Closing the gap between developers and F5 Application Security Manager using Splunk

Most companies that have an F5 Application Security Manager (ASM) securing their production web applications also use it to protect their acceptance environment. The main reason is to make sure that the ASM security policy does not block legitimate traffic to the web application.

Functional testers and developers deploying to acceptance can be blocked by the ASM when the policy is in blocking mode and tightly tuned. What typically happens is that the tester or developer receives an error page from F5 ASM with a support ID but no information about why the request was blocked. They have no access to the F5 console or the F5 logs, so they have to copy-and-paste the support ID and ask the F5 operations team, usually part of the networking team, to retrieve the HTTP payload and find out why F5 ASM blocked the request. This takes time and is annoying when debugging and troubleshooting, especially when you are near a deadline!

Splunk to the rescue! Splunk indexes and lets you search, alert and report on all your IT infrastructure data from a single location in real time: logs, configurations, messages, traps and alerts, scripts and metrics; if a machine can generate it, Splunk can index it. So if you have F5 ASM and want to give testers and developers access to the F5 logs, download Splunk here and add a logging profile to F5 like this:

  1. Install Splunk on a machine of your choice.
  2. Add a TCP listener in Splunk Manager, on port 4444 for example. You can also create a new Splunk index, such as asm_log.
  3. Configure F5 ASM with a new logging profile and a remote reporting server, using the IP address of the Splunk machine and port 4444. Here you can also choose to log all HTTP requests and responses, not only the blocked ones.
  4. Optionally, download and install the new and free Splunk for F5 app from the SplunkBase website. It shows all the information with nice graphs and a dashboard.

But in a production environment you don't want to give everybody full read access to the F5 logs. With Splunk Enterprise Edition you can build your own app in Splunk and restrict access with a Splunk role, so that the tester or developer can only search for the support ID they received when blocked and immediately look up the HTTP request and the block reason. And only that.
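As an added example (not configuration from the original post, nor from F5 or Splunk documentation), here is the Splunk side of steps 2 and 3 together with the restricted role described above, written as the three Splunk .conf files involved. Port 4444 and the index name asm_log come from the post; the sourcetype name, the role name and the `support_id` field name used in the search filter are assumptions and should be aligned with whatever the Splunk for F5 app actually extracts.

```ini
# --- inputs.conf (on the Splunk indexer)
# TCP listener that the F5 ASM logging profile points at as its remote reporting server.
[tcp://4444]
index = asm_log
# assumed sourcetype name; use the one the Splunk for F5 app expects
sourcetype = f5_asm
# record the BIG-IP's IP address as the host field of each event
connection_host = ip

# --- indexes.conf
# A dedicated index, so that role-based access can be scoped to ASM data only.
[asm_log]
homePath   = $SPLUNK_DB/asm_log/db
coldPath   = $SPLUNK_DB/asm_log/colddb
thawedPath = $SPLUNK_DB/asm_log/thaweddb

# --- authorize.conf
# Role for testers/developers: may read the asm_log index and nothing else,
# and every search they run is silently ANDed with the srchFilter below,
# so they only ever see events that carry a support ID.
[role_asm_support_lookup]
importRoles = user
srchIndexesAllowed = asm_log
srchIndexesDefault = asm_log
# assumed field name for the ASM support ID in the indexed events
srchFilter = support_id=*
# keep the role cheap: few concurrent searches, no real-time searches
srchJobsQuota = 2
rtSrchJobsQuota = 0
```

The app's lookup form can then run a search such as `index=asm_log support_id="<the ID from the block page>"` on behalf of that role; because the role cannot reach any other index, that form really is all the developer gets.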
