Manual Chapter: Monitoring and Reporting for Network Security and Web Application Security Policies
Applies To: BIG-IQ Centralized Management 6.0.1
Monitoring Active Firewall Policies
View active firewall policies
You use the Active Policy screen to view summary information about the firewall policies and rules that are currently active on BIG-IP devices.
- Click.
- Review the firewall policies, including on what BIG-IP devices they are active.
- To review the rules and rule lists in a policy, click the policy name. The screen displays the rules and rule lists in the policy.
- To edit a rule or rule list, click the name of the rule or rule list.
Active firewall policy rule properties
This table describes the rule properties shown for a firewall policy that is active on a BIG-IP device.
Column | Description |
---|---|
# | Specifies the evaluation order of the rule within the policy. Rules are evaluated from the lowest number to the highest. If a rule is contained within a rule list, it is numbered after the decimal point. For example, a policy with 3 rules, followed by a rule list containing 2 rules, followed by another rule outside of the rule list, would be numbered as: 1, 2, 3, 4, 4.1, 4.2, 5. In the example, 4 represents the rule list, and 4.1 and 4.2 are the evaluation order of the rules within that rule list. |
Rule Name | Specifies the name of the rule. This contains a reference to the rule list when the row contains a rule list. You can click the rule name for more information. |
Rule List Name | Specifies the name of the rule list that contains one or more rules. This is blank when the row contains a rule. |
UUID | Specifies the universal unique identifier (UUID) associated with the rule. You can use the UUID to search for a rule in a policy. You must enable this feature on the BIG-IP device for UUIDs to be assigned to rules on that device. |
Action | Specifies the action taken when the rule is matched, such as whether it is accepted or rejected. |
Protocol | Specifies the IP protocol used by the rule to compare against the packet. |
Log | Specifies whether the firewall software should write a log entry for any packets that match this rule. |
State | Specifies the activity state of the rule, such as whether it is enabled or disabled. |
Monitoring Firewall Rules
About firewall rule monitoring
In BIG-IQ Centralized Management, you can monitor:
- Firewall rule statistics, such as the number of times inbound network traffic matches a firewall rule on a BIG-IP device (also referred to as a firewall rule hit count) as well as the rule overlap status.
- Firewall rule compilation statistics for a set of rules associated with a firewall context on a BIG-IP device.
Monitoring firewall rule statistics and hit counts
You can monitor firewall rule statistics and hit counts on one or more BIG-IP devices using Network Security monitoring. Firewall rule statistics are collected for the rules in the enforced policy associated with a firewall, but not for the rules in a staged policy. If a virtual server, route domain, or self IP is created using the BIG-IQ system, firewall statistics cannot be collected until the changes are deployed to the device and reimported.
- Log in to the BIG-IQ system with your user name and password.
- At the top left of the screen, select Network Security from the BIG-IQ menu.
- Click Monitoring.
- Click Firewall Rule Statistics. The Firewall Rule Statistics screen opens and displays a list of firewall contexts, including their name, partition, type, and on what BIG-IP device they occur.
- Click the name of the firewall context to monitor.
- The Firewall Rule Statistics page for that firewall context displays. The following information is listed in the named columns for each firewall rule on the BIG-IP device:
- Rule Name specifies the name of the rule used in the policy. If not listed, the rule is not running.
- Rule List Name specifies the name of the rule list if the rule is in a rule list.
- Rule specifies the name of the rule within a rule list. If the rule is not in a rule list, this field is blank.
- Overlap Status specifies whether the rule overlaps with another rule.
- Hit Count specifies the number of times the rule has been matched.
- Last Hit Time specifies when the rule was last matched.
Monitoring firewall rule compilation statistics
You can monitor rule compilation statistics on one or more BIG-IP devices using Network Security monitoring. This information is similar to what is displayed when using the tmsh show security firewall container-stat command. If a firewall context references a policy that is both staged and enforced, there will be two entries in the compilation statistics: one for the enforced policy and one for the staged policy.
- Log in to the BIG-IQ system with your user name and password.
- At the top left of the screen, select Network Security from the BIG-IQ menu.
- Click Monitoring.
- Click Firewall Compilation Statistics. The Firewall Compilation Statistics screen opens and displays the list of BIG-IP devices managed by the BIG-IQ system, including their network name, IP address, and BIG-IP device version.
- Click the name of the BIG-IP device to monitor.
- The Firewall Compilation Statistics page for that BIG-IP device displays. Depending on the version of the BIG-IP device, the following information, or a subset of it, may be listed in the named columns for the one or more firewall rules within the specified firewall context on the BIG-IP device:
- Context Name specifies the context name associated with the one or more rules, such as /Common/global-firewall-rules.
- Context Type specifies the firewall context type associated with the one or more rules, such as global or self IP.
- Policy Name specifies the name of the policy associated with the one or more rules.
- Policy Type specifies the type of policy associated with the one or more rules, such as enforced or staged.
- Rule Count specifies the number of rules compiled for this BIG-IP device context, such as 30. This count includes rules in rule lists as well as rules that are not in rule lists.
- Compile Duration specifies the amount of time required to compile the rules, expressed as hours:minutes:seconds.
- Overlap Check Duration specifies the amount of time required to check for overlapping rules, expressed as hours:minutes:seconds.
- Size specifies the size of the compiled rules in bytes.
- Max Memory specifies the maximum amount of memory consumed by the rules in bytes.
- Activation Time specifies when the rules are activated and available for use.
Monitoring Network Security Events
Configure viewing of Network Security events
Before you configure monitoring of Network Security events, you need to ensure that the Network Security service is running on the DCD. Verify this by reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices screen. Click . If the Network Security service is not running, click Activate to start it. If you deactivate the Network Security service for a DCD, or remove a DCD with that service enabled, the associated pool member will be removed from the pool when you next deploy to the BIG-IP device (or devices). The pool afm-remote-logging-pool_<big-ipname> (where big-ipname is the name of the BIG-IP device) contains the pool member for that BIG-IP device.
You configure the collection and viewing of Network Security events so that you can better view and monitor information about your Network Security policies and firewalls. The BIG-IQ Centralized Management system provides a single button configuration process that creates and configures the needed configuration objects. The system creates these configuration objects, if needed:
- One or more logging profiles
- A log publisher
- A log destination
- A pool for each device
- Pool members
- A pool monitor
The configuration objects are shared among the Shared Security virtual servers that were selected. The objects that are created should not be modified. Modifying these objects could affect the ability of the BIG-IP devices to send Network Security events to the DCD.
- Click.
- In the list of firewall contexts, select the check box to the left of the one or more virtual servers to use. The virtual servers are listed in the Firewall Type column as vip.
- Click Configure Logging. The Network Security Logging Configuration dialog box opens.
- In the dialog box, click Continue. The dialog box shows the configuration status, including which objects were created.
- Click Close.
- Use the Deployment screens to deploy the BIG-IP device associated with the virtual server using the Local Traffic service, following these steps.
- Click.
- In the Deployments area, click Create.
- Specify a Name and Description, and select the appropriate deployment options.
- In the Target Device(s) area, select the device used by the application and click Create.
The deployment causes some of the objects created by the Network Security logging configuration process to be deployed to the device.
- Deploy the BIG-IP device for the virtual server using the Network Security service, following these steps.
- Click.
- In the Deployments area, click Create.
- Specify a Name and Description, and select the appropriate deployment options.
- In the Target Device(s) area, select the BIG-IP device to deploy and click Create.
The deployment causes the remaining objects created by the Network Security logging configuration process to be deployed to the device.
You can now receive Network Security events from the BIG-IP devices associated with the virtual servers, and view them on the screens.
View Network Security events
You need to configure the logging of Network Security events before you can view them. You view Network Security events to better track the firewall events that occur on your BIG-IP devices.
- Click. The navigation area expands to show the different types of Network Security events available.
- Click the type of event you want to view, such as Firewall. To see all Network Security events, click All Network Security Events.
- Review the information on the screen.
- To view additional details about an event:
- Click in the row for the event to see event details listed in the lower pane. You can navigate to events below or above the selected event by clicking the arrows.
- Click any blue links shown in the upper or lower panes to see more details about the linked object or to change the object.
- To focus on a reduced number of events:
- Select a device name from the list at the upper left to view events from only that single BIG-IP device. By default this is set to All Devices.
- In the Filter field in the upper right, type a text string to use a simple text filter on the events. You can use more complex filters by clicking the filter icon to the left of the Filter field. Note that the simple text filter does not support more complex filter syntax, such as specifying time in minutes and seconds.
- To change how often the event list is refreshed, select a value in the setting in the upper left.
Create filters for Network Security events
You create Network Security event filters so you can save the filters you use frequently to search for events, and not have to recreate them each time.
- Click.
- Click Add.
- Type a unique Filter Name.
- Create the filter using the Query Parameters area or by entering the query directly into the Query Expression area. In most cases, you should create the filter query using the Query Parameters area and only edit it directly if you need to refine it further.
- If you are creating the filter using the Query Parameters area, supply those parameter settings you want to be part of the filter. Note that as you enter parameter settings, they are used to construct the filter query in the Query Expression area. You can also edit the filter query directly as described in the following step.
- If you are creating the filter by directly entering text into the Query Expression area, use the following syntax for that query text.
- You express elements of the filter query as key value pairs, separated by a colon, such as profile_name:"MyCurrentProfile".
- You can use the following operators within a filter query.

Operator | Usage Example |
---|---|
AND | This:p1 AND bar:(A AND B AND "another value") |
AND NOT | AND NOT qux:error |
OR | name:"this is a name" OR bar:(A OR B OR C) |
OR NOT | OR NOT qux:error |
* | support_id:*123*. This operator can only be used for text fields. |

- You must enclose values with spaces in quotation marks, such as key:"two words".
- You can query any field for more than one value by enclosing the values in parentheses, such as key:(a b "two words"). In this case, the default operator is OR.
- Only pre-defined values are allowed for fields with a type of multi-value. These values are listed in the Query Parameters area, in the list next to the relevant field.
- Values with a type of date accept valid date formats, such as 'Oct 30, 2017 00:00:00'.
- Values of the date range type accept input in the format [min_date...max_date], such as '[Oct 30, 2017 00:00:00...Oct 30, 2017 06:00:00]'. The date range might also contain only a minimum without a maximum, or the reverse, such as '[Oct 30, 2017 00:00:00...]' or '[...Oct 30, 2017 00:00:00]'.
- Values of the numeric range type accept input in the format [min...max], such as '[1...100]'. The numeric range might also contain only a minimum without a maximum, or the reverse, such as '[1...]' or '[...100]'.
- You must include the full path to the policy in a policy name, such as /Common/MyPolicy.
- You can enter fields in the Query Expression area that are not shown in the Query Parameters area by discovering them in the user interface.
- Click the event row to show the event details in the lower part of the screen.
- Hover over a label name in that area to see the field name to use in the query expression. For example, hovering over Signature Name in the lower screen shows that the matching field is sig_name.
- Save your work.
Monitoring DoS Events
Configure viewing of DoS events
Before you configure monitoring of DoS events, you need to ensure that the DoS Protection service is running on the DCD. Verify this by reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices screen. Click . If the DoS Protection service is not running, click Activate to start it. If you deactivate the DoS Protection service for a DCD, or remove a DCD with that service enabled, the associated pool member will be removed from the pool when you next deploy to the BIG-IP device (or devices). The pool dos-remote-logging-pool_<big-ipname> (where big-ipname is the name of the BIG-IP device) contains the pool member for that BIG-IP device.
You configure the collection and viewing of DoS events so that you can better view and monitor information about your DoS protection. The BIG-IQ Centralized Management system provides a single-button configuration process that creates and configures the needed configuration objects. The system creates the following configuration objects, if needed:
- One or more logging profiles
- A log publisher
- A log destination
- A pool for each device
- Pool members
- A pool monitor
The configuration objects are shared among the Shared Security virtual servers that were selected. The objects that are created should not be modified. Modifying these objects could affect the ability of the BIG-IP devices to send DoS events to the DCD.
- Click.
- In the list, select the check box to the left of the one or more virtual servers to use.
- Click Configure DoS Logging. The DoS Logging Configuration dialog box opens.
- In the dialog box, click Continue. The dialog box shows the configuration status, including which objects were created.
- Click Close.
- Use the Deployment screens to deploy the BIG-IP device associated with the virtual server using the Local Traffic service, following these steps.
- Click.
- In the Deployments area, click Create.
- Specify a Name and Description, and select the appropriate deployment options.
- In the Target Device(s) area, select the device used by the application and click Create.
The deployment causes some of the objects created by the DoS logging configuration process to be deployed to the device.
- Deploy the same BIG-IP device using either the Network Security or Web Application Security service, following these steps. You can use either service since both include the Shared Security objects.
- Click or .
- In the Deployments area, click Create.
- Specify a Name and Description, and select the appropriate deployment options.
- In the Target Device(s) area, select the device used by the application and click Create.
The deployment causes the rest of the objects created by the DoS logging configuration process to be deployed to the device.
You can now receive DoS events from the BIG-IP devices associated with the virtual servers and view them on the screens.
Configure viewing of device DoS events
Before you configure monitoring of device DoS events, you need to ensure that the DoS Protection service is running on the DCD. Verify this by reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices screen. Click . If the DoS Protection service is not running, click Activate to start it. If you deactivate the DoS Protection service for a DCD, or remove a DCD with that service enabled, the associated pool member will be removed from the pool when you next deploy to the BIG-IP device (or devices). The pool dos-remote-logging-pool_<big-ipname> (where big-ipname is the name of the BIG-IP device) contains the pool member for that BIG-IP device.
You configure the collection and viewing of device DoS events so that you can better view and monitor information about your DoS protection. The BIG-IQ Centralized Management system provides a single-button configuration process that creates and configures the needed configuration objects. The system creates the following configuration objects, if needed:
- One or more logging profiles
- A log publisher
- A log destination
- A pool for each device
- Pool members
- A pool monitor
The objects that are created are shared among these device DoS configurations and should not be modified. Modifying these objects could affect the ability of the BIG-IP devices to send device DoS events to the DCD.
- Click.
- In the list, select the check box to the left of the one or more device DoS configurations to use. The device DoS configuration has the same name as the BIG-IP device.
- Click Configure DoS Logging. The DoS Logging Configuration dialog box opens.
- In the dialog box, click Continue. The dialog box shows the configuration status, including which objects were created.
- Click Close.
- Use the Deployment screens to deploy the BIG-IP device associated with the virtual server using the Local Traffic service, following these steps.
- Click.
- In the Deployments area, click Create.
- Specify a Name and Description, and select the appropriate deployment options.
- In the Target Device(s) area, select the device used by the application and click Create.
The deployment causes some of the objects created by the Device DoS logging configuration process to be deployed to the device.
- Deploy the same BIG-IP device using either the Network Security or Web Application Security service, following these steps. You can use either service since both include the Shared Security objects.
- Click or .
- In the Deployments area, click Create.
- Specify a Name and Description, and select the appropriate deployment options.
- In the Target Device(s) area, select the device used by the application and click Create.
The deployment causes the rest of the objects created by the Device DoS logging configuration process to be deployed to the device.
You can now receive device DoS events from the BIG-IP devices and view them on the screens.
Configure viewing of DoS events for applications
Before you configure monitoring of DoS events
for applications, you need to ensure that the following conditions are in place:
- A DoS profile and logging profile are associated with the application template used to create the application. Verify this by reviewing the Shared Security area on the Edit Template screen. Click , click the name of the application template, then click SECURITY POLICIES, and review the Shared Security area to see the DoS profile and logging profile assigned to the template. If the profiles are selected in the Standalone Device row, this indicates that they are used with a standalone BIG-IP device. If they are selected in the Load Balancer or VE devices row, this indicates that they are used with a BIG-IP device in a service scaling group (SSG).
- The DoS Protection service is running on the DCD. Verify this by reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices screen. Click .
You configure the BIG-IQ system so that you can monitor DoS events for applications, and so monitor the DoS protection on your application.
- Click.
- Select the check box to the left of the virtual server that is being used by the application.
- Click Configure DoS Logging. The DoS Logging Configuration dialog box opens.
- In the dialog box, click Continue. The dialog box shows the configuration status, including which objects were created.
- Click Close.
- Use the Deployment screens to deploy the BIG-IP device associated with the virtual server using the Local Traffic service, following these steps.
- Click.
- In the Deployments area, click Create.
- Specify a Name and Description, and select the appropriate deployment options.
- In the Target Device(s) area, select the device used by the application and click Create.
The deployment causes all the objects created by the DoS logging configuration process to be deployed to the device.
- Deploy the same BIG-IP device using either the Network Security or Web Application Security service, following these steps. You can use either service since both include the Shared Security service that contains logging profiles.
- Click or .
- In the Deployments area, click Create.
- Specify a Name and Description, and select the appropriate deployment options.
- In the Target Device(s) area, select the device used by the application and click Create.
This deployment causes the logging profile associated with the application to be deployed.
You can now receive DoS events from the BIG-IP devices associated with the application and virtual server, and view them on the screens.
View DoS events
You need to configure the logging of DoS or device DoS events before you can view them.
You view DoS events to better track the DoS and device DoS events that occur on your BIG-IP devices.
- Click. The navigation area expands to show the different types of DoS events available.
- Specify the type of information you want to see:
- To see a specific kind of DoS event, click that event type, such as Application Events.
- To see all DoS attack events in a tabular format, click All DoS Attack Events.
- To see a summary of all DoS attack events in a graphical format, click DoS Summary.
- Review the information on the screen.
- To view additional details about an event:
- Click the row for the event to see event details listed in the lower pane. You can navigate to events below or above the selected event by clicking the arrows.
- Click any blue links shown in the upper or lower panes to see more details about the linked object.
- In the detailed information for values that change over time, current, minimum, maximum, and last values may be shown. For example, the severity of an attack type might currently be 3, with a minimum of 2 and a maximum of 3 during the time period. After the attack is over, the last value might be 2. Current values are labeled as Curr, minimum values as Min, maximum values as Max, and last values as Last.
- On the DoS Attacks Summary screen, click the number for an attack in the Attack ID column to see additional tabular and graphical details about that attack, such as the attack type, the mitigation used, and so on.
- To focus on a reduced number of events:
- Select a device name from the list at the upper left to view events from only that single BIG-IP device. By default this is set to All Devices.
- In the Filter field in the upper right, type a text string to filter the events. You can create or use advanced filters by clicking the filter icon to the left of the Filter field.
- To change how often the event list is refreshed, select a value in the setting in the upper left.
Create filters for DoS events
You create DoS event filters so you can save the custom filters you use to search for events and not have to recreate them each time.
- Click.
- Click Add.
- Type a unique Filter Name.
- Create the filter using the Query Parameters area or by entering the query directly into the Query Expression area. In most cases, you should create the filter query using the Query Parameters area and only edit it directly if you need to refine it further.
- If you are creating the filter using the Query Parameters area, supply those parameter settings that you want to be part of the filter. Note that as you enter parameter settings, they are used to construct the filter query in the Query Expression area. You can also edit the filter query directly as described in the following step.
- If you are creating the filter by directly entering text into the Query Expression area, use the following syntax for that query text.
- You express elements of the filter query as key value pairs, separated by a colon, such as profile_name:"MyCurrentProfile".
- You can use the following operators within a filter query.

Operator | Usage Example |
---|---|
AND | This:p1 AND bar:(A AND B AND "another value") |
AND NOT | AND NOT qux:error |
OR | name:"this is a name" OR bar:(A OR B OR C) |
OR NOT | OR NOT qux:error |
* | support_id:*123*. This operator can only be used for text fields. |

- You must enclose values with spaces in quotation marks, such as key:"two words".
- You can query any field for more than one value by enclosing the values in parentheses, such as key:(a b "two words"). In this case, the default operator is OR.
- Only pre-defined values are allowed for fields with a type of multi-value. These values are listed in the Query Parameters area, in the list next to the relevant field.
- Values with a type of date accept valid date formats, such as 'Oct 30, 2017 00:00:00'.
- Values of the date range type accept input in the format [min_date...max_date], such as '[Oct 30, 2017 00:00:00...Oct 30, 2017 06:00:00]'. The date range might also contain only a minimum without a maximum, or the reverse, such as '[Oct 30, 2017 00:00:00...]' or '[...Oct 30, 2017 00:00:00]'.
- Values of the numeric range type accept input in the format [min...max], such as '[1...100]'. The numeric range might also contain only a minimum without a maximum, or the reverse, such as '[1...]' or '[...100]'.
- You must include the full path to the policy in a policy name, such as /Common/MyPolicy.
- You can enter fields in the Query Expression area that are not shown in the Query Parameters area by discovering them in the user interface.
- Click the event row to show the event details in the lower part of the screen.
- Hover over a label name in that area to see the field name to use in the query expression. For example, hovering over Signature Name in the lower screen shows that the matching field is sig_name.
- Save your work.
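As an added example (not BIG-IQ code), the query syntax described above, which is the same syntax the page gives for Network Security event filters, as a small parser and evaluator run over constructed events. It assumes example field names (profile_name, sig_name, support_id, severity, date_time, policy_name) and evaluates AND/OR strictly left to right, since the page states no precedence rule.

```python
import re
from datetime import datetime

DATE_FMT = "%b %d, %Y %H:%M:%S"   # the page's date form: 'Oct 30, 2017 00:00:00'
TOKEN_RE = re.compile(r"""\s*(?:(?P<LP>\()|(?P<RP>\))|(?P<q>"[^"]*"|'[^']*')
    |(?P<VAL>\[[^\]]*\])|(?P<w>[^\s()"'\[\]:]+)(?P<k>:)?)""", re.VERBOSE)

def tokenize(text):
    """Tokens are (kind, text) with kind KEY, VAL, OP, LP or RP; quotes are stripped."""
    pos, out = 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:                       # only whitespace (or junk) remains
            if text[pos:].strip():
                raise ValueError("bad token at %d: %r" % (pos, text[pos:]))
            break
        pos, name, tok = m.end(), m.lastgroup, m.group(m.lastgroup)
        if name == "k":                     # a word followed by ':' is a field name
            out.append(("KEY", m.group("w")))
        elif name == "w":
            out.append(("OP" if tok in ("AND", "OR", "NOT") else "VAL", tok))
        else:                               # quoted value, [min...max] range, '(' or ')'
            out.append(("VAL", tok[1:-1]) if name == "q" else (name, tok))
    return out

def _peek(toks):
    return toks[0] if toks else (None, None)

def _take(toks, kind=None):
    if kind and _peek(toks)[0] != kind:
        raise ValueError("expected %s, got %r" % (kind, _peek(toks)))
    return toks.pop(0)

def parse_expr(toks):
    """term ((AND|OR) [NOT] term)*, applied left to right (assumption: the page states no precedence)."""
    left = parse_term(toks)
    while _peek(toks) in (("OP", "AND"), ("OP", "OR")):
        op, negate = _take(toks)[1].lower(), _peek(toks) == ("OP", "NOT")
        if negate:
            _take(toks)
        right = parse_term(toks)
        left = (op, left, ("not", right) if negate else right)
    return left

def parse_term(toks):
    """KEY VAL, or KEY '(' VAL ((AND|OR)? VAL)* ')' where the default operator is OR."""
    key = _take(toks, "KEY")[1]
    if _peek(toks)[0] != "LP":
        return ("match", key, _take(toks, "VAL")[1])
    _take(toks)
    node = ("match", key, _take(toks, "VAL")[1])
    while _peek(toks)[0] in ("OP", "VAL"):
        op = _take(toks)[1].lower() if _peek(toks)[0] == "OP" else "or"
        if op == "not":
            raise ValueError("NOT is not allowed inside a value list")
        node = (op, node, ("match", key, _take(toks, "VAL")[1]))
    _take(toks, "RP")
    return node

def _literal(text, like):
    """Read a query literal in the type of the event field it is compared with (assumption)."""
    if isinstance(like, datetime):
        return datetime.strptime(text, DATE_FMT)
    return type(like)(text) if isinstance(like, (int, float)) else text

def match(key, lit, event):
    actual = event.get(key)
    if actual is None:
        return False
    if lit.startswith("[") and lit.endswith("]"):          # [min...max]; either bound may be empty
        lo, hi = lit[1:-1].split("...")
        return (not lo or _literal(lo, actual) <= actual) and (not hi or actual <= _literal(hi, actual))
    if "*" in lit:                                          # wildcard: text fields only, as the page says
        if not isinstance(actual, str):
            raise ValueError("'*' is only valid for text fields: %s" % key)
        return re.fullmatch(re.escape(lit).replace(r"\*", ".*"), actual) is not None
    return actual == _literal(lit, actual)

def evaluate(node, event):
    if node[0] == "match":
        return match(node[1], node[2], event)
    if node[0] == "not":
        return not evaluate(node[1], event)
    left, right = evaluate(node[1], event), evaluate(node[2], event)
    return (left and right) if node[0] == "and" else (left or right)

def filter_events(query, events):
    toks = tokenize(query)
    tree = parse_expr(toks)
    if toks:
        raise ValueError("trailing tokens: %r" % toks)
    return [e for e in events if evaluate(tree, e)]

# Constructed sample events (not real BIG-IQ data) using field names the page mentions.
SAMPLE_EVENTS = [
    {"profile_name": "MyCurrentProfile", "sig_name": "SQL-INJ", "support_id": "9991231234", "severity": 3, "date_time": datetime(2017, 10, 30, 1, 0, 0), "policy_name": "/Common/MyPolicy"},
    {"profile_name": "Other", "sig_name": "XSS", "support_id": "555", "severity": 1, "date_time": datetime(2017, 10, 30, 7, 0, 0), "policy_name": "/Common/Other"},
    {"profile_name": "MyCurrentProfile", "sig_name": "XSS", "support_id": "1230", "severity": 2, "date_time": datetime(2017, 10, 29, 23, 0, 0), "policy_name": "/Common/MyPolicy"},
]
```

For instance, filter_events("severity:'[2...]' AND NOT sig_name:XSS", SAMPLE_EVENTS) returns only the first sample event.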
Managing Firewall Rule Reports
About firewall rule reports
You can generate different types of firewall rule reports for selected BIG-IP® devices in either CSV or HTML format. These reports capture information similar to that gathered using the firewall rule monitoring. The types of reports you can generate include:
- Stale Rule Report. Creates a report on firewall rules that are not being used on the BIG-IP device.
- Overlap Status Stats Report. Creates a report on firewall rules that are overlapping on the BIG-IP device.
- Compilation Status Report. Creates a report on the compilation of firewall rules on the BIG-IP device.
Creating firewall rule reports
You create firewall rule reports to capture statistics about firewall rules in a report format.
- Navigate to the Firewall Rule Reports screen: Click.
- Click Create. The New Firewall Rule Report screen opens.
- Type a name for the report in the Name field.
- Type an optional description for the report in the Description field.
- Select a report type from those listed in the Report Type field. You can generate these types of reports:
- Stale Rule Report
- Overlap Status Stats Report
- Compilation Status Stats Report
When the Stale Rule Report report type is selected, the screen displays the Stale Rule Criteria property; otherwise that property is not displayed.
- If you select Stale Rule Report, you can refine the report using the options listed in the Stale Rule Criteria setting:
- To specify that the report should include only rules with a hit count less than the number specified, select Rules with count less than and specify a number in the provided field.
- To specify that the report should include only rules that have not been hit since the date specified, select Rules that haven't been hit since and specify a date in the provided field.
- From the Available Devices setting, select the BIG-IP devices or device group to use for the report:
- Select Group and select a group of BIG-IP devices from the list.
- Select Device and select individual BIG-IP devices by moving them from the Available list to the Selected list.
- Save the report:
- Select Save to save the report. The system displays the Firewall Rule Reports page for that one report, and generates the report data.
- Select Save & Close to save the report. The system displays the Firewall Rule Reports page that lists all reports, and generates the report data.
- Select the format for the report:
- Select CSV Report to have the report formatted as a CSV file.
- Select HTML Report to have the report formatted as an HTML file. The HTML file is displayed in the Web browser when complete.
You can save or print these reports.
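As an added example (not BIG-IQ code), the Stale Rule Criteria above applied to constructed rows shaped like the Firewall Rule Statistics columns, rendered in the CSV form of the report. It assumes that either or both criteria may be set, and that a rule with no last hit time counts as stale under the date criterion.

```python
import csv
import io
from datetime import datetime

# Constructed rows shaped like the Firewall Rule Statistics columns (not real device data).
# last_hit_time is None for a rule that has never matched traffic.
RULE_STATS = [
    {"rule_name": "allow-https", "rule_list_name": "", "hit_count": 48211, "last_hit_time": datetime(2018, 6, 1, 9, 30)},
    {"rule_name": "allow-legacy-ftp", "rule_list_name": "", "hit_count": 3, "last_hit_time": datetime(2017, 11, 2, 14, 5)},
    {"rule_name": "mgmt-ssh", "rule_list_name": "mgmt-rules", "hit_count": 120, "last_hit_time": datetime(2018, 5, 28, 8, 0)},
    {"rule_name": "mgmt-telnet", "rule_list_name": "mgmt-rules", "hit_count": 0, "last_hit_time": None},
]
STALE_SINCE = datetime(2018, 1, 1)   # constructed cutoff for the sample run below

def stale_rules(rows, count_less_than=None, not_hit_since=None):
    """Apply the Stale Rule Criteria: report a rule whose hit count is below the threshold,
    or that has not been hit since the given date. Assumption: either or both criteria may
    be set, and a rule that was never hit (no last hit time) is stale under the date criterion."""
    stale = []
    for r in rows:
        by_count = count_less_than is not None and r["hit_count"] < count_less_than
        by_date = not_hit_since is not None and (
            r["last_hit_time"] is None or r["last_hit_time"] < not_hit_since)
        if by_count or by_date:
            stale.append(r)
    return stale

def stale_rule_report_csv(rows, **criteria):
    """Render the stale rules as CSV, one of the two report formats the page lists."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Rule Name", "Rule List Name", "Hit Count", "Last Hit Time"])
    for r in stale_rules(rows, **criteria):
        last = r["last_hit_time"].strftime("%b %d, %Y %H:%M:%S") if r["last_hit_time"] else "never"
        writer.writerow([r["rule_name"], r["rule_list_name"], r["hit_count"], last])
    return buf.getvalue()

if __name__ == "__main__":
    print(stale_rule_report_csv(RULE_STATS, count_less_than=10, not_hit_since=STALE_SINCE))
```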
Deleting firewall rule reports
You can delete firewall rule reports that are no longer needed.
- Go to the Firewall Rule Reports screen: Click.
- Select one or more reports to delete, and click Delete. The reports are deleted from the list on the Firewall Rule Reports screen.
Managing Firewall Packet Trace Reports
About firewall packet trace reports
You can create and view packet trace reports to visually review your firewall settings. You can click the graphics in the trace report to see detailed results of the packet trace for each firewall component.
Create firewall packet trace reports
You create packet trace reports to trace and review your network security firewall settings.
- Click.
- Click Create. The Packet Parameters screen opens.
- Enter or modify the parameters.
- In the Name setting, type a name for the packet trace.
- In the Protocol setting, select the protocol for the packet you want to trace. The other configuration settings change based on the protocol you select.
- In the TCP Flags setting, select one or more flags to set in the packet trace. This setting is used only when the TCP protocol is selected.
- In the Source IP Address setting, type the IP address to identify as the packet source.
- In the Source Port setting, type the port to identify as the packet source. This does not apply to ICMP packets.
- In the TTL setting, type the TTL (Time to Live) for the traced packet, in seconds.
- In the Destination IP Address setting, type the IP address to which you want to send the packet for the packet trace.
- In the Destination Port setting, type the port to which you want to send the packet for the packet trace. This does not apply to ICMP packets.
- In the Use Staged Policy setting, select whether to use a staged policy, if one exists, for the packet.
- In the Trigger Log setting, select whether to write a log message based on the packet from the packet trace, if it would be logged by the system.
- In the Devices area, select the BIG-IP devices and source VLANs to be traced.
- Click Add. The Devices dialog box is displayed.
- In the Devices dialog box, select the BIG-IP devices to use by moving them from the Available to the Selected list.
- Click Add to finalize the list and close the dialog box.
- In the Source VLAN column, select the one or more VLANs to use for each device in the list. If Apply these VLANs to all Devices is selected, the VLANs selected for the first device in the list are applied to all other devices in the list. Do not select this option if you want to select different VLANs for each device.
- Click Run Trace. The packet is traced and the results are displayed on the screen.
- In the Trace Results area, review the trace diagram created by running the trace.
- Review the colors of the graphics for each network security component.
- Green graphics indicate rules that were evaluated and allowed the traffic to pass, including whitelist matches and Allow firewall, DoS, and IP intelligence matches.
- Red graphics indicate packets that were evaluated and dropped, or that matched firewall or IP intelligence rules.
- Gray graphics indicate packets that did not match a rule of the type indicated.
- Click each graphic to see detailed results of the packet trace for that component.
- To copy this packet trace, clickClone.
- To compare this packet trace to one or more other packet traces, clickCompareand then select the packet traces to which it should be compared.
The packet trace has been run and reviewed.
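The procedure above describes what a packet trace does without showing the evaluation it performs. The following is an added example, not BIG-IQ or AFM code: a small Python model that walks a constructed packet through an ordered policy of rules and rule lists, numbers rules the way the Active Policy table does (rule-list members as N.1, N.2, ...), honours the Use Staged Policy and Trigger Log choices, and reports the colour the trace diagram would show. The packet, rule and policy shapes, the rule names and the addresses are assumptions made for the example.

```python
# Added example (not BIG-IQ or AFM code): a toy model of a firewall packet
# trace. A constructed packet is walked through an ordered policy of rules and
# rule lists; the result records the verdict, the matching rule number, every
# rule number evaluated, the colour the trace diagram would use and whether a
# log line would have been written. All shapes here are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    protocol: str                       # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None      # ports are not used for icmp
    dst_port: Optional[int] = None
    tcp_flags: frozenset = frozenset()  # e.g. {"SYN"}; only meaningful for tcp


@dataclass
class Rule:
    name: str
    action: str                         # "accept", "drop" or "reject"
    protocol: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_ports: tuple = ()               # empty means any port
    tcp_flags: frozenset = frozenset()  # flags the packet must carry; empty means any
    log: bool = False                   # whether a match on this rule is logged

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        if ip_address(pkt.src_ip) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst_ip) not in ip_network(self.dst):
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        if self.tcp_flags and not self.tcp_flags <= pkt.tcp_flags:
            return False
        return True


@dataclass
class RuleList:
    name: str
    rules: list


@dataclass
class Policy:
    name: str
    items: list                         # Rule or RuleList objects, in evaluation order


def numbered_rules(policy: Policy):
    """Yield (number, rule) in evaluation order; members of a rule list at
    position N are numbered N.1, N.2, ... as in the Active Policy table."""
    for i, item in enumerate(policy.items, start=1):
        if isinstance(item, RuleList):
            for j, rule in enumerate(item.rules, start=1):
                yield f"{i}.{j}", rule
        else:
            yield str(i), item


def trace(pkt: Packet, enforced: Policy, staged: Optional[Policy] = None,
          use_staged: bool = False, trigger_log: bool = False) -> dict:
    """Evaluate pkt against the enforced policy, or the staged one when asked
    for and present, stopping at the first matching rule."""
    policy = staged if (use_staged and staged is not None) else enforced
    evaluated = []
    for number, rule in numbered_rules(policy):
        evaluated.append(number)
        if rule.matches(pkt):
            log = None
            if trigger_log and rule.log:   # Trigger Log: only if the rule would log
                log = (f"{policy.name} rule {number} ({rule.name}) {rule.action} "
                       f"{pkt.protocol} {pkt.src_ip}:{pkt.src_port} -> "
                       f"{pkt.dst_ip}:{pkt.dst_port}")
            return {"policy": policy.name, "verdict": rule.action, "rule": number,
                    "evaluated": evaluated,
                    "colour": "green" if rule.action == "accept" else "red",
                    "log": log}
    # No rule matched: the firewall component is drawn gray in the diagram.
    return {"policy": policy.name, "verdict": "no-match", "rule": None,
            "evaluated": evaluated, "colour": "gray", "log": None}


def compare(a: dict, b: dict) -> dict:
    """Like the Compare button: the fields on which two trace results differ."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


# Constructed policies: an enforced policy holding a rule list, and a staged
# copy that appends a catch-all drop rule which is not yet enforced.
ENFORCED = Policy("enforced", [
    RuleList("admin-access", [
        Rule("allow-ssh-from-mgmt", "accept", "tcp", src="10.0.0.0/8",
             dst_ports=(22,), log=True),
        Rule("drop-ssh", "drop", "tcp", dst_ports=(22,), log=True),
    ]),
    Rule("allow-https-syn", "accept", "tcp", dst="192.0.2.10/32",
         dst_ports=(443,), tcp_flags=frozenset({"SYN"})),
])
STAGED = Policy("staged", ENFORCED.items + [Rule("drop-all", "drop", log=True)])
```

Running the same packet once against ENFORCED and once with use_staged=True, then passing both results to compare(), is the offline equivalent of the Use Staged Policy setting plus the Compare button: it shows which verdict, rule number and colour would change once the staged policy is enforced, before any traffic is affected.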
Managing Firewall Packet Flow Reports
About firewall packet flow reports
You create and review packet flow reports to inspect the currently active packet flows on BIG-IP devices. You can use these reports to determine if a packet flow meeting certain parameters is active on the BIG-IP devices. You can combine using the packet flow reports with packet trace reports to see if a BIG-IP device may be blocking certain flows at a firewall.
You can also review prior packet flow reports. The BIG-IQ Centralized Management Packet Flows feature is similar to the Flow Inspector feature in the Advanced Firewall Manager (AFM) on the BIG-IP device.
Create packet flow reports
You create a packet flow report to identify
what flows are currently active on BIG-IP devices that match the given parameters. You
specify the parameters and the BIG-IP devices that the BIG-IQ Centralized Management
system examines to generate the report.
- Click.
- Click Create.
- In the Flow Parameters area, enter the packet flow parameters.
- Type a Name for the packet flow report.
- Specify the Protocol for the flows. Select All to view all protocols, or select Specify and specify a protocol to view only flows using that protocol.
- Specify the Source IP Address for the flows. The default is Any, which matches any source IP address rather than a specific one.
- Specify the Source Port for the flows. By default, an asterisk (*) is shown, indicating that all ports are selected. If the selected protocol is ICMP, this setting is not used.
- Specify the Destination IP Address for the flows. The default is Any, which matches any destination IP address rather than a specific one.
- Specify the Destination Port for the flows. By default, an asterisk (*) is shown, indicating that all ports are selected. If the selected protocol is ICMP, this setting is not used.
- In the Visible Flow Count setting, specify the maximum number of flows on which to report.
- In the Select Devices area, select the BIG-IP devices on which to inspect the packet flows by moving them from the Available list to the Selected list.
- Click Get Flows to generate the packet flow report for the specified parameters. The screen is updated to show the generated packet flow report. You can expand the Flow Parameters area to show the parameters used to create the list of packet flows. The Flow Table area shows the list of packet flows.
- In the Flow Table area, you can display additional information about a selected packet flow.
- To review details about a packet flow and any packet trace history for that flow, click the row for that packet flow. The detailed information for that packet flow is displayed in the lower pane on the screen. Click a link in the packet trace history to see details of that packet trace.
- To create a packet trace of a packet flow, click the row for that packet flow and click Create Packet Trace. A new packet trace is created, pre-filled with the parameters of the selected packet flow.
To manage which packet flows are shown, you can:
- Click Expand All to expand all flows that are collapsed under their device name.
- Click Collapse All to collapse all packet flows under their device name.
- Use the Filter field to display only those packet flows matching the filter. Any value displayed can be used in the filter field, including an IPv4 subnet.
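The flow report parameters above have several special values (All, Any, the asterisk, ports ignored for ICMP, the Visible Flow Count cap, a subnet in the Filter field) whose combined effect is easier to see in code. The following is an added example, not BIG-IQ or AFM code: a Python model that applies those semantics to a constructed list of active flows, groups the result by device as the collapsed view does, and derives the packet trace parameters that Create Packet Trace pre-fills from a selected flow. The Flow record layout, device names and addresses are assumptions made for the example.

```python
# Added example (not BIG-IQ or AFM code): a toy model of a packet flow report.
# The flow records are constructed; the matching follows the screen's
# semantics: Protocol All or a specific protocol, Any for addresses, * for
# ports, ports ignored for ICMP, a Visible Flow Count cap, and a free-text
# Filter field that also understands an IPv4 subnet.
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Flow(NamedTuple):              # record layout is an assumption
    device: str
    protocol: str
    src_ip: str
    src_port: Optional[int]          # None for icmp
    dst_ip: str
    dst_port: Optional[int]          # None for icmp
    state: str


# Constructed sample of the active flows two devices might report.
FLOWS = [
    Flow("bigip-a", "tcp", "198.51.100.7", 51000, "192.0.2.10", 443, "established"),
    Flow("bigip-a", "tcp", "198.51.100.7", 51001, "192.0.2.10", 22, "syn-sent"),
    Flow("bigip-a", "udp", "10.1.2.3", 40000, "192.0.2.53", 53, "active"),
    Flow("bigip-b", "icmp", "203.0.113.9", None, "192.0.2.10", None, "active"),
    Flow("bigip-b", "tcp", "203.0.113.9", 52000, "192.0.2.10", 443, "established"),
]


def _port_matches(wanted, actual, protocol: str) -> bool:
    """* selects every port; the port settings are not used at all for ICMP."""
    if protocol == "icmp":
        return True
    return str(wanted) == "*" or actual == int(wanted)


def flow_report(flows, devices, protocol="all", src_ip="any", src_port="*",
                dst_ip="any", dst_port="*", visible_flow_count=100) -> list:
    """Return the active flows on the selected devices that match the
    parameters, capped at visible_flow_count."""
    report = []
    for f in flows:
        if f.device not in devices:
            continue
        if protocol != "all" and f.protocol != protocol:
            continue
        if src_ip != "any" and f.src_ip != src_ip:
            continue
        if dst_ip != "any" and f.dst_ip != dst_ip:
            continue
        if not _port_matches(src_port, f.src_port, f.protocol):
            continue
        if not _port_matches(dst_port, f.dst_port, f.protocol):
            continue
        report.append(f)
        if len(report) >= visible_flow_count:
            break
    return report


def filter_flows(flows, text: str) -> list:
    """Free-text Filter field: keep flows in which any displayed value contains
    the text; if the text is an IPv4 subnet, also keep flows whose source or
    destination address lies inside it."""
    subnet = None
    if "/" in text:
        try:
            subnet = ip_network(text, strict=False)
        except ValueError:
            subnet = None
    kept = []
    for f in flows:
        shown = [str(v) for v in f if v is not None]
        if any(text in v for v in shown):
            kept.append(f)
        elif subnet is not None and any(ip_address(a) in subnet for a in (f.src_ip, f.dst_ip)):
            kept.append(f)
    return kept


def group_by_device(flows) -> dict:
    """The collapsed view: device name -> that device's flows."""
    groups = {}
    for f in flows:
        groups.setdefault(f.device, []).append(f)
    return groups


def packet_trace_parameters(f: Flow) -> dict:
    """What Create Packet Trace pre-fills from a selected flow, so the same
    5-tuple can then be walked through the firewall policy."""
    return {"protocol": f.protocol, "src_ip": f.src_ip, "src_port": f.src_port,
            "dst_ip": f.dst_ip, "dst_port": f.dst_port}
```

Note the cap: visible_flow_count stops the report after the first N matching flows in device order, so a small cap with several devices can hide every flow from the later devices. When you are checking whether a suspicious flow exists, narrow the other parameters first rather than relying on the cap.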
Viewing Web Application Security Event Logs
About event log viewing
You can view Web Application Security event logs to review applications and server
activities. BIG-IQ® Centralized Management enables a single view of all
filters and log entries (and details for each entry) from multiple BIG-IP® devices.
You use tags and filters to select which events to view.
- Filters allow you to select the events to view by constructing a query that the events must match.
- You can assign tags to events to label them, so that you can use that label in queries.
Before you can view events, event logging must be configured as follows.
- Discover and activate a BIG-IQ Data Collection Device.
- Configure a BIG-IP device to collect event logs and send them to the BIG-IQ Centralized Management Data Collection Device. Part of this configuration includes a virtual server configured with a logging profile.
- Configure a logging profile for Web Application Security, assign it to a virtual server, and deploy it to the BIG-IP device that has been configured to collect log events. A logging profile determines which events the system logs, where it sends them, and the format of those events. It directs security events to a BIG-IQ Data Collection Device, and the BIG-IQ Centralized Management system retrieves them from that node.
View event logs and define filters and
tags
You can review Web Application Security
events on applications and servers from one or more BIG-IP
devices. By default, the events are filtered to show only illegal requests. You can use
the Web Application Security Event Logs screen to define tags and filters to help you
find meaningful events.
- Click.
- To create and apply tags to events, select the events using the check box to the left, and click Tags above the event list. A dialog box opens.
- To create a tag, type the tag name in the provided field and click +.
- To apply a tag to the selected events, select the check box to the left of the tag and click Apply.
- To create filters, click the filter icon to the left of the Filter field in the upper right of the screen. In the dialog box that opens, click Create. The New Filter dialog box opens.
- In the Filter Name setting, enter a name.
- In the Query Parameters area, supply the parameter settings you want to be part of the filter. As you enter parameter settings, they are used to construct the filter query in the Query Expression area.
- Save your work. The new filter is listed on the Filters screen.
- To export selected events as a CSV file, select the events using the check box to the left, and click Export.
- To display only events that contain a specified string, type that string in the Filter field in the upper right of the screen.
- To see details of an event log entry, click in the event entry row. A screen on the right opens and shows details of the event.
- In the details screen, you can specify the kind of information to see.
- You can specify compact or full information. At the top of the screen, click Compact for summary information, or click Full for complete information.
- You can specify either request or response information. Click Request for request information or Response for response information. Both kinds of information contain links in blue that you can click for more information.
Use event log filters
You use event log filters to refine your searches through the event logs, including searches through event logs from multiple BIG-IP devices.
- Click.
- To remove a filter, select the check box to the left of the filter and click Remove, then confirm the deletion in the dialog box that opens. The filter is removed from the Filters screen.
- To modify a filter, click the name of the filter. The filter properties screen opens.
- Review or revise the settings as needed.
- In the Query Expression area, review the current filter query, or type into the text box to modify it directly. In most cases, you will want to modify the query expression using the settings in the Query Parameters area, since that builds the query automatically and so reduces the chance of error. The query has the format method:'value' protocol:'value' severity:'value'. For example: method:'GET' protocol:'HTTPS' severity:'error'.
- In the Query Parameters area, supply the parameter settings you want to be part of the filter. As you enter parameter settings, they are used to construct the filter query in the Query Expression area.
- Save your work.
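The query expression format shown above, together with the tags, free-text Filter field and CSV export described under "View event logs and define filters and tags", can be exercised offline. The following is an added example, not BIG-IQ code: a Python evaluator that composes an expression from parameter settings the way the Query Parameters area does, parses an expression back into terms (rejecting malformed text instead of silently ignoring it, which is the error the page warns about when editing the expression by hand), applies it to constructed events, and layers tags and the free-text filter on top. The event field names, the tag:'name' query key, the request_status field used for the default illegal-requests-only view, and the CSV column layout are assumptions made for the example.

```python
# Added example (not BIG-IQ code): a toy evaluator for the Web Application
# Security event log filter format method:'GET' protocol:'HTTPS' severity:'error'.
# Event field names, the tag:'name' query key, the request_status field and
# the CSV layout are assumptions; the events are constructed for the example.
import csv
import io
import re

EVENTS = [
    {"id": 1, "method": "GET", "protocol": "HTTPS", "severity": "error",
     "request_status": "illegal", "uri": "/login", "client_ip": "203.0.113.9",
     "violation": "Illegal parameter value", "tags": []},
    {"id": 2, "method": "POST", "protocol": "HTTPS", "severity": "critical",
     "request_status": "illegal", "uri": "/api/user", "client_ip": "203.0.113.9",
     "violation": "Attack signature detected", "tags": []},
    {"id": 3, "method": "GET", "protocol": "HTTP", "severity": "informational",
     "request_status": "legal", "uri": "/", "client_ip": "198.51.100.7",
     "violation": "", "tags": []},
    {"id": 4, "method": "GET", "protocol": "HTTPS", "severity": "error",
     "request_status": "illegal", "uri": "/admin", "client_ip": "198.51.100.7",
     "violation": "Illegal URL", "tags": []},
]

# Assumed name for the default "illegal requests only" view.
DEFAULT_FILTER = "request_status:'illegal'"

TERM = re.compile(r"(\w+):'([^']*)'")   # one key:'value' term


def build_query(**params) -> str:
    """Compose the expression from parameter settings, as the Query
    Parameters area does; empty settings are left out."""
    return " ".join(f"{key}:'{value}'" for key, value in params.items() if value)


def parse_query(expr: str) -> dict:
    """Parse key:'value' terms into {key: [values]}. A key given more than
    once matches any of its values. Text that is not a well-formed term
    raises, so a hand-edited typo cannot silently widen the filter."""
    query, pos = {}, 0
    for m in TERM.finditer(expr):
        if expr[pos:m.start()].strip():
            raise ValueError(f"unparsed text in query: {expr[pos:m.start()].strip()!r}")
        query.setdefault(m.group(1).lower(), []).append(m.group(2))
        pos = m.end()
    if expr[pos:].strip():
        raise ValueError(f"unparsed text in query: {expr[pos:].strip()!r}")
    return query


def matches(event: dict, query: dict) -> bool:
    """Every key must match (AND); the values under one key are alternatives (OR)."""
    for key, values in query.items():
        wanted = {v.lower() for v in values}
        if key == "tag":
            if not wanted & {t.lower() for t in event.get("tags", [])}:
                return False
        elif str(event.get(key, "")).lower() not in wanted:
            return False
    return True


def filter_events(events, expr: str = "", text: str = "") -> list:
    """Apply a saved filter expression, then the free-text Filter field, which
    keeps events containing the string in any displayed field."""
    query = parse_query(expr) if expr.strip() else {}
    kept = [e for e in events if matches(e, query)]
    if text:
        needle = text.lower()
        kept = [e for e in kept
                if any(needle in str(v).lower() for k, v in e.items() if k != "tags")]
    return kept


def tag_events(events, ids, tag: str) -> int:
    """Apply a tag to the selected events (by id); returns how many were newly tagged."""
    count = 0
    for e in events:
        if e["id"] in ids and tag not in e["tags"]:
            e["tags"].append(tag)
            count += 1
    return count


def export_csv(events) -> str:
    """Export events as CSV, one row per event, tags joined with ';'."""
    columns = ["id", "method", "protocol", "severity", "request_status", "uri",
               "client_ip", "violation", "tags"]
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(columns)
    for e in events:
        writer.writerow([";".join(e["tags"]) if c == "tags" else e.get(c, "") for c in columns])
    return out.getvalue()
```

Two behaviours are worth noting when you build filters for incident review. Repeating a key (severity:'error' severity:'critical') widens the match for that key only, while adding a different key narrows it, so a filter that is meant to catch everything from one client must not also pin the method unless that is intended. And a typo such as method:GET without quotes is rejected here rather than dropped, which is the failure mode the page guards against by recommending the Query Parameters area over hand-editing the expression.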
View and delete event log tags
You can review the tags defined for
use with Web Application Security events and remove the tags.
- Click. The Tags screen shows the defined tags.
- To remove a tag, select the check box to the left of it and click Remove, then confirm the deletion in the dialog box that opens. The tag is removed from the Tags screen.
Viewing Brute Force Attack Events
View brute force attack events
You can view a summary of the brute force attack events for your
Web Application Security policies. The summary information includes the number of
login attempts, the anomaly attack type, which login page is being attacked, the
attack status, and when the mitigation began and ended.
- Click.
- Specify what information you want to see, and review the events.
- To see more details about a specific attack, click the row for that attack. A screen opens on the right giving additional information, such as the attack summary, mitigated IP addresses, mitigated device identifiers, mitigated user names, and known leaked credentials. As you review this information, you can click any blue links in the information for additional details.
- To display only those events that contain a specified string, type that string in the Filter field.
- To create named filters to filter the brute force attack events more precisely, click the filter icon to the left of the Filter field in the upper right of the screen. In the dialog box that opens, click Create.
Managing Security Reports
About security reporting
Reporting for BIG-IQ Network Security
You can use BIG-IQ Network Security Reporting to view reports for managed BIG-IP devices that are provisioned for Application Visibility and Reporting (AVR). Reports can be for a single BIG-IP device or can contain aggregated data for multiple BIG-IP devices (that are of the same BIG-IP device version).
Network Firewall, DoS and IP Intelligence reports can be created. Analytic reports provide detailed metrics about application performance such as transactions per second, server and client latency, request and response throughput, and sessions. Metrics are provided for applications, virtual servers, pool members, URLs, specific countries, and additional detailed statistics about application traffic running through one or more managed devices. You can view the analytics reports for a single device, view aggregated reports for a group of devices, and create custom lists to view analytics for only specified devices.
Reporting for BIG-IQ Web Application Security
You can use BIG-IQ Web Application Security Reporting to view reports for managed BIG-IP devices that are provisioned for Application Visibility and Reporting (AVR). As with AVR reporting on a single device, you can get visibility into application traffic passing through a single managed BIG-IP device or through an aggregated system (aggregated data for multiple BIG-IP devices).
You can generate reports and charts in the following areas:
- Application. You can view information about requests based on applications (iApps), virtual servers, security policies, attack types, violations, URLs, client IP addresses, IP address intelligence (reputation), client countries, severities, response codes, request types, methods, protocols, viruses detected, usernames, and session identification numbers.
- Anomalies. You can view charts of statistical information in graphs about anomaly attacks, such as brute force attacks and web scraping attacks. You can use these charts to evaluate traffic to the web application, and to evaluate the vulnerabilities in the security policy.
- DoS. If you have configured DoS protection on the BIG-IP system, you can view charts and reports that show information about DoS attacks and mitigations in place on the system.