You can configure a physical interface on a BIG-IP® system to operate in passive mode. In this mode, the interface accepts mirrored traffic from another device to collect data for analysis and intrusion detection.
The BIG-IP system analyzes the mirrored traffic, drops it, and then sends the resulting analytics data and log messages to a remote analytics and logging server. The mirrored traffic never leaves the system, and the BIG-IP system never acts on the headers and payload.
You don't need to deploy the BIG-IP system in line with your BIG-IP application delivery controller (ADC), which means there's no need to make changes to your network infrastructure.
This illustration shows a configuration that includes a BIG-IP passive monitoring system.
As we see in the illustration, a Layer 2/Layer 3 switch receives client traffic on the 10.10.10.x network. The traffic comes into the switch, which mirrors it to a SPAN port on the BIG-IP system. A SPAN port is an interface that can receive traffic mirrored to it from another device.
After analyzing the traffic, the BIG-IP system forwards all analytics data and log messages through interface 1.2 to a remote analytics and logging server and then discards its copy of the application traffic.
We've also configured two virtual servers to listen on the SPAN port. One virtual server listens for any mirrored HTTP traffic destined for a particular destination address on port 80, while the other listens for any traffic not caught by the HTTP virtual server.
Typical reasons for deploying a BIG-IP system as a passive monitoring device are:
Before you set up a BIG-IP system as a passive monitoring system, make sure you have configured these things:
To configure the BIG-IP® system to do passive monitoring, you designate an interface on the BIG-IP passive monitoring system as a SPAN port and assign the interface to the ingress VLAN. Then, you configure a Fast L4 profile to disable SYN cookie support and Packet Velocity® ASIC (PVA) acceleration. Finally, you set up whatever virtual servers you need to listen for mirrored traffic.
The result is that the system will analyze ingress traffic and send log messages and analytics data to a remote analytics and high-speed logging server.
This illustration shows the order in which you need to perform these tasks.
Before performing this task, make sure that you have configured a VLAN with a tagged interface on the upstream switch that will mirror ingress application traffic and send it to this BIG-IP® system.
For any BIG-IP interface that you've configured to receive mirrored application traffic, you must create a VLAN and assign the interface to the VLAN.
You create a TCP profile to disable the SYN Challenge Handling setting.
You create a Fast L4 profile to disable the Packet Velocity® ASIC settings and disable the SYN Challenge Handling setting.
You create a log destination of the Remote High-Speed Log type to specify that log messages are sent to a pool of remote log servers.
You create a formatted logging destination to specify that log messages are sent to a pool of remote log servers, such as Remote Syslog, Splunk, or ArcSight servers.
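The tasks above, carried through as one tmsh session. This is an added example, not configuration from the F5 documentation: the interface, VLAN, profile, pool, publisher and virtual server names, the VLAN tag 110, and the 10.10.10.50 and 192.0.2.10 addresses are constructed placeholders, and the profile property names marked "assumed" should be confirmed against the tmsh reference for your BIG-IP version.

```tmsh
# Added example, not from the F5 documentation. Names, addresses and the VLAN tag
# are constructed; properties marked "assumed" must be checked for your version.

# Task 1: put the interface that receives the switch's mirrored traffic into passive
# mode, which is what makes it a SPAN port. In this mode the system never
# transmits on the interface, so the mirrored copy cannot leak back out.
modify net interface 1.1 port-fwd-mode passive

# Task 2: create the ingress VLAN and assign the SPAN interface to it, tagged to
# match the VLAN the upstream switch mirrors into (tag 110 is a placeholder).
create net vlan span_vlan { interfaces add { 1.1 { tagged } } tag 110 }

# Task 3: TCP profile with SYN challenge handling disabled. Mirrored traffic is
# one-way, so a SYN challenge could never complete. (Property name assumed.)
create ltm profile tcp tcp_passive { defaults-from tcp syn-cookie-enable disabled }

# Task 4: Fast L4 profile with PVA acceleration off and SYN cookies off. Hardware
# acceleration would try to forward the flow; passive monitoring needs the
# software path to inspect every packet. (syn-cookie-enable name assumed.)
create ltm profile fastl4 fastl4_passive { defaults-from fastL4 pva-acceleration none syn-cookie-enable disabled }

# Task 5: pool of remote log servers reached through interface 1.2, then a
# Remote High-Speed Log destination that sends to that pool.
create ltm pool hsl_pool { members add { 192.0.2.10:514 } monitor none }
create sys log-config destination remote-high-speed-log hsl_dest { pool-name hsl_pool protocol udp }

# Task 6: formatted (remote syslog) destination layered on the HSL destination,
# and a publisher that other modules can log to.
create sys log-config destination remote-syslog syslog_dest { remote-high-speed-log hsl_dest format rfc5424 }
create sys log-config publisher passive_pub { destinations add { syslog_dest } }

# Virtual servers that listen only on the SPAN VLAN: one for mirrored HTTP to a
# specific server address on port 80, one catch-all for everything else.
create ltm virtual vs_passive_http { destination 10.10.10.50:80 ip-protocol tcp profiles add { fastl4_passive } vlans add { span_vlan } vlans-enabled }
create ltm virtual vs_passive_any { destination 0.0.0.0:0 ip-protocol any profiles add { fastl4_passive } vlans add { span_vlan } vlans-enabled }

save sys config

# Verification: confirm the interface mode, then watch the virtual servers'
# packet counters climb while the switch mirrors traffic.
list net interface 1.1 port-fwd-mode
show ltm virtual vs_passive_http
show ltm virtual vs_passive_any
```

The `vlans-enabled` restriction on both virtual servers matters: without it the listeners would also accept traffic arriving on the management-side VLANs, and the catch-all `0.0.0.0:0` listener would then compete with any other virtual server on the system. Keep the logging pool reachable only through the non-SPAN interface so that the passive interface carries nothing but ingress mirrored traffic.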