Manual Chapter : Monitoring HTTP application service data

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 8.0.0
Manual Chapter

Monitoring HTTP application service data

Monitoring HTTP traffic data

HTTP network traffic provides insights into the health, status and request-types to your applications. When monitoring HTTP traffic over time you can evaluate local, such as latency and end-to-end times, and Web Application Security data, such as volume of illegal transactions. In addition, you can use this data to profile the users who request to access your application.
If you have Web Application security provisioned to the BIG-IP device managing your application, select
Security
from the F5 Services list in the center of the screen. The remaining information in the charts and dimensions, pertains to traffic management services.
To evaluate data for all your HTTP applications, go to
Monitoring
DASHBOARDS
Local Traffic
HTTP
. For Web Application Security, go to
Monitoring
DASHBOARDS
Web Application Security
.

Detecting application performance issues that require mitigation

An HTTP application service's performance issues might be caused by changes in a pool member's status. Issues with a pool member can lead to increases in application response time, server-side round trip time (RTT), incomplete transactions, and server errors. An application that sustains these increases can result in a critical or moderate health status. You can use application alerts to isolate managed objects, such as pool members, or virtual servers that reported issues. You can use your findings to adjust your application's managed objects (LTM pool members) in order to improve performance.
You identify an application with changes in pool member status by using the application health status screen (
Applications
APPLICATIONS
). Once an application and application service (either HTTP or TCP) is identified, you can further evaluate which pool member(s) is affecting performance.

Identify pool members causing traffic performance issues

You can isolate pool members that are causing performance issues to mitigate the performance impact by evaluating your HTTP application services.
You can apply this procedure to identify server status for TCP traffic as well. However, you will have fewer options to view pool data, or change configuration directly from the application service dashboard.
  1. Open the application properties screen by selecting the application's name from the Applications screen ( click
    Applications
    APPLICATIONS
    <Application Name>
    <Application Service>
    ).
  2. Near the middle of the screen in the SERVERS area, click the numbered icon below to display pool member information in the ANALYTICS area.
  3. To view pool member traffic data, select from menu to the left of the screen in the ANALYTICS area (
    Server Latency
    ,
    Application Response Time
    , or
    Server Side RTT
    ).
  4. In the time settings above the chart, ensure that the
    Events
    button is set to
    ON
    .
  5. You can click the Category buttons below the chart such that only the
    System
    button is active.
    The buttons below the chart have a gray background when disabled, and a blue background, when enabled.
    This action filters out all other alert and event categories displayed in the charts.
  6. Click an event icon in the chart to display the events and alerts that correspond with the traffic data.
    This displays the event table below the chart, which includes details about the events and alerts that occurred at that time.
    You can further filter so that only pool member and virtual server events appear, use the
    Search events
    field, and type "server-readiness".
  7. Isolate the affected pool member address from the Title column in the event table, or click the event row to view event details in the Description area.
  8. You can analyze additional data for the isolated pool member by expanding the Dimension pane to the right of the chart and selecting the pool member address from the
    Pool Members Address
    list.

Mitigating a traffic performance issue

To manage LTM objects to mitigate a performance issue that you isolated using analytics, you use essentially the same screens that you used to find the problem. But instead of using the ANALYTICS option in the details area, you use the CONFIGURATION option.
Resolving this issue requires the following:
  • Create a replacement for the object triggering the issue.
  • Delete or remove the object from service.
In these tasks, we provide an example of a problem pool member. But you can use the same strategy for other Traffic Management object types in your application.

Create a replacement pool member

When you isolate a pool member that is affecting traffic performance, you can create a replacement for the member that is triggering the performance issues.
  1. Select the application that needs attention from the all applications screen (
    Applications
    APPLICATIONS
    Application Name
    ).
  2. Find the pool member that needs attention: At the right, center of the screen, click the number in the Servers circle.
    This displays the pool member information in the CONFIGURATION area.
  3. Create a new pool member.
    1. At the left click
      CONFIGURATION
      .
    2. Under Servers, click
      Create
      (a Create Servers popup screen opens).
    3. Type the
      IP Address
      and
      Port
      for the new pool member.
    4. Click
      Create
      . (This creates the pool member and closes the popup screen.)
The next thing you probably want to do is take this pool member out of service so that your application traffic can return to normal.

Solve a performance issue due to pool member status

Before you start, you probably want to create a replacement pool member to handle the traffic of the problem member.
When you isolate a pool member that is affecting traffic performance, you have a couple of ways to remedy the issue. Depending on what kind of issues the pool member is experiencing, you might want to delete it immediately, disable it, or force it offline.
  1. Select the application that needs attention from the all applications screen (
    Applications
    APPLICATIONS
    Application Name
    ).
  2. Find the pool member that needs attention: At the right, center of the screen, click the number in the Servers circle.
    This displays the pool member information in the CONFIGURATION area.
  3. Select the pool member that needs attention:
    1. Click
      CONFIGURATION
      .
    2. Select the check box for the pool member.
  4. Determine what you want to do with this pool member based on the nature of the performance issue, and take the most appropriate action.
    What do you want the member to do?
    Select this option
    Cease all traffic immediately
    Select
    Delete
    .
    BIG-IQ removes the pool member from the pool, but does not delete the associated node.
    This option is most appropriate when an issue requires a quick response. Current connections will be interrupted.
    Stop processing new connections but continue to process persistent or active connections.
    Select
    Disable
    .
    BIG-IQ continues to process persistent and active connections for this member. New connections are accepted only if they belong to an existing persistence session.
    This option is appropriate when you can afford the time for traffic to dissipate before the member stops processing traffic.
    Stop processing new connections but continue to process active connections.
    Select
    Force Offline
    .
    BIG-IQ continues to process active connections for this member. New connections are accepted only if they belong to an existing persistence session.
    This option is appropriate when you can afford the time for traffic to dissipate before the member stops processing traffic.
The next thing you probably want to do is repeat the troubleshooting steps you used to isolate this pool member as the problem source and confirm that the issue is resolved.

HTTP server traffic charts

This table lists and defines the charts found under the ANALYTICS tab in the application service dashboard (
Applications
APPLICATIONS
<Application Name>
<Application HTTP Service>
). Select the option marked in the image to view charts at the bottom of the screen. These charts display the trends of the application pool members. Each chart displays an aspect of pool member performance, as function of the selected time period.
ANALYTICS Menu Options
Chart Title
Description
Server Latency
Top 5 Pool Members by Server Latency
The average number of milliseconds (ms) it took for the BIG-IP system to receive a response message from a pool member once a request was sent. This includes application response time and server RTT.
Metric Unit: ms
Legend:
Top 5 pool member IP addresses
Application Response Time
Top 5 Pool Members by Application Response Time
The average time it takes for the pool member to send a response message once the pool member receives the request from the BIG-IP system.
Metric Unit: ms
Legend:
Top 5 pool member IP addresses
Server Side RTT
Top 5 Pool Members by Server Side Round-Trip Time
The time it takes for the BIG-IP system to send a request and receive a response from the pool member, not including the application response time. This is a system performance indicator.
Metric Unit: ms
Legend:
Pool member addresses
TPS
Top 5 Pool Members by TPS
The average number of request transactions per second (TPS) received by a pool member.
Metric Unit: TPS
Legend:
Pool member addresses

HTTP Dimensions and Metrics

The dimensions and metrics listed are gathered to monitor traffic data pertaining to the HTTP layer. The information provided is found in the dimensions pane tables with the screens that display HTTP data. It is important note that all metric data is displayed as a unit over the time period selected for the screen.

HTTP Dimensions

The following defines the dimensions found in the dimensions pane that report HTTP traffic analytics.
BIG-IP Host Names
The name of each BIG-IP system that processed the monitored transactions.
Applications
The name of each application reporting HTTP traffic data.
Application Services
The name of each HTTP application service reporting transaction data.
Virtual Servers
The name of each virtual server that processes monitored transactions.
Pool Member Addresses
The IP addresses of the servers assigned to a pool configured to a managed BIG-IP.
Transaction Outcomes
The outcome assigned to each HTTP request as they are processed by the BIG-IP system.
URLs
The URL that initiated the HTTP request that was processed by the BIG-IP system.
Client IPs
The client IP address that initiated the HTTP request that was processed by the BIG-IP system.
Subnets
The subnet of the client IP address that initiated the HTTP request that was processed by the BIG-IP system.
Countries
The country listed in the HTTP request that was processed by the BIG-IP system.
Response Codes
The result code listed HTTP response received by the BIG-IP system.
Response Code Families
The class of the HTTP response result received by the BIG-IP system.
Methods
The HTTP method included in the HTTP request received by the BIG-IP system.
Browsers
The type of browser included in the HTTP request that was received by the BIG-IP system.
OSs
The operating system included in the HTTP request received by the BIG-IP system.
User Agents
The browser and operating system information included in the HTTP request received by the BIG-IP system.

HTTP Metric

HTTP metrics reflect the quantity, volume and speed of the HTTP traffic processed by your managed BIG-IP systems. Metric sets categorize the metric data according to an aspect of the traffic's progress throughout the transaction process. The table below defines the metric set and the kind of metric data collected.
Metric Set
Metric Set Definition
Metric
Metric Definition
Transactions
Each initiated request between the client and BIG-IP system, regardless of the outcome.
Avg/s
Average number of transactions per second that were processed by the BIG-IP system.
Total
Total number of transactions processed by the BIG-IP system.
Request Volume
The volume (in bytes) of a request that is processed by the BIG-IP system.
Avg Size
The average number of bytes sent per transaction request.
Throughput
The average rate of bytes per second sent in transaction requests.
Volume
The total number of bytes sent in all transaction requests.
Response Volume
The volume (in bytes) of a response that is processed by the BIG-IP system.
Avg Size
The average number of bytes sent per transaction response.
Throughput
The average rate of bytes per second sent in transaction responses.
Volume
The total number of bytes sent in all transaction responses.
Server Latency
Server latency is the time (in ms) from when the BIG-IP system sends the first request byte to the web application server, until the BIG-IP system receives the first response byte.
Avg
The average server latency observed by the system.
Trans Count
Total number of transactions processed by the BIG-IP system.
Max
The highest server latency observed by the system.
Page Load Time
Page load time is the time (in ms) from when the client sends the first byte of a request until the last byte of the response is received by the client.
Page load time is how long (in milliseconds) it takes from the time an end user makes a request for a web page, until the web page from the application server finishes loading on the client-side browser.
Trans Count
The number of client responses from the system that include page load time information.
Max
The longest page load time observed by the system.
Avg
The average page load time observed by the system.
Application Response Time
The time (in ms) from when the server receives the first request byte from the BIG-IP system until the server sends the first byte of the response.
Avg
The average application response time observed by the system.
Min
The shortest application response time observed by the system.
StdDev
The the standard deviation (in ms) of all application response times observed by the system.
Trans Count
The number of application response times observed by the system.
Max
The longest application response time observed by the system.
E2E time
The time (in ms) from when the client sends the first packet of a request until the client receives the last packet of the response.
Max
The longest client end to end time observed by the system.
Min
The shortest client client end to end time observed by the system.
StdDev
The standard deviation (in ms) for all observed client end to end time.
Trans Count
The number of client responses that include client end to end time information.
Avg
The average client end to end time for all observed transactions.
Client Side RTT
Client side round trip time (RTT) is the sum of time (in ms) observed from when the first byte from a client request is received by the BIG-IP system and when the first byte of a response is sent from the BIG-IP system to the client. Or, Client TTFB not including request duration.
StdDev
The standard deviation (in ms) for all observed client side RTTs.
Min
The shortest client side RTT for all observed transactions.
Max
The longest client side RTT for all observed transactions.
Avg
The average client side RTT for all observed transactions.
Server Side RTT
Server side round trip time (RTT) is the sum of the times (in ms) observed from when the server receives the first request byte from the BIG-IP system and from when the BIG-IP receives the first byte of the response from the server. Or the time observed from when the BIG-IP system sends the first request byte, until it receives the first response byte, not including application response time.
Trans Count
The number of server responses to the system that include RTT information.
StdDev
The standard deviation (in ms) for all observed server side RTTs.
Avg
The average server side RTT for all observed transactions.
Max
The longest server side RTT observed by the system.
Min
The shortest server side RTT observed by the system.
Request Duration
The time it takes (in ms) the BIG-IP system to send the first byte until the last byte of a request to the server.
Max
The longest request duration observed by the system
Trans Count
The number of requests observed by the system.
StdDev
The standard deviation (in ms) of request duration for all observed requests.
Avg
The average request duration for all observed requests.
Min
The shortest request duration observed by the system.
Responses Duration
The time it takes (in ms) the BIG-IP system to send the first byte until the last byte of a response to the client.
Trans Count
The number of responses observed by the system.
Avg
The average response duration for all observed responses.
Max
The longest response duration observed by the system.
Min
The shortest response duration observed by the system.
StdDev
The standard deviation (in ms) of response duration for all observed responses.

HTTP client traffic charts

This table lists and defines the charts found under the ANALYTICS tab in the application service dashboard (
Applications
APPLICATIONS
<Application Name>
<Application HTTP Service>
). Select the option marked in the image to view charts at the bottom of the screen. These charts display the trends of application traffic processed by the BIG-IP system. Each chart displays an aspect of application traffic as a function of the selected time period.
ANALYTICS Menu Options
Chart Title
Description
Transactions
HTTP Transaction Outcomes
The average outcome assigned by the BIG-IP system to the request and response between the client, BIG-IP system and server.
Metric Unit: Average Transactions per Second
Legend:
Passthrough: HTTP transactions that completed the request and response exchange using the BIG-IP system.
Incomplete: HTTP transactions that did not complete the entire request and response exchange.
Cached by BIG-IP: Requests stored by the BIG-IP system to reduce the traffic load on back-end servers.
BIG-IP Response: HTTP requests that received a response directly from the BIG-IP.
Page Load Time
Page Load Time
The average time it takes for a client request to receive a full response from the server and BIG-IP system.
Metric Unit: ms
Legend:
Avg: The average page load time observed.
Max: The highest page load time observed.
Client Side RTT
Client Side Round-Trip Time
The time it takes for a client to send a request and receive a response over the BIG-IP system. This includes the time it takes for client's request to reach the BIG-IP system and the time it takes for the client to receive a response from the BIG-IP system.
Metric Unit: ms
Legend:
Min:The lowest server RTT observed.
Avg: The average server RTT observed.
Max: The highest server RTT observed.
E2E Time
End-to-End-Time
The time required for an application request and response transaction, not including system latency and transmission times.
Metric Unit: ms
Legend:
Client RTT: The average time it takes for a client to send a request and receive a response over the BIG-IP system.
Server RTT: The average time it takes for a client to send a request and receive a response over the BIG-IP system.
Application Response Time: The average time it takes for a server to send a response, after receiving a request.

Web Application Security Charts

The charts that reflect Web Application Security data allow you to analyze current trends in traffic to applications with Web Application Security. The parameters found in the charts described display the detected layer 7 security threats, out of all HTTP traffic. The configuration of application service the in view is indicated in the Properties icon, as indicated in the image of an AS3 application service.
Illegal Transactions Rate (TPS)
The average number of illegal transactions per second that were identified by the Web Application Security profile. These transactions were detected based on the violation rating and your Web Application Security policy's action settings. Increases in illegal traffic over time can indicate an increase in attacks to your applications, or it can indicate an overly-strict protection policy. The current protection mode is indicated by Blocked or transparent transactions. You can use the
Violation Rating
dimension to filter violations above a certain threat level. This will allow you to identify specific violations types that were detected.
A single illegal transaction can include multiple violations. Therefore, comparing the number of illegal transactions vs the number of violations may not accurately reflect your system's status. It is recommended to primarily evaluate the number of illegal transactions.
Transactions Rate by Violation Rating (TPS)
The average number of transactions per second by the detected threat level assigned by your Web Application Security policy. The threat level of the traffic is shown in ascending order; from
Legal
to
Malicious
.
Top 6 Violations (Violations/s)
The six types of violations most commonly detected (per second). Violation information can be useful in adjusting your Web Application Security policy for optimized protection against the most common attacks.

Web Application Security Dimensions and Metrics

The metrics and dimensions listed are provide data regarding the transaction volume and traffic violations detected by your Web Application Security policy. The information provided is found in the dimensions pane tables with the screens that display Web Application Security data. You use this information to filter the on-screen data by specific dimension objects. For example, if you would like to view data that pertains to specific virtual servers, you can select specific virtual servers to filter only their data results. It is important note that all metric data is displayed as a unit over the time period selected for the screen.

Web Application Security Dimensions

The following defines the dimensions that provide traffic analytics for objects protected by a Web Application Security profile.
Some dimensions may not have listed objects, as information may not be available. For example, if your policy is in Transparent mode, or there are no reported attacks, there will be no data listed under the
Actions
dimension.
BIG-IP Host Names
The name of each BIG-IP system that processed the monitored transactions.
BIG-IP Blade Numbers
The individual blades (by number) for all monitored BIG-IP devices.
Applications
The name of each application reporting HTTP traffic data.
Application Services
The name of each HTTP application service reporting transaction data.
Virtual Servers
The name of each virtual server that processes monitored transactions.
ASM Policy Names
The names of the Web Application Security (ASM) policies that protect the virtual servers currently processing application traffic.
Actions
The enforcement applied to a detected attack signature. These actions include:
Learn
Alarm
Block
Violation Ratings
The rating assigned to traffic by the Web Application Security policy. The assigned ratings include:
Legal
, normal traffic that does not contain any threat indicators.
Legal (Staging)
, traffic that is tentatively detected as legal during the policy builder process. The relevant settings in the security policy are in staging.
Likely F.P.
, traffic may present a security threat, but is likely a false positive.
Illegal
, traffic that contains known violations, or abnormalities, that pose a threat to the application's performance.
Malicious
, traffic that contains known threat actors.
Network Protocols
The network protocol (HTTP, HTTPS) in the transaction.
Client IPs
The client IP address that initiated the HTTP request that was processed by the BIG-IP system.
Attack Types
The general category of application-layer attack, as identified by the Web Application Security policy.
Violations
The types of traffic violations, as detected by your Web Application Security policy.
Virus Names
The names of known viruses detected.
Client Device IDs
The unique identifier of the client’s device, derived from a JavaScript injection from BIG-IP to the client device.
IP Reputation
The IP categories configured for IP Intelligence. This dimension is relevant to users who have configured an ASM policy with IP Intelligence.
Countries
The country listed in the HTTP request that was processed by the BIG-IP system.
User Name
The client login name, based on information submitted from a login page. This information is available when Web Application Service is paired with Access service.
Session ID
The unique identifier of an HTTP session between the client and the application. This information is stored along with other client data, such as device ID.
URLs
The URL that initiated the HTTP request that was processed by the BIG-IP system.
Response Code Families
The class of the HTTP response result received by the BIG-IP system.
Methods
The HTTP method included in the HTTP request received by the BIG-IP system.

Web Application Security Metrics

HTTP metrics reflect the quantity, volume and speed of the HTTP traffic processed by your managed BIG-IP systems. Metric sets categorize the metric data according to an aspect of the traffic's progress throughout the transaction process. The table below defines the metric set and the kind of metric data collected.
Metric Set
Metric Set Definition
Metric
Metric Definition
Transactions
Each initiated request between the client and BIG-IP system, regardless of the outcome.
Depending on your configuration of Web Application Security, not all legal transactions are included in the transaction totals.
Avg/s
Average number of transactions per second that were processed by the BIG-IP system.
Total
Total number of transactions processed by the BIG-IP system.
Violations
The number of violations detected by the Web Application Security policy.
Avg/s
The average number of violations detected per second.
Total
The total number of violations detected over the selected period of time