IP Intelligence Logging
IP Intelligence (IPI) logging can be configured to view traffic that matches the configured IP Intelligence policy categories. IPI logging requires an F5BigLogHslpub CR, and an F5BigLogProfile CR with the Firewall section and its IPIntelligence sub-section enabled. The resulting logging profile must be associated with an F5BigContextSecure or F5BigContextGlobal CR.
CR parameters
The following table lists only a few parameters used in this document. For the full list of CR parameters, refer to the spec.firewall.ipIntelligence page.
Parameter | Description |
---|---|
publisher | Name of the log publisher that IP Intelligence logs are sent to. The log publisher object is of kind F5BigLogHslpub. |
translation | Enable the Log Translation Fields setting to log both the original IP address and the NAT-translated IP address for IP Intelligence log events. |
aggregateRate | Sets an aggregate rate limit, in log messages per second, for all IP Intelligence log messages combined. Log messages beyond this rate limit are not logged. |
Procedures
Follow the steps mentioned in this section to enable IP Intelligence logging.
Apply F5BigLogHslpub CR
The example F5BigLogHslpub CR given in this section specifies a remote server with IP/port [2002::10:30:2:220]:514, and the UDP protocol.
Note: The F5BigLogHslpub CR will be referenced by the F5BigLogProfile CR.
Copy and paste the following example into a YAML file:
```yaml
apiVersion: k8s.f5net.com/v1
kind: F5BigLogHslpub
metadata:
  name: "cnf-hsl-pub"
  namespace: "cnf-gateway"
spec:
  pool:
    - name: "hsl-pool"
      endpoint:
        - "[2002::10:30:2:220]:514"
  syslog:
    - name: "cnf-syslog"
      format: "rfc5424"
      protocol: "udp"
      pool: "hsl-pool"
```
Run the following command to apply the F5BigLogHslpub CR.
```bash
kubectl apply -f cnf-hsl-cr.yaml
```
In the following example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:
```
I0202 12:00:00.12347 1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub", F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
```
For more information on how to install and apply the F5BigLogHslpub CR, see F5BigLogHslpub page.
Sample output:
```
Mar 7 02:22:52 tmm_1 1 2025-03-07T02:22:52.687275+00:00 tmm_1 tmm 8 23003142 [F5@12276 action="Accept"attack_type="overridden_category" hostname="tmm_1" bigip_mgmt_ip="0.0.0.0" context_name="f5local-dns-vs-udp-virtual_server" context_type="Virtual Server" date_time="Mar 07 2025 02:22:52" dest_fqdn="unknown" dest_ip="192.168.0.33" dst_geo="Unknown" dest_port="53" device_product="Advanced Firewall Module" device_vendor="F5" device_version="10.14.2" errdefs_msgno="23003142" errdefs_msg_name="IP Intelligence Event" flow_id="0000000000000000" ip_intelligence_policy_name="my-ipi-policy-ipipolicy" ip_intelligence_threat_name="botnets" ip_protocol="UDP" severity="5" partition_name="" route_domain="0" sa_translation_pool="" sa_translation_type="" source_fqdn="unknown" source_ip="1.170.10.29" src_geo="Unknown" source_port="37581" translated_dest_ip="" translated_dest_port="" translated_ip_protocol="" translated_route_domain="" translated_source_ip="" translated_source_port="" translated_vlan="" vlan="eth1"] "Mar 07 2025 02:22:52","0.0.0.0","tmm_1","Advanced Firewall Module","F5","10.14.2","Virtual Server","f5local-dns-vs-udp-virtual_server","my-ipi-policy-ipipolicy","1.170.10.29","192.168.0.33","37581","53","Unknown","Unknown","unknown","unknown","eth1","UDP","0","botnets","Accept","overridden_category","","","","","","","","","","0000000000000000"
```
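The key="value" pairs in the F5@12276 element of the sample output above can be parsed into fields for triage on the log receiver. The following is an added example, not part of the original page or F5's code; the function names, the shortened sample line and the "review" rule are assumptions.

```python
import re

SD_START = "[F5@12276 "   # SD-ID as it appears in the sample output on this page
PAIR = re.compile(r'\s*([A-Za-z0-9_.-]+)="((?:[^"\\]|\\.)*)"')

def parse_ipi_event(line):
    """Return the F5@12276 structured-data fields of one syslog line, or None."""
    start = line.find(SD_START)
    if start < 0:
        return None
    pos, fields = start + len(SD_START), {}
    # Walk pair by pair: tolerates a missing space between pairs
    # (action="Accept"attack_type=...) and RFC 5424 escapes (\" \\ \]).
    while (m := PAIR.match(line, pos)):
        fields[m.group(1)] = re.sub(r'\\(["\\\]])', r'\1', m.group(2))
        pos = m.end()
    if not line[pos:].lstrip().startswith("]"):
        return None   # truncated or malformed element: do not trust it
    if fields.get("errdefs_msg_name") != "IP Intelligence Event":
        return None   # some other firewall event
    return fields

def triage(fields):
    """Hypothetical triage record; the 'review' rule is an assumption."""
    threat = fields.get("ip_intelligence_threat_name", "")
    return {
        "threat": threat,
        "policy": fields.get("ip_intelligence_policy_name", ""),
        "action": fields.get("action", ""),
        "source": f'{fields.get("source_ip", "")}:{fields.get("source_port", "")}',
        # Empty in the page's sample; holds the NAT-translated address when logged.
        "translated_source": fields.get("translated_source_ip") or None,
        # Traffic in a listed category that was still accepted deserves a look.
        "review": fields.get("action") == "Accept" and bool(threat),
    }

# Constructed sample: same field names as the sample output, shortened.
SAMPLE = ('Mar 7 02:22:52 tmm_1 1 2025-03-07T02:22:52.687275+00:00 tmm_1 tmm 8 '
          '23003142 [F5@12276 action="Accept"attack_type="overridden_category" '
          'errdefs_msg_name="IP Intelligence Event" '
          'ip_intelligence_policy_name="my-ipi-policy-ipipolicy" '
          'ip_intelligence_threat_name="botnets" source_ip="1.170.10.29" '
          'source_port="37581" translated_source_ip="" vlan="eth1"] "Mar 07 2025"')

if __name__ == "__main__":
    print(triage(parse_ipi_event(SAMPLE)))
```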
Apply F5BigLogProfile CR
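Enable the F5BigLogProfile CR with the firewall section and IP Intelligence logging sub-section configured. Copy and paste the following example into a YAML file.
```yaml
apiVersion: "k8s.f5net.com/v2"
kind: F5BigLogProfile
metadata:
  name: log-profile
spec:
  firewall:
    enabled: true
    ipIntelligence:
      # Log publisher (an object of kind F5BigLogHslpub) that receives the logs
      publisher: "hsl-publisher"
      # Log both the original and the NAT-translated IP address
      translation: true
      # Combined IP Intelligence log messages per second; excess is not logged
      aggregateRate: 5000
```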
Run the following command to apply the F5BigLogProfile CR.
```bash
kubectl apply -f logprof.yaml -n <namespace>
```
Verify the F5BigLogProfile CR is applied.
For more information on how to install and apply the F5BigLogProfile CR, see F5BigLogProfile page.