Modules for Adding Security Log Profiles #2403

Closed
kevinrobertssealingtech opened this issue Apr 19, 2024 · 3 comments
Labels: awaiting-user-action, enhancement, untriaged


@kevinrobertssealingtech

Is your feature request related to a problem? Please describe.

I do not believe an Ansible module exists that can build "security log profiles". These are located at Security --> Event Logs --> Logging Profiles in the GUI and security log profile in tmsh.

Describe the solution you'd like

F5 creates an Ansible module that implements this capability so future users will not be dependent on using non-idempotent tmsh shell commands to create these in an automated build.

Describe alternatives you've considered

I wound up using tmsh shell and doing it twice doesn't hurt anything. But Ansible modules would be cleaner.

Additional context

Hello, hope you are doing well today. I am working on automating the deployment and configuration of an F5 Big-IP VM using Ansible. After spending a week or two getting fairly familiar with all of the configuration options and behind-the-scenes configurations that happen when building objects through the GUI, I was able to use Ansible modules to do just about everything I wanted to do. These modules are great! Thank you for your hard work.

The only module I was not able to find or figure out a way to do with another existing related module was a module to build "security log profiles". I believe these are a feature of ASM (and possibly other security features.) They correlate to Security --> Event Logs --> Logging Profiles in the GUI.

I was able to work around my issue by building the desired profiles in the GUI, grabbing the config via CLI, and then figuring out how to build them automatically using tmsh shell. That Ansible module tells you to create a feature request if you need to use it, so this is that request!

For clarity, my full workflow is something like this:

  • Deploy F5 VM using Terraform to deploy the OVA
  • Set up system-level configurations on F5 (NTP, DNS, SSH, Syslog, Hostname, etc.)
  • Install Licensing
  • Enable Appropriate Features
  • Set up Interfaces, VLANs, tagging, routes, etc.
  • Import certificates
  • Set up Security Log Profiles / Logging Policy (this one is the one that I can't find an Ansible module for)
  • Set up ASM Security Policy (had to import an existing one, but I can see why. It would be a pretty complex implementation otherwise)
  • Create virtual server that is set up to use the features created with the rest of the automation.

Code I wound up using for the log profiles:

  - name: F5 Logging Profile Setup - Traffic-Plane - Create Logging Profiles for ASM Security Policy using tmsh shell  #Relates to Security  -->  Event Logs --> Logging Profiles
    f5networks.f5_modules.bigip_command:
      commands:
        - "{{f5_configuration_tmsh_command_local_apm_log_profile_create}}"
        - "{{f5_configuration_tmsh_command_remote_apm_log_profile_create}}"
      provider:
        password: "{{f5_provider_password}}"
        server: "{{f5_provider_server}}"
        user: "{{f5_provider_user}}"
        validate_certs: "{{f5_provider_validate_certs}}"
    delegate_to: localhost

ansible vars / tmsh code:

f5_configuration_local_apm_log_profile_name="CUSTOM-APM-LOCAL-LOG-PROFILE"
f5_configuration_remote_apm_log_profile_name="CUSTOM-APM-REMOTE-LOG-PROFILE"

f5_configuration_tmsh_command_local_apm_log_profile_create= "create /security log profile {{f5_configuration_local_apm_log_profile_name}} application add { {{f5_configuration_local_apm_log_profile_name}} { filter add { log-challenge-failure-requests { values add { disabled } } request-type { values add { all } } } response-logging all } }"
f5_configuration_tmsh_command_remote_apm_log_profile_create="create /security log profile {{f5_configuration_remote_apm_log_profile_name}} application add { {{f5_configuration_remote_apm_log_profile_name}} { filter add { log-challenge-failure-requests { values add { disabled } } request-type { values add { all } } } format { fields { attack_type blocking_exception_reason captcha_result client_type compression_method conviction_traps credential_stuffing_lookup_result date_time dest_ip dest_port device_id enforced_by enforcement_action epoch_time fragment geo_location http_class_name ip_address_intelligence ip_client ip_with_route_domain is_truncated likely_false_positive_sig_ids login_result management_ip_address management_ip_address_2 method microservice mobile_application_name mobile_application_version operation_id password_hash_prefix policy_apply_date policy_name protocol protocol_info query_string request request_status response response_code route_domain session_id severity sig_cves sig_ids sig_names sig_set_names slot_number src_port staged_sig_cves staged_sig_ids staged_sig_names staged_sig_set_names staged_threat_campaign_names sub_violations support_id tap_event_id tap_requested_action tap_sent_token tap_transaction_id tap_vid threat_campaign_names unit_hostname uri username violation_details violation_rating violations virus_name vs_name websocket_direction websocket_message_type x_forwarded_for_header_value } } local-storage disabled logger-type remote maximum-entry-length 64k remote-storage remote report-anomalies enabled report-challenge-failure-messages enabled response-logging all servers add { {{f5_configuration_syslog_remote_host}}:{{f5_configuration_syslog_remote_port}} { } } } }"

The actual commands with some variables filled in:

##NOTE commplex-main is what port 5000 translates to in the F5 configs

create /security log profile CUSTOM-APM-LOCAL-LOG-PROFILE-2 application add { CUSTOM-APM-LOCAL-LOG-PROFILE-2 { filter add { log-challenge-failure-requests { values add { disabled } } request-type { values add { all } } } response-logging all } }
create /security log profile CUSTOM-APM-REMOTE-LOG-PROFILE-1 application add { CUSTOM-APM-REMOTE-LOG-PROFILE-1 { filter add { log-challenge-failure-requests { values add { disabled } } request-type { values add { all } } } format { fields { attack_type blocking_exception_reason captcha_result client_type compression_method conviction_traps credential_stuffing_lookup_result date_time dest_ip dest_port device_id enforced_by enforcement_action epoch_time fragment geo_location http_class_name ip_address_intelligence ip_client ip_with_route_domain is_truncated likely_false_positive_sig_ids login_result management_ip_address management_ip_address_2 method microservice mobile_application_name mobile_application_version operation_id password_hash_prefix policy_apply_date policy_name protocol protocol_info query_string request request_status response response_code route_domain session_id severity sig_cves sig_ids sig_names sig_set_names slot_number src_port staged_sig_cves staged_sig_ids staged_sig_names staged_sig_set_names staged_threat_campaign_names sub_violations support_id tap_event_id tap_requested_action tap_sent_token tap_transaction_id tap_vid threat_campaign_names unit_hostname uri username violation_details violation_rating violations virus_name vs_name websocket_direction websocket_message_type x_forwarded_for_header_value } } local-storage disabled logger-type remote maximum-entry-length 64k remote-storage remote report-anomalies enabled report-challenge-failure-messages enabled response-logging all servers add { 1.1.1.1:commplex-main { } } } }

Hopefully this is a helpful feature request for someone at F5. It doesn't really impact my project since I have two fairly static configs that are unlikely to change but for others it could.

If I totally blew it and there IS a pre-existing module to do this, I apologize for wasting your time. In this case, please let me know and it would be greatly appreciated.

Additionally, if there is anything else I can do to help, please let me know. Thanks!

@kevinrobertssealingtech added the enhancement and untriaged labels Apr 19, 2024
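Added example, not part of the original issue or of F5's code: a small Python check that parses a `create /security log profile` command in the syntax posted above and reports where the profile logs and which required fields its format omits, so a static tmsh string can be reviewed before it is pushed. `SAMPLE`, `parse_tmsh`, `lookup` and `audit_profile` are names constructed for this illustration, and the check assumes the application block is named after the profile, as in the issue's commands.

```python
import re

# Constructed sample in the syntax of the issue's remote profile (field list shortened).
SAMPLE = (
    "create /security log profile DEMO-REMOTE application add { DEMO-REMOTE { "
    "filter add { request-type { values add { all } } } "
    "format { fields { date_time ip_client uri violations support_id } } "
    "local-storage disabled logger-type remote remote-storage remote "
    "response-logging all servers add { 1.1.1.1:commplex-main { } } } }"
)

def parse_tmsh(text):
    """Turn brace-delimited tmsh text into nested lists of tokens."""
    stack = [[]]
    for tok in re.findall(r"[{}]|[^\s{}]+", text):
        if tok == "{":
            stack[-1].append([])
            stack.append(stack[-1][-1])
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in tmsh text")
            stack.pop()
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '{' in tmsh text")
    return stack[0]

def lookup(block, key):
    """Return the token or block that follows `key`, skipping tmsh's 'add' verb."""
    for i, tok in enumerate(block or []):
        if tok == key:
            rest = [t for t in block[i + 1:i + 3] if t != "add"]
            return rest[0] if rest else None
    return None

def audit_profile(command, required_fields):
    """Summarise where a 'create /security log profile' command logs and what it omits."""
    tree = parse_tmsh(command)
    name = lookup(tree, "profile")  # create /security log profile <name>
    app = lookup(lookup(tree, "application"), name)  # assumes block named after profile
    fields = lookup(lookup(app, "format"), "fields") or []
    return {
        "name": name,
        "remote": lookup(app, "logger-type") == "remote",
        "local_storage": lookup(app, "local-storage"),
        "servers": [t for t in lookup(app, "servers") or [] if isinstance(t, str)],
        "missing_fields": sorted(set(required_fields) - set(fields)),
    }
```

Calling `audit_profile(SAMPLE, [...])` with the field names a downstream SIEM parser depends on gives a quick pre-deployment review of a profile string that is otherwise one long line.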
@pgouband
Contributor

Hi @kevinrobertssealingtech,

I think your request is a duplicate:
#2397 linked to F5Networks/f5-ansible-bigip#83

Have you tried using AS3 and Ansible declarative collection?

Here is the link to AS3 Ansible module with examples:
https://clouddocs.f5.com/products/orchestration/ansible/devel/f5_bigip/modules_2_0/bigip_as3_deploy_module.html#bigip-as3-deploy-module-2

Here is the link to AS3 declaration examples:
https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/declarations/

@pgouband added the awaiting-user-action label Apr 22, 2024
@kevinrobertssealingtech
Author

Thank you, I was not aware of the AS3 and declarative collections. I don't think I will need them for my use-case since this one part will be incredibly static for my team's use case, but I will keep it in mind for future reference.

It does look like the issues you linked would be the same as what I referenced here. Sounds like it's an existing request and it's up to your team how best to proceed with feature requests like this one if you're favoring the declarative + JSON methodology.

I don't need anything else at this time so feel free to handle this feature request as you see fit. Thanks for the info and apologies if I wasted anyone's time by missing out on the alternative functionalities.

@pgouband
Contributor

Hi @kevinrobertssealingtech,

No problem.
I'll close this issue because it's a duplicate of:
#2397
F5Networks/f5-ansible-bigip#83
