Manual Chapter : Monitoring Firewall Rules

Applies To:

BIG-IQ Centralized Management

  • 5.0.0

About firewall rule monitoring

In BIG-IQ™ Network Security, you can monitor:

  • Firewall rule statistics, such as the number of times inbound network traffic has matched a firewall rule on a BIG-IP™ device (the firewall rule hit count), together with the rule's overlap status.
  • Firewall rule compilation statistics for the set of rules associated with a firewall context on a BIG-IP device.

You access this firewall rule monitoring by selecting Network Security from the BIG-IQ menu and then clicking Monitoring.

You can generate reports about firewall rules by selecting Network Security from the BIG-IQ menu, clicking Policy Editor, and then selecting Firewall Rule Reports.

Monitoring firewall rule statistics and hit counts

You can monitor firewall rule statistics and hit counts on one or more BIG-IP™ devices using Network Security monitoring.
Note: Firewall rule statistics are collected for the rules in the enforced policy associated with a firewall, but not the rules in a staged policy.
Note: If a virtual server, route domain or self IP is created using the BIG-IQ™ system, firewall statistics cannot be collected until the changes are deployed to the device and reimported.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Monitoring.
  4. Click Firewall Rule Statistics.
    The Firewall Rule Statistics screen opens and displays a list of firewall contexts, including their name, partition, type, and on what BIG-IP device they occur.
  5. Click the name of the firewall context to monitor.
    The Firewall Rule Statistics page for that firewall context opens.
    The following information is listed in the named columns for each firewall rule on the BIG-IP device:
    • Rule Name specifies the name of the rule used in the policy. If no name is listed, the rule is not running.
    • Rule List Name specifies the name of the rule list if the rule is in a rule list.
    • Rule specifies the name of the rule within a rule list. If the rule is not in a rule list, this field is blank.
    • Overlap Status specifies whether the rule overlaps with another rule.
    • Hit Count specifies the number of times the rule has been matched.
    • Last Hit Time specifies when the rule was last matched.
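The columns above are what a rule-base review is built on. The following Python is an added example, not part of this manual and not a BIG-IQ API: it takes rows shaped like the Firewall Rule Statistics screen and sorts them into the buckets an administrator acts on (rules that have never matched, rules that have not matched within a review window, rules flagged by the overlap check, and rows with no rule name, which the screen uses to mean the rule is not running). All rule names, rule lists and timestamps are constructed for the example, and the Overlap Status column is reduced to a yes/no flag. The staged-policy note above applies: a rule absent from these statistics may simply be staged, not unused.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class RuleStat:
    """One row of the Firewall Rule Statistics screen (one rule on one BIG-IP device)."""
    rule_name: str                     # Rule Name; empty means the rule is not running
    rule_list_name: str                # Rule List Name; empty if the rule is not in a rule list
    rule: str                          # Rule: name within the rule list; empty otherwise
    overlaps: bool                     # Overlap Status, reduced to yes/no for this example
    hit_count: int                     # Hit Count
    last_hit_time: Optional[datetime]  # Last Hit Time; None if the rule has never matched


def display_name(stat: RuleStat) -> str:
    """Rules inside a rule list are reported as 'rule-list/rule'; others by rule name."""
    if stat.rule_list_name:
        return f"{stat.rule_list_name}/{stat.rule}"
    return stat.rule_name


def review_rules(stats: List[RuleStat], now: datetime,
                 stale_after: timedelta = timedelta(days=30)) -> Dict[str, List[str]]:
    """Sort rules into the buckets a rule-base review cares about.

    never_hit:   hit count 0 (or no last hit time): the rule has not matched any
                 traffic since statistics began; candidate for removal or staging
    stale:       matched before, but not within `stale_after`
    overlapping: the overlap check flagged the rule against another rule
    not_running: the row carries no rule name

    Rules in a staged policy never appear in these statistics, so a rule that is
    missing from the input is not evidence that it is unused.
    """
    report: Dict[str, List[str]] = {
        "never_hit": [], "stale": [], "overlapping": [], "not_running": []}
    for stat in stats:
        if not stat.rule_name:
            report["not_running"].append(display_name(stat) or "<unnamed>")
            continue
        name = display_name(stat)
        if stat.hit_count == 0 or stat.last_hit_time is None:
            report["never_hit"].append(name)
        elif now - stat.last_hit_time > stale_after:
            report["stale"].append(name)
        if stat.overlaps:
            report["overlapping"].append(name)
    return report


# Constructed review time and sample rows; every name here is hypothetical.
NOW = datetime(2016, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_STATS = [
    RuleStat("allow-mgmt-ssh", "", "", False, 1523, NOW - timedelta(hours=2)),
    RuleStat("allow-legacy-ftp", "", "", False, 0, None),
    # policy rule 'allow-web' references rule list 'web-rules'
    RuleStat("allow-web", "web-rules", "allow-http", False, 88912, NOW - timedelta(days=1)),
    RuleStat("allow-web", "web-rules", "allow-http-alt", True, 0, None),
    RuleStat("allow-old-vpn", "", "", False, 3, NOW - timedelta(days=90)),
    RuleStat("", "legacy-rules", "allow-telnet", False, 0, None),
]

if __name__ == "__main__":
    for bucket, names in review_rules(SAMPLE_STATS, NOW).items():
        print(f"{bucket:12s} {', '.join(names) or '-'}")
```

The 30-day window is a starting point; widen it for rules that only fire on rare events (for example quarterly batch transfers) before treating a low hit count as evidence that a rule can be removed.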

Monitoring firewall rule compilation statistics

You can monitor rule compilation statistics on one or more BIG-IP™ devices using Network Security monitoring. This information is similar to what is displayed when using the tmsh show security firewall container-stat command.
Note: If a firewall context references a policy that is both staged and enforced, there will be two entries in the compilation statistics: one for the enforced policy and one for the staged policy.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Monitoring.
  4. Click Firewall Compilation Statistics.
    The Firewall Compilation Statistics screen opens and displays the list of BIG-IP devices managed by the BIG-IQ system, including their network name, IP address, and BIG-IP device version.
  5. Click the name of the BIG-IP device to monitor.
    The Firewall Compilation Statistics page for that BIG-IP device opens.
    Depending on the version of the BIG-IP device, some or all of the following information is listed in the named columns for each firewall context on the BIG-IP device:
    • Context Name specifies the context name associated with the one or more rules, such as /Common/global-firewall-rules.
    • Context Type specifies the firewall context type associated with the one or more rules, such as global or self IP.
    • Policy Name specifies the name of the policy associated with the one or more rules.
    • Policy Type specifies type of policy associated with the one or more rules, such as enforced or staged.
    • Rule Count specifies the number of rules compiled for this BIG-IP device context, such as 30. This count includes rules in rule lists as well as rules that are not in rule lists.
    • Compile Duration specifies the amount of time required to compile the rules, expressed as hours:minutes:seconds.
    • Overlap Check Duration specifies the amount of time required to check overlapping rules, expressed as hours:minutes:seconds.
    • Size specifies the size of the compiled rules in bytes.
    • Max Memory specifies the maximum amount of memory consumed by the rules in bytes.
    • Activation Time specifies when the rules are activated and available for use.
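Two things are worth automating against these columns: converting the hours:minutes:seconds durations so that slow compiles or overlap checks can be thresholded, and, where a context has both an enforced and a staged entry (see the note above), comparing the two so that the rule count, compiled size and memory change of promoting the staged policy are visible before deployment. The following Python is an added example, not part of this manual and not a BIG-IQ API; the rows, context names, policy names and figures are constructed. The sample stages a different policy from the one enforced; grouping by context name also covers the case in the note, where the same policy is both staged and enforced.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CompileStat:
    """One row of the Firewall Compilation Statistics screen."""
    context_name: str            # Context Name, e.g. /Common/global-firewall-rules
    context_type: str            # Context Type: global, self IP, virtual server, ...
    policy_name: str             # Policy Name
    policy_type: str             # Policy Type: enforced or staged
    rule_count: int              # Rule Count (rule-list rules included)
    compile_duration: str        # Compile Duration, hours:minutes:seconds
    overlap_check_duration: str  # Overlap Check Duration, hours:minutes:seconds
    size: int                    # Size of the compiled rules, bytes
    max_memory: int              # Max Memory consumed by the rules, bytes
    activation_time: str         # Activation Time


def parse_hms(value: str) -> int:
    """Convert an 'hours:minutes:seconds' column value to whole seconds.

    Malformed values raise rather than silently becoming 0, so a parsing
    problem cannot hide a slow compile.
    """
    parts = value.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected hours:minutes:seconds, got {value!r}")
    hours, minutes, seconds = (int(p) for p in parts)
    if minutes > 59 or seconds > 59:
        raise ValueError(f"minutes/seconds out of range in {value!r}")
    return hours * 3600 + minutes * 60 + seconds


def staged_vs_enforced(stats: List[CompileStat]) -> Dict[str, Dict[str, object]]:
    """For each context with both an enforced and a staged entry, report what
    promoting the staged policy would change."""
    by_context: Dict[str, Dict[str, CompileStat]] = {}
    for st in stats:
        by_context.setdefault(st.context_name, {})[st.policy_type] = st
    diffs: Dict[str, Dict[str, object]] = {}
    for ctx, entries in by_context.items():
        if "enforced" in entries and "staged" in entries:
            enforced, staged = entries["enforced"], entries["staged"]
            diffs[ctx] = {
                "enforced_policy": enforced.policy_name,
                "staged_policy": staged.policy_name,
                "rule_count_delta": staged.rule_count - enforced.rule_count,
                "size_delta": staged.size - enforced.size,
                "max_memory_delta": staged.max_memory - enforced.max_memory,
                "staged_compile_seconds": parse_hms(staged.compile_duration),
            }
    return diffs


def slow_compiles(stats: List[CompileStat],
                  threshold_seconds: int = 60) -> List[Tuple[str, str]]:
    """(context, policy type) pairs whose compile or overlap check exceeded the threshold."""
    return sorted(
        (st.context_name, st.policy_type)
        for st in stats
        if parse_hms(st.compile_duration) > threshold_seconds
        or parse_hms(st.overlap_check_duration) > threshold_seconds
    )


# Constructed sample rows; contexts, policies and figures are hypothetical.
SAMPLE_COMPILE = [
    CompileStat("/Common/global-firewall-rules", "global", "/Common/global-policy",
                "enforced", 30, "00:00:04", "00:00:02", 18432, 262144, "2016-05-30 09:12:00"),
    CompileStat("/Common/global-firewall-rules", "global", "/Common/global-policy-v2",
                "staged", 45, "00:00:07", "00:00:03", 27648, 327680, "2016-05-31 16:40:00"),
    CompileStat("/Common/vs_app1", "virtual server", "/Common/app1-policy",
                "enforced", 1200, "00:02:15", "00:01:05", 1048576, 8388608, "2016-05-29 22:05:00"),
    CompileStat("/Common/10.1.1.5", "self IP", "/Common/selfip-policy",
                "enforced", 12, "00:00:01", "00:00:00", 6144, 131072, "2016-05-28 11:00:00"),
]

if __name__ == "__main__":
    for ctx, diff in staged_vs_enforced(SAMPLE_COMPILE).items():
        print(ctx, diff)
    print("slow:", slow_compiles(SAMPLE_COMPILE))
```

A positive rule count or size delta on a context is the number to check against the policy change you expect to deploy; a large unexpected jump usually means a rule list was attached to the staged policy that the enforced one does not reference.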