F5 LTM

You can use this pack to automate traffic management use cases in integration with F5 Local Traffic Manager (LTM). The F5 LTM integration included with the pack provides several commands that retrieve LTM information about nodes, pools and pool members. Some of those commands can also be used to automate remediation actions, such as disabling an active node.

F5 BIG-IP LTM

This pack includes Cortex XSIAM content.

Configuration on Server Side

You need to configure F5 LTM to forward logs in Syslog format.

Go to F5 LTM and navigate to System -> Logs -> Configuration -> Remote Logging and enter the following:

  1. Remote IP: add the Broker VM IP address.
  2. Remote Port: add the designated Broker VM port.

Press Add and Update to apply the new configuration.

Collect Events from Vendor

In order to use the collector, use the Broker VM option.

Broker VM

To create or configure the Broker VM, use the information described here.

You can configure the specific vendor and product for this instance.

  1. Navigate to Settings > Configuration > Data Broker > Broker VMs.
  2. Right-click, and select Syslog Collector > Configure.
  3. When configuring the Syslog Collector, set the following values:
    • vendor: f5
    • product: ltm

What does this pack do?

  • Gathers information about F5 LTM Nodes, Pools and Pool Members.
  • Gathers information about F5 LTM Node and Pool Member connection and session statistics.
  • Enables and Disables F5 LTM Nodes.
  • Included with the Pack is a playbook to list all the Pools that are configured with single Nodes.
  • Included with the Pack is a playbook to wait for current connections to a single Node to drop to zero.
  • Adds modeling rules for XSIAM.

For more information, visit the Cortex XSOAR and XSIAM Developer Docs.

PUBLISHER

Ayman Mahmoud

PLATFORMS

Cortex XSOAR, Cortex XSIAM

INFO

Supported By: Community
Created: October 10, 2021
Last Release: July 25, 2023
DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.