Monitoring ASM System Resources
This implementation describes how to set up the BIG-IP system to collect Application Security Managerâ„¢ (ASM) resource usage and send alerts when the system has surpassed threshold usage. These alerts allow you to troubleshoot any system resource limitations that can impact ASM performance. You can specify the resources monitored and the thresholds that you want the system to use, or let the system send alerts about your selected resources based on default settings. You can also specify whether these alerts are sent over the local system log, SNMP or SMTP (email) when a threshold is surpassed and when the threshold is then below the set value.
To set up email alerts you must specify an SMTP configuration. If you have not already done so, you can click Create in the SMTP Configuration field.
Monitoring aspects of system resource usage can assist in system troubleshooting and prevent long-term ASM performance issues. You can configure which system resources and corresponding thresholds trigger your alert notifications, and where these notifications can be logged or sent.
-
On the main tab, click Security > Reporting > Settings > ASM Alerts.
The ASM Alerts screen opens.
-
Select the Enabled checkbox to receive alerts when that system resource exceeds its threshold.
In the Threshold field of each resource, adjust the threshold according to your system monitoring needs.
-
If you want the system to send email notifications, review the SMTP Configuration field to ensure that a configuration is specified and not the value None.
You can configure SMTP only in the default Analytics profile. If it is not configured, you can save the profile and edit the default profile where you can select an existing SMTP configuration or create a new one. (If you click the analytics link without saving the new profile you are working on, you will lose the unsaved changes.)
-
For the Notification Type setting, select how you want the system to send alerts and notifications.
When you select a notification type, the screen displays the Alerts and Notifications Configuration area, where you can indicate the criteria for alerts and notifications.Type Description Syslog Select Syslog if you want the system to send notification and alert messages to the local log system. You can view the messages on the System > Logs > Local Traffic screen. SNMP Select SNMP if you want the system to send notification and alert messages as SNMP traps. You can create the trap by clicking Configuration can be found here ( System > SNMP > Traps > Destination). Enabling SNMP automatically sets up Syslog notifications, too. E-mail Select E-mail if you want the system to send notification and alert messages to email addresses. Type each email address in the Notification E-Mails field, and click Add to create the list. This option requires that the default analytics profile includes an SMTP configuration. -
Click Update save your alert settings.
Enabling alerts has a minimal performance impact when all alerts are enabled.
Note: Immediately following configuration, you may receive an alert notification that the system had surpassed a low value threshold. You may disregard this initial notification.
You can receive alerts for Application Security Manager (ASM) system resources when system these resources pass a defined usage thresholds. This table provides an overview of the system resources used directly, or indirectly, by ASM. Alert notifications reflect the average system values, per blade, collected over the past minute. These alerts allow you to mitigate resource usage that impacts ASM performance. For sustained alerts, you may need to adjust your memory configuration, virtual server configuration, or add a new device. For assistance, contact F5 Support.
| System Resource | Resource Description and Impact | Default Threshold |
|---|---|---|
| TMM CPU Usage | The average CPU usage for TMM processes over all system cores. The TMM processes all load-balanced traffic on the BIG-IP system. Reaching maximum usage impacts system performance for all TMM-based processes, which results in a loss of network information. | 85% |
| Total CPU Usage | The average CPU usage for the entire system over all system cores. Reaching maximum usage impacts system performance as a whole, and results in a loss of network information. | 90% |
| ASM CPU Usage | The average CPU usage for the BD processes over all system cores. Reaching maximum usage impacts ASM performance, by preventing ASM policy enforcement. | 85% |
| ASM CPU Usage per VS | The average CPU usage for the ASM enforcer per virtual server. This can indicate that an application requires higher resource usage. Reaching maximum usage impacts the ASM performance for virtual server’s corresponding the application/s. | 35% |
| TMM Memory Utilization | The average TMM memory usage out of the total memory provisioned for the system TMM. Reaching maximum usage impacts system performance for all TMM-based processes, which results in a loss of network information. | 95% |
| UMU Memory Utilization | The average UMU memory usage out of the total memory provisioned for ASM enforcer. UMU memory is the internal memory used to process all of ASM traffic, excluding XML traffic. High memory usage can result from unusually large requests. Reaching maximum usage impacts ASM performance. | 90% |
| XML Memory Utilization | The average XML memory usage out of the total memory provisioned for the ASM enforcer. XML memory is the internal memory provisioned for an application that uses web services or XML. Reaching maximum memory usage impacts ASM performance for traffic associated with an XML profile. | 90% |
| Total Swap Memory Utilization | The average swap memory usage for all system processes out of the total swap area. High swap usage can indicate that UMU or TMM memory has reached maximum usage. High system swap usage can impact system performance. | 10% |
| ASM Swap Memory in MB | The average amount of swap (MB) usage for ASM enforcer. ASM swap memory provides swap memory for ASM enforcer until more system memory becomes available. Relying on swap memory for an extended period of time will affect the overall ASM performance. | 5MB |
| Event Message Queue Utilization | The percent memory used for events waiting for ASM enforcer processing in the message queue out to the total memory for all queues. Reaching high usage can indicate that ASM enforcer is not processing incoming traffic. This can also indicate a change in the total CPU availability. | 90% |
| Backlog Message Queue Utilization | The percent memory usage for messages removed from the message queues and transferred to the backlog queue out of the total memory for all queues. This can indicate that messages are redirected from the event message queue. Reaching high usage can eventually result in bypassed or dropped messages. | 5% |
| Bypassed Transaction Rate | The number of HTTP transactions per second (TPS) that bypassed ASM processing due to the unavailability of the ASM enforcer. Bypassed translations indicate that some traffic is not evaluated by your ASM policy. | 0.1 Million TPS |