Use this pack to automate traffic management use cases with F5 Local Traffic Manager (LTM). The F5 LTM integration included with the pack provides several commands that retrieve LTM information about nodes, pools and pool members. Some of those commands can also be used to automate remediation actions, such as disabling an active node.
F5 BIG-IP LTM
This pack includes Cortex XSIAM content.
Configuration on Server Side
You need to configure F5 LTM to forward logs in Syslog format.
Go to F5 LTM and navigate to System -> Logs -> Configuration -> Remote Logging and enter the following:
- Remote IP: add the Broker VM IP address.
- Remote Port: add the designated Broker VM port.
Press Add and Update to apply the new configuration.
Collect Events from Vendor
In order to use the collector, use the Broker VM option.
Broker VM
To create or configure the Broker VM, use the information described here.
You can configure the specific vendor and product for this instance.
- Navigate to Settings > Configuration > Data Broker > Broker VMs.
- Right-click, and select Syslog Collector > Configure.
- When configuring the Syslog Collector, set the following values:
  - vendor: f5
  - product: ltm
What does this pack do?
- Gathers information about F5 LTM Nodes, Pools and Pool Members.
- Gathers information about F5 LTM Node and Pool Member connection and session statistics.
- Enables and Disables F5 LTM Nodes.
- Included with the Pack is a playbook to list all the Pools that are configured with single Nodes.
- Included with the Pack is a playbook to wait for current connections to a single Node to drop to zero.
- Adds modeling rules for XSIAM.
For more information, visit the Cortex XSOAR and XSIAM Developer Docs.