Automap enabled-f5-all

Vendor: f5

OS: all

Description:
Automap works great for asymmetric routing, but can result in port exhaustion. indeni will alert if automap is used.

Remediation Steps:
Information about automap, SNAT Pools and port exhaustion is available at https://support.f5.com/csp/article/K7820#exhaustion

How does this work?
This alert uses the iControl REST interface to extract the use of automap on virtual servers.

Why is this important?
Using automap is a great way to troubleshoot asymmetric routing, but it is not ideal in a busy live environment because of the risk of port exhaustion. When traffic volume is high it is better to create a “SNAT Pool” with multiple IP addresses on the member networks.

Without Indeni how would you find this?
Log in to the device’s web interface and click on “Local Traffic” and then “Virtual Servers”. For each of the virtual servers, verify that automap is not used as the “Source Address Translation”.

f5-rest-mgmt-tm-ltm-virtual

name: f5-rest-mgmt-tm-ltm-virtual
description: Determine use of automap, and if any wildcard forwarding servers listening
    on all VLANs exists.
type: monitoring
monitoring_interval: 60 minute
requires:
    vendor: f5
    product: load-balancer
    rest-api: 'true'
comments:
    f5-automap-used:
        why: |
            Using automap is a great way to troubleshoot asymmetric routing, but it is not ideal in a busy live environment because of the risk of port exhaustion. When traffic volume is high it is better to create a "SNAT Pool" with multiple IP addresses on the member networks.
        how: |
            This alert uses the iControl REST interface to extract the use of automap on virtual servers.
        without-indeni: |
            Log in to the device's web interface and click on "Local Traffic" and then "Virtual Servers". For each of the virtual servers, verify that automap is not used as the "Source Address Translation".
        can-with-snmp: true
        can-with-syslog: false
    f5-wildcard-forwarding-servers:
        why: |
            It is generally not recommended to have a virtual server listening on all VLANs with a destination of any. Such a virtual server can short-circuit any VLANs behind the load balancer and is not ideal in terms of security.
        how: |
            This alert uses the iControl REST interface to extract any virtual forwarding servers listening to all destinations and on all VLANs.
        without-indeni: |
            Log in to the device's web interface and click on "Local Traffic" and then "Virtual Servers". For each of the virtual servers, verify whether it is listening on any destination and on all VLANs.
        can-with-snmp: true
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /mgmt/tm/ltm/virtual?$select=fullPath,sourceAddressTranslation,ipForward,destination,source,vlans
    parse:
        type: JSON
        file: rest-mgmt-tm-ltm-virtual.parser.1.json.yaml
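As an added example (not indeni's parser and not code from this page), the Python check below applies both rules from the command file above to a constructed sample of the /mgmt/tm/ltm/virtual response: it flags virtual servers whose sourceAddressTranslation type is "automap" and IP-forwarding virtual servers with an "any" destination and no VLAN restriction. Treating a missing or empty "vlans" list as "listening on all VLANs" is an assumption of this example.

```python
import json
from typing import Dict, List

# Constructed sample, shaped like a response to the command file's query
# /mgmt/tm/ltm/virtual?$select=fullPath,sourceAddressTranslation,ipForward,destination,source,vlans
# (names and addresses are invented for this example).
SAMPLE_RESPONSE = json.dumps({
    "kind": "tm:ltm:virtual:virtualcollectionstate",
    "items": [
        {"fullPath": "/Common/vs_web_automap", "destination": "/Common/10.1.1.10:443",
         "source": "0.0.0.0/0", "sourceAddressTranslation": {"type": "automap"}},
        {"fullPath": "/Common/vs_web_snatpool", "destination": "/Common/10.1.1.11:443",
         "source": "0.0.0.0/0", "sourceAddressTranslation": {"type": "snat", "pool": "/Common/snat_web"}},
        {"fullPath": "/Common/fwd_all", "destination": "/Common/0.0.0.0:0", "source": "0.0.0.0/0",
         "ipForward": True, "sourceAddressTranslation": {"type": "none"}},
        {"fullPath": "/Common/fwd_internal", "destination": "/Common/0.0.0.0:0", "source": "10.2.0.0/16",
         "ipForward": True, "vlans": ["/Common/internal"], "sourceAddressTranslation": {"type": "none"}},
    ],
})


def destination_is_any(destination: str) -> bool:
    """True when the destination host is the wildcard (0.0.0.0 or ::), whatever the port."""
    addr = destination.rsplit("/", 1)[-1]            # drop the "/Common/" partition prefix
    # F5 writes IPv4 as host:port and IPv6 as host.port; a %N suffix is a route domain.
    host = addr.rsplit(".", 1)[0] if addr.count(":") > 1 else addr.rsplit(":", 1)[0]
    return host.split("%", 1)[0] in ("0.0.0.0", "::", "any", "any6")


def check_virtuals(response_json: str) -> Dict[str, List[str]]:
    """Return the virtual servers that would raise each of the two metrics from the command file."""
    findings: Dict[str, List[str]] = {"f5-automap-used": [], "f5-wildcard-forwarding-servers": []}
    for vs in json.loads(response_json).get("items", []):
        name = vs.get("fullPath", "<unnamed>")
        if (vs.get("sourceAddressTranslation") or {}).get("type") == "automap":
            findings["f5-automap-used"].append(name)
        # Assumption: a missing or empty "vlans" list means the virtual listens on all VLANs.
        listens_on_all_vlans = not vs.get("vlans")
        if vs.get("ipForward") and listens_on_all_vlans and destination_is_any(vs.get("destination", "")):
            findings["f5-wildcard-forwarding-servers"].append(name)
    return findings


if __name__ == "__main__":
    for metric, names in check_virtuals(SAMPLE_RESPONSE).items():
        print(f"{metric}: {', '.join(names) or 'none'}")
```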

f5_automap_enabled

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.f5

import com.indeni.ruleengine.expressions.conditions.{Equals => RuleEquals, Not => RuleNot, Or => RuleOr}
import com.indeni.ruleengine.expressions.data.SnapshotExpression
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SingleSnapshotValueCheckTemplateRule
import com.indeni.server.rules.library.RuleHelper

/**
  * Alerts on virtual servers whose source address translation is set to automap
  * (metric f5-automap-used), since automap can lead to port exhaustion under heavy traffic.
  */
case class f5_automap_enabled() extends SingleSnapshotValueCheckTemplateRule(
  ruleName = "f5_automap_enabled",
  ruleFriendlyName = "F5 Devices: Automap enabled",
  ruleDescription = "Automap works great for asymmetric routing, but can result in port exhaustion. indeni will alert if automap is used.",
  metricName = "f5-automap-used",
  applicableMetricTag = "name",
  alertItemsHeader = "Virtual Servers Affected",
  alertDescription = "Automap works great when avoiding asymmetric routing, but in scenarios with a lot of traffic there could be port exhaustion unless more than one floating IP is defined for the member VLAN. For this reason it's better to use a SNAT Pool containing the appropriate amount of IP addresses used for address translation.\n\nThis alert was added per the request of <a target=\"_blank\" href=\"https://se.linkedin.com/in/patrik-jonsson-6527932\">Patrik Jonsson</a>.",
  baseRemediationText = "Information about automap, SNAT Pools and port exhaustion is available at https://support.f5.com/csp/article/K7820#exhaustion",
  complexCondition = RuleEquals(RuleHelper.createComplexStringConstantExpression("true"), SnapshotExpression("f5-automap-used").asSingle().mostRecent().value().noneable))()