • Set the inspection log to Yes.
  • After you deploy the protocol inspection profile, and the system processes traffic for a period of time, monitor the total hit count for each inspection ID.
  • Determine the impact to your environment by monitoring data from traffic processed through the protocol inspection profile on this screen:
    Monitoring
    DASHBOARDS
    IPS
    .

Create a protocol inspection profile

Before you can create a protocol inspection profile, your managed BIG-IP device must be running version 13.1 or later, with AFM, and must be licensed with Intrusion Detection & Prevention System.
A protocol inspection profile collects rules for protocol inspection using pre-installed signatures defined by the Snort project, or custom signatures defined using the Snort syntax. Select and add signatures to the profile by inspection service. You can narrow the scope of signatures by a number of other characteristics. You can enforce signatures, or compliance items, or both.
  1. Go to
    Configuration
    SECURITY
    Network Security
    Protocol Security
    Inspection Profiles
    .
  2. Click
    Create
    .
    Alternatively, you can clone an existing inspection profile by selecting the profile and clicking
    Clone
    .
  3. Type a
    Name
    for your profile.
  4. To enforce signatures, from
    Signatures
    , select
    Enabled
    .
    If you are enforcing only compliance items, you can select
    Disabled
    here.
  5. To enforce compliance checks, from
    Compliance,
    select
    Enabled
    .
    If you are enforcing only signature items, you can select
    Disabled
    here.
  6. To collect AVR stats, from the
    AVR Stats Collect
    list, select
    Enabled
    .
    This action allows you to monitor data for traffic managed by the inspection profile using the IPS dashboard. You must have AVR provisioned on your BIG-IP device, and your BIG-IQ configuration must include a DCD with statistics collection enabled.
  7. From the services setting, select the services you want to add to this inspection profile.
    Each selected service type displays its unique list of attack signatures and compliance checks in the Inspection Properties area.
    By default, all selected service items are enabled.
  8. Edit inspection service item settings as needed, in the Inspection Properties area.
    For services and single inspection items, you can select a port or port range. These indicate the acceptance criteria for inspecting traffic assigned to a host firewall policy or virtual server.
    1. To edit all inspection items from all services, select
      Select/Unselect All
      .
      If you enable this option,
      Edit Selected Inspections
      allows you to configure the
      Action
      and
      Log
      settings. Once you have configured these settings, click
      Set
      .
    2. To disable the status of all inspection items for a single service, click the name of the service, and select
      Disabled
      from the
      Status
      list.
      Disabling a service's status allows you to save inspection action and logging settings, without deleting your changes.
      If you would like to add logging settings to all inspections in a service, expand the service to display all inspection items, and click the box at the top left of the list to select all. Under the
      Edit All Inspection Settings
      field, you can select a log setting and click
      Set
      .
      If you have disabled the service's status, the service is crossed off in the Inspection Properties list.
    3. To edit settings for a single inspection, expand a service and click the ID link to change the action and log settings for the inspection item.
      You can perform changes for multiple inspection items by selecting box next to the inspection ID, and configuring bulk changes using the
      Edit Selected Inspections
      settings. To save your changes, click
      Set
      .
  9. To trigger a delayed action following a suggestion period, once the inspection item is detected, under Suggestions Properties, select the check box for
    Suggestion Mode
    .
    Once you select the suggestion mode, you can set either a time or a confidence level threshold for the suggestion period.
    You can configure either time or confidence level as the suggestion period threshold, but you cannot configure both. This setting is not active for BIG-IP devices running version 13.1 or later.
    1. In the
      Auto Approval Trigger
      setting, for a time suggestion period, set the number of minutes.
      The default automatic approval time is 10080 minute (7 days). You can set the time threshold from 720 to 43200 minutes.
    2. For Confidence Level, set the percentage of confidence required for the system to take automatic action.
      For inspection profiles running on BIG-IP version 14.0, you cannot set a Confidence Level.
    For inspection profiles running on BIG-IP devices 14.1 or later, there is an enabled suggestion period, by default. This means that the system will take corrective action against detected inspection items, whether or not you enabled the
    Suggestion Mode
    .
  10. To automatically download any inspection updates for the services in this profile, select the check box for
    Update Mode
    .
  11. Click
    Save & Close
    .
The Inspection Profiles screen opens and the inspection profile you created is displayed in the list. The Protocol Inspection profile must be attached to an object before you can deploy the new profile.
You can attach a protocol inspection profile to a firewall rule or to a virtual server and then deploy or pin your Protocol Inspection profile.

Edit a protocol inspection profile

You can adjust the configuration of your protocol inspection profile to improve network protection, or to mitigate known issues that can affect your network.
  1. Go to
    Configuration
    SECURITY
    Network Security
    Protocol Security
    Inspection Profiles
    .
  2. To edit an inspection profile, click the name.
    The properties screen opens for that profile.
  3. Edit the profile as needed, and click
    Save & Close
    .
    The Protocol Inspection profile list is displayed.
  4. Ensure that the edited profile is selected, and click
    Deploy
    .
The the system update the edited protocol inspection profile and automatically applies changes to the associated contexts and virtual servers.

Assign a protocol inspection profile to a virtual server

before you can assign a protocol inspection profile to a virtual server, you must have AFM licensed on the BIG-IP devices that host the virtual servers. The selected BIG-IP devices must be running version 13.1 or later.
You add a protocol inspection profile to your virtual server to detect malformed packets and malicious signatures in the traffic received by your virtual server.
  1. Go to
    Configuration
    SECURITY
    Network Security
    Contexts
    .
  2. In the name column, click the name of the relevant virtual server (with a firewall type of vip).
    This displays the properties of the selected virtual server.
  3. At the lower part of the screen, from the
    Shared Objects
    list, select
    Inspection Profiles
    .
    The list of the configured inspection profiles displays.
  4. Click the row of the inspection profile you want to add, and drag the row upto the
    Protocol Inspection Profile
    setting located in the Properties area.
  5. Click
    Save & Close
    .
    The Contexts screen opens.
  6. In the Contexts screen, ensure that the virtual server is still selected, and click
    Deploy
    .
The system enables and deploys the inspection profile on your virtual server.
You can evaluate the traffic managed by your inspection profile by using the IPS dashboard (
Monitoring
DASHBOARDS
IPS
).

Assign a protocol inspection profile to a network firewall rule

Before you can add an inspection profile, you must have an existing network firewall policy. F5 recommends that you have an existing rule set for the policy, as well.
You assign protocol inspection to a firewall rule for additional firewall protection against packet compliance issues and malicious payload signatures. Assigning protocol inspection provides an additional layer of traffic inspection in the case that all prior network rules are approved.
  1. Go to
    Configuration
    SECURITY
    Network Security
    Network Firewall
    Firewall Policies
    .
  2. Click the name of the firewall policy.
    The firewall properties screen opens to the
    RULES
    screen.
  3. From the firewall rule list, identify the firewall rule you want to add to an inspection policy.
    1. If you do not have an existing rule:
    • Click
      Create Rule
      to add a blank firewall rule. For existing child rules, you might not be able to edit the rule within the firewall policy.
    • To edit a complex rule list you can go to
      Configuration
      SECURITY
      Network Security
      Network Firewall
      Rule lists
      and select the rule you want to attach an inspection profile.
  4. For your firewall rule, select the pencil icon to the far left of the rule's row.
    This displays all fields of the rule so you can edit them.
  5. Scroll to the far right of the rule row, and select a Protocol Inspection Profile from the list under the Protocol Inspection Profile column.
  6. Click
    Save & Close
    .
    The firewall policy list is now displayed.
  7. Select the policy (or rule) and click
    Deploy
    .
This adds the inspection profile to the rule of your firewall policy. Traffic that meets the rule criteria is inspected based on the inspection profile's settings.
Now you should evaluate the traffic managed by your inspection profile by using the IPS dashboard (
Monitoring
DASHBOARDS
IPS
).

Pin a protocol inspection profile to a device

You must have a protocol inspection profile already configured before you can pin it to a device.
You can pin a protocol inspection profile to a BIG-IP device. This associates the protocol inspection profile to a designated device.
  1. Go to
    Configuration
    SECURITY
    Network Security
    Network Firewall
    Pinning Policies
    .
    The screen displays a list of the managed BIG-IP devices with AFM provisioning.
  2. Click the name of the device on which to pin a protocol inspection profile.
    The properties screen opens for that device.
  3. From the
    Network Security (AFM)
    list in the middle of the screen, select
    Inspection Profiles
    .
  4. From the list of inspection profiles, select the inspection profile you want to pin to the device.
  5. Click
    Save & Close
    .
This pins the protocol inspection profile to the device.

Monitoring IPS traffic

The protocol inspection profile provides a traffic evaluation layer that supplements the standard firewall rules that are used to manage traffic based on network configurations of traffic. Depending on your configuration, your inspection profile can prompt your system to monitor suspicious traffic, or it can drop or reject traffic based on its packet formation or payload signatures.
The IPS dashboard allows you to filter inspected traffic (matched events) by several different properties. For example: the inspection profile's host (virtual server or firewall policy), traffic properties, inspection action, or inspection service.

Identify issues with traffic managed by an inspection profile

To view IPS analytics data, you must have the following prerequisites:
  • A Data Collection Device (DCD) configured to your BIG-IQ system
  • Managed BIG-IP devices that have AFM provisioned for managing network firewall policies or Network Security contexts
  • A protocol inspection profile with enabled AVR Stats Collect, assigned to a virtual server or network firewall rule
  • Statistics collection that is enabled for the managed BIG-IP devices
Once you have configured your protocol inspection profile to detect traffic with compliance issues and known malicious signatures, you can monitor this traffic to verify the profile's configuration, or identify issues that require changes. These issues can include, but are not limited to, false positives that reject or drop valid traffic, a policy that allows traffic and requires more vigorous action, or a need for additional inspection services.
  1. Go to
    Monitoring
    DASHBOARDS
    IPS
    The screen displays the Average Matched Events chart, which represents the average events per second for all inspected traffic (over the selected time period) that have been detected across all inspection profiles configured within your managed environment. Additionally, it displays the top aspects of inspected traffic in the widgets about the charts.
  2. To detect issues based on the inspected traffic details you can view the following traffic aspects:
    1. Expand one or more of the following dimensions located in the dimensions pane to the far right of the screen:
      Countries
      ,
      Client IPs
      ,
      Destination Ports
      ,
      Network Protocols
      .
      Each expanded dimension displays objects that have been detected and their data over the selected time period.
    2. To filter displayed data, select one or more of the dimension objects.
      Each object selection filters data in the charts and dimensions to include only the data relevant to your selections.
    3. Once you have filtered required traffic characteristics, you can identify the corresponding inspection profile by expanding the
      Profile Names
      dimension.
  3. To detect issues based on the inspection profile's virtual servers:
    1. Expand the
      Virtual Servers
      dimension.
    2. Select one of the virtual servers listed in the dimension display that server's data.
      From here, you can analyze the chart data, or the tabular data in the other dimensions.
    3. Isolate the associated inspection profile, by expanding the
      Profile Names
      dimension.
      You can focus on additional aspects of the inspection items, by expanding the
      Inspection IDs
      ,
      Inspection Names
      ,
      Destination Ports
      , and
      Services
      . Details from these dimensions may assist you in the editing process of an inspection profile.
  4. To view actions against inspected traffic for a single inspection profile:
    1. Expand the
      Profile Names
      dimension.
    2. Select the profile name from the dimension list.
      This selection filters data in the charts and dimensions to include only the data relevant to your selection.
    3. Expand the
      Actions
      dimension to display how the inspected traffic was managed.
Once you have isolated any issues with your inspection profile and its performance, you can edit the profile's configuration to better suit your network's protection requirements.

Update inspection packages

In order to create inspection profiles and update inspection packages, BIG-IQ users will need to obtain an Intrusion Detection & Prevention System license.
You can centrally manage inspection package updates and install updates to target devices from BIG-IQ. BIG-IQ allows users to import inspection package files from your local machine or download update files from downloads.f5.com and install updates to managed BIG-IP devices.
  1. Go to to
    Configuration
    SECURITY
    Network Security
    Protocol Security
    Inspection Package Files List
    .
  2. To manually import a package inspection update from your local machine, click
    Import
    .
    These update files may be obtained from downloads.f5.com.
  3. Once you download the update file from downloads.f5.com, Click
    Choose File...
    and select an update file from your machine, and then select
    Import
    .
  4. Click
    Download
    to navigate to a popup that will allow you to download package inspection updates for future installation, or to download the update file and install the updates on all managed BIG-IP devices immediately.
  5. To delete any of the inspection package updates on this page, select the checkbox next to the update file you would like to remove and click
    Delete
    .
  6. To install the updated inspection package files on managed BIG-IP devices, select the file name of the upgrade you would like to install.
    Install the updates to target devices, by selecting the checkboxes next to the managed BIG-IP devices you would like to install this update to, and use the arrows to move the devices from
    Available
    to
    Selected
    .
Your updated inspection package will be initiated and you can view the update status in the
Inspection Update Status List
.

Viewing inspection update statuses

From BIG-IQ, you can view and evaluate the status of all package inspection updates from
Configuration
SECURITY
Network Security
Protocol Security
Inspection Update Status
.
To learn more about the status of an update, select the start time of the update you are interested in to navigate to a page with detailed information. From this page, you can view the status of an individual inspection updates. The information displayed includes the update initiation time, update status, and device information regarding the status including error messages.
You may also delete any update status in the list by selecting the check box next to the update start time and clicking
Delete
.