Manual Chapter : Monitoring Security for Managing BIG-IP Devices

Applies To:


BIG-IQ Centralized Management

  • 8.2.0, 8.1.0

Monitoring Security for Managing BIG-IP Devices

About Monitoring Security

Use BIG-IQ to monitor Network Security, Web Application Security, and DoS (Shared Security) activity on your managed BIG-IP devices. View reports for managed BIG-IP devices that are provisioned for Application Visibility and Reporting (AVR). As with AVR reporting on a single device, you can get visibility into application traffic passing through a single managed BIG-IP device or an aggregated view (aggregated data for multiple BIG-IP devices). When viewing security data, you can view all managed devices, or specific devices and protected objects.
In addition, you can monitor event logs of security activities detected by your managed BIG-IP systems. These event logs list the issue detected by your security policy or profile, and let you see the details of each occurrence.
Security reporting varies depending on the version of your managed BIG-IP system. If you are managing a BIG-IP system that is v13.0 or earlier, Network Security, Web Application Security, and DoS (Shared Security) activity appears in the REPORTS and EVENTS areas of the Monitoring tab. If you are managing more recent versions of BIG-IP (v13.0.8 or later), you can also view security activity in the DASHBOARDS area of the Monitoring tab.
For more information about configuring Analytics for your security service modules, see Configuring Statistics Collection.
For more information about prerequisites for monitoring security data and BIG-IP version support for monitoring security, see https://support.f5.com/csp/article/K12418426.

Monitoring BIG-IP Devices v13.0.8, or later

To find more information about monitoring the security on managed BIG-IP devices v13.0.8 or later, see the following:
Network Security
  • For IPS activity, see Monitoring and Managing Intrusion Prevention System Using BIG-IQ on support.f5.com.
Web Application Security
  • For monitoring general Web Application Security activity, see BIG-IQ Web Application Security on support.f5.com.
  • For monitoring layer 7 security objects, see Modifying and Managing Layer 7 Security Objects using BIG-IQ on support.f5.com.
  • For monitoring Bot Defense (applies to managed devices v14.1 or later), see Managing Bot Defense using BIG-IQ on support.f5.com.
DoS (Shared Security)
  • For monitoring DoS protection against application-layer, network-layer, and DNS-layer attacks, see Monitoring DDoS Attacks using BIG-IQ on support.f5.com.
  • For monitoring DoS protected objects, see Modifying and Managing Layer 7 Security Objects using BIG-IQ on support.f5.com.

Monitoring Network Security

When Analytics is enabled on BIG-IQ, and AVR is provisioned on managed BIG-IP devices, you can view detailed insights about Network Firewall and IP Intelligence events that the AFM system detected within a specified period of time. The data can indicate the need for changes to your system's Network Security (AFM) protection.
Policy management indicators can include, but are not limited to:
  • Firewall context enforcement settings: A policy or rule context may be deployed in Staged or Enforced mode. A staged policy is evaluated and logged but does not act on traffic, so its results show what a change would do before you enforce it. Depending on your environment you may want to change these settings.
  • Changes in rule matches: Drill down into traffic details, such as traffic destination or context. Based on these results, you can assess whether rules and contexts require changes in firewall actions.
Centralized management supports statistics monitoring for AS3, Legacy, and Service Catalog application services. For more information about BIG-IP support for security information, see Configuring Statistics Collection in BIG-IQ: Monitoring and Reports at support.f5.com.
If you are running BIG-IP v13.0.8 or later, you can view the dynamic Network Security dashboards found at Monitoring > DASHBOARDS > AFM and Monitoring > DASHBOARDS > IPS. For more information about what you can see in these dashboards, see:
  • For ACL Rules, see Monitoring ACL Rules to Improve Network Security in this guide.
  • For IPS, see Monitoring and Managing Intrusion Prevention System Using BIG-IQ at support.f5.com.
To view traffic statistics for objects with Network Security protection, you must have the following settings configured.
  • A BIG-IQ data collection device configured for the BIG-IQ device
  • The BIG-IP device located in your network and running a compatible software version
  • Statistics collection enabled for managed BIG-IP devices
  • AVR provisioned on your BIG-IP devices

Network Security Reports (BIG-IP versions 13.0 or earlier)

For managed BIG-IP devices running version 13.0 or earlier, you can use BIG-IQ Network Security Reporting to view and create reports for managed BIG-IP devices that are provisioned for Application Visibility and Reporting (AVR). As with AVR reporting on a single device, you can get visibility into application traffic passing through a single managed BIG-IP device or an aggregated view (aggregated data for multiple BIG-IP devices).
If you are managing BIG-IP devices running version 13.0.8 or later, you can see Network Security data on full dashboards. For more information about monitoring Network Security for later versions of BIG-IP, see:
  • For ACL Rules, see Monitoring ACL Rules to Improve Network Security in this guide.
  • For IPS, see Monitoring and Managing Intrusion Prevention System Using BIG-IQ at support.f5.com.
You can generate reports and charts, per selected BIG-IP devices, in the following areas:
  • Network: View reports for network firewall events based on traffic, traffic management, and stale requests in your network. You can view reports for Enforced Rules, Staged Rules, and TCP IP Errors.
  • IP Intelligence: View reports for illegal requests detected and managed by IP Intelligence.
  • DoS Protection: If you have configured DoS protection on the BIG-IP system for Network, DNS, or SIP protocols, you can view charts and reports that show information about DoS attacks.

Monitoring Network Security Reports

The following are general prerequisites for viewing security data:
  • A managed BIG-IP device running version 13.1 or earlier
  • Managed BIG-IP devices have AFM provisioned for managing security policies
  • A BIG-IQ data collection device configured for the BIG-IQ device
  • The BIG-IP device located in your network and running a compatible software version
  • Statistics collection enabled for managed BIG-IP devices
  • AVR provisioned on your BIG-IP devices
View graphic charts and reports about transactions detected on a selected device that has Network Security. You can then use these charts to evaluate traffic to the protected application and to identify weaknesses in the security policy.
  1. Go to Monitoring > REPORTS > Network Security > Reporting.
  2. From the left menu, select one of the following. Some options may not be visible due to your current system configuration.
    1. Network: view charts for general application traffic data as it relates to Enforced Rules, Staged Rules, or TCP IP Errors. You can further select Traffic, Management, or Stale.
    2. IP Intelligence: view charts about IP Intelligence events.
    3. DoS: view charts for DoS Protection, and select the protocol from the tabs above the selection area. Results are displayed only if you have configured a DoS profile for the selected protocol.
  3. From the Devices list, select a device.
    A chart displays at the bottom of the screen.
  4. From the Time Period list, select a time period for the chart display.
You have now created a Network Security report for a managed BIG-IP device running a legacy version.

Managing Firewall Rule Reports

About firewall rule reports
You can generate different types of firewall rule reports for selected BIG-IP devices in either CSV or HTML format. These reports capture information similar to that gathered using the firewall rule monitoring. The types of reports you can generate include:
  • Stale Rule Report. Creates a report on firewall rules that are not being used on the BIG-IP device.
  • Overlap Status Stats Report. Creates a report on firewall rules that are overlapping on the BIG-IP device.
  • Compilation Status Report. Creates a report on the compilation of firewall rules on the BIG-IP device.
Creating firewall rule reports
You create firewall rule reports to capture statistics about firewall rules in a report format.
  1. Navigate to the Firewall Rule Reports screen: Click Monitoring > REPORTS > Security > Network Security > Firewall Rule Reports.
  2. Click Create.
    The New Firewall Rule Report screen opens.
  3. Type a name for the report in the Name field.
  4. Type an optional description for the report in the Description field.
  5. Select a report type from those listed in the Report Type field. You can generate these types of reports:
    • Stale Rule Report
    • Overlap Status Stats Report
    • Compilation Status Stats Report
    If the Stale Rule Report report type is selected, the screen displays the Stale Rule Criteria property; otherwise that property is not displayed.
  6. If you select Stale Rule Report, you can refine the report using the options listed in the Stale Rule Criteria setting:
    • To include only rules with a hit count less than a given number, select Rules with count less than and specify the number in the provided field.
    • To include only rules that have not been hit since a given date, select Rules that haven't been hit since and specify the date in the provided field.
    Hit counts are collected only for rules in an enforced policy, so a rule that exists only in a staged policy always appears unused in this report.
  7. From the Available Devices setting, select the BIG-IP devices or device group to use for the report:
    • Select Group and select a group of BIG-IP devices from the list.
    • Select Device and select individual BIG-IP devices by moving them from the Available list to the Selected list.
  8. Save the report:
    • Select Save to save the report. The system displays the Firewall Rule Reports page for that one report, and generates the report data.
    • Select Save & Close to save the report. The system displays the Firewall Rule Reports page that lists all reports, and generates the report data.
  9. Select the format for the report:
    • Select CSV Report to have the report formatted as a CSV file.
    • Select HTML Report to have the report formatted as an HTML file. The HTML file is displayed in the Web browser when complete.
    You can save or print these reports.
Deleting firewall rule reports
You can delete firewall rule reports that are no longer needed.
  1. Go to the Firewall Rule Reports screen: Click Monitoring > REPORTS > Security > Network Security > Firewall Rule Reports.
  2. Select one or more reports to delete, and click Delete.
    The reports are deleted from the list on the Firewall Rule Reports screen.

Managing Firewall Packet Trace Reports

About firewall packet trace reports
You can create and view packet trace reports to visually review your firewall settings. You can click the graphics in the trace report to see detailed results of the packet trace for each firewall component.
Create firewall packet trace reports
You create packet trace reports to trace and review your network security firewall settings.
  1. Click Monitoring > REPORTS > Security > Network Security > Packet Traces.
  2. Click Create.
    The Packet Parameters screen opens.
  3. Enter or modify the parameters.
    • In the Name setting, type a name for the packet trace.
    • In the Protocol setting, select the protocol for the packet you want to trace. The other configuration settings change based on the protocol you select.
    • In the TCP Flags setting, select one or more flags to set in the traced packet. This setting is used only when the TCP protocol is selected.
    • In the Source IP Address setting, type the IP address to identify as the packet source.
    • In the Source Port setting, type the port to identify as the packet source. This does not apply to ICMP packets.
    • In the TTL setting, type the IP TTL (Time to Live) value for the traced packet. This is a hop count that is decremented at each router, not a duration in seconds.
    • In the Destination IP Address setting, type the IP address to which you want to send the packet for the packet trace.
    • In the Destination Port setting, type the port to which you want to send the packet for the packet trace. This does not apply to ICMP packets.
    • In the Use Staged Policy setting, select whether to evaluate the packet against the staged policy, if one exists.
    • In the Trigger Log setting, select whether to write a log message for the traced packet, if the system would log it.
  4. In the Devices area, select the BIG-IP devices and source VLANs to be traced.
    1. Click Add.
      The Devices dialog box is displayed.
    2. In the Devices dialog box, select the BIG-IP devices to use by moving them from the Available to the Selected list.
    3. Click Add to finalize the list and close the dialog box.
    4. In the Source VLAN column, select one or more VLANs to use for each device in the list.
      If Apply these VLANs to all Devices is selected, the VLANs selected for the first device in the list are applied to all other devices in the list. Clear this option to select different VLANs for each device.
  5. Click Run Trace.
    The packet is traced and the results are displayed on the screen.
  6. In the Trace Results area, review the trace diagram created by running the trace.
    • Review the colors of the graphics for each network security component.
      • Green graphics indicate rules that were evaluated and allowed the traffic to pass, including whitelist matches and Allow matches in firewall, DoS, and IP Intelligence rules.
      • Red graphics indicate packets that were evaluated and dropped, or that matched firewall or IP Intelligence rules.
      • Gray graphics indicate packets that did not match a rule of the type indicated.
    • Click each graphic to see detailed results of the packet trace for that component.
    • To copy this packet trace, click Clone.
    • To compare this packet trace to one or more other packet traces, click Compare and then select the packet traces to which it should be compared.
The packet trace has been run and reviewed.
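The walk that the Trace Results diagram summarises can be reasoned about offline before a trace is run on a device. The following Python script is an added example, not code from BIG-IQ, AFM, or F5: it models a firewall policy as an ordered list of rules, walks a constructed packet through the enforced policy and, when Use Staged Policy is selected, through the staged policy as well, stops at the first match the way a firewall does, and colours each step green, red, or gray as the Trace Results diagram does. The rule fields, the sample policies, the sample packet, the `logged` flag standing in for Trigger Log, and the default action of accept when no rule matches are all this example's assumptions; AFM's context order (global, route domain, then virtual server or self IP) is not modelled.

```python
"""Packet-trace walk through an ordered firewall policy (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "accept", "drop" or "reject"
    protocol: str = ANY                  # "tcp", "udp", "icmp" or ANY
    src: str = "0.0.0.0/0"               # source CIDR
    dst: str = "0.0.0.0/0"               # destination CIDR
    dst_ports: tuple = (0, 65535)        # inclusive destination port range; ignored for icmp
    tcp_flags: frozenset = frozenset()   # flags that must be set; empty means "any flags"
    log: bool = False                    # stands in for a rule's Log setting (assumption)

@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0
    tcp_flags: frozenset = frozenset()
    ttl: int = 64                        # IP hop count, not seconds

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every populated field of the rule matches the packet."""
    if rule.protocol not in (ANY, pkt.protocol):
        return False
    if ip_address(pkt.src_ip) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst_ip) not in ip_network(rule.dst):
        return False
    if pkt.protocol != "icmp":           # ICMP has no ports
        lo, hi = rule.dst_ports
        if not lo <= pkt.dst_port <= hi:
            return False
    if pkt.protocol == "tcp" and not rule.tcp_flags <= pkt.tcp_flags:
        return False
    return True

def walk_policy(policy, pkt, default_action="accept"):
    """First-match evaluation. Returns the verdict plus one entry per rule
    reached, coloured as the trace diagram does: green for an accept match,
    red for a drop/reject match, gray for a rule that did not match.
    Rules after the first match are never evaluated, so they are not listed."""
    steps = []
    for rule in policy:
        if rule_matches(rule, pkt):
            colour = "green" if rule.action == "accept" else "red"
            steps.append({"rule": rule.name, "result": "matched", "colour": colour})
            return {"verdict": rule.action, "rule": rule.name,
                    "logged": rule.log, "steps": steps}
        steps.append({"rule": rule.name, "result": "no match", "colour": "gray"})
    # No rule matched: the policy's default action applies (assumed "accept" here).
    return {"verdict": default_action, "rule": None, "logged": False, "steps": steps}

def packet_trace(enforced, staged, pkt, use_staged=True):
    """Trace one packet through the enforced policy and, optionally, the
    staged policy, and report whether promoting the staged policy to
    enforced would change the verdict for this packet."""
    report = {"enforced": walk_policy(enforced, pkt)}
    if use_staged and staged:
        report["staged"] = walk_policy(staged, pkt)
        report["staged_would_change_verdict"] = (
            report["staged"]["verdict"] != report["enforced"]["verdict"])
    return report

# Constructed sample policies; not taken from any real device.
ENFORCED = [
    Rule("allow-https-from-corp", "accept", "tcp", "10.0.0.0/8", "192.0.2.10/32", (443, 443)),
    Rule("allow-ping", "accept", "icmp", dst="192.0.2.0/24"),
    Rule("drop-everything-else", "drop", log=True),
]
STAGED = [
    Rule("block-guest-vlan", "drop", "tcp", "10.0.5.0/24", "192.0.2.10/32", (443, 443), log=True),
] + ENFORCED

def example():
    """A SYN from the guest subnet to the HTTPS virtual server: accepted by the
    enforced policy, dropped by the staged one."""
    pkt = Packet("tcp", "10.0.5.7", "192.0.2.10", 51514, 443, frozenset({"SYN"}))
    return packet_trace(ENFORCED, STAGED, pkt)

if __name__ == "__main__":
    for policy_name, result in example().items():
        print(policy_name, result)
```

The `staged_would_change_verdict` flag is the question a trace with Use Staged Policy answers: for this packet the enforced policy accepts via the first rule, while the staged policy drops and logs it at its first rule, so enforcing the staged policy would cut off that flow.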

Managing Firewall Packet Flow Reports

About firewall packet flow reports
You create and review packet flow reports to inspect the currently active packet flows on BIG-IP devices. You can use these reports to determine whether a packet flow meeting certain parameters is active on the BIG-IP devices. You can combine packet flow reports with packet trace reports to see whether a BIG-IP device may be blocking certain flows at a firewall.
You can also review prior packet flow reports. The Centralized Management Packet Flows feature is similar to the Flow Inspector feature in the Advanced Firewall Manager (AFM) on the BIG-IP device.
Create packet flow reports
You create a packet flow report to identify which flows currently active on BIG-IP devices match the given parameters. You specify the parameters and the BIG-IP devices that the BIG-IQ Centralized Management system examines to generate the report.
  1. Click Monitoring > REPORTS > Security > Network Security > Packet Flows.
  2. Click Create.
  3. In the Flow Parameters area, enter the packet flow parameters.
    1. Type a Name for the packet flow report.
    2. Specify the Protocol for the flows. Select All to view all protocols. Select Specify and specify the protocol to view flows using that protocol.
    3. Specify the Source IP Address for the flows. The default is Any, which indicates that any source IP address is used rather than a specific IP address.
    4. Specify the Source Port for the flows. By default, an asterisk (*) is shown, indicating that all ports are selected. If the selected protocol is ICMP, this setting is not used.
    5. Specify the Destination IP Address for the flows. The default is Any, which indicates that any destination IP address is used rather than a specific IP address.
    6. Specify the Destination Port for the flows. By default, an asterisk (*) is shown, indicating that all ports are selected. If the selected protocol is ICMP, this setting is not used.
    7. In the Visible Flow Count setting, specify the maximum number of flows on which to report.
  4. In the Select Devices area, select the BIG-IP devices on which to inspect the packet flows by moving them from the Available list to the Selected list.
  5. Click Get Flows to generate the packet flow report for the specified parameters.
    The screen is updated to show the generated packet flow report. You can expand the Flow Parameters area to show the parameters used to create the list of packet flows. The Flow Table area shows the list of packet flows.
  6. In the Flow Table area, you can display additional information about a selected packet flow.
    • To review details about a packet flow and any packet trace history for that flow, click the row for that packet flow. The detailed information for that packet flow is displayed in the lower pane on the screen. Click a link in the packet trace history to see details of that packet trace.
    • To create a packet trace of a packet flow, click the row for that packet flow and click Create Packet Trace. A new packet trace is created, pre-filled with data from the selected packet flow.
    To manage which packet flows are shown, you can:
    • Click Expand All to expand all flows that are collapsed under their device name.
    • Click Collapse All to collapse all packet flows under their device name.
    • Use the Filter field to display only those packet flows matching the filter. Any value displayed should be usable in the filter field, including an IPv4 subnet.

Monitoring Active Firewall Policies

View active firewall policies

You use the Active Policy screen to view summary information about the firewall policies and rules that are currently active on BIG-IP devices.
  1. Click Monitoring > REPORTS > Security > Network Security > Active Firewall Policies.
  2. Review the firewall policies, including on what BIG-IP devices they are active.
  3. To review the rules and rule lists in a policy, click the policy name.
    The screen displays rules and rule lists in the policy.
  4. To edit a rule or rule list, click the name of the rule or rule list.

Active firewall policy rule properties

The following rule properties are shown for a firewall policy that is active on a BIG-IP device.
  • #: Specifies the evaluation order of the rule within the policy. Rules are evaluated from the lowest number to the highest. If a rule is contained within a rule list, it is numbered after the decimal point. For example, a policy with 3 rules, followed by a rule list containing 2 rules, followed by another rule outside of the rule list, would be numbered 1, 2, 3, 4, 4.1, 4.2, 5. In the example, 4 represents the rule list, and 4.1 and 4.2 are the evaluation order of the rules within that rule list.
  • Rule Name: Specifies the name of the rule. When the row contains a rule list, this contains a reference to the rule list. You can click the rule name for more information.
  • Rule List Name: Specifies the name of the rule list that contains one or more rules. This is blank when the row contains a rule.
  • UUID: Specifies the universally unique identifier (UUID) associated with the rule. You can use the UUID to search for a rule in a policy. You must enable this feature on the BIG-IP device for UUIDs to be assigned to rules on that device.
  • Action: Specifies the action taken when the rule is matched, such as accept, drop, or reject.
  • Protocol: Specifies the IP protocol the rule compares against the packet.
  • Log: Specifies whether the firewall should write a log entry for packets that match this rule.
  • State: Specifies the activity state of the rule, such as enabled or disabled.

Monitoring Firewall Rules

About firewall rule monitoring

In BIG-IQ Centralized Management, you can monitor:
  • Firewall rule statistics, such as the number of times inbound network traffic matches a firewall rule on a BIG-IP device (also referred to as a firewall rule hit count) as well as the rule overlap status.
  • Firewall rule compilation statistics for a set of rules associated with a firewall context on a BIG-IP device.

Monitoring firewall rule statistics and hit counts

You can monitor firewall rule statistics and hit counts on one or more BIG-IP devices using Network Security monitoring.
Firewall rule statistics are collected for the rules in the enforced policy associated with a firewall, but not for the rules in a staged policy. A rule that exists only in a staged policy therefore has no hit count to report.
If a virtual server, route domain, or self IP is created using the BIG-IQ system, firewall statistics cannot be collected until the changes are deployed to the device and reimported.
  1. At the top left of the screen, select Network Security from the BIG-IQ menu.
  2. Click Monitoring.
  3. Click Firewall Rule Statistics.
    The Firewall Rule Statistics screen opens and displays a list of firewall contexts, including their name, partition, type, and the BIG-IP device on which they occur.
  4. Click the name of the firewall context to monitor.
  5. The Firewall Rule Statistics page for that firewall context displays.
    The following information is listed in the named columns for each firewall rule on the BIG-IP device:
    • Rule Name specifies the name of the rule used in the policy. If not listed, the rule is not running.
    • Rule List Name specifies the name of the rule list if the rule is in a rule list.
    • Rule specifies the name of the rule within a rule list. If the rule is not in a rule list, this field is blank.
    • Overlap Status specifies whether the rule overlaps with another rule.
    • Hit Count specifies the number of times the rule has been matched.
    • Last Hit Time specifies when the rule was last matched.
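The numbering scheme described under Active firewall policy rule properties, the Stale Rule Criteria options of the firewall rule reports, and the Overlap Status and Hit Count columns above can all be reproduced from a policy definition and its statistics. The following Python script is an added example, not BIG-IQ code: it flattens a policy containing a rule list into evaluation order (1, 2, 3, 4.1, 4.2, 5 for the sample policy), marks a rule as shadowed when an earlier rule already matches everything the rule would match, and produces the rows a stale rule report would contain for either criterion. The rule fields, the sample policy and statistics, and the overlap labels are this example's assumptions, not BIG-IQ's schema or the overlap terms BIG-IP reports.

```python
"""Stale-rule and overlap analysis over firewall rule statistics (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_network
from typing import Optional

ANY = "any"
UTC = timezone.utc

@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    protocol: str = ANY
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_ports: tuple = (0, 65535)        # inclusive destination port range
    hit_count: int = 0                   # statistics of the enforced policy
    last_hit: Optional[datetime] = None  # None: never matched

@dataclass(frozen=True)
class RuleList:
    name: str
    rules: tuple

def flatten(policy):
    """Number entries as the Active Firewall Policies screen does: top-level
    entries are 1, 2, 3, ...; a rule list takes number n and its member rules
    are n.1, n.2, ... Returns one row per rule, in evaluation order."""
    rows = []
    for n, entry in enumerate(policy, start=1):
        if isinstance(entry, RuleList):
            rows += [{"#": f"{n}.{m}", "rule_list": entry.name, "rule": r}
                     for m, r in enumerate(entry.rules, start=1)]
        else:
            rows.append({"#": str(n), "rule_list": "", "rule": entry})
    return rows

def covers(a: Rule, b: Rule) -> bool:
    """True when every packet that b would match is already matched by a."""
    return (a.protocol in (ANY, b.protocol)
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.dst_ports[0] <= b.dst_ports[0] <= b.dst_ports[1] <= a.dst_ports[1])

def overlap_status(rows, index):
    """'shadowed by X' when an earlier rule X fully covers this rule (a shadowed
    rule can never be hit under first-match evaluation), otherwise 'none'.
    These labels are this example's own, not BIG-IQ's."""
    rule = rows[index]["rule"]
    for earlier in rows[:index]:
        if covers(earlier["rule"], rule):
            return f"shadowed by {earlier['rule'].name}"
    return "none"

def stale_rule_report(policy, count_less_than=None, not_hit_since=None):
    """Rows for rules meeting either Stale Rule Criteria (OR when both are given)."""
    rows = flatten(policy)
    report = []
    for i, row in enumerate(rows):
        r = row["rule"]
        low_count = count_less_than is not None and r.hit_count < count_less_than
        not_since = not_hit_since is not None and (r.last_hit is None or r.last_hit < not_hit_since)
        if low_count or not_since:
            report.append({"#": row["#"], "rule_list": row["rule_list"], "rule": r.name,
                           "action": r.action, "hit_count": r.hit_count,
                           "last_hit": r.last_hit.isoformat() if r.last_hit else "never",
                           "overlap_status": overlap_status(rows, i)})
    return report

# Constructed policy and statistics; not taken from any real device.
RECENT = datetime(2022, 3, 1, tzinfo=UTC)
POLICY = (
    Rule("allow-dns", "accept", "udp", dst="192.0.2.53/32", dst_ports=(53, 53),
         hit_count=120_000, last_hit=RECENT),
    Rule("allow-web", "accept", "tcp", dst="192.0.2.0/24", dst_ports=(80, 443),
         hit_count=9_800_000, last_hit=RECENT),
    Rule("allow-web-legacy", "accept", "tcp", "10.0.0.0/8", "192.0.2.10/32", (443, 443)),
    RuleList("mgmt-access", (
        Rule("allow-ssh-from-jump", "accept", "tcp", "10.0.9.5/32", "192.0.2.0/24", (22, 22),
             hit_count=42, last_hit=datetime(2021, 6, 10, tzinfo=UTC)),
        Rule("allow-snmp", "accept", "udp", "10.0.9.0/24", "192.0.2.0/24", (161, 161),
             hit_count=3, last_hit=datetime(2020, 1, 1, tzinfo=UTC)))),
    Rule("drop-all", "drop", hit_count=55_000, last_hit=RECENT),
)

def example():
    """Rules with fewer than 10 hits, or not hit since 1 Jan 2021."""
    return stale_rule_report(POLICY, count_less_than=10,
                             not_hit_since=datetime(2021, 1, 1, tzinfo=UTC))

if __name__ == "__main__":
    for row in example():
        print(row)
```

In the sample, rule 3 is reported stale and shadowed by allow-web, which explains its zero hit count: it is unreachable, not merely unused, and removing it is safe. Rule 4.2 is stale on both criteria but not shadowed, so it was once reachable and its removal is a policy decision. A shadowed rule that nevertheless shows hits indicates statistics collected before a reorder, which the note above about deploying and reimporting also covers.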

Monitoring firewall rule compilation statistics

You can monitor rule compilation statistics on one or more BIG-IP devices using Network Security monitoring. This information is similar to what is displayed by the tmsh show security firewall container-stat command.
If a firewall context references a policy that is both staged and enforced, there are two entries in the compilation statistics: one for the enforced policy and one for the staged policy.
  1. On the left, click REPORTS > Security > Network Security > Compilation Statistics.
    The Firewall Compilation Statistics screen opens and displays the list of BIG-IP devices managed by the BIG-IQ system, including their network name, IP address, and BIG-IP device version.
  2. Click the name of the BIG-IP device to monitor.
  3. The Firewall Compilation Statistics page for that BIG-IP device displays.
    Depending on the version of the BIG-IP device, the following information, or a subset of it, may be listed in the named columns for the rules within each firewall context on the BIG-IP device:
    • Context Name specifies the context name associated with the rules, such as /Common/global-firewall-rules.
    • Context Type specifies the firewall context type associated with the rules, such as global or self IP.
    • Policy Name specifies the name of the policy associated with the rules.
    • Policy Type specifies the type of policy associated with the rules, such as enforced or staged.
    • Rule Count specifies the number of rules compiled for this BIG-IP device context, such as 30. This count includes rules in rule lists as well as rules that are not in rule lists.
    • Compile Duration specifies the amount of time required to compile the rules, expressed as hours:minutes:seconds.
    • Overlap Check Duration specifies the amount of time required to check for overlapping rules, expressed as hours:minutes:seconds.
    • Size specifies the size of the compiled rules in bytes.
    • Max Memory specifies the maximum amount of memory consumed by the rules in bytes.
    • Activation Time specifies when the rules were activated and became available for use.

Monitoring Network Security Event Logs

Configure logging for Network Security events

Before you configure monitoring of Network Security data logging, ensure that the Network Security service is running on the DCD.
Confirm that the Network Security service is activated by reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices screen: System > BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices.
Note whether the designated DCD listener is configured to monitor the BIG-IP devices using their self IP or their management network IP address. Using the management network for data collection is strongly discouraged: it is not intended for production traffic, and firewall event logging can be high-volume. If your DCD is using the management network IP, you must define a network routing gateway on your BIG-IP device as described in BIG-IP TMOS: Routing Administration.
If you deactivate the Network Security service for a DCD, or remove a DCD with that service enabled, the associated pool member is removed from the pool the next time you deploy to the BIG-IP device (or devices). The pool afm-remote-logging-pool_<big-ip name> contains the pool member for the specified BIG-IP device.
You configure the collection of Network Security data logs so that you can better view and monitor information about your Network Security policies and firewalls. The BIG-IQ Centralized Management system provides a single-button configuration process that creates and configures the needed configuration objects. The system automatically creates these configuration objects, if needed:
  • One or more logging profiles
  • A log publisher
  • A log destination
  • A pool for each device
  • Pool members
  • A pool monitor
  1. Click Configuration > SECURITY > Network Security > Contexts.
  2. In the list of firewall contexts, select the check box to the left of the one or more virtual servers to use.
    The virtual servers are listed in the Firewall Type column as vip.
  3. Click Configure Logging.
    The Network Security Logging Configuration dialog box opens.
  4. In the dialog box, click Continue.
    The dialog box shows the configuration status, including which objects were created.
  5. Click Close.
  6. Use the Deployment screens to deploy the BIG-IP device associated with the virtual server using the Local Traffic service:
    1. Click Deployment > EVALUATE & DEPLOY > Local Traffic & Network.
    2. In the Deployments area, click Create.
    3. Specify a Name and Description, and select the appropriate deployment options.
    4. In the Target Device(s) area, select the device used by the application and click Create.
    The deployment causes some of the objects created by the Network Security logging configuration process to be deployed to the device.
  7. Deploy the BIG-IP device for the virtual server using the Network Security service:
    1. Click Deployment > EVALUATE & DEPLOY > Network Security.
    2. In the Deployments area, click Create.
    3. Specify a Name and Description, and select the appropriate deployment options.
    4. In the Target Device(s) area, select the BIG-IP device to deploy and click Create.
    The deployment causes the remaining objects created by the Network Security logging configuration process to be deployed to the device.
You have now configured your logging profile to send Network Security events from the BIG-IP devices associated with the virtual servers. Once you have deployed your changes, you can view these events on the Monitoring > EVENTS > Network Security screens.
Once you have completed this process, ensure that all your changes to your Local Traffic and Shared Security virtual servers are deployed to the host BIG-IP device. You can deploy your changes from Deployment > EVALUATE & DEPLOY > Local Traffic & Network and Deployment > EVALUATE & DEPLOY > Shared Security.

View Network Security events

You need to configure the logging of Network Security events before you can view them.
You view Network Security events to better track the firewall events that occur on your BIG-IP devices.
  1. Click Monitoring > EVENTS > Network Security.
    The navigation area expands to show the different types of Network Security events available.
  2. Click the type of event you want to view, such as Firewall. To see all Network Security events, click All Network Security Events.
  3. Review the information on the screen.
    • To view additional details about an event:
      • Click in the row for the event to see event details listed in the lower pane. You can navigate to events below or above the selected event by clicking the arrows.
      • Click any blue links shown in the upper or lower panes to see more details about the linked object or to change the object.
    • To focus on a reduced number of events:
      • Select a device name from the list at the upper left to view events from only that single BIG-IP device. By default this is set to
        All Devices
        .
      • In the Filter field in the upper right, type a text string to use a simple text filter on the events. You can use more complex filters by clicking the filter icon to the left of the Filter field. Note that the simple text filter does not support more complex filter syntax, such as specifying time in minutes and seconds.
    • To change how often the event list is refreshed, select a value in the setting in the upper left.

Create filters for Network Security events

You create Network Security event filters so you can save the filters you use frequently to search for events, and not have to recreate them each time.
  1. Click
    Monitoring
    EVENTS
    Network Security
    Filters
    .
  2. Click
    Add
    .
  3. Type a unique
    Filter Name
    .
  4. Create the filter using the Query Parameters area or by entering the query directly into the Query Expression area.
    In most cases, you should create the filter query using the Query Parameters area and only edit it directly if you need to refine it further.
  5. If you are creating the filter using the Query Parameters area, supply those parameter settings you want to be part of the filter.
    Note that as you enter parameter settings, they are used to construct the filter query in the Query Expression area. You can also edit the filter query directly as described in the following step.
  6. If you are creating the filter by directly entering text into the Query Expression area, use the following syntax for that query text.
    • You express elements of the filter query as key:value pairs, with the key and value separated by a colon, such as profile_name:"MyCurrentProfile".
    • You can use the following operators within a filter query.
      Operator   Usage Example
      AND        This:p1 AND bar:(A AND B AND "another value")
      AND NOT    AND NOT qux:error
      OR         name:"this is a name" OR bar:(A OR B OR C)
      OR NOT     OR NOT qux:error
      *          support_id:*123* (this operator can only be used for text fields)
    • You must enclose values that contain spaces in quotation marks, such as key:"two words".
    • You can query any field for more than one value by enclosing the values in parentheses, such as key:(a b "two words"). In this case, the default operator is OR.
    • Only pre-defined values are allowed for fields with a type of multi-value. These values are listed in the Query Parameters area, in the list next to the relevant field.
    • Values with a type of date accept valid date formats, such as 'Oct 30, 2017 00:00:00'.
    • Values of the date range type accept input in the format [min_date...max_date], such as '[Oct 30, 2017 00:00:00...Oct 30, 2017 06:00:00]'. The date range might also contain only a minimum without a maximum, or the reverse, such as '[Oct 30, 2017 00:00:00...]' or '[...Oct 30, 2017 00:00:00]'.
    • Values of the numeric range type accept input in the format [min...max], such as '[1...100]'. The numeric range might also contain only a minimum without a maximum, or the reverse, such as '[1...]' or '[...100]'.
    • You must include the full path to the policy in a policy name, such as /Common/MyPolicy.
  7. You can enter fields in the Query Expression area that are not shown in the Query Parameters area by discovering them in the user interface.
    1. Click the event row to show the event details in the lower part of the screen.
    2. Hover over a label name in that area to see the field name to use in the query expression. For example, hovering over Signature Name in the lower screen shows that the matching field is sig_name.
  8. Save your work.

Monitoring Web Application Security

When Analytics is enabled on BIG-IQ, and AVR is provisioned on managed BIG-IP devices, you can view detailed insights about the traffic that violated your layer 7 security policies. Data can indicate the need for changes to the application service's Web Application Security (ASM) protection.
Policy management indicators can include, but are not limited to:
  • Policy enforcement settings: A security policy may be deployed in Transparent or Blocking enforcement mode. Depending on your environment, you may want to change this setting after the application service is deployed.
  • Increased bad traffic: Drill down into traffic details, such as geolocation or malicious requests, or targeted URLs to identify sources of an attack. Based on these results, the security admin can enable strict enforcement for specific objects.
  • False Positives: Application service alerts of increased false positives may indicate that enforcement settings are too strict and need adjustment.
Centralized management supports statistics monitoring for AS3, Legacy, and Service Catalog application services. For more information about BIG-IP support for security information, see Configuring Statistics Collection in BIG-IQ: Monitoring and Reports at support.f5.com.
If you are running BIG-IP v13.0.8, or later, you are able to view the dynamic Web Application Security dashboards found on Monitoring > DASHBOARDS > Web Application Security. For more information about the information you can see in these dashboards, see Monitoring Web Application Security Activity.
To view traffic statistics for objects with Web Application Security policy protection, you must have the following settings configured.
  • A BIG-IQ data collection device configured for the BIG-IQ device
  • The BIG-IP device located in your network and running a compatible software version
  • Statistics collection enabled for managed BIG-IP devices
  • AVR provisioned on your BIG-IP devices

Web Application Security Reports (BIG-IP versions 13.0 or earlier)

For managed BIG-IP devices running version 13.0, or earlier, you can use BIG-IQ Web Application Security Reporting to view reports for managed BIG-IP devices that are provisioned for Application Visibility and Reporting (AVR). Similar to the availability of the AVR reporting on a single device, you have the ability to get visibility into application traffic passing through a single managed BIG-IP device or an aggregated system (aggregated data for multiple BIG-IP devices).
If you are managing BIG-IP devices running version 13.0.8, or later, you are able to see Web Application Security data on full dashboards. For more information about monitoring Web Application Security for later versions of BIG-IP, see BIG-IQ Web Application Security on support.f5.com.
You can generate reports and charts in the following areas:
  • Application: You can view information about requests based on applications (iApps), virtual servers, security policies, attack types, violations, URLs, client IP addresses, IP address intelligence (reputation), client countries, severity, response codes, request types, methods, protocols, viruses detected, usernames, and session identification numbers.
  • Anomalies: You can view charts of statistical information in graphs about anomaly attacks, such as brute force attacks and web scraping attacks. You can use these charts to evaluate traffic to the web application, and to evaluate the vulnerabilities in the security policy.
  • DoS application layer: If you have configured DoS protection on the BIG-IP system, you can view charts and reports that show information about DoS attacks and their impact on transaction outcomes and URL latency.

Monitoring Web Application Security Reports

The following are general prerequisites for viewing security data:
  • A managed BIG-IP version 13.0, or earlier.
  • Managed BIG-IP devices have ASM provisioned for managing security policies
  • A BIG-IQ data collection device configured for the BIG-IQ device
  • The BIG-IP device located in your network and running a compatible software version
  • Statistics collection enabled for managed BIG-IP devices
  • AVR provisioned on your BIG-IP devices
View graphic charts and reports about transactions detected on a selected device that has Web Application Security. You can then use these charts to evaluate traffic to the web application, and to evaluate the vulnerabilities in the security policy.
  1. Go to Monitoring > REPORTS > Web Application Security > Reporting.
  2. From the left menu, select:
    1. Application: view charts for general application traffic data as it relates to Transaction Outcomes or URL Latencies.
    2. Anomalies: view charts about anomaly attacks (such as brute force attacks and web scraping).
    3. DoS: view charts for DoS Protection.
      This will only display results if you have configured a DoS profile for Application Security.
  3. From the Devices list, select a device.
    A chart will display at the bottom of the screen.
  4. From the Time Period list, select a time period for the chart display.
You have now created a Web Application Security report for a managed BIG-IP device running a legacy version.

View correlated application security events

You can view application security events correlated into groups called incidents. These incidents are based on common security considerations, such as application area, the source of transactions, and so on. Using this screen might be more effective than reviewing all the application security events in the event log, where events are not grouped.
  1. Click Monitoring > EVENTS > Web Application Security > Event Correlation.
  2. Specify what information you want to see, and review the events.
    • To see details of a correlated event incident, click the event entry row. In the screen that opens below, the Event Correlation area shows details of the incident, including blue links that you can click for additional information.
    • To see details and samples of a correlated event incident, click the link in the Incident Type column for the event entry row. A screen opens below with additional details.
      • The Event Correlation area shows details of the incident, including blue links that you can click for additional information.
      • The Samples area shows samples of the incident that you can click for more details. When you click a sample link, a screen on the right opens and displays sample details.
        • In the sample details screen, you can choose to see compact or full information. At the top of the screen, click Compact for summary information, or click Full for complete information.
        • In the sample details screen, you can choose to see either request or response information. Click Request for request information, or Response for response information. Both kinds of information contain links in blue that you can click for more information.
    • To disable the automatic refreshing of the data on this screen, click Disable Auto Refresh. The screen updates.
      • To manually refresh the data on the screen, click Refresh.
      • To enable automatic refreshing of the data on the screen, click Enable Auto Refresh.
    • To display only those events that contain a specified string, type that string in the Filter field.
    • To create filters to use to filter the correlation events, click the filter icon to the left of the Filter field in the upper right of the screen. In the dialog box that opens, click Create.

View brute force attack events

You can view a summary of the brute force attack events for your Web Application Security policies. The summary information includes the number of login attempts, the anomaly attack type, which login page is being attacked, the attack status, and when the mitigation began and ended.
  1. Click Monitoring > EVENTS > Web Application Security > Brute Force Attacks.
  2. Specify what information you want to see, and review the events.
    • To see more details about a specific attack, click the row for that attack. A screen opens on the right giving additional information, such as the attack summary, mitigated IP address, mitigated device identifiers, mitigated user names, and known leaked credentials. As you review this information, you can click any blue links in the information for additional details.
    • To display only those events that contain a specified string, type that string in the Filter field.
    • To create named filters to use to filter the brute force attack events more completely, click the filter icon to the left of the Filter field in the upper right of the screen. In the dialog box that opens, click Create.

Monitoring DoS Events

Configure logging for DoS events on a virtual server

Before you configure monitoring of DoS events, you need to ensure that the DoS Protection service is enabled on the DCD.
Verify this by reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices screen. Click System > BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices.
If the DoS Protection service is not running, click Activate to start it.
If you deactivate the DoS Protection service for a DCD, or remove a DCD with that service enabled, the associated pool member will be removed from the pool when you next deploy to the BIG-IP device (or devices). The pool dos-remote-logging-pool_big-ipname (where big-ipname is the name of the BIG-IP device) contains the pool member for the specified BIG-IP device.
You configure the collection and viewing of DoS events so that you can better view and monitor information about your DoS protection. The BIG-IQ Centralized Management system provides a single-button configuration process that creates and configures the needed configuration objects. The system automatically creates the following configuration objects, if needed:
  • One or more logging profiles
  • A log publisher
  • A log destination
  • A pool for each device
  • Pool members
  • A pool monitor
  1. Click Configuration > SECURITY > Shared Security > Virtual Servers.
  2. In the list, select the check box to the left of the object that will host the logging profile.
  3. Click Manage Logging and select Configure DoS Logging.
    The DoS Logging Configuration dialog box opens.
  4. In the dialog box, click Continue.
    The dialog box shows the configuration status, including which objects were created.
  5. Click Close.
  6. Use the Deployment screens to deploy the BIG-IP device associated with the virtual server using the Local Traffic service, following these steps.
    1. Click Deployment > EVALUATE & DEPLOY > Local Traffic & Network.
    2. In the Deployments area, click Create.
    3. Specify a Name and Description, and select the appropriate deployment options.
    4. In the Target Device(s) area, select the device used by the application and click Create.
    The deployment causes some of the objects created by the DoS logging configuration process to be deployed to the device.
  7. Deploy the same BIG-IP device using either the Network Security or Web Application Security service, following these steps.
    You can use either service since both include the Shared Security objects.
    1. Click Deployment > EVALUATE & DEPLOY > Network Security or Deployment > EVALUATE & DEPLOY > Web Application Security.
    2. In the Deployments area, click Create.
    3. Specify a Name and Description, and select the appropriate deployment options.
    4. In the Target Device(s) area, select the device used by the application and click Create.
    The deployment causes the rest of the objects created by the DoS logging configuration process to be deployed to the device.
You have now configured your logging profile to send DoS Protection events from the BIG-IP devices associated with the virtual servers. Once you have deployed your changes, you can view these events on the Monitoring > EVENTS > DoS screens.
To ensure that data is load balanced among your DCD devices, you must change the remote log destination. For more information, see Edit log publisher destinations.
Once you have completed this process, ensure that all your changes to your Local Traffic and Shared Security virtual servers are deployed to the host BIG-IP device. You can deploy your changes by going to Deployment > EVALUATE & DEPLOY > Local Traffic & Network and Deployment > EVALUATE & DEPLOY > Shared Security.

Configure device DoS configuration

Before you configure monitoring of DoS events, you need to ensure that the DoS Protection service is running on the DCD.
Verify this by reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices screen. Click System > BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices.
If the DoS Protection service is not running, click Activate to start it.
If you deactivate the DoS Protection service for a DCD, or remove a DCD with that service enabled, the associated pool member will be removed from the pool when you next deploy to the BIG-IP device (or devices). The pool dos-remote-logging-pool_big-ipname (where big-ipname is the name of the BIG-IP device) contains the pool member for the specified BIG-IP device.
You configure the collection and viewing of device DoS events so that you can better view and monitor information about your DoS protection. The BIG-IQ Centralized Management system provides a single-button configuration process that creates and configures the needed configuration objects. The system creates the following configuration objects, if needed:
  • One or more logging profiles
  • A log publisher
  • A log destination
  • A pool for each device
  • Pool members
  • A pool monitor
The objects that are created are shared among these device DoS configurations and should not be modified. Modifying these objects could affect the ability of the BIG-IP devices to send device DoS events to the DCD.
  1. Click Configuration > SECURITY > Shared Security > DoS Protection > Device DoS Configurations.
  2. In the list, select the check box to the left of each device DoS configuration to use.
    The device DoS configuration has the same name as the BIG-IP device.
  3. Click Configure DoS Logging.
    The DoS Logging Configuration dialog box opens.
  4. In the dialog box, click Continue.
    The dialog box shows the configuration status, including which objects were created.
  5. Click Close.
  6. Use the Deployment screens to deploy the BIG-IP device associated with the virtual server using the Local Traffic service, following these steps.
    1. Click Deployment > EVALUATE & DEPLOY > Local Traffic & Network.
    2. In the Deployments area, click Create.
    3. Specify a Name and Description, and select the appropriate deployment options.
    4. In the Target Device(s) area, select the device used by the application and click Create.
    The deployment causes some of the objects created by the Device DoS logging configuration process to be deployed to the device.
  7. Deploy the same BIG-IP device using either the Network Security or Web Application Security service, following these steps.
    You can use either service since both include the Shared Security objects.
    1. Click Deployment > EVALUATE & DEPLOY > Network Security or Deployment > EVALUATE & DEPLOY > Web Application Security.
    2. In the Deployments area, click Create.
    3. Specify a Name and Description, and select the appropriate deployment options.
    4. In the Target Device(s) area, select the device used by the application and click Create.
    The deployment causes the rest of the objects created by the Device DoS logging configuration process to be deployed to the device.
You can now receive device DoS events from the BIG-IP devices and view them on the Monitoring > EVENTS > DoS screens.

View DoS events

You need to configure the logging of DoS or device DoS events before you can view them.
You view DoS events to better track the DoS and device DoS events that occur on your BIG-IP devices.
If you are monitoring BIG-IP devices running a supported version (13.1.0.8 or later), you can view summary information about ongoing DoS attacks from Monitoring > DASHBOARDS > DDoS > Protection Summary. For more information, see Monitoring Ongoing DDoS Attacks.
  1. Click Monitoring > EVENTS > DoS.
    The navigation area expands to show the different types of DoS events available.
  2. Specify the type of information you want to see:
    • To see a specific kind of DoS event, click that event type, such as Application Events.
    • To see all DoS attack events in a tabular format, click All DoS Attack Events.
    • To see a summary of all DoS attack events in a graphical format, click DoS Summary.
  3. Review the information on the screen.
    • To view additional details about an event:
      • Click the row for the event to see event details listed in the lower pane. You can navigate to events below or above the selected event by clicking the arrows.
      • Click any blue links shown in the upper or lower panes to see more details about the linked object.
      • In the detailed information for values that change over time, current, minimum, maximum, and last values may be shown. For example, an attack type might currently have a severity of 3, with a minimum of 2 and a maximum of 3 during the time period; after the attack is over, the last value might be 2. Current values are labeled Curr, minimum values Min, maximum values Max, and last values Last.
      • On the DoS Attacks Summary screen, click the number for an attack in the Attack ID column to see additional tabular and graphical details about that attack, such as the attack type, the mitigation used, and so on.
    • To focus on a reduced number of events:
      • Select a device name from the list at the upper left to view events from only that single BIG-IP device. By default this is set to All Devices.
      • In the Filter field in the upper right, type a text string to filter the events. You can create or use advanced filters by clicking the filter icon to the left of the Filter field.
    • To change how often the event list is refreshed, select a value in the setting in the upper left.

Create filters for DoS events

You create DoS event filters so you can save the custom filters you use to search for events and not have to recreate them each time.
  1. Click Monitoring > EVENTS > DoS > Filters.
  2. Click Add.
  3. Type a unique Filter Name.
  4. Create the filter using the Query Parameters area or by entering the query directly into the Query Expression area.
    In most cases, you should create the filter query using the Query Parameters area and only edit it directly if you need to refine it further.
  5. If you are creating the filter using the Query Parameters area, supply those parameter settings that you want to be part of the filter.
    Note that as you enter parameter settings, they are used to construct the filter query in the Query Expression area. You can also edit the filter query directly as described in the following step.
  6. If you are creating the filter by directly entering text into the Query Expression area, use the following syntax for that query text.
    • You express elements of the filter query as key:value pairs, with the key and value separated by a colon, such as profile_name:"MyCurrentProfile".
    • You can use the following operators within a filter query.
      Operator   Usage Example
      AND        This:p1 AND bar:(A AND B AND "another value")
      AND NOT    AND NOT qux:error
      OR         name:"this is a name" OR bar:(A OR B OR C)
      OR NOT     OR NOT qux:error
      *          support_id:*123* (this operator can only be used for text fields)
    • You must enclose values that contain spaces in quotation marks, such as key:"two words".
    • You can query any field for more than one value by enclosing the values in parentheses, such as key:(a b "two words"). In this case, the default operator is OR.
    • Only pre-defined values are allowed for fields with a type of multi-value. These values are listed in the Query Parameters area, in the list next to the relevant field.
    • Values with a type of date accept valid date formats, such as 'Oct 30, 2017 00:00:00'.
    • Values of the date range type accept input in the format [min_date...max_date], such as '[Oct 30, 2017 00:00:00...Oct 30, 2017 06:00:00]'. The date range might also contain only a minimum without a maximum, or the reverse, such as '[Oct 30, 2017 00:00:00...]' or '[...Oct 30, 2017 00:00:00]'.
    • Values of the numeric range type accept input in the format [min...max], such as '[1...100]'. The numeric range might also contain only a minimum without a maximum, or the reverse, such as '[1...]' or '[...100]'.
    • You must include the full path to the policy in a policy name, such as /Common/MyPolicy.
  7. You can enter fields in the Query Expression area that are not shown in the Query Parameters area by discovering them in the user interface.
    1. Click the event row to show the event details in the lower part of the screen.
    2. Hover over a label name in that area to see the field name to use in the query expression. For example, hovering over Signature Name in the lower screen shows that the matching field is sig_name.
  8. Save your work.
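The Query Expression syntax in step 6 above is the same one given in step 6 of "Create filters for Network Security events", and it is precise enough to parse and check before a filter is saved. The following Python is an added example, not BIG-IQ code: it tokenizes a query expression into the page's key:value terms, AND / OR / AND NOT / OR NOT combinations, parenthesised value lists (default operator OR), * wildcards and '[min...max]' ranges, then applies the page's per-type rules (wildcards only on text fields, full-path policy names, only pre-defined values for multi-value fields). The AST layout, the FIELD_TYPES table and the severity value list are assumptions made for the example; the real field set is whatever the Query Parameters area lists for your events.

```python
"""Parser and validator for the BIG-IQ event-filter Query Expression syntax on this page.
Added example, not BIG-IQ code. It implements the page's rules: key:value pairs; AND, OR,
AND NOT, OR NOT; quoted values; parenthesised value lists defaulting to OR; the * wildcard on
text fields; '[min...max]' ranges; full-path policy names. AST shape and FIELD_TYPES are assumed."""
import re

# One capturing group per token kind, in KINDS order: ( ) : "text" 'text' bare-word.
TOKEN_RE = re.compile(r'''\s*(?:(\()|(\))|(:)|"([^"]*)"|'([^']*)'|([^\s():"']+))''')
KINDS = ("LPAREN", "RPAREN", "COLON", "DQUOTE", "SQUOTE", "WORD")
RANGE_RE = re.compile(r"^\[(.*?)\.\.\.(.*?)\]$")  # '[min...max]'; either bound may be empty

def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:pos + 10]!r}")
        pos, kind, value = m.end(), KINDS[m.lastindex - 1], m.group(m.lastindex)
        if kind == "WORD" and value in ("AND", "OR", "NOT"):
            kind = "OP"  # operators are reserved bare words
        tokens.append((kind, value))
    return tokens

def value_node(tok):
    # ("range", lo, hi) | ("literal", s) e.g. a quoted date | ("wildcard", s) | ("text", s)
    kind, raw = tok
    if kind not in ("WORD", "DQUOTE", "SQUOTE"):
        raise ValueError(f"expected a value, got {raw!r}")
    if kind != "SQUOTE":
        return ("wildcard", raw) if kind == "WORD" and "*" in raw else ("text", raw)
    m = RANGE_RE.match(raw)
    if not m:
        return ("literal", raw)
    lo, hi = m.group(1).strip() or None, m.group(2).strip() or None
    if lo is None and hi is None:
        raise ValueError("a range needs at least one bound")
    return ("range", lo, hi)

class Parser:
    """expr := term ((AND|OR) [NOT] term)* ; term := field ':' (value | '(' value+ ')')
    AST: ("term", field, list_op, [values]) | ("and"|"or", lhs, rhs) | ("not", node)"""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind):
            raise ValueError(f"expected {kind or 'a token'}, got {tok[1]!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_term()
        while self.peek()[0] == "OP":
            op = self.take()[1]
            if op == "NOT":
                raise ValueError("NOT must follow AND or OR")
            negate = self.peek() == ("OP", "NOT")  # "AND NOT qux:error" / "OR NOT qux:error"
            if negate:
                self.take()
            rhs = self.parse_term()
            node = (op.lower(), node, ("not", rhs) if negate else rhs)
        if self.peek()[0] is not None:
            raise ValueError(f"unexpected {self.peek()[1]!r}")
        return node

    def parse_term(self):
        field = self.take("WORD")[1]
        self.take("COLON")
        if self.peek()[0] != "LPAREN":
            return ("term", field, "OR", [value_node(self.take())])
        self.take()
        values, op = [value_node(self.take())], None
        while self.peek()[0] != "RPAREN":  # key:(a b "two words") defaults to OR
            if self.peek()[0] == "OP":
                found = self.take()[1]
                if found == "NOT" or (op and op != found):
                    raise ValueError("a value list may use only one of AND or OR")
                op = found
            values.append(value_node(self.take()))
        self.take("RPAREN")
        return ("term", field, op or "OR", values)

# Assumed field types for validation; the real list is whatever the Query Parameters area shows.
FIELD_TYPES = {"policy_name": "policy", "support_id": "text",
               "severity": ("multi", {"Informational", "Error", "Critical"})}  # constructed values

def validate(node, field_types=FIELD_TYPES):
    """Check the page's per-type rules; returns a list of problems (empty means valid)."""
    if node[0] != "term":
        return [p for child in node[1:] for p in validate(child, field_types)]
    _, field, _, values = node
    ftype, problems = field_types.get(field, "text"), []
    for v in values:
        if v[0] == "wildcard" and ftype != "text":
            problems.append(f"{field}: * is only allowed on text fields")
        if ftype == "policy" and v[0] == "text" and not v[1].startswith("/"):
            problems.append(f"{field}: policy names need the full path, such as /Common/MyPolicy")
        if isinstance(ftype, tuple) and v[0] in ("text", "literal") and v[1] not in ftype[1]:
            problems.append(f"{field}: {v[1]!r} is not a pre-defined value")
    return problems
```

Running validate over the parse tree before saving a named filter catches the mistakes the rules above describe (a policy name without its /Common/ path, a wildcard on a multi-value field, mixed AND and OR inside one value list) without waiting for the event screen to return nothing. Because the parser rejects a bare NOT and unbalanced parentheses with a ValueError, the same function doubles as a check that an expression copied from the Query Expression area is complete.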