
Manual Chapter: Displaying Reports
You can use several reporting tools in Application Security Manager (ASM) to analyze incoming requests, track trends in violations, generate security reports, and evaluate possible attacks. The statistics and monitoring reporting tools are described here:
Application security overview
Displays a summary of all configured web applications showing the active security policies, attacks that have occurred, anomaly statistics, and networking and traffic statistics. See Displaying an application security overview, for details.
Application Security Manager dashboard
Provides a summary of attacks, anomalies, and traffic statistics on this BIG-IP® system.
Requests summary
Summarizes the requested URLs for web applications. See Reviewing details about requests, for more information.
Charts
Displays graphical reports about security policy violations and provides tools that let you view the data by different criteria, drill down for more data, create customized reports, and export reports. See Viewing charts, for more information.
Charts Scheduler
Allows you to periodically generate specific reports and distribute them using email.
DoS Attacks report
Displays DoS attack events, listed by the web application targeted, and the attack start and end times. See Viewing DoS Attacks reports, for more information.
Brute Force Attacks report
Displays brute-force attack events, including the web application attacked, login URL, and attack start and end times. See Viewing Brute Force Attack reports, for more information.
IP Enforcer Statistics
Lists the IP addresses whose requests exceeded the maximum number of blocked violations, and lets you see additional details about the requests and associated violations.
Web Scraping Statistics
Displays details about web scraping attacks that the system detected and logged.
PCI Compliance report
Displays a printable Payment Card Industry (PCI) compliance report for each web application showing each security measure required for PCI-DSS 1.2, and compliance details.
CPU Utilization report
Displays the amount of the available CPU that the Application Security Manager uses over a period of time.
1.
On the Main tab, expand Application Security, and click Overview.
The Overview screen opens and summarizes system activity at a glance.
2.
In the Statistics area, from the Web Application list, select an application to narrow down the statistics. By default, statistics for all web applications are displayed.
3.
To specify how far back you want to view the statistics, after Time Period, click Last Hour, Last Day, or Last Week.
Tip: See the online help for details about the tables and graphs.
Figure 15.1 shows what the Application Security Overview screen (top part) looks like if attacks have occurred, with a pie chart showing the types of attacks. The bottom of the screen includes additional traffic and networking statistics that you can scroll down to see.
The BIG-IP system provides a dashboard that you can use to monitor overall system performance and specific modules. The Application Security Manager dashboard displays anomaly statistics (the number of anomaly type attacks, dropped requests, and total anomaly type violations detected), a summary of BIG-IP® ASM traffic (throughput, TPS, and requests per second), and attack types detected by the system. You can filter all statistics according to web application or time (last hour, day, week, or month).
1.
On the Main tab, expand Overview and click Dashboard.
The BIG-IP dashboard opens in a separate window.
2.
In the Views menu of the dashboard, point to Standard, then choose Application Security Manager.
The Application Security Manager dashboard opens.
Figure 15.2 shows an example of the dashboard with application security statistics.
For each web application, the Application Security Manager logs requests according to the logging profile (Options > Logging Profiles). If you use local logging, you can review those requests in the Requests List on the Requests screen. For more information on configuring logging profiles, refer to Logging web application data.
The Requests List provides information about a request such as: the request category, the time of the request, its severity, the source IP address of the request, the server response code, and the requested URL itself, as shown in Figure 15.3. Icons on each request line provide additional status information such as whether the request is legal or illegal, blocked, truncated, or has a response. The request legend describes these icons.
You can view additional details about a request, including viewing the full request itself, and any violations associated with it. You can also drill down to view detailed descriptions of the violations and potential attacks, including violations found for staged entities.
When viewing details about an illegal request, if you decide that the request is trusted and you want to allow it, you can accept the violations shown for this specific request.
You can use a filter to view only those requests and events that are of interest to you, as described in Filtering reports. The filter list has several built-in options that you can use to display all requests, legal requests, illegal requests, or requests that occurred within a certain time range. You can also create a custom filter and view requests by violation, attack type, source IP address, HTTP method used, and many other options.
1.
On the Main tab, expand Application Security and click Reporting.
The Requests screen opens, where you can review a list of requests for all web applications.
Note: If Filter details are displayed, the Requests List appears below them.
2.
In the Requests List, click anywhere on a request if you want to view information about the request and any violations associated with it.
Click elsewhere on the line to display details on the same screen, below the Requests List. If later you want to hide the details, click the heading line.
In either place, you see any violations associated with the request and other details, such as the web application it relates to, the support ID, severity, and potential attacks that it could cause. As an example, Figure 15.4 shows information about a request that caused two potential violations.
Click the violation name to view details about this specific violation such as the file type, the expected and actual length of the query, or similar relevant information. As an example, Figure 15.5 shows details about the Expired Timestamp violation.
4.
For violations that you want to allow (false positives), click the Learn button.
If there are learning suggestions, the violations learning screen opens where you can accept the suggestions one at a time.
5.
To view the actual content of the request, click Full Request.
The content of the full request replaces the list of violations.
Figure 15.4 Request details
1.
On the Main tab, expand Application Security and click Reporting.
The Requests screen opens.
2.
If you want to export specific requests, select those requests from the list. You can export up to 100 entries in PDF format.
3.
At the bottom of the Requests List, click Export.
The Select Export Method popup screen provides options.
To export selected requests into a document, click Export selected requests in PDF format.
You can choose to open or save the file created.
To export requests to a document and send it by e-mail, click Send selected requests in PDF format to your E-mail address, and type your e-mail address.
Note: To use this option, first enable the SMTP mailer as described in Configuring an SMTP mail server.
To export all requests to a tar file, click Binary export of all requests defined by filter.
The system creates a *.tar.gz file of the requests, and saves it where you specify.
If you have reviewed and dealt with requests, you may want to clear them from the Requests List. This is an optional task.
1.
On the Main tab, expand Application Security and click Reporting.
The Requests screen opens.
The system prompts you to confirm the deletion, then removes the requests from the Requests List without changing the security policy.
You can display numerous graphical charts that illustrate the distribution of security alerts. You can filter the data by web application and time period, and you can view illegal requests based on different criteria such as web applications, violations, attack types, URLs, IP addresses, severity, response codes, request types, or protocols.
The system provides several predefined filters that produce charts focused on areas of interest including the top alerted applications, top violations, top attacks, and top attackers. You can use these charts as executive reports that summarize your overall system security.
Figure 15.6 is an example of a chart that shows the violations that have occurred on the system. Details below the chart include the number of occurrences for each type of violation.
You can use a filter to view the security incidents which are of interest to you. The filter list has several predefined options. In addition, you can create a custom filter. See Filtering reports.
The easiest way to learn about the graphical reports is to display a report, then change the view by criteria, and drill down into the report to display details about particular aspects you are interested in. The different steps you take are shown in the Chart Path on the left of the screen.
1.
On the Main tab, expand Application Security and click Reporting.
The Requests screen opens.
2.
From the Charts menu, choose Charts.
The Charts screen opens, where you can view graphical reports.
3.
From the Filter list, select the predefined or custom filter you want to use and click Go. For details, see Filtering reports.
4.
In the Charts section, next to View by, click the viewing criteria for the report you want to see.
The Reports screen displays a graphical report of illegal requests by the selected criteria. For example, if you selected view by Violation, the report shows each type of violation against the security policy in a pie chart (shown previously in Figure 15.6), followed by a details table, and a bar chart, which displays the violations that occurred over time.
5.
Click any slice in the pie chart or detail in the details table to display more information about that specific item.
The graphical report shows more details, and the view by choices are relevant only to the selection you made. For example, if viewing by Attack Type, you can click any attack type to view how many attacks of this type occurred for each application.
Click Reset All to remove all drilldown settings for the report but keep the view by criteria.
Click View Requests to view the requests that relate to the current report.
7.
To create a PDF version of the report that you can save or print (including charts based on your drill downs), at the bottom of the screen, click Export.
The system asks if you want to open or save the PDF file.
You can monitor graphical charts to determine how well your security policies are protecting your web applications. By viewing specific charts, you can check for false positives and adjust security policies accordingly. The contents of the charts can help you to determine why the system flagged certain requests as illegal.
For example, if you notice that many attacks are emanating from one IP address, you have identified a possible attacker. You can check the validity of that IP address. You may want to enable session-based enforcement to block those requests producing too many violations and coming from a single IP address. See Configuring IP address enforcement, for more information.
If you see that the same type of attack is coming from many different IP addresses, this may indicate a false positive, and you may need to adjust your security policy. As an example, if you see many illegal URL violations and find that they are coming from many different IP addresses, you should consider adding this URL to the security policy.
By viewing graphical reports periodically and investigating the illegal requests using different criteria, you can evaluate system vulnerabilities. As you get more familiar with the report details, you can use the information that you get to further secure your application traffic.
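The triage reasoning above (many violations from one IP address suggest an attacker; the same violation from many IP addresses suggests a false positive) can also be applied offline to request data. The following is an added example, not F5 code; the record fields, sample values, and thresholds are assumptions and do not reflect the format ASM exports.

```python
from collections import Counter, defaultdict

# Constructed sample of illegal requests. Field names and values are
# assumptions for illustration, not the format ASM exports.
SAMPLE_REQUESTS = (
    # One client producing many different violations across several URLs.
    [{"src_ip": "198.51.100.7", "violation": v, "url": u} for v, u in [
        ("Illegal parameter", "/login"),
        ("Illegal meta character in value", "/search"),
        ("Illegal parameter", "/search"),
        ("Illegal file type", "/admin.bak"),
        ("Illegal meta character in value", "/login"),
        ("Illegal parameter", "/cart"),
    ]]
    # The same violation on one URL, seen from five different clients.
    + [{"src_ip": f"203.0.113.{i}", "violation": "Illegal URL",
        "url": "/reports/new"} for i in range(1, 6)]
    # One of those clients is simply a heavy user of that URL.
    + [{"src_ip": "203.0.113.1", "violation": "Illegal URL",
        "url": "/reports/new"}] * 5
    + [{"src_ip": "192.0.2.44", "violation": "Illegal parameter",
        "url": "/search"}]
)


def triage(requests, single_ip_min=5, spread_ip_min=4):
    """Split illegal requests into review candidates.

    possible_false_positives: (violation, url, distinct_ips) where the same
        violation on the same URL came from at least spread_ip_min clients;
        these are candidates for a policy adjustment, not automatic changes.
    possible_attackers: source IPs with at least single_ip_min illegal
        requests, not counting requests already explained by a widespread
        violation, so a heavy user of an unlisted URL is not flagged.
    Both thresholds are hypothetical and should be tuned per application.
    """
    ips_by_pair = defaultdict(set)
    for r in requests:
        ips_by_pair[(r["violation"], r["url"])].add(r["src_ip"])
    widespread = {pair for pair, ips in ips_by_pair.items()
                  if len(ips) >= spread_ip_min}

    per_ip = Counter(r["src_ip"] for r in requests
                     if (r["violation"], r["url"]) not in widespread)
    attackers = sorted(ip for ip, n in per_ip.items() if n >= single_ip_min)
    false_positives = sorted((v, u, len(ips_by_pair[(v, u)]))
                             for v, u in widespread)
    return {"possible_attackers": attackers,
            "possible_false_positives": false_positives}


if __name__ == "__main__":
    result = triage(SAMPLE_REQUESTS)
    for ip in result["possible_attackers"]:
        print(f"review source IP: {ip}")
    for violation, url, n in result["possible_false_positives"]:
        print(f"review policy: {violation} on {url} from {n} IPs")
```

Raising `spread_ip_min` above the number of clients in the sample shows why the exclusion matters: the heavy user of `/reports/new` is then reported alongside the real outlier.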
You can configure the Charts Scheduler to send predefined and customized charts to specific email addresses periodically. Create a schedule for each chart that you want to send. Figure 15.7 shows an example of the chart scheduler.
Note: You must configure SMTP before you can send email notifications. If SMTP is not configured, an alert appears on the screen that links to SMTP configuration (Options > SMTP Configuration). Also, make sure the SMTP server is on the DNS lookup server list, and configure the DNS server that you want the system to use (System > Configuration > Device > DNS).
1.
On the Main tab, expand Application Security, point to Reporting, then Charts, and click Charts Scheduler.
The Charts Scheduler screen opens.
3.
Click the Create button.
The Chart Schedule Properties screen opens.
4.
For Schedule Title, type a name for this schedule.
5.
In the Send To (E-Mails) box, type each email address where you want the system to send a copy of the chart, then click Add.
6.
From the Chart list, select the predefined chart to send.
7.
For Send Every, select how often to send the charts, and after starting at, set the time and date to begin sending the charts.
8.
Click Create to save the schedule.
The Chart Scheduler screen shows the schedule you added.
The DoS Attacks report displays information about denial of service (DoS) attacks, including the associated web application and the start and end times of an attack. For details on configuring DoS attack detection, see Preventing DoS attacks for Layer 7 traffic.
1.
On the Main tab, expand Application Security, point to Reporting, Anomaly Statistics, then click DoS Attacks.
The DoS Attacks screen opens.
2.
From the Filter list, select Show All.
3.
Click Go.
The screen refreshes, and the DoS Attacks report displays all DoS attack events.
4.
To view statistical details about a DoS attack, click the View button in the Details column.
The system displays details it has collected about the attack, such as latency history and end time, dropped connections per IP address and URL, mitigation, IP addresses of the attackers, and attacked URLs.
5.
Click the View button next to IP Addresses or URLs to investigate the IP addresses where the attack is coming from and the URLs that are being attacked.
Figure 15.8 shows a sample DoS Attacks report showing details about the web application called perfclass and IP addresses. Information on DoS attacks is organized by web application.
The Brute Force Attack report displays information about brute force attacks, including the web application, login URL, and start and end times of an attack. For details on configuring brute force attack detection, see Mitigating brute force attacks.
1.
On the Main tab, expand Application Security, point to Reporting, Anomaly Statistics, then click Brute Force Attacks.
The Brute Force Attacks screen opens.
2.
From the Filter list, select Show All.
3.
Click Go.
The screen displays a report to show all brute force attack events.
The IP Enforcer statistics are available in the Reporting section of the Application Security Manager. The IP Enforcer Statistics report shows the IP addresses of the clients that were attacking a web application, and which requests were blocked based on a security policy and IP Enforcer configuration. For details about the IP Enforcer, see Configuring IP address enforcement.
Note: To gather IP Enforcer statistics, you must have configured the IP Enforcer in the Blocking or Transparent operation mode, and the security policy must be in Blocking enforcement mode and must block one or more violations.
1.
On the Main tab, expand Application Security, point to Reporting, Anomaly Statistics, then click IP Enforcer Statistics.
The IP Enforcer Statistics screen opens.
2.
From the Filter list, select Show All.
3.
Click Go.
The IP Enforcer Statistics screen displays all IP Enforcer statistics.
1.
On the Main tab, expand Application Security, point to Reporting, Anomaly Statistics, then click IP Enforcer Statistics.
The IP Enforcer Statistics screen opens.
2.
Select the client IP addresses that you want to unblock, and click Release.
The system considers the attack from this IP address to be over, and puts the time you released the IP address in the End Time column. The IP address remains in the list of IP Enforcer statistics.
The Web Scraping Statistics report displays information about web scraping attacks that the system detected and logged. The statistics include the client IP address, web application, start and end time, and the number of dropped and violating requests. For details on configuring web scraping detection, see Detecting and preventing web scraping.
Figure 15.9 shows an example of web scraping statistics that all originate from the IP address 192.168.172.60 for the web application called asas.
1.
On the Main tab, expand Application Security, point to Reporting, Anomaly Statistics, then click Web Scraping Statistics.
The Web Scraping Statistics screen opens.
2.
From the Filter list, select Show All.
3.
Click Go.
The screen refreshes, and the Web Scraping Statistics displays all incidents of web scraping that were detected.
The PCI Compliance report displays details on how closely the security policy of a web application meets Payment Card Industry (PCI) security standards, PCI-DSS 1.2. The report indicates which requirements Application Security Manager can help enforce, and allows you to view details about what to configure differently to meet compliance standards. The PCI Compliance report shows the configuration of the active security policy, if the web application has two or more security policies associated with it.
You can create printable versions of PCI compliance reports for each web application to assure auditors that the BIG-IP system and your web applications are secure.
Figure 15.10 shows a sample PCI Compliance report with one requirement in compliance, four not in compliance, one partially compliant, and several items that you must make compliant outside of Application Security Manager. Note that fixing items outside of Application Security Manager does not change the compliance state in the report.
1.
On the Main tab, expand Application Security and click Reporting.
The Requests screen opens.
2.
On the menu bar, click PCI Compliance.
The PCI Compliance Report screen opens showing a compliance report for the current web application.
3.
To learn more about items that are PCI compliant (items with a green check mark) or those which are not PCI compliant (items with a red X), in the Compliance State column, click the item link in the Requirement column.
The screen shows information about how to make an item compliant. For example, Figure 15.11 shows that vendor-supplied default passwords are used for the root and admin users.
5.
To display a PCI compliance report for a different web application, from the Web Application list, select the web application name.
A PCI compliance report for the new web application opens.
You can use a filter to view the information of interest to you in several of the reports. You can filter reports that show requests, charts, and anomaly statistics.
You can use the predefined filter options that are applicable to each type of information. Alternatively, you can create a custom filter that refines the report by criteria such as web application and time period.
1.
On the Main tab, expand Application Security, click Reporting and then display the report you are interested in.
2.
From the Filter list, select the filter you want to use.
3.
Click Go.
The screen displays the filtered report.
1.
On the Main tab, expand Application Security, click Reporting and then display the report you are interested in.
2.
If the filter options are not displayed, to the left of the Filter setting, click the Show/Hide Filter button.
The screen displays the custom filter options.
3.
Specify the criteria by which you want the Filter option to filter the report. The filter options vary for different reports. Refer to the online help for descriptions of the options.
4.
Click the Save Filter button.
A popup screen opens.
5.
Type a name for the custom filter, and click OK.
The screen refreshes, and you see the custom filter in the Filter list.
6.
From the Filter list, select the custom filter that you just created, and then click Go.
The report displays the filtered information.
You can examine the amount of CPU resources that the Application Security Manager is using, and also check overall BIG-IP system CPU usage.
1.
On the Main tab, expand Application Security, point to Reporting and click CPU Utilization.
The CPU Utilization screen opens and displays CPU usage over the past three hours.
1.
On the Main tab, expand Application Security, point to Reporting and click CPU Utilization.
2.
Click the Clear Performance Data button.
On the Main tab, expand Overview and click Performance.
The Performance screen opens, and you can view system CPU usage.