Manual Chapter :
AFM Reporting
Applies To:
Show VersionsBIG-IP AFM
- 14.1.3, 14.1.2, 14.1.0
AFM Reporting
Viewing AFM reports
BIG-IP AFM reports are graphical representations of Network Firewall, DoS Protection, and IP Intelligence events that have been detected by the AFM system within a specified period of time. You can select an individual event within a graph to obtain very detailed information about the event.
Viewing AFM reports typically begins by navigating to the appropriate reporting page, filtering by a specific time period, and then selecting a specific event to view the event details. You can export reports in PDF or CSV formats.
These tasks will help familiarize you with the AFM reporting feature.
Task list
- View AFM Network Firewall reports.
- View AFM DoS reports.
- View AFM IP Intelligence reports.
View AFM Network Firewall reports
To view an AFM Network Firewall event, you must have one or more Network Firewall policies assigned to a context, and one or more packet matches must have occurred.
With AFM Network Firewall reporting, you can view three categories of firewall rule events: enforced, staged, and management port. The Network Firewall reporting page is divided into two sections: a graph area and a Details area.
- On the Main tab, click.You can clickStaged RulesorEnforced Management Rulesat the top of the page to change the rule event category.
- Click theView Bylist to review the additional reporting categories for enforced rules.
- Click theTime Periodlist to review the available reporting time based filters.
- ClickExpand Advanced Filtersto view additional filters that allow you to customize the currently selected category.
- Hover over the graph area to view enforced firewall rule matches presented in an ordered list from the most popular to the least popular rules, and the context on the BIG-IP system where the firewall match occurred.
- Familiarize yourself with the available chart actions:
- Move the cursor over a specific graph area to view all of the events that occurred during that specific time.
- Drag the cursor over a graph area to view all of the events that occurred during that specific time range.
- The Details area at the bottom shows the firewall rule context and total number of packet matches.
- Click theExporthyperlink at the upper right of the page to export the report in either PDF or CSV format.
Next, you might want to view DoS event reports.
View AFM DoS reports
To view a DoS event, you must have a DoS protection profile assigned to a protected object, or have enabled device protection, and a DoS attack must have occurred.
With AFM DoS reporting, you can view DoS attacks by type and duration. The DoS reporting page is divided into three sections: a time selector, a charts area, and a dimensions area. The three areas show all DoS events within a selected time period. When you select a specific DoS event in one area, all three areas highlight that specific event.
- On the Main tab, click.
- In the time selector area at the top of the page, clickLast Hourto review the available time filters.You can move the slider bars to the left and right of the time scale to further filter the time period.
- Hover over an attack to view the attack summary, or click the attack to highlight the attack in the Attacks area and the Dimentions area.The chart's Attack Duration area shows the time and severity of each DoS attack.
- Familiarize yourself with these chart actions:
- Move the cursor over a specific graph area to view all of the events that occurred during that specific time.
- Drag the cursor over a graph area and click the+icon to view all of the events that occurred during that specific time range.
- Use the chart's Attacks area to view the charts labeled # of Attacks, the # of Attacks per Protocol, and also to select and review specific attacks from Attack ID list.
- Click a specifc attack ID in the Attack ID list to show statistical information about the attack in the dimensions area to the far right.
- Click the chart icon (Open in Analysis Page) to show an in-depth resource analysis of the attack.
- At the top of the page, clickCustom Pageto open a new screen where you can create a customized DoS report that can be exported in a PDF format.
Next, you might want to view IP Intelligence reports.
View AFM IP Intelligence reports
To view an IP Intelligence event, you must have one or more AFM Network Firewall policies assigned to a context, and one or more packet matches must have occurred.
With AFM IP Intelligence reporting, you can view IP Intelligence blacklist and whitelist matching events by category name. The IP Intelligence reporting page is divided into two sections: a graph area and a Details area. This task shows how to view detailed reporting information about enforced Network Firewall rule events.
- On the Main tab, click.
- Click theView Bylist to review the additional reporting categories for IP Intelligence matches.For this example, selectSource IP Addresses.
- Click theTime Periodlist to review the available reporting time based filters.For this example, selectLast Month.
- Hover over the graph area to view IP Intelligence match events, ordered from most popular to least popular, and familiarize yourself with the available chart actions:
- Move the cursor over a specific graph area to view all of the events that occurred during that specific time.
- Drag the cursor over a graph area to view all of the events that occurred during that specific time range.
- Move to the Details area at the bottom of the page to see the IP Intelligence category name and total number of matches.
- ClickExpand Advanced Filtersto view additional filters that allow you to customize the currently selected category.
- To export the report in either PDF or CSV format, click theExportbutton at the upper right of the page.