Monitor your Site Security

Objective

This document provides instructions on how to monitor your site security in VoltConsole. To learn more about sites and how Volterra provides monitoring support, see Volterra Site and Monitoring.

Using the instructions provided in this document, you can look at an overview of the firewall security for your site, and you can investigate details of firewall events and logs.


Prerequisites

  • VES account

    Note: If you do not have an account, see Create a VES Account.

  • One or more cloud or edge locations with Volterra Site

    Note: Install the Volterra node or cluster image in your cloud or edge location. See Create a Site for more information.


Activities of Monitoring

Perform the activities presented in the following chapters to monitor your site security.


View Site Security

In the System namespace under Sites, select Site Security. This page defaults to the Firewall Dashboard, which provides a security overview of your site. You can also view your site's specific events on the Firewall Events tab, or use the Firewall Logs tab to see your site's requests in both tabular and graphic views.

Firewall Dashboard

The Firewall dashboard shows an aggregation of all firewall activity related to all your apps running on all your sites. Various information is presented in different blocks within the dashboard.

Figure: Site Firewall Dashboard

Controlling the Dashboard Contents

The dashboard contents are dependent on the settings in the right-justified, top bar of options. The sites dropdown, which defaults to All sites, determines which site(s) is shown in the dashboard. Likewise, the time dropdown allows you to specify the time period for the data shown, including both quick-pick options like Last 24 hours and the ability to specify a custom time period. The time dropdown also allows you to set a refresh interval, or you can manually click the Refresh button between the two dropdowns.

Count Summary Blocks

The top row of summary blocks contains counts for their respective block titles, giving you a quick overview of key firewall parameters.

  • Total Sites shows the total number of sites in your tenant. Unlike most other blocks in the dashboard, it does not change based on the site or time dropdowns.
  • Alerting Sites shows the total number of sites reporting an issue. If you have selected a single site with the site dropdown, then the value will be either zero or 1 indicating whether or not the selected site has raised any alerts.
  • Firewall Denied Events shows how many events were denied by the firewall for the specified site(s) and time period. You can click on the block title to see the firewall events.
  • Destinations Blocked shows the number of specific client IPs that were blocked from accessing a destination for the specified site(s) and time period.

Incidents Block

The Incidents block shows a donut chart for each of the last five days. The number at the center of the donut indicates the total ingress traffic for that day. The donut chart shows a green portion representing traffic that successfully passed through the firewall and a red portion representing the percentage of Blocked traffic (incidents). You can hover over a donut to see the actual number of incoming requests broken down into Success and Blocked quantities. See the example below.

Figure: Incident donut graph

Log Summary Blocks

The next set of blocks shows quantities of different categorizations from the log files.

  • Top Sites shows the sites in your tenant with the most traffic along with the associated number of log entries for each site. Click on a number in the Logs column to see traffic details for the corresponding site.
  • Source IPs Denied shows the IP addresses that were denied and how many times they were denied. Click on a number in the Logs column to see all the denials for the corresponding IP address.
  • Destinations Blocked shows the destination URLs that were blocked and how many times they were blocked. Click on a number in the Logs column to see all the individual denials for the corresponding URLs.
  • Top Rules shows the list of top rules within a policy that are being used by the firewall for the existing traffic. Select the desired policy type from the policy dropdown in the top right corner of the block. Then click on a number in the Logs column to see the list of events that were affected by the corresponding rule.
  • Total Events shows the number of hits per policy type. Click on Total Events to see a list of all events. This will show all content in the firewall logs.

Sites by Events

The Sites by Event block shows a world map with the sites in your tenant that have had events. The number of events is shown within the blue circle representing the site. If there are multiple sites close together, then a blue/white circle represents all the close-together sites, the number of sites represented is shown below the circle, and the number of events for all sites is shown within the circle. You can hover over either type of circle to see how many of the events were blocked.

Firewall Events

The Firewall Events tab provides a detailed view of all traffic going through the firewall.

Figure: Firewall Events tab

Above the table are control options for choosing what data is shown and how it is shown:

  • Choose Flattened to see all data in a single table or Structured to see separate tables by policy name.
  • Search for content within the table, even if it's not shown on the current page.
  • Use the Policy pulldown to only show selected policies. If no policies are selected (default), then all policies will be shown.
  • Click Refresh to update the table with the latest traffic.
  • Use the time pulldown to select the timeframe for the data in the table. Choose from Last 5 minutes to Last 24 hours or specify a custom time period.

Controls within a flattened table:

  • The gear icon at the top-right allows you to select which columns are shown.
  • Click on a column name to sort by that column.
  • Hover over a column name to see column options:

    • Click on the column name to sort by that column.
    • Drag a column border to change the width of a column.
    • Drag the six-dot icon to move a column.
  • Click on # More within the To column to expand an abbreviated row.
  • At the bottom of the table, you can choose the number of items per page and which page is shown.

Controls within a Structured table:

  • Click the policy name or the down arrow to the far right of the policy name to expand the content giving one or two flattened tables, depending on the type of policy.
  • Click the pencil icon to the right of a policy name to edit the policy.

Firewall Logs

The Firewall Logs tab provides a detailed view of the traffic that has passed through your firewall.

Figure: Firewall Logs tab

The top of the table contains control options for choosing what data is shown and how it is shown:

  • Click Refresh to update the chart and table with the latest traffic.
  • Use the time pulldown to select the timeframe for the data in the chart and table. Choose from Last 5 minutes to Last 24 hours or specify a custom time period.
  • Click the chart visibility button to toggle between Hide Chart and Show Chart.
  • Click the filter icon to add a filter for the content shown in the chart and table.
  • The Allow and Deny labels are quick filters that show (bright color) or hide (dim color) allowed and denied traffic.

Controls within the chart:

  • Drag the gray vertical bars on the left and right sides of the chart to change the timeframe for data in the chart and table.
  • Hover over a column in the chart to see summary information for that column's time period.
  • Click on a column to zoom to that time period. The chart and table will both reflect the new time period, and the chart will further subdivide the time period into a new set of smaller time periods represented as new columns.

Controls within the table:

  • Search for content within the table, even if it's not shown on the current page. The filtered content will be used for both the chart and the table.
  • The gear icon at the top-right allows you to select which columns are shown.
  • Click on a column name to sort by that column.
  • Hover over a column name to see column options:

    • Click on the column name to sort by that column.
    • Drag a column border to change the width of a column.
    • Drag the six-dot icon to move a column.
  • Click on # More (where # is a number) within the To column to expand an abbreviated row.
  • At the bottom of the table, you can choose the number of items per page and which page is shown.

Forensics

The blue, vertical Forensics button at the top right of the page pulls out a slide panel that shows some statistical information and gives you another way to filter the logs display.

Figure: Firewall Logs Forensics

The Forensics panel contains four boxes, each showing a metric as the box title and then percentages for their respective metric elements. For instance, a box with the title Top src_ip will show a list of source IP addresses along with a percentage of their activity within the logs.

Controls within the Forensics panel:

  • Check a box next to an element or percentage bar to select the element. Click Apply at the top right of the Forensics panel to show only firewall log data related to that element. You can select multiple elements from the same or separate boxes to apply.
  • Click the pencil icon at the top right of any box to change the metric for that box. Note that the metric of each box must be unique, so if you select a duplicate metric, the duplicate will be changed to an unused metric.
