F5 mirroring
  • 07 Apr 2022
  • 3 Minutes to read

Traceable provides a mirroring agent for capturing, or mirroring, the data packets passing through your F5 setup. Because this is a mirroring, fully out-of-band setup, it does not affect your current deployment or interfere with your data flow.

The client sends the traffic to the external network interface of the virtual load balancer. The traffic is then forwarded to the backend server through the internal network interface of the load balancer. Traceable captures the data packet from the internal network interface. The captured data packet is sent to the Traceable mirroring agent from the server clone pool. To configure the setup, add the IP address of Traceable's mirroring agent to the server clone pool.

The F5 mirroring deployment consists of deploying a Traceable mirroring agent on a VM and then configuring your F5 setup for mirroring. For more information, see the Deployment section.


Before you begin

Make a note of the following points before configuring mirroring for F5. 

  • Traceable supports BIG-IP software 11.x and later.
  • Make sure that mirroring is enabled in F5.
  • Save the Traceable agent token. In Traceable's platform, navigate to Administration > Account > Access Tokens > Agent Token. Copy and save the token. It is required during the Traceable agent installation.
  • Knowledge of BIG-IP software. 

Deployment

F5 mirroring deployment with Traceable agent consists of the following steps:

  1. Deploying Traceable agent - Download an install script from Traceable's download site.
  2. Configuring mirroring in F5 BIG-IP.

Step 1 - Deploy Traceable agent

You can deploy Traceable agent on a VM, an ECS container, or in a Kubernetes environment. In the following steps the Traceable agent is installed on a CentOS 7 VM. You can also install it on Amazon Linux 2 or Ubuntu. For more information, see the Virtual Machine topic.

Complete the following steps:

  1. Launch a CentOS 7 VM with two network interfaces. Note the following points:
    1. At least 4 vCPUs and 16 GB of RAM.
    2. The primary interface should have access to the Traceable Platform. 
    3. The secondary interface should be in the same VLAN as the internal interface of F5 BIG-IP.
  2. Log in to the VM that you launched in the previous step.
  3. Download the install script from Traceable's download site. Navigate to install > traffic-mirroring > linux > latest. Download the install.sh file.  
  4. Execute the script. The script installs the Traceable agent and Suricata.
    1. Download the script:
      curl -O "https://downloads.traceable.ai/install/traffic-mirroring/linux/latest/install.sh"
    2. Make it executable:
      chmod +x install.sh
    3. Run it:
      sudo ./install.sh -i eth1 -e f5-mirroring -s f5-mirroring-service -r <url-of-traceable-backend>:443

      Make sure that you have entered the correct interface. In the command above, it is eth1.

      For example:

      sudo ./install.sh -i eth1 -e f5-mirroring -s f5-mirroring-service -r api.traceable.ai:443
  5. Enter the following commands to verify the Suricata and Traceable agent services:
    systemctl status suricata
    systemctl status traceable
  6. Add the Traceable agent token that you copied in the Before you begin section to the token file:
    sudo vi /etc/traceable/agent/token
  7. Restart the Traceable agent:
    sudo systemctl restart traceable

Make sure that the traceable log contains no error entries and that a Started metric exporter message appears:

cat /var/traceable/log/traceable.YYYY_mm_dd_ss_mil.log
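The checks in steps 5 to 7 above are easy to skip when rolling out several agent VMs. The script below is an added example, not part of the page or of Traceable's install.sh, that performs them in one pass: both services active, the capture interface present, the token file holding exactly one token, and the newest agent log showing the Started metric exporter message with no error lines. It assumes the paths and names the page uses (/etc/traceable/agent/token, /var/traceable/log/traceable.*.log, the suricata and traceable units, and eth1); each can be overridden through the environment.

```shell
#!/usr/bin/env bash
# Added post-install health check for the mirroring agent VM (example code,
# not part of the page or of Traceable's install.sh). Paths, service names
# and the capture interface are the page's values; override via environment.

LOG_DIR="${LOG_DIR:-/var/traceable/log}"
TOKEN_FILE="${TOKEN_FILE:-/etc/traceable/agent/token}"
CAPTURE_IF="${CAPTURE_IF:-eth1}"

# Both units must be active: Suricata captures, the agent exports.
check_services() {
  local rc=0 svc
  for svc in suricata traceable; do
    if ! systemctl is-active --quiet "$svc"; then
      echo "service $svc is not active" >&2
      rc=1
    fi
  done
  return $rc
}

# The interface passed to install.sh -i must exist; otherwise Suricata
# starts but never sees a mirrored packet.
check_capture_interface() {
  if ! ip link show "$CAPTURE_IF" >/dev/null 2>&1; then
    echo "capture interface $CAPTURE_IF not found" >&2
    return 1
  fi
  return 0
}

# Token file: present, non-empty, exactly one token and no stray whitespace
# (a paste into vi commonly leaves a blank line or a trailing space).
check_token() {
  local f="$1"
  if [ ! -s "$f" ]; then
    echo "token file $f is missing or empty" >&2
    return 1
  fi
  if [ "$(grep -c . "$f")" -ne 1 ] || grep -q '[[:space:]]' "$f"; then
    echo "token file $f must hold exactly one token and nothing else" >&2
    return 1
  fi
  return 0
}

# Newest agent log by modification time (one timestamped file per run).
latest_log() {
  ls -t "$LOG_DIR"/traceable.*.log 2>/dev/null | head -n 1
}

# 0: exporter started and no error lines; 1: start message missing;
# 2: error lines present (echoed to stderr for the operator).
check_agent_log() {
  local log="$1"
  if ! grep -q 'Started metric exporter' "$log"; then
    echo "no 'Started metric exporter' message in $log" >&2
    return 1
  fi
  if grep -wE 'ERROR|FATAL' "$log" >&2; then
    echo "error entries found in $log" >&2
    return 2
  fi
  return 0
}

main() {
  local rc=0 log
  check_services || rc=1
  check_capture_interface || rc=1
  check_token "$TOKEN_FILE" || rc=1
  log="$(latest_log)"
  if [ -z "$log" ]; then
    echo "no agent log found in $LOG_DIR" >&2
    rc=1
  else
    check_agent_log "$log" || rc=1
  fi
  [ "$rc" -eq 0 ] && echo "mirroring agent host looks healthy"
  return "$rc"
}

# Run the host check only when asked (./agent-check.sh --check), so the
# functions can also be sourced and exercised against sample files.
if [ "${1:-}" = "--check" ]; then
  main
fi
```

Run it with --check on the agent VM after step 7; a non-zero exit code together with the message on stderr points at the step to revisit.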

Step 2 - F5 Configuration

Before configuring mirroring for Traceable agent, make sure that mirroring is enabled in F5. For more information, see K13392: Configuring the BIG-IP system to send traffic to an intrusion detection system (11.x - 15.x).

Complete the following steps:

  1. Log in to F5 management UI.
  2. Create a pool - Add a node to the node group and configure it with the IP address of the secondary interface of the VM that hosts the Traceable Platform agent.
    1. Navigate to Main > Local Traffic > Pools
    2. Create a new pool:
      1. Add a new node to the node group using the IP address of the Traceable platform agent instance's secondary interface.
      2. Leave the port as *.
  3. Clone pool - Edit the virtual server's settings so that it uses the newly created server pool as Clone Pool (Server).
    1. Navigate to Main > Local Traffic > Virtual Servers > Virtual Server List. Select any of the existing virtual servers.
    2. Change the configuration view from Basic to Advanced.
    3. Scroll down to Clone Pool (Server).
    4. Select the pool that you created in step 2, mirror-pool, from the drop-down list.
    5. Update the virtual server.
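Step 2 is a GUI procedure; on the BIG-IP command line the same change is two tmsh commands. The helper below is an added example, not from the page or from F5: it validates the agent address and prints the commands so they can be reviewed, or piped into tmsh, before they are applied. The pool name mirror-pool and the virtual server name serverMain are the page's own values, the address 10.10.20.5 is constructed, and the clone-pool syntax (clone-pools add { <pool> { context serverside } }, with port 0 standing for the GUI's *) is the tmsh form I know from F5's clone-pool documentation, which you should confirm against your BIG-IP version.

```shell
#!/usr/bin/env sh
# Added example (not from the page or F5): emits the tmsh equivalent of the
# Step 2 GUI actions. Names are placeholders; check the tmsh syntax against
# your BIG-IP version before running the output.

# Accept only a dotted-quad IPv4 address with every octet in 0-255. A typo
# here would send the mirrored copy of the traffic to the wrong host.
valid_ipv4() {
  local ip="$1" o old_ifs
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $ip
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Usage: f5_clone_pool_cmds <pool-name> <agent-secondary-ip> <virtual-server>
# Prints the two tmsh commands on stdout; returns 1 on invalid input.
f5_clone_pool_cmds() {
  local pool="$1" ip="$2" vs="$3"
  if [ -z "$pool" ] || [ -z "$vs" ]; then
    echo "pool name and virtual server name are required" >&2
    return 1
  fi
  if ! valid_ipv4 "$ip"; then
    echo "not a valid IPv4 address: $ip" >&2
    return 1
  fi
  # Port 0 is tmsh's spelling of the GUI's "*": mirror every port.
  printf 'tmsh create ltm pool %s members add { %s:0 }\n' "$pool" "$ip"
  # Clone on the server side, matching "Clone Pool (Server)" in the GUI.
  printf 'tmsh modify ltm virtual %s clone-pools add { %s { context serverside } }\n' "$vs" "$pool"
}

# Example invocation with constructed values; review the output, then run it
# in the BIG-IP bash shell (or drop the tmsh prefix inside a tmsh session).
if [ $# -eq 3 ]; then
  f5_clone_pool_cmds "$@"
fi
```

After applying the commands, `tmsh list ltm virtual serverMain clone-pools` shows whether the setting took effect.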

Verification

Send some traffic through your F5 BIG-IP and verify that the traces are reaching the Traceable platform.


Upgrade

To upgrade the Traceable agent, download and rerun the install.sh script. The script pulls the latest Traceable Platform agent and installs it.


Uninstall

To uninstall, delete the VM on which Traceable agent was installed. Also, remove the mirroring configuration from F5.


Troubleshooting

Spans not reporting to Traceable platform

Enter the following command to analyze network traffic:

sudo tcpdump -i eth1

If you do not see any traffic, then:

  • Disable the source/destination check on BIG-IP > Network Interfaces.
  • Try disabling the security policy: navigate to Virtual Server List > serverMain > Security settings > Policies and disable the Application Security Policy.
