Manual Chapter : Displaying Reports and Monitoring ASM

Applies To:

Show Versions Show Versions


  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Manual Chapter

ASM Reporting Tools

You can use several reporting tools in Application Security Manager (ASM) to analyze incoming requests, track trends in violations, generate security reports, and evaluate possible attacks. The statistics and monitoring reporting tools are described in this table.

Reporting Tool Description
Application security overview Displays a summary of all configured security policies showing the active security policies, attacks that have occurred, anomaly statistics, and networking and traffic statistics. You can save the information or send it as an email attachment.
Requests summary Summarizes the requested URLs for security policies.
Event correlation Displays a list of incidents (suspected attacks on the web application). Requests become incidents when at least two illegal requests are sent to the web application within 15 minutes, and the system groups them according to criteria. The criteria concern illegal requests for a specific URL, a specific parameter, or a specific source IP address.
Charts Displays graphical reports about security policy violations and provides tools that let you view the data by different criteria, drill down for more data, create customized reports, and send or export reports.
Charts scheduler Allows you to periodically generate specific reports and distribute them using email.
DoS Attacks report Displays graphic charts about DoS attacks, viewed by selected category, and includes the attack start and end times.
Brute Force Attacks report Displays graphic charts about brute-force attacks, viewed by selected category, and includes the attack start and end times.
Web Scraping statistics Displays graphic charts about web scraping attacks, viewed by selected category, and includes the attack start and end times.
Session Tracking status Displays the users, sessions, and IP addresses that the system is currently tracking, and for which the system is taking action as a result of having triggered one of the violation detection thresholds.
PCI Compliance report Displays a printable Payment Card Industry (PCI) compliance report for each security policy showing each security measure required for PCI-DSS 1.2, and compliance details.
CPU Utilization report Displays the amount of the available CPU that the Application Security Manager uses over a period of time.

Displaying an application security overview report

To view data in the security overview, the system must be logging data internally. Some default logging profiles are already set up on the system but you may want to customize them.
The Application Security Manager (ASM) can display a security overview where you can quickly see what is happening on your system. The overview is configurable and can include statistics concerning attack types, violations, and anomalies, traffic summaries, transactions per second, throughput, and top requested URLs, IP addresses, and request types. You can also export the statistics into a PDF, and email them as an attachment.
  1. On the Main tab, click Security > Overview > Application > Traffic. The Overview Traffic screen opens and summarizes ASM system activity at a glance.
  2. To change the default time frame for all widgets, select a time period from the Override time range to list.
  3. From the Security Policy list, select a security policy to narrow down the statistics. By default, statistics for all active security policies are shown.
  4. Review the summary statistics (organized into areas called widgets) to determine what is happening on the system.
  5. If you want to create a new area of information customized to your specifications, at the bottom of the screen, click Add Widget. The Add New Widget popup screen opens.
  6. Optionally, for each widget, you can adjust the time range, data measurements, and format of data to display from the Time Period list (Last Hour, Last Day, Last Week, Last Month, or Last Year) or the configuration gear settings. You can also delete any widget that you do not need on the screen.
  7. To save the summary as a PDF file on your computer:
    1. Click the Export link.
    2. In the popup screen that opens, click Export again to save the file on your computer.
  8. To send the report as an email attachment, click the Export link.
    Note: To send email, you need to configure an SMTP server. If one is not configured, on the Main tab,click System > Configuration > Device > SMTP, and then click Create to configure one first.
    1. Click Send the report file via E-Mail as an attachment.
    2. In the Target E-Mail Address(es) field, type the one or more email addresses (separated by commas or semi-colons).
    3. From the SMTP Server list, select the SMTP server.
    4. Click Export.
    The systems sends an email with the PDF to the specified addresses.
You can adjust the overview and create widgets for the information you are interested in.

Viewing details about requests and violations

To review requests related to learning suggestions, you need to have a security policy that is already handling traffic that is causing violations. If no violations have occurred, you will not see any learning suggestions.
You can view details about a request, including viewing the full request itself, and any violations associated with it. You can also drill down to view detailed descriptions of the violations and potential attacks, including violations found for staged entities. When viewing details about an illegal request, if you decide that the request is trusted and you want to allow it, you can accept the violations shown for this specific request.
  1. On the Main tab, click Security > Event Logs > Application > Requests. The Requests screen opens, where, by default, you can view a list of illegal requests for all security policies.
  2. In the Requests List, click a request to view information about the request and any violations associated with it. You see any violations associated with the request and other details, such as the security policy it relates to, the support ID, severity, and potential attacks that it could cause.
  3. To view details about a violation associated with an illegal request:
    • To view details about this specific violation such as the file type, the expected and actual length of the query, or similar relevant information, click the violation name.
    • To display a general description of that type of violation, click the icon to the left of the violation.
  4. For violations that you want to allow (false positives), click the Learn button. If there are learning suggestions, the violation’s learning screen opens where you can accept or clear the suggestions one at a time.
  5. To view the actual contents of the request, click HTTP Request or HTTP Response.
  6. When you are done looking at the request details, click Close.
The Requests List provides information about a request such as: the request category, the time of the request, its severity, the source IP address of the request, the server response code, and the requested URL itself. Icons on each request line provide additional status information such as whether the request is legal or illegal, blocked, truncated, or has a response. By reviewing the request details, you can investigate whether it was an attack or a false positive.

Exporting requests

You can export a list of selected requests in PDF or binary format for troubleshooting purposes.
  1. On the Main tab, click Security > Event Logs > Application > Requests. The Requests screen opens, where, by default, you can view a list of illegal requests for all security policies.
  2. If you want to export specific requests, select those requests from the list. You can export up to 100 entries in PDF format.
  3. Beneath the Requests List, click Export. The Select Export Method popup screen provides options.
  4. Select the export method to use, then click Export.
    • To export selected requests into a document, click Export selected requests in PDF format.

      You can choose to open or save the file created.

    • To export requests to a document and send it by e-mail, click Send selected requests in PDF format to your E-mail address, and type your e-mail address. (Note an SMTP server must be configured on the BIG-IP system.)
    • To export all requests currently displayed to a tar file, click Binary export of all requests defined by filter.

      The system creates a *.tar.gz file of the requests, and saves it where you specify.