Manual Chapter : AFM Reporting

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
Manual Chapter

AFM Reporting

Viewing AFM reports

BIG-IP AFM reports are graphical representations of Network Firewall, DoS Protection, and IP Intelligence events that have been detected by the AFM system within a specified period of time. You can select an individual event within a graph to obtain very detailed information about the event.
Viewing AFM reports typically begins by navigating to the appropriate reporting page, filtering by a specific time period, and then selecting a specific event to view the event details. You can export reports in PDF or CSV formats.
These tasks will help familiarize you with the AFM reporting feature.

Task list

  1. View AFM Network Firewall reports.
  2. View AFM DoS reports.
  3. View AFM IP Intelligence reports.

View AFM Network Firewall reports

To view an AFM Network Firewall event, you must have one or more Network Firewall policies assigned to a context, and one or more packet matches must have occurred.
With AFM Network Firewall reporting, you can view three categories of firewall rule events: enforced, staged, and management port. The Network Firewall reporting page is divided into two sections: a graph area and a Details area.
  1. On the Main tab, click
    Security
    Reporting
    Network
    Enforced Rules
    .
    You can click
    Staged Rules
    or
    Enforced Management Rules
    at the top of the page to change the rule event category.
  2. Click the
    View By
    list to review the additional reporting categories for enforced rules.
  3. Click the
    Time Period
    list to review the available reporting time based filters.
  4. Click
    Expand Advanced Filters
    to view additional filters that allow you to customize the currently selected category.
  5. Hover over the graph area to view enforced firewall rule matches presented in an ordered list from the most popular to the least popular rules, and the context on the BIG-IP system where the firewall match occurred.
  6. Familiarize yourself with the available chart actions:
    1. Move the cursor over a specific graph area to view all of the events that occurred during that specific time.
    2. Drag the cursor over a graph area to view all of the events that occurred during that specific time range.
  7. The Details area at the bottom shows the firewall rule context and total number of packet matches.
  8. Click the
    Export
    hyperlink at the upper right of the page to export the report in either PDF or CSV format.
Next, you might want to view DoS event reports.

View AFM DoS reports

To view a DoS event, you must have a DoS protection profile assigned to a protected object, or have enabled device protection, and a DoS attack must have occurred.
With AFM DoS reporting, you can view DoS attacks by type and duration. The DoS reporting page is divided into three sections: a time selector, a charts area, and a dimensions area. The three areas show all DoS events within a selected time period. When you select a specific DoS event in one area, all three areas highlight that specific event.
  1. On the Main tab, click
    Security
    Reporting
    DoS
    Dashboard
    .
  2. In the time selector area at the top of the page, click
    Last Hour
    to review the available time filters.
    You can move the slider bars to the left and right of the time scale to further filter the time period.
  3. Hover over an attack to view the attack summary, or click the attack to highlight the attack in the Attacks area and the Dimentions area.
    The chart's Attack Duration area shows the time and severity of each DoS attack.
  4. Familiarize yourself with these chart actions:
    1. Move the cursor over a specific graph area to view all of the events that occurred during that specific time.
    2. Drag the cursor over a graph area and click the
      +
      icon to view all of the events that occurred during that specific time range.
  5. Use the chart's Attacks area to view the charts labeled # of Attacks, the # of Attacks per Protocol, and also to select and review specific attacks from Attack ID list.
    1. Click a specifc attack ID in the Attack ID list to show statistical information about the attack in the dimensions area to the far right.
    2. Click the chart icon (Open in Analysis Page) to show an in-depth resource analysis of the attack.
  6. At the top of the page, click
    Custom Page
    to open a new screen where you can create a customized DoS report that can be exported in a PDF format.
Next, you might want to view IP Intelligence reports.

View AFM IP Intelligence reports

To view an IP Intelligence event, you must have one or more AFM Network Firewall policies assigned to a context, and one or more packet matches must have occurred.
With AFM IP Intelligence reporting, you can view IP Intelligence blacklist and whitelist matching events by category name. The IP Intelligence reporting page is divided into two sections: a graph area and a Details area. This task shows how to view detailed reporting information about enforced Network Firewall rule events.
  1. On the Main tab, click
    Security
    Reporting
    Network
    IP Intelligence
    .
  2. Click the
    View By
    list to review the additional reporting categories for IP Intelligence matches.
    For this example, select
    Source IP Addresses
    .
  3. Click the
    Time Period
    list to review the available reporting time based filters.
    For this example, select
    Last Month
    .
  4. Hover over the graph area to view IP Intelligence match events, ordered from most popular to least popular, and familiarize yourself with the available chart actions:
    1. Move the cursor over a specific graph area to view all of the events that occurred during that specific time.
    2. Drag the cursor over a graph area to view all of the events that occurred during that specific time range.
  5. Move to the Details area at the bottom of the page to see the IP Intelligence category name and total number of matches.
  6. Click
    Expand Advanced Filters
    to view additional filters that allow you to customize the currently selected category.
  7. To export the report in either PDF or CSV format, click the
    Export
    button at the upper right of the page.