Ingest-F5 - Administrator Guide - Cortex CLOUD

Cortex Cloud Runtime Security Documentation
Product
Cortex Cloud Application Security > Cortex CLOUD
License
Cloud Runtime Security
Creation date
2024-12-24
Last date published
2026-06-16
Category
Administrator Guide

Notice

Requires the Data Collection add-on.

Integrate F5 with Cortex Cloud to start scanning its APIs for potential threats and vulnerabilities.

You need to integrate a dedicated F5 log plugin. This plugin enables seamless traffic ingestion from your F5 gateway to Cortex Cloud, allowing for comprehensive security measures such as OWASP Top-10, bot detection, access control, and more.

Settings in Cortex Cloud

In Cortex Cloud, set up the F5 data source to integrate with the F5 API Gateway.

  1. From SettingsData Sources & Integrations , click + Add New, search for F5 BIG-IP LTM , then hover over it and click Add or Add Instance.

  2. In the F5 BIG-IP LTM Collector wizard, enter a relevant name and then click Create and Proceed.

  3. Copy the key and paste it somewhere so that you can access it for later.

    If you forget to record the key and close the window, you must generate a new key and repeat this process.

  4. Click the Download iRules LX Plugin link to download the plugin to upload it from the F5 Gateway.

  5. Click Close.

Settings in F5 BIG-IP LTM

  1. Log in to your F5 environment.

  2. Verify that the following is configured:

    Navigate to SystemResource Provisioning and enable iRules Language Extensions (iRulesLX) . Check Provisioning and set to Nominal.

  3. Navigate to Local TrafficiRulesLX Workspaces and follow the steps under the relevant tab:

    LX Workspaces:

    • Click Import. In the General Properties page, enter a Name and for Source, select apisec_bigip_plugin_tar.gz .

      Note

      Extract the files from the F5 plugin to a folder before selecting to upload to F5.

    • In the General Properties page, enter:

      • Name: Enter the name panw_apisec_workspace.

      • Source: Select apisec_bigip_plugin_tar.gz.

    • Select Import to import the plugin.

    LX Plugins:

    • Click Create.

    • In the General Properties page, enter:

      • Name: Enter panw_apisec_plugin.

      • From Workspace: Select panw_apisec_workspace.

    • Click Finished.

  4. Navigate to SystemFile ManagementData Group File ListImport.

    • From File Name, select the panw_apisec_config.txt file that was extracted from the zip that was downloaded from Cortex Cloud.

    • In the Name field, select Create New and enter panw_apisec_config.

    • From File Contents, select String.

    • For Data Group Name, enter panw_apisec_config.

    • Click Import.

  5. Navigate to SystemFile ManagementData Group File List.

    • Click panw_apisec_config.

    • In Definition, fill in the values for the following:

      "context_account_id" := "",
"context_provider" := "",
"context_region" := "",
"cortex_collector_key" := "",
"cortex_collector_url" := "",

      • Paste the F5 VIG-IP LTM Collector key you copied from Cortex Cloud in the "cortex_collector_key".

      • From Cortex Cloud, go to Data Sources & Integrations and from F5 BIG_IP LTM , copy the API URL and paste it in the "cortex_collector_url".

        F5_data_source.png

      • The context_account_id, context_provider, and context_region depend on the cloud environment. In this instance, AWS is the example:

        Note

        • The provider for "context_provider" should always be uppercase.

        • Supported providers: AWS, GCP, Azure, On-prem.

        "context_account_id" := "12345",
"context_provider" := "AWS",
"context_region" := "us-east-2",
"cortex_collector_key" := "collector key",
"cortex_collector_url" := "API URL",

      • Click Update.

  6. Navigate to Local TrafficVirtual ServersVirtual Server List . The virtual server functions as an API Gateway, handling all incoming and outgoing requests and responses, then forwarding that data to the Cortex Cloud collector.

    • From the virtual server that serves as the gateway, click Edit.

    • In the Resources tab, under iRules, click Manage.

    • From the Available list, navigate to /Common/panw_apisec_plugin and select panw_apisec_data_collection and panw_apisec_set_ssl_data , and then click the left arrow button to move them to the Enabled list.

      Note

      Select panw_apisec_set_ssl_data only if your client SSL profile is enabled.

    • Click Finished.

    • Click the Properties tab.

  7. Test the request/response and verify that the logs are sent to Cortex Cloud. This can be verified by checking that the counter has increased. The scanned API endpoint metadata from f5-bigip is ready for investigation in the API inventory.