This topic describes the Overview page of the Web Application Firewall (WAF) console. The Overview page displays the protection information of websites that you add to WAF, including attack events, urgent vulnerabilities, protection statistics, and request analysis charts. You can check the security status of your websites and perform security analysis based on the information displayed on this page.
- Your website is added to the WAF console. For more information, see Add websites.
- Your websites are protected by WAF.
After you add a domain name to WAF, the RegEx Protection Engine and HTTP Flood Protection features are enabled by default. You need to manually enable other features. For more information, see Overview.
Access the Overview page
- Log on to the Web Application Firewall console.
- In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
- In the left-side navigation pane, click Overview.
- In the upper-left corner of the Overview page, select a specific domain name or All. Then, select a time period from Real-time, Today, 7 Days, 30 Days, or Customize to view the overall information.
Note The overall information for the last 30 days is available. You can customize a time period within the last 30 days.
Attack events and urgent vulnerabilities
The Vulnerabilities tab is displayed by default. You can view the updates to protection rules for the newly disclosed security vulnerabilities.
On the Vulnerabilities tab, click a vulnerability name to go to the Details of Emergency Vulnerability panel. In the panel, you can view protection details, including information about protection rules and affected assets. In the Details of Emergency Vulnerability panel, click the number below Protected Assets to go to the Website Access page.
You can click an event to view its details and information about the type of this event. For example, in the HTTP Flood Protection section, you can view the top 5 User-Agents, Referrers, and requested URLs of attacks, and the source IP addresses that initiate the most attacks. You can also view the number of attacks that are blocked for each of these items. The system provides protection suggestions below the data.
You can click the number below each module to go to the Security report page to view detailed data. For more information, see View security reports.
Request analysis charts
- Trend charts: display the trend charts of Requests, QPS, Bandwidth, and Response Code within a specified time period. The minimum time granularity is one minute.
- You can click a legend item below a trend chart to hide or show the specific trend.
- The Blocked Bot Attacks module is available only in the new protection engine. For more information, see Protection engine upgrade.
- Requests: displays the total number of requests, the number of times web intrusion protection is triggered, the number of times HTTP flood protection is triggered, the number of times scan protection is triggered, the number of times access control is triggered, and the number of times bot management is triggered.
- QPS: displays the queries per second (QPS) of all requests, and QPS for Web Intrusion Prevention, HTTP Flood Protection, Scan Protection, Access Control, and Blocked Bot
Note You can click Average and Peak in the upper-right corner of the chart to switch between the average QPS and peak QPS.
- Bandwidth: displays the inbound bandwidth and outbound bandwidth in bit/s.
- Response Code: displays the trends of the numbers of HTTP error codes, such as 5XX, 405, 499, 302,
Note You can click WAF to Client and Origin Server to WAF in the upper-right corner of the trend chart to view the distribution of response codes. The response codes are sent by a WAF instance to clients or by origin servers to the WAF instance.
- Browser Distribution: displays the distribution of browsers used by the request sources in a pie chart.
- Top UserAgents: displays the most frequently used User-Agents and the number of their requests.
- URL Requests: displays the most frequently requested URLs and the number of requests for each URL.
- Top IP: displays source IP addresses that initiate the most access requests and the number of requests.
- Attack Distribution: displays the distribution of attack events.
Note You can click an event to view its details and information about the type of this event.