F5 HSL
  • 16 Sep 2024

HSL stands for High-Speed Logging, a feature commonly associated with networking and security appliances like F5 Networks' products. High-speed logging refers to the capability of these appliances to capture and record large volumes of data at high speeds. This data typically includes network traffic, system events, security logs, and other relevant information for analysis, troubleshooting, and compliance purposes.

Traceable captures F5’s HSL data through the Traceable Platform agent and sends it to Traceable’s Platform for further processing. Following is a high-level data flow diagram.


Following is a high-level explanation of the data flow through F5 HSL:

  1. The request passes through F5 HSL iRule. Traceable captures the request data and stores it.

  2. The request is sent to the backend application.

  3. The response is sent back, and Traceable captures it.

  4. Requests and responses are sent to the Traceable Platform agent in a single request.

  5. The response from the backend application is sent back to the client.


Before you begin

Make a note of the following points before you proceed with the configurations:

  • Make sure that you have the correct privileges in F5 for administrative tasks like creating pools and working with iRule.

  • Download the iRule from Traceable’s download site. Navigate to agent → f5 → hsl → latest.

  • Log in to your Traceable Platform account and generate a token. You can obtain a token by completing the following steps:

    1. Log in to your Traceable account.

    2. Navigate to Settings → Account → Agent Tokens.

    3. Click on Generate Token.

      Make sure to copy and save the generated token, as you cannot access it again. You can only edit or delete the name of the token. This token is used in the steps detailed below. If this token is deleted from Traceable Platform (UI), the communication between Traceable Platform agent and Traceable Platform (UI) will break. In such a case, generate and update a new token in the Platform agent.



Configuration

Setting up F5 HSL is composed of the following steps:

  • Setting up a Traceable Platform agent with hsl_listener.

  • F5 HSL setup.

  • Create pools for the Traceable Platform agent and the application.

Step 1 — Set up Traceable Platform agent

You need to set up the Traceable Platform agent on a VM with hsl_listener. You can do this either by editing the Platform agent configuration or by using the installation script. For more information on installing the Platform agent on a VM using the installation script, see Install on VM.

Option 1 — Install by editing Platform agent configuration

Edit the config.yaml file to configure hsl_listener. Set the following:

global:
  hsl_server:
    enabled: false # set to true
    endpoint: "0.0.0.0:8443"
    key_file: "/path/to/key.pem"
    cert_file: "/path/to/cert.pem"
    max_queue_size: 1000

Important

  • Provide the paths to the key and certificate in config.yaml to set up the HSL server over TLS.

  • If you do not want to use TLS between F5 and the Traceable Platform agent, leave the key_file and cert_file fields empty. In this case, skip steps 3 and 4 and use the pool created in step 2 directly in the iRule (step 5).
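
The two TLS modes described above can be checked before F5 is pointed at the agent. The following is an added example, not part of the Traceable documentation or agent: a small Python lint for the hsl_server block that reports whether the listener would run with TLS, in plaintext, or not at all. The function names, the sample config, treating a half-set key/cert pair as an error, and the key-file permission check are assumptions of this example.

```python
import os
import stat

# Constructed sample mirroring the hsl_server block above; paths are placeholders.
SAMPLE_CONFIG = """\
global:
  hsl_server:
    enabled: true
    endpoint: "0.0.0.0:8443"
    key_file: "/path/to/key.pem"
    cert_file: "/path/to/cert.pem"
    max_queue_size: 1000
"""

def read_hsl_server(text):
    """Extract the flat key/value pairs under hsl_server (not a general YAML parser)."""
    settings, base_indent = {}, None
    for line in text.splitlines():
        body = line.split(" #", 1)[0].rstrip()      # drop trailing comments
        if not body.strip():
            continue
        indent = len(body) - len(body.lstrip())
        if base_indent is None:
            if body.strip() == "hsl_server:":
                base_indent = indent
            continue
        if indent <= base_indent:                    # left the hsl_server block
            break
        key, _, value = body.strip().partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def lint_hsl_server(text):
    """Return (mode, findings); mode is 'tls', 'plaintext', 'disabled' or 'invalid'."""
    cfg, findings = read_hsl_server(text), []
    if cfg.get("enabled", "false").lower() != "true":
        return "disabled", ["hsl_server.enabled is not true"]
    key, cert = cfg.get("key_file", ""), cfg.get("cert_file", "")
    if bool(key) != bool(cert):                      # assumption: half-set TLS is an error
        return "invalid", ["set both key_file and cert_file, or leave both empty"]
    if not key:
        return "plaintext", ["no TLS: HSL data from F5 arrives unencrypted; skip steps 3 and 4"]
    for label, path in (("key_file", key), ("cert_file", cert)):
        if not os.path.isfile(path):
            findings.append(f"{label} not found: {path}")
    # Added check (assumption): the private key should not be readable by group/others.
    if os.path.isfile(key) and stat.S_IMODE(os.stat(key).st_mode) & 0o077:
        findings.append(f"key_file is accessible to group/others: {key}")
    return "tls", findings
```

Call lint_hsl_server() on the text of your own config.yaml. A "plaintext" result means the iRule should use the pool from step 2 directly.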

Option 2 — Use install.sh script

You can also use the install.sh script to install the Traceable Platform agent. Follow the instructions to download the installation script.

Enter the following command to install the Platform agent with hsl_listener. Make sure that you have the path to the public and private key, the name for your environment, the service name, and the Platform token you generated in the Before you Begin section.

sudo ./install.sh tpa-only -e <ENVIRONMENT_NAME> -s <SERVICE_NAME> --raw-token <TPA_TOKEN> --hsl-enabled true --hsl-tls-cert <path/to/cert.crt> --hsl-tls-key <path/to/key.key>

Step 2 — Create a Platform agent pool

In your F5 setup, create a Platform agent pool and application pool. Complete the following steps:

Create a Platform agent pool (tpa-pool)

Complete the following steps to create a Platform agent pool:

  1. In your F5 setup, navigate to Local Traffic → Pools → Pool list and click on Create.

  2. Provide the IP address of the Traceable Platform agent and set the port number to 8443. In the Health Monitor section, select tcp_half_open.


Step 3 — Create virtual servers for the Platform agent

To create a virtual server for the Platform agent and application, navigate to Local Traffic → Virtual Servers → Virtual servers list. Click on Create.

Create a Platform agent virtual server (tpa-vip)

Enter the IP address of the Traceable Platform agent VM with port number 8443. Under the Configuration → SSL Profile (Server) section, select serverssl. Complete the following steps:

  1. Provide any free IP address and port number. In the screenshot, port 8443 is provided. You can choose any other port number.

  2. In the Configuration section, set SSL Profile.

  3. Click on the Resources tab and select the Default pool as the Platform agent (tpa-pool) that you created in Step 2.


Step 4 — Create a pool for the virtual server

HSL iRule cannot directly connect to the virtual server, so you must create a pool that uses the virtual server as the backend.

Complete the following steps to create a pool. For example, tpa-vip-pool:

  1. In your F5 setup, navigate to Local Traffic → Pools → Pool list and click Create.

  2. Provide the IP address and the port number used in step 3 to create a virtual server.


Step 5 — Create an iRule

To create an iRule, navigate to the Local Traffic → iRules page and click Create. Provide a name, then copy and paste the iRule that you downloaded from Traceable’s download site earlier. Provide the hsl_pool name and service_name. For hsl_pool, use the pool created in Step 4 (for example, tpa-vip-pool), or the pool from Step 2 if you are not using TLS. You can also use the default values.


Step 6 — Attach iRule to the application server

Attach the iRule that you created as part of Step 5 to the application’s virtual server. Navigate to the Resources tab of the application virtual server and click on the Manage button under the iRules section. Select the iRule that you created earlier.


The attached iRule is shown in the Resources tab of the application's virtual server.


Verification

To verify a successful setup, send traffic to your application. The traffic will show in the Traceable Platform, as shown below.

