Access reports focus on session and logging data from Access devices (managed devices with APM licensed and provisioned). F5® Secure Web Gateway Services reports focus on user requests (for URLs or applications, for example) from Access devices with Secure Web Gateway Services provisioned. BIG-IQ® Centralized Management Access also supports high availability. Thus, users can view both Access and SWG reports on a secondary BIG-IQ system.
Access reports and SWG reports provide the following features.
Before you can produce Access reports and SWG reports, you must ensure that these tasks are already complete.
The All Devices option for Access reports includes data from the devices that are currently managed (discovered) in the BIG-IQ® system. This is in addition to data from devices that were managed at some point during the report timeframe, but that are not currently managed. With All Devices selected, if data from unmanaged devices exists, it displays in reports.
An unmanaged device might be unmanaged temporarily or permanently. Any time a configuration management change causes APM® to be undiscovered, the device and its data are moved to All Devices until APM is re-discovered on the device.
You cannot generate a report for an unmanaged device. However, you can generate a report for the timeframe when the device was managed, and then search the report for the unmanaged device name. In the Summary report, All Active Sessions includes the number of sessions that were active on the device when it became unmanaged. Those sessions stay in the Summary and in the Active sessions reports until the next session status update, which occurs every 15 minutes.
When you upgrade a BIG-IQ® Centralized Management system without taking a snapshot, the upgrade deletes all reporting data, including both Access and SWG reports. After upgrading, users cannot obtain these reports from the BIG-IP® devices. To prevent the loss of reports, users should take an Elasticsearch snapshot before upgrading, and restore the snapshot after upgrading. For more information on Elasticsearch snapshots, refer to F5 BIG-IQ Centralized Management: Upgrading Logging Nodes to Version x.x.
The Application Summary screen is your starting point to view and download general reports for BIG-IQ Access.
You can monitor your user base by viewing the BIG-IQ® Centralized Management Access user dashboard for data on specific users. The system displays which users created the most sessions, were denied the most sessions, and had the longest total session duration. The administrator can enter a specific user name to get the following details for the user:
You can monitor your applications by viewing the BIG-IQ® Centralized Management Access user dashboard for data on which applications are linked to the BIG-IQ Access component. The system displays the top applications used and the application usage time. Administrators can expand the GUI for a specific application and view the following information:
You can monitor the sessions that BIG-IQ® Centralized Management denies. By using the Access Monitoring option, you can view the following information:
The F5® BIG-IQ® Centralized Management Application Summary dashboard displays statistics for applications and users that are managed by the BIG-IP® system. This includes the most requested applications, and how often individual users access the applications. For example, as an administrator, you can see the application summary report for the SharePoint application managed by the BIG-IQ system. You can use the report to track usage statistics, such as the request count for SharePoint and the most frequent users by request count. You can also adjust the time slider to see statistics for a certain time period.
Before you begin configuring application visibility, refer to Access Reporting and Statistics, in the F5® BIG-IQ® Centralized Management: Monitoring and Reports guide.
Sample Application Summary dashboard
Notice the length of time displayed by the line graph, dictated by the time slider above. Also notice the top ten applications, with SharePoint at number one. You can select an application and view the usage over time and the top users for that application.
The basic BIG-IP® system configuration for BIG-IQ® application visibility applies when a classification profile is already available to the administrator. This situation occurs when you want to track predefined access applications in BIG-IQ, such as SharePoint, OWA, PeopleSoft, or Lotus Notes. When you configure the virtual server for one or more of these applications, the BIG-IP system has already configured a classification profile. For most other applications, this basic configuration does not apply, and you must create the classification profile as well as other necessary resources.
In some cases, you might want to define your own signatures. If so, even in a basic configuration, you must upload the signatures in Traffic Intelligence.
Classification signatures define different types of traffic that the BIG-IP® system can recognize through Traffic Intelligence. The system recognizes a predefined set of signatures for common applications and application categories that are updated periodically. You can download signature updates from F5 Networks, and schedule the system to automatically update the signatures (pull the updated signatures automatically). You can also manually install the classification signatures and updates, for example, if the BIG-IP system does not have Internet access.
If you want to display statistics and reports using the Access feature of BIG-IQ® in an application that does not have a predefined classification profile, you must create the classification profile and attach it to the virtual server. This is considered an advanced configuration, and applies to most applications.
|All||Uses the first or best strategy to resolve the conflict of rule match.|
|Best||Applies the actions of the rule specified in the list of defined strategies for the associated policy.|
|First||Applies the actions of only the first rule. This implies that the rule with the lowest ordinal, highest priority, or first in the list is applied.|
In BIG-IQ® application visibility, as part of the advanced configuration, there are two ways to configure the BIG-IP® classification preset and classification profile.
In the BIG-IP® system configuration for BIG-IQ® application tracking reporting, you do not need to allocate separate memory resources to enable the application visibility functionality. The runtime memory consumption depends on the amount of traffic processed, such as concurrent TCP flows.
Type these commands in the BIG-IP® UNIX shell to start and stop debugging and logging.
|tmctl gpa_classification_stats||Displays classification results in a table that lists all applications that were classified, the number of flows, the bytes in, and the bytes out.|
|tmsh modify sys db tmm.cec.log.level value Debug; tmsh modify sys db tmm.gpa.log.level value Debug||Generates debug logs. The log messages are stored in /var/log/tmm.|
|tmsh modify sys db tmm.cec.log.level reset-to-default; tmsh modify sys db tmm.gpa.log.level reset-to-default||Stops debug log messages.|
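One way to keep a debug session bounded is to wrap the commands listed above so that both log levels are reset even when the capture fails or is interrupted. This is an added example, not F5's own tooling; the function names, arguments, and output file path are assumptions.

```shell
#!/bin/bash
# Added example: time-boxed classification debug capture on a BIG-IP.
# Uses only the tmsh/tmctl commands listed above; function names,
# arguments and the default output path are assumptions.

DB_VARS="tmm.cec.log.level tmm.gpa.log.level"

# Put both log levels back to their defaults; warn but keep going on error.
reset_debug_levels() {
    for var in $DB_VARS; do
        tmsh modify sys db "$var" reset-to-default ||
            echo "WARN: could not reset $var" >&2
    done
}

# capture_classification_debug <seconds> <outfile>
capture_classification_debug() {
    seconds=$1
    outfile=$2
    # Subshell: the EXIT trap fires when the capture ends,
    # not when the administrator's login shell exits.
    (
        trap reset_debug_levels EXIT
        trap 'exit 130' INT TERM   # Ctrl-C still runs the EXIT trap
        for var in $DB_VARS; do
            tmsh modify sys db "$var" value Debug || exit 1
        done
        {
            echo "== stats at start =="
            tmctl gpa_classification_stats
        } > "$outfile" || exit 1
        sleep "$seconds"
        {
            echo "== stats at end =="
            tmctl gpa_classification_stats
        } >> "$outfile" || exit 1
    )
}

# Run only when invoked as: script.sh run <seconds> <outfile>
if [ "${1:-}" = "run" ]; then
    capture_classification_debug "${2:-60}" "${3:-/var/tmp/gpa_stats.txt}"
fi
```

The debug messages themselves still go to /var/log/tmm; the output file holds only the classification statistics taken at the start and end of the window.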
Top left portion of the Summary report display
Session details popup screen (with addresses and host names blurred)
When you run an Access report or an SWG report, Access can get up to 10,000 records to display to you. After you scroll to the end of those 10,000 records, Access displays a message. At that point, all you can do is select fewer devices or select a shorter timeframe.
|A session is over, but it continues to display in the Active sessions report.||If a session starts when logging nodes are up and working, but terminates during a period when logging nodes are unavailable, the session remains in the Active sessions report for 15 minutes. After 15 minutes, the session status is updated and the session is dropped from the report.|
|Active sessions are included in the Summary and Active sessions reports for a device that is no longer managed.||Sessions were active on a device when it was removed from an Access group and became unmanaged. Sessions that were active when the device became unmanaged remain counted in All Active Sessions on the Summary screen and stay in the Active sessions report until the next session status update, which occurs every 15 minutes.|
|A session is over, but Session Termination and Session Duration are blank in a session report.||If a session starts when logging nodes are up and working but terminates during a period when logging nodes are unavailable, the session termination is not recorded and the session duration cannot be calculated.|
Logging nodes are highly available, but it is still possible for them to become unavailable. This could occur, for example, if all logging nodes are on devices in the same rack in a lab, and the power to the lab shuts down.