
rodquin_211279
Jul 14, 2015

Logging traffic from span port

Hello,

 

I'm trying to log traffic coming from a SPAN port. The traffic is arriving properly at the F5 (if I do a tcpdump on the interface, I can see the traffic) but for some reason the F5 is not logging the traffic. Is there a special way to configure the F5 (BIG-IP)? I've searched in the documentation but I haven't found any kind of answer. Note that I don't want the F5 to be a load balancer, I just want it to alert in case of a web attack. I've created a new logging profile which logs all the traffic.

 

Can anyone help me with this? I've tried different configs but no luck.

 

Thank you very much.

 

Regards.

 

4 Replies

    • rodquin_211279
      Hello Steigman, First of all thank you very much for your quick response. :) What I want to do is the opposite thing, I mean, I want the F5 to act like an IDS. The F5 is receiving traffic from a SPAN port and I just want to generate an alert if it detects a web attack. Thank you very much. Regards.
  • A bit confusing. An F5 BIG-IP is not an IDS, it's a proxy. ASM (the F5 web application firewall) does detect and alert/block web attacks, but it generally does so in a proxy configuration - where application traffic flows through the proxy to the web servers.