Case Management

MY PRODUCTS & PLANS

Subscriptions

Product Usage

Trials

Registration Keys

Resources
Downloads
Licensing
Activate F5 product registration key
Ihealth
Verify the proper operation of your BIG-IP system

F5 University
Get up to speed with free self-paced courses
Devcentral
Join the community of 300,000+ technical peers

F5 Certification
Advance your career with F5 Certification
Product Manuals
Product Manuals and Release notes

Manual Chapter : Web Application Security Dimensions and Metrics

Applies To:

Show Versions

Show Versions

BIG-IQ Centralized Management

8.3.0, 8.2.0, 8.1.0, 8.0.0

Web Application Security Dimensions and Metrics

The metrics and dimensions listed are provide data regarding the transaction volume and traffic violations detected by your Web Application Security policy. The information provided is found in the dimensions pane tables with the screens that display Web Application Security data. You use this information to filter the on-screen data by specific dimension objects. For example, if you would like to view data that pertains to specific virtual servers, you can select specific virtual servers to filter only their data results. It is important note that all metric data is displayed as a unit over the time period selected for the screen.

Web Application Security Dimensions

The following defines the dimensions that provide traffic analytics for objects protected by a Web Application Security profile.

Some dimensions may not have listed objects, as information may not be available. For example, if your policy is in Transparent mode, or there are no reported attacks, there will be no data listed under the

Actions

dimension.

BIG-IP Host Names: The name of each BIG-IP system that processed the monitored transactions.
BIG-IP Blade Numbers: The individual blades (by number) for all monitored BIG-IP devices.
Applications: The name of each application reporting HTTP traffic data.
Application Services: The name of each HTTP application service reporting transaction data.
Virtual Servers: The name of each virtual server that processes monitored transactions.
ASM Policy Names: The names of the Web Application Security (ASM) policies that protect the virtual servers currently processing application traffic.
Actions: The enforcement applied to a detected attack signature. These actions include:; Learn; Alarm; Block
Violation Ratings: The rating assigned to traffic by the Web Application Security policy. The assigned ratings include:; Legal
, normal traffic that does not contain any threat indicators.; Legal (Staging)
, traffic that is tentatively detected as legal during the policy builder process. The relevant settings in the security policy are in staging.; Likely F.P.
, traffic may present a security threat, but is likely a false positive.; Illegal
, traffic that contains known violations, or abnormalities, that pose a threat to the application's performance.; Malicious
, traffic that contains known threat actors.
Network Protocols: The network protocol (HTTP, HTTPS) in the transaction.
Client IPs: The client IP address that initiated the HTTP request that was processed by the BIG-IP system.
Attack Types: The general category of application-layer attack, as identified by the Web Application Security policy.
Violations: The types of traffic violations, as detected by your Web Application Security policy.
Virus Names: The names of known viruses detected.
Client Device IDs: The unique identifier of the client’s device, derived from a JavaScript injection from BIG-IP to the client device.
IP Reputation: The IP categories configured for IP Intelligence. This dimension is relevant to users who have configured an ASM policy with IP Intelligence.
Countries: The country listed in the HTTP request that was processed by the BIG-IP system.
User Name: The client login name, based on information submitted from a login page. This information is available when Web Application Service is paired with Access service.
Session ID: The unique identifier of an HTTP session between the client and the application. This information is stored along with other client data, such as device ID.
URLs: The URL that initiated the HTTP request that was processed by the BIG-IP system.
Response Code Families: The class of the HTTP response result received by the BIG-IP system.
Methods: The HTTP method included in the HTTP request received by the BIG-IP system.

Web Application Security Metrics

HTTP metrics reflect the quantity, volume and speed of the HTTP traffic processed by your managed BIG-IP systems. Metric sets categorize the metric data according to an aspect of the traffic's progress throughout the transaction process. The table below defines the metric set and the kind of metric data collected.

Metric Set	Metric Set Definition	Metric	Metric Definition
Transactions	Each initiated request between the client and BIG-IP system, regardless of the outcome. Depending on your configuration of Web Application Security, not all legal transactions are included in the transaction totals.	Avg/s	Average number of transactions per second that were processed by the BIG-IP system.
Transactions		Total	Total number of transactions processed by the BIG-IP system.
Violations	The number of violations detected by the Web Application Security policy.	Avg/s	The average number of violations detected per second.
Violations		Total	The total number of violations detected over the selected period of time

Monitoring HTTP application service data