Manual Chapter : Managing an Applications Web Application Security Services

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 6.0.0
Manual Chapter

Managing an Application's Web Application Security Services

Evaluating the security status of all applications

You can quickly verify that your Web Application Security policies are protecting your applications as expected, and evaluate the security status of your applications. Use the security alerts in the Applications screen (for system admins, click Applications > APPLICATIONS) to ensure that applications do not have active security alerts, which indicate a potential security issue. You can then isolate applications to further analyze an application's security data.

Verify the security status of all applications

You can verify that your Web Application Security policies are effectively protecting your applications and do not currently need modification.
  1. Open the Applications screen (click Applications > APPLICATIONS).
  2. At the top right of the screen, view the SECURITY area to ensure that there are no active security alerts.
  3. To ensure that each security policy is configured as expected, in the application list, click the application name.
    This opens the properties screen specific to this application.
  4. In the summary bar, view the SECURITY area for the system message about the PROTECTION MODE, BAD TRAFFIC, and FINDINGS status.
    • PROTECTION MODE indicates whether your application has a Web Application Security policy, and the policy's current enforcement mode (Transparent or Blocking).
      Note: Applications that do not have an assigned security policy show a system message of Not Protected.
    • BAD TRAFFIC indicates whether there were significant changes in the percent of bad traffic over the past 24 hours, as opposed to the average percent for the past week.
    • FINDINGS indicates any traffic behavior that has raised a security alert.
  5. Return to the Application screen, and look at the Last Modified column to see if there were any recent changes to your application's security policy settings, which could result in unexpected alerts.

You can click an application's name to further evaluate its security status in a dedicated application screen.

Evaluating a specific application's security status

You can verify that your Web Application Security policy is protecting your application as expected using the Security charts found in the Analytics area of the application properties screen (for system admins, click Applications > APPLICATIONS > <Application Name>). The charts provide extensive information about your application's security status, including active security alerts and enhanced security analytics data in the dimensions pane.

Verify the security status of a specific application
You verify that the Web Application Security policy is effectively protecting your applications so you know that it does not currently need modification.
  1. Open the single application screen by selecting the application's name from the Applications screen ( click Applications > APPLICATIONS > <Application Name>).
  2. Near the middle of the screen under APPLICATION SERVICES, click Security.
    The screen displays security information in the ANALYTICS and CONFIGURATION areas.
  3. To view application traffic data, select from menu to the left of the screen in the ANALYTICS area.
    This displays charts for the application's traffic data.
    Tip: Expand the chart view by collapsing the summary bar and/or application configuration map using the arrows to the right of these areas.
Users with administrative access can view statistics for multiple applications by clicking Monitoring > DASHBOARDS > Web Application Security.

Detecting false positives in an application security policy

False positives of a Web Application Security policy are indicated by the Blocking Valid Traffic alerts. These alerts are triggered when your application is in blocking mode and likely valid transactions are blocked by your Web Application Security policy. These transactions have been blocked as likely false positive (or Likely F.P.), which have a low violating rating (threat level). You can use these alerts to fine tune your security policy to include specific parameters that will reduce the rate of false positives as they occur. Detect false positives by isolating the specific applications that are blocking valid traffic in the all application screen (for system admins click Applications > Applications). Once an application is isolated ( for system admins click Applications > Applications > <Application Name>), you can identify the application's blocked transactions with low violation ratings.

Blocking valid traffic alerts

Blocking Valid Traffic alerts are triggered when the number of blocked transactions with a likely false positive rating (default: 1 or 2), out of all transactions over the past 24 hours, exceeds a defined threshold (default: >0.01%).

Isolate applications with blocked valid traffic

Isolate applications that have active Blocking Valid Traffic alerts, which indicate that transactions with a low violation rating, and may be false positives, are being blocked by your Web Application Security policy.
  1. Open the Applications screen (click Applications > APPLICATIONS).
  2. In the SECURITY area, located at the top right of the summary bar, click Blocking Valid Traffic
    This filters the list of applications to display the applications that have an active Blocking Valid Traffic alert.
  3. Select the isolated application's name.
    The screen for this application opens, where you can identify characteristics of the blocked transactions that triggered the Blocking Valid Traffic alert to an application.

Identify valid traffic blocked by a security policy

Identify when your security policy blocked valid transactions in order to establish which valid transactions were blocked and why.
  1. Open the single application screen by selecting the application's name from the Applications screen ( click Applications > APPLICATIONS > <Application Name>).
  2. Near the middle of the screen under APPLICATION SERVICES, click Security.
    The screen displays security information in the ANALYTICS and CONFIGURATION areas.
  3. In the time settings area above the chart, adjust the time period to match when the Blocking Valid Traffic alert was triggered, and make sure the Events button is on to view when the alert was triggered.
  4. To characterize transactions that are likely false positives, select Illegal Transactions from the ANALYTICS menu to the left.
    1. While viewing the Blocked and Non-Blocked Illegal Transactions Rate (TPS) chart, expand the Dimensions pane using the tabs to the left of the chart and then expand the Violation Ratings dimension.
    2. Select the Likely F.P. violation rating to filter chart and dimension data by transactions received a low violation rating, and were blocked by the security policy.
      Tip: Expand the chart view by collapsing the summary bar and/or application configuration map using the arrows to the right of these areas.
  5. If you cannot sufficiently characterize the transactions with a Likely F.P violation rating, you can do additional troubleshooting by clicking Enhanced Analytics to view additional dimension objects for traffic and security.
If you have administrative access, you can view the Web Application Security settings for multiple applications on the Web Application Security dashboard Monitoring > DASHBOARDS > Web Application Security.

Collect additional data to troubleshoot an application's performance

You can use the Analytics area of the Application screen to collect additional data about application traffic data. This prompts the system to collect additional metrics about your application's performance, which enhances your troubleshooting capabilities.
Tip: You can enable Enhanced Analytics on multiple applications at once to the enhanced data objects in the HTTP dashboard (click Monitoring > DASHBOARDS > Local Traffic > HTTP).
  1. Open the single application screen by selecting the application's name from the Applications screen ( click Applications > APPLICATIONS > <Application Name>).
  2. Click the Enhanced Analytics button to Enhanced Analytics Settings popup screen.
    Note: By default, all HTTP metrics (check boxes) are enabled (selected). Selecting only one, or a focused number of metrics, improves the quality of the data collected.
  3. Ensure that the Collect HTTP metrics for <Application Name> check box is selected.
  4. Leave selected only the check boxes you want, to view specific data within the chart dimensions of the Analytics area.
  5. To view details about your application's security, select Collect Security metrics for all devices hosting <Application Name>.
  6. Click Start.
    The detail screen for this application displays an aqua banner across the top of the screen, Enhanced Analytics On, with a Stop button. The main Applications screen highlights the health icon in the applications list to indicate which application is running Enhanced Analytics.
  7. To disable Enhanced Analytics, click the Stop button in the Enhanced Analytics On banner.
    Tip: You can also click Enhanced Analytics, and click Stop in the Enhanced Analytics Settings popup window.
    Important: Once you have completed troubleshooting, disable Enhanced Analytics to reduce disk usage allocated for statistics data collection.
    Once you click the Stop button, the Enhanced Analytics On banner is removed.
When Enhanced Analytics mode is off, dimension statistics persist in the dimension object list, when viewing a time period from when Enhanced Analytics was enabled.

Detecting successful attacks to an application in transparent mode

The number of malicious attacks on an application are indicated by the Successful Attacks alerts. These alerts are triggered when your application has a Web Application Security policy in transparent (non-blocking) mode. This means that your application's transactions are monitored according to a defined policy, but does not block any traffic.

You can use the Successful Attacks alerts to evaluate the effectiveness of a new, or updated, Web Application Security policy to an application, before blocking mode is enabled. Detect known, malicious transactions by isolating the specific applications that are in transparent mode that have Successful Attack alerts in the all applications dashboard (for system admins click Applications > Applications). Once an application is isolated (for system admins click Applications > Applications > <Application Name>), you can identify malicious transactions and enable a blocking enforcement mode for your Web Application Security policy.

Successful attacks alert

Successful Attacks alerts are triggered when the number of transactions with a malicious violations rating (4 or 5) has significantly increased (default: exceeds 0.1 percent), out of all transactions, over the past 24 hours.

Isolating applications with successful attacks

You can isolate applications that have Successful Attacks alerts to analyze your the Web Application Security policy settings under transparent mode (non-blocking), and identify if an application's security policy should be in Blocking mode.
  1. Open the Applications screen (click Applications > APPLICATIONS).
  2. In the SECURITY area located at the top right of the summary bar, click Successful Attacks.
    This filters the list of applications to display the applications that have an active Successful Attacks alert.
  3. Select the application's name.
    The screen for this application opens, where you can identify characteristics of the transactions that triggered the Successful Attacks alert to an application.

Identify successful attacks characteristics

Identify when the transactions for successful attacks were initiated, and isolate the characteristics associated with the attacks, to evaluate the need to prevent attacks by adjusting your Web Application Security policy.
  1. Open the single application screen by selecting the application's name from the Applications screen ( click Applications > APPLICATIONS > <Application Name>).
  2. Near the middle of the screen under APPLICATION SERVICES, click Security.
    The screen displays security information in the ANALYTICS and CONFIGURATION areas.
  3. In the time settings area above the chart, adjust the time period to match when the Blocking Valid Traffic alert was triggered, and make sure the Events button is on to view when the alert was triggered.
  4. To identify successful attacks by application transactions at each violation rating, select All Transactions from the ANALYTICS menu to the left.
    1. While viewing the Transactions Rate by Violation Rating (TPS) chart, expand the Dimensions pane using the tabs to the left of the chart and then expand the Violation Ratings dimension.
    2. Select the Malicious violation rating to filter chart and dimension data by transactions that were identified as successful attacks.
    Tip: Expand the chart view by collapsing the summary bar and/or application configuration map using the arrows to the right of these areas.
  5. To characterize the successful attacks by type of violation, select Violations for the ANALYTICS menu to the left
    1. While viewing the Top 6 Violations (Violation/s) chart, expand the Dimensions pane using the tabs to the left of the chart and then expand the Violation Ratings dimension.
    2. Select the Malicious violation rating to filter chart and dimension data by transactions that were identified as successful attacks.
    3. Expand the Attack Types and Violations dimensions to view additional attack data.
  6. If you cannot sufficiently characterize the transactions successful attacks, you can do additional troubleshooting by clicking Enhanced Analytics to view additional dimension objects for traffic and security.
If you have administrative access, you can view the Web Application Security settings for multiple applications on the Web Application Security dashboard Monitoring > DASHBOARDS > Web Application Security.

Collect additional data to troubleshoot an application's performance

You can use the Analytics area of the Application screen to collect additional data about application traffic data. This prompts the system to collect additional metrics about your application's performance, which enhances your troubleshooting capabilities.
Tip: You can enable Enhanced Analytics on multiple applications at once to the enhanced data objects in the HTTP dashboard (click Monitoring > DASHBOARDS > Local Traffic > HTTP).
  1. Open the single application screen by selecting the application's name from the Applications screen ( click Applications > APPLICATIONS > <Application Name>).
  2. Click the Enhanced Analytics button to Enhanced Analytics Settings popup screen.
    Note: By default, all HTTP metrics (check boxes) are enabled (selected). Selecting only one, or a focused number of metrics, improves the quality of the data collected.
  3. Ensure that the Collect HTTP metrics for <Application Name> check box is selected.
  4. Leave selected only the check boxes you want, to view specific data within the chart dimensions of the Analytics area.
  5. To view details about your application's security, select Collect Security metrics for all devices hosting <Application Name>.
  6. Click Start.
    The detail screen for this application displays an aqua banner across the top of the screen, Enhanced Analytics On, with a Stop button. The main Applications screen highlights the health icon in the applications list to indicate which application is running Enhanced Analytics.
  7. To disable Enhanced Analytics, click the Stop button in the Enhanced Analytics On banner.
    Tip: You can also click Enhanced Analytics, and click Stop in the Enhanced Analytics Settings popup window.
    Important: Once you have completed troubleshooting, disable Enhanced Analytics to reduce disk usage allocated for statistics data collection.
    Once you click the Stop button, the Enhanced Analytics On banner is removed.
When Enhanced Analytics mode is off, dimension statistics persist in the dimension object list, when viewing a time period from when Enhanced Analytics was enabled.

Detecting bad traffic increases in an application

Bad traffic can indicate a number of things and is tool for investigation of prevention of attacks on your applications. For example, an increase in bad traffic can be localized to a specific country or URL.

Significant increases in bad traffic to an application are indicated by Bad Traffic Growth alerts. The violation rating (threat level) of transactions to your application is monitored by your Web Application Security policy, whether the application is in Transparent (non-blocking) or Blocking mode. This alert is useful for identifying the traits of new security threats that are not yet fine-tuned to your application's security policy. You can detect new threats by isolating the specific applications that have a significant increase in bad traffic (for system admins click Applications > Applications). Once an application is isolated (for system admins click Applications > Applications > <Application Name>), you can identify whether there are defined characteristics to the transactions that were defined as bad traffic, and then adjust your security policy accordingly.

Bad traffic growth alerts

Bad Traffic Growth alerts are triggered when the average daily ratio of bad traffic, as defined by your Web Application Security policy, has significantly increased (default: >10%) in comparison to the average ratio of bad traffic for the past week.

Bad traffic is characterized by any transaction that receives a violation rating. A violation rating indicates that a transaction has been detected as non-legal by the Web Application Security policy. There is a range of violation ratings, which indicate the severity of the violation and the likelihood of an attack:
  • Likely False Positive (Likely F.P.): 1 or 2
  • Illegal: 3
  • Malicious: 4 or 5

Isolate applications that have an increase in bad traffic

You can isolate applications with active Bad Traffic Growth alerts that were detected by the Web Application Security policy to identify the specific threats to an application, and to adjust the security policy according to the detected changes.
  1. Open the Applications screen (click Applications > APPLICATIONS).
  2. In the SECURITY area, located at the top right of the summary bar, click Bad Traffic Growth.
    This filters the list of applications to display the applications that have an active Bad Traffic Growth alert.
  3. Select the isolated application's name.
    The screen for this application opens, where you can identify characteristics of the malicious transactions that triggered the Bad Traffic Growth alert to an application.

Identify new threats to an application's security

You can identify the characteristics of the transactions that led to an increase in bad traffic to your application, and which pool members were affected, to evaluate if the bad traffic is a threat to your application's performance.
  1. Open the single application screen by selecting the application's name from the Applications screen ( click Applications > APPLICATIONS > <Application Name>).
  2. Near the middle of the screen under APPLICATION SERVICES, click Security.
    The screen displays security information in the ANALYTICS and CONFIGURATION areas.
  3. To characterize malicious transaction characteristics by when they were detected by the Web Application Security policy, from the ANALYTICS menu at the left, select Illegal Transactions or All Transactions.
    Tip: Expand the chart view by collapsing the summary bar and/or application configuration map using the arrows to the right of these areas.
  4. If you selected Illegal Transactions:
    1. While viewing the Blocked and Non-Blocked Illegal Transactions Rate (TPS) chart, expand the Dimensions pane using the tabs to the left of the chart and then expand the Actions dimension.
    2. Select one or more of the Web Application Security policy actions to filter the chart and dimension data.
  5. If you selected All Transactions:
    1. From the Transactions by Violation Rating (TPS) chart, expand the Dimensions pane using the tabs to the left of the chart and expand the Violation Ratings dimension.
    2. Select a violation rating to filter chart and dimension data by your selection.
  6. To characterize the HTTP transaction times and connections during a bad traffic increase, from APPLICATION SERVICES and select Traffic Management.
  7. From the ANALYTICS menu on the left, select one of the options to display transaction latency and connection data.
  8. To characterize HTTP traffic transactions to your pool members during a bad traffic increase:
    1. In the SERVERS circle click the number.
    2. From the ANALYTICS menu on the left, select an option to display application pool member-oriented HTTP traffic data in the charts and dimensions.
  9. If you cannot sufficiently characterize the transactions during a bad traffic increase, you can click Enhanced Analytics to view additional dimension objects for traffic and security.
If you have administrative access, you can view the HTTP or Web Application Security settings for multiple applications on the HTP and Web Application Security dashboards Monitoring > DASHBOARDS > Web Application Security or Monitoring > DASHBOARDS > Local Traffic > HTTP.

Identifying additional application security and traffic parameters

When you are troubleshooting the security status of an application, additional data can help you isolate details that characterize potential, or ongoing, vulnerabilities. On the Application screen, the Enhanced Analytics option provides you with the ability to collect more information about the Web Application Security policy for your application's BIG-IP® host device. When this feature is enabled, the enhanced data displays additional dimension objects and data for the security dimensions found in the Analytics area.

In addition to displaying enhanced traffic data, you can select additional HTTP traffic data to view details about the application's traffic during the time of an attack (for example, Client IPs, Geolocations, or URLs).

The Enhanced Analytics option does not impact your BIG-IQ® system performance. By default,you can enable up to 20 applications simultaneously in Enhanced Analytics mode.
Note: System administrators can adjust the maximum number of applications by modifying the maxNumberOfApps parameter value in the /var/config/rest/config/restjavad.properties.json file.

Collect additional data to troubleshoot an application's performance

You can use the Analytics area of the Application screen to collect additional data about application traffic data. This prompts the system to collect additional metrics about your application's performance, which enhances your troubleshooting capabilities.
Tip: You can enable Enhanced Analytics on multiple applications at once to the enhanced data objects in the HTTP dashboard (click Monitoring > DASHBOARDS > Local Traffic > HTTP).
  1. Open the single application screen by selecting the application's name from the Applications screen ( click Applications > APPLICATIONS > <Application Name>).
  2. Click the Enhanced Analytics button to Enhanced Analytics Settings popup screen.
    Note: By default, all HTTP metrics (check boxes) are enabled (selected). Selecting only one, or a focused number of metrics, improves the quality of the data collected.
  3. Ensure that the Collect HTTP metrics for <Application Name> check box is selected.
  4. Leave selected only the check boxes you want, to view specific data within the chart dimensions of the Analytics area.
  5. To view details about your application's security, select Collect Security metrics for all devices hosting <Application Name>.
  6. Click Start.
    The detail screen for this application displays an aqua banner across the top of the screen, Enhanced Analytics On, with a Stop button. The main Applications screen highlights the health icon in the applications list to indicate which application is running Enhanced Analytics.
  7. To disable Enhanced Analytics, click the Stop button in the Enhanced Analytics On banner.
    Tip: You can also click Enhanced Analytics, and click Stop in the Enhanced Analytics Settings popup window.
    Important: Once you have completed troubleshooting, disable Enhanced Analytics to reduce disk usage allocated for statistics data collection.
    Once you click the Stop button, the Enhanced Analytics On banner is removed.
When Enhanced Analytics mode is off, dimension statistics persist in the dimension object list, when viewing a time period from when Enhanced Analytics was enabled.

Application security charts

This table describes the charts found in the application properties screen( > Applications > Applications > <Application Name>) if you have clicked Security, in the APPLICATION SERVICES area. Use the ANALYTICS menu on the left to select the different charts. These charts display the trends of application traffic processed by a Web Application Security policy. Each chart displays an aspect of application traffic as a function of the selected time period.

ANALYTICS Menu Option Chart Title Description
Illegal Transactions Blocked and Non-Blocked Illegal Transactions Rate The average transaction security outcome assigned by the Web Application Security policy.

Metric Unit: Average Transactions per Second

Legend:

Blocked TPS: The number of transactions that were blocked by the Web Application Security policy and did not pass through the system.

Non-Blocked TPS: The number of transactions that passed through the Web Application Security policy.

All Transactions Transactions Rate by Violation Rating The average Web Application Security policy outcome, based on the violation rating (threat level) for the application's transactions.

Metric Unit: Average Transactions per Second

Legend:

Legal: Transactions that are considered legal. Violation rating is 0.

Likely F.P. : Transactions that are not legal, based on the security policy, but are likely false positives. Violation rating is 1 or 2.

Illegal: Transactions that are considered illegal. Violation rating is 3.

Malicious: Transactions that are considered malicious attacks. Violation rating is 4 or 5.

Violations Top 6 Violations The number of violations per second for the most common violation types monitored by Web Application Security policy.

Metric Unit: Violation per second

Legend:

Up to 6 violation types

Security metrics collected in Enhanced Analytics settings

This table lists and describes the security dimensions that can display additional metric data, when Collect Security metrics for all devices hosting <Application Name> is selected in the Enhanced Analytics Settings popup screen. When Enhanced Analytics is enabled, the added data is displayed in the Web Application Security charts. When disabled, these dimensions display aggregated data in the dimension object list.

Enhanced Setting Metric Affected Dimension(s) Description Value displayed when disabled
Collect Security metrics for all devices hosting <Application Name> Network Protocols The network protocols of the requests to your application. N/A
Client IPs The client IP addresses sending requests to your application. Aggregated
Client Device IDs The client IDs generated for requests to your application. Aggregated
IPs Reputation The client IP reputation categories for requests to your application. N/A
Countries The countries from which your application receives requests. N/A
Users Name The user name input for your application. N/A
Session IDs The assigned session IDs for requests to your application. N/A
URLs The URLs from which your application receives requests. N/A
Methods The HTTP request methods to your application's resources. N/A
Mobile App Types The mobile application type from which a user sent a request. N/A
Mobile App Versions The mobile application version from which a user sent a request. N/A
Violations The types of violations from requests to your application N/A
Virus Names The names of viruses from requests application N/A

HTTP metrics provided in Enhanced Analytics settings

This table lists and describes HTTP options in the Enhanced Analytics Settings popup screen displays additional metric data for the corresponding dimensions, when enabled. The added data is displayed in the HTTP traffic charts. When disabled, these dimensions display aggregated data.

Enhanced Metric Setting Affected Dimension(s) Description Value displayed when disabled
IP Address Client IPs The IP addresses from which your application receives requests.

Suggested Uses: General application performance testing.

N/A
Geolocation Countries The countries from which your application receives requests.

Suggested Uses: General application performance testing, identifying user personas, security validation.

N/A
Operating System & Browser

OSs

Browsers

The operating systems and browsers from which your application receives requests.

Suggested Uses: General application performance testing, testing performance of URLs with high resource requirements.

N/A
HTTP Method Methods The HTTP request methods to your application's resources.

Suggested Uses: General application performance testing, identifying user personas.

N/A
Subnet Subnets The client subnets from which your application receives requests.

Suggested Uses: General application performance testing.

N/A
URL URLs The URLs from which your application receives requests.

Suggested Uses: General application performance testing, testing performance of URLs with high resource requirements.

N/A