Skip to content

F5 Mirroring Integration with ApiFort

Overview

F5 Networks is a company that specializes in application delivery networking technology. They provide a variety of products and services that are used to improve the availability, security, and performance of applications and data center infrastructure. One of their main products is the BIG-IP platform, which is a family of hardware and virtual appliances that provide application delivery services such as load balancing, traffic management, and security. These appliances can be used to improve the availability and performance of web applications, as well as to secure them from various types of attacks.

ApiFort provides a mirroring agent for capturing or mirroring data packets passing through your F5 setup. Since this is a mirroring or a completely out-of-band setup, it does not affect your current deployment or interfere with your data flow.

F5 Mirroring Architecture

Traffic Flow

The traffic flow works as follows:

  • The client sends the traffic to the external network interface of the virtual load balancer
  • The traffic is then sent to the backend server through the load balancer's internal network interface
  • ApiFort captures the data packet from the internal network interface
  • The captured data packet is sent to the ApiFort HttpCap agent from the server clone pool

To configure the setup, add the IP address of ApiFort's Httpcap agent to the server clone pool.

The F5 mirroring deployment consists of deploying an ApiFort Httpcap agent on a VM and configuring your F5 setup for mirroring.

Before You Begin

Prerequisites

Make a note of the following points before configuring mirroring for F5:

  • ApiFort supports BIG-IP software 11.x and later
  • Make sure that mirroring is enabled in F5
  • Knowledge of BIG-IP software

Recommendation

We recommend to place secondary Interface on Apifort VM to capture Mirrored traffic from F5.

Deployment

F5 mirroring deployment with ApiFort agent consists of the following steps:

  1. Install ApiFort mirroring agent
  2. Configuring mirroring in F5 BIG-IP

Step 1 — Install HttpCap Agent

Install the ApiFort mirroring agent using the mirroring agent install script. For complete set of instructions to install, see the Mirroring on Linux machine topic.

Agent Installation

Note the ApiFort Platform agent's IP address or hostname. In the next step, you will use this information to configure the mirroring agent.

Step 2 - F5 Configuration

Before configuring mirroring for ApiFort agent, make sure that mirroring is enabled in F5. For more information, see K13392: Configuring the BIG-IP system to send traffic to an intrusion detection system (11.x - 15.x).

Complete the following steps:

1. Log in to F5 Management UI

Access your F5 BIG-IP management interface.

2. Create a Pool

Add a node to the node group. After adding the node to the node group, configure it with the secondary interface's IP of the VM that is hosting the ApiFort Platform agent.

  1. Navigate to Main > Local Traffic > Pools
  2. Create a new pool
  3. Add a new node to the node group with the ApiFort HttpCap agent instance's secondary interface's IP address
  4. Leave the port as *

F5 Clonepool howto 1

3. Configure Clone Pool

Make sure that the virtual server is using this pool, by editing the virtual server's setting to use the newly created server pool as Clone Pool (server).

  1. Navigate to Main > Local Traffic > Virtual Servers > Virtual Server List
  2. Select any of existing virtual server
  3. Change configuration from basic to advanced
  4. Scroll down to select Clone Pool (Server)
  5. Select mirror-pool from the drop-down list
  6. Update virtual server

F5 Clonepool howto 2

Verification

Testing the Integration

Send some traffic through your F5 BIG-IP and verify that the traces are reaching ApiFort platform.

Uninstall

To uninstall, delete the VM on which the ApiFort agent was installed. Also, remove the mirroring configuration from F5.

Troubleshooting

Spans Not Reporting to the ApiFort Platform

Enter the following command to analyze network traffic:

Bash
sudo tcpdump -i eth1

If you do not see any traffic, then:

Troubleshooting Steps

  • Disable the source/destination check on BIG-IP > Network Interfaces
  • Try to disable security policy by navigating to Virtual Server List > serverMain > Security settings > Policies > disable the Application Security Policy

Support

For additional support and troubleshooting, please refer to the ApiFort documentation or contact support.