This section provides information on the following DSMs:
• F5 Networks BIG-IP AFM
• F5 Networks BIG-IP APM
• F5 Networks BIG-IP ASM
• F5 Networks BIG-IP LTM
• F5 Networks FirePass

F5 Networks BIG-IP AFM

The F5 Networks BIG-IP Advanced Firewall Manager (AFM) DSM for IBM Security QRadar accepts syslog events forwarded from F5 Networks BIG-IP AFM systems in name-value pair format.

Supported event types

QRadar is capable of collecting the following events from F5 BIG-IP appliances with Advanced Firewall Managers:
• Network events
• Network Denial of Service (DoS) events
• Protocol security events
• DNS events
• DNS Denial of Service (DoS) events

Before you begin

Before you can configure the Advanced Firewall Manager, you must verify that your BIG-IP appliance is licensed and provisioned to include Advanced Firewall Manager.

Procedure
Step 1 Log in to your BIG-IP appliance Management Interface.
Step 2 From the navigation menu, select System > License.
Step 3 In the License Status column, verify the Advanced Firewall Manager is licensed and enabled.

IBM Security QRadar DSM Configuration Guide 232 F5 NETWORKS

Step 4 To enable the Advanced Firewall Manager, select System > Resource Provisioning.
Step 5 From the Provisioning column, select the check box and select Nominal from the list.
Step 6 Click Submit to save your changes.

Configure a logging pool

A logging pool allows you to define a pool of servers that receive syslog events. The pool contains the IP address, port, and a node name that you provide.

Procedure
Step 1 From the navigation menu, select Local Traffic > Pools.
Step 2 Click Create.
Step 3 In the Name field, type a name for the logging pool. For example, Logging_Pool.
Step 4 From the Health Monitor field, in the Available list, select TCP and click <<. This moves the TCP option from the Available list to the Selected list.
Step 5 In the Resource pane, from the Node Name list, select Logging_Node or the name you defined in Step 3.
Step 6 In the Address field, type the IP address for the QRadar Console or Event Collector.
Step 7 In the Service Port field, type 514.
Step 8 Click Add.
Step 9 Click Finish.

Creating a high-speed log destination

The process to configure logging for BIG-IP AFM requires that you create a high-speed logging destination.

Procedure
Step 1 From the navigation menu, select System > Logs > Configuration > Log Destinations.
Step 2 Click Create.
Step 3 In the Name field, type a name for the destination. For example, Logging_HSL_dest.
Step 4 In the Description field, type a description.
Step 5 From the Type list, select Remote High-Speed Log.
Step 6 From the Pool Name list, select a logging pool from the list of remote log servers. For example, Logging_Pool.
Step 7 From the Protocol list, select TCP.
Step 8 Click Finish.

Creating a formatted log destination

The formatted log destination allows you to specify any special formatting required on the events forwarded to the high-speed logging destination.

Procedure
Step 1 From the navigation menu, select System > Logs > Configuration > Log Destinations.
Step 2 Click Create.
Step 3 In the Name field, type a name for the logging format destination. For example, Logging_Format_dest.
Step 4 In the Description field, type a description.
Step 5 From the Type list, select Remote Syslog.
Step 6 From the Syslog Format list, select Syslog.
Step 7 From the High-Speed Log Destination list, select your high-speed logging destination. For example, Logging_HSL_dest.
Step 8 Click Finished.

Creating a log publisher

Creating a publisher allows the BIG-IP appliance to publish the formatted log message to the local syslog database.

Procedure
Step 1 From the navigation menu, select System > Logs > Configuration > Log Publishers.
Step 2 Click Create.
Step 3 In the Name field, type a name for the publisher. For example, Logging_Pub.
Step 4 In the Description field, type a description.
Step 5 From the Destinations field, in the Available list, select the log destination name you created in Step 3 and click << to add items to the Selected list. This moves your logging format destination from the Available list to the Selected list.
To include local logging in your publisher configuration, you can add local-db and local-syslog to the Selected list.

Creating a logging profile

Logging profiles allow you to configure the types of events that your Advanced Firewall Manager is producing and associate your events with the logging destination.

Procedure
Step 1 From the navigation menu, select Security > Event Logs > Logging Profile.
Step 2 Click Create.
Step 3 In the Name field, type a name for the log profile. For example, Logging_Profile.
Step 4 In the Network Firewall field, select the Enabled check box.
Step 5 From the Publisher list, select the log publisher you configured. For example, Logging_Pub.
Step 6 In the Log Rule Matches field, select the Accept, Drop, and Reject check boxes.
Step 7 In the Log IP Errors field, select the Enabled check box.
Step 8 In the Log TCP Errors field, select the Enabled check box.
Step 9 In the Log TCP Events field, select the Enabled check box.
Step 10 In the Storage Format field, from the list, select Field-List.
Step 11 In the Delimiter field, type , (comma) as the delimiter for events.
Step 12 In the Storage Format field, select all of the options in the Available Items list and click <<. This moves all Field-List options from the Available list to the Selected list.
Step 13 In the IP Intelligence pane, from the Publisher list, select the log publisher you configured. For example, Logging_Pub.
Step 14 Click Finished.

Associate the profile to a virtual server

The log profile you created must be associated with a virtual server in the Security Policy tab.
This allows the virtual server to process your network firewall events, along with local traffic.

Procedure
Step 1 From the navigation menu, select Local Traffic > Virtual Servers.
Step 2 Click the name of a virtual server to modify.
Step 3 From the Security tab, select Policies.
Step 4 From the Log Profile list, select Enabled.
Step 5 From the Profile field, in the Available list, select Logging_Profile or the name you specified in Step 3 and click <<. This moves the Logging_Profile option from the Available list to the Selected list.
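
The procedures above build a chain of objects that reference each other by name: virtual server, logging profile, log publisher, formatted log destination, high-speed log destination, and logging pool. The following Python check is an added example, not part of the IBM guide or of F5 tooling. It walks that chain over a hand-written description of the configuration (the dict layout and key names are hypothetical, and 192.0.2.10 is a placeholder collector address) and reports the settings that would keep events from reaching QRadar.

```python
# Added example: dict layout and key names are hypothetical; sample values are constructed.
LOCAL_DESTS = {"local-db", "local-syslog"}  # optional local destinations named in the guide

def audit_chain(cfg, vs_name, collector_ip):
    """Walk virtual server -> log profile -> publisher -> destinations -> pool."""
    attached = cfg["virtual_servers"].get(vs_name, [])
    problems = [] if attached else [f"{vs_name}: no log profile attached"]
    for prof_name in attached:
        prof = cfg["log_profiles"].get(prof_name)
        if prof is None:
            problems.append(f"{prof_name}: log profile not defined")
            continue
        if not {"Accept", "Drop", "Reject"} <= set(prof.get("log_rule_matches", [])):
            problems.append(f"{prof_name}: Log Rule Matches lacks Accept/Drop/Reject")
        if (prof.get("storage_format"), prof.get("delimiter")) != ("Field-List", ","):
            problems.append(f"{prof_name}: expected Field-List with ',' delimiter")
        pub_name = prof.get("publisher")
        pub = cfg["publishers"].get(pub_name)
        if pub is None:
            problems.append(f"{prof_name}: publisher {pub_name!r} not defined")
            continue
        remote = [d for d in pub["destinations"] if d not in LOCAL_DESTS]
        if not remote:
            problems.append(f"{pub_name}: only local destinations selected")
        for dest in remote:
            # A dangling name resolves to {} so every downstream check is reported.
            fmt = cfg["formatted_destinations"].get(dest, {})
            hsl = cfg["hsl_destinations"].get(fmt.get("hsl_destination"), {})
            pool = cfg["pools"].get(hsl.get("pool"), {})
            if fmt.get("syslog_format") != "Syslog":
                problems.append(f"{dest}: Syslog Format is not Syslog")
            if hsl.get("protocol") != "TCP":
                problems.append(f"{dest}: high-speed log protocol is not TCP")
            if "TCP" not in pool.get("monitors", []):
                problems.append(f"{dest}: pool has no TCP health monitor")
            if [collector_ip, 514] not in pool.get("members", []):
                problems.append(f"{dest}: pool has no member {collector_ip}:514")
    return problems

GOOD = {  # constructed sample using the guide's example names
    "pools": {"Logging_Pool": {"monitors": ["TCP"], "members": [["192.0.2.10", 514]]}},
    "hsl_destinations": {"Logging_HSL_dest": {"pool": "Logging_Pool", "protocol": "TCP"}},
    "formatted_destinations": {"Logging_Format_dest": {
        "syslog_format": "Syslog", "hsl_destination": "Logging_HSL_dest"}},
    "publishers": {"Logging_Pub": {"destinations": ["Logging_Format_dest", "local-db"]}},
    "log_profiles": {"Logging_Profile": {"publisher": "Logging_Pub", "delimiter": ",",
        "storage_format": "Field-List", "log_rule_matches": ["Accept", "Drop", "Reject"]}},
    "virtual_servers": {"vs_example": ["Logging_Profile"]},
}
```

Calling audit_chain(GOOD, "vs_example", "192.0.2.10") returns an empty list; any returned string names the object in the chain that needs to be corrected.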