Bug ID 745783: Anti-fraud: remote logging of login attempts

Last Modified: Jun 04, 2019


Affected Product:
BIG-IP FPS(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.1.0, 14.1.0.1, 14.1.0.2

Fixed In:
15.0.0, 14.1.0.3, 13.1.1.3

Opened: Oct 03, 2018
Severity: 3-Major

Symptoms

There is no support for logging of login attempts to a remote service.

Impact

There is no support for logging of login attempts.

Conditions

Using high speed logging (HSL) to log login attempts.

Workaround

None.

Fix Information

FPS now uses HSL to report login attempts using configured templates, rate-limit, and publisher to a remote service.

To enable this feature:

    # via tmsh only
    tmsh modify sys db antifraud.riskengine.reportlogins value enable

    # via tmsh or GUI
    tmsh modify sys db antifraud.internalconfig.string1 value "<login attempt log template>"
    tmsh modify sys db antifraud.internalconfig.string2 value "<log-rate-exceeded log template>"
    tmsh modify sys db antifraud.internalconfig.number1 value "<log-rate-exceeded threshold>"
    tmsh modify security anti-fraud profile <fps profile> risk-engine-publisher <publisher>

It is recommended that you use encoding when composing an HTTP template. The default encoding level is 0, meaning 'never encode'.

To change encoding level:

    tmsh modify sys db antifraud.internalconfig.number2 value <0/1/2>

Behavior Change

FPS now includes the ability to perform High Speed Logging (HSL) of all login attempts to specific protected URLs. These events can be forwarded to remote services (e.g., a SIEM server) and, when enabled, can help indicate whether applications are under attack.