
Integrate F5

You must have the Firewall integrations license pack to use this feature.

You can integrate F5 BIG-IP ASM with Sophos Central so that it sends alerts to Sophos.

This integration uses a log collector hosted on a virtual machine (VM). Together they're called an integration appliance. The appliance receives third-party data and sends it to the Sophos Data Lake.

This page describes integration using an appliance on ESXi or Hyper-V. If you want to integrate using an appliance on AWS, see Integrations on AWS.

Key steps

The key steps in an integration are as follows:

  • Add an integration for this product. In this step, you create an image of the appliance.
  • Download and deploy the image on your VM. This becomes your appliance.
  • Configure F5 BIG-IP ASM to send data to the appliance.

Requirements

Appliances have system and network access requirements. To check that you meet them, see Appliance requirements.

Add an integration

To add the integration, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Click F5 BIG-IP ASM.

    The F5 BIG-IP ASM page opens. You can add integrations here and see a list of any you've already added.

  3. In Data Ingest (Security Alerts), click Add Configuration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

    Integration setup steps appears.

Configure the appliance

In Integration setup steps, you can configure a new appliance or use an existing one.

We assume here that you configure a new appliance. To do this, create an image as follows:

  1. Enter an integration name and description.
  2. Click Create new appliance.
  3. Enter a name and description for the appliance.
  4. Select the virtual platform. Currently we support VMware ESXi 6.7 Update 3 or later and Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later.
  5. Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the appliance.

    • Select DHCP to assign the IP address automatically.

      Note

      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

  6. Select the Syslog IP version and enter the Syslog IP address.

    You'll need this syslog IP address later, when you configure F5 BIG-IP ASM to send data to your appliance.

  7. Select a Protocol.

    You must use the same protocol when you configure F5 BIG-IP ASM to send data to your appliance.

  8. Click Save.

    We create the integration and it appears in your list.

    In the integration details, you can see the port number for the appliance. You'll need this later when you configure F5 BIG-IP ASM to send data to it.

    It might take a few minutes for the appliance image to be ready.

Deploy the appliance

Restriction

If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you have to deploy another VM, you must create an OVA file again in Sophos Central.

Use the image to deploy the appliance as follows:

  1. In the list of integrations, in Actions, click the download action for your platform, for example Download OVA for ESXi.
  2. When the image download finishes, deploy it on your VM. See Deploy an appliance.

Configure F5 BIG-IP ASM

You now configure F5 BIG-IP ASM to send alerts to us, using syslog forwarding.

Note

You can configure multiple instances of F5 BIG-IP ASM to send data to Sophos via the same appliance. After you finish integration, repeat the steps in this section for your other instances of F5 BIG-IP ASM. You don't need to repeat the steps in Sophos Central.

To configure alert forwarding, do as follows:

Create a logging profile

You must create a custom logging profile to log application security events.

  1. On the Main tab, click Security > Event Logs > Logging Profiles.
  2. In Logging Profiles, click Create.

    The New Logging Profile screen opens.

  3. In Profile Name, enter a unique name for the profile.

  4. Select Application Security.

    The screen displays additional fields.

  5. On the Application Security tab, under Configuration, select Advanced.

  6. Select Remote Storage to store logs remotely.
  7. In the Response Logging list, select For Illegal Requests Only.

    By default, the system logs the first 10,000 bytes of responses, up to 10 responses per second. You can change the limits by using the response logging system variables.

    By default, the system logs all requests. To limit the type of requests that the system or server logs, set up the Storage Filter.

Continue to set up remote logging.

Set up remote logging

You can configure your logging profile to log application security events remotely on a syslog server.

  1. On the Main tab, click Security > Event Logs > Logging Profiles.
  2. In Logging Profiles, click the name of the logging profile for which you want to set up remote logging.
  3. Select Remote Storage.

    In the Remote Storage Type list, select Remote. Messages are in syslog format.

  4. In Protocol, select the protocol you set in Sophos Central: UDP or TCP.

    The selected protocol applies to all remote server settings on this screen, including all server IP addresses.

  5. In Server Addresses, specify the server on which to log traffic. Enter the IP Address and Port Number you specified earlier in Sophos Central, and click Add.

  6. In Facility, select the category of the logged traffic. For this integration, it doesn’t matter which you choose.
  7. In the Storage Format setting, you can specify how the log displays information, which traffic items the server logs, and what order it logs them in.
  8. In Maximum Query String Size, you can specify how much of a request the server logs. Select Any.
  9. In Maximum Entry Length, you can specify how much of the entry length the server logs. Accept the default length (1K for remote servers that support UDP, and 2K for remote servers that support TCP).
  10. Select Report Detected Anomalies. The system will send a report to the remote system log when a brute force attack or web scraping attack starts and ends.
  11. In the Storage Filter area, make any changes as required.
  12. Click Finished.

When you create a logging profile for remote storage, the system stores the data for the associated security policy on one or more remote systems.
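Steps 4 and 5 above are where integrations most often break: the appliance only listens on the protocol and port you chose in Sophos Central, so an F5 profile sending UDP to a TCP listener (or the reverse) fails silently or is refused. The following Python script is an added example, not Sophos or F5 code, that reproduces that exchange on the loopback interface: a tiny listener stands in for the appliance's syslog input, a sender stands in for F5, and `check_delivery` reports whether an event arrives for each protocol pairing. The sample event line is constructed for illustration and does not follow the real ASM storage format.

```python
import socket
import threading

# Constructed sample event in RFC 3164 syslog framing; <134> is facility local0, severity info.
# It is a placeholder, not an actual F5 BIG-IP ASM storage-format record.
SAMPLE_EVENT = "<134>Jan 01 00:00:00 bigip1 ASM: constructed test event for appliance connectivity"


def start_listener(protocol, host="127.0.0.1", port=0):
    """Bind a socket that plays the role of the appliance's syslog input.

    protocol is "UDP" or "TCP" (the choice made in Sophos Central).
    port 0 lets the OS pick a free port; the bound port is returned.
    """
    if protocol == "UDP":
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    else:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    if protocol == "TCP":
        sock.listen(1)
    sock.settimeout(2.0)  # give up if nothing arrives, like a monitoring check would
    return sock, sock.getsockname()[1]


def receive_one(sock, protocol):
    """Wait for one event on the listener; return its text, or None on timeout."""
    try:
        if protocol == "UDP":
            data, _ = sock.recvfrom(4096)
            return data.decode().rstrip("\n")
        conn, _ = sock.accept()
        with conn:
            conn.settimeout(2.0)
            chunks = []
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        return b"".join(chunks).decode().rstrip("\n")
    except socket.timeout:
        return None


def send_syslog(host, port, protocol, message):
    """Send one syslog line the way the F5 remote-storage setting would.

    Returns True if the transport accepted the message. Note that UDP always
    reports success: nothing tells the sender the far end was not listening.
    """
    payload = (message if message.endswith("\n") else message + "\n").encode()
    if protocol == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(payload, (host, port))
        return True
    try:
        with socket.create_connection((host, port), timeout=2.0) as s:
            s.sendall(payload)
        return True
    except (ConnectionRefusedError, socket.timeout):
        return False


def check_delivery(sender_protocol, listener_protocol, message=SAMPLE_EVENT):
    """Run one sender/listener exchange in-process.

    Returns the text the listener received, or None when the protocols
    disagree and the event never reaches the appliance stand-in.
    """
    sock, port = start_listener(listener_protocol)
    result = {}
    worker = threading.Thread(
        target=lambda: result.update(got=receive_one(sock, listener_protocol))
    )
    worker.start()
    accepted = send_syslog("127.0.0.1", port, sender_protocol, message)
    worker.join()
    sock.close()
    return result.get("got") if accepted else None


if __name__ == "__main__":
    for sender, listener in (("UDP", "UDP"), ("TCP", "TCP"), ("UDP", "TCP"), ("TCP", "UDP")):
        got = check_delivery(sender, listener)
        print(f"F5 sends {sender}, appliance listens {listener}: "
              f"{'delivered' if got else 'NOT delivered'}")
```

The UDP-to-TCP case is the one to watch for in production: the F5 side reports no error, so the only symptom is an empty event stream in Sophos Central. Pointing `send_syslog` at the real appliance's syslog IP and port (with the listener half omitted) gives a quick smoke test after deployment; the `Facility` value in the `<134>` prefix can be anything, as the page notes.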

Associate a logging profile with a security policy

A logging profile records requests to the virtual server. By default, when you create a security policy, the system associates the Log Illegal Requests profile with the virtual server used by the policy.

You can change which logging profile is associated with the security policy or assign a new one by editing the virtual server.

  1. Click Local Traffic > Virtual Servers.
  2. Click the name of the virtual server used by the security policy. The system displays the general properties of the virtual server.
  3. From the Security menu, select Policies.

    The system displays the policy settings for the virtual server.

  4. Make sure that the Application Security Policy setting is Enabled and that Policy is set to the security policy you want.

  5. For Log Profile, do as follows:

    • Check that it's set to Enabled.
    • From the Available list, select the profile to use for the security policy, and move it into the Selected list.

  6. Click Update.

Information related to traffic controlled by the security policy is logged using the logging profile or profiles specified in the virtual server.