F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IQ Web Application Security
  3. ce file for analytics
Manual Chapter : ce file for analytics

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 7.1.0
Manual Chapter

ce file for analytics

Definitions of terms, metrics, dimensions, and charts in analytics. In addition, common screen elements for Applications tab dashboard elements
Before you begin this task, isolate a service scaling group device that is experiencing health issues by using the service scaling group screen (
Applications
ENVIRONMENTS
Service Scaling Group
<Service Scaling Group Name>
 ).
Prereqs for visibility:
  • A BIG-IQ data collection device configured for the BIG-IQ device
  • The BIG-IP device located in your network and running a compatible software version
  • Statistics collection enabled for managed BIG-IP devices
  • AVR provisioned on your BIG-IP devices
  • A Data Collection Device (DCD) configured to your BIG-IQ system.
  • Managed BIG-IP devices have ASM provisioned for managing security policies.
  • The BIG-IQ system has Shared Security (SSM) discovered to manage virtual servers' DoS and logging profiles.
  • Managed BIG-IP devices have AVR provisioned (recommended).
If you have administrative access, you can view the Web Application Security settings for multiple applications on the Web Application Security dashboard
Monitoring
DASHBOARDS
Web Application Security
.
  1. Application Traffic Metrics
    Application response time indicates the time (in ms) it takes an application server to respond once it receives a request.
    HTTP transactions include the entire process from when a client sends an HTTP request to the application server, until the client receives a response.
    Concurrent connections indicate the number of connections that are open at the same time, either on the client-, or server- side.
    You must have Web Application Security services installed on your application management devices in order to view security data. The BIG-IP device hosting these services must have AVR provisioned with version 13.1.0.5, or later, to view data.
    To view application health or traffic data, your application must have be managed by a BIG-IP device version 13.1.0.5 or later with the following device configuration:
    • AVR is provisioned
    • HTTP statistics collection is enabled
    BIG-IP devices earlier than version 13.1.0.5 do not collect data that supports metric alerts. Applications that are managed by earlier versions of a BIG-IP device do not receive metric alerts.
  2. Open the application summary screen (
    Applications
    APPLICATIONS
    ).
  3. Go to
    Applications
    APPLICATIONS
  4. Go to
    Applications
    APPLICATION TEMPLATES
    .
  5. TBD
    The application service's dashboard is displayed. Ensure the
    ANALYTICS
     tab at the center of the screen is selected
  6. The summary bar at the top of the screen provides high-level information that indicates the status of your applications.
  7. Adjust the view setting for the applications listed on the screen using the grid or tile buttons .
    1. To filter applications in either view, select an option from the filter , and search according to key words.
    2. Press
      Enter
       to filter.
    3. To sort applications in grid view, click the column header.
    4. To sort applications in tile view, select an option from the
      Sort by
       menu.
  8. You can adjust the view setting for the service scaling groups listed on the screen using the grid or tile buttons .
    1. To filter service scaling groups in either view, select an option from the filter , and search according to key words.
    2. To sort service scaling groups in grid view, click the column header.
    3. To sort service scaling groups in tile view, select an option from the
      Sort by
       menu.
  9. In the single service scaling group screen (
    Applications
    ENVIRONMENTS
    Service Scaling Groups
    <Service Scaling Group Name)>
    ), click
    CONFIGURATION
    .
  10. Scroll to the ANALYTICS area at the lower half of the screen.
  11. To view application traffic data, select from options to the left of the screen in the ANALYTICS area.
    This displays charts for the application's traffic data.
    Expand the chart view by collapsing the summary bar and/or application configuration map using the arrows to the right of these areas.
    Users with administrative access can view statistics for multiple applications by clicking
    Monitoring
    DASHBOARDS
    Web Application Security
    .
  12. To view your application's current security settings, click CONFIGURATION to display the security policies and settings.
    Users with administrative access can edit the application's associated security policy. Select a policy based on the security service:
    • For Network (AFM) go to
      Configuration
      SECURITY
      Network Security
      Network Firewall
      Firewall Policies
      .
    • For Access Policy (APM) go to
      Configuration
      ACCESS
      Access Groups
      .
    • For Web Application Security (ASM) go to
      Configuration
      SECURITY
      Web Application Security
      Policies
      .
  13. Adjust the time settings using the controls at the top of the screen according to your monitoring needs.
    These time settings persist when navigating among charts.
  14. Use the tab at the right of the chart to expand the dimension pane.
  15. Expand the dimension widgets to view the metric data for each dimension object.
    Some dimensions present aggregated data. To view detailed dimension data objects, enable the
    Enhanced Analytics
     settings.
  16. Select one or more dimension objects to filter by that data in the charts and other dimensions.
    Certain dimensions objects are only available when Enhanced Analytics data collection is enabled.
  17. Open the application properties screen by selecting the application's name from the Applications screen ( click
    Applications
    APPLICATIONS
    <Application Name>
    <Application Service>
    ).
  18. All data presented on the screen is updated according to the refresh cycle, which you can adjust using the refresh button .
  19. Near the middle of the screen under APPLICATION SERVICES, click
    Security
    .
    The screen displays security information in the ANALYTICS and CONFIGURATION areas.
  20. Adjust the time settings using the controls at the top of the chart based on when the alert was triggered, or as needed.
  21. To view security alerts in the chart, click the
    Security
     button from the Category filters found below the chart.
    Enable
    Events
     in the time settings to view corresponding alerts.
  22. Expand the dimensions pane using the handle at the right side of the screen.
  23. In the Health area, click a health status to filter the screen list by that selection.
    This filters the service scaling group list on the screen.
  24. To customize dashboards filters:
  25. To sort the screen list:
    • In grid view: Click one of the column headers to sort by ascending or descending order.
      If a column does not appear in the grid view, click the
      Select columns
       icon to adjust the displayed view.
    • In tile view: Select an option from the Sort By list at the top left of the tiles.
  26. To sort the screen list by health status:
    1. In grid view, click the Health column header.
      If the Health column is not displayed, click the gear icon, to the right of the filter field, and select Health.
    2. In tile view: From the
      Sort by
       menu, click
      Health Status - High-to-Low
      .
  27. To sort the screen list by SSGs with the most active alerts:
    1. In grid view, click the Alerts column header
      If the Alerts column is not displayed, click the gear icon, to the right of the filter field, and select
      Active Alerts
      .
    2. In tile view: From the
      Sort by
       menu, select
      Active Alerts- High-to-Low
  28. The Health area displays the number of applications that are currently at each health status. Use this summary to identify which applications require additional analysis due to changes in performance thresholds.
  29. The Health area displays the number of service scaling groups that are currently at each health status. Use this summary to identify which service scaling groups require additional analysis due to changes in performance thresholds. You can select a health status to filter the service scaling group list.
  30. Go to the
    Applications
     tab, and click
    Elastic BIG-IP
    .
    The Elastic BIG-IP dashboard opens, showings all monitored service scaling groups, and highlighting health, active alerts, and performance data.
  31. Locate the Active Alerts area at the top right of the screen.
    This area lists the thresholds that are currently crossed.
  32. Go to the Active Alerts area at the top right of the screen to review if there are ongoing alerts. These alerts will indicate (up to) the five most severe thresholds that are currently surpassed. These thresholds are configured according to specific alert rule data collected.
    To see a full list of active alerts, and their details, click
    See All
    .
  33. In the CONFIGURATION area, click
    Devices
     from the left.
    This opens a chart that lists all the devices that are providing BIG-IP system services to the service scaling group.
  34. Click to return to the previous screen.
  35. In a VMware environment, you can select
    Load Balancing Devices
     to display device information for load balancers to the service scaling group.
    This area displays device configuration and details, including health and performance information. A load balancer with poor health or performance issues might impact all the devices in the service scaling group.
  36. Click the application's name for additional data and information about that specific application.
    This automatically opens the application's dashboard, where you can further isolate its performance issues, and edit its configuration and security policies.
  37. Click the service scaling group's name for additional data and information about that specific service scaling group.
    This automatically opens the service scaling group's dashboard, where you can further isolate its devices' performance, evaluate connected applications and edit its configuration.
  38. Security Filter
    Select the number of affected applications to filter the screen list by that selection.
  39. Spark Line
    You can hover over the spark line to view data values over the past hour.
  40. Summary Bar Filters
    Click this area to filter the list data by value in descending order.
    This automatically filters the screen list.
  41. Click the application's name to open the single application dashboard.
  42. Alert Concept definition
    The system triggers alerts based on stateful and stateless data that is collected from the various system elements that are monitored. Once triggered, the alert remains active until its status changes.
    The following alert rule set does not apply to the BIG-IP VE devices in a service scaling group. The default rules do apply to the load balancer BIG-IP device in a service scaling group.
  43. You can adjust the Warning and Critical threshold values for enabled metrics.
    A metric threshold violation must be sustained for 5 minutes to trigger an alert. A subsequent alert is triggered once another threshold is crossed (either an increase or decrease in severity, or cleared).
    To ensure that metric conditions are improving, metrics are declining in severity (critical to warning), or cleared, an alert is triggered only when the value is sustained for five minutes at ten percent below the threshold value. For example, if a threshold value is configured for greater than 60 percent, a declining severity must be sustained at 54 percent or less to trigger an alert.
  44. Click
    Save
     at the bottom of the screen, or click
    Save & Close
     to save and return to the Alert Rules screen.
  45. Go to
    Monitoring
    DASHBOARDS
    DDoS
    Protection Summary
    .
  46. Click the DEVICES area in the summary bar at the top of the screen to display the list of devices with ongoing DoS attacks.
  47. Click the PROTECTED OBJECTS area in the summary bar at the top of the screen.
    The screen displays details of all protected objects, including the object's health status, number of attacks detected, protection mode, and host BIG-IP device.
  48. Locate the ATTACKS area at the top left side of the screen to view a summary of all ongoing DDoS attacks.
  49. To isolate attacks by severity, select one of the severity levels from ATTACK SEVERITY.
    • The Warning alert. The attack's details indicate that an non-mitigated attack would have a moderate impact on your protected objects.
    • The Critical alert. The attack's details indicate that a non-mitigated attack would have a critical impact on your protected objects
  50. To filter attacks by protection mode, specify how to view them:
    • Click
      Mitigated
       to view attacks detected by a DoS profile that is configured to mitigate or block traffic recognized at an attack.
    • Click
      Not Mitigated
       to view attacks detected by a DoS profile that is configured to monitor traffic recognized as an attack.
  51. Go to
    Monitoring
    EVENTS
    Web Application Security
    Events
    .
    To view a logging profile of a specific protected object, go to
    Monitoring
    DASHBOARDS
    L7 Dashboard
     and select the logging profile link associate with the object in the dashboard's list.
  52. Go to
    Monitoring
    DASHBOARDS
    L7 Dashboard
    The screen displays your protected objects, and provides summary data, based on the selected time settings. To change the scope of the time settings, use the control to the top left of the screen.
  53. To display the attacks list, click ATTACKS at the top left of the screen.
  54. Select an attack from the Attack ID column.
    The screen displays attack details and statistics about the attack vectors, BIG-IP devices, and protected objects. By default, the statistics at the bottom of the screen display transaction data from the virtual server(s) that reported the attack.
  55. To view detailed information about the virtual server transactions, use the dimension pane to the left of the chart.
    You can expand these dimensions and select objects to filter displayed data.
  56. Go to
    Configuration
    SECURITY
    Shared Security
    DoS Protection
    Protected Objects
    .
    The screen displays a list of all DoS protected objects managed by your BIG-IP devices.
  57. Go to
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  58. Configuration
    SECURITY
    Web Application Security
    Threat Campaigns
  59. Go to
    Configuration
    SECURITY
    Threat Intelligence
    Web Application Security
    .
  60. Configuration
    SECURITY
    Web Application Security
    Devices
  61. Go to
    Configuration
    LOCAL TRAFFIC
    Profiles
    .
    This screen lists the profiles that are configured for the managed BIG-IP devices in your network.
  62. Go to
    Monitoring
    Events
    Bot
    Bot Requests
    .
    The screen displays a list of all bot requests. Each request in the list displays request parameters detected by your bot defense.
  63. Go to
    Configuration
    SECURITY
    Shared Security
    DoS Protection
    Protected Objects
    .
  64. Go to
    Configuration
    SECURITY
    Network Security
    Protocol Security
    Inspection Profiles
    .
  65. Configuration
    SECURITY
    Network Security
    Protocol Security
    Inspection List
  66. Go to
    Monitoring
    DASHBOARDS
    IPS
    .
    You can use the other lists to further filter the displayed objects. Additional objects include options to filter an object based on attack status, protection profiles under shared security, and additional policies.
  67. Go to
    Monitoring
    DASHBOARDS
    SSL Orchestrator
    SSLO Overview
    .
    The overview screen displays tiles with current information about your SSLO configurations.
  68. If you are creating the filter by directly entering text into the Query Expression area, use the following syntax for that query text.
    • You express elements of the filter query as key value pairs, separated by a colon, such as
      profile_name:"MyCurrentProfile"
      .
    • You can use the following operators within a filter query.
      Operator
      Usage Example
      AND
      This:p1 AND bar:(A AND B AND "another value")
      AND NOT
      AND NOT qux:error
      OR
      name:"this is a name" OR bar:(A OR B OR C)
      OR NOT
      OR NOT qux:error
      *
      support_id:*123*
      . This operator can only be used for text fields.
    • You must enclose values that have spaces within quotation marks, such as
      key:"two words"
      .
    • You can query any field for more than one value by enclosing the values with parentheses, such as
      key:(a b "two words")
      . In this case, the default operator is OR.
    • Only pre-defined values are allowed for fields with a type of multi-value. These values are listed in the Query Parameters area, in the list next to the relevant field.
    • Values with a type of date accept valid date formats, such as
      'Oct 30, 2017 00:00:00'
      .
    • Values of the date range type accept input in the format of
      [min_date...max_date]
      , such as
      '[Oct 30, 2017 00:00:00...Oct 30, 2017 06:00:00]'
      . The date range might also contain only minimum without maximum, and the reverse, such as
      '[Oct 30, 2017 00:00:00...]'
       or
      '[...Oct 30, 2017 00:00:00]'
      .
    • Values of the numeric range type accept input in the format of
      [min...max]
      , such as
      '[1...100]'
      . The numeric range might also contain only minimum without maximum, and the reverse, such as
      '[1...]'
       or
      '[...100]'
      .
    • You must include the full path to the policy in a policy name, such as
      /Common/MyPolicy
      .
You can identify the status of protected objects and BIG-IP devices that have reported DoS attacks. This way you can evaluate the performance impact of the attack, and whether changes to your security policy or DoS profile are required.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information