Add F5 BIG-IP load balancers

Relevant for: AFA Administrators

This topic describes how to add F5 load balancers to AFA, including Big-IP LTM-only devices and Big-IP LTM and AFM devices.

If you have both LTM and AFM devices, and you do not need FireFlow support, use the LTM and AFM option. If you have only an LTM device, or if you have both but need FireFlow support, use the LTM-only option.

F5 BIG-IP LTM-only device support

This section describes how AFA connects to F5 BIG-IP LTM-only load balancers.

Device permissions

The user connecting to the F5 device can have any role, but the User Partition must be ALL.

Terminal access must be set to tmsh or Advanced shell.

Add an F5 BIG-IP LTM-only device to AFA

This procedure describes how to add an F5 BIG-IP LTM-only device to AFA.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
  2. On the vendor and device selection page, select F5 > BIG-IP LTM Only.

  3. Complete the fields as needed, and then click Finish.

    Type

    F5 BIG-IP LTM Only

    This field is read-only.

    Host

    Enter the host name or IP address of the device.

    User Name

    Enter the username to use for SSH access to the device.

    Password

    Enter the password to use for SSH access to the device.

    Select the remote agent that should perform data collection for the device.

    To specify that the device is managed locally, select Central Manager.

    This field is relevant when a Geographic Distribution architecture is configured. For more details, see Configure a distributed architecture.

    To enable generation of Baseline Compliance Reports for this device, select the baseline compliance profile to use.

    The drop-down list includes all baseline compliance profiles in the system. For more details, see Customize baseline configuration profiles.

    To disable Baseline Compliance Report generation for this device, select None.

    Specify how AFA should acquire the device's routing information:

    • Automatic. AFA will automatically generate the device's routing information upon analysis or monitoring.
    • Static Routing Table (URT). AFA will take the device's routing information from a static file you provide. For details, see Specify routing data manually.

    This area enables you to select a define a data transfer method. Only SSH is supported, using either the default or a custom port.

    Define the following as needed:

    Custom Port

    To specify a custom port, select this option and type the port.

    This option is only relevant when SSH is selected.

    Number of allowed encryption keys

    Enter the permitted number of different RSA keys received from this device's IP address.

    Different RSA keys may be sent from the same IP address in cases of cluster fail-over, device operating system upgrades, etc.

    For example, if a cluster fail-over occurs, the secondary node will send a new RSA key from the same IP address to AFA. If this number is set to 1, the connection to the node will fail, resulting in a failed analysis.

    Default = unlimited

    Define the following as needed:

    Log collection method

    Specify the log collection method that AFA should use when collecting audit logs for the F5 load balancer, by selecting one of the following:

    • Extensive (Default): Not applicable. Intelligent Policy Tuner (IPT) is not available for F5 devices.
    • Standard: Use Syslog data for the Change History report page. IPT is disabled.
    • None. Disables the other Log Collection and Monitoring fields.

    Note: This device type supports audit logs only.

    Syslog-ng server

    If you selected Standard or Extensive in the Log collection method field, you must specify the syslog-ng server.

    For details, see Specify a Syslog server.

    Additional firewall identifiers

    Enter any additional IP addresses or host names that identify the device. When adding multiple entries, separate values by a colon (:).

    For example: 1.1.1.1:2.2.2.2:ServerName.

    This is relevant when the device is represented by multiple or non-standard device identifiers in the logs, for example, in cases of firewall clusters or non-standard logging settings. If AFA receives logs with an identifier it does not recognize, the logs will not be processed.

    Note: This field is only relevant for the parent device, and not for sub-systems. For more details, see Add additional device identifiers for sub-systems

    Log collection frequency (minutes)

    Enter the interval of time in minutes, at which AFA should collect logs for the device.

    The default value is 60.

    Real-time change monitoring

    Select this option to enable real-time alerting upon configuration changes. For more details, see Configure real-time monitoring,

    Set user permissions

    Select this option to set user permissions for the device.

    The new device is added to the device tree.

  4. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    To select multiple users, press the CTRL button while selecting.

    Click OK to close the dialog.

A success message appears to confirm that the device is added.

Device Configuration for source-based routing support

The F5_LTM _DeviceRouteFromVS parameter provides source-based routing support for F5 LTM virtual servers that meet these conditions:

  • The destinations of the Virtual Servers are not single IPs (VIPs, i.e. combinations of destination IP and port) but rather subnets or the destination 'any'.

  • The Virtual Servers have associated pools of Gateways.

Note: The URT file routes reflect all potential next hop IPs, according to the virtual server’s configured Pool Members (i.e. GateWays). Within a Virtual Server, the selected 'VLANs and Tunnel Traffic' option influences route creation. Routes are created either for 'All VLANs and Tunnels' or for specific VLANs. They are created without regard for the source value (assumed to be 'any') or service port.

The F5_LTM _DeviceRouteFromVS parameter

Add the paramater via the CLI to /home/afa/.fa/config or via the AFA UI.

From AFA UI, the Admin User does the following:

  1. Click Administration under user name

  2. Click the Advanced Configuration tab

  3. Verify that the F5_LTM _DeviceRouteFromVS parameter in the list of parameters and that is value is 'yes'.

  4. If it is not in the list, do this:

    • Click Add

    • Add the F5_LTM _DeviceRouteFromVS parameter

    • set the parameter value to 'yes'

F5 BIG-IP LTM and AFM device support

This section describes how AFA connects to F5 BIG-IP LTM and AFM devices.

Network connection

The following diagram shows an ASMS Central Manager or Remote Agent connecting to a F5 BIG-IP LTM and AFM device.

Device permissions

ASMS requires an Administrator role on all partitions to access your F5 BIG-IP LTM and AFM device for basic analysis and change management. Additionally, Tmsh for terminal access is required for Baseline Compliance functionality.

For more details, see F5 BIG-IP LTM+AFM - data collection authentication method in AlgoPedia.

Add an F5 BIG-IP LTM and AFM to AFA

This procedure describes how to add an F5 BIG-IP LTM and AFM device to AFA, and should be used when your device uses AFM and you do not need FireFlow support.

Note: If you need FireFlow support, add a F5 BIG-IP LTM Only device. For details, see Add an F5 BIG-IP LTM-only device to AFA.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
  2. On the vendor and device selection page, select F5 > BIG-IP LTM and AFM.

  3. Complete the fields as needed, and then click Finish.

    Type

    F5 BIG-IP LTM and AFM

    This field is read-only.

    Host

    Enter the host name or IP address of the device.

    User Name

    Enter the username to use for access to the device.

    Password

    Enter the password to use for access to the device.

    Retrieve credentials from CyberArk vault

    Select this check box to authenticate the device with a CyberArk Vault instead of saving the device credentials on the AlgoSec server.

    When selected, also enter the following CyberArk details for the device being authenticated via CyberArk:

    • Platform (Policy ID)
    • Safe
    • Folder
    • Object

    Note: These options only appear when CyberArk is configured in AFA. For details, see Integrate ASMS and CyberArk.

    Select the remote agent that should perform data collection for the device.

    To specify that the device is managed locally, select Central Manager.

    This field is relevant when a Geographic Distribution architecture is configured. For more details, see Configure a distributed architecture.

    To enable generation of Baseline Compliance Reports for this device, select the baseline compliance profile to use.

    The drop-down list includes all baseline compliance profiles in the system. For more details, see Customize baseline configuration profiles.

    To disable Baseline Compliance Report generation for this device, select None.

    Specify how AFA should acquire the device's routing information:

    • Automatic. AFA will automatically generate the device's routing information upon analysis or monitoring.
    • Static Routing Table (URT). AFA will take the device's routing information from a static file you provide. For details, see Specify routing data manually.

    Define the following as needed:

    Log collection method

    Specify the log collection method that AFA should use when collecting audit logs for the F5 load balancer, by selecting one of the following:

    • Extensive (Default): Not applicable. Intelligent Policy Tuner (IPT) is not available for F5 devices.
    • Standard: Use Syslog data for the Change History report page. IPT is disabled.
    • None. Disables the other Log Collection and Monitoring fields.

    Note: This device type supports audit logs only.

    Syslog-ng server

    If you selected Standard or Extensive in the Log collection method field, you must specify the syslog-ng server.

    For details, see Specify a Syslog server.

    Additional firewall identifiers

    Enter any additional IP addresses or host names that identify the device. When adding multiple entries, separate values by a colon (:).

    For example: 1.1.1.1:2.2.2.2:ServerName.

    This is relevant when the device is represented by multiple or non-standard device identifiers in the logs, for example, in cases of firewall clusters or non-standard logging settings. If AFA receives logs with an identifier it does not recognize, the logs will not be processed.

    Note: This field is only relevant for the parent device, and not for sub-systems. For more details, see Add additional device identifiers for sub-systems

    Log collection frequency (minutes)

    Enter the interval of time in minutes, at which AFA should collect logs for the device.

    The default value is 60.

    Real-time change monitoring

    Select this option to enable real-time alerting upon configuration changes. For more details, see Configure real-time monitoring.

    Set user permissions

    Select this option to set user permissions for the device.

  4. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    To select multiple users, press the CTRL button while selecting.

    Click OK to close the dialog.

A success message appears to confirm that the device is added.