F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP AFM
  4. BIG-IP Network Firewall: Policies and Implementations
  5. About Local Logging with the Network Firewall
Manual Chapter : About Local Logging with the Network Firewall

Applies To:

Show Versions Show Versions
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

About Local Logging with the Network Firewall

Overview: Configuring local Network Firewall event logging

You can configure the BIG-IP® system to log detailed information about BIG-IP system Network Firewall events and store those logs on the BIG-IP system.

Important: The BIG-IP system Advanced Firewall Manager™ (AFM™) must be licensed and provisioned before you can configure Network Firewall event logging.

Task summary

Perform these tasks to configure Network Firewall logging locally on the BIG-IP® system.

Note: Enabling logging and storing the logs locally impacts BIG-IP system performance.

Creating a local Network Firewall Logging profile

Create a custom Logging profile to log BIG-IP® system Network Firewall events locally on the BIG-IP system.
  1. On the Main tab, click Security > Event Logs > Logging Profiles .
    The Logging Profiles list screen opens.
  2. Click Create.
    The New Logging Profile screen opens.
  3. In the Profile Name field, type a unique name for the profile.
  4. Select the Network Firewall check box.
  5. In the Network Firewall area, from the Publisher list, select local-db-publisher.
  6. For the Log Rule Matches setting, select how the BIG-IP system logs packets that match ACL rules. You can select any or all of the options.
    Option Description
    Option Enables or disables logging of packets that match ACL rules configured with:
    Accept action=Accept
    Drop action=Drop
    Reject action=Reject
  7. Select the Log IP Errors check box, to enable logging of IP error packets.
  8. Select the Log TCP Errors check box, to enable logging of TCP error packets.
  9. Select the Log TCP Events check box, to enable logging of open and close of TCP sessions.
  10. In the IP Intelligence area, from the Publisher list, select local-db-publisher.
    Note: The IP Address Intelligence feature must be enabled and licensed.
  11. Enable the Log Translation Fields setting to log both the original IP address and the NAT-translated IP address for Network Firewall log events.
  12. Click Finished.
Assign this custom Network Firewall Logging profile to a virtual server.

Configuring an LTM virtual server for Network Firewall event logging

Ensure that at least one log publisher exists on the BIG-IP® system.
Assign a custom Network Firewall Logging profile to a virtual server when you want the BIG-IP system to log Network Firewall events on the traffic that the virtual server processes.
Note: This task applies only to LTM®-provisioned systems.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. On the menu bar, click Security > Policies .
    The screen displays Policy settings and Inline Rules settings.
  4. From the Log Profile list, select Enabled. Then, for the Profile setting, move the profiles that log specific events to specific locations from the Available list to the Selected list.
    Note: If you don't have a custom profile configured, select the predefined logging profile global-network to log Advanced Firewall Manager™ events. Note that to log global, self IP, and route domain contexts, you must enable a Publisher in the global-network profile.
  5. Click Update to save the changes.

Viewing Network Firewall event logs locally on the BIG-IP system

Ensure that the BIG-IP® system is configured to log the types of events you want to view, and to store the log messages locally on the BIG-IP system.
When the BIG-IP system is configured to log events locally, you can view those events using the Configuration utility.
  1. On the Main tab, click Security > Event Logs > Network > Firewall .
    The Network Firewall event log displays.
  2. To search for specific events, click Custom Search. Drag the event data that you want to search for from the Event Log table into the Custom Search table, and then click Search.

Creating a Network Firewall rule from a firewall log entry

You must be logging network firewall traffic to create a rule from the network firewall logs.
You can create a rule from the local log, from an enforced or staged rule or policy. You might use this to change the action taken on specific traffic that is matched by a more general rule. You can also use this to replicate a rule and change some parameter, such as the source or destination ports. Note that the rule you create from a log entry already has some information specified, such as source and destination address and ports, protocol, and VLAN. You can change any of this information as required.
  1. On the Main tab, click Security > Event Logs > Network > Firewall .
    The Network Firewall event log displays.
  2. Select the search parameters to show the desired log results, then click Search.
  3. Select a log entry, and click Create Rule.
  4. From the Context list, select the context for the firewall rule.
    For a firewall rule in a rule list, or a firewall rule or rule list in a policy, the context is predefined and cannot be changed.
  5. In the Name and Description fields, type the name and an optional description.
  6. From the Type list, select whether you are creating a standalone network firewall rule or creating the rule from a predefined rule list.
    If you create a firewall rule from a predefined rule list, only the Name, Description, and Stateoptions apply, and you must select or create a rule list to include.
  7. From the State list, select the rule state.
    • Select Enabled to apply the firewall rule to the given context and addresses.
    • Select Disabled to set the firewall rule to not apply at all.
    • Select Scheduled to apply the firewall rule according to the selected schedule.
  8. From the Schedule list, select the schedule for the firewall rule.
    This schedule is applied when the firewall rule state is set to Scheduled.
  9. From the Protocol list, select the protocol to which the firewall rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    Important: ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create an inline rule for ICMP or ICMPv6 on a Self IP context. You can apply a rule list to a self IP that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with the global or route domain context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
    Note: Note that you must select a protocol if you specify ports.
  10. From the Source Address list, select the type of source address to which this rule applies.
    • Select Any to have the rule apply to any packet source IP address.
    • Select Specify and click Address to specify one or more packet source IP addresses to which the rule applies. When selected, you can type single IP addresses into the Address field, then click Add to add them to the address list.
    • Select Specify and click Address List to select a predefined list of packet source addresses to which the rule applies. To use an address list with this rule, select the address list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
    • Select Specify and click Address Range to specify a contiguous range of packet source IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click Add to add the IP address range to the address list.
    • Select Specify and click Country/Region to identify the geographic origin of packet sources, and to apply rules based on selected geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, click Add to add it to the Source address list.
  11. From the Source Port list, select the type of packet source ports to which this rule applies.
    • Select Any to have the rule apply to any packet source port.
    • Select Specify and click Port to specify one or more packet source ports to which the rule applies. When selected, you can type single port numbers into the Port field, then click Add to add them to the port list.
    • Select Specify and click Port Range to specify a list of contiguous packet source port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then click Add to add the ports to the port list.
    • Select Specify and click Port List to select a predefined list of packet source ports to which the rule applies. To use a port list with this rule, select the port list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
  12. From the Source VLAN list, select the VLAN on which this rule applies.
    • Select Any to have the rule apply to traffic on any VLAN through which traffic enters the firewall.
    • Select Specify to specify one or more VLANs on the firewall to which the rule applies. To use a VLAN with this rule, move the VLAN from the Available list to the Selected list by clicking the << button. Similarly, to remove the VLAN from this rule, click the >> button to move the VLAN from the Selected list to the Available list.
  13. From the Destination Address list, select the type of packet destination address to which this rule applies.
    • Select Any to have the rule apply to any IP packet destination address.
    • Select Specify and click Address to specify one or more packet destination IP addresses to which the rule applies. When selected, you can type single IP addresses into the Address field, then click Add to add them to the address list.
    • Select Specify and click Address List to select a predefined list of packet destination addresses to which the rule applies. To use an address list with this rule, select the address list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
    • Select Specify and click Address Range to specify a contiguous range of packet destination IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click Add to add the IP address range to the address list.
    • Select Specify and click Country/Region to identify the geographic packet destination, and to apply rules based on specific geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, click Add to add it to the Destination address list.
  14. From the Destination Port list, select the type of packet destination ports to which this rule applies.
    • Select Any to have the rule apply to any port inside the firewall.
    • Select Specify and click Port to specify one or more packet destination ports to which the rule applies. When selected, you can type single port numbers into the Port field, then click Add to add them to the port list.
    • Select Specify and click Port Range to specify a list of contiguous packet destination port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then click Add to add the ports to the port list.
    • Select Specify and click Port List to select a predefined list of packet destination ports to which the rule applies. To use a port list with this rule, select the port list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
  15. Optionally, from the iRule list, select an iRule to start if the rule matches traffic.
  16. From the Action list, select the firewall action for traffic originating from the specified source address on the specified protocol. Choose from one of the these actions:
    Option Description
    Accept Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
    Accept Decisively Allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any of the further firewalls. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
    Drop Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
    Reject Rejects packets with the specified source, destination, and protocol. When a packet is rejected the firewall sends a destination unreachable message to the sender.
  17. From the Logging list, enable or disable logging for the firewall rule.
  18. Click Finished.
    The list screen and the new item are displayed.
The new firewall policy rule is created from the log entry.

Disabling logging

Disable Network Firewall, Protocol Security, or DoS Protection event logging when you no longer want the BIG-IP® system to log specific events on the traffic handled by specific resources.
Note: You can disable and re-enable logging for a specific resource based on your network administration needs.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. On the menu bar, click Security > Policies .
    The screen displays Policy settings and Inline Rules settings.
  4. From the Log Profile list, select Disabled.
  5. Click Update to save the changes.
The BIG-IP system does not log the events specified in this profile for the resources to which this profile is assigned.

Implementation result

You now have an implementation in which the BIG-IP® system logs specific Network Firewall events and stores the logs in a local database on the BIG-IP system.

Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information