F5 mirroring

F5 Networks is a company that specializes in application delivery networking technology. They provide a variety of products and services that are used to improve the availability, security, and performance of applications and data center infrastructure. One of their main products is the BIG-IP platform, which is a family of hardware and virtual appliances that provide application delivery services such as load balancing, traffic management, and security. These appliances can be used to improve the availability and performance of web applications, as well as to secure them from various types of attacks.

Traceable provides a mirroring agent for capturing or mirroring data packets passing through your F5 setup. Since this is a mirroring or a completely out-of-band setup, it does not affect your current deployment or interferes with your data flow. 

The client sends the traffic to the external network interface of the virtual load balancer. The traffic is then sent to the backend server through internal network interface of the load balancer. Traceable captures the data packet from the internal network interface. The captured data packet is sent to the Traceable mirroring agent from the server clone pool. To configure the setup, add the IP address of Traceable's mirroring agent to server clone pool.

The F5 mirroring deployment consists of deploying a Traceable mirroring agent on a VM and then configuring your F5 setup for mirroring. For more information, see the Deployment section.

Before you begin

Make a note of the following points before configuring mirroring for F5. 

• Traceable supports BIG-IP software 11.x and later.
• Make sure that mirroring is enabled in F5.
• Save Traceable agent token. Navigate to Traceable's platform and navigate to Administration () > Account > Access Tokens > Agent Token. Copy and save the token. It would be required in the Traceable agent installation process.
• Knowledge of BIG-IP software. 

Deployment

F5 mirroring deployment with Traceable agent consists of the following steps:

1. Deploying Traceable agent - Download a install script from Traceable's download site. 
2. Configuring mirroring in F5 BIG-IP.

Step 1 - Deploy Traceable agent

You can deploy Traceable agent on a VM, ECS container, or in a Kubernetes environment. In the following steps the Traceable agent is installed on a CentOS 7 VM. You can choose to install on Amazon Linux 2 or Ubuntu also. For more information, see Virtual Machine topic. 

Complete the following steps:

1. Launch a CentOS 7 VM with two network interfaces. Note the following points:
   1. At least 4 vCPUs and 16 GB of RAM.
   2. The primary interface should have access to the Traceable Platform. 
   3. The secondary interface should be in the same VLAN as internal interface F5 BIG-IP.
2. Log in to the VM that you launched in the previous step.
3. Download the install script from Traceable's download site. Navigate to install > traffic-mirroring > linux > latest. Download the install.sh file.  
4. Execute the script. The script installs Traceable agent and Suricata. 
   1. ActionScript

      curl -O "https://downloads.traceable.ai/install/traffic-mirroring/linux/latest/install.sh"
      

   2. chmod +x install.sh

   3. sudo ./install.sh mirror -i eth1 -e f5-mirroring -s f5-mirroring-service -r <url-of-traceable-backend>

      Make sure that you have entered the correct interface. In the command above, it is eth1.

      For example,

      sudo ./install.sh mirror -i eth1 -e f5-mirroring -s f5-mirroring-service -r api.traceable.ai

5. Enter the following command to verify Suricata and Traceable agent services.
   ActionScript

   sudo systemctl status suricata
   sudo systemctl status traceable

6. Add the Traceable agent token that you copied in the Before you begin section in the token file.
   ActionScript

   sudo vi /etc/traceable/agent/token

7. Restart Traceable agent. Enter the following command:
   ActionScript

   sudo systemctl restart traceable

Make sure that no error logs are present and a Started metric exporter message appears in the traceable.log.

cat /var/traceable/log/traceable.YYYY_mm_dd_ss_mil.log

Step 2 - F5 Configuration

Before configuring mirroring for Traceable agent, make sure that mirroring is enabled in F5. For more information, see K13392: Configuring the BIG-IP system to send traffic to an intrusion detection system (11.x - 15.x).

Complete the following steps:

1. Log in to F5 management UI.
2. Create a pool- Add a node to the node group. After adding the node to the node group, configure it with the secondary interface’s IP of the VM that is hosting the Traceable Platform agent.
   1. Navigate to Main > Local Traffic > Pools
   2. Create a new pool:
      1. Add a new node to the node group with the Traceable platform agent instance’s secondary interface’s IP address. 
      2. Leave the port as *.
3. Clone pool - Make sure that the virtual server is using this pool, by editing the virtual server’s setting to use the newly created server pool as Clone Pool (server).
   1. Navigate to Main > Local Traffic > Virtual Servers > Virtual Server List. Select any of existing  virtual server.
   2. Change configuration from basic to advanced.
   3. Scroll down to select Clone Pool (Server).
   4. Select mirror-pool from the drop-down list. 
   5. Update virtual server.

Verification

Send some traffic through your F5 BIG-IP and verify that the traces are reaching Traceable platform. 

Upgrade

To upgrade the Traceable agent, download and rerun the install.sh script. The scripts pulls the latest Traceable Platform agent and installs it. 

Uninstall

To uninstall, delete the VM on which Traceable agent was installed. Also, remove the mirroring configuration from F5.

Troubleshooting

Spans not reporting to Traceable platform

Enter the following command to analyze network traffic:

sudo tcpdump -i eth1

If you do not see any traffic, then:

• Disable the source/destination check on BIG-IP > Network Interfaces.
• Try to disable security policy by navigating to Virtual Server List > serverMain > Security settings > Policies > disable the Application Security Policy.