F5 Networks BIG-IP

To add an F5 BIG-IP device, complete the following steps.

The retrieval method changed from SSH-based to API-based. If you created a Resource Administrator account to use for retrievals in a previous version, you will need to update the account password (in the F5 dashboard and then in the SIP Administration module) and change the Terminal Access from Advanced shell to Disabled.

Step 1: Configure the Device

FireMon strives to provide up-to-date product information; however, we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (UI location of fields, not information needed), please consult your device's user guide.

  1. Create an Auditor account on the BIG-IP device. The data collector will use this account to retrieve configurations from the device.
    1. Log in to the configuration utility.
    2. From the Main tab, navigate to System > Users > User List.
    3. Click Create.
    4. Enter a User Name and Password for the account.

    You'll use this information when adding the device in the Administration module.

    5. Select Auditor for the Role, and then click Add for it to be included in Partition Access.
    6. Set the Terminal Access to Disabled for this account.
    7. Click Finished.
  2. Create a remote logging syslog configuration using the Configuration utility.
    1. From the Main tab, navigate to System > Logs > Configuration > Remote Logging.
    2. Enter the destination syslog server IP address in the Remote IP field.
    3. Enter the remote syslog server UDP port (default is 514) in the Remote Port field.
    4. Enter the local IP address of the BIG-IP system in the Local IP field (optional).
    5. Click Add.
    6. Click Update.
  3. Add a single remote syslog server.
    1. Log on to the Traffic Management Shell (tmsh) by typing the following command: tmsh
    2. To add a single remote syslog server, use the following command syntax: modify /sys syslog remote-servers add { <name> { host <IP address> remote-port <port> }}

    For example, to add remote syslog server 172.28.31.40 with port 514 and name mysyslog, type the following command: modify /sys syslog remote-servers add { mysyslog { host 172.28.31.40 remote-port 514 }}

    3. To save the configuration, type the following command: save /sys config
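The same Step 1 configuration (Auditor account with terminal access disabled, plus a remote syslog server) can be driven from a script over the BIG-IP iControl REST API instead of the Configuration utility or tmsh, which is useful when onboarding many devices consistently. The following is an added example written for this page, not FireMon or F5 code. It assumes the iControl REST endpoints /mgmt/tm/auth/user and /mgmt/tm/sys/syslog, the user properties "partitionAccess" and "shell" (with "none" corresponding to Terminal Access = Disabled), and the syslog property "remoteServers" with "host", "remotePort" and "localIp"; verify these against your BIG-IP version. The device address and credentials are placeholders.

```python
"""Automating the Step 1 device configuration through iControl REST.

Added example, not FireMon or F5 code. Endpoint and property names below
are assumptions to be checked against your BIG-IP version.
"""
import base64
import ipaddress
import json
import ssl
import urllib.error
import urllib.request
from typing import Optional


def auditor_user_payload(username: str, password: str) -> dict:
    """Body for POST /mgmt/tm/auth/user: Auditor role on all partitions,
    terminal access disabled ("shell": "none" is an assumed value)."""
    return {
        "name": username,
        "password": password,
        "partitionAccess": [{"name": "all-partitions", "role": "auditor"}],
        "shell": "none",
    }


def remote_syslog_server(name: str, host: str, port: int = 514,
                         local_ip: Optional[str] = None) -> dict:
    """One remoteServers entry (Remote IP, Remote Port, optional Local IP).
    Malformed addresses and out-of-range ports are rejected before any call."""
    ipaddress.ip_address(host)  # raises ValueError on a bad address
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid UDP port {port}")
    entry = {"name": name, "host": host, "remotePort": port}
    if local_ip is not None:
        ipaddress.ip_address(local_ip)
        entry["localIp"] = local_ip
    return entry


def merge_remote_servers(existing: list, new_entry: dict) -> list:
    """Full list to PATCH back: existing servers are kept, and an entry with
    the same name is replaced rather than duplicated."""
    kept = [s for s in existing if s.get("name") != new_entry["name"]]
    return kept + [new_entry]


def tmsh_add_remote_syslog(name: str, host: str, port: int = 514) -> str:
    """The equivalent tmsh command from the procedure above."""
    remote_syslog_server(name, host, port)  # same validation as the API path
    return (f"modify /sys syslog remote-servers add "
            f"{{ {name} {{ host {host} remote-port {port} }}}}")


class BigIpRest:
    """Minimal iControl REST client: HTTPS on the API port (443 by default)
    with HTTP basic authentication."""

    def __init__(self, mgmt_ip: str, user: str, password: str,
                 port: int = 443, verify_tls: bool = True):
        self.base = f"https://{mgmt_ip}:{port}/mgmt/tm"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # lab devices with self-signed certificates only
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data,
                                     method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.load(resp)

    def create_auditor(self, username: str, password: str) -> dict:
        return self.request("POST", "/auth/user",
                            auditor_user_payload(username, password))

    def add_remote_syslog(self, name: str, host: str, port: int = 514,
                          local_ip: Optional[str] = None) -> dict:
        # Read the current list first: the PATCH carries the whole list, so a
        # bare one-entry PATCH could drop servers that are already configured.
        current = self.request("GET", "/sys/syslog").get("remoteServers", [])
        merged = merge_remote_servers(
            current, remote_syslog_server(name, host, port, local_ip))
        return self.request("PATCH", "/sys/syslog", {"remoteServers": merged})


def auditor_can_read(mgmt_ip: str, username: str, password: str) -> bool:
    """Pre-onboarding check: the new account can read over the API port.
    A read-only call is enough; the Auditor role is never tested with a write."""
    try:
        BigIpRest(mgmt_ip, username, password).request("GET", "/sys/version")
        return True
    except (urllib.error.URLError, OSError):
        return False


if __name__ == "__main__":
    # Placeholder device and credentials; replace with your own.
    device = BigIpRest("192.0.2.10", "admin", "ADMIN_PASSWORD_PLACEHOLDER")
    device.create_auditor("fm-auditor", "AUDITOR_PASSWORD_PLACEHOLDER")
    device.add_remote_syslog("mysyslog", "172.28.31.40", 514)
    print(auditor_can_read("192.0.2.10", "fm-auditor", "AUDITOR_PASSWORD_PLACEHOLDER"))
```

The read-before-PATCH in add_remote_syslog is the part worth keeping even if you adapt the rest: it preserves any remote syslog servers the device already sends to, and the merge replaces an entry of the same name instead of creating a duplicate. auditor_can_read is a cheap way to confirm, before Step 2, that the account and the API port the Administration module will use actually work.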

User Account Partition Access

If you want to limit the partition access given to Security Manager for retrievals, API-based retrievals allow this: SSH-based retrievals required shell access, which API-based retrievals do not.

Account role types that allow all partition access include:

  • Auditor—read only all modules, all partitions

  • Resource Administrator—read/write all modules, all partitions, will not show other users

  • Administrator—read/write system-wide

Account role types that allow partition access to be selected include:

  • Guest—read only all modules, will not show other users

  • Firewall Manager—read only all modules and read/write AFM, will not show other users

Using Automation with F5 BIG-IP AFM

  • You can use the existing admin account for automation, a secondary account is not necessary

  • AFM must be provisioned on the device and AFM level may be set to nominal, minimum or dedicated

  • Creating or modifying services is not currently supported. Even though Policy Planner allows you to start a change for services, creating or modifying service objects is not supported due to how services are configured on rules and normalized on the F5. If you do attempt to create or modify a service through automation, it will fail with the message ‘Creating service objects is not supported’ or ‘Modifying service objects is not supported’, depending on which type was selected. At this time, you can only reference existing service objects on rules.

Step 2: Onboard the Device in the Administration Module

  1. On the toolbar, click Device > Devices.
  2. Click Create, and then click F5 > BIG-IP.
  3. General Properties section.

To prevent errors in device group-level device maps and incorrect reporting data, all devices added in Administration must have unique IP addresses. If devices with duplicate IP addresses must be added within a domain, it is strongly recommended that those devices be separated into discrete device groups, where no duplicate IP addresses are included in the same device group. Devices with duplicate IP addresses will cause errors in the All Devices device map, and may cause incorrect data in reports, even if they are in discrete device groups.

  1. In the Name box, type the name of the device as you want to see it in SIP.
  2. In the Description box, type an optional description of the device being added.
  3. In the Management IP Address box, type the IP address of the device.
  4. In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
  5. In the Central Syslog Server box, select the syslog server from the list (optional).

Syslog fields are optional if the device uses the same IP for syslog and management.
A central syslog server is required only if syslog messages come from a different IP. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3+.

  6. In the Syslog Match Names box, type the syslog match name (optional). You can enter multiple comma-separated names.
  7. By default, the Automatically Retrieve Configuration check box is selected.
  8. In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.
  4. Collection Configuration: select the default configuration, or one created by duplicating and then editing the default configuration (DeviceCollection Configuration). Default is what is set on the installed device pack.
  5. Device Settings section.

Credentials

  1. In the User Name box, type the user name used for the Auditor account.
  2. In the Password box, type the password used for the Auditor account.
  3. In the Re-enter Password box, re-type the password entered above.

Retrieval

  • The default API Port is 443.
  6. Monitoring section.

Log Monitoring

Select the Enable Log Monitoring check box to use for Rule Usage Analysis.

  • Track Usage Via is set to Syslog.
  • Log Update Interval is set to 10 (minutes); this number determines how often usage data is sent to the application server.

Change Monitoring

Select the Enable Check for Change check box to enable checking for configuration changes after the specified interval, and perform a retrieval if changes are detected.

  • Enter an optional Alternate Syslog Source IP.
  7. Retrieval section.

Scheduled Retrieval

Select the Enable Scheduled Retrieval check box to perform a retrieval at a set time regardless of change detection. This will activate additional fields to complete.

  • Set the Scheduled Retrieval Time to fit your requirements.

  • Select the Scheduled Retrieval Time Zone from the list.

Check for Change Retrieval

Select the Enable Check for Change check box to check for configuration changes after the specified interval and perform a retrieval if changes are detected. This will activate an additional field to complete.

  • The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).

  8. Advanced section.
    • File Retrieval Options: Select the Use Batch Config Retrieval check box only if you are manually sending configurations for this device using your data collector's batchconfig directory. While this option is enabled, online retrievals will be disabled.
    • Policy Route Options: Select the Only Use Route Domain Policy for Modeling check box to only use the Route Domain policy for rule recommendation and APA.
    • Automation Options:
      • Select the Automate as Accept-Decisively check box if you want the ability to normalize rules from BIG-IP devices that support "accept decisively" as an action. This is not a separate concept from "accept" but rather a specialization of it.
      • Select the Allow Multi-Protocol Requests check box to automate rule changes with multiple protocols as multiple rules during automation.
  9. Enforcement section.

Select one of the available enforcement options:

  • Allow All: All automation is allowed (enforcement, change, manual).

  • Manual Only: When selected, all changes must be manually pushed for this device.

  • Prevent All: No automation is allowed.

  • Window Only: Automation can only take place in the assigned enforcement window.

If this device is assigned to an enforcement or change window, the window will be listed. If there is no assignment, changes must be manually pushed for this device.

  10. Supplemental Routes section.

Supplemental routes cannot be added until after a retrieval normalizes successfully. You can perform a manual retrieval before continuing.

  1. Click Add.

  2. Complete fields in the Add Supplemental Routes dialog box:

  • Select an Interface.

If you select an Interface, you will not need to select a virtual router and next virtual router. If no interface is selected, you will need to select a Virtual Router and Next Virtual Router.

  • Type the Destination IP address.
  • Type the Gateway IP address.
  • Select a Virtual Router.
  • Select a Next Virtual Router.
  • Switch the Drop toggle to enable (disabled = Accept).
  • Click Add.
  11. Click Save.

Step 3: Verify Communication

Because automatically retrieving a configuration is enabled by default, there is nothing for you to do. Security Manager will automatically attempt to retrieve a device configuration.

To do a manual retrieval, select the device row, click the Menu icon and then click Retrieve Configuration.

It may take up to 15 minutes to see the status result of the retrieval.