Note: Although this bundle is specifically configured to support F5's APM (single sign-on) functionality, the included triggers can be modified as needed to support other applications which utilize session cookies. This bundle is meant to provide a framework to map session cookies in general to usernames, which are identified during authentication.
Out of the box, ExtraHop does a great job of showing metrics for HTTP clients by IP address. However, it is sometimes useful for organizations to track activity based on username rather than client IP. The challenge is that the username is typically only seen during the authentication process. A successful authentication will likely result in the client being issued a "session cookie" through a "Set-Cookie" directive. This session cookie is submitted by the client's web browser on subsequent transactions to identify the user and authorize the transactions. Through its unique, event-based triggers and its ability to access the HTTP payload, the ExtraHop system is able to capture the authentication request and associate the resulting session cookie back to the username for the life of the cookie.
Some organizations utilize F5's Access Policy Manager (APM) to handle front-end authentication for their applications. This bundle provides the triggers necessary to capture the authentication attempt to the F5 APM and associate the resulting session cookie (MRHSession) with a username. This provides the ability to report on top users based on transaction count as well as server processing time (load). Likewise, network round trip time is also recorded per user. This also provides the ability to keep an audit log of users' activity for applications that may not support it natively.
If authenticated usernames contain special characters such as '@' in the case of UPN (ex: firstname.lastname@example.org), the 'decodeURIComponent()' line of the HTTP_REQUEST trigger will need to be uncommented:
```javascript
var user = HTTP.payload.substring( start, end );
//Uncomment if username contains characters escaped during POST:
//user = decodeURIComponent( user );
Flow.store.user = user.toLowerCase();
```
This decodes the percent-encoded value in the POST body (for example, '%40') back to the actual character ('@').
As previously mentioned, this bundle can provide auditing by username by exporting user activity to a syslog server. This can be enabled by uncommenting the 'RemoteSyslog.info()' line of the HTTP_RESPONSE trigger:
```javascript
/* Uncomment the following line to enable user auditing by logging
   user activity to a syslog server. Syslog server must be configured
   in Administration UI. */
//RemoteSyslog.info("eh_event=http_user_access username=" + username + " method=" + HTTP.method + " uri=" + HTTP.uri);
```
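The correlation described above (login POST, issued MRHSession cookie, later requests attributed to the user) can be modelled outside the appliance. The following is an added example, not the bundle's trigger code: it is standalone Node.js, the function names and the form field name `username` are assumptions, and the sample messages are constructed. It also replaces whitespace and control characters before building the audit line, which the bundle's trigger does not do, so that a decoded username or URI cannot break the key=value layout of the syslog record.

```javascript
// Added example: standalone Node.js model of the bundle's correlation logic.
// Field name "username" and all sample messages are constructed assumptions.
const sessions = new Map(); // MRHSession value -> username

// Pull one field out of an application/x-www-form-urlencoded body.
function formField(body, name) {
  for (const pair of body.split("&")) {
    const eq = pair.indexOf("=");
    if (eq !== -1 && pair.slice(0, eq) === name) {
      const raw = pair.slice(eq + 1).replace(/\+/g, " ");
      try { return decodeURIComponent(raw); } catch (e) { return raw; } // malformed %xx
    }
  }
  return null;
}

// Pull one cookie value out of a Cookie or Set-Cookie header value.
function cookieValue(header, name) {
  for (const part of (header || "").split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k === name) return v.join("=");
  }
  return null;
}

// Authentication exchange: remember which user the issued cookie belongs to.
function onLogin(requestBody, setCookieHeader) {
  const user = formField(requestBody, "username");
  const sid = cookieValue(setCookieHeader, "MRHSession");
  if (user && sid) sessions.set(sid, user.toLowerCase());
}

// Later request: resolve the cookie to a user and build the audit line.
function auditLine(method, uri, cookieHeader) {
  const user = sessions.get(cookieValue(cookieHeader, "MRHSession"));
  if (!user) return null; // unknown or expired session
  const clean = (s) => String(s).replace(/[\x00-\x20\x7f]/g, "_"); // keep key=value fields intact
  return "eh_event=http_user_access username=" + clean(user) +
         " method=" + clean(method) + " uri=" + clean(uri);
}

// Constructed sample traffic.
onLogin("username=First.Last%40example.org&password=x", "MRHSession=abc123; path=/; secure");
console.log(auditLine("GET", "/app/report?id=7", "LastMRH_Session=zz; MRHSession=abc123"));
```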
Custom page containing charts of user transactions:
- Transactions by User
- Server Processing Time by User
- Round Trip Time by User (internal/external)
Transaction rate by users:
Detailed transaction count by user:
Server processing time by user:
Detailed processing times by user:
Round Trip Time for external users:
Round Trip Times for internal users:
- ExtraHop firmware 3.7 and newer.
- Access to the authentication request in clear text:
  - HTTP traffic must be unencrypted.
  - ExtraHop appliance must be equipped with SSL decryption and certificate key imported to ExtraHop.
- Download the bundle
- Upload the bundle into the ExtraHop appliance using Settings >> Bundles >> Upload >> Upload From File
- Apply the resulting ExtraHop User Tracking F5 APM Bundle in the bundle detail page.
- Assign triggers and custom page to appropriate devices to capture authentication and HTTP transactions. This is most likely the virtual server (VIP) of the web application.