Manual Chapter : Secure Web Gateway Statistics

Applies To:

Show Versions Show Versions


  • 13.0.1, 13.0.0
Manual Chapter

About SWG data for threat monitoring

After Secure Web Gateway (SWG) starts proxying web access, it provides information that you can use to monitor threats and to fine-tune URL filters.

On a BIG-IP® system with Access Policy Manager®, SWG can provide logs and reports.

On a BIG-IP system with an SWG subscription, SWG can provide overview statistics in addition to logs and reports.

Note: If you configure high-speed remote event logging, you have data on a remote system from which you can create your own reports.

Overview: Monitoring Internet traffic for threats

You can view Secure Web Gateway (SWG) statistics on the BIG-IP® system and adjust URL filters to handle new threats based on the information that you gather from logs and reports.

Before you begin, event logging should be configured. SWG reports and charts depend on event logging for URL filters. For event logging to occur, log settings must be configured and then specified in the access profile, and a Category Lookup item must be run in the per-request policy.

Task summary

About the Secure Web Gateway Overview

The Secure Web Gateway (SWG) overview provides multiple reports and charts that summarize the top requests, such as top URLs, top categories by blocked request count, top users by permitted request count or by blocked request count, and so on. The overview can be customized to show the specific type of data that you are interested in.

Note: SWG overview is available only on a BIG-IP® system with an SWG subscription.

In addition to the reports and charts on the overview, SWG provides the All Requests and Blocked Requests reports and charts. The reports can be filtered to show the information that you want to see.

Configuring statistics collection for SWG reports

Configure report settings to specify whether to gather statistics for Secure Web Gateway (SWG) reports and whether to use data sampling.
  1. On the Main tab, click Access > Overview > SWG Reports > Settings .
    The Report Settings screen displays.
  2. To enable statistics gathering, select the Collect Data check box.
    If you clear the check box, data collection stops.
  3. To enable dynamic data sampling, select the Sample Data check box.
    In exchange for a performance gain, data sampling might provide slightly inaccurate statistics. If statistics must be more accurate, then disable data sampling.

Examining statistics on the SWG Overview

Note: Newer browsers (Internet Explorer 9 or later, Firefox 3.6 or later, or Chrome 14 or later) support viewing charts with no additional plug-in. If using older browsers (Internet Explorer 8 or earlier), Adobe® Flash® Player (version 8 or later) must be installed on the computer where you plan to view charts.
You can review charts that show statistical information about traffic from your enterprise to the Internet. The charts provide visibility into the top requests for URL categories, blocked URL categories, top users, and so on.
Note: The system updates the statistics every five minutes; you can refresh the charts periodically to see the updates.
  1. On the Main tab, click Access Policy > Secure Web Gateway > Overview .
    Note: The Overview is available only on a BIG-IP® system with an SWG subscription.
    The Overview screen displays.
  2. From the Override time range to list, select a new time frame to apply to all of the widgets in the overview.
    Tip: Within each widget you can override the default time range, as needed.
  3. For each widget, select the data format and the time range to display, as needed.
  4. To focus on the specific details you want more information about, click the chart or the View Details link.
    The system refreshes the charts and displays information about the item.
  5. From the View By list, select the specific network object type for which you want to display statistics.
    You can also click Expand Advanced Filters to filter the information that displays.
  6. On the screen, the system displays the path you followed to reach the current display, including the items you clicked. For example, to review details for the top categories, follow these steps:
    1. In the Top categories by Request Count chart, click the category that interests you.
      Assume that your URL filters allow access to some news and media sites and that News and Media is among the top categories. Click News and Media.
      Charts display the request count per action over time and the request count per action. A details table lists the request count for allowed actions.
    2. In the View By list, select URLs.
      Charts update and a list of URLs displays in the details table. These are the top news and media URLs.
    3. To see which filter allowed this URL, from here you can continue to drill down successively by clicking a link in each details table that displays. As an alternative to drilling down, you can select any of the statistics displayed on the View By list; for example you can select URL Filter directly.
    The Overview charts display summarized data. You might notice as you drill down that details display on the Reports screen.
You can review the access policy to ensure that you use the optimal strategy for processing traffic. You can update URL filters to block, confirm, or allow particular URL categories. You can update URL categories to include new URLs that you have seen in statistics details, or to recategorize existing URLs to fit your policies. You can continue to review the collected metrics and troubleshoot the system as needed.

Focusing the Overview on security threats

You can display attempted access to sites that pose a security risk by adding the security category widget to the Secure Web Gateway (SWG) Overview screen and by filtering a Blocked Request report using the security categories filter.
  1. On the Main tab, click Access Policy > Secure Web Gateway > Overview .
    Note: The Overview is available only on a BIG-IP® system with an SWG subscription.
    The Overview screen displays.
  2. Click the Add Widget link near the bottom of the screen.
    The Add New Widget screen displays.
  3. From the Modules list, select Secure Web Gateway (Blocked).
    The security categories widget includes data requests that were blocked.
  4. From the View by list, select Security Categories.
    Requests that were blocked for URLs because they are included in the Security category or any of its subcategories are included in the data.
  5. Move a measurement from Available measurements to the Select up to 6 measurements to display list.
  6. For Data visualization, select one of the options.
    Details Table is the default option.
  7. Click Done.
    The Add New Widget screen closes.
The Overview screen displays the Security Categories chart.
You can also filter a Blocked Requests report to view this data by selecting Security Categories from the View by list.

Exporting or emailing SWG statistics

You can export or email charts that show Secure Web Gateway (SWG) statistics.
  1. On the Main tab, click Access Policy > Secure Web Gateway > Overview .
    Note: The Overview is available only on a BIG-IP® system with an SWG subscription.
    The Overview screen displays.
  2. Display the charts that show the information you want, clicking any of the options and adjusting the content as needed.
  3. On the upper right of the charts screen, click Export.
    Tip: To send the report to others by email, go to Statistics > Analytics > Scheduled Reports .
  4. Click Export.

Creating an SMTP server configuration

You specify the SMTP server configuration so that you can send emails through an SMTP server.
  1. On the Main tab, click System > Configuration > Device > SMTP .
  2. Click the Create button.
    The New SMTP Configuration screen opens.
  3. In the Name field, type a name for the SMTP server that you are creating.
  4. In the SMTP Server Host Name field, type the fully qualified domain name for the SMTP server host.
  5. In the SMTP Server Port Number field, type a port number.
    For no encryption or TLS encryption, the default is 25. For SSL encryption, the default is 465.
  6. In the Local Host Name field, type the host name used in the SMTP headers in the form of a fully qualified domain name.
    This host name is not the same as the BIG-IP® system's host name.
  7. In the From Address field, type the email address that you want displayed as the reply-to address for the email.
  8. From the Encrypted Connection list, select the encryption level required for the SMTP server.
  9. To require that the SMTP server validates users before allowing them to send email, select the Use Authentication check box, and type the user name and password required to validate the user.
  10. Click the Finish button.
You can now configure the system to use this SMTP server to send emails. For the SMTP mailer to work, you must make sure the SMTP server is on the DNS lookup server list, and configure the DNS server on the BIG-IP® system.

Implementation result

Secure Web Gateway (SWG) is configured to produce reports and charts.

About the reporting interval for charts and reports

The system updates the statistics for charts and reports at five minute intervals: at five minutes after the hour, ten minutes after the hour, and so on. Each five-minute mark includes data from the previous five minutes; so 12:45 includes data starting from 12:40:01 to 12:45:00.

Charts and data that you export from charts reflect the publishing interval of five minutes. For example, if you request data for the time period 12:40-13:40, the data in the chart or in the file that you export is for that time period. But if there is a request for data from 12:42-13:42, the data in the chart is from 12:45-13:45. By default, the BIG-IP® system displays one hour of data.

About statistics aggregation for weekly and longer time ranges

Secure Web Gateway (SWG) reports and charts for weekly, monthly, and yearly time ranges include statistics up through the previously completed hour. The system performs hourly updates to the aggregated statistics.

About Secure Web Gateway statistics

Secure Web Gateway (SWG) reports display statistical information about web traffic on your system. These details are available:

Action (allowed, blocked, or confirmed) taken on the URL request.
Client IP address
IP address from which the request for the URL originated.
Host Name
When available, host name from which the request for the URL originated.
Name of the preconfigured or custom URL category into which a requested URL falls.
Requested URL.
URL filters
Name of the URL filter SWG applied to the request based on the schedule in the scheme.
Security categories
The security category of the URL if it was blocked, because it matched a security category.
Note: Security categories are available on a BIG-IP® system with an SWG subscription.
Name of the user that made the request, if available.
Note: Configuring your system to identify users is optional.
SSL bypass
Whether the request was bypassed (yes or no).
Note: Configuring your system to omit certain SSL traffic from inspection is optional.