Monitor HTTP Load Balancer

• Select the Multi-Cloud App Connect service.

• Select your namespace from the drop-down list of namespaces.

• Select Overview > Applications or Overview > Performanceon the configuration menu to view the Application or Performance dashboard, respectively.
• Scroll down the the Load Balancers section to see a list of load balancers. Each load balancer is shown in a table row with some high-level information about the load balancer.
• Click the name of the load balancer you want to monitor. The Dashboard tab will show by default.

The dashboard tab offers a snapshot view for entire performance monitoring information. The performance monitoring dashboard shows overview sections such as health, alerts, metrics, clients, devices, policy, security, etc. Some sections contain links to more details. For instance, selecting the section name Active Alerts will display the alert tabs where you can see much more information about these and other alerts.

The following list provides overview on the dashboard and the various sections it offers:

• Metrics include requests, throughput, and latency. However, you can filter the Top Clients view to display error rate also.
• Client information includes details such as top clients, TLS fingerprints, client location, etc.
• Device information includes device type and browser type.
• Security information includes details such as top ASN, TSL/SSL statistics, URLs visited, service policy, etc. Also, HTTP error code trend is presented.

Select the Metrics tab to load the load balancer application metrics view:

The metrics present the trend of the following metrics in graph view over a default or configured time interval:

• Health score in terms of percentage.
• Request Rate, Error Rate, and Drop Rate.
• Latency.
• App Latency.
• Client and Server Round-Trip Time (RTT).
• Connection Duration.
• Upstream and Downstream Throughput.

Note: The metrics are grouped into fields such as Rate, Throughput, etc. A field may have one or more metrics.

Select a metric from the available fields on the right-hand side to display its trend. Hover your mouse pointer over a graph bar to view information specific to the time interval of that bar. You can also select the bar to switch to Requests tab.

A red bar indicates a time period where the request rate is outside the confidence window, which is shown in light blue as part of the graph background.

You can select any two metrics under a field such as Rate to display the combined graph for them. To do this, do the following:

• Each metric has two small graph bar buttons to its left arranged in a vertical stack. Select a metric under one field.
• Select the lower graph button for the other metric of the same field to display combined graph.

Note: Select Last 1 hour dropdown on the upper right end of the dashboard and select a time interval to inspect your site dashboard for that interval. The default for this is one hour and maximum allowed interval is 24 hours. You can customize the interval by selecting the Custom option and choosing date range. This can also be set graphically by adjusting the controls beneath the main graph.

Select the Traffic tab to view the monitoring page for traffic from requestor to origin server. The following information is displayed:

• The view shows a graphical representation where the traffic trend is presented between requestor and origin server. The representation shows sections for the trend of traffic from requesting site to load balancer and then from load balancer to origin server.

• Hover mouse pointer over any border bar to view details of the entity represented by that bar. For example, select the bar representing origin servers to view detailed information on the applications at those origin servers.

• Hover mouse pointer over any section to view details such as source, target, and request rate.
• Select the Request Rate filter above the graphical representation and select Response Throughput to change the details to show response throughput instead of requests.
• Select the Group by Service filter and select an option to change the origin server details. For example, if you select Group by Site, the bar representing origin server shows the site of origin server upon hovering mouse pointer over it.

Select the Origin Servers tab to view the monitoring information for origin servers. In this view, you can see the list of origin servers for your load balancer and metrics associated with the origin server.

Select > for an origin server entry to view its data in JSON format.

Select the Alerts tab to load the alerts view. The active alerts are displayed by default.

You can filter the display for alerts of a specific severity using the severity selection options. All severity types are selected by default. Select a severity selection option to hide the alerts for that severity. You can again select it to display alerts for that severity.

Note: Severity selection options are color-coded and located beneath the Add filter option.

Use the toggle selection and select All Alerts to view alerts. The All Alerts view shows graph for alerts over a specific period. The list of alerts is displayed beneath the graph.

Hover mouse pointer over a graph bar to view the alerts information specific to the time interval in which the bar is generated. Selecting the bar updates the graph and the list beneath the graph for the interval in which the bar is generated.

Note: You can also set a time interval in the All Alerts view to display alerts over a specific period of time.

Select > for any alert entry to display its details in JSON format.

Select the Requests tab to load the view for the trend of sampled HTTP requests.

The requests are displayed in a graphical trend as well as in a list for the default or specific time interval. Select > for any listed request to display detailed information in JSON format. Use the Hide Chart option on the top right side of the page to hide the graph and display only list entries.

Note: The system performs rate adaptive sampling to guarantee that a fair number of logs are stored even when the traffic loads are high.

Note: A custom time period must be within the last 7 days, which is the log retention limit.

You can apply filters to display the trend for specific HTTP codes. For example, de-select all and select only 2xx to display the requests for HTTP code 2XX.

You can apply filters to the display using the Forensics option at the right of the graph to show the Forensics side panel. Select a filter and select Apply to filter the display accordingly. You can also include more filter options by editing the default options and adding more from the displayed list.

Note: You can apply filters using the Add Filter option located above the requests graph.

Select the Errors tab to load the view for the trend of client or origin server errors.

The errors are displayed in a graphical trend for the default or specific time interval. You can adjust the time interval either using the drop-down selector located on the top right side of the page or using the controls beneath the graph.

The dashboard tab displayed by default and offers a snapshot view for entire security monitoring information. Dashboards show various security details such as security events by type and country, sources of events, API endpoint targets, DDoS, Bots, etc.

The following list provides overview on the dashboard and the various sections it offers:

• Security Events by Type section shows the trend of security events over time. Select Line or Area to to view the information in either a line or area graph. Select any event type above the graph to display or hide that type of event. Hover over the graph to see information for that time period. Select the section title, Security Events by Type to switch to the Security Analytics tab analyze these security events.

• Security Events by Country section shows the security events arranged in a map view. Use the Security Events drop-down filter to change the section to show DDoS events. Select a location with hits to switch to the Security Analytics or DDoS tab showing the events from that country.

• Top Attack Sources section shows a list of the sources with the most security events. Use the top-right drop-down menu to select top attack sources based on IP address, ASN (Autonomous System Number), or TLS Fingerprint. Select an item in the left column (IP address, ASN, or TLS Fingerprint) to those events in the Security Analytics tab.

• Top Attacked section shows where the most security events have occurred. Use the drop-down menu in the upper-right corner switch between top domains or top paths being attacked. Select a domain or path from the list to view the security events for that particular target.

• Top Attacked API Endpoints section shows a list of the domains and paths that being attacked the most, as well as the HTTP method associated with the security event. Select a domain, method, or path to see the specific events associated with your selection in the Security Analytics tab.

• API Classification section shows the count of API endpoints by category. The data shown is not dependent on the selected date and time range. Select the section title to get a complete view in the API Endpoints tab.

• Bot Classification section shows how many security events are caused by bots classified as suspicious. Select Suspicious Bots to see the events in the Security Analytics tab.

• Bot Defense: Top 3 Automations (Last 24 hr) shows the top three Bot automation types. Bot Defense must be configured in each HTTP Load Balancer in order to see Bot automation types in the section. Select the section title to get a complete view in the Bot Defense tab.

• Client-Side Defense section shows the complete security instance in the Client-Side Defense service for all namespaces and load balancers.

• Top Attacks by Signature section shows which attacks as defined by their signature are being used against your app. Attack signatures are rules or patterns that identify attack sequences or classes of attacks on a web application and its components. You can look up signatures in the F5 Attack Signature database by the signature ID or other details.

• Top Attacks by Attack Types section shows the primary methods of attack that are being utilized. Attack types are the rules or patterns that identify attacks or classes of attacks on a web application and its components, such as Cross-site Scripting or Server Side Code Injection.

• Top Attacks by Violations section shows the top ways your security policy is being violated. Violations occur when some aspect of a request or response does not comply with the security policy.

• Top Attacks by Threat Campaigns provide another view of the types of attacks being seen. Threat Campaigns are signatures of pervasive attacks that are often coordinated by organized crime and nation states. Threat campaign signatures are based on current “in-the-wild” attacks that exploit the latest vulnerabilities and/or new ways to exploit old vulnerabilities.

• Malicious Users shows the list of users flagged as malicious, and shows information such as their user ID, risk score, etc.

• DDoS Security Events shows the events flagged as DDoS events and suspicious clients. Select an entry in the time column to see more details in the DDos tab.

• Top Policy Policies Hit shows the service policies ranked by policy violations for this load balancer.

Select the API Endpoints tab to view the discovered API endpoints and information on the various metrics associated with each API endpoint. API discovery is based on requests to specific endpoints.

There are two ways to view the API endpoints data, selectable using the Graph and Table buttons at the top left of the API Endpoints tab. There are also three colored check box filters that allow you to show or hide certain types of endpoints:

• Inventory APIs: These API Endpoints are defined per the user's API Definition and are known as API Inventory.

• Discovered APIs: These API Endpoints are discovered by Console using AI/ML and are based on traffic to them. These may contain the Inventory APIs and more. The discovered API limit is 5000 endpoints per application.

• Shadow APIs: These APIs are discovered but not in inventory.

You can also select the Download Swagger option to download the API specifications in a machine-readable Swagger JSON file.

Note: The downloaded Swagger file will only show information discovered from requests. For instance, if an endpoint supports two HTTP methods, but only GET is seen, then only the GET method will be documented.

The API Endpoints tab also provides a summary of all discovered endpoints for each domain. When you select a specific domain, schema and sensitive data are presented as learned for this specific domain. If multiple domains are selected, the presented schema is learned across all domains. You can see a summary of the following:

• Top Attacked APIs: Presents the top three API endpoints with the highest percentage of attacks over traffic per endpoint.

• Top Sensitive Data: Presents the top three sensitive types detected in maximum number of API endpoints. The widget represents only current state, not effected by selected time range.

• Total API Calls: Presents the distribution of API calls by response codes.

• Most Active APIs: Presents the top three API endpoints with the highest percentage of traffic over all detected API traffic for the load balancer.

Note: For more information about API endpoints, see API Endpoint Discovery and Schema Learning.

Graph view

The graph view shows your API by segments and leaves in a railroad style diagram.

• Select a segment number at the top of the graph to toggle the display of all successive segments for all segments in that column.

• Select an individual segment to toggle the display of all successive segments for that branch.

• Select an HTTP request type or leaf to see endpoint details. The three tabs give overview information, personally identifiable information (PII) and discovered specs, and the Open API spec in JSON format.

• Select a non-leaf element to hide all path information beyond that point.

• Hover over a vertical or horizontal colored bar (including black) to see summary information for that portion of the path.

• Select the Fit button in the lower right corner of the graph to toggle the zoom factor of the graph contents between fitting in the current view or possibly requiring scrolling to see al contents.

Table view

The table view lists the paths in the API (including the endpoint) in a table along with summary information in the columns. The endpoints are shown with domains grouped.

• Select an entry in the Path column to see endpoint details. The three tabs give overview information, personally identifiable information (PII) and discovered specs, and the Open API spec in JSON format.

• Select ... > Show Security Events to see any flagged requests for that endpoint in the Security Analytics tab.

• Select ... > Edit Protection Rule to make changes to the protection rules for this endpoint. This selection will open the HTTP load balancer setup in the appropriate location allowing you to make changes to the endpoint protection rules.

• Select ... > Edit Rate Limit to update the rate limiting for your app. This selection will open the HTTP load balancer setup in the security configuration section allowing you to adjust the rate limiting for your origin servers.

Select the Malicious Users tab to view trend and list of events flagged as malicious user activity.

The malicious users view shows a bar chart representing the trend of malicious user activity over a default or selected time period. The view shows a graphical representation as well as a tiled list of users flagged as malicious (to the left side of the graph). Upon selection of a user entry from the left-side list, the graph on the right-side reflects that user's activity.

The view also displays a timeline section beneath the graph where risk scores for a user over the selected time period is displayed. The scores are categorized in terms of the severity of the events.

Malicious user mitigation is supported using the Block User option located on the top of the view. You can also use the Add to Allow List option to remove the user from the malicious users list.

Note: A malicious user is identified when a risk score is assigned to the user based on the user activity. A risk score is computed based on the malicious user detection configuration and this computation takes into account all the configuration parameters (such as login failure threshold and forbidden activity) enabled in the malicious user detection settings. Depending on the risk score, a threat level is attached to a malicious user and mitigation actions are applied based on the configuration set for each threat level. The risk score for a user is decayed over time, if no further suspicious activity is observed.

Select the Security Analytics tab to load security analytics view, which can be viewed in two ways: Events and Incidents. Both of these views will show data for the time period specified to the right of the Events/Incidents selector.

Events

Security events are individual violations of policy that may be attacks. The Events view shows security events over the time period set above the view. This page also displays filters for various types of events that are represented in different colored check boxes corresponding to the different colored bars in the chart. Beneath the graph, the security events page displays the events in a list showing summary information of each event.

Perform the following to analyze the security events:

• Select the time interval drop-down list on the top right side of the page to select another time interval or specify a custom interval.

• Select the Add Filter option and select a key-value pair to apply specific filters. You can select available key-value pairs. You can also choose a custom entry. Type a key, select Select Custom Key, type a value, and select Select Custom Value to apply a custom filter.

• Check or uncheck a colored check box to select or deselect those events from being displayed in both the graph and the event list below.

• Hover over a bar in the chart to get summary information for that time period.

• Enter a string in the Search field to only display table entries containing that string. Note that the search function only looks at the summary information in the table, not the complete event record.

• Select the Download CSV button to download a CSV file containing the full content of each event record shown in the table. Using the Add Filter option will reduce the table contents and therefore reduce the size of the CSV file subsequently downloaded, as indicated by the row count shown in the Download CSV button. Using the Search option merely hides non-matching rows, so it does not affect the CSV download.

• Select > at the left of a list item to display information of that event in a fully expanded view. Select the JSON tab to obtain the information in JSON format.

• Select ... in the Actions column of a list item to create a WAF exclusion rule or to add the client (source IP) to either the Blocked Clients list or Trusted Clients list.

You can apply filters to the display using the Forensics option at the right of the graph to show the Forensics side panel. Select a filter and then select Apply to filter the display accordingly. You can also include more filter options by editing the default options and adding more from the displayed list.

Note: See Attack Signature States for information on the states of signatures displayed on the Security Analytics view.

Incidents

Security Incidents simplify the investigation of attacks by grouping thousands of events into a few incidents based on context and common characteristics. The Incidents view shows a list of security incidents in a table based on the time period set above the view.

• Select the Add Filter option and select a key-value pair to apply specific filters. You can select available key-value pairs. You can also choose a custom entry. Type a key, select Select Custom Key, type a value, and select Select Custom Value to apply a custom filter.

• Enter a Search value to see only incidents that contain that search string. For instance, enter ongoing to see all incidents that are listed as Ongoing in the Last Status column. The search string is not case sensitive.

• Select the Download CSV button to download a CSV file containing the full content of each incident record shown in the table. Using the Add Filter option will reduce the table contents and therefore reduce the size of the CSV file subsequently downloaded, as indicated by the row count shown in the Download CSV button. Using the Search option merely hides non-matching rows, so it does not affect the CSV download.

• Select > at the left of a list item to display information of that incident in a fully expanded view, including a recommendation for resolving the incident. Select the JSON tab to obtain the information in JSON format.

Select the DDoS tab to monitor the DDoS information for this load balancer. The DDoS view shows the information on DDoS events occurring over the default or selected time interval. The view shows a geographical map showing the event location(s). Hover the mouse pointer over the location to view attack score and location information.

Select the Timeline option at the bottom of the map to display the trend for request rate, error rate, and throughput. This indicates which metric is associated with the DDoS event.

Select the DDoS Events drop down located at the top of the page to display the trend of DDoS events with list of events beneath the graph. Hover the mouse pointer over a graph bar to view the start time, end time, and number of events represented by that bar.

Select > for an entry to view detailed information in JSON format. The information includes IP addresses of users flagged as suspicious users.

Select Auto Mitigations above the graph to see rules created by the DDoS Auto Mitigation feature (See step 5.4 in How To - HTTP Load balancer for more details). Some rules are created for multiple IP prefixes, in which case you can select link in the IP Prefixes column to see the IP prefixes. The time columns show when the rule was created and when it will expire. You can delete the rule before it expires by selecting ... > Delete.

Select Analytics on the top of the page to view DDoS statistics for top IP addresses, regions, ASNs, and TLS fingerprints. Select the downward arrow for any field such as Top IPs to view the member list of that field. You can select members of any field and select Apply to filter the display for the selected members.

After selecting members, select Add Rule to create and apply a DDoS mitigation rule to the load balancer. This opens the load balancer configuration rule with the selected members.

For example, you can select an IP address and select Apply to filter the display for that IP address. Then selecting Add Rule opens the load balancer edit view with the DDoS rule populated with IP address as the source and blocking that IP address as the mitigation action. Select Apply and Save and Exit to apply the rule to load balancer.

Note: Select View Rules to open the load balancer DDoS rules configuration page and view the existing rules.

Select the Alerts tab to view the alerts for your load balancer. The active alerts are displayed by default.

You can filter the display for alerts of a specific severity using the severity selection options. All severity types are selected by default. Select a severity selection checkbox to show/hide the alerts for that severity.

Note: Severity selection checkboxes are color-coded and located beneath the Add filter option.

Use the toggle selection and select All Alerts to view alerts. The All Alerts view shows graph for alerts over a specific period. The list of alerts is displayed beneath the graph.

Hover the mouse pointer over a graph bar to view the alerts information specific to the time interval for which the bar is generated. Selecting the bar updates the graph and the list beneath the graph for the interval for which the bar is generated.

Note: You can also set a time interval in the All Alerts view to display alerts over a specific period of time.

Select > for any alert entry to display its details in JSON format.

Select the Requests tab to load the view for the trend of sampled HTTP requests.

The requests are displayed in a graphical bar chart as well as in a list for the default or specific time interval. Select > for any listed request to display detailed information in either a human-readable format or JSON format. Use the Hide Chart option on the top right side of the page to hide the graph and display only list entries.

Note: The system performs rate adaptive sampling to guarantee that a fair number of logs are stored even when the traffic loads are high.

Note: A custom time period must be within the last 7 days, which is the log retention limit.

You can apply filters to display the trend for specific HTTP codes. For example, de-select all and select only 2xx to display the requests for HTTP code 2XX.

You can apply filters to the display using the Forensics option at the right of the graph to show the Forensics side panel. Select a filter and select Apply to filter the display accordingly. You can also include more filter options by editing the default options and adding more from the displayed list.

Note: You can apply filters using the Add Filter option located above the requests graph.

The Bot Defense tab provides information on Bot activity, including traffic types, the top automation type, Bot vs. human traffic, top malicious Bots, and top endpoints attacked.

• In the Top Automation Type section, hover over the value bar to see the percentage associated with that automation type.

• Select Area or Bar in the Traffic Overview section to change the graph from an area chart to a bar chart.

• Hover over the graph in the Traffic Overview section to get specific Humans/Malicious Bots values for that time point.

• The Top Malicious Bots section shows a table of the top malicious Bots sorted first by malicious requests and then by the left column. Use the drop-down menu to select which information is in the left column, which also changes the following columns. Select a link element in the table to the security events associated with that item during that time period.

• In the Top Endpoints Attacked section, hover over a table entry ending in ... to see the full entry.