
F5 NETWORKS

This section provides information on the following DSMs:


• F5 Networks BIG-IP AFM
• F5 Networks BIG-IP APM
• F5 Networks BIG-IP ASM
• F5 Networks BIG-IP LTM
• F5 Networks FirePass
F5 Networks BIG-IP AFM
The F5 Networks BIG-IP Advanced Firewall Manager (AFM) DSM for IBM Security
QRadar accepts syslog events forwarded from F5 Networks BIG-IP AFM systems
in name-value pair format.
Supported event types
QRadar is capable of collecting the following events from F5 BIG-IP appliances
with Advanced Firewall Managers:
• Network events
• Network Denial of Service (DoS) events
• Protocol security events
• DNS events
• DNS Denial of Service (DoS) events
Before you begin
Before you can configure the Advanced Firewall Manager, you must verify that
your BIG-IP appliance is licensed and provisioned to include Advanced Firewall
Manager.
Procedure
Step 1 Log in to your BIG-IP appliance Management Interface.
Step 2 From the navigation menu, select System > License.
Step 3 In the License Status column, verify the Advanced Firewall Manager is
licensed and enabled.
IBM Security QRadar DSM Configuration Guide
Step 4 To enable the Advanced Firewall Manager, select System > Resource
Provisioning.
Step 5 From the Provisioning column, select the check box and select Nominal from
the list.
Step 6 Click Submit to save your changes.
Configure a logging pool
A logging pool allows you to define a pool of servers that receive syslog events.
The pool contains the IP address, port, and a node name that you provide.
Procedure
Step 1 From the navigation menu, select Local Traffic > Pools.
Step 2 Click Create.
Step 3 In the Name field, type a name for the logging pool.
For example, Logging_Pool.
Step 4 From the Health Monitor field, in the Available list, select TCP and click
<<.
This moves the TCP option from the Available list to the Selected list.
Step 5 In the Resource pane, from the Node Name list, select Logging_Node or the
name you defined in Step 3.
Step 6 In the Address field, type the IP address for the QRadar Console or Event
Collector.
Step 7 In the Service Port field, type 514.
Step 8 Click Add.
Step 9 Click Finish.
Creating a high-speed log destination
The process to configure logging for BIG-IP AFM requires that you create a
high-speed logging destination.
Procedure
Step 1 From the navigation menu, select System > Logs > Configuration > Log
Destinations.
Step 2 Click Create.
Step 3 In the Name field, type a name for the destination.
For example, Logging_HSL_dest.
Step 4 In the Description field, type a description.
Step 5 From the Type list, select Remote High-Speed Log.
Step 6 From the Pool Name list, select a logging pool from the list of remote log
servers.
For example, Logging_Pool.
Step 7 From the Protocol list, select TCP.
Step 8 Click Finish.
Creating a formatted log destination
The formatted log destination allows you to specify any special formatting required
on the events forwarded to the high-speed logging destination.
Procedure
Step 1 From the navigation menu, select System > Logs > Configuration > Log
Destinations.
Step 2 Click Create.
Step 3 In the Name field, type a name for the logging format destination.
For example, Logging_Format_dest.
Step 4 In the Description field, type a description.
Step 5 From the Type list, select Remote Syslog.
Step 6 From the Syslog Format list, select Syslog.
Step 7 From the High-Speed Log Destination list, select your high-speed logging
destination.
For example, Logging_HSL_dest.
Step 8 Click Finished.
Creating a log publisher
Creating a publisher allows the BIG-IP appliance to publish the formatted log
message to the local syslog database.
Procedure
Step 1 From the navigation menu, select System > Logs > Configuration > Log
Publishers.
Step 2 Click Create.
Step 3 In the Name field, type a name for the publisher.
For example, Logging_Pub.
Step 4 In the Description field, type a description.
Step 5 From the Destinations field, in the Available list, select the log
destination name you created in Step 3 and click << to add items to the
Selected list.
This moves your logging format destination from the Available list to the Selected
list. To include local logging in your publisher configuration, you can add
local-db and local-syslog to the Selected list.
Creating a logging profile
Logging profiles allow you to configure the types of events that your Advanced
Firewall Manager produces and associate those events with the logging
destination.
Procedure
Step 1 From the navigation menu, select Security > Event Logs > Logging Profile.
Step 2 Click Create.
Step 3 In the Name field, type a name for the log profile.
For example, Logging_Profile.
Step 4 In the Network Firewall field, select the Enabled check box.
Step 5 From the Publisher list, select the log publisher you configured.
For example, Logging_Pub.
Step 6 In the Log Rule Matches field, select the Accept, Drop, and Reject check
boxes.
Step 7 In the Log IP Errors field, select the Enabled check box.
Step 8 In the Log TCP Errors field, select the Enabled check box.
Step 9 In the Log TCP Events field, select the Enabled check box.
Step 10 In the Storage Format field, from the list, select Field-List.
Step 11 In the Delimiter field, type , (comma) as the delimiter for events.
Step 12 In the Storage Format field, select all of the options in the Available
Items list and click <<.
This moves all the Field-List options from the Available list to the Selected list.
Step 13 In the IP Intelligence pane, from the Publisher list, select the log
publisher you configured.
For example, Logging_Pub.
Step 14 Click Finished.
Associate the profile to a virtual server
The log profile you created must be associated with a virtual server in the Security
Policy tab. This allows the virtual server to process your network firewall events,
along with local traffic.
Procedure
Step 1 From the navigation menu, select Local Traffic > Virtual Servers.
Step 2 Click the name of a virtual server to modify.
Step 3 From the Security tab, select Policies.
Step 4 From the Log Profile list, select Enabled.
Step 5 From the Profile field, in the Available list, select Logging_Profile or the
name you specified in Step 3 and click <<.
This moves the Logging_Profile option from the Available list to the Selected list.
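
The procedures above build a chain of references (virtual server, logging profile, publisher, formatted destination, high-speed log destination, pool), and a break at any link stops events from reaching QRadar. The following added example, which is not part of the IBM guide or F5 tooling, audits that chain; the dictionary layout, vs_example and 192.0.2.10 are assumptions made for illustration.

```python
# Constructed inventory: a hand-made model of the objects this guide creates,
# not BIG-IP's own configuration syntax. 192.0.2.10 and vs_example are placeholders.
GOOD = {
    "pools": {"Logging_Pool": {"members": [("192.0.2.10", 514)]}},
    "destinations": {
        "Logging_HSL_dest": {"type": "remote-high-speed-log",
                             "pool": "Logging_Pool", "protocol": "tcp"},
        "Logging_Format_dest": {"type": "remote-syslog", "hsl": "Logging_HSL_dest"},
    },
    "publishers": {"Logging_Pub": {"destinations": ["Logging_Format_dest"]}},
    "profiles": {"Logging_Profile": {"publisher": "Logging_Pub",
                                     "storage_format": "field-list", "delimiter": ","}},
    "virtual_servers": {"vs_example": {"log_profiles": ["Logging_Profile"]}},
}

def audit_chain(cfg, virtual_server):
    """Follow virtual server -> profile -> publisher -> destinations -> pool."""
    vs = cfg["virtual_servers"].get(virtual_server)
    if vs is None:
        return [f"{virtual_server}: virtual server not found"]
    findings = [] if vs["log_profiles"] else [f"{virtual_server}: no log profile selected"]
    for pname in vs["log_profiles"]:
        prof = cfg["profiles"].get(pname)
        if prof is None:
            findings.append(f"{pname}: log profile not defined")
            continue
        if (prof["storage_format"], prof["delimiter"]) != ("field-list", ","):
            findings.append(f"{pname}: expected Field-List storage with a comma delimiter")
        pub = cfg["publishers"].get(prof["publisher"], {"destinations": []})
        dests = [cfg["destinations"].get(d, {}) for d in pub["destinations"]]
        formatted = [d for d in dests if d.get("type") == "remote-syslog"]
        if not formatted:
            findings.append(f"{prof['publisher']}: no Remote Syslog destination selected")
        for dest in formatted:
            hsl = cfg["destinations"].get(dest["hsl"], {})
            if hsl.get("type") != "remote-high-speed-log":
                findings.append(f"{dest['hsl']}: not a Remote High-Speed Log destination")
                continue
            if hsl["protocol"] != "tcp":
                findings.append(f"{dest['hsl']}: protocol is {hsl['protocol']}, guide uses TCP")
            pool = cfg["pools"].get(hsl["pool"])
            if pool is None:
                findings.append(f"{hsl['pool']}: logging pool not defined")
            elif any(port != 514 for _, port in pool["members"]):
                findings.append(f"{hsl['pool']}: member not on service port 514")
    return findings

if __name__ == "__main__":
    print(audit_chain(GOOD, "vs_example") or "log chain matches the guide")
```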
