Monitor Web App & API Protection

Objective

This document provides instructions on how to monitor your Apps and APIs from a security standpoint. F5® Distributed Cloud Services provides the Web App and API Protection (WAAP) service to help you mitigate application threats and vulnerabilities across multi-cloud and edge environments. WAAP provides a web application firewall (WAF), DDoS mitigation, bot defense, API security, and Client-side defense.

Using the instructions provided in this document, you can assess your current security situation and dive into details for areas of concern.


Prerequisites


Monitor Web App and API Protection

The Distributed Cloud Platform offers two types of monitoring for WAAP: performance monitoring and security monitoring. Performance monitoring offers operational information such as metrics, traffic, alerts, etc. Security monitoring offers security related information such as threat intelligence, bot traffic, DDoS activity, attack sources, and more.

From the Home page or the Select service drop-down menu, select the Web App & API Protection service and then select your namespace from the drop-down list of namespaces. The monitoring options are in the Overview section at the top of the left navigation panel.

The following sections show how to see detailed information on the monitoring options.

Explore Security Monitoring

Select Overview > Security to see the security page with three tabs offering different views of the state of your security.

Figure: WAAP Security Dashboard

General Page Options

Each tab consists of a number of widgets that display information related to the title at the top of the widget. For example, the Bot Traffic widget only shows information related to bots. Above the widgets is a set of options that relate to all widgets below (unless otherwise noted).

  • Export PDF will allow you to record and/or share the information on the Security Dashboard.

  • The All HTTP LB drop-down menu determines which load balancer(s) to use for the information shown in the dashboard. You can use the drop-down menu to select one to five load balancers. If no load balancers are selected, then data will be shown for all load balancers, which is the default.

  • The time drop-down menu allows you to show data only for the specified time. This is convenient for assessing your "current" security situation or looking at longer term trends. You can also look at a specific time period by selecting Custom, which can cover any time period within the last 30 days.

  • The Refresh option updates the information shown in the dashboard.

Dashboard

The dashboard tab is displayed by default and offers a snapshot view of your entire security monitoring information. The following list provides an overview of the dashboard and the widgets it offers:

  • Threat Intelligence displays the number of threat campaigns detected and attacks mitigated based on IP reputation.

  • Bot Traffic shows the percentage of total traffic coming from Bots (good, suspicious, or malicious) and the percentage of total traffic that comes from malicious bots.

  • API Classification shows a count of the total number of API endpoints as well as the number of endpoints with Personally Identifiable Information (PII). These counts show the current state and do not take into account the date/time selected at the top of the page.

  • DDoS Attack Activity shows the number of load balancers that have experienced layer 7 DDoS attack activity.

  • Security Events shows the trend of security events over time. Select Line or Area to view the information in either a line or area graph. Select any event type above the graph to display or hide that type of event. Hover over the graph to see information for that time period. Click and drag within the graph to zoom into that time period, and use the Reset button at the top (next to the Refresh button) to return to the original time period (zoom back out).

  • Top Attack Sources shows a list of the sources with the most security events. Use the top-right drop-down menu to select top attack sources based on IP address, ASN (Autonomous System Number), or TLS Fingerprint.

  • Top Attacked Paths shows a list of the paths that have been attacked the most, as well as the domain, HTTP method, and security events.

  • Events by Country shows the security events arranged in a map view. Use the Security Events drop-down filter to change the section to show DDoS events.

  • Active Configuration shows the total number of load balancers. Out of these load balancers, it shows how many have WAF, Bot Defense, API Discovery and DDoS Detection configured for protection. This information is based on the current configuration and does not take into account the date/time period selected at the top of the page.

  • Load Balancers at the bottom of the page shows a table of load balancers in the namespace along with summary information for a number of security categories. Click on the gear icon ( ⚙ ) to select which summary information is shown in the table columns. Click on the name of a load balancer to go to the security monitoring page specific to that load balancer. For more details on load balancer specific security monitoring, see Monitor HTTP Load Balancer.

Malicious Users

The Malicious Users tab provides a view of malicious users for the entire namespace. You can zoom in on a particular malicious user and navigate from there to the malicious users page of an individual load balancer.

Note: A malicious user is identified when a risk score is assigned to the user based on the user activity. A risk score is computed based on the malicious user detection configuration and this computation takes into account all the configuration parameters (such as login failure threshold and forbidden activity) enabled in the malicious user detection settings. Depending on the risk score, a threat level is attached to a malicious user and mitigation actions are applied based on the configuration set for each threat level. The risk score for a user decays over time if no further suspicious activity is observed.

Figure: Malicious Users Map

Note: The malicious users in a geographical location are shown as a collection of nodes, with the threat level indicated in different colors. You can check the legend filter to find the severity-to-color mapping.

  • The data shown is by default for all HTTP load balancers in the namespace. You can use the Attacked Load Balancers filter on the top of the page to limit the view to a specific set of load balancers. Similarly, you can use the time filter to display the insights for a specific time interval.

  • Place the mouse pointer over a node group to view details of malicious users for that location. The number of malicious users and the corresponding threat levels are displayed.

  • Click on a node group to display all malicious users in the group, represented as a collection of individual nodes. Place the mouse pointer on any individual node to view the user's identifier, threat level, and risk score.

Note: The user identifier is based on the configured user identification such as IP address, Cookie, etc.

  • Click on any malicious user node, and details for that user are displayed in a modeless window. The details include user identifier, attacked load balancers, and user attributes such as source IP, country, region, etc.

    Figure: Malicious User Details
    • Select Block User or Add to Allow List to add the user to the deny list or the allow list, respectively. This opens the associated load balancer's client blocking rule section or trusted client rules section with the name and IP address populated. In the case of a trusted client rule, the Skip Malicious Users action is populated. Click Apply to complete enabling the rule on the load balancer.
  • Click on any of the attacked load balancers in the details window. This will switch to the Malicious Users tab of that load balancer's security monitoring page with the view filtered to display the data for that particular user.

Threat Campaigns

The Threat Campaigns tab opens a Sankey chart showing the threat campaigns run against load balancers and their source IP addresses.

Figure: Threat Campaign Insights

Note: The threat campaign insights are also displayed in a graph view beneath the Sankey chart. Here, the graph shows allowed and blocked statistics.

  • The data shown is by default for all HTTP load balancers in the namespace. You can use Add Filter on the top of the page to limit the view to allowed or denied requests. Similarly, you can use the time filter to display the insights for a specific time interval.

  • Place the mouse pointer over any bar section in the middle of the chart to view the name of the threat campaign, with the associated source IP addresses and destination load balancers highlighted in the chart. Click on the bar to view more details for that threat campaign in a modeless window. Details include risk, attack type, description, references, etc.

  • Click on any IP address to the left of the chart to display more details for that IP address. The following details are displayed:

    • Source IP address.
    • Total requests from the source.
    • Total security events from the source.
    • Breakdown of security events such as WAF events, Bot defense, service policy, etc.
    • HTTP Load Balancers to which the attacks are made.
  • Click on an HTTP load balancer in the details window. This switches the view to the Security Events view of load balancer security monitoring. The security events view displays a filtered view of the events related to the source IP address for the time period set in the threat campaigns monitoring view.

  • Click on the Add to Blocked Clients button on the details window to add the user to the deny list. This opens the associated load balancer's client blocking rule section with the name and IP address populated. Click Apply to complete creating the client blocking rule.

  • Click on the Filter Attack Analysis filter on the top right of the threat campaigns monitoring page to display a forensics view with advanced filters. The following is a list of guidelines for using these filters:

    • Select any of the source IPs in the Top src_ip section and click Apply to filter the chart and the graph for that source IP. You can also click the edit option to change the metric from src_ip to country. The section changes to Top country, and you can filter the chart for a specific country.

    • Select any of the threat campaigns in the Top threat_campaigns.name section and click Apply to filter the chart and the graph for that threat campaign.

    • Select any of the load balancers in the Top vh_name section and click Apply to filter the chart and the graph for that load balancer.
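
The same faceted triage can be reproduced offline on exported security events. The following is an added example, not F5 code: the record layout, the `action` field, and all sample values are assumptions constructed for illustration; only the facet names src_ip, country, threat_campaigns.name, and vh_name come from this page.

```python
from collections import Counter

# Constructed sample events; the record layout and the "action" field are
# assumptions. Only the facet names are taken from the page.
EVENTS = [
    {"src_ip": "203.0.113.7", "country": "NL", "vh_name": "lb-shop", "action": "block",
     "threat_campaigns": [{"name": "campaign-A"}]},
    {"src_ip": "203.0.113.7", "country": "NL", "vh_name": "lb-api", "action": "block",
     "threat_campaigns": [{"name": "campaign-A"}, {"name": "campaign-B"}]},
    {"src_ip": "198.51.100.20", "country": "BR", "vh_name": "lb-shop", "action": "allow",
     "threat_campaigns": [{"name": "campaign-B"}]},
    {"src_ip": "198.51.100.20", "country": "BR", "vh_name": "lb-shop", "action": "block",
     "threat_campaigns": [{"name": "campaign-B"}]},
    {"src_ip": "192.0.2.99", "country": "NL", "vh_name": "lb-api", "action": "allow"},
]

def values_at(event, path):
    """Resolve a dotted path such as 'threat_campaigns.name'; lists fan out."""
    nodes = [event]
    for key in path.split("."):
        nxt = []
        for node in nodes:
            child = node.get(key) if isinstance(node, dict) else None
            if child is not None:
                nxt.extend(child if isinstance(child, list) else [child])
        nodes = nxt
    return nodes

def apply_filters(events, filters):
    """Keep events that match every selected facet value (AND across facets)."""
    return [e for e in events
            if all(want in values_at(e, path) for path, want in filters.items())]

def top(events, path, n=5):
    """'Top <path>' list: each event counts once per distinct value."""
    counts = Counter()
    for e in events:
        counts.update(set(values_at(e, path)))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def allowed_blocked(events):
    """Allowed vs. blocked totals, as in the graph under the Sankey chart."""
    c = Counter(e.get("action", "unknown") for e in events)
    return {"allow": c["allow"], "block": c["block"]}

if __name__ == "__main__":
    subset = apply_filters(EVENTS, {"threat_campaigns.name": "campaign-B"})
    print(top(subset, "src_ip"), allowed_blocked(subset))
```

Events without a threat campaign (the last sample record) drop out of the threat_campaigns.name facet but still count toward src_ip, country, and vh_name.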


Explore Performance Monitoring

In the Web App & API Protection service, select Overview > Performance to see the performance page with three tabs offering different views of the state of your security performance.

Figure: WAAP Performance Dashboard

General Page Options

Each tab consists of a number of widgets that display information related to the title at the top of the widget. For example, the Health widget only shows information related to health. Above the widgets is a set of options that relate to all widgets below (unless otherwise noted).

  • Export PDF will allow you to record and/or share the information on the Security Dashboard.

  • The All HTTP LB drop-down menu determines which load balancer(s) to use for the information shown in the dashboard. You can use the drop-down menu to select one to five load balancers. If no load balancers are selected, then data will be shown for all load balancers, which is the default.

  • The time drop-down menu allows you to show data only for the specified time period. This is convenient for assessing your "current" security situation or looking at longer term trends. You can also look at a specific time period by selecting Custom, which can cover any time period within the last 30 days.

  • The Refresh option updates the information shown in the dashboard.

Dashboard

The dashboard tab is displayed by default and offers a snapshot view of all performance monitoring information. The following list provides an overview of the dashboard and the widgets it offers:

  • Health displays a donut chart showing the health of your load balancers. The donut colors correspond to the colored checkboxes below and provide a visual percentage of the health states of your load balancers. You can turn individual states on or off with the checkboxes. The number in the center of the donut is the number of load balancers shown in the donut (which can change with use of the checkboxes).

  • Active Alerts displays a donut chart showing the states of your active alerts, regardless of the selected time period. The donut colors correspond to the colored checkboxes below and provide a visual percentage of the health states of your load balancers. You can turn individual states on or off with the checkboxes. The number in the center of the donut is the number of active alerts shown in the donut (which can change with use of the checkboxes).

  • Active Configuration displays the total number of load balancers at the top. Below it shows a list of the different types of security configurations and how many of your load balancers are protected by that configuration. This content is based on your current configuration and is not affected by the selected time period.

  • Traffic Overview shows the total number of requests and requests with errors received during the time period. The graph below shows a timeline for the receipt of those requests. The colored checkboxes allow you to turn on or off either category in the graph.

  • Throughput shows the total number of requests and requests with errors received during the time period. The graph below shows a timeline for the receipt of those requests. The colored checkboxes allow you to turn on or off either category in the graph.

  • Load Balancers at the bottom of the page shows a table of load balancers in the namespace along with summary information for a number of performance categories. Click on the gear icon ( ⚙ ) to select which summary information is shown in the table columns. Click on the name of a load balancer to go to the security monitoring page specific to that load balancer. For more details on load balancer specific security monitoring, see Monitor HTTP Load Balancer.

Traffic Graph

Figure: WAAP Traffic Graph

Select the Traffic Graph tab to view the monitoring page for traffic from requestor to origin server. The following information is displayed:

  • The view shows a graphical representation where the traffic trend is presented between the public and the origin servers. Lines with an arrow in the middle represent past traffic. Dots moving on lines represent active traffic. Color represents the health of the server based on application responses.

  • Hover the mouse pointer over a traffic line to view details for that traffic.

  • Hover the mouse pointer over a server to view details for the traffic through that server.

Metrics

Select the Metrics tab to load the WAAP application metrics view:

The metrics present the trend of the following metrics in graph view over the selected time period:

  • Various rates including requests, connections, and errors
  • Throughput for both upstream and downstream
  • Various latency measurements including client and server Round-Trip Time (RTT), app latency, and connection duration.

Figure: WAAP Performance Metrics

Note: The metrics are grouped into the fields Rate, Throughput, and Latency. A field may have one or more metrics.

  • Select the Site/RE or site edge from the drop-down menu to see the metrics for that entity in the graph.

  • Use the Server / Client selector to show one or the other in the graphic.

  • Hover over a metric on the right-hand side and click either the blue bar or the magenta bar to see that metric in the graph. Hover over another metric and click the opposite color bar to see both in the graph.

A red bar indicates a time period where the request rate is outside the confidence window, which is shown in light blue as part of the graph background.

You can select any two metrics under a field such as Rate to display the combined graph for them. To do this, do the following:


Concepts


API References