Applies To:
BIG-IQ Centralized Management
- 6.0.0
Managing an Application's Web Application Security Services
Evaluating the security status of all applications
You can quickly verify that your Web Application Security policies are protecting your applications as expected, and evaluate the security status of your applications. Use the security alerts in the Applications screen (for system admins, click ) to ensure that applications do not have active security alerts, which indicate a potential security issue. You can then isolate applications to further analyze an application's security data.
Verify the security status of all applications
You can click an application's name to further evaluate its security status in a dedicated application screen.
Evaluating a specific application's security status
You can verify that your Web Application Security policy is protecting your application as expected using the Security charts found in the Analytics area of the application properties screen (for system admins, click ). The charts provide extensive information about your application's security status, including active security alerts and enhanced security analytics data in the dimensions pane.
Verify the security status of a specific application
Detecting false positives in an application security policy
False positives of a Web Application Security policy are indicated by the Blocking Valid Traffic alerts. These alerts are triggered when your application is in blocking mode and likely valid transactions are blocked by your Web Application Security policy. These blocked transactions are rated as likely false positives (Likely F.P.), which have a low violation rating (threat level). You can use these alerts to fine-tune your security policy to include specific parameters that will reduce the rate of false positives as they occur. Detect false positives by isolating the specific applications that are blocking valid traffic in the all applications screen (for system admins click ). Once an application is isolated (for system admins click ), you can identify the application's blocked transactions with low violation ratings.
Blocking valid traffic alerts
Blocking Valid Traffic alerts are triggered when the number of blocked transactions with a likely false positive rating (default: 1 or 2), out of all transactions over the past 24 hours, exceeds a defined threshold (default: >0.01%).
Isolate applications with blocked valid traffic
Identify valid traffic blocked by a security policy
Collect additional data to troubleshoot an application's performance
Detecting successful attacks to an application in transparent mode
The number of malicious attacks on an application is indicated by the Successful Attacks alerts. These alerts are triggered when your application has a Web Application Security policy in transparent (non-blocking) mode. This means that your application's transactions are monitored according to a defined policy, but no traffic is blocked.
You can use the Successful Attacks alerts to evaluate the effectiveness of a new, or updated, Web Application Security policy for an application, before blocking mode is enabled. Detect known, malicious transactions by isolating the specific applications that are in transparent mode and have Successful Attacks alerts in the all applications dashboard (for system admins click ). Once an application is isolated (for system admins click ), you can identify malicious transactions and enable a blocking enforcement mode for your Web Application Security policy.
Successful attacks alert
Successful Attacks alerts are triggered when the number of transactions with a malicious violation rating (4 or 5) has significantly increased (default: exceeds 0.1 percent), out of all transactions, over the past 24 hours.
Isolating applications with successful attacks
Identify successful attacks characteristics
Collect additional data to troubleshoot an application's performance
Detecting bad traffic increases in an application
Bad traffic can indicate a number of things and is a tool for the investigation or prevention of attacks on your applications. For example, an increase in bad traffic can be localized to a specific country or URL.
Significant increases in bad traffic to an application are indicated by Bad Traffic Growth alerts. The violation rating (threat level) of transactions to your application is monitored by your Web Application Security policy, whether the application is in Transparent (non-blocking) or Blocking mode. This alert is useful for identifying the traits of new security threats that are not yet fine-tuned to your application's security policy. You can detect new threats by isolating the specific applications that have a significant increase in bad traffic (for system admins click ). Once an application is isolated (for system admins click ), you can identify whether there are defined characteristics to the transactions that were defined as bad traffic, and then adjust your security policy accordingly.
Bad traffic growth alerts
Bad Traffic Growth alerts are triggered when the average daily ratio of bad traffic, as defined by your Web Application Security policy, has significantly increased (default: >10%) in comparison to the average ratio of bad traffic for the past week.
- Likely False Positive (Likely F.P.): 1 or 2
- Illegal: 3
- Malicious: 4 or 5
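The three alert rules described above, modeled as an added example (not F5 or BIG-IQ code) that an analyst can run over exported transaction records to see why an alert fired. The record layout, function names and sample data are constructed; it assumes bad traffic means any rating from 1 to 5 and that growth is measured relative to the weekly average.

```python
from collections import Counter

# Default thresholds and rating bands quoted from the alert descriptions above.
FP_RATINGS = {1, 2}            # Likely False Positive
MALICIOUS_RATINGS = {4, 5}     # Malicious
BLOCKING_VALID_PCT = 0.01      # Blocking Valid Traffic: > 0.01% of all transactions
SUCCESSFUL_ATTACKS_PCT = 0.1   # Successful Attacks: > 0.1% of all transactions
BAD_GROWTH_PCT = 10.0          # Bad Traffic Growth: > 10% over the weekly average


def pct(part, total):
    return 100.0 * part / total if total else 0.0


def evaluate_alerts(mode, last_24h, week_bad_pct, bad_ratings=frozenset(range(1, 6))):
    """Return the alerts that a day of transactions would raise.

    mode: "blocking" or "transparent" (policy enforcement mode).
    last_24h: (violation_rating, was_blocked) pairs for the past 24 hours.
    week_bad_pct: daily bad-traffic percentages for the past week.
    bad_ratings: ratings counted as bad traffic (assumption: 1 to 5).
    """
    txns = list(last_24h)
    counts = Counter()
    for rating, blocked in txns:
        counts["bad"] += rating in bad_ratings
        counts["fp_blocked"] += blocked and rating in FP_RATINGS
        counts["malicious"] += rating in MALICIOUS_RATINGS
    total = len(txns)
    alerts = []
    if mode == "blocking" and pct(counts["fp_blocked"], total) > BLOCKING_VALID_PCT:
        alerts.append("Blocking Valid Traffic")
    if mode == "transparent" and pct(counts["malicious"], total) > SUCCESSFUL_ATTACKS_PCT:
        alerts.append("Successful Attacks")
    # Assumption: growth is relative to the mean daily ratio of the past week.
    baseline = sum(week_bad_pct) / len(week_bad_pct) if week_bad_pct else 0.0
    today = pct(counts["bad"], total)
    if baseline and 100.0 * (today - baseline) / baseline > BAD_GROWTH_PCT:
        alerts.append("Bad Traffic Growth")
    return alerts


# Constructed sample data: 10,000 transactions per day, not real traffic.
WEEK = [0.25, 0.30, 0.28, 0.27, 0.25, 0.30, 0.31]
BLOCKING_DAY = [(0, False)] * 9970 + [(1, True)] * 2 + [(3, True)] * 20 + [(4, True)] * 8
TRANSPARENT_DAY = [(0, False)] * 9950 + [(2, False)] * 10 + [(3, False)] * 25 + [(5, False)] * 15

if __name__ == "__main__":
    print(evaluate_alerts("blocking", BLOCKING_DAY, WEEK))
    print(evaluate_alerts("transparent", TRANSPARENT_DAY, WEEK))
```

In the constructed blocking day, two blocked Likely F.P. transactions out of 10,000 (0.02%) are enough to cross the default 0.01% threshold, which shows how sensitive the Blocking Valid Traffic alert is at low volumes.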
Isolate applications that have an increase in bad traffic
Identify new threats to an application's security
Identifying additional application security and traffic parameters
When you are troubleshooting the security status of an application, additional data can help you isolate details that characterize potential, or ongoing, vulnerabilities. On the Application screen, the Enhanced Analytics option provides you with the ability to collect more information about the Web Application Security policy for your application's BIG-IP® host device. When this feature is enabled, the enhanced data displays additional dimension objects and data for the security dimensions found in the Analytics area.
In addition to displaying enhanced traffic data, you can select additional HTTP traffic data to view details about the application's traffic during the time of an attack (for example, Client IPs, Geolocations, or URLs).
Collect additional data to troubleshoot an application's performance
Application security charts
This table describes the charts found in the application properties screen if you have clicked Security, in the APPLICATION SERVICES area. Use the ANALYTICS menu on the left to select the different charts. These charts display the trends of application traffic processed by a Web Application Security policy. Each chart displays an aspect of application traffic as a function of the selected time period.
ANALYTICS Menu Option | Chart Title | Description |
---|---|---|
Illegal Transactions | Blocked and Non-Blocked Illegal Transactions Rate | The average transaction security outcome assigned by the Web Application Security policy. Metric Unit: Average Transactions per Second. Legend: Blocked TPS: The number of transactions that were blocked by the Web Application Security policy and did not pass through the system. Non-Blocked TPS: The number of transactions that passed through the Web Application Security policy. |
All Transactions | Transactions Rate by Violation Rating | The average Web Application Security policy outcome, based on the violation rating (threat level) for the application's transactions. Metric Unit: Average Transactions per Second. Legend: Legal: Transactions that are considered legal. Violation rating is 0. Likely F.P.: Transactions that are not legal, based on the security policy, but are likely false positives. Violation rating is 1 or 2. Illegal: Transactions that are considered illegal. Violation rating is 3. Malicious: Transactions that are considered malicious attacks. Violation rating is 4 or 5. |
Violations | Top 6 Violations | The number of violations per second for the most common violation types monitored by Web Application Security policy. Metric Unit: Violation per second. Legend: Up to 6 violation types. |
Security metrics collected in Enhanced Analytics settings
This table lists and describes the security dimensions that can display additional metric data, when Collect Security metrics for all devices hosting <Application Name> is selected in the Enhanced Analytics Settings popup screen. When Enhanced Analytics is enabled, the added data is displayed in the Web Application Security charts. When disabled, these dimensions display aggregated data in the dimension object list.
Enhanced Setting Metric | Affected Dimension(s) | Description | Value displayed when disabled |
---|---|---|---|
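Collect Security metrics for all devices hosting <Application Name> | Network Protocols | The network protocols of the requests to your application. | N/A |
Collect Security metrics for all devices hosting <Application Name> | Client IPs | The client IP addresses sending requests to your application. | Aggregated |
Collect Security metrics for all devices hosting <Application Name> | Client Device IDs | The client IDs generated for requests to your application. | Aggregated |
Collect Security metrics for all devices hosting <Application Name> | IPs Reputation | The client IP reputation categories for requests to your application. | N/A |
Collect Security metrics for all devices hosting <Application Name> | Countries | The countries from which your application receives requests. | N/A |
Collect Security metrics for all devices hosting <Application Name> | Users Name | The user name input for your application. | N/A |
Collect Security metrics for all devices hosting <Application Name> | Session IDs | The assigned session IDs for requests to your application. | N/A |
Collect Security metrics for all devices hosting <Application Name> | URLs | The URLs from which your application receives requests. | N/A |
Collect Security metrics for all devices hosting <Application Name> | Methods | The HTTP request methods to your application's resources. | N/A |
Collect Security metrics for all devices hosting <Application Name> | Mobile App Types | The mobile application type from which a user sent a request. | N/A |
Collect Security metrics for all devices hosting <Application Name> | Mobile App Versions | The mobile application version from which a user sent a request. | N/A |
Collect Security metrics for all devices hosting <Application Name> | Violations | The types of violations from requests to your application. | N/A |
Collect Security metrics for all devices hosting <Application Name> | Virus Names | The names of viruses from requests to your application. | N/A |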
HTTP metrics provided in Enhanced Analytics settings
This table lists and describes the HTTP options in the Enhanced Analytics Settings popup screen that display additional metric data for the corresponding dimensions, when enabled. The added data is displayed in the HTTP traffic charts. When disabled, these dimensions display aggregated data.
Enhanced Metric Setting | Affected Dimension(s) | Description | Value displayed when disabled |
---|---|---|---|
IP Address | Client IPs | The IP addresses from which your application receives requests. Suggested Uses: General application performance testing. | N/A |
Geolocation | Countries | The countries from which your application receives requests. Suggested Uses: General application performance testing, identifying user personas, security validation. | N/A |
Operating System & Browser | OSs, Browsers | The operating systems and browsers from which your application receives requests. Suggested Uses: General application performance testing, testing performance of URLs with high resource requirements. | N/A |
HTTP Method | Methods | The HTTP request methods to your application's resources. Suggested Uses: General application performance testing, identifying user personas. | N/A |
Subnet | Subnets | The client subnets from which your application receives requests. Suggested Uses: General application performance testing. | N/A |
URL | URLs | The URLs from which your application receives requests. Suggested Uses: General application performance testing, testing performance of URLs with high resource requirements. | N/A |