

The BIG-IP ® system can securely log messages using Transport Layer Security (TLS) encryption to a secure syslog server that resides on a shared, external network. This implementation describes a sample configuration consisting of two BIG-IP systems in a Device Service Clustering (DSC ®) Sync-Only or Sync-Failover device group that encrypt log messages using a local virtual server, which forwards the messages on to the remote secure syslog server.

In the example, the BIG-IP systems (A and B) and the secure syslog server mutually authenticate each other using X.509 certificates and keys on their TLS connections. This certificate validation requires a dedicated certificate for each BIG-IP system's logging interface (the self IP address on the logging VLAN for that BIG-IP system) and a certificate for the secure syslog server. In this sample configuration, all three certificates are signed by the same Certificate Authority (CA), and each system has the same CA certificate bundle installed, to be used for X.509 certificate validation.

The configuration is based on the assumption that you have configured an external Domain Name System (DNS) server with forward and reverse DNS entries for the names and IP addresses used in the X.509 certificate authentication. In most configurations, the shared, external network should be deployed as a dedicated VLAN connecting only the BIG-IP systems and the secure syslog server, due to the potential for high-bandwidth logging from the High Speed Logging (HSL) subsystem.

Each BIG-IP ® system has one or more HSL filters directing certain kinds of log messages to the HSL destination. The HSL destination forwards the messages to both the local

The result is that when the high speed logging subsystem or the standard syslog service of either BIG-IP system sends TCP syslog traffic, the messages are forwarded to the remote syslog server over an authenticated and encrypted, secure channel.

The virtual servers are configured using a non-floating IP address on a private VLAN that is

Each virtual server handles sending the BIG-IP system's client certificate to the server for X.509 validation, as well as validating the server's X.509 certificate using a locally-installed CA certificate bundle. Once authenticated and connected to the server listed in the remote secure syslog server pool, the local syslog encrypting virtual server sends the outbound encrypted syslog messages to the remote secure syslog server. The outbound TCP sessions are retained for subsequent syslog messages until the TCP timeout on the virtual server expires; then the next syslog message initiates a new session.

The Device Service Clustering (DSC ®) device group must contain the BIG-IP ® systems as members.

Enable Automatic Sync on the device group. Enabling automatic sync for the device group ensures that every change you make to a BIG-IP system is internally propagated to all device group members. In most cases, this eliminates the need to manually sync configuration changes to the peer device. You perform this task on only one device in the device group, and the change is propagated to the other device.

Assign fully-qualified domain names (FQDNs). Each BIG-IP system in the device group, and the remote, secure syslog server, must have a unique fully-qualified domain name (FQDN). You must specify an external Domain Name System (DNS) server with forward and reverse DNS entries for the names and IP addresses used in the X.509 certificate authentication. Once configured, the DNS server resolves the FQDN used in the X.509 certificate for each device's
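As an added preflight check that is not part of the F5 documentation, the following Python script verifies the DNS prerequisite for the X.509 authentication described above: for each certificate FQDN and the address it is presented on, the forward record must return that address, the PTR record must return that FQDN, and no FQDN may repeat across the BIG-IP systems and the syslog server. The device names and the 192.0.2.0/24 addresses are constructed; the resolver callbacks default to the system resolver and are swapped for fixed tables in the offline sample.

```python
import socket
from typing import Callable, Dict, List, Tuple

def system_forward(fqdn: str) -> List[str]:
    """A/AAAA lookup through the system resolver (the external DNS server)."""
    try:
        return socket.gethostbyname_ex(fqdn)[2]
    except socket.gaierror:
        return []

def system_reverse(ip: str) -> str:
    """PTR lookup through the system resolver; "" when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return ""

def check_tls_syslog_dns(devices: List[Tuple[str, str]],
                         forward: Callable[[str], List[str]] = system_forward,
                         reverse: Callable[[str], str] = system_reverse) -> List[str]:
    """devices lists (certificate FQDN, IP address) for each BIG-IP logging self IP
    and for the secure syslog server. Returns the problems found; an empty list means
    every FQDN is unique and its forward and reverse entries agree with its address."""
    problems, seen = [], set()
    for fqdn, ip in devices:
        name = fqdn.rstrip(".").lower()
        if name in seen:
            problems.append(f"{fqdn} is not unique in the device list")
        seen.add(name)
        addrs = forward(fqdn)
        if ip not in addrs:
            problems.append(f"forward lookup of {fqdn} -> {addrs or 'NXDOMAIN'}, expected {ip}")
        rev = reverse(ip).rstrip(".").lower()
        if rev != name:
            problems.append(f"reverse lookup of {ip} -> {rev or 'no PTR'}, expected {fqdn}")
    return problems

def offline_check(devices: List[Tuple[str, str]], a_records: Dict[str, List[str]],
                  ptr_records: Dict[str, str]) -> List[str]:
    """Same check against fixed tables instead of live DNS (used for the sample)."""
    return check_tls_syslog_dns(devices, lambda n: a_records.get(n, []),
                                lambda a: ptr_records.get(a, ""))

# Constructed sample: hypothetical names, 192.0.2.0/24 documentation addresses.
SAMPLE_DEVICES = [("bigip-a.example.test", "192.0.2.11"),
                  ("bigip-b.example.test", "192.0.2.12"),
                  ("syslog.example.test", "192.0.2.20")]
SAMPLE_A = {n: [a] for n, a in SAMPLE_DEVICES}     # consistent forward entries
SAMPLE_PTR = {a: n for n, a in SAMPLE_DEVICES}     # consistent reverse entries
```

Calling check_tls_syslog_dns(SAMPLE_DEVICES) with the default resolvers runs the same check against the real external DNS server; offline_check(SAMPLE_DEVICES, SAMPLE_A, SAMPLE_PTR) returns an empty list for the consistent sample.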
