Manual Chapter : Collecting Security Statistics

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

BIG-IP Analytics

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

BIG-IP Link Controller

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

BIG-IP LTM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

BIG-IP PEM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

BIG-IP AFM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

BIG-IP DNS

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

BIG-IP ASM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

Collecting Security Statistics

Overview: Collecting DoS statistics

This implementation describes how to edit the reporting settings for the denial of service (DoS) attack statistics collected from your virtual servers with DoS profile protection. The system can be configured to collect statistics locally or remotely. You use these statistics for troubleshooting and improving DoS protection to your applications or over your network. These statistics include information about the traffic volume, transaction outcomes, packet errors, and IP address information (when available).
When enabling or disabling reporting settings, consider your protection configuration over BIG-IP, and whether your system is currently provisioned with AFM DoS protection coverage (optionally ASM for specific configuration settings).

Customizing security statistics collection and reporting settings

To collect and report statistics from your DoS protected virtual servers, you must ensure that you have licensed and provisioned the AFM module.
If you would like to store data remotely, ensure that your remote server is configured.
The default reporting settings allows AVR to collect and locally store certain security statistics. You can customize the default reporting and collection settings to your system needs, or to ensure that security reporting is available for storage on a remote publisher. Ensure that the enabled settings meets your custom needs, as increased statistics collection requires additional system resources.
  1. On the Main tab, click
    Security
    Reporting
    Settings
    Reporting Settings
    .
  2. Verify that the
    Local Storage
    setting is
    Enabled
    .
    This setting prompts the system to store statistics locally, and you can view the charts on the system by starting at the Main tab, and clicking
    Statistics
    Analytics
    .
  3. To export statistics, select
    Enabled
    for the
    Remote Storage
    setting.
    When enabled, you can select the remote storage server from the
    Publisher
    setting.
  4. Enable or disable the default data collection settings.
    For more information about the specific statistics collected, see Reporting settings statistics.
  5. To email reports, specify an SMTP Configuration. If no configuration is available, click
    Create
    to create one.
  6. Click
    Save
    .
Statistics are collected from the virtual servers with corresponding security settings.

Reporting settings statistics

The reporting settings allow you to configure security statistics collection from virtual servers with network-level (AFM) DoS protection services (unless stated otherwise). The following describes the specific statistics collected per field provided in the Reporting Settings screen (
Security
Reporting
Settings
Reporting Settings
). Depending on your reporting settings, stored statistics either available locally on your BIG-IP, or on an external server.
All data collected is marked with the reported time stamp, system collection interval, and number of data points collected.
Reporting Setting
Data Collected
Collect ACL stats
Detected ACL violations are reported as
Enforced
or
Staged
, based on the configuration of the corresponding ACL rule list.
  • Application name
  • Firewall policy
  • Rule list
  • Matched ACL rule
  • Applied ACL Context (including protocol and action)
  • Translation reason and type (source address translation)
  • Server local and remote IP addresses
  • Client local and remote IP addresses
  • Source VLAN
  • Source port and IP address
  • Destination port and IP address
  • Source and destination geolocation
    • Region
    • User name
    • IP category
Remote Storage Only
  • BIG-IP Hostname and Slot ID
  • Server local and remote IP route domain
  • Client local and remote IP route domain
  • Entity error definition
Collect Network DoS stats
  • Packet Size
  • Number of dropped packets
  • Application Name
  • Virtual Server Name/IP
  • Action Name/ID
  • DoS Profile Name
  • VLAN Name and Group
  • Source and Destination IP
  • Source and Destination Country Code
  • Attack Information
    • ID
    • Type
    • Category
    • Transaction Outcome
    • Vector
    • Trigger
    • Mitigation
    • Suspected Attacker's IP
Remote Storage Only
  • BIG-IP Hostname and Slot ID
  • Server local and remote IP route domain
  • Client local and remote IP route domain
  • Entity type and error definition
Collect Firewall Events Stats
  • Error Reason/ID
  • Action/Action ID
  • VLAN Name
  • Source and Destination IP
  • Source and Destination Port (local log only)
  • Network Protocol
Remote Storage Only
  • BIG-IP Hostname and Slot ID
  • Server local and remote IP route domain
  • Client local and remote IP route domain
  • Entity type and error definition
Collect IP Reputation stats
  • Source IP
  • Context Name
  • IP Reputation Policy Name
  • VLAN Name
  • Hit Type
  • Dropped Status
  • Class Name
Remote Storage Only
  • BIG-IP Hostname and Slot ID
  • Server local and remote IP route domain
  • Entity type and error definition
Collect DNS stats
  • Packet Size
  • Application Name
  • VLAN Name
  • Source IP address and route domain
  • Virtual Server (name or IP)
  • Caller and Callee Name
  • SIP Method
  • DoS Profile Name
  • Attack Information
    • ID
    • Type
    • Transaction Outcome
    • Vector
    • Trigger
    • Mitigation
    • Attacker's IP
Remote Storage Only
  • BIG-IP Hostname and Slot ID
  • BIG-IQ configuration
  • Entity type and error definition
Collect SIP stats
  • Packet Size
  • Application Name
  • VLAN Name
  • Source IP address and route domain
  • Virtual Server (name or IP)
  • Caller and Callee Name
  • SIP Method
  • DoS Profile Name
  • Attack Information
    • ID
    • Type
    • Transaction Outcome
    • Vector
    • Trigger
    • Mitigation
    • Attacker's IP
Remote Storage Only
  • BIG-IP Hostname and Slot ID
  • Entity type and error definition
DoS Network
Destination IP address sent over the network
Network Firewall Rules
  • Source and Destination IP Address
  • Source and Destination Port
  • Server Side Statistics
    • NAT translated addresses and ports
    • Self IP
    • Server IP
  • State Rules
DoS HTTP*
All HTTP analytics data for virtual servers with ASM DoS protection. For more information about the collected information, go to
Local Traffic
Profiles
Analytics
HTTP Analytics
and select the
analytics
profile.