IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.


F5 Networks BIG-IP LTM/ASM/APM current Software Version V16.x

  • 1.  F5 Networks BIG-IP LTM/ASM/APM current Software Version V16.x

    Posted Wed October 13, 2021 09:40 AM

    Hi,

    the current DSM Guide describes the configuration for F5 Networks BIG-IP APM/LTM/ASM for V11.x to V14.x. However, there is already a current version of F5 BIG-IP APM/LTM/ASM V16.x out there. This means that some events from an F5 Logsource running the current Release V16.x are not normalized as expected. When can an updated DSM for F5 with V16.x be expected? Who may have already had this experience?

    Regards,

    Ralph



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: F5 Networks BIG-IP LTM/ASM/APM current Software Version V16.x
    Best Answer

    Posted Wed October 13, 2021 02:30 PM

    Ralph,

    What we list in the DSM Guide is typically what has been validated and tested to confirm that all events parse and categorize as expected. If the DSM Guide lists support for V11.x to V14.x, it doesn't necessarily mean that V16.x does not work. In Support, we typically recommend that users configure and collect events to determine if it works and log cases when errors occur. Unless the format changed and broke our parsing logic, probably 80+% of the time there is not an issue with a DSM not being listed at the latest version. It just means that it hasn't been QA'd against that specific version.

    If you are on BIG-IP V16 and see events categorized as 'Stored', then you can open a case for us to review. You might also see events categorized as 'Unknown F5 BIG-IP', which means that we might need to update our QID map or talk with the vendor to update our QID. These are common issues and we might need development to update parsing or add new QID map entries to support minor changes between BIG-IP V14 and V16.

    Reference: What do you do if the product version or device you have is not listed in the DSM Configuration Guide?

    Hope this helps, let me know if you have follow-up questions or concerns.



    #QRadar
    #Support
    #SupportMigration


  • 3.  RE: F5 Networks BIG-IP LTM/ASM/APM current Software Version V16.x

    Posted Wed September 27, 2023 04:02 AM
    Edited by Alex Ahsras Wed September 27, 2023 04:02 AM
    Hey Ralph,
     
    I completely understand your concern regarding the F5 Networks BIG-IP APM/LTM/ASM DSM Guide not covering the latest V16.x release. It can be frustrating when your log events aren't normalized as expected. I've had some experience in dealing with similar situations.
     
    In my experience, what's mentioned in the DSM Guide is usually a reflection of what's been thoroughly tested and validated. The absence of V16.x in the guide doesn't necessarily mean it won't work. It's often a matter of QA and testing resources. Most of the time, it's not a significant issue as long as the format hasn't drastically changed.
     
    At Andersen, we've encountered scenarios like this before, and we specialize in finding innovative solutions to compatibility challenges. I'd suggest configuring and collecting events from your BIG-IP V16.x to see how they behave. If you notice events categorized as 'Stored' or 'Unknown F5 BIG-IP', consider opening a support case. These occurrences might require updates to parsing or QID maps to align with changes between V14 and V16.
     
    Remember, it's essential to keep an eye on updates or patches from F5 Networks, as they might address compatibility issues. 



    ------------------------------
    Alex Ahsras
    ------------------------------