Manual Chapter : Monitoring and Reporting for Network Security and Web Application Security Policies


Monitoring Active Firewall Policies

View active firewall policies

You use the Active Policy screen to view summary information about the firewall policies and rules that are currently active on BIG-IP devices.
  1. Click Monitoring > REPORTS > Security > Network Security > Active Firewall Policies.
  2. Review the firewall policies, including the BIG-IP devices on which each policy is active.
  3. To review the rules and rule lists in a policy, click the policy name.
    The screen displays the rules and rule lists in the policy.
  4. To edit a rule or rule list, click the name of the rule or rule list.

Active firewall policy rule properties

This table describes the rule properties shown for a firewall policy that is active on a BIG-IP device.
Column
Description
#
Specifies the evaluation order of the rule within the policy. Rules are evaluated from the lowest number to the highest. If a rule is contained within a rule list, it is numbered after the decimal point. For example, a policy with 3 rules, followed by a rule list containing 2 rules, followed by another rule outside of the rule list, is numbered 1, 2, 3, 4, 4.1, 4.2, 5. In the example, 4 represents the rule list, and 4.1 and 4.2 are the evaluation order of the rules within that rule list.
Rule Name
Specifies the name of the rule. This contains a reference to the rule list when the row contains a rule list. You can click the rule name for more information.
Rule List Name
Specifies the name of the rule list that contains one or more rules. This is blank when the row contains a rule.
UUID
Specifies the universally unique identifier (UUID) associated with the rule. You can use the UUID to search for a rule in a policy. UUIDs are assigned to rules on a BIG-IP device only if you enable this feature on that device.
Action
Specifies the action taken when the rule is matched, such as whether the matching traffic is accepted or rejected.
Protocol
Specifies the IP protocol that the rule compares against the packet.
Log
Specifies whether the firewall software should write a log entry for any packets that match this rule.
State
Specifies the activity state of the rule, such as whether it is enabled or disabled.

Monitoring Firewall Rules

About firewall rule monitoring

In BIG-IQ Centralized Management, you can monitor:
  • Firewall rule statistics, such as the number of times inbound network traffic matches a firewall rule on a BIG-IP device (also referred to as a firewall rule hit count) as well as the rule overlap status.
  • Firewall rule compilation statistics for a set of rules associated with a firewall context on a BIG-IP device.

Monitoring firewall rule statistics and hit counts

You can monitor firewall rule statistics and hit counts on one or more BIG-IP devices using Network Security monitoring.
Firewall rule statistics are collected for the rules in the enforced policy associated with a firewall, but not the rules in a staged policy.
If a virtual server, route domain or self IP is created using the BIG-IQ system, firewall statistics cannot be collected until the changes are deployed to the device and reimported.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Monitoring.
  4. Click Firewall Rule Statistics.
    The Firewall Rule Statistics screen opens and displays a list of firewall contexts, including their name, partition, type, and the BIG-IP device on which each occurs.
  5. Click the name of the firewall context to monitor.
    The Firewall Rule Statistics page for that firewall context opens. The following information is listed in the named columns for each firewall rule on the BIG-IP device:
    • Rule Name specifies the name of the rule used in the policy. If a rule is not listed, it is not running.
    • Rule List Name specifies the name of the rule list, if the rule is in a rule list.
    • Rule specifies the name of the rule within a rule list. If the rule is not in a rule list, this field is blank.
    • Overlap Status specifies whether the rule overlaps with another rule.
    • Hit Count specifies the number of times the rule has been matched.
    • Last Hit Time specifies when the rule was last matched.

Monitoring firewall rule compilation statistics

You can monitor rule compilation statistics on one or more BIG-IP devices using Network Security monitoring. This information is similar to what is displayed by the tmsh show security firewall container-stat command.
If a firewall context references a policy that is both staged and enforced, there will be two entries in the compilation statistics: one for the enforced policy and one for the staged policy.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Monitoring.
  4. Click Firewall Compilation Statistics.
    The Firewall Compilation Statistics screen opens and displays the list of BIG-IP devices managed by the BIG-IQ system, including their network name, IP address, and BIG-IP device version.
  5. Click the name of the BIG-IP device to monitor.
    The Firewall Compilation Statistics page for that BIG-IP device opens. Depending on the version of the BIG-IP device, the following information, or a subset of it, is listed in the named columns for the rules within each firewall context on the BIG-IP device:
    • Context Name specifies the context name associated with the rules, such as /Common/global-firewall-rules.
    • Context Type specifies the firewall context type associated with the rules, such as global or self IP.
    • Policy Name specifies the name of the policy associated with the rules.
    • Policy Type specifies the type of policy associated with the rules, such as enforced or staged.
    • Rule Count specifies the number of rules compiled for this BIG-IP device context, such as 30. This count includes rules in rule lists as well as rules that are not in rule lists.
    • Compile Duration specifies the amount of time required to compile the rules, expressed as hours:minutes:seconds.
    • Overlap Check Duration specifies the amount of time required to check for overlapping rules, expressed as hours:minutes:seconds.
    • Size specifies the size of the compiled rules in bytes.
    • Max Memory specifies the maximum amount of memory consumed by the rules in bytes.
    • Activation Time specifies when the rules were activated and became available for use.

Monitoring Network Security Activity

Configure viewing of Network Security data logs

Before you configure monitoring of Network Security data logging, you need to ensure that the Network Security service is running on the DCD.
Ensure that the Network Security service is activated by reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices screen: System > BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices.
Note whether the designated DCD listener is configured to communicate with the BIG-IP devices using their self IP or their management network IP address. Using the management network for data collection is strongly discouraged, because that network is not intended for production traffic such as high-volume event logging. If your DCD does use the management network IP, you must define a network routing gateway on your BIG-IP device as described in BIG-IP TMOS: Routing Administration.
If you deactivate the Network Security service for a DCD, or remove a DCD with that service enabled, the associated pool member is removed from the pool when you next deploy to the BIG-IP device (or devices). The pool afm-remote-logging-pool_<big-ipname>, where big-ipname is the name of the BIG-IP device, contains the pool member for that device.
You configure the collection of Network Security data logs so that you can better view and monitor information about your Network Security policies and firewalls. The BIG-IQ Centralized Management system provides a single-button configuration process that creates and configures the needed configuration objects. The system creates these configuration objects, if needed:
  • One or more logging profiles
  • A log publisher
  • A log destination
  • A pool for each device
  • Pool members
  • A pool monitor
The configuration objects are shared among the Shared Security virtual servers that were selected. Do not modify the objects that are created; modifying them could prevent the BIG-IP devices from sending Network Security events to the DCD.
  1. Click Configuration > SECURITY > Network Security > Contexts.
  2. In the list of firewall contexts, select the check box to the left of the one or more virtual servers to use.
    The virtual servers are listed in the Firewall Type column as vip.
  3. Click Configure Logging.
    The Network Security Logging Configuration dialog box opens.
  4. In the dialog box, click Continue.
    The dialog box shows the configuration status, including which objects were created.
  5. Click Close.
  6. Use the Deployment screens to deploy the Local Traffic service to the BIG-IP device associated with the virtual server:
    1. Click Deployment > EVALUATE & DEPLOY > Local Traffic & Network.
    2. In the Deployments area, click Create.
    3. Specify a Name and Description, and select the appropriate deployment options.
    4. In the Target Device(s) area, select the device used by the application and click Create.
    This deployment sends some of the objects created by the Network Security logging configuration process to the device.
  7. Deploy the Network Security service to the same BIG-IP device:
    1. Click Deployment > EVALUATE & DEPLOY > Network Security.
    2. In the Deployments area, click Create.
    3. Specify a Name and Description, and select the appropriate deployment options.
    4. In the Target Device(s) area, select the BIG-IP device to deploy and click Create.
    This deployment sends the remaining objects created by the Network Security logging configuration process to the device.
You can now receive Network Security events from the BIG-IP devices associated with the virtual servers, and view them on the Monitoring > EVENTS > Network Security screens.

View Network Security events

You need to configure the logging of Network Security events before you can view them.
You view Network Security events to better track the firewall events that occur on your BIG-IP devices.
  1. Click Monitoring > EVENTS > Network Security.
    The navigation area expands to show the different types of Network Security events available.
  2. Click the type of event you want to view, such as Firewall.
    To see all Network Security events, click All Network Security Events.
  3. Review the information on the screen.
    • To view additional details about an event:
      • Click the row for the event to see event details listed in the lower pane. You can navigate to the events below or above the selected event by clicking the arrows.
      • Click any blue link shown in the upper or lower pane to see more details about the linked object or to change the object.
    • To focus on a reduced number of events:
      • Select a device name from the list at the upper left to view events from only that BIG-IP device. By default this is set to All Devices.
      • In the Filter field in the upper right, type a text string to apply a simple text filter to the events. For more complex filters, click the filter icon to the left of the Filter field. The simple text filter does not support the advanced filter syntax, such as specifying time in minutes and seconds.
    • To change how often the event list is refreshed, select a value in the setting at the upper left.

Create filters for Network Security events

You create Network Security event filters so you can save the filters you use frequently to search for events, and not have to recreate them each time.
  1. Click Monitoring > EVENTS > Network Security > Filters.
  2. Click Add.
  3. Type a unique Filter Name.
  4. Create the filter using the Query Parameters area or by entering the query directly into the Query Expression area.
    In most cases, you should create the filter query using the Query Parameters area and only edit it directly if you need to refine it further.
  5. If you are creating the filter using the Query Parameters area, supply the parameter settings you want to be part of the filter.
    As you enter parameter settings, they are used to construct the filter query in the Query Expression area. You can also edit the filter query directly as described in the following step.
  6. If you are creating the filter by directly entering text into the Query Expression area, use the following syntax for the query text.
    • You express elements of the filter query as key-value pairs separated by a colon, such as profile_name:"MyCurrentProfile".
    • You can use the following operators within a filter query.
      Operator   Usage example
      AND        This:p1 AND bar:(A AND B AND "another value")
      AND NOT    AND NOT qux:error
      OR         name:"this is a name" OR bar:(A OR B OR C)
      OR NOT     OR NOT qux:error
      *          support_id:*123*   (wildcard; this operator can only be used for text fields)
    • You must enclose values that contain spaces in quotation marks, such as key:"two words".
    • You can query any field for more than one value by enclosing the values in parentheses, such as key:(a b "two words"). In this case, the default operator is OR.
    • Only pre-defined values are allowed for fields with a type of multi-value. These values are listed in the Query Parameters area, in the list next to the relevant field.
    • Values with a type of date accept valid date formats, such as 'Oct 30, 2017 00:00:00'.
    • Values of the date range type accept input in the format [min_date...max_date], such as '[Oct 30, 2017 00:00:00...Oct 30, 2017 06:00:00]'. The date range can also contain only a minimum without a maximum, or the reverse, such as '[Oct 30, 2017 00:00:00...]' or '[...Oct 30, 2017 00:00:00]'.
    • Values of the numeric range type accept input in the format [min...max], such as '[1...100]'. The numeric range can also contain only a minimum without a maximum, or the reverse, such as '[1...]' or '[...100]'.
    • You must include the full path to the policy in a policy name, such as /Common/MyPolicy.
  7. You can enter fields in the Query Expression area that are not shown in the Query Parameters area by discovering them in the user interface.
    1. Click the event row to show the event details in the lower part of the screen.
    2. Hover over a label name in that area to see the field name to use in the query expression. For example, hovering over Signature Name in the lower pane shows that the matching field is sig_name.
  8. Save your work.

Monitoring DoS Events

Configure viewing of DoS events

Before you configure monitoring of DoS events, you need to ensure that the DoS Protection service is running on the DCD.
Verify this by reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices screen: click System > BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices.
If the DoS Protection service is not running, click Activate to start it.
If you deactivate the DoS Protection service for a DCD, or remove a DCD with that service enabled, the associated pool member is removed from the pool when you next deploy to the BIG-IP device (or devices). The pool dos-remote-logging-pool_<big-ipname>, where big-ipname is the name of the BIG-IP device, contains the pool member for that device.
You configure the collection and viewing of DoS events so that you can better view and monitor information about your DoS protection. The BIG-IQ Centralized Management system provides a single-button configuration process that creates and configures the needed configuration objects. The system creates the following configuration objects, if needed:
  • One or more logging profiles
  • A log publisher
  • A log destination
  • A pool for each device
  • Pool members
  • A pool monitor
The configuration objects are shared among the Shared Security virtual servers that were selected. The objects that are created should not be modified. Modifying these objects could affect the ability of the BIG-IP devices to send DoS events to the DCD.
  1. Click Configuration > SECURITY > Shared Security > Virtual Servers.
  2. In the list, select the check box to the left of the one or more virtual servers to use.
  3. Click Configure DoS Logging.
    The DoS Logging Configuration dialog box opens.
  4. In the dialog box, click Continue.
    The dialog box shows the configuration status, including which objects were created.
  5. Click Close.
  6. Use the Deployment screens to deploy the Local Traffic service to the BIG-IP device associated with the virtual server:
    1. Click Deployment > EVALUATE & DEPLOY > Local Traffic & Network.
    2. In the Deployments area, click Create.
    3. Specify a Name and Description, and select the appropriate deployment options.
    4. In the Target Device(s) area, select the device used by the application and click Create.
    This deployment sends some of the objects created by the DoS logging configuration process to the device.
  7. Deploy either the Network Security or the Web Application Security service to the same BIG-IP device. You can use either service, because both include the Shared Security objects.
    1. Click Deployment > EVALUATE & DEPLOY > Network Security or Deployment > EVALUATE & DEPLOY > Web Application Security.
    2. In the Deployments area, click Create.
    3. Specify a Name and Description, and select the appropriate deployment options.
    4. In the Target Device(s) area, select the device used by the application and click Create.
    This deployment sends the rest of the objects created by the DoS logging configuration process to the device.
You can now receive DoS events from the BIG-IP devices associated with the virtual servers and view them on the Monitoring > EVENTS > DoS screens.

Configure viewing of device DoS events

Before you configure monitoring of device DoS events, you need to ensure that the DoS Protection service is running on the DCD.
Verify this by reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices screen: click System > BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices.
If the DoS Protection service is not running, click Activate to start it.
If you deactivate the DoS Protection service for a DCD, or remove a DCD with that service enabled, the associated pool member is removed from the pool when you next deploy to the BIG-IP device (or devices). The pool dos-remote-logging-pool_<big-ipname>, where big-ipname is the name of the BIG-IP device, contains the pool member for that device.
You configure the collection and viewing of device DoS events so that you can better view and monitor information about your DoS protection. The BIG-IQ Centralized Management system provides a single-button configuration process that creates and configures the needed configuration objects. The system creates the following configuration objects, if needed:
  • One or more logging profiles
  • A log publisher
  • A log destination
  • A pool for each device
  • Pool members
  • A pool monitor
The objects that are created are shared among these device DoS configurations and should not be modified. Modifying these objects could affect the ability of the BIG-IP devices to send device DoS events to the DCD.
  1. Click Configuration > SECURITY > Shared Security > DoS Protection > Device DoS Configurations.
  2. In the list, select the check box to the left of the one or more device DoS configurations to use.
    Each device DoS configuration has the same name as its BIG-IP device.
  3. Click Configure DoS Logging.
    The DoS Logging Configuration dialog box opens.
  4. In the dialog box, click Continue.
    The dialog box shows the configuration status, including which objects were created.
  5. Click Close.
  6. Use the Deployment screens to deploy the Local Traffic service to the BIG-IP device whose device DoS configuration you selected:
    1. Click Deployment > EVALUATE & DEPLOY > Local Traffic & Network.
    2. In the Deployments area, click Create.
    3. Specify a Name and Description, and select the appropriate deployment options.
    4. In the Target Device(s) area, select the BIG-IP device and click Create.
    This deployment sends some of the objects created by the device DoS logging configuration process to the device.
  7. Deploy either the Network Security or the Web Application Security service to the same BIG-IP device. You can use either service, because both include the Shared Security objects.
    1. Click Deployment > EVALUATE & DEPLOY > Network Security or Deployment > EVALUATE & DEPLOY > Web Application Security.
    2. In the Deployments area, click Create.
    3. Specify a Name and Description, and select the appropriate deployment options.
    4. In the Target Device(s) area, select the BIG-IP device and click Create.
    This deployment sends the rest of the objects created by the device DoS logging configuration process to the device.
You can now receive device DoS events from the BIG-IP devices and view them on the Monitoring > EVENTS > DoS screens.

Configure viewing of DoS events for applications

Before you configure monitoring of DoS events for applications, you need to ensure that the following conditions are in place:
  • A DoS profile and logging profile are associated with the application template used to create the application.
    Verify this by reviewing the Shared Security area on the Edit Template screen. Click Applications > SERVICE CATALOG, click the name of the application template, then click SECURITY POLICIES, and review the Shared Security area to see the DoS profile and logging profile assigned to the template.
    If the profiles are selected in the Standalone Device row, they are used with a standalone BIG-IP device. If they are selected in the Load Balancer or VE devices row, they are used with a BIG-IP device in a service scaling group (SSG).
  • The DoS Protection service is running on the DCD.
    Verify this by reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices screen: click System > BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices.
You configure the BIG-IQ system to collect DoS events for an application so that you can monitor the DoS protection on that application.
  1. Click Configuration > SECURITY > Shared Security > Virtual Servers.
  2. Select the check box to the left of the virtual server that is being used by the application.
  3. Click Configure DoS Logging.
    The DoS Logging Configuration dialog box opens.
  4. In the dialog box, click Continue.
    The dialog box shows the configuration status, including which objects were created.
  5. Click Close.
  6. Use the Deployment screens to deploy the Local Traffic service to the BIG-IP device associated with the virtual server:
    1. Click Deployment > EVALUATE & DEPLOY > Local Traffic & Network.
    2. In the Deployments area, click Create.
    3. Specify a Name and Description, and select the appropriate deployment options.
    4. In the Target Device(s) area, select the device used by the application and click Create.
    This deployment sends all the objects created by the DoS logging configuration process to the device.
  7. Deploy either the Network Security or the Web Application Security service to the same BIG-IP device. You can use either service, because both include the Shared Security service that contains logging profiles.
    1. Click Deployment > EVALUATE & DEPLOY > Network Security or Deployment > EVALUATE & DEPLOY > Web Application Security.
    2. In the Deployments area, click Create.
    3. Specify a Name and Description, and select the appropriate deployment options.
    4. In the Target Device(s) area, select the device used by the application and click Create.
    This deployment sends the logging profile associated with the application to the device.
You can now receive DoS events from the BIG-IP devices associated with the application and virtual server, and view them on the Monitoring > EVENTS > DoS screens.

View DoS events

You need to configure the logging of DoS or device DoS events before you can view them.
You view DoS events to better track the DoS and device DoS events that occur on your BIG-IP devices.
If you are monitoring BIG-IP devices running a supported version of BIG-IP 13.1.0.8 or later, you can view summary information about ongoing DoS attacks from Monitoring > DASHBOARDS > DDoS > Protection Summary. For more information, see Monitoring Ongoing DDoS Attacks.
  1. Click Monitoring > EVENTS > DoS.
    The navigation area expands to show the different types of DoS events available.
  2. Specify the type of information you want to see:
    • To see a specific kind of DoS event, click that event type, such as Application Events.
    • To see all DoS attack events in a tabular format, click All DoS Attack Events.
    • To see a summary of all DoS attack events in a graphical format, click DoS Summary.
  3. Review the information on the screen.
    • To view additional details about an event:
      • Click the row for the event to see event details listed in the lower pane. You can navigate to the events below or above the selected event by clicking the arrows.
      • Click any blue link shown in the upper or lower pane to see more details about the linked object.
      • In the detailed information for values that change over time, current, minimum, maximum, and last values may be shown, labeled Curr, Min, Max, and Last. For example, an attack type might currently have a severity of 3, with a minimum of 2 and a maximum of 3 during the time period; after the attack is over, the last value might be 2.
      • On the DoS Attacks Summary screen, click the number for an attack in the Attack ID column to see additional tabular and graphical details about that attack, such as the attack type and the mitigation used.
    • To focus on a reduced number of events:
      • Select a device name from the list at the upper left to view events from only that BIG-IP device. By default this is set to All Devices.
      • In the Filter field in the upper right, type a text string to filter the events. To create or use advanced filters, click the filter icon to the left of the Filter field.
    • To change how often the event list is refreshed, select a value in the setting at the upper left.

Create filters for DoS events

You create DoS event filters so you can save the custom filters you use to search for events and not have to recreate them each time.
  1. Click Monitoring > EVENTS > DoS > Filters.
  2. Click Add.
  3. Type a unique Filter Name.
  4. Create the filter using the Query Parameters area or by entering the query directly into the Query Expression area.
    In most cases, you should create the filter query using the Query Parameters area and only edit it directly if you need to refine it further.
  5. If you are creating the filter using the Query Parameters area, supply the parameter settings that you want to be part of the filter.
    As you enter parameter settings, they are used to construct the filter query in the Query Expression area. You can also edit the filter query directly as described in the following step.
  6. If you are creating the filter by directly entering text into the Query Expression area, use the following syntax for the query text.
    • You express elements of the filter query as key-value pairs separated by a colon, such as profile_name:"MyCurrentProfile".
    • You can use the following operators within a filter query.
      Operator   Usage example
      AND        This:p1 AND bar:(A AND B AND "another value")
      AND NOT    AND NOT qux:error
      OR         name:"this is a name" OR bar:(A OR B OR C)
      OR NOT     OR NOT qux:error
      *          support_id:*123*   (wildcard; this operator can only be used for text fields)
    • You must enclose values that contain spaces in quotation marks, such as key:"two words".
    • You can query any field for more than one value by enclosing the values in parentheses, such as key:(a b "two words"). In this case, the default operator is OR.
    • Only pre-defined values are allowed for fields with a type of multi-value. These values are listed in the Query Parameters area, in the list next to the relevant field.
    • Values with a type of date accept valid date formats, such as 'Oct 30, 2017 00:00:00'.
    • Values of the date range type accept input in the format [min_date...max_date], such as '[Oct 30, 2017 00:00:00...Oct 30, 2017 06:00:00]'. The date range can also contain only a minimum without a maximum, or the reverse, such as '[Oct 30, 2017 00:00:00...]' or '[...Oct 30, 2017 00:00:00]'.
    • Values of the numeric range type accept input in the format [min...max], such as '[1...100]'. The numeric range can also contain only a minimum without a maximum, or the reverse, such as '[1...]' or '[...100]'.
    • You must include the full path to the policy in a policy name, such as /Common/MyPolicy.
  7. You can enter fields in the Query Expression area that are not shown in the Query Parameters area by discovering them in the user interface.
    1. Click the event row to show the event details in the lower part of the screen.
    2. Hover over a label name in that area to see the field name to use in the query expression. For example, hovering over Signature Name in the lower pane shows that the matching field is sig_name.
  8. Save your work.

Managing Firewall Rule Reports

About firewall rule reports

You can generate different types of firewall rule reports for selected BIG-IP devices in either CSV or HTML format. These reports capture information similar to that gathered using the firewall rule monitoring. The types of reports you can generate include:
  • Stale Rule Report. Creates a report on firewall rules that are not being used on the BIG-IP device.
  • Overlap Status Stats Report. Creates a report on firewall rules that are overlapping on the BIG-IP device.
  • Compilation Status Report. Creates a report on the compilation of firewall rules on the BIG-IP device.

Creating firewall rule reports

You create firewall rule reports to capture statistics about firewall rules in a report format.
  1. Navigate to the Firewall Rule Reports screen: Click Monitoring > REPORTS > Security > Network Security > Firewall Rule Reports.
  2. Click Create.
    The New Firewall Rule Report screen opens.
  3. Type a name for the report in the Name field.
  4. Type an optional description for the report in the Description field.
  5. Select a report type from those listed in the Report Type field.
    You can generate these types of reports:
    • Stale Rule Report
    • Overlap Status Stats Report
    • Compilation Status Stats Report
    If the Stale Rule Report report type is selected, the screen displays the Stale Rule Criteria property; otherwise that property is not displayed.
  6. If you select Stale Rule Report, you can refine the report using the options listed in the Stale Rule Criteria setting:
    • To include only rules with a hit count less than a specified number, select Rules with count less than and type the number in the provided field.
    • To include only rules that have not been hit since a specified date, select Rules that haven't been hit since and specify the date in the provided field.
  7. From the Available Devices setting, select the BIG-IP devices or device group to use for the report:
    • Select Group and select a group of BIG-IP devices from the list.
    • Select Device and select individual BIG-IP devices by moving them from the Available list to the Selected list.
  8. Save the report:
    • Select Save to save the report. The system displays the Firewall Rule Reports page for that one report, and generates the report data.
    • Select Save & Close to save the report. The system displays the Firewall Rule Reports page that lists all reports, and generates the report data.
  9. Select the format for the report:
    • Select CSV Report to have the report formatted as a CSV file.
    • Select HTML Report to have the report formatted as an HTML file. The HTML file is displayed in the Web browser when complete.
    You can save or print these reports.

Deleting firewall rule reports

You can delete firewall rule reports that are no longer needed.
  1. Go to the Firewall Rule Reports screen: Click Monitoring > REPORTS > Security > Network Security > Firewall Rule Reports.
  2. Select one or more reports to delete, and click Delete.
    The reports are deleted from the list on the Firewall Rule Reports screen.

Managing Firewall Packet Trace Reports

About firewall packet trace reports

You can create and view packet trace reports to visually review your firewall settings. You can click the graphics in the trace report to see detailed results of the packet trace for each firewall component.

Create firewall packet trace reports

You create packet trace reports to trace and review your network security firewall settings.
  1. Click Monitoring > REPORTS > Security > Network Security > Packet Traces.
  2. Click Create.
    The Packet Parameters screen opens.
  3. Enter or modify the parameters.
    • In the Name setting, type a name for the packet trace.
    • In the Protocol setting, select the protocol for the packet you want to trace. The other configuration settings change based on the protocol you select.
    • In the TCP Flags setting, select one or more flags to set in the packet trace. This setting is used only when the TCP protocol is selected.
    • In the Source IP Address setting, type the IP address to identify as the packet source.
    • In the Source Port setting, type the port to identify as the packet source. This does not apply to ICMP packets.
    • In the TTL setting, type the TTL (Time to Live) for the traced packet, in seconds.
    • In the Destination IP Address setting, type the IP address to which you want to send the packet for the packet trace.
    • In the Destination Port setting, type the port to which you want to send the packet for the packet trace. This does not apply to ICMP packets.
    • In the Use Staged Policy setting, select whether to use a staged policy, if one exists, for the packet.
    • In the Trigger Log setting, select whether to write a log message for the traced packet, if the system would log it.
  4. In the Devices area, select the BIG-IP devices and source VLANs to be traced.
    1. Click Add.
      The Devices dialog box is displayed.
    2. In the Devices dialog box, select the BIG-IP devices to use by moving them from the Available list to the Selected list.
    3. Click Add to finalize the list and close the dialog box.
    4. In the Source VLAN column, select one or more VLANs to use for each device in the list.
      If Apply these VLANs to all Devices is selected, the VLANs selected for the first device in the list are applied to all other devices in the list. Clear this option to select different VLANs for each device.
  5. Click Run Trace.
    The packet is traced and the results are displayed on the screen.
  6. In the Trace Results area, review the trace diagram created by running the trace.
    • Review the colors of the graphics for each network security component.
      • Green graphics indicate rules that were evaluated and allowed the traffic to pass, including whitelist matches and Allow firewall, DoS, and IP intelligence matches.
      • Red graphics indicate packets that were evaluated and dropped, or that matched firewall or IP intelligence rules.
      • Gray graphics indicate packets that did not match a rule of the type indicated.
    • Click each graphic to see detailed results of the packet trace for that component.
    • To copy this packet trace, click Clone.
    • To compare this packet trace to one or more other packet traces, click Compare and then select the packet traces to compare it with.
The packet trace has been run and reviewed.
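The Python below is an added example for this chapter, not BIG-IQ code or report output. Over a small constructed rule table it performs, offline, the checks that the Stale Rule and Overlap Status reports (see About firewall rule reports) and a packet trace present: which rules meet either Stale Rule Criteria option, which rule pairs overlap and which later rule is shadowed by an earlier one, and which rule a given packet would hit first. Assumptions the manual does not state: rules are evaluated in listed order and the first match decides; the Rule and Packet fields, hit counts and last-hit times are constructed; and the packet is reduced to protocol, source, destination and destination port (no TCP flags or TTL).

```python
# Added example, not BIG-IQ code: offline checks in the spirit of the Stale Rule and
# Overlap Status reports and of a packet trace, run over a constructed rule table.
# Assumed, as the manual gives no formats: rules are evaluated in listed order and the
# first match decides; hit counts, last-hit times and the reduced packet are constructed.
from collections import namedtuple
from datetime import datetime
from ipaddress import ip_address, ip_network

DATE_FMT = "%b %d, %Y %H:%M:%S"  # the 'Oct 30, 2017 00:00:00' form used in the manual
Rule = namedtuple("Rule", "name action proto src dst ports hits last_hit")
Packet = namedtuple("Packet", "proto src dst dport")

RULES = [  # constructed sample policy; ports is an inclusive (low, high) destination range
    Rule("allow-web", "accept", "tcp", "0.0.0.0/0", "10.0.1.0/24", (443, 443), 981273, "Oct 30, 2017 11:59:01"),
    Rule("allow-admin", "accept", "tcp", "10.0.9.0/24", "10.0.1.10/32", (22, 22), 42, "Oct 29, 2017 08:12:00"),
    Rule("deny-admin", "drop", "tcp", "10.0.9.0/24", "10.0.1.10/32", (22, 22), 0, None),
    Rule("allow-legacy", "accept", "udp", "192.168.0.0/16", "10.0.2.0/24", (1024, 65535), 3, "Feb 02, 2016 03:00:00"),
    Rule("deny-all", "drop", "any", "0.0.0.0/0", "0.0.0.0/0", (0, 65535), 553, "Oct 30, 2017 11:58:45"),
]


def _proto_covers(outer, inner):
    return outer == "any" or outer == inner


def rule_covers(outer, inner):
    """True when every packet that matches inner also matches outer."""
    return (_proto_covers(outer.proto, inner.proto)
            and ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1])


def rules_overlap(a, b):
    """True when some packet could match both rules."""
    return ((a.proto == b.proto or "any" in (a.proto, b.proto))
            and ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def overlap_report(rules):
    """(earlier, later, shadowed) for each overlapping pair. shadowed is True when the
    later rule is fully covered by the earlier one, so first-match evaluation never reaches it."""
    return [(earlier.name, later.name, rule_covers(earlier, later))
            for i, earlier in enumerate(rules) for later in rules[i + 1:]
            if rules_overlap(earlier, later)]


def stale_rules(rules, count_less_than=None, not_hit_since=None):
    """Rule names meeting either Stale Rule Criteria option described in the manual."""
    cutoff = datetime.strptime(not_hit_since, DATE_FMT) if not_hit_since else None
    stale = []
    for r in rules:
        last = datetime.strptime(r.last_hit, DATE_FMT) if r.last_hit else None
        by_count = count_less_than is not None and r.hits < count_less_than
        by_date = cutoff is not None and (last is None or last < cutoff)
        if by_count or by_date:
            stale.append(r.name)
    return stale


def trace_packet(rules, pkt):
    """First-match walk of the policy for one packet, as a packet trace reports it:
    (matched rule name or None, action, rules evaluated that did not match)."""
    evaluated = []
    for r in rules:
        if (_proto_covers(r.proto, pkt.proto) and ip_address(pkt.src) in ip_network(r.src)
                and ip_address(pkt.dst) in ip_network(r.dst)
                and r.ports[0] <= pkt.dport <= r.ports[1]):
            return r.name, r.action, evaluated
        evaluated.append(r.name)
    return None, "no match", evaluated
```

Reading the two reports together matters: deny-admin shows zero hits not because the traffic is absent but because allow-admin, evaluated first, covers every packet it could match, so the overlap check explains what the stale check only flags.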

Managing Firewall Packet Flow Reports

About firewall packet flow reports

You create and review packet flow reports to inspect the currently active packet flows on BIG-IP devices. You can use these reports to determine if a packet flow meeting certain parameters is active on the BIG-IP devices. You can combine using the packet flow reports with packet trace reports to see if a BIG-IP device may be blocking certain flows at a firewall.
You can also review prior packet flow reports. The Centralized Management Packet Flows feature is similar to the Flow Inspector feature in the Advanced Firewall Manager (AFM) on the BIG-IP device.

Create packet flow reports

You create a packet flow report to identify what flows are currently active on BIG-IP devices that match the given parameters. You specify the parameters and the BIG-IP devices that the BIG-IQ Centralized Management system examines to generate the report.
  1. Click Monitoring > REPORTS > Security > Network Security > Packet Flows.
  2. Click Create.
  3. In the Flow Parameters area, enter the packet flow parameters.
    1. Type a Name for the packet flow report.
    2. Specify the Protocol for the flows.
      Select All to view all protocols. Select Specify and specify the protocol to view flows using that protocol.
    3. Specify the Source IP Address for the flows.
      The default is Any, which indicates that any source IP address is used, rather than a specific IP address.
    4. Specify the Source Port for the flows.
      By default, an asterisk (*) is shown, indicating that all ports are selected. If the selected protocol is ICMP, this setting is not used.
    5. Specify the Destination IP Address for the flows.
      The default is Any, which indicates that any destination IP address is used, rather than a specific IP address.
    6. Specify the Destination Port for the flows.
      By default, an asterisk (*) is shown, indicating that all ports are selected. If the selected protocol is ICMP, this setting is not used.
    7. In the Visible Flow Count setting, specify the maximum number of flows on which to report.
  4. In the Select Devices area, select the BIG-IP devices on which to inspect the packet flows by moving them from the Available list to the Selected list.
  5. Click Get Flows to generate the packet flow report for the specified parameters.
    The screen is updated to show the generated packet flow report. You can expand the Flow Parameters area to show the parameters used to create the list of packet flows. The Flow Table area shows the list of packet flows.
  6. In the Flow Table area, you can display additional information about a selected packet flow.
    • To review details about a packet flow and any packet trace history for that flow, click the row for that packet flow. The detailed information for that packet flow is displayed in the lower pane on the screen. Click a link in the packet trace history to see details of that packet trace.
    • To create a packet trace of a packet flow, click the row for that packet flow and click Create Packet Trace. A new packet trace is created, pre-filled with data from the selected packet flow.
    To manage which packet flows are shown, you can:
    • Click Expand All to expand all flows that are collapsed under their device name.
    • Click Collapse All to collapse all packet flows under their device name.
    • Use the Filter field to display only those packet flows matching the filter. Any displayed value should be usable in the filter field, including an IPv4 subnet.

Viewing Web Application Security Event Logs

About event log viewing

You can view Web Application Security event logs to review applications and server activities. BIG-IQ Centralized Management enables a single view of all filters and log entries (and details for each entry) from multiple BIG-IP devices.
You use tags and filters to select which events to view.
  • Filters select the events to view by constructing a query that the events must match.
  • You can assign tags to events to label them, so that you can use that label in queries.
Before you can view events, event logging must be configured as follows.
  1. Discover and activate a BIG-IQ Data Collection Device.
  2. Configure a BIG-IP device to collect event logs and send them to the BIG-IQ Centralized Management Data Collection Device. Part of this configuration includes a virtual server configured with a logging profile.
  3. Configure a logging profile for Web Application Security, assign it to a virtual server, and deploy it to the BIG-IP device that has been configured to collect log events. A logging profile determines which events the system logs, where it logs them, and the format of these events. It directs security events to a BIG-IQ Data Collection Device, and the BIG-IQ Centralized Management system retrieves them from that node.

View event logs and define filters and tags

You can review Web Application Security events on applications and servers from one or more BIG-IP devices. By default, the events are filtered to show only illegal requests. You can use the Web Application Security Event Logs screen to define tags and filters to help you find meaningful events.
  1. Click Monitoring > EVENTS > Web Application Security > Events.
  2. To create and apply tags to events, select the events using the check box to the left, and click Tags above the event list.
    A dialog box opens.
    • To create a tag, type the tag name in the provided field and click +.
    • To apply a tag to the selected events, select the check box to the left of the tag and click Apply.
  3. To create filters, click the filter icon to the left of the Filter field in the upper right of the screen. In the dialog box that opens, click Create.
    The New Filter dialog box opens.
    1. In the Filter Name setting, enter a name.
    2. In the Query Parameters area, supply the parameter settings you want to be part of the filter.
      As you enter parameter settings, they are used to construct the filter query in the Query Expression area.
    3. Save your work.
      The new filter is listed on the Filters screen.
  4. To export selected events as a CSV file, select the events using the check box to the left, and click Export.
  5. To display only events that contain a specified string, type that string in the Filter field in the upper right of the screen.
  6. To see details of an event log entry, click in the event entry row.
    A screen on the right opens and shows details of the event.
  7. In the details screen, you can specify the kind of information to see.
    • You can specify compact or full information. At the top of the screen, click Compact for summary information, or click Full for complete information.
    • You can specify either request or response information. Click Request for request information or Response for response information. Both kinds of information contain links in blue that you can click for more information.

Use event log filters

You use event log filters to refine your searches through the event logs, including searches through event logs from multiple BIG-IP devices.
  1. Click Monitoring > EVENTS > Web Application Security > Filters and Tags > Filters.
  2. To remove a filter, select the check box to the left of the filter and click Remove, then confirm the deletion in the dialog box that opens.
    The filter is removed from the Filters screen.
  3. To modify a filter, click the name of the filter.
    The filter properties screen opens.
  4. Review or revise the settings as needed.
    1. In the Query Expression area, review the current filter query, or type into the text box to modify it directly.
      In most cases, you will want to modify the query expression using the settings in the Query Parameters area, since that builds the query automatically and so reduces the chance of error.
      The query has the format method:'value' protocol:'value' severity:'value'. For example: method:'GET' protocol:'HTTPS' severity:'error'.
    2. In the Query Parameters area, supply the parameter settings you want to be part of the filter.
      As you enter parameter settings, they are used to construct the filter query in the Query Expression area.
    3. Save your work.
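The Python below is an added example, not BIG-IQ code. It implements a matcher for the query expression syntax described here and in the Query Parameters notes earlier in this chapter (quoted values, key:(...) value lists with OR as the default operator, AND, OR and NOT, the * wildcard on text fields, and [min...max] date and numeric ranges) and runs it over constructed sample events. The manual does not define a grammar, so this is one reading of it: adjacent top-level terms are ANDed, NOT negates the term that follows it, and text comparison ignores case. The compile_query, matching_ids and EVENTS names and the sample records are mine.

```python
# Added example (not BIG-IQ code): a matcher for BIG-IQ-style event log filter queries.
# Assumed, as the manual does not say: top-level terms are ANDed, NOT negates the next term.
import re
from datetime import datetime
DATE_FMT = "%b %d, %Y %H:%M:%S"  # the 'Oct 30, 2017 00:00:00' form used in the manual
# Tokens: parentheses, colon, quoted strings, [min...max] ranges, bare words.
TOKEN_RE = re.compile(r'''\s*(\(|\)|:|"[^"]*"|'[^']*'|\[[^\]]*\]|[^\s():"'\[\]]+)''')

def _tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:  # an unterminated quote or bracket, or a stray ]
            raise ValueError("cannot tokenize near: " + text[pos:])
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def _coerce(text):
    """Range bound as float or datetime; None for an open bound such as [1...]."""
    if not text.strip():
        return None
    try:
        return float(text)
    except ValueError:
        return datetime.strptime(text.strip(), DATE_FMT)

def _match_value(field_value, pattern):
    if pattern.startswith("[") and pattern.endswith("]") and "..." in pattern:
        lo, hi = (_coerce(b) for b in pattern[1:-1].split("...", 1))
        value = _coerce(str(field_value))
        return value is not None and (lo is None or lo <= value) and (hi is None or value <= hi)
    if "*" in pattern:  # wildcard; the manual restricts it to text fields
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.fullmatch(regex, str(field_value), re.IGNORECASE) is not None
    return str(field_value).lower() == pattern.lower()  # exact match, case-insensitive

# Predicate combinators; each closes over its own operands.
def _and(a, b): return lambda ev: a(ev) and b(ev)
def _or(a, b): return lambda ev: a(ev) or b(ev)
def _not(a): return lambda ev: not a(ev)

def _expr(tokens, leaf, default_op):
    # leaf parses a field:value term at top level, or a bare value inside key:(...).
    pred = leaf(tokens)
    while tokens and tokens[0] != ")":
        op = tokens.pop(0).upper() if tokens[0].upper() in ("AND", "OR") else default_op
        negate = bool(tokens) and tokens[0].upper() == "NOT"
        if negate:
            tokens.pop(0)
        right = leaf(tokens)
        pred = (_and if op == "AND" else _or)(pred, _not(right) if negate else right)
    return pred

def _term(tokens):
    field = tokens.pop(0)
    if tokens.pop(0) != ":":
        raise ValueError("expected ':' after field " + field)
    if not tokens or tokens[0] != "(":
        return _value(tokens, field)
    tokens.pop(0)  # key:(v1 v2 ...): the default operator inside the parentheses is OR
    pred = _expr(tokens, lambda t: _value(t, field), "OR")
    if tokens.pop(0) != ")":
        raise ValueError("missing ')' after the values for " + field)
    return pred

def _value(tokens, field):
    tok = tokens.pop(0)
    if tok in ("(", ")", ":") or tok.upper() in ("AND", "OR", "NOT"):
        raise ValueError("expected a value for %s, got %s" % (field, tok))
    if len(tok) >= 2 and tok[0] in "\"'" and tok[-1] == tok[0]:
        tok = tok[1:-1]  # the manual requires quotes around values containing spaces
    return lambda ev: field in ev and _match_value(ev[field], tok)

def compile_query(text):
    """Compile a query expression into a predicate over one event dict."""
    tokens = _tokenize(text)
    try:
        pred = _expr(tokens, _term, "AND")
    except IndexError:
        raise ValueError("unexpected end of query") from None
    if tokens:
        raise ValueError("unexpected token: " + tokens[0])
    return pred

EVENTS = [  # constructed sample records, not data from a real BIG-IQ system
    {"support_id": "1000000000000001", "method": "GET", "protocol": "HTTPS",
     "severity": "error", "date_time": "Oct 30, 2017 01:15:00", "response_code": 403},
    {"support_id": "2000000000000002", "method": "POST", "protocol": "HTTPS",
     "severity": "critical", "date_time": "Oct 30, 2017 05:59:59", "response_code": 403},
    {"support_id": "3000000000000003", "method": "GET", "protocol": "HTTP",
     "severity": "informational", "date_time": "Oct 30, 2017 12:00:00", "response_code": 200},
    {"support_id": "4000001230000004", "method": "GET", "protocol": "HTTPS",
     "severity": "error", "date_time": "Oct 31, 2017 09:30:00", "response_code": 500},
]

def matching_ids(query_text, events=EVENTS):
    pred = compile_query(query_text)  # support IDs of the events the query selects
    return [ev["support_id"] for ev in events if pred(ev)]
```

The expression is handled by a small tokenizer and recursive-descent parser rather than being turned into one regular expression, so an unterminated quote or bracket is rejected with a ValueError instead of silently matching nothing; that is the class of mistake the Query Parameters builder is there to prevent when you edit the expression by hand.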

View and delete event log tags

You can review the tags defined for use with Web Application Security events and remove the tags.
  1. Click Monitoring > EVENTS > Web Application Security > Filters and Tags > Tags.
    The Tags screen shows the defined tags.
  2. To remove a tag, select the check box to the left of it and click Remove, then confirm the deletion in the dialog box that opens.
    The tag is removed from the Tags screen.

Viewing Correlated Web Application Security Events

View correlated application security events

You can view application security events correlated into groups called incidents. These incidents are based on common security considerations such as application area, the source of transactions, and so on. Using this screen might be more effective than reviewing all the application security events using the event log, where events are not grouped.
  1. Click Monitoring > EVENTS > Web Application Security > Event Correlation.
  2. Specify what information you want to see, and review the events.
    • To see details of a correlated event incident, click the event entry row. In the screen that opens below, the Event Correlation area shows details of the incident, including blue links that you can click for additional information.
    • To see details and samples of a correlated event incident, click the link in the Incident Type column for the event entry row. A screen opens below with additional details.
      • The Event Correlation area shows details of the incident, including blue links that you can click for additional information.
      • The Samples area shows samples of the incident that you can click for more details. When you click a sample link, a screen on the right opens and displays sample details.
        • In the sample details screen, you can choose to see compact or full information. At the top of the screen, click Compact for summary information, or click Full for complete information.
        • In the sample details screen, you can choose to see either request or response information. Click Request for request information, or Response for response information. Both kinds of information contain links in blue that you can click for more information.
    • To disable the automatic refreshing of the data on this screen, click Disable Auto Refresh. The screen updates.
      • To manually refresh the data on the screen, click Refresh.
      • To enable automatic refreshing of the data on the screen, click Enable Auto Refresh.
    • To display only those events that contain a specified string, type that string in the Filter field.
    • To create filters for the correlation events, click the filter icon to the left of the Filter field in the upper right of the screen. In the dialog box that opens, click Create.

Viewing Brute Force Attack Events

View brute force attack events

You can view a summary of the brute force attack events for your Web Application Security policies. The summary information includes the number of login attempts, the anomaly attack type, which login page is being attacked, the attack status, and when the mitigation began and ended.
  1. Click Monitoring > EVENTS > Web Application Security > Brute Force Attacks.
  2. Specify what information you want to see, and review the events.
    • To see more details about a specific attack, click the row for that attack. A screen opens on the right giving additional information, such as the attack summary, mitigated IP address, mitigated device identifiers, mitigated user names, and known leaked credentials. As you review this information, you can click any blue links in the information for additional details.
    • To display only those events that contain a specified string, type that string in the Filter field.
    • To create named filters to filter the brute force attack events more completely, click the filter icon to the left of the Filter field in the upper right of the screen. In the dialog box that opens, click Create.

Managing Security Reports

About security reporting

Reporting for BIG-IQ Network Security

You can use BIG-IQ Network Security Reporting to view reports for managed BIG-IP devices that are provisioned for Application Visibility and Reporting (AVR). Reports can be for a single BIG-IP device or can contain aggregated data for multiple BIG-IP devices (that are of the same BIG-IP device version).
Network Firewall, DoS and IP Intelligence reports can be created. Analytic reports provide detailed metrics about application performance such as transactions per second, server and client latency, request and response throughput, and sessions. Metrics are provided for applications, virtual servers, pool members, URLs, specific countries, and additional detailed statistics about application traffic running through one or more managed devices. You can view the analytics reports for a single device, view aggregated reports for a group of devices, and create custom lists to view analytics for only specified devices.
For managed BIG-IP devices v13.0 or earlier, you can view Network Security reports from the Network Security Reporting screen (Monitoring > REPORTS > Security > Network Security > Reporting).
For managed BIG-IP devices v13.1.0.8 or later, you can view Network Security reports and analytics from the DDoS Protection Summary screen (Monitoring > DASHBOARDS > DDoS > Protection Summary). For more information, see the Monitoring ongoing DDoS attacks section.

Reporting for BIG-IQ Web Application Security

You can use BIG-IQ Web Application Security Reporting to view reports for managed BIG-IP devices that are provisioned for Application Visibility and Reporting (AVR). As with AVR reporting on a single device, you can get visibility into application traffic passing through a single managed BIG-IP device or an aggregated system (aggregated data for multiple BIG-IP devices).
You can generate reports and charts in the following areas:
  • Application. You can view information about requests based on applications (iApps), virtual servers, security policies, attack types, violations, URLs, client IP addresses, IP address intelligence (reputation), client countries, severities, response codes, request types, methods, protocols, viruses detected, usernames, and session identification numbers.
  • Anomalies. You can view charts of statistical information in graphs about anomaly attacks, such as brute force attacks and web scraping attacks. You can use these charts to evaluate traffic to the web application, and to evaluate the vulnerabilities in the security policy.
  • DoS. If you have configured DoS protection on the BIG-IP system, you can view charts and reports that show information about DoS attacks and mitigations in place on the system.
    For managed BIG-IP devices v13.1.0.8 or later, you can view DDoS reports and analytics from the DDoS Protection Summary screen (Monitoring > DASHBOARDS > DDoS > Protection Summary). For more information, see the Monitoring ongoing DDoS attacks section.