This topic describes how to configure alert rules for Web Application Firewall (WAF) in the CloudMonitor console. By configuring the alert notifications, you can learn about the traffic, connections, attacks, and other abnormal situations on WAF instances in a timely manner. The alert notifications can inform you immediately after the events occur and help you restore businesses at the earliest opportunity.

Background information

CloudMonitor is a service that monitors Internet applications and Alibaba Cloud resources. It sends you notifications when alerts are triggered. You can customize alert rules to specify how the alert system checks the monitoring data and when it sends alert notifications. After you set alert rules for important metrics, you will be notified when exceptions are detected in these metrics. This allows you to manage exceptions quickly.

The alert feature of CloudMonitor is compatible with WAF, so you can configure alert notification rules for WAF in the CloudMonitor console. CloudMonitor supports the following WAF monitoring metrics.

Table 1. Monitor metrics for WAF

| Monitor metric | Dimension | Unit | Description | Remarks |
|---|---|---|---|---|
| 4XX_ratio | Domain name | % | The percentage of 4xx HTTP status codes per minute (405 excluded). | The value is displayed in decimal notation in alert notifications. |
| 5XX_ratio | Domain name | % | The percentage of 5xx HTTP status codes per minute. | The value is displayed in decimal notation in alert notifications. |
| acl_blocks_5m | Domain name | Count | The number of requests blocked by access control within the last five minutes. | None |
| acl_rate_5m | Domain name | % | The percentage of requests blocked by access control within the last five minutes. | The value is displayed in decimal notation in alert notifications. |
| cc_blocks_5m | Domain name | Count | The number of requests blocked by HTTP flood protection within the last five minutes. | None |
| cc_rate_5m | Domain name | % | The percentage of requests blocked by HTTP flood protection within the last five minutes. | The value is displayed in decimal notation in alert notifications. |
| web_blocks_5m | Domain name | Count | The number of requests blocked by web attack protection within the last five minutes. | None |
| web_rate_5m | Domain name | % | The percentage of requests blocked by web attack protection within the last five minutes. | The value is displayed in decimal notation in alert notifications. |
| qps | Domain name | Count | The number of queries per second. | None |
| qps_ratio | Domain name | % | The growth rate of QPS, measured every minute on the minute. | The value is displayed in percentage notation in alert notifications. |
| qps_ratio_down | Domain name | % | The decrease rate of QPS, measured every minute on the minute. | The value is displayed in percentage notation in alert notifications. |

Procedure

  1. Log on to the CloudMonitor console.
  2. Optional: Add an alert recipient. If you have already specified a recipient, you can skip this step.
    1. In the left-side navigation pane, choose Alarms > Alarm Contacts.
    2. On the Alarm Contacts tab, click Create Alarm Contact in the upper-right corner.
    3. In the Set Alarm Contact dialog box that appears, enter the required contact information. Verify the Phone or Email ID, and then click Save.
      The alert recipient is saved.
  3. Optional: Create an alert contact group. If you have already created an alert contact group, you can skip this step.
    Note The recipients of alert notifications must be contact groups. You can add one or more recipients to a contact group.
    1. In the left-side navigation pane, choose Alarms > Alarm Contacts.
    2. On the Alarm Contact Group tab, click Create Alarm Contact Group in the upper-right corner.
    3. In the Create Alarm Contact Group dialog box that appears, enter a group name in the Group Name field. Select recipients from the left-side Existing Contacts list and add them to the right-side Selected Contacts list. Click OK.
      The contact group is created.
  4. Create an alert rule.
    1. In the left-side navigation pane, choose Alarms > Alarm Rules.
    2. On the Threshold Value Alarm tab, click Create Alarm Rule.
    3. Configure the alert rule on the Create Alarm Rule page and click Confirm. The following table lists the parameters and descriptions.
      Type: Related Resource
        Product: Select WAF from the drop-down list.
        Resource Range: The resources to which the alert rule is applied. You can select All Resources or Instances.
          • All Resources: The alert rule is applied to all WAF instances. An alert is triggered when any of the WAF instances matches the specified rule.
          • Instances: The alert rule is applied to the selected WAF instances. An alert is triggered when one of the selected instances matches the specified rule.
        Region: This configuration item is required only if you select Instances from the Resource Range drop-down list. Select the region of the WAF instance.
          • For instances in mainland China, select China East 1 (Hangzhou).
          • For instances outside mainland China, select Asia Pacific SE 1 (Singapore).
        Instance: This configuration item is required only if you select Instances from the Resource Range drop-down list. By default, the WAF instance in the selected region is selected after you configure Region.
        Domain: This configuration item is required only if you select Instances from the Resource Range drop-down list. You can select one or more domain names from the domain names protected by the current instance.
      Type: Set Alarm Rules
        Alarm Rule: Specifies a name for the alert rule.
        Rule Description: Specifies the conditions that trigger alerts.
          Note We recommend that you set the thresholds of metrics based on your actual business requirements. For more information, see Table 1. A low threshold may trigger alerts frequently and negatively affect user experience. A high threshold may leave insufficient time for you to handle attacks.

          Sample alert rule description:

          Rule description: QPS, 5-minute cycle, Continue for 3, Max. Value > 200. This alert rule means that the alert service checks the QPS data over any three consecutive cycles. If the maximum QPS within the three cycles is greater than 200, an alert is triggered. A data point is reported for each metric every 60 seconds, so a total of 15 data points is reported within three consecutive cycles.

          You can click Add Alarm Rule to add more alert rules. Specify the Alarm Rule and Rule Description for each alert rule.
        Mute for: Specifies a mute period. If the alert is not cleared within the mute period, a new alert notification is sent when the mute period ends. The minimum value is five minutes and the maximum value is 24 hours.
        Effective Period: The time period during which the alert rule remains effective. The system sends alert notifications only within the effective period. Alerts that occur before or after the effective period are only recorded.
      Type: Notification Method
        Notification Contact: The contact group that receives alerts.
        Notification Methods: Alert levels include Critical, Warning, and Info. The alerts of different levels are sent through different methods. Valid values:
          • Phone + Text Message + Email + DingTalk (Critical)
            Note You can select this notification method only after you purchase a notification plan that supports phone calls.
          • Text Message + Email + DingTalk (Warning)
          • Email + DingTalk (Info)
        Auto Scaling: After you specify a scaling rule, the specified scaling rule is triggered when an alert occurs. This option is optional.
        Email Remark: Optional. Custom additional information that is included in the alert notification email.
        HTTP Callback: CloudMonitor uses a POST request to push an alert to the specified public URL. Currently, only HTTP requests are supported.
      You have created a WAF alert rule. When the WAF monitoring metrics meet the conditions described in an alert rule, alert notifications are sent to the specified contact group.
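As an added example (not CloudMonitor's or Alibaba Cloud's own code), the following Python script models the rule semantics described in the procedure above (one data point per minute, 5-minute cycles, "Continue for 3", and the mute period) so that a threshold can be sanity-checked against a recorded QPS series before the rule is created. It assumes that "Continue for N" means the cycle statistic breaches the threshold in each of N consecutive cycles; the QPS series is constructed.

```python
# Added example, not Alibaba Cloud/CloudMonitor code: a local model of the rule
# semantics described above (1-minute data points, 5-minute cycles, "Continue
# for N" consecutive cycles, and the mute period).
from typing import Callable, Dict, List, Optional

CYCLE_MINUTES = 5  # one CloudMonitor cycle, as described on the page
COMPARE: Dict[str, Callable[[float, float], bool]] = {
    ">": lambda v, t: v > t, ">=": lambda v, t: v >= t,
    "<": lambda v, t: v < t, "<=": lambda v, t: v <= t,
}

def cycle_statistics(points: List[float], stat: str = "max") -> List[float]:
    """Group 1-minute data points into complete 5-minute cycles and reduce each
    cycle with the chosen statistic; a trailing incomplete cycle is ignored."""
    reducers = {"max": max, "min": min, "avg": lambda xs: sum(xs) / len(xs)}
    whole = len(points) - len(points) % CYCLE_MINUTES
    return [reducers[stat](points[i:i + CYCLE_MINUTES]) for i in range(0, whole, CYCLE_MINUTES)]

def first_trigger_cycle(cycles, threshold, continue_for=3, op=">") -> Optional[int]:
    """Index of the cycle that completes the first run of `continue_for`
    consecutive breaching cycles (assumed meaning of 'Continue for'), or None."""
    run = 0
    for i, value in enumerate(cycles):
        run = run + 1 if COMPARE[op](value, threshold) else 0
        if run >= continue_for:
            return i
    return None

def notification_cycles(cycles, threshold, continue_for=3, mute_cycles=3, op=">") -> List[int]:
    """Cycle indices at which a notification is sent. Mute rule from the page:
    nothing is re-sent until the mute period ends; if the alert is still active
    then, a new notification goes out. A non-breaching cycle clears the alert."""
    run, next_allowed, sent = 0, 0, []
    for i, value in enumerate(cycles):
        run = run + 1 if COMPARE[op](value, threshold) else 0
        if run >= continue_for and i >= next_allowed:
            sent.append(i)
            next_allowed = i + mute_cycles  # e.g. 3 cycles = 15-minute mute
    return sent

# Constructed sample: 9 cycles x 5 one-minute QPS points; each cycle's peak sits
# on its last point, so the per-cycle maximum is easy to read off.
CYCLE_PEAKS = [150, 250, 300, 220, 260, 270, 210, 100, 500]
QPS_POINTS = [v for peak in CYCLE_PEAKS for v in (100, 120, 110, 130, peak)]

if __name__ == "__main__":
    maxima = cycle_statistics(QPS_POINTS)
    print("per-cycle max:", maxima, "first alert at cycle:", first_trigger_cycle(maxima, 200))
    print("notifications with a 15-minute mute:", notification_cycles(maxima, 200, mute_cycles=3))
```

With the sample series, the rule "Max > 200, continue for 3" first fires at cycle index 3 (after 15 data points) and, with a 15-minute mute, notifies again at cycle 6 because the alert is still active when the mute period ends.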