F5 BIG-IP Log Correlation: Mapping External Exposure to Internal Systems
Turning Raw Network Logs into Trusted Security Visibility
Modern infrastructure makes traffic attribution deceptively difficult.
When an external user connects to a public IP address, that destination is often not a real server. It is a load balancer Virtual IP (VIP). Behind that VIP may be multiple internal systems, pools, and dynamic routing decisions.
This project was built to answer a simple but operationally critical question:
When traffic hits a public IP and port, which internal systems actually receive it?
The Problem
Traditional firewall logs typically show:
- Source IP
- Destination IP
- Destination port
- Action (allow/deny)
However, in environments using F5 BIG-IP LTM, the destination IP is often:
- A VIP
- Backed by a pool
- Containing multiple internal members
- Dynamically forwarding traffic
Without correlation, security teams risk attributing exposure incorrectly.
Load balancers break naive attribution.
Project Objective
Build a repeatable pipeline that:
- Normalizes firewall logs
- Parses F5 BIG-IP virtual server configuration
- Correlates VIPs to internal pool members
- Incorporates connection evidence
- Produces confidence-scored exposure reporting
The goal was not just parsing logs — it was building trust in the data.
Architecture Overview
Data Sources
- Firewall logs (external allow/deny events)
- F5 BIG-IP `tmsh` virtual server configuration
- F5 BIG-IP connection/syslog events
Core Flow
- Ingest raw data
- Normalize into canonical schema
- Generate join keys (IP + port)
- Correlate external destination → VIP
- Resolve VIP → pool → internal members
- Raise confidence if live connection evidence exists
- Export structured report (CSV / JSON)
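The flow above, carried through end to end as an added example (this is not code from the project the page describes). It parses a constructed tmsh-style fragment with two virtual servers and their pools, normalizes a few constructed firewall lines into the canonical schema, builds the IP:port join key, resolves VIP to pool to members, raises confidence when a constructed F5 syslog line shows the VIP actually forwarding to a member, and emits JSON. The log line formats, the regexes and the three confidence labels (`confirmed`, `configured`, `unresolved`) are my assumptions, not the project's.

```python
import json
import re
from dataclasses import dataclass, asdict

# Constructed tmsh-style configuration (assumption: shape of `tmsh list ltm virtual`
# and `tmsh list ltm pool` output; not captured from any real device).
TMSH_CONFIG = """\
ltm virtual /Common/vs_web_https {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    pool /Common/pool_web
}
ltm virtual /Common/vs_api {
    destination /Common/203.0.113.20:8080
    ip-protocol tcp
    pool /Common/pool_api
}
ltm pool /Common/pool_web {
    members {
        /Common/10.0.1.11:8443 {
            address 10.0.1.11
        }
        /Common/10.0.1.12:8443 {
            address 10.0.1.12
        }
    }
}
ltm pool /Common/pool_api {
    members {
        /Common/10.0.2.5:8080 {
            address 10.0.2.5
        }
    }
}
"""

# Constructed firewall events in the canonical field order:
# timestamp_utc source_ip destination_ip destination_port protocol action
FIREWALL_LOGS = [
    "2024-05-01T10:00:01Z 198.51.100.7 203.0.113.10 443 tcp allow",
    "2024-05-01T10:00:02Z 198.51.100.9 203.0.113.20 8080 tcp allow",
    "2024-05-01T10:00:03Z 198.51.100.9 203.0.113.30 22 tcp deny",
    "2024-05-01T10:00:04Z 198.51.100.3 203.0.113.40 443 tcp allow",  # no VIP configured
]

# Constructed F5 connection evidence (assumed key=value syslog shape).
F5_CONN_LOGS = [
    "2024-05-01T10:00:01Z vip=203.0.113.10:443 member=10.0.1.11:8443 client=198.51.100.7",
]

# Top-level tmsh blocks close with a brace at column 0; nested closes are indented.
VS_RE = re.compile(r"ltm virtual (\S+) \{(.*?)\n\}", re.S)
POOL_RE = re.compile(r"ltm pool (\S+) \{(.*?)\n\}", re.S)
MEMBER_RE = re.compile(r"/Common/(\d+\.\d+\.\d+\.\d+):(\d+) \{")
CONN_RE = re.compile(r"vip=(\S+) member=(\S+)")


@dataclass
class FlowEvent:
    """Canonical normalized record shared by every data source."""
    timestamp_utc: str
    source_ip: str
    destination_ip: str
    destination_port: int
    protocol: str
    action: str

    @property
    def join_key(self) -> str:
        return f"{self.destination_ip}:{self.destination_port}"


def parse_tmsh(text):
    """Return ({vip_key: (vs_name, pool_name)}, {pool_name: [member_key, ...]})."""
    vips, pools = {}, {}
    for name, body in VS_RE.findall(text):
        dest = re.search(r"destination \S+?/(\d+\.\d+\.\d+\.\d+):(\d+)", body)
        pool = re.search(r"\bpool (\S+)", body)
        if dest:
            vips[f"{dest.group(1)}:{dest.group(2)}"] = (name, pool.group(1) if pool else None)
    for name, body in POOL_RE.findall(text):
        pools[name] = [f"{ip}:{port}" for ip, port in MEMBER_RE.findall(body)]
    return vips, pools


def normalize_firewall(lines):
    """Map raw firewall lines onto FlowEvent; malformed lines are skipped, not guessed."""
    events = []
    for line in lines:
        parts = line.split()[:6]
        if len(parts) != 6:
            continue
        ts, src, dst, dport, proto, action = parts
        events.append(FlowEvent(ts, src, dst, int(dport), proto.lower(), action.lower()))
    return events


def parse_conn_evidence(lines):
    """Set of (vip_key, member_key) pairs the F5 reported as live connections."""
    return {(m.group(1), m.group(2)) for m in map(CONN_RE.search, lines) if m}


def correlate(events, vips, pools, evidence):
    """One report row per (allowed external flow, internal member), confidence-labelled."""
    rows = []
    for ev in events:
        if ev.action != "allow":
            continue  # denied traffic is not exposure
        if ev.join_key not in vips:
            rows.append({**asdict(ev), "virtual_server": None, "pool": None,
                         "member": None, "confidence": "unresolved"})
            continue
        vs_name, pool_name = vips[ev.join_key]
        for member in pools.get(pool_name, []):
            conf = "confirmed" if (ev.join_key, member) in evidence else "configured"
            rows.append({**asdict(ev), "virtual_server": vs_name, "pool": pool_name,
                         "member": member, "confidence": conf})
    return rows


def build_report():
    vips, pools = parse_tmsh(TMSH_CONFIG)
    return correlate(normalize_firewall(FIREWALL_LOGS), vips, pools,
                     parse_conn_evidence(F5_CONN_LOGS))


if __name__ == "__main__":
    print(json.dumps(build_report(), indent=2))
```

The `unresolved` row is the case worth watching in practice: an allowed flow to a public address with no matching virtual server means either the configuration snapshot is stale or the address is answered by something other than the load balancer, and both deserve a follow-up rather than being silently dropped from the report.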
Step 1: Normalization
Each data source was normalized into a canonical structure:
```text
timestamp_utc
source_ip
destination_ip
destination_port
protocol
action