Applies To:
BIG-IP APM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
About SWG data for threat monitoring
After Secure Web Gateway (SWG) starts proxying web access, it provides information that you can use to monitor threats and to fine-tune URL filters.
On a BIG-IP® system with Access Policy Manager®, SWG can provide logs and reports.
On a BIG-IP system with an SWG subscription, SWG can provide overview statistics in addition to logs and reports.
Overview: Monitoring Internet traffic for threats
You can view Secure Web Gateway (SWG) statistics on the BIG-IP® system and adjust URL filters to handle new threats based on the information that you gather from logs and reports.
Before you begin, event logging should be configured. SWG reports and charts depend on event logging for URL filters. For event logging to occur, log settings must be configured and then specified in the access profile, and a Category Lookup item must be run in the per-request policy.
Task summary
About the Secure Web Gateway Overview
The Secure Web Gateway (SWG) overview provides multiple reports and charts that summarize the top requests, such as top URLs, top categories by blocked request count, top users by permitted request count or by blocked request count, and so on. The overview can be customized to show the specific type of data that you are interested in.
In addition to the reports and charts on the overview, SWG provides the All Requests and Blocked Requests reports and charts. The reports can be filtered to show the information that you want to see.
Configuring statistics collection for SWG reports
Examining statistics on the SWG Overview
Focusing the Overview on security threats
Exporting or emailing SWG statistics
Creating an SMTP server configuration
Implementation result
Secure Web Gateway (SWG) is configured to produce reports and charts.
About the reporting interval for charts and reports
The system updates the statistics for charts and reports at five-minute intervals: at five minutes after the hour, ten minutes after the hour, and so on. Each five-minute mark includes data from the previous five minutes, so 12:45 includes data from 12:40:01 to 12:45:00.
Charts and data that you export from charts reflect the publishing interval of five minutes. For example, if you request data for the time period 12:40-13:40, the data in the chart or in the file that you export is for that time period. But if there is a request for data from 12:42-13:42, the data in the chart is from 12:45-13:45. By default, the BIG-IP® system displays one hour of data.
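When reconciling individual log timestamps against a chart or an exported file, it helps to compute which five-minute mark an event is published under. The Python below is an added example, not F5 code: the function names and sample events are constructed, and the window-snapping rule is generalized from the single 12:42-13:42 example above.

```python
from collections import Counter
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=5)  # publishing interval stated on the page

# Constructed sample events: (timestamp, action, URL). Not real SWG log output.
SAMPLE_EVENTS = [
    ("2024-03-05 12:40:00", "allowed", "http://intranet.example/"),
    ("2024-03-05 12:40:01", "blocked", "http://bad.example/a"),
    ("2024-03-05 12:44:59", "blocked", "http://bad.example/b"),
    ("2024-03-05 12:45:00", "blocked", "http://bad.example/c"),
    ("2024-03-05 12:45:01", "blocked", "http://bad.example/d"),
    ("2024-03-05 12:47:30", "confirmed", "http://news.example/"),
]


def publish_mark(ts: datetime) -> datetime:
    """Return the five-minute mark whose statistics include ts.

    The 12:45 mark covers 12:40:01 through 12:45:00, so a timestamp exactly
    on a mark stays there and anything later rolls forward (ceiling).
    """
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    marks = -(-(ts - midnight) // INTERVAL)  # ceiling division
    return midnight + marks * INTERVAL


def effective_window(start: datetime, end: datetime) -> tuple[datetime, datetime]:
    """Snap a requested range to publishing marks (12:42-13:42 -> 12:45-13:45).

    Assumption: both ends round up, generalized from the page's one example.
    """
    return publish_mark(start), publish_mark(end)


def blocked_per_mark(events) -> Counter:
    """Count blocked requests under the mark each one is published at."""
    counts = Counter()
    for stamp, action, _url in events:
        if action == "blocked":
            counts[publish_mark(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))] += 1
    return counts


if __name__ == "__main__":
    for mark, n in sorted(blocked_per_mark(SAMPLE_EVENTS).items()):
        print(mark.strftime("%H:%M"), n)
```

A request blocked at 12:45:01 therefore does not appear under the 12:45 mark; it is published with the 12:50 mark.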
About statistics aggregation for weekly and longer time ranges
Secure Web Gateway (SWG) reports and charts for weekly, monthly, and yearly time ranges include statistics up through the previously completed hour. The system performs hourly updates to the aggregated statistics.
About Secure Web Gateway statistics
Secure Web Gateway (SWG) reports display statistical information about web traffic on your system. These details are available:
- Actions
  - Action (allowed, blocked, or confirmed) taken on the URL request.
- Client IP address
  - IP address from which the request for the URL originated.
- Host Name
  - When available, host name from which the request for the URL originated.
- Categories
  - Name of the preconfigured or custom URL category into which a requested URL falls.
- URLs
  - Requested URL.
- URL filters
  - Name of the URL filter SWG applied to the request based on the schedule in the scheme.
- Security categories
  - The security category of the URL if it was blocked, because it matched a security category. Note: Security categories are available on a BIG-IP® system with an SWG subscription.
- Users
  - Name of the user that made the request, if available. Note: Configuring your system to identify users is optional.
- SSL bypass
  - Whether the request was bypassed (yes or no). Note: Configuring your system to omit certain SSL traffic from inspection is optional.