Manual Chapter : Working with Passive Monitoring

Applies To:

BIG-IP ASM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

Overview: Configuring the BIG-IP System Passive Monitoring

You can configure a physical interface on a BIG-IP® system to operate in passive mode. In this mode, the interface accepts mirrored traffic from another device for analysis of Layer 7 traffic.

Passive mode behavior

Using a configured ASM passive monitoring policy and/or ASM DoS profile, the system analyzes the mirrored traffic, displays the resulting reports, and sends the resulting analytics data and log messages to a remote analytics and logging server. The mirrored traffic never leaves the system, and the BIG-IP system never acts on the headers and payload. The logs report the actions the system would have taken if it were not in passive mode.

Benefits of DoS Layer 7 passive monitoring

Passive monitoring allows Layer 7 monitoring of attacks and discovery of system vulnerabilities while being quick and easy to deploy. The existing network topology does not need to be changed, and no VLANs or IP addresses need to be configured.

Sample configuration

There are two passive monitoring options, and their sample configurations are different.
  • ASM Layer 7 policy: DoSL7 and ASM need to be mirrored after the SSL terminator since they need to work with unencrypted data.
  • ASM DoS profile: Network DoS needs to work on traffic mirrored before the SSL terminator. Otherwise, the SSL terminator itself is not protected.

This illustration shows a configuration for ASM policy passive monitoring.

This illustration shows a configuration for DoS profile passive monitoring.

Common use case

Passive monitoring of DoS Layer 7 is for evaluation purposes only.

Prerequisite configuration

Before you begin to configure your ASM passive mode policy or your DoS profile, ensure that you have set up your network and configured your BIG-IP system according to the BIG-IP Passive Monitoring Configuration Guide. You need an SSL terminator to decrypt the mirrored traffic for analysis.
  • DoS Layer 7 and ASM traffic analysis work on unencrypted data, so their traffic needs to be mirrored after the SSL terminator.
  • Network DoS works on encrypted data, so its traffic needs to be mirrored before the SSL terminator.

In addition, you need to enable the appropriate database variable depending on the configuration you are using. This allows you to associate the ASM policy or DoS profile with a FastL4 virtual server, which is required for this feature. If you are configuring passive monitoring with a DoS profile, on the command line, type the following:

             tmsh modify sys db dosl7.fastl4_allow value enable

If you are configuring passive monitoring with an ASM security policy, type the following:

             tmsh modify sys db asm.fastl4_allow value enable
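As an added preflight check (example code, not from the F5 manual), the following script verifies that the two db variables named above are enabled before you attach the policy or profile. It assumes that `tmsh list sys db <name>` prints a block containing a `value "..."` field, and it uses a hypothetical TMSH_LIST hook so the same check can be run against captured tmsh output instead of a live system.

```shell
#!/bin/sh
# Added example, not from the F5 manual: preflight check that the db variables
# named in this chapter are enabled before a passive monitoring ASM policy or
# DoS profile is attached to a FastL4 virtual server.
# Assumption: `tmsh list sys db <name>` prints a block of the form
#   sys db asm.fastl4_allow {
#       value "enable"
#   }
# TMSH_LIST (hypothetical hook) names a command or function that returns such a
# block for a given variable, so the check can run against captured output.

# Extract the quoted value field from a `tmsh list sys db` block read on stdin.
db_value() {
    sed -n 's/^[[:space:]]*value "\(.*\)"[[:space:]]*$/\1/p' | head -n 1
}

# Fetch the block for one db variable, from tmsh or from the override hook.
fetch_db() {
    if [ -n "$TMSH_LIST" ]; then
        "$TMSH_LIST" "$1"
    else
        tmsh list sys db "$1"
    fi
}

# Returns 0 when every named variable is "enable"; otherwise prints the exact
# tmsh command from the chapter needed to fix each one and returns 1.
check_passive_prereqs() {
    rc=0
    for var in "$@"; do
        val=$(fetch_db "$var" | db_value)
        if [ "$val" = "enable" ]; then
            echo "ok: $var is enabled"
        else
            echo "missing: $var is '${val:-unset}'; run: tmsh modify sys db $var value enable"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use on the BIG-IP itself: check both variables at once.
# check_passive_prereqs asm.fastl4_allow dosl7.fastl4_allow
```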

Creating a passive monitoring ASM security policy

Only certain features are supported for passive monitoring. Unsupported features must be disabled in the security policy.
  1. On the Main tab, click Security > Application Security > Security Policies > Policies List .
    The Policies List screen opens.
  2. Click Create New Policy.
    You only see this button when no policy is selected.
  3. In the Policy Name field, enter a meaningful name to reflect that this is a passive monitoring policy.
  4. Leave Policy Type set to Security.
  5. Set the Policy Template to Passive Monitoring.
  6. Set the Enforcement Mode to Transparent.
  7. Click Create Policy to create the security policy.
ASM creates the passive monitoring security policy.
Now you must configure the policy's Learning and Blocking Settings.

Passive security policy supported features

The following details the ASM security policy features and what is supported in passive mode.

Feature / Parts Supported / Parts Not Supported

  • Enforcement Mode
    Supported: Transparent
    Not supported: Blocking. If this is selected, blocked transactions will be shown in the logs as being blocked, while they are actually passed.
  • Violations Settings
    Supported: Learn, Alarm
    Not supported: Block. If this is selected, blocked transactions will be shown in the logs as being blocked, while they are actually passed.
  • Policy Building
    Supported: Manual, Automatic; based on IP addresses only (including trusted IPs); Centralized Policy Builder (requires a separate forwarding port)
    Not supported: Learning based on Device ID is not supported.
  • Attack Signatures
    Supported: Fully supported (request and response)
    Not supported: -
  • Content Profiles
    Supported: Fully supported
    Not supported: Content-Based Routing
  • File Types
    Supported: Fully supported
    Not supported: -
  • IP Intelligence
    Supported: Fully supported
    Not supported: -
  • Geolocation Enforcement
    Supported: Fully supported
    Not supported: -
  • Headers
    Supported: Fully supported
    Not supported: -
  • Dynamic Session ID in URL
    Supported: Fully supported
    Not supported: -
  • Vulnerability Assessments
    Supported: Resolutions are supported according to the features they enable as specified in this table. (Requires a separate forwarding port.)
    Not supported: -
  • Antivirus protection (ICAP): not supported (no parts supported)
  • Database Security: not supported (no parts supported)
  • Bypassing of Search Engines: not supported (no parts supported)
  • Login Enforcement: not supported (no parts supported)
  • Session Tracking: not supported (no parts supported)
  • CSRF Protection
    Supported: Only Verify Origin enforcement mode is supported.
    Not supported: Verify CSRF Token is not supported.
  • Web Scraping: not supported (no parts supported)
  • Single Page Application: not supported (no parts supported)
  • Content-Based Routing (CBR): not supported (no parts supported)
  • Brute Force
    Supported:
      • Alarm
      • Automatic detection of Login Page
      • Statistics are collected
    Not supported: any action except for "Alarm":
      • Device ID
      • Alarm and Blocking Page
      • Alarm and CAPTCHA
      • Alarm and Client Side Integrity
      • Alarm and Client Side Integrity Followed by CAPTCHA
      • Alarm and Drop
      • Alarm and Honeypot Page
  • CORS (Cross-Origin Request Sharing)
    Supported: Only when "Enforce on ASM" is selected, and only for alarming a violation upon an illegal origin.
    Not supported:
      • Remove all CORS headers
      • Replace CORS headers
    CORS headers are not modified.
  • WebSocket Enforcement
    Supported: All except the following.
    Not supported:
      • Remove all CORS headers
      • WebSocket Extensions: Remove Headers is not supported
      • Block is supported only for logging
  • URL Enforcement
    Supported: All except the following.
    Not supported: URL Flows
  • Parameters
    Supported: All except the following.
    Not supported: Dynamic Extractions
  • Data Guard
    Supported:
      • Detection and triggering violations
      • Mask Data: only affecting response logging (local and remote)
    Not supported: Mask Data: masking the responses on the network will not be done.
  • Cookies
    Supported: Allowed Cookies
    Not supported: Enforced Cookies
  • iRules: not supported (no parts supported)
  • Logging and Reporting (as listed in the table)
      • Local Event Log
      • Remote Event Log (requires a separate forwarding port)
      • Response Logging
      • Event Correlation
      • ASM Charts
      • Chart Schedule
      • Brute Force Attacks Statistics
      • Web Scraping Reports
      • Session Tracking Reports

Passive monitoring DoS profile

Creating a passive monitoring DoS profile

  1. On the Main tab, click Security > DoS Protection > DoS Profiles .
    The DoS Profiles list screen opens.
  2. Click Create.
    The Create New DoS Profile screen opens.
  3. In the Name field, type the name for the profile, then click Finished.
  4. In the list of DoS profiles, click the name of the profile you just created, and click the Application Security tab.
  5. In the General Settings tab, for Application Security, click Edit and select the Enabled check box.
    General settings are displayed. The following features are supported. All other features are not supported in passive mode.
    Feature / Parts Supported / Parts Not Supported
    • Heavy URL Protection
      Supported: Fully supported
      Not supported: -
    • Geolocations
      Supported: Fully supported (Blacklist, Whitelist)
      Not supported: -
    • Trigger iRule
      Supported: IN_DOSL7_ATTACK event
      Not supported: Blocking or modifying traffic from iRules
  6. In the TPS-based Detection tab, select Transparent for the Operation Mode.
    The Operation Mode settings are displayed. The following features are supported. All other features are not supported in passive mode.
    Feature / Parts Supported / Parts Not Supported
    • Thresholds Mode
      Supported: Fully supported (Manual, Automatic)
      Not supported: -
    • How to detect attackers and which mitigation to use
      Supported: Client Side Integrity Defense, CAPTCHA Challenge, Request Blocking
      Not supported: -
    • Prevention Duration
      Supported: No prevention
      Not supported: Resolutions are supported according to the features they enable as specified in this table.
  7. In the Behavioral & Stress-based Detection tab, select Transparent for the Operation Mode.
    The Operation Mode settings are displayed. The following features are supported. All other features are not supported in passive mode.
    Feature / Parts Supported / Parts Not Supported
    • Thresholds Mode
      Supported: Fully supported (Manual, Automatic)
      Not supported: -
    • Stress-based Detection and Mitigation
      Supported: Client Side Integrity Defense, CAPTCHA Challenge, Request Blocking
      Detection of Server Stress is done as "best effort". In case the switch that is doing the mirroring becomes congested, a Layer 7 DoS attack may be detected, although the problem is actually at the Layer 3 switch.
    • Behavioral Detection and Mitigation: Bad actors behavior detection
      Supported: Detection
      Not supported: Mitigation
    • Behavioral Detection and Mitigation: Request signatures detection
      Supported: Detection
      Not supported: Mitigation
    • Behavioral Detection and Mitigation: Mitigation
      Supported: No Mitigation
      Not supported: Conservative Protection, Standard Protection, Aggressive Protection

Passive monitoring volumetric DoS Layer 7

The following details the ASM volumetric DoS Layer 7 features and what is supported in passive mode.

Features / Parts Supported / Parts Not Supported

  • TPS-Based Detection (Enforcement mode)
    Supported: Transparent Mode; Blocking Mode* (see NOTE below)
    Not supported: -
  • Stress-based Detection (Enforcement mode)
    Supported: Transparent Mode; Blocking Mode* (see NOTE below)
    Detection of Server Stress is done as "best effort". In case the switch that is doing the mirroring becomes congested, a Layer 7 DoS attack may be detected, although the problem is actually at the Layer 3 switch.
  • Mitigation
    Supported: Transparent; Client Side Integrity Defense* (see NOTE below); CAPTCHA Challenge* (see NOTE below); Request Blocking* (see NOTE below)
    Not supported: -
  • Thresholds Mode
    Supported: Fully supported (Manual, Automatic)
    Not supported: -
  • Heavy URL Protection
    Supported: Fully supported
    Not supported: -
  • Record Traffic
    Supported: On single-host virtual servers
    Not supported: On catch-all virtual servers (those with any/any destination)
  • Bot Signatures
    Supported: Report; Block* (see NOTE below); Search Engines (requires a separate forwarding port)
    Not supported: -
  • Geolocations
    Supported: Fully supported (Blacklist* (see NOTE below), Whitelist)
    Not supported: -
  • Proactive Bot Defense: not supported (no parts supported)
  • Single Page Application: not supported (no parts supported)
  • Trigger iRule
    Supported: IN_DOSL7_ATTACK event
    Not supported: Blocking or modifying traffic from iRules
  • Logging and Reporting
    Supported: Fully supported (DoS Visibility, Local Event Log, Remote Event Log (requires a separate forwarding port))

Note: Server Health and average server latency are reported on a "best effort" basis. In case the switch that is doing the mirroring becomes congested, these values may be wrong: the server health may be shown as low, although the problem is actually at the Layer 3 switch.

Note: All the "block" or "mitigation" parts mentioned above are for reporting purposes only. The traffic is always sent to the server without mitigation. When selecting blocking mode and a specific mitigation, all the reports will show as if the mitigation was applied, or the traffic was blocked. This is a "what if" report, and is supported. However, using this mode will show error messages in /var/log/ltm such as the following:

Feb 25 18:33:46 bigip29 err tmm2[26547]: 011f0016:3: http_process_state_prepend - Invalid action:0x109010 Server sends too much data. serverside (1.1.1.1:80 -> 1.1.1.2:9785) clientside (1.1.1.2:45710 -> 1.1.1.3:80) (Server side: vip=/Common/vs_39_80 profile=http pool=/Common/pool_80 server_ip=1.1.1.1)

Passive monitoring behavioral analysis DoS Layer 7

The following details the ASM behavioral analysis DoS Layer 7 features and what is supported in passive mode.

Features / Parts Supported / Parts Not Supported

  • Mitigation
    Supported: -
    Not supported: Conservative Protection, Standard Protection, Aggressive Protection
  • Bad actors behavior detection
    Supported: Detection
    Not supported: Mitigation
  • Request signatures detection
    Supported: Detection
    Not supported: Mitigation
  • Logging and Reporting
    Supported: Fully supported (DoS Visibility, Local Event Log, Remote Event Log)

Note:

  • Server Health and average server latency are reported on a "best effort" basis.
  • In case the switch that is doing the mirroring becomes congested, these values may be wrong.
  • The server health may be shown as low, although the problem is actually at the Layer 3 switch.
  • A Layer 7 DoS attack may be detected, although the problem is actually at the Layer 3 switch.

Passive monitoring test considerations

When testing the passive monitoring feature, keep the following observations in mind.

Feature / Notes / Observations when feature is enabled

  • Login Enforcement
    Notes: -
    Observations: Even after a successful login, every request for the Authenticated URL causes a violation.
  • Session Tracking
    Notes: Includes Session Hijacking and Session Awareness.
    Observations: Requests are not logged after the first 10 requests, and there is no violation.
  • Web Scraping
    Notes: -
    Observations: Requests are not logged after the first 10 requests, and there is no violation.
  • Single Page Application
    Notes: -
    Observations: This feature is completely based on injected JavaScript. Since JavaScript is not injected in passive mode, the feature does not work.
  • CSRF Protection
    Notes: Verify CSRF Token is not supported.
    Observations: The enforcement based on origin works the same as for inline BIG-IP systems. CSRF token enforcement does not work because it is based on JavaScript and cookie injection. Every request to a URL where token verification is required raises a CSRF violation.
  • Brute Force
    Notes: The following are not supported:
      • Blocking Mode
      • Session-based
      • Device ID
      • Client Side Integrity Defense
      • Rate Limiting
    Observations: Under one of the following conditions, requests are not logged after the first 10 requests, and there is no violation:
      1. Blocking mode/violation + username based + Alarm and CAPTCHA.
      2. Blocking mode/violation + username based + Alarm and CS-challenge.
      3. Blocking mode/violation + IP based + Alarm and CAPTCHA.
      4. Blocking mode/violation + IP based + Alarm and CS-challenge.
      5. Device ID based.
      6. Detect Distributed Attack + any of the conditions 1 through 5.
      7. Credential Stuffing + any of the conditions 1 through 5.
      8. As in all other use cases, Blocking mode does not block any request.
  • CORS
    Notes: The following are not supported:
      • Remove all CORS headers
      • Replace CORS headers
    CORS headers are not modified.
    Observations: CORS headers are not removed and not replaced.
  • WebSocket Enforcement
    Notes: The following are not supported:
      • Remove all CORS headers
      • WebSocket Extensions: Remove Headers is not supported.
    Block is supported only for logging.
    Observations: CORS headers are not removed and not replaced.
  • Enforced Cookies
    Notes: -
    Observations: Every request that includes one enforced cookie causes a violation.
  • URL Flow
    Notes: -
    Observations: Every request for the configured URL causes a violation.
  • Dynamic Extractions
    Notes: -
    Observations: Every request related to a dynamic extraction causes a violation.
  • Session Tracking Reports
    Notes: -
    Observations: Reports only show the first 10 requests.
  • Web Scraping Reports
    Notes: -
    Observations: Statistics are not reported.
  • Policy Builder
    Notes: Learning based on Device ID is NOT supported.
    Observations: No effect on traffic after enabling Device ID. Policy Builder still learns suggestions from IP addresses.
  • Anti-Virus protection (ICAP)
    Notes: -
    Observations: The violation is not detected, and there is no side effect.
  • Database Security
    Notes: -
    Observations: Not tested.
  • Bypassing of Search Engines
    Notes: -
    Observations: No matter what User-Agent / XFF value is used, only the first 10 requests are logged. There is no violation.
  • iRules
    Notes: -
    Observations:
      1. If the ASM_REQUEST_DONE event triggers for a request, IO_PLUGIN|ERR appears in bd.log and the request is not logged (Bug 655562).
      2. If the ASM_REQUEST_BLOCKING event triggers for a request, the request is logged as illegal only (Bug 655818).
      3. If the ASM_RESPONSE_VIOLATION event triggers for a request, the request is not logged (Bug 655823).