Balanced

Brain dump for at least semi-good ideas

Gather SSL cipher statistics from your F5 device

With the new PCI DSS requirements around the corner it might be interesting to gather some SSL cipher statistics from your F5’s. If you have a syslog server this is a piece of cake using the HSL function in iRules.

To use the iRule below, first create a pool called syslog-514_pool, or simply replace the name with a pool containing your syslog server(s). Then, for each virtual server attach the following iRule:

when HTTP_REQUEST {

    if { [info exists logged] && $logged == 1 }{
        # Do nothing. Already logged for this session
    } else {
        set hsl [HSL::open -proto UDP -pool syslog-514_pool]
        set host [HTTP::host]
        set useragent [HTTP::header "User-Agent"]
        set vs [virtual name]
        set logged 1

        HSL::send $hsl "[string map [list "\t \t" "\t-\t"]\
        "<152>\t\
        [info hostname]\t\
        [IP::local_addr]\t\
        [clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]\t\
        $host\t\
        [IP::remote_addr]\t\
        $useragent\t\
        $vs\t\
        [SSL::cipher name]\t\
        [SSL::cipher version]\t\
        [SSL::cipher bits]\t\
        "]\n"
    }
    
}

 

Essentially, what it does is to send a syslog message for every new SSL session established. This data could easily be indexed by Splunk or Elastic search to generate a report.

PS. If you have a Firewall between your loadbalancer and your syslog server you might want to verify that it’s open first.

Previous

Protecting BigIP Report behind an APM – By Shannon Poole

1 Comment

  1. Hey, Patrik,
    I’ve been doing something similar with a iRule I found on devcentral, courtesy of David Holmes, that lets you show a page with a pie chart indicating client cipher usage. You don’t even need a syslog server – it uses iStats.
    Cheers,
    Joel

Leave a Reply

Your email address will not be published. Required fields are marked *

Powered by WordPress & Theme by Anders Norén