F5 HSL
  • 19 Apr 2024

HSL stands for High-Speed Logging, a feature commonly associated with networking and security appliances like F5 Networks' products. High-speed logging refers to the capability of these appliances to capture and record large volumes of data at high speeds. This data typically includes network traffic, system events, security logs, and other relevant information for analysis, troubleshooting, and compliance purposes.

Traceable captures F5’s HSL data through the Traceable Platform agent and sends it to Traceable’s Platform for further processing. Following is a high-level data flow diagram.


Following is a high-level explanation of the data flow through F5 HSL:

  1. The request passes through F5 HSL iRule. Traceable captures the request data and stores it.

  2. The request is sent to the backend application.

  3. The response is sent back, and Traceable captures it.

  4. Requests and responses are sent to the Traceable Platform agent in a single request.

  5. The response from the backend application is sent back to the client.


Before you begin

Make a note of the following points before you proceed with the configurations:

  • Make sure that you have the correct privileges in F5 for administrative tasks like creating pools and working with iRule.

  • Download the iRule from Traceable’s download site. Navigate to agent → f5 → hsl → latest.

  • Log in to your Traceable Platform account and generate a token. You can obtain a token by completing the following steps:

    1. Log in to your Traceable account.

    2. Navigate to Administration → Account → Agent Tokens.

    3. Click on Generate Token.

      Make sure to copy and save the generated token, as you cannot access it again. You can only edit or delete the name of the token. This token is used in the steps detailed below. If this token is deleted from Traceable Platform (UI), the communication between Traceable Platform agent and Traceable Platform (UI) will break. In such a case, generate and update a new token in the Platform agent.


Configuration

Setting up F5 HSL is composed of the following steps:

  • Setting up a Traceable Platform agent with hsl_listener.

  • F5 HSL setup.

  • Create pools for the Traceable Platform agent and the application.

Step 1 — Setup Traceable Platform agent

You need to set up the Traceable Platform agent on a VM with hsl_listener. You can do this either by editing the Platform agent configuration or by using the installation script. For more information on installing the Platform agent on a VM using the installation script, see Install on VM.

Option 1 — Install by editing Platform agent configuration

Edit the config.yaml file to configure hsl_listener. Set the following:

global:
  hsl_server:
    enabled: false # set to true
    endpoint: "0.0.0.0:8443" # listen address and port
    key_file: "" # path to the TLS private key
    cert_file: "" # path to the TLS certificate
    max_queue_size: 1000
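
A pre-flight check for the hsl_server block above, as an added example that is not part of Traceable's documentation or tooling. The names parse_block and lint_hsl, the finding codes, and the sample paths are assumptions for illustration, as is treating enabled: true plus a key and certificate as the intended state; the parser handles only this simple nested key/value layout.

```python
import os

# Constructed sample: the page's hsl_server block with placeholder TLS paths.
SAMPLE = """\
global:
  hsl_server:
    enabled: true
    endpoint: "0.0.0.0:8443"
    key_file: "/path/to/key.key"
    cert_file: "/path/to/cert.crt"
"""

def parse_block(text):
    """Parse nested 'key: value' YAML (no lists); enough for this block only."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs for the currently open parents
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        while stack[-1][0] >= indent:  # close mappings we have dedented out of
            stack.pop()
        key, _, value = line.strip().partition(":")
        if value.strip() == "":  # bare "key:" opens a nested mapping
            stack[-1][1][key] = child = {}
            stack.append((indent, child))
        else:
            stack[-1][1][key] = value.strip().strip('"')
    return root

def lint_hsl(text, exists=os.path.isfile, mode_of=lambda p: os.stat(p).st_mode):
    """Return finding codes for global.hsl_server; an empty list means no findings."""
    g = parse_block(text).get("global")
    hsl = g.get("hsl_server") if isinstance(g, dict) else None
    if not isinstance(hsl, dict) or not hsl:
        return ["NOT_NESTED"]  # settings are not indented under hsl_server
    found = []
    if hsl.get("enabled") != "true":
        found.append("DISABLED")
    if hsl.get("endpoint", "").rsplit(":", 1)[0] in ("0.0.0.0", "[::]"):
        found.append("BINDS_ALL_INTERFACES")  # firewall 8443 to the F5 only
    for name in ("key_file", "cert_file"):
        path = hsl.get(name, "")
        if not path or not exists(path):
            found.append(("EMPTY_" if not path else "MISSING_") + name.upper())
    key = hsl.get("key_file", "")
    if key and exists(key) and mode_of(key) & 0o077:  # any group/other permission bit
        found.append("KEY_FILE_NOT_PRIVATE")
    return found
```

Run lint_hsl on the contents of config.yaml before restarting the agent; NOT_NESTED means the settings sit beside hsl_server instead of under it, so the agent would read an empty hsl_server section.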

Option 2 — Use install.sh script

You can also use the install.sh script to install the Traceable Platform agent. Follow the instructions to download the installation script.

Enter the following command to install the Platform agent with hsl_listener. Make sure that you have the paths to the public (certificate) and private key files, the name for your environment, the service name, and the Platform token you generated in the Before you begin section.

sudo ./install.sh tpa-only -e <ENVIRONMENT_NAME> -s <SERVICE_NAME> --raw-token <TPA_TOKEN> --hsl-enabled true --hsl-tls-cert <path/to/cert.crt> --hsl-tls-key <path/to/key.key>

Step 2 — Create Platform agent and application pool

In your F5 setup, create a Platform agent pool and application pool. Complete the following steps:

Create a Platform agent pool

Complete the following steps to create a Platform agent pool:

  1. In your F5 setup, navigate to Local traffic → Pools → Pool list and click on Create.

  2. Provide the IP address of the Traceable Platform agent and port number as 8443. In the Health Monitors section, select tcp_half_open.

Create application server pool

As explained above, in the Create a Platform agent pool section, navigate to Local traffic → Pools → Pool list and click on Create. Select http in the Health Monitors section. In the Address field, provide the IP address of the VM of your application.


Step 3 — Create an iRule

To create an iRule, navigate to the Local Traffic → iRules page and click Create to create a new iRule. Provide a name and copy and paste the iRule that you downloaded from Traceable’s download site earlier. Provide the hsl_pool name and service_name. You can also use the default values.


Step 4 — Create virtual servers for the Platform agent and application

To create a virtual server for the Platform agent and application, navigate to Local traffic → Virtual Servers → Virtual servers list. Click on Create.

Create a Platform agent virtual server

Enter the IP address of the Traceable Platform agent VM with port number 8443. Under the Configuration → SSL Profile (Server) section, select serverssl. Complete the following steps:

  1. Enter the Traceable Platform agent VM IP address and port number.

  2. In the configuration section, set SSL Profile.

  3. Click on the Resources tab and select the Default pool as the Platform agent pool that you created in Step 2.

Create an application virtual server

As detailed above, create the application virtual server. In the Destination Address/Mask field, provide the application VM's IP address and port number as 443. In the Resources tab, select the application server pool that you created in Step 2.

Step 5 — Attach iRule to the application server

Attach the iRule that you created as part of Step 3 to the application virtual server you created in Step 4. Navigate to the Resources tab of the application virtual server and click on the Manage button under the iRules section. Select the iRule that you created earlier.


The attached iRule is shown in the Resources tab of the application's virtual server.


Verification

To verify a successful setup, send traffic to your application. The traffic will show in the Traceable Platform, as shown below.

