F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP AFM
  4. BIG-IP Network Firewall: Policies and Implementations
  5. About Local Logging with the Network Firewall
Manual Chapter : About Local Logging with the Network Firewall

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 11.3.0
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

Overview: Configuring local Network Firewall event logging

You can configure the BIG-IP system to log detailed information about BIG-IP system Network Firewall events and store those logs on the BIG-IP system.

Important: The BIG-IP system Advanced Firewall Module (AFM) must be licensed and provisioned before you can configure Network Firewall event logging.

Task summary

Perform these tasks to configure Network Firewall logging locally on the BIG-IP® system.

Note: Enabling logging and storing the logs locally impacts BIG-IP system performance.

Creating a local Network Firewall Logging profile

Create a custom Logging profile to log BIG-IP® system Network Firewall events locally on the BIG-IP system.
  1. On the Main tab, click Security > Event Logs > Logging Profiles. The Logging Profiles list screen opens.
  2. Click Create. The New Logging Profile screen opens.
  3. In the Profile Name field, type a unique name for the profile.
  4. Select the Network Firewall check box.
  5. In the Network Firewall area, from the Publisher list, select local-db-publisher.
  6. For the Log Rule Matches setting, select how the BIG-IP system logs packets that match ACL rules. You can select any or all of the options.
    Option Description
    Option Enables or disables logging of packets that match ACL rules configured with:
    Accept action=Accept
    Drop action=Drop
    Reject action=Reject
  7. Select the Log IP Errors check box, to enable logging of IP error packets.
  8. Select the Log TCP Errors check box, to enable logging of TCP error packets.
  9. Select the Log TCP Events check box, to enable logging of open and close of TCP sessions.
  10. In the IP Intelligence area, from the Publisher list, select local-db-publisher.
    Note: The IP Address Intelligence feature must be enabled and licensed.
  11. Click Finished.
Assign this custom Network Firewall Logging profile to a virtual server.

Configuring an LTM virtual server for Network Firewall event logging

Ensure that at least one log publisher exists on the BIG-IP system.
Assign a custom Network Firewall Logging profile to a virtual server when you want the BIG-IP system to log Network Firewall events on the traffic that the virtual server processes.
Note: This task applies only to LTM-provisioned systems.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. From the Security menu, select Policies. The screen displays Policy Settings and Rules settings.
  4. From the Log Profile list, select Enabled. Then, for the Profile setting, move the profiles that log specific events to specific locations from the Available list to the Selected list.
  5. Click Update to save your changes.

Viewing Network Firewall event logs locally on the BIG-IP system

Ensure that the BIG-IP system is configured to log the types of events you want to view, and to store the log messages locally on the BIG-IP system.
When the BIG-IP system is configured to log events locally, you can view those events using the Configuration utility.
  1. On the Main tab, click Security > Event Logs > Network > Firewall. The Network Firewall event log displays.
  2. To search for specific events, click Custom Search. Drag the event data that you want to search for from the Event Log table into the Custom Search table, and then click Search.

Disabling logging

Disable Network Firewall, Protocol Security, or DoS Protection event logging when you no longer want the BIG-IP system to log specific events on the traffic handled by specific resources.
Note: You can disable and re-enable logging for a specific resource based on your network administration needs.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. From the Security menu, select Policies. The screen displays Policy Settings and Rules settings.
  4. From the Log Profile list, select Disabled.
  5. Click Update to save your changes.
The BIG-IP system does not log the events specified in this profile for the resources to which this profile is assigned.

Implementation result

You now have an implementation in which the BIG-IP® system logs specific Network Firewall events and stores the logs in a local database on the BIG-IP system.

Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information