Manual Chapter : Secure Web Gateway Statistics

Applies To:


BIG-IP APM

  • 16.0.1, 16.0.0, 15.1.0

Secure Web Gateway Statistics

About SWG data for threat monitoring

After Secure Web Gateway (SWG) starts proxying web access, it provides information that you can use to monitor threats and to fine-tune URL filters.
On a BIG-IP system with Access Policy Manager, SWG can provide logs and reports.
On a BIG-IP system with an SWG subscription, SWG can provide overview statistics in addition to logs and reports.
If you configure high-speed remote event logging, you have data on a remote system from which you can create your own reports.

About Secure Web Gateway statistics

Secure Web Gateway (SWG) reports display statistical information about web traffic on your system. These details are available:
Actions
Action (allowed, blocked, or confirmed) taken on the URL request.
Client IP address
IP address from which the request for the URL originated.
Host Name
When available, host name from which the request for the URL originated.
Categories
Name of the preconfigured or custom URL category into which a requested URL falls.
URLs
Requested URL.
URL filters
Name of the URL filter SWG applied to the request based on the schedule in the scheme.
Security categories
The security category that the URL matched, if the request was blocked because the URL fell into a security category.
Security categories are available only on a BIG-IP system with an SWG subscription.
Users
Name of the user that made the request, if available.
Configuring your system to identify users is optional.
SSL bypass
Whether the request was bypassed (yes or no).
Configuring your system to omit certain SSL traffic from inspection is optional.

Overview: Monitoring Internet traffic for threats

You can view Secure Web Gateway (SWG) statistics on the BIG-IP system and adjust URL filters to handle new threats based on the information that you gather from logs and reports.
Before you begin, event logging should be configured. SWG reports and charts depend on event logging for URL filters. For event logging to occur, log settings must be configured and then specified in the access profile, and a Category Lookup item must be run in the per-request policy.

Task summary

About the Secure Web Gateway Overview

The Secure Web Gateway (SWG) overview provides multiple reports and charts that summarize the top requests, such as top URLs, top categories by blocked request count, top users by permitted request count or by blocked request count, and so on. The overview can be customized to show the specific type of data that you are interested in.
SWG overview is available only on a BIG-IP system with an SWG subscription.
In addition to the reports and charts on the overview, SWG provides the All Requests and Blocked Requests reports and charts. The reports can be filtered to show the information that you want to see.

Configuring statistics collection for SWG reports

Configure report settings to specify whether to gather statistics for Secure Web Gateway (SWG) reports and whether to use data sampling.
  1. On the Main tab, click Access > Overview > SWG Reports > Settings.
     The Report Settings screen displays.
  2. To enable statistics gathering, select the Collect Data check box.
     If you clear the check box, data collection stops.
  3. To enable dynamic data sampling, select the Sample Data check box.
     In exchange for a performance gain, data sampling might provide slightly inaccurate statistics. If statistics must be more accurate, then disable data sampling.

Examining statistics on the SWG Overview

Newer browsers (Internet Explorer 9 or later, Firefox 3.6 or later, or Chrome 14 or later) support viewing charts with no additional plug-in. If using older browsers (Internet Explorer 8 or earlier), Adobe Flash Player (version 8 or later) must be installed on the computer where you plan to view charts.
You can review charts that show statistical information about traffic from your enterprise to the Internet. The charts provide visibility into the top requests for URL categories, blocked URL categories, top users, and so on.
The system updates the statistics every five minutes; you can refresh the charts periodically to see the updates.
  1. On the Main tab, click Access Policy > Secure Web Gateway > Overview.
     The Overview is available only on a BIG-IP system with an SWG subscription.
     The Overview screen displays.
  2. From the Override time range to list, select a new time frame to apply to all of the widgets in the overview.
     Within each widget you can override the default time range, as needed.
  3. For each widget, select the data format and the time range to display, as needed.
  4. To focus on the specific details you want more information about, click the chart or the View Details link.
     The system refreshes the charts and displays information about the item.
  5. From the View By list, select the specific network object type for which you want to display statistics.
     You can also click Expand Advanced Filters to filter the information that displays.
  6. On the screen, the system displays the path you followed to reach the current display, including the items you clicked. For example, to review details for the top categories, follow these steps:
     1. In the Top categories by Request Count chart, click the category that interests you.
        Assume that your URL filters allow access to some news and media sites and that News and Media is among the top categories. Click News and Media.
        Charts display the request count per action over time and the request count per action. A details table lists the request count for allowed actions.
     2. In the View By list, select URLs.
        Charts update and a list of URLs displays in the details table. These are the top news and media URLs.
     3. To see which filter allowed a URL, continue to drill down by clicking a link in each details table that displays. As an alternative to drilling down, you can select any of the statistics on the View By list directly; for example, select URL Filter.
     The Overview charts display summarized data. You might notice as you drill down that details display on the Reports screen.
You can review the access policy to ensure that you use the optimal strategy for processing traffic. You can update URL filters to block, confirm, or allow particular URL categories. You can update URL categories to include new URLs that you have seen in statistics details, or to recategorize existing URLs to fit your policies. You can continue to review the collected metrics and troubleshoot the system as needed.

Focusing the Overview on security threats

You can display attempted access to sites that pose a security risk by adding the security category widget to the Secure Web Gateway (SWG) Overview screen and by filtering a Blocked Request report using the security categories filter.
  1. On the Main tab, click Access Policy > Secure Web Gateway > Overview.
     The Overview is available only on a BIG-IP system with an SWG subscription.
     The Overview screen displays.
  2. Click the Add Widget link near the bottom of the screen.
     The Add New Widget screen displays.
  3. From the Modules list, select Secure Web Gateway (Blocked).
     The security categories widget includes data requests that were blocked.
  4. From the View by list, select Security Categories.
     Requests that were blocked for URLs because they are included in the Security category or any of its subcategories are included in the data.
  5. Move a measurement from Available measurements to the Select up to 6 measurements to display list.
  6. For Data visualization, select one of the options. Details Table is the default option.
  7. Click Done.
     The Add New Widget screen closes.
The Overview screen displays the Security Categories chart.
You can also filter a Blocked Requests report to view this data by selecting Security Categories from the View by list.

Exporting or emailing SWG statistics

You can export or email charts that show Secure Web Gateway (SWG) statistics.
  1. On the Main tab, click Access Policy > Secure Web Gateway > Overview.
     The Overview is available only on a BIG-IP system with an SWG subscription.
     The Overview screen displays.
  2. Display the charts that show the information you want, clicking any of the options and adjusting the content as needed.
  3. On the upper right of the charts screen, click Export.
     To send the report to others by email, go to Statistics > Analytics > Scheduled Reports.
  4. Click Export.

Creating an SMTP server configuration

You specify the SMTP server configuration so that you can send emails through an SMTP server.
  1. On the Main tab, click System > Configuration > Device > SMTP.
  2. Click the Create button.
     The New SMTP Configuration screen opens.
  3. In the Name field, type a name for the SMTP server that you are creating.
  4. In the SMTP Server Host Name field, type the fully qualified domain name for the SMTP server host.
  5. In the SMTP Server Port Number field, type a port number.
  6. In the Local Host Name field, type the host name used in the SMTP headers in the form of a fully qualified domain name.
     This host name is not the same as the BIG-IP system's host name.
  7. In the From Address field, type the email address that you want displayed as the reply-to address for the email.
  8. From the Encrypted Connection list, select the encryption level required for the SMTP server.
  9. To require that the SMTP server validates users before allowing them to send email, select the Use Authentication check box, and type the user name and password required to validate the user.
  10. Click the Finish button.
You can now configure the system to use this SMTP server to send emails. For the SMTP mailer to work, you must make sure the SMTP server is on the DNS lookup server list, and configure the DNS server on the BIG-IP system.

Implementation result

Secure Web Gateway (SWG) is configured to produce reports and charts.

About the reporting interval for charts and reports

The system aggregates data over time based on time intervals. This allows for more data accumulation over time, with a lower requirement for data storage resources. These aggregation intervals include minutes, hours, days, weeks, and months. When viewing data in the middle of an aggregation cycle, data is displayed based on the most recent aggregation point, so the most recent data can be delayed.

Short reporting interval

The system updates the statistics for charts and reports at five minute intervals: at five minutes after the hour, ten minutes after the hour, and so on. Each five-minute mark includes data from the previous five minutes; so 12:45 includes data starting from 12:40:01 to 12:45:00.
Charts and data that you export from charts reflect the publishing interval of five minutes. For example, if you request data for the time period 12:40-13:40, the data in the chart or in the file that you export is for that time period. But if there is a request for data from 12:42-13:42, the data in the chart is from 12:45-13:45. By default, the BIG-IP system displays one hour of data.

Longer reporting interval

As with short reporting intervals, for charts that display data at longer intervals (for example, Last 4 hours or longer), the system updates statistics up to the most recent aggregation cycle. This can result in longer delays in the data currently on display. For example, if you are viewing a chart that displays several hours of data, there may be a delay of up to one hour when viewing statistics at the top of an aggregation cycle. As more data is collected over that hour, the data delay is reduced.

About statistics aggregation for weekly and longer time ranges

Secure Web Gateway (SWG) reports and charts for weekly, monthly, and yearly time ranges include statistics up through the previously completed hour. The system performs hourly updates to the aggregated statistics.
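The alignment rules from the short reporting interval section and the weekly aggregation section above, worked through as an added example (this is not F5 code; it only models the behaviour the text describes, and the 12:42-13:42 request and the 13:37 "now" timestamp are constructed sample inputs):

```python
from datetime import datetime, timedelta

# Five-minute publishing interval for short-range charts and exports.
PUBLISH_INTERVAL = timedelta(minutes=5)


def ceil_to_interval(ts: datetime, interval: timedelta = PUBLISH_INTERVAL) -> datetime:
    """Round a timestamp up to the next interval boundary.

    A timestamp already on a boundary is returned unchanged, so 12:40:00 stays
    in the 12:40 bucket while 12:40:01 .. 12:45:00 all map to 12:45.
    """
    base = ts.replace(minute=0, second=0, microsecond=0)
    offset = ts - base
    steps = -(-offset // interval)  # ceiling division on timedeltas
    return base + steps * interval


def publishing_mark_for(ts: datetime) -> datetime:
    """Five-minute mark whose bucket contains this sample (12:40:01-12:45:00 -> 12:45)."""
    return ceil_to_interval(ts)


def effective_short_range(start: datetime, end: datetime) -> tuple:
    """Window a short-interval chart actually shows for a requested start/end.

    Both ends move up to the five-minute publishing boundary, so a request for
    12:42-13:42 is displayed as 12:45-13:45 while 12:40-13:40 is unchanged.
    """
    return ceil_to_interval(start), ceil_to_interval(end)


def weekly_report_cutoff(now: datetime) -> datetime:
    """Latest point included in weekly/monthly/yearly charts: the previously completed hour."""
    return now.replace(minute=0, second=0, microsecond=0)


if __name__ == "__main__":
    day = datetime(2024, 1, 15)  # constructed sample date
    req = (day.replace(hour=12, minute=42), day.replace(hour=13, minute=42))
    print("requested", req, "-> shown", effective_short_range(*req))
    print("12:40:01 lands in bucket", publishing_mark_for(day.replace(hour=12, minute=40, second=1)))
    print("weekly chart at 13:37 includes data through", weekly_report_cutoff(day.replace(hour=13, minute=37)))
```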