Manual Chapter : Managing Intrusion Prevention System (IPS)
Applies To:Show Versions
BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0
Managing Intrusion Prevention System (IPS)
Managing inspection profiles for Network Security
In Network Security you can configure profiles to inspect traffic for protocol inspection items. These protocol inspection items can include compliance checks (which look for packet formation issues), and signatures, to detect potentially malicious packet information.
Protocol inspection items are arranged in categories by the Services (for example, HTTP, SIP, or DNS). You can assign protocol inspection items individually or in groups for your managed BIG-IP devices.
You can apply your protocol inspection profile for the following objects:
- Profile applied to a virtual server firewall policy rule
- Profile directly applied to a context (vip-type context)
Configuring inspection profiles in a production environment
The configuration for protocol inspection profiles has default settings, some of which might cause unexpected results when you deploy the profile in a production environment. Inspection IDs are used to identify potentially harmful traffic by identifying packets that do not conform to traffic standards (compliance checks), and known malicious payload messages (signatures). To view a full list of pre-installed inspection IDs, see the screen here:.
Inspection IDs have action settings that are set to
Don't Inspectby default. This prevents any action whatsoever against traffic detected with the specified inspection items. When settings are configured to
Drop, it can cause inspection ID criteria to match valid traffic, creating false positives and impacting legitimate traffic in your environment. To eliminate the possibility of the protocol inspection profile impacting valid traffic, F5 recommends these actions:
- Change the inspection ID action settings to Accept.
- Set the inspection log to Yes.
- After you deploy the protocol inspection profile, and the system processes traffic for a period of time, monitor the total hit count for each inspection ID.
- Determine the impact to your environment by monitoring data from traffic processed through the protocol inspection profile on this screen:.
Create a protocol inspection profile
Before you can create a protocol inspection profile, your managed BIG-IP device must be running version 13.1 or later, with AFM, and must be licensed with Intrusion Detection & Prevention System.
A protocol inspection profile collects rules for protocol inspection using pre-installed signatures defined by the Snort project, or custom signatures defined using the Snort syntax. Select and add signatures to the profile by inspection service. You can narrow the scope of signatures by a number of other characteristics. You can enforce signatures, or compliance items, or both.
- Go to.
- ClickCreate.Alternatively, you can clone an existing inspection profile by selecting the profile and clickingClone.
- Type aNamefor your profile.
- To enforce signatures, fromSignatures, selectEnabled.If you are enforcing only compliance items, you can selectDisabledhere.
- To enforce compliance checks, fromCompliance,selectEnabled.If you are enforcing only signature items, you can selectDisabledhere.
- To collect AVR stats, from theAVR Stats Collectlist, selectEnabled.This action allows you to monitor data for traffic managed by the inspection profile using the IPS dashboard. You must have AVR provisioned on your BIG-IP device, and your BIG-IQ configuration must include a DCD with statistics collection enabled.
- From the services setting, select the services you want to add to this inspection profile.Each selected service type displays its unique list of attack signatures and compliance checks in the Inspection Properties area.By default, all selected service items are enabled.
- Edit inspection service item settings as needed, in the Inspection Properties area.For services and single inspection items, you can select a port or port range. These indicate the acceptance criteria for inspecting traffic assigned to a host firewall policy or virtual server.
- To edit all inspection items from all services, selectSelect/Unselect All.If you enable this option,Edit Selected Inspectionsallows you to configure theActionandLogsettings. Once you have configured these settings, clickSet.
- To disable the status of all inspection items for a single service, click the name of the service, and selectDisabledfrom theStatuslist.Disabling a service's status allows you to save inspection action and logging settings, without deleting your changes.If you would like to add logging settings to all inspections in a service, expand the service to display all inspection items, and click the box at the top left of the list to select all. Under theEdit All Inspection Settingsfield, you can select a log setting and clickSet.If you have disabled the service's status, the service is crossed off in the Inspection Properties list.
- To edit settings for a single inspection, expand a service and click the ID link to change the action and log settings for the inspection item.You can perform changes for multiple inspection items by selecting box next to the inspection ID, and configuring bulk changes using theEdit Selected Inspectionssettings. To save your changes, clickSet.
- To trigger a delayed action following a suggestion period, once the inspection item is detected, under Suggestions Properties, select the check box forSuggestion Mode.Once you select the suggestion mode, you can set either a time or a confidence level threshold for the suggestion period.You can configure either time or confidence level as the suggestion period threshold, but you cannot configure both. This setting is not active for BIG-IP devices running version 13.1 or later.
For inspection profiles running on BIG-IP devices 14.1 or later, there is an enabled suggestion period, by default. This means that the system will take corrective action against detected inspection items, whether or not you enabled theSuggestion Mode.
- In theAuto Approval Triggersetting, for a time suggestion period, set the number of minutes.The default automatic approval time is 10080 minute (7 days). You can set the time threshold from 720 to 43200 minutes.
- For Confidence Level, set the percentage of confidence required for the system to take automatic action.For inspection profiles running on BIG-IP version 14.0, you cannot set a Confidence Level.
- To automatically download any inspection updates for the services in this profile, select the check box forUpdate Mode.
- ClickSave & Close.
The Inspection Profiles screen opens and the inspection profile you created is displayed in the list. The Protocol Inspection profile must be attached to an object before you can deploy the new profile.
You can attach a protocol inspection profile to a firewall rule or to a virtual server and then deploy or pin your Protocol Inspection profile.
Edit a protocol inspection profile
You can adjust the configuration of your protocol inspection profile to improve network protection, or to mitigate known issues that can affect your network.
- Go to.
- To edit an inspection profile, click the name.The properties screen opens for that profile.
- Edit the profile as needed, and clickSave & Close.The Protocol Inspection profile list is displayed.
- Ensure that the edited profile is selected, and clickDeploy.
The the system update the edited protocol inspection profile and automatically applies changes to the associated contexts and virtual servers.
Assign a protocol inspection profile to a virtual server
before you can assign a protocol inspection profile to a virtual server, you must have AFM licensed on the BIG-IP devices that host the virtual servers. The selected BIG-IP devices must be running version 13.1 or later.
You add a protocol inspection profile to your virtual server to detect malformed packets and malicious signatures in the traffic received by your virtual server.
- Go to.
- In the name column, click the name of the relevant virtual server (with a firewall type of vip).This displays the properties of the selected virtual server.
- At the lower part of the screen, from theShared Objectslist, selectInspection Profiles.The list of the configured inspection profiles displays.
- Click the row of the inspection profile you want to add, and drag the row upto theProtocol Inspection Profilesetting located in the Properties area.
- ClickSave & Close.The Contexts screen opens.
- In the Contexts screen, ensure that the virtual server is still selected, and clickDeploy.
The system enables and deploys the inspection profile on your virtual server.
You can evaluate the traffic managed by your inspection profile by using the IPS dashboard ().
Assign a protocol inspection profile to a network firewall
Before you can add an inspection profile, you must have an existing network firewall policy. F5 recommends that you have an existing rule set for the policy, as well.
You assign protocol inspection to a firewall rule for additional firewall protection against packet compliance issues and malicious payload signatures. Assigning protocol inspection provides an additional layer of traffic inspection in the case that all prior network rules are approved.
- Go to
- Click the name of the firewall policy.The firewall properties screen opens to theRULESscreen.
- From the firewall rule list, identify the firewall rule you want to add to an inspection policy.
- If you do not have an existing rule:
- ClickCreate Ruleto add a blank firewall rule. For existing child rules, you might not be able to edit the rule within the firewall policy.
- To edit a complex rule list you can go toand select the rule you want to attach an inspection profile.
- For your firewall rule, select the pencil icon to the far left of the rule's row.This displays all fields of the rule so you can edit them.
- Scroll to the far right of the rule row, and select a Protocol Inspection Profile from the list under the Protocol Inspection Profile column.
- ClickSave & Close.The firewall policy list is now displayed.
- Select the policy (or rule) and clickDeploy.
This adds the inspection profile to the rule of your firewall policy. Traffic that meets the rule criteria is inspected based on the inspection profile's settings.
Now you should evaluate the traffic managed by your inspection profile by using the IPS dashboard ().
Pin a protocol inspection profile to a device
You must have a protocol inspection profile already configured before you can pin it to a device.
You can pin a protocol inspection profile to a BIG-IP device. This associates the protocol inspection profile to a designated device.
- Go to.The screen displays a list of the managed BIG-IP devices with AFM provisioning.
- Click the name of the device on which to pin a protocol inspection profile.The properties screen opens for that device.
- From theNetwork Security (AFM)list in the middle of the screen, selectInspection Profiles.
- From the list of inspection profiles, select the inspection profile you want to pin to the device.
- ClickSave & Close.
This pins the protocol inspection profile to the device.
Monitoring IPS traffic
The protocol inspection profile provides a traffic evaluation layer that supplements the standard firewall rules that are used to manage traffic based on network configurations of traffic. Depending on your configuration, your inspection profile can prompt your system to monitor suspicious traffic, or it can drop or reject traffic based on its packet formation or payload signatures.
The IPS dashboard allows you to filter inspected traffic (matched events) by several different properties. For example: the inspection profile's host (virtual server or firewall policy), traffic properties, inspection action, or inspection service.
Identify issues with traffic managed by an inspection profile
To view IPS analytics data, you must have the following prerequisites:
- A Data Collection Device (DCD) configured to your BIG-IQ system
- Managed BIG-IP devices that have AFM provisioned for managing network firewall policies or Network Security contexts
- A protocol inspection profile with enabled AVR Stats Collect, assigned to a virtual server or network firewall rule
- Statistics collection that is enabled for the managed BIG-IP devices
Once you have configured your protocol inspection profile to detect traffic with compliance issues and known malicious signatures, you can monitor this traffic to verify the profile's configuration, or identify issues that require changes. These issues can include, but are not limited to, false positives that reject or drop valid traffic, a policy that allows traffic and requires more vigorous action, or a need for additional inspection services.
- Go toThe screen displays the Average Matched Events chart, which represents the average events per second for all inspected traffic (over the selected time period) that have been detected across all inspection profiles configured within your managed environment. Additionally, it displays the top aspects of inspected traffic in the widgets about the charts.
- To detect issues based on the inspected traffic details you can view the following traffic aspects:
- Expand one or more of the following dimensions located in the dimensions pane to the far right of the screen:Countries,Client IPs,Destination Ports,Network Protocols.Each expanded dimension displays objects that have been detected and their data over the selected time period.
- To filter displayed data, select one or more of the dimension objects.Each object selection filters data in the charts and dimensions to include only the data relevant to your selections.
- Once you have filtered required traffic characteristics, you can identify the corresponding inspection profile by expanding theProfile Namesdimension.
- To detect issues based on the inspection profile's virtual servers:
- Expand theVirtual Serversdimension.
- Select one of the virtual servers listed in the dimension display that server's data.From here, you can analyze the chart data, or the tabular data in the other dimensions.
- Isolate the associated inspection profile, by expanding theProfile Namesdimension.You can focus on additional aspects of the inspection items, by expanding theInspection IDs,Inspection Names,Destination Ports, andServices. Details from these dimensions may assist you in the editing process of an inspection profile.
- To view actions against inspected traffic for a single inspection profile:
- Expand theProfile Namesdimension.
- Select the profile name from the dimension list.This selection filters data in the charts and dimensions to include only the data relevant to your selection.
- Expand theActionsdimension to display how the inspected traffic was managed.
Once you have isolated any issues with your inspection profile and its performance, you can edit the profile's configuration to better suit your network's protection requirements.
Update inspection packages
In order to create inspection profiles and update inspection packages, BIG-IQ users will need to obtain an Intrusion Detection & Prevention System license.
You can centrally manage inspection package updates and install updates to target devices from BIG-IQ. BIG-IQ allows users to import inspection package files from your local machine or download update files from downloads.f5.com and install updates to managed BIG-IP devices.
- Go to to.
- To manually import a package inspection update from your local machine, clickImport.These update files may be obtained from downloads.f5.com.
- Once you download the update file from downloads.f5.com, ClickChoose File...and select an update file from your machine, and then selectImport.
- ClickDownloadto navigate to a popup that will allow you to download package inspection updates for future installation, or to download the update file and install the updates on all managed BIG-IP devices immediately.
- To delete any of the inspection package updates on this page, select the checkbox next to the update file you would like to remove and clickDelete.
- To install the updated inspection package files on managed BIG-IP devices, select the file name of the upgrade you would like to install.Install the updates to target devices, by selecting the checkboxes next to the managed BIG-IP devices you would like to install this update to, and use the arrows to move the devices fromAvailabletoSelected.
Your updated inspection package will be initiated and you can view the update status in the
Inspection Update Status List.
Viewing inspection update statuses
From BIG-IQ, you can view and evaluate the status of all package inspection updates from.
To learn more about the status of an update, select the start time of the update you are interested in to navigate to a page with detailed information. From this page, you can view the status of an individual inspection updates. The information displayed includes the update initiation time, update status, and device information regarding the status including error messages.
You may also delete any update status in the list by selecting the check box next to the update start time and clicking