How To: Manage WAF Security Reports¶
Create, clone security reports and generate a security report summary based on traffic processed by your WAF policy, or the traffic received by your application.
Note: Security reports are the configured data and object settings for a generated summary. When you create a security report, you are creating the configuration. You generate a security report summary based on the security report selected.
Prerequisites¶
To generate reports based on application or policy-detected traffic you must have the following:
One or more WAF policies.
The WAF policy is attached to an application that is deployed to a BIG-IP Next instance.
The WAF-protected application is receiving traffic.
Procedure summary¶
Use the following procedures to manage security reports:
Create a new security report¶
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Reports.
Click + Create.
To view all available fields, toggle Advanced View button to the top right of the panel.
Type a report Name and an optional Description.
From Report Time Period select the time over which you would like to view data within the report. When available, reports will show data from the most recent reporting period and the previous reporting period.
From Report By select which object you would like to report to present data by:
Policies - The report lists the WAF policies reporting the top attack data.
Applications - The report lists the protected applications (by application name) reporting the top attack data to the application.
Virtial Servers - The report lists the application services, reporting the top attack data to the virutal server.
From Choose.. whether to select all or some of the objects to report:
All - All objects by which the report is presented are included. This means that top results from all objects are considered in the report.
Select - Allows you to specify specific reported objects. Once you select this option, you can choose which policies, applications, or virutal servers are used in this report.
From Categories select which traffic and attack information to include in the report. You can select one or multiple categories. The report will show the top applications, policies, or virtual servers (depending on your report settings) for each category selected.
(Advanced View only) For Show results select the number of applications, policies, or virtual servers reported in the top results. The default selection is Top 5.
(Advanced View only) For Request Type select which kind of detected attack is reported:
Alerted & Blocked - Reports data from requests that were detected by a policy configured to create an event and block the attack.
Alerted - Reports data from requests that were detected by a policy configured to create an event for the attack, but did not necessarily block the attack.
Blocked - Reports data from requests that were detected that were blocked by default.
Click Create
The new report is added to the WAF Reports list.
Clone a security report¶
Clone an existing security report or template to modify report settings.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Reports.
Select the check box next to the name of the report you would like to clone.
From the top right of the screen click Actions and select Clone.
Modify the report settings and naming details. See Create a new security report for information about the report settings.
Click Clone.
The cloned report is added to the WAF Reports list.
Generate a security report summary¶
Generate a security report summary based on a selected security report. The summary is exported in PDF format.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Reports.
Select the check box next to the name of the report you would like to export to PDF.
Click Generate Report.
The security report summary is exported to your local system as a PDF file.
Delete a custom security report¶
You can delete a custom security report. To ensure you can delete the security report, check the Create By column in the list. If F5 is listed, you cannot delete the security report.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Reports.
Select the check box next to the name of the report you would like to delete.
From the top right of the screen click Actions and select Delete.
The security report is deleted from BIG-IP Next Central Manager.