Manual Chapter: Monitoring and Reporting for Network Security and Web Application Security Policies
Applies To: BIG-IQ Centralized Management 8.0.0
Monitoring Active Firewall Policies
View active firewall policies
You use the Active Policy screen to view summary information about the firewall policies and rules that are currently active on BIG-IP devices.
- Click.
- Review the firewall policies, including on what BIG-IP devices they are active.
- To review the rules and rule lists in a policy, click the policy name. The screen displays rules and rule lists in the policy.
- To edit a rule or rule list, click the name of the rule or rule list.
Active firewall policy rule properties
This table describes the rule properties shown for a firewall policy that is active on a BIG-IP device.
Column | Description |
---|---|
# | Specifies the evaluation order of the rule within the policy. Rules are evaluated from the lowest number to the highest. If a rule is contained within a rule list, it will be numbered after the decimal point. For example, a policy with 3 rules, followed by a rule list containing 2 rules, followed by another rule outside of the rule list, would be numbered as: 1, 2, 3, 4, 4.1, 4.2, 5. In the example, 4 represents the rule list, and 4.1 and 4.2 are the evaluation order of the rules within that rule list. |
Rule Name | Specifies the name of the rule. This contains a reference to the rule list when the row contains a rule list. You can click the rule name for more information. |
Rule List Name | Specifies the name of the rule list that contains one or more rules. This is blank when the row contains a rule. |
UUID | Specifies the universally unique identifier (UUID) associated with the rule. You can use the UUID to search for a rule in a policy. You must enable this feature on the BIG-IP device for UUIDs to be assigned to rules on that device. |
Action | Specifies the action taken when the rule is matched, such as whether it is accepted or rejected. |
Protocol | Specifies the IP protocol used by the rule to compare against the packet. |
Log | Specifies whether the firewall software should write a log entry for any packets that match this rule. |
State | Specifies the activity state of the rule, such as whether it is enabled or disabled. |
Monitoring Firewall Rules
About firewall rule monitoring
In BIG-IQ Centralized Management, you can monitor:
- Firewall rule statistics, such as the number of times inbound network traffic matches a firewall rule on a BIG-IP device (also referred to as a firewall rule hit count) as well as the rule overlap status.
- Firewall rule compilation statistics for a set of rules associated with a firewall context on a BIG-IP device.
Monitoring firewall rule statistics and hit counts
You can monitor firewall rule statistics and hit counts on one or more BIG-IP devices using Network Security monitoring.
Firewall rule statistics are collected for the rules in the enforced policy associated with a firewall, but not the rules in a staged policy.
If a virtual server, route domain or self IP is created using the BIG-IQ system, firewall statistics cannot be collected until the changes are deployed to the device and reimported.
- At the top left of the screen, select Network Security from the BIG-IQ menu.
- Click Monitoring.
- Click Firewall Rule Statistics. The Firewall Rule Statistics screen opens and displays a list of firewall contexts, including their name, partition, type, and on what BIG-IP device they occur.
- Click the name of the firewall context to monitor.
- The Firewall Rule Statistics page for that firewall context displays. The following information is listed in the named columns for each firewall rule on the BIG-IP device:
- Rule Name specifies the name of the rule used in the policy. If not listed, the rule is not running.
- Rule List Name specifies the name of the rule list if the rule is in a rule list.
- Rule specifies the name of the rule within a rule list. If the rule is not in a rule list, this field is blank.
- Overlap Status specifies whether the rule overlaps with another rule.
- Hit Count specifies the number of times the rule has been matched.
- Last Hit Time specifies when the rule was last matched.
Monitoring firewall rule compilation statistics
You can monitor rule compilation statistics on one or more BIG-IP devices using Network Security monitoring. This information is similar to what is displayed when using the tmsh show security firewall container-stat command. If a firewall context references a policy that is both staged and enforced, there will be two entries in the compilation statistics: one for the enforced policy and one for the staged policy.
- At the top of the screen, click Configuration.
- On the left, click. The Firewall Compilation Statistics screen opens and displays the list of BIG-IP devices managed by the BIG-IQ system, including their network name, IP address, and BIG-IP device version.
- Click the name of the BIG-IP device to monitor.
- The Firewall Compilation Statistics page for that BIG-IP device displays. Depending on the version of the BIG-IP device, the following information, or a subset of this information, may be listed in the named columns for the one or more firewall rules within the specified firewall context on the BIG-IP device:
- Context Name specifies the context name associated with the one or more rules, such as /Common/global-firewall-rules.
- Context Type specifies the firewall context type associated with the one or more rules, such as global or self IP.
- Policy Name specifies the name of the policy associated with the one or more rules.
- Policy Type specifies the type of policy associated with the one or more rules, such as enforced or staged.
- Rule Count specifies the number of rules compiled for this BIG-IP device context, such as 30. This count includes rules in rule lists as well as rules that are not in rule lists.
- Compile Duration specifies the amount of time required to compile the rules, expressed as hours:minutes:seconds.
- Overlap Check Duration specifies the amount of time required to check overlapping rules, expressed as hours:minutes:seconds.
- Size specifies the size of the compiled rules in bytes.
- Max Memory specifies the maximum amount of memory consumed by the rules in bytes.
- Activation Time specifies when the rules are activated and available for use.
Monitoring Network Security Activity
Configure logging for Network Security events
Before you configure monitoring of Network Security data logging, you need to ensure that the Network Security service is running on the DCD. Ensure that the Network Security service is activated by reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices screen. Note whether the designated DCD listener is configured to monitor the BIG-IP devices using their self-IP or management network IP address. It is strongly discouraged to use the management network for data collection purposes, as it is not intended for production traffic. In the case that your DCD is using the management network IP, you must define a network routing gateway on your BIG-IP device as described in BIG-IP TMOS: Routing Administration. If you deactivate the Network Security service for a DCD, or remove a DCD with that service enabled, the associated pool member will be removed from the pool when you next deploy to the BIG-IP device (or devices). The pool afm-remote-logging-pool_big-ipname (where big-ipname is the name of the BIG-IP device) contains the pool member for the specified BIG-IP device.
You configure the collection of Network Security data
logs so that you can better view and monitor information about your Network Security
policies and firewalls. The BIG-IQ Centralized Management system provides a single
button configuration process that creates and configures the needed configuration
objects. The system automatically creates these configuration objects, if needed:
- One or more logging profiles
- A log publisher
- A log destination
- A pool for each device
- Pool members
- A pool monitor
- Click.
- In the list of firewall contexts, select the check box to the left of the one or more virtual servers to use. The virtual servers are listed in the Firewall Type column as vip.
- Click Configure Logging. The Network Security Logging Configuration dialog box opens.
- In the dialog box, click Continue. The dialog box shows the configuration status, including which objects were created.
- Click Close.
- Use the Deployment screens to deploy the BIG-IP device associated with the virtual server using the Local Traffic service using these steps.
  - Click.
  - In the Deployments area, click Create.
  - Specify a Name and Description, and select the appropriate deployment options.
  - In the Target Device(s) area, select the device used by the application and click Create.
  The deployment causes some of the objects created by the Network Security logging configuration process to be deployed to the device.
- Deploy the BIG-IP device for the virtual server using the Network Security service using these steps.
  - Click.
  - In the Deployments area, click Create.
  - Specify a Name and Description, and select the appropriate deployment options.
  - In the Target Device(s) area, select the BIG-IP device to deploy and click Create.
  The deployment causes the remaining objects created by the Network Security logging configuration process to be deployed to the device.
You have now configured your logging profile to send Network Security events from the BIG-IP devices associated with the virtual servers. Once you have deployed your changes, you can view these events on screens. Once you have completed this process, ensure that all your changes to your Local Traffic and Shared Security virtual servers are deployed over the host BIG-IP device. You can deploy your changes by going to,
View Network Security events
You need to configure the logging of Network Security events before you can view them.
You view Network Security events to better track the firewall events that occur on your BIG-IP devices.
- Click. The navigation area expands to show the different types of Network Security events available.
- Click the type of event you want to view, such as Firewall. To see all Network Security events, click All Network Security Events.
- Review the information on the screen.
- To view additional details about an event:
  - Click in the row for the event to see event details listed in the lower pane. You can navigate to events below or above the selected event by clicking the arrows.
  - Click any blue links shown in the upper or lower panes to see more details about the linked object or to change the object.
- To focus on a reduced number of events:
  - Select a device name from the list at the upper left to view events from only that single BIG-IP device. By default this is set to All Devices.
  - In the Filter field in the upper right, type a text string to use a simple text filter on the events. You can use more complex filters by clicking the filter icon to the left of the Filter field. Note that the simple text filter does not support more complex filter syntax, such as specifying time in minutes and seconds.
- To change how often the event list is refreshed, select a value in the setting in the upper left.
Create filters for Network Security events
You create Network Security event filters so you can save the filters you use frequently to search for events, and not have to recreate them each time.
- Click.
- Click Add.
- Type a unique Filter Name.
- Create the filter using the Query Parameters area or by entering the query directly into the Query Expression area. In most cases, you should create the filter query using the Query Parameters area and only edit it directly if you need to refine it further.
- If you are creating the filter using the Query Parameters area, supply those parameter settings you want to be part of the filter. Note that as you enter parameter settings, they are used to construct the filter query in the Query Expression area. You can also edit the filter query directly as described in the following step.
- If you are creating the filter by directly entering text into the Query Expression area, use the following syntax for that query text.
  - You express elements of the filter query as key value pairs, separated by a colon, such as profile_name:"MyCurrentProfile".
  - You can use the following operators within a filter query:

Operator | Usage Example |
---|---|
AND | This:p1 AND bar:(A AND B AND "another value") |
AND NOT | AND NOT qux:error |
OR | name:"this is a name" OR bar:(A OR B OR C) |
OR NOT | OR NOT qux:error |
* | support_id:*123*. This operator can only be used for text fields. |

  - You must enclose values that have spaces within quotation marks, such as key:"two words".
  - You can query any field for more than one value by enclosing the values with parentheses, such as key:(a b "two words"). In this case, the default operator is OR.
  - Only pre-defined values are allowed for fields with a type of multi-value. These values are listed in the Query Parameters area, in the list next to the relevant field.
  - Values with a type of date accept valid date formats, such as 'Oct 30, 2017 00:00:00'.
  - Values of the date range type accept input in the format of [min_date...max_date], such as '[Oct 30, 2017 00:00:00...Oct 30, 2017 06:00:00]'. The date range might also contain only minimum without maximum, and the reverse, such as '[Oct 30, 2017 00:00:00...]' or '[...Oct 30, 2017 00:00:00]'.
  - Values of the numeric range type accept input in the format of [min...max], such as '[1...100]'. The numeric range might also contain only minimum without maximum, and the reverse, such as '[1...]' or '[...100]'.
  - You must include the full path to the policy in a policy name, such as /Common/MyPolicy.
- You can enter fields in the Query Expression area that are not shown in the Query Parameters area by discovering them in the user interface.
  - Click the event row to show the event details in the lower part of the screen.
  - Hover over a label name in that area to see the field name to use in the query expression. For example, hovering over Signature Name in the lower screen shows that the matching field is sig_name.
- Save your work.
Monitoring DoS Events
Configure logging for DoS events
Before you configure monitoring of DoS events, you need to ensure that the DoS Protection service is enabled on the DCD. Verify this by reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices screen. Click . If the DoS Protection service is not running, click Activate to start it. If you deactivate the DoS Protection service for a DCD, or remove a DCD with that service enabled, the associated pool member will be removed from the pool when you next deploy to the BIG-IP device (or devices). The pool dos-remote-logging-pool_big-ipname (where big-ipname is the name of the BIG-IP device) contains the pool member for the specified BIG-IP device.
You configure the collection and viewing of DoS
events so that you can better view and monitor information about your DoS protection.
The BIG-IQ Centralized Management system provides a single-button configuration process
that creates and configures the needed configuration objects. The system automatically
creates the following configuration objects, if needed:
- One or more logging profiles
- A log publisher
- A log destination
- A pool for each device
- Pool members
- A pool monitor
- Click.
- In the list, select the check box to the left of the object that will host the logging profile.
- Click Manage Logging and select Configure DoS Logging. The DoS Logging Configuration dialog box opens.
- In the dialog box, click Continue. The dialog box shows the configuration status, including which objects were created.
- Click Close.
- Use the Deployment screens to deploy the BIG-IP device associated with the virtual server using the Local Traffic service using these steps.
  - Click.
  - In the Deployments area, click Create.
  - Specify a Name and Description, and select the appropriate deployment options.
  - In the Target Device(s) area, select the device used by the application and click Create.
  The deployment causes some of the objects created by the DoS logging configuration process to be deployed to the device.
- Deploy the same BIG-IP device using either the Network Security or Web Application Security service using these steps. You can use either service since both include the Shared Security objects.
  - Click or .
  - In the Deployments area, click Create.
  - Specify a Name and Description, and select the appropriate deployment options.
  - In the Target Device(s) area, select the device used by the application and click Create.
  The deployment causes the rest of the objects created by the DoS logging configuration process to be deployed to the device.
You have now configured your logging profile to send DoS Protection events from the BIG-IP devices associated with the virtual servers. Once you have deployed your changes, you can view these events on screens. To ensure that data is load balanced among your DCD devices, you must change the remote log destination. For more information see Edit log publisher destinations. Once you have completed this process, ensure that all your changes to your Local Traffic and Shared Security virtual servers are deployed over the host BIG-IP device. You can deploy your changes by going to,
Configure viewing of device DoS events
Before you configure monitoring of DoS events, you need to ensure that the DoS Protection service is running on the DCD. Verify this by reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices screen. Click . If the DoS Protection service is not running, click Activate to start it. If you deactivate the DoS Protection service for a DCD, or remove a DCD with that service enabled, the associated pool member will be removed from the pool when you next deploy to the BIG-IP device (or devices). The pool dos-remote-logging-pool_big-ipname (where big-ipname is the name of the BIG-IP device) contains the pool member for the specified BIG-IP device.
You configure the collection and viewing of device DoS events so that you can better view and monitor information about your DoS protection. The BIG-IQ Centralized Management system provides a single-button configuration process that creates and configures the needed configuration objects. The system creates the following configuration objects, if needed:
- One or more logging profiles
- A log publisher
- A log destination
- A pool for each device
- Pool members
- A pool monitor
The objects that are created are shared among these device DoS configurations and should not be modified. Modifying these objects could affect the ability of the BIG-IP devices to send device DoS events to the DCD.
- Click.
- In the list, select the check box to the left of the one or more device DoS configurations to use. The device DoS configuration has the same name as the BIG-IP device.
- Click Configure DoS Logging. The DoS Logging Configuration dialog box opens.
- In the dialog box, click Continue. The dialog box shows the configuration status, including which objects were created.
- Click Close.
- Use the Deployment screens to deploy the BIG-IP device associated with the virtual server using the Local Traffic service using these steps.
  - Click.
  - In the Deployments area, click Create.
  - Specify a Name and Description, and select the appropriate deployment options.
  - In the Target Device(s) area, select the device used by the application and click Create.
  The deployment causes some of the objects created by the Device DoS logging configuration process to be deployed to the device.
- Deploy the same BIG-IP device using either the Network Security or Web Application Security service using these steps. You can use either service since both include the Shared Security objects.
  - Click or .
  - In the Deployments area, click Create.
  - Specify a Name and Description, and select the appropriate deployment options.
  - In the Target Device(s) area, select the device used by the application and click Create.
  The deployment causes the rest of the objects created by the Device DoS logging configuration process to be deployed to the device.
You can now receive device DoS events from the BIG-IP devices and view them on the screens.
View DoS events
You need to configure the logging of DoS or device DoS events before you can view them.
You view DoS events to better track the DoS and device DoS events that occur on your BIG-IP devices.
If you are monitoring supported versions of BIG-IP version 13.1.0.8 or later, you can view summary information about ongoing DoS attacks from . For more information see Monitoring Ongoing DDoS Attacks.
- Click. The navigation area expands to show the different types of DoS events available.
- Specify the type of information you want to see:
  - To see a specific kind of DoS event, click that event type, such as Application Events.
  - To see all DoS attack events in a tabular format, click All DoS Attack Events.
  - To see a summary of all DoS attack events in a graphical format, click DoS Summary.
- Review the information on the screen.
- To view additional details about an event:
  - Click the row for the event to see event details listed in the lower pane. You can navigate to events below or above the selected event by clicking the arrows.
  - Click any blue links shown in the upper or lower panes to see more details about the linked object.
  - In the detailed information for values that change over time, current, minimum, maximum, and last values may be shown. For example, the severity of an attack type might currently have a severity of 3, have a minimum of 2 and a maximum severity of 3 during the time period. After the attack is over, the last value might be 2. Current values are labeled as Curr, minimum values are labeled as Min, maximum values are labeled as Max, and last values as Last.
  - On the DoS Attacks Summary screen, click the number for an attack in the Attack ID column to see additional tabular and graphical details about that attack, such as the attack type, the mitigation used, and so on.
- To focus on a reduced number of events:
  - Select a device name from the list at the upper left to view events from only that single BIG-IP device. By default this is set to All Devices.
  - In the Filter field in the upper right, type a text string to filter the events. You can create or use advanced filters by clicking the filter icon to the left of the Filter field.
- To change how often the event list is refreshed, select a value in the setting in the upper left.
Create filters for DoS events
You create DoS event filters so you can save the custom filters you use to search for events and not have to recreate them each time.
- Click.
- Click Add.
- Type a unique Filter Name.
- Create the filter using the Query Parameters area or by entering the query directly into the Query Expression area. In most cases, you should create the filter query using the Query Parameters area and only edit it directly if you need to refine it further.
- If you are creating the filter using the Query Parameters area, supply those parameter settings that you want to be part of the filter. Note that as you enter parameter settings, they are used to construct the filter query in the Query Expression area. You can also edit the filter query directly as described in the following step.
- If you are creating the filter by directly entering text into the Query Expression area, use the following syntax for that query text.
  - You express elements of the filter query as key value pairs, separated by a colon, such as profile_name:"MyCurrentProfile".
  - You can use the following operators within a filter query:

Operator | Usage Example |
---|---|
AND | This:p1 AND bar:(A AND B AND "another value") |
AND NOT | AND NOT qux:error |
OR | name:"this is a name" OR bar:(A OR B OR C) |
OR NOT | OR NOT qux:error |
* | support_id:*123*. This operator can only be used for text fields. |

  - You must enclose values with spaces within quotation marks, such as key:"two words".
  - You can query any field for more than one value by enclosing the values with parentheses, such as key:(a b "two words"). In this case, the default operator is OR.
  - Only pre-defined values are allowed for fields with a type of multi-value. These values are listed in the Query Parameters area, in the list next to the relevant field.
  - Values with a type of date accept valid date formats, such as 'Oct 30, 2017 00:00:00'.
  - Values of the date range type accept input in the format of [min_date...max_date], such as '[Oct 30, 2017 00:00:00...Oct 30, 2017 06:00:00]'. The date range might also contain only minimum without maximum and the reverse, such as '[Oct 30, 2017 00:00:00...]' or '[...Oct 30, 2017 00:00:00]'.
  - Values of the numeric range type accept input in the format of [min...max], such as '[1...100]'. The numeric range might also contain only minimum without maximum and the reverse, such as '[1...]' or '[...100]'.
  - You must include the full path to the policy in a policy name, such as /Common/MyPolicy.
- You can enter fields in the Query Expression area that are not shown in the Query Parameters area by discovering them in the user interface.
  - Click the event row to show the event details in the lower part of the screen.
  - Hover over a label name in that area to see the field name to use in the query expression. For example, hovering over Signature Name in the lower screen shows that the matching field is sig_name.
- Save your work.
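The query syntax above is the same for Network Security and DoS event filters, so one added example covers both sections. This is not F5 code: it is a small evaluator, written here, that tokenizes a Query Expression and runs it against event records, so you can check how a filter you intend to save will behave before relying on it. The event field names (support_id, profile_name, sig_name, severity, policy_name, event_time, qux) and the sample events are constructed; the page documents sig_name and the example keys but not a full schema. Left-to-right evaluation of AND/OR chains is also an assumption, because the page does not state operator precedence.

```python
import fnmatch
import re
from datetime import datetime

# Date form the page documents for filter values: 'Oct 30, 2017 00:00:00'
DATE_FMT = "%b %d, %Y %H:%M:%S"
# Tokens: double/single-quoted values, [..] ranges, parentheses, 'key:' markers, bare words
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\[[^\]]*\]|[()]|[A-Za-z_][\w.]*:|[^\s()]+')


def tokenize(query):
    return TOKEN_RE.findall(query)


def _bound(text):
    """A range bound: empty means open-ended ('[1...]'), else a number or a date."""
    text = text.strip()
    if not text:
        return None
    try:
        return float(text)
    except ValueError:
        return datetime.strptime(text, DATE_FMT)


def _coerce(value):
    """Turn an event field into something comparable with a range bound, or None."""
    if isinstance(value, (int, float, datetime)):
        return value
    try:
        return _bound(str(value))
    except ValueError:
        return None


def _value_matcher(tok):
    """Predicate over one field value built from a single value token."""
    text = tok[1:-1] if len(tok) >= 2 and tok[0] in "\"'" and tok[-1] == tok[0] else tok
    if text.startswith("[") and text.endswith("]") and "..." in text:
        lo, hi = (_bound(p) for p in text[1:-1].split("...", 1))

        def in_range(value):
            v = _coerce(value)
            return v is not None and (lo is None or v >= lo) and (hi is None or v <= hi)
        return in_range
    if "*" in text:  # wildcard: the page allows it for text fields only
        return lambda value: isinstance(value, str) and fnmatch.fnmatchcase(value, text)
    return lambda value: str(value) == text


def _combine(left, op, right):
    if op == "AND":
        return lambda x: left(x) and right(x)
    return lambda x: left(x) or right(x)


class FilterParser:
    """Recursive-descent parser; AND/OR chains are evaluated left to right (assumption)."""

    def __init__(self, query):
        self.toks, self.pos = tokenize(query), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        pred = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred

    def expr(self):  # term (AND|OR [NOT] term)*
        left = self.term()
        while self.peek() in ("AND", "OR"):
            op, negate = self.take(), False
            if self.peek() == "NOT":  # 'AND NOT' / 'OR NOT'
                self.take()
                negate = True
            right = self.term()
            if negate:
                right = (lambda f: lambda ev: not f(ev))(right)
            left = _combine(left, op, right)
        return left

    def term(self):  # key:value, where the key token carries its trailing colon
        tok = self.take()
        if not tok or not tok.endswith(":"):
            raise ValueError(f"expected key:value, found {tok!r}")
        key, match = tok[:-1], self.value()
        return lambda ev: key in ev and match(ev[key])

    def value(self):  # single value, or '(' values ')' with OR as the default operator
        tok = self.take()
        if tok != "(":
            if tok is None or tok in ("AND", "OR", "NOT", ")"):
                raise ValueError(f"expected a value, found {tok!r}")
            return _value_matcher(tok)
        pred = self.value()
        while self.peek() != ")":
            op = self.take() if self.peek() in ("AND", "OR") else "OR"
            pred = _combine(pred, op, self.value())
        self.take()
        return pred


def filter_events(query, events):
    """Return the events (dicts) that match a Query Expression string."""
    pred = FilterParser(query).parse()
    return [ev for ev in events if pred(ev)]


# Constructed sample events, not real BIG-IQ output; the field names are assumptions.
SAMPLE_EVENTS = [
    {"support_id": "4412800987", "profile_name": "MyCurrentProfile", "sig_name": "SQL-INJ",
     "severity": 3, "policy_name": "/Common/MyPolicy", "event_time": "Oct 30, 2017 01:15:00", "qux": "ok"},
    {"support_id": "9912345600", "profile_name": "MyCurrentProfile", "sig_name": "XSS",
     "severity": 1, "policy_name": "/Common/OtherPolicy", "event_time": "Oct 30, 2017 07:45:00", "qux": "error"},
    {"support_id": "5550001234", "profile_name": "Legacy", "sig_name": "two words",
     "severity": 2, "policy_name": "/Common/MyPolicy", "event_time": "Oct 29, 2017 23:59:59", "qux": "ok"},
]

if __name__ == "__main__":
    for q in ('profile_name:"MyCurrentProfile" AND NOT qux:error', "support_id:*123*",
              "event_time:'[Oct 30, 2017 00:00:00...Oct 30, 2017 06:00:00]'"):
        print(q, "->", [e["support_id"] for e in filter_events(q, SAMPLE_EVENTS)])
```

Each documented construct maps to one place in the code: quoted values and bracketed ranges are single tokens, a parenthesised group defaults to OR, and a malformed expression (for instance one that starts with an operator) raises ValueError instead of silently matching nothing, which is the failure you want to see before a filter is saved.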
Managing Firewall Rule Reports
About firewall rule reports
You can generate different types of firewall rule reports for selected BIG-IP devices in either CSV or HTML format. These reports capture information similar to
that gathered using the firewall rule monitoring. The types of reports you can generate include:
- Stale Rule Report. Creates a report on firewall rules that are not being used on the BIG-IP device.
- Overlap Status Stats Report. Creates a report on firewall rules that are overlapping on the BIG-IP device.
- Compilation Status Report. Creates a report on the compilation of firewall rules on the BIG-IP device.
Creating firewall rule reports
You create firewall rule reports to capture statistics about firewall rules in a
report format.
- Navigate to the Firewall Rule Reports screen: Click.
- Click Create. The New Firewall Rule Report screen opens.
- Type a name for the report in the Name field.
- Type an optional description for the report in the Description field.
- Select a report type from those listed in the Report Type field. You can generate these types of reports:
  - Stale Rule Report
  - Overlap Status Stats Report
  - Compilation Status Stats Report
  If the Stale Rule Report report type is selected, the screen displays the Stale Rule Criteria property; otherwise that property is not displayed.
- If you select Stale Rule Report, you can refine the report using the options listed in the Stale Rule Criteria setting:
  - To specify that the report should include only rules with a hit count less than the number specified, select Rules with count less than and specify a number in the provided field.
  - To specify that the report should include only rules that have not been hit since the date specified, select Rules that haven't been hit since and specify a date in the provided field.
- From the Available Devices setting, select the BIG-IP devices or device group to use for the report:
  - Select Group and select a group of BIG-IP devices from the list.
  - Select Device and select individual BIG-IP devices by moving them from the Available list to the Selected list.
- Save the report:
  - Select Save to save the report. The system displays the Firewall Rule Reports page for that one report, and generates the report data.
  - Select Save & Close to save the report. The system displays the Firewall Rule Reports page that lists all reports, and generates the report data.
- Select the format for the report:
  - Select CSV Report to have the report formatted as a CSV file.
  - Select HTML Report to have the report formatted as an HTML file. The HTML file is displayed in the Web browser when complete.
You can save or print these reports.
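To make the Stale Rule Criteria concrete, here is an added example (not F5 code, and not how BIG-IQ generates its reports) that applies the two criteria from the procedure above, "Rules with count less than" and "Rules that haven't been hit since", to rule statistics of the kind the Firewall Rule Statistics screen lists (Rule Name, Rule List Name, Hit Count, Last Hit Time), and writes the result as CSV or HTML. Row numbers follow the evaluation-order scheme from the Active firewall policy rule properties table (1, 2, 3, 4, 4.1, 4.2, 5). The policy, rule names and hit statistics are constructed; the dict layout is an assumption, since the page describes columns, not an export format. A rule that has never been hit is treated as stale under the date criterion, which is the reading a practitioner would want when hunting for rules that can be retired.

```python
import csv
import html
import io
from datetime import datetime

DATE_FMT = "%b %d, %Y %H:%M:%S"  # the same timestamp form the event filter syntax documents
COLUMNS = ["#", "Rule Name", "Rule List Name", "Hit Count", "Last Hit Time"]

# Constructed sample policy, not real BIG-IP data: three rules, then a rule list holding
# two rules, then a final rule. A rule that was never matched has last_hit None.
SAMPLE_POLICY = [
    {"rule": "allow-mgmt-ssh", "hit_count": 1532, "last_hit": "Oct 30, 2017 05:12:00"},
    {"rule": "allow-https", "hit_count": 998213, "last_hit": "Oct 30, 2017 06:00:00"},
    {"rule": "legacy-ftp", "hit_count": 0, "last_hit": None},
    {"rule_list": "shared-block-list", "rules": [
        {"rule": "block-tor-exit", "hit_count": 3, "last_hit": "Sep 01, 2017 10:00:00"},
        {"rule": "block-old-scanner", "hit_count": 12, "last_hit": "Jun 15, 2017 08:30:00"},
    ]},
    {"rule": "default-reject", "hit_count": 44012, "last_hit": "Oct 30, 2017 06:00:00"},
]


def numbered_rules(policy):
    """Flatten a policy into (number, rule_list_name, rule) rows using the evaluation-order
    numbering of the Active Policy screen: 1, 2, 3, 4, 4.1, 4.2, 5, where 4 is the rule
    list itself (rule is None for that row) and 4.1 / 4.2 are the rules inside it."""
    rows = []
    for n, item in enumerate(policy, 1):
        if "rules" in item:
            rows.append((str(n), item["rule_list"], None))
            for m, rule in enumerate(item["rules"], 1):
                rows.append((f"{n}.{m}", item["rule_list"], rule))
        else:
            rows.append((str(n), "", item))
    return rows


def stale_rules(policy, count_less_than=None, not_hit_since=None):
    """Apply the Stale Rule Criteria. A rule is reported when its hit count is below
    count_less_than, or when it has not been matched since not_hit_since (a datetime or a
    DATE_FMT string); a never-hit rule satisfies the date criterion. If both criteria are
    given, a rule meeting either one is reported (assumption: the screen offers them as
    alternatives, so their combination is not documented)."""
    if isinstance(not_hit_since, str):
        not_hit_since = datetime.strptime(not_hit_since, DATE_FMT)
    report = []
    for number, rule_list, rule in numbered_rules(policy):
        if rule is None:  # the rule-list row carries no statistics of its own
            continue
        last = datetime.strptime(rule["last_hit"], DATE_FMT) if rule["last_hit"] else None
        by_count = count_less_than is not None and rule["hit_count"] < count_less_than
        by_date = not_hit_since is not None and (last is None or last < not_hit_since)
        if by_count or by_date:
            report.append(dict(zip(COLUMNS, [number, rule["rule"], rule_list,
                                             rule["hit_count"], rule["last_hit"] or ""])))
    return report


def to_csv(report):
    """Render report rows as CSV text (the CSV Report option)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(report)
    return buf.getvalue()


def to_html(report):
    """Render report rows as a minimal HTML table (the HTML Report option)."""
    head = "".join(f"<th>{html.escape(c)}</th>" for c in COLUMNS)
    body = "".join("<tr>" + "".join(f"<td>{html.escape(str(r[c]))}</td>" for c in COLUMNS) + "</tr>"
                   for r in report)
    return f"<table><tr>{head}</tr>{body}</table>"


if __name__ == "__main__":
    print(to_csv(stale_rules(SAMPLE_POLICY, count_less_than=10)))
    print(to_csv(stale_rules(SAMPLE_POLICY, not_hit_since="Oct 01, 2017 00:00:00")))
```

Note the asymmetry between the two criteria on the sample data: block-old-scanner has 12 hits, so a count threshold of 10 keeps it, while a "not hit since" date of October 1 reports it, because its last hit was in June. Running both views before retiring a rule avoids dropping one that is rarely but still actively matched.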
Deleting firewall rule reports
You can delete firewall rule reports
that are no longer needed.
- Go to the Firewall Rule Reports screen: Click.
- Select one or more reports to delete, and click Delete. The reports are deleted from the list on the Firewall Rule Reports screen.
Managing Firewall Packet Trace Reports
About firewall packet trace reports
You can create and view packet trace reports to visually review your firewall settings. You can click
the graphics in the trace report to see detailed results of the packet trace for each firewall
component.
Create firewall packet trace reports
You create packet trace reports to trace
and review your network security firewall settings.
- Click.
- Click Create. The Packet Parameters screen opens.
- Enter or modify the parameters.
  - In the Name setting, type a name for the packet trace.
  - In the Protocol setting, select the protocol for the packet you want to trace. The other configuration settings change based on the protocol you select.
  - In the TCP Flags setting, select one or more flags to set in the packet trace. This setting is used only when the TCP protocol is selected.
  - In the Source IP Address setting, type the IP address to identify as the packet source.
  - In the Source Port setting, type the port to identify as the packet source. This does not apply to ICMP packets.
  - In the TTL setting, type the TTL (Time to Live) for the traced packet, in seconds.
  - In the Destination IP Address setting, type the IP address to which you want to send the packet for the packet trace.
  - In the Destination Port setting, type the port to which you want to send the packet for the packet trace. This does not apply to ICMP packets.
  - In the Use Staged Policy setting, select whether to use a staged policy, if one exists, for the packet.
  - In the Trigger Log setting, select whether to write a log message based on the packet from the packet trace, if it would be logged by the system.
- In the Devices area, select the BIG-IP devices and source VLANs to be traced.
  - Click Add. The Devices dialog box is displayed.
  - In the Devices dialog box, select the BIG-IP devices to use by moving them from the Available to the Selected list.
  - Click Add to finalize the list and close the dialog box.
  - In the Source VLAN column, select the one or more VLANs to use for each device in the list. If Apply these VLANs to all Devices is selected, the VLANs selected for the first device in the list are applied to all other devices in the list. Do not select this option to select different VLANs for each device.
- Click Run Trace. The packet is traced and the results are displayed on the screen.
- In the Trace Results area, review the trace diagram created by running the trace.
  - Review the colors of the graphics for each network security component.
    - Green graphics indicate rules that were evaluated and allowed the traffic to pass, including whitelist matches and Allow firewall, DoS, and IP intelligence matches.
    - Red graphics indicate packets that were evaluated and dropped, or that matched firewall or IP intelligence rules.
    - Gray graphics indicate packets that did not match a rule of the type indicated.
  - Click each graphic to see detailed results of the packet trace for that component.
- To copy this packet trace, click Clone.
- To compare this packet trace to one or more other packet traces, click Compare and then select the packet traces to which it should be compared.
The packet trace has been run and reviewed.
Managing Firewall Packet Flow Reports
About firewall packet flow reports
You create and review packet flow reports to inspect the currently active packet flows on BIG-IP devices. You can use these reports to determine if a packet flow meeting certain parameters is active on the BIG-IP devices. You can combine using the packet flow reports with packet trace reports to see if a BIG-IP device may be blocking certain flows at a firewall.
You can also review prior packet flow reports. The Centralized Management Packet Flows feature is similar to the Flow Inspector feature in the Advanced Firewall Manager (AFM) on the BIG-IP device.
Create packet flow reports
You create a packet flow report to identify which flows matching the given parameters are currently active on BIG-IP devices. You specify the parameters and the BIG-IP devices that the BIG-IQ Centralized Management system examines to generate the report.
- Click.
- Click Create.
- In the Flow Parameters area, enter the packet flow parameters.
- Type a Name for the packet flow report.
- Specify the Protocol for the flows. Select All to view all protocols. Select Specify and specify the protocol to view flows using that protocol.
- Specify the Source IP Address for the flows. The default is Any, which indicates that any source IP address is used, rather than a specific IP address.
- Specify the Source Port for the flows. By default, an asterisk (*) is shown, indicating that all ports are selected. If the selected protocol is ICMP, this setting is not used.
- Specify the Destination IP Address for the flows. The default is Any, which indicates that any destination IP address is used, rather than a specific IP address.
- Specify the Destination Port for the flows. By default, an asterisk (*) is shown, indicating that all ports are selected. If the selected protocol is ICMP, this setting is not used.
- In the Visible Flow Count setting, specify the maximum number of flows on which to report.
- In the Select Devices area, select the BIG-IP devices on which to inspect the packet flows by moving them from the Available list to the Selected list.
- Click Get Flows to generate the packet flow report for the specified parameters. The screen is updated to show the generated packet flow report. You can expand the Flow Parameters area to show the parameters used to create the list of packet flows. The Flow Table area shows the list of packet flows.
- In the Flow Table area, you can display additional information about a selected packet flow.
- To review details about a packet flow and any packet trace history for that flow, click the row for that packet flow. The detailed information for that packet flow is displayed in the lower pane on the screen. Click a link in the packet trace history to see details of that packet trace.
- To create a packet trace of a packet flow, click the row for that packet flow and click Create Packet Trace. A new packet trace is created, pre-filled with data from the selected packet flow.
To manage which packet flows are shown, you can:
- Click Expand All to expand all flows that are collapsed under their device name.
- Click Collapse All to collapse all packet flows under their device name.
- Use the Filter field to display only those packet flows matching the filter. Any value displayed should be usable in the filter field, including an IPv4 subnet.
Viewing Web Application Security Event Logs
Monitoring application security event logs
You can view Web Application Security event logs to review applications and
virtual server activities. You can use these logs to view event details, which can
provide insights into your current application protection. This information can be
useful for editing your current protection policy. Application security event logs
provide certain quick links in each event, which allow you to make immediate
adjustments, if necessary.
Due to the configuration of an AS3
application, some event details may not be available.
Tagging and filtering logs
BIG-IQ Centralized Management enables a single view of all
filters and log entries (and details for each entry) from multiple BIG-IP
devices.
You use tags and filters to select which events to view.
- Filters allow you to select the events to view by constructing a query that the events must match.
- You can assign tags to events to label them, so that you can use that label in queries.
Event logs based on user privileges
The system administrator has the ability to provide granular access to view and/or edit specific BIG-IP objects, such as virtual servers, applications,
Monitor event logs and define tags
You can review Web Application Security events on applications and servers from one or more BIG-IP devices. By default, the events are filtered to show only illegal requests. You can use the Web Application Security Event Logs to view the affected virtual server or applications, and apply certain mitigation actions and protection configuration changes directly from the event details.
- Go to. To view a logging profile of a specific protected object, go to and select the logging profile link associated with the object in the dashboard's list.
- To see details of an event log entry, click in the event entry row. A screen on the right opens and shows details of the event. This view provides information such as the reporting application or virtual server. Details also include client information, protection and logging policies, and full HTTP request/response header information.
- In the details screen, you can specify the kind of information to see.
- You can specify compact or full information. At the top of the screen, click Compact for summary information, or click Full for complete information.
- You can view either HTTP header request or response information. Click Request for request information or Response for response information. Both kinds of information contain violation links in blue that you can click for more information.
- Select links in the details area to complete the following actions. It is recommended to view in Full details format.

Field | Link Description |
---|---|
Source IP Address | Add a source IP address directly to the Web Application Security policy's allowlist settings. |
Geolocation | Disallow traffic from an event's geolocation. |
Security Policy | Edit the policy's settings. |
Destination IP Address | View the virtual server's properties, when available. |

- To create and apply tags to events, select the events using the check box to the left, and click Tags above the event list. A dialog box opens.
- To create a tag, type the tag name in the provided field and click +.
- To apply a tag to the selected events, select the check box to the left of the tag and click Apply.
Tags are useful for sorting event types that the system does not categorize by default. You can use tags to quickly sort and filter the event list.
- To export selected events as a CSV or PDF file, select the events using the check box to the left, and click Export.
- To display only events that contain a specified string, type that string in the Filter field in the upper right of the screen.
You can create a search filter to quickly view events that match pre-defined
criteria.
Create a new log filter
You can create new filters to better manage the events in your logs. The filters are based on a fixed set of query parameters, with an option to manually enter all available parameters into a query expression. For more details about the required syntax, see Query expression syntax for log filters.
- From the log screen, click the filter icon at the top right of the screen ().
- Click Create. The New Filter configuration popup screen opens.
- Type a unique Filter Name.
- In the Query Parameters area, add the query information. Adding information to these fields automatically populates the Query Expression box. Refer to Query expression syntax for log filters to view all query options.
- Once you have the custom filter the way you want it, click Save & Apply.
The new filter is added to the filter list. You can select this filter later to query the list according to the set parameters.
Query expression syntax for log filters
On the New Filter configuration popup screen, the Query Expression area for creating a new log filter
requires specific syntax. To manually run query parameters, use the syntax requirements
listed here.
General Syntax
- Express elements of the filter query as key-value pairs separated by a colon, such as profile_name:"MyCurrentProfile".
- Use the following operators within a filter query.

Operator | Usage Example |
---|---|
AND | This:p1 AND bar:(A AND B AND "another value") |
AND NOT | AND NOT qux:error |
OR | name:"this is a name" OR bar:(A OR B OR C) |
OR NOT | OR NOT qux:error |
* | support_id:*123*. This operator can only be used for text fields. |

- Enclose values that have spaces within quotation marks, such as key:"two words".
- Query any field for more than one value by enclosing the values in parentheses, such as key:(a b "two words"). In this case, the default operator is OR.
- Only pre-defined values are allowed for fields with a type of multi-value. These values are listed in the Query Parameters area, next to the relevant field.
- In a policy name, you must include the full path to the policy, such as /Common/MyPolicy.
Dates
- Values with a type of date can accept valid date formats, such as 'Oct 30, 2017 00:00:00'.
- Values of the date range type can accept input in the format [min_date...max_date], such as '[Oct 30, 2017 00:00:00...Oct 30, 2017 06:00:00]'. The date range might also contain only a minimum without a maximum, or the reverse, such as '[Oct 30, 2017 00:00:00...]' or '[...Oct 30, 2017 00:00:00]'.
Numeric Values
- Values of the numeric range type can accept input in the format [min...max], such as '[1...100]'. The numeric range might also contain only a minimum without a maximum, or the reverse, such as '[1...]' or '[...100]'.
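As an added illustration of the syntax rules above (example code written for this page, not part of BIG-IQ or any F5 software), the Python below tokenizes a filter query and evaluates it over a few constructed events, covering quoted values, the AND / OR / AND NOT / OR NOT operators, parenthesized multi-values, the * wildcard, and open-ended numeric and date ranges. The event field names, and the assumption that clauses written side by side with no operator are ANDed, are assumptions made for the example.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase
DATE_FMT = "%b %d, %Y %H:%M:%S"  # the manual's 'Oct 30, 2017 00:00:00' form
# Constructed sample events; the field names are assumptions, not the BIG-IQ log schema.
EVENTS = [
    {"method": "GET", "protocol": "HTTPS", "severity": "error", "support_id": "9912345", "response_code": 403, "date_time": "Oct 30, 2017 01:15:00"},
    {"method": "POST", "protocol": "HTTP", "severity": "warning", "support_id": "5550001", "response_code": 200, "date_time": "Oct 30, 2017 07:30:00"},
    {"method": "GET", "protocol": "HTTPS", "severity": "informational", "support_id": "7123999", "response_code": 500, "date_time": "Oct 31, 2017 12:00:00"},
]
# One token per match: an operator, a key (word before ':'), a value (quoted, [range] or bare) or a paren.
TOKEN_RE = re.compile(r"\s*(?:(AND NOT|OR NOT|AND|OR)\b|(\w+):|('[^']*'|\"[^\"]*\"|\[[^\]]*\]|[^\s()]+)|([()]))")
def tokenize(query):
    matches = list(TOKEN_RE.finditer(query))
    if "".join(m.group(0) for m in matches) != query.rstrip():  # reject anything the grammar did not consume
        raise ValueError("bad filter syntax: " + query)
    return [next((k, g) for k, g in zip(("OP", "KEY", "VAL", "PAREN"), m.groups()) if g is not None) for m in matches]

def match_value(actual, pattern):
    pattern = pattern.strip("'\"")
    if pattern[:1] == "[" and pattern[-1:] == "]" and "..." in pattern:  # [min...max]; either end may be open
        lo, hi = pattern[1:-1].split("...", 1)
        conv = float if isinstance(actual, (int, float)) else (lambda s: datetime.strptime(s, DATE_FMT))
        return (not lo or conv(lo) <= conv(actual)) and (not hi or conv(actual) <= conv(hi))
    return fnmatchcase(str(actual), pattern) if "*" in pattern else str(actual) == pattern  # * on text fields only

def match_event(event, tokens):
    result, op, i = True, "AND", 0  # clauses with no operator between them are ANDed (assumption)
    while i < len(tokens):
        (kind, text), i = tokens[i], i + 1
        if kind == "OP":
            op = text
            continue
        if kind != "KEY" or i >= len(tokens):
            raise ValueError("expected key:value")
        if tokens[i] == ("PAREN", "("):  # key:(a b "two words") is OR by default; AND inside the parens requires all
            close = tokens.index(("PAREN", ")"), i)
            values = [t for k, t in tokens[i:close] if k == "VAL"]
            combine, i = (all if ("OP", "AND") in tokens[i:close] else any), close + 1
        else:
            values, combine, i = [tokens[i][1]], any, i + 1
        actual = event.get(text)
        hit = actual is not None and combine(match_value(actual, v) for v in values)
        result = {"AND": result and hit, "OR": result or hit, "AND NOT": result and not hit, "OR NOT": result or not hit}[op]
        op = "AND"
    return result

def filter_events(query, events=EVENTS):
    tokens = tokenize(query)
    return [e["support_id"] for e in events if match_event(e, tokens)]
```

Operators are applied left to right without precedence, since the manual does not state one; a query such as method:'GET' protocol:'HTTPS' severity:'error' returns only the constructed event with support ID 9912345.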
Use event log filters
You use event log filters to refine your searches through the event logs, including searches through event logs from multiple BIG-IP devices.
- Click.
- To remove a filter, select the check box to the left of the filter and click Remove, then confirm the deletion in the dialog box that opens. The filter is removed from the Filters screen.
- To modify a filter, click the name of the filter. The filter properties screen opens.
- Review or revise the settings as needed.
- In the Query Expression area, review the current filter query, or type into the text box to modify it directly. In most cases, you will want to modify the query expression using the settings in the Query Parameters area, since that builds the query automatically and so reduces the chance of error. The query has the format method:'value' protocol:'value' severity:'value'. For example: method:'GET' protocol:'HTTPS' severity:'error'.
- In the Query Parameters area, supply the parameter settings you want to be part of the filter. As you enter parameter settings, they are used to construct the filter query in the Query Expression area.
- Save your work.
View and delete event log tags
You can review the tags defined for
use with Web Application Security events and remove the tags.
- Click. The Tags screen shows the defined tags.
- To remove a tag, select the check box to the left of it and click Remove, then confirm the deletion in the dialog box that opens. The tag is removed from the Tags screen.
Viewing Brute Force Attack Events
View brute force attack events
You can view a summary of the brute force attack events for your Web Application Security policies. The summary information includes the number of login attempts, the anomaly attack type, which login page is being attacked, the attack status, and when the mitigation began and ended.
- Click.
- Specify what information you want to see, and review the events.
- To see more details about a specific attack, click the row for that attack. A screen opens on the right giving additional information, such as the attack summary, mitigated IP address, mitigated device identifiers, mitigated user names, and known leaked credentials. As you review this information, you can click any blue links in the information for additional details.
- To display only those events that contain a specified string, type that string in the Filter field.
- To create named filters to use to filter the brute force attack events more completely, click the filter icon to the left of the Filter field in the upper right of the screen. In the dialog box that opens, click Create.
Managing Security Reports
About security reporting
Reporting for BIG-IQ Network Security
You can use BIG-IQ Network Security Reporting to view reports for managed BIG-IP devices that are provisioned for Application Visibility and Reporting (AVR). Reports can be for a single BIG-IP device or can contain aggregated data for multiple BIG-IP devices (that are of the same BIG-IP device version).
Network Firewall, DoS and IP Intelligence reports can be created. Analytic reports provide detailed metrics about application performance such as transactions per second, server and client latency, request and response throughput, and sessions. Metrics are provided for applications, virtual servers, pool members, URLs, specific countries, and additional detailed statistics about application traffic running through one or more managed devices. You can view the analytics reports for a single device, view aggregated reports for a group of devices, and create custom lists to view analytics for only specified devices.
For managed BIG-IP devices v13.0 or earlier, you can view Network Security reports from the Network Security Reporting screen (). For managed BIG-IP devices v13.1.0.8 or later, you can view Network Security reports and analytics from the DDoS Protection Summary screen (). For more information, see the Monitoring ongoing DDoS attacks section.
Reporting for BIG-IQ Web Application Security
You can use BIG-IQ Web Application Security Reporting to view reports for managed BIG-IP devices that are provisioned for Application Visibility and Reporting (AVR). Similar to the availability of AVR reporting on a single device, you can get visibility into application traffic passing through a single managed BIG-IP device or an aggregated system (aggregated data for multiple BIG-IP devices).
You can generate reports and charts in the following areas:
- Application. You can view information about requests based on applications (iApps), virtual servers, security policies, attack types, violations, URLs, client IP addresses, IP address intelligence (reputation), client countries, severities, response codes, request types, methods, protocols, viruses detected, usernames, and session identification numbers.
- Anomalies. You can view charts of statistical information in graphs about anomaly attacks, such as brute force attacks and web scraping attacks. You can use these charts to evaluate traffic to the web application, and to evaluate the vulnerabilities in the security policy.
- DoS. If you have configured DoS protection on the BIG-IP system, you can view charts and reports that show information about DoS attacks and mitigations in place on the system. For managed BIG-IP devices v13.1.0.8 or later, you can view DDoS reports and analytics from the DDoS Protection Summary screen (). For more information, see the Monitoring ongoing DDoS attacks section.