After you add a website to Web Application Firewall (WAF), you can query the protection history of the website in the last 30 days on the Overview page. Protection history includes information about vulnerabilities, website traffic, and threat events. The Overview page allows you to understand the security posture of your website workloads.
Query data on the Overview page
- Log on to the Web Application Firewall console.
- In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
- In the left-side navigation pane, click Overview.
- In the upper part of the Overview page, specify a domain name and a time range to query data. Description of query settings:
- Domain name: By default, All is selected. In this case, WAF displays the data for all domain names that are added to WAF. You can select a specific domain name.
- Time range: By default, Today is selected. In this case, WAF displays the data of the current day. You can use
one of the following methods to change the time range:
- Click the icon and select an interval based on which data is refreshed. Then, you can query data in real time. You can select an interval of 10 seconds, 30 seconds, 60 seconds, or 5 minutes.
- Click Yesterday, Today, 7 Days, or 30 Days to query the data that is generated during the specified time range.
- Click the date picker and select the start date and end date of the time range in which you want to query data. The time range cannot exceed 30 days.
Description of vulnerabilities
The Vulnerabilities section displays the updated protection rules that are provided by WAF to help you handle the latest security vulnerabilities disclosed on the Internet.
You can click a rule to open the Details of Emergency Vulnerability panel. The panel displays the domain names that are affected by the vulnerability, the details of the vulnerability, and the information about protection rules.
Description of protection result statistics
The protection result statistics section displays the number of all received requests and the numbers of requests that trigger each of the following modules: Web Intrusion Prevention, HTTP Flood Protection, Scan Protection, Access Control, and Blocked Bot Attacks.
You can click the number below each module to go to the Security Report page. Then, you can view attack information. For more information, see View security reports.
- If you query the data of all domain names, the top 5 domain names for each module are displayed.
- If you query the data of a specific domain name, the trend of statistical data is displayed.
Description of request analysis charts
- The request trend charts include the trend charts for Requests, QPS, Bandwidth, and Response Code. Note The time of a trend chart can be accurate to the minute. If you query data in real time, you can view the trend of request data at the minute level.
To view a trend chart, you can click a tab in Section 1. To hide or show the trend for a specific module, you can click the legend of the module in Section 2 below the trend chart.Trend description:
- Requests: displays a trend chart for the total number of requests, the number of times that web intrusion protection is triggered, the number of times that HTTP flood protection is triggered, the number of times that scan protection is triggered, the number of times that access control is triggered, and the number of times that bot management is triggered.
- QPS: displays a trend chart for the queries per second (QPS) of all requests, QPS for
web intrusion prevention, QPS for HTTP flood protection, QPS for scan protection,
QPS for access control, and QPS for blocked bot attacks. The QPS values displayed
on this trend chart change over time.
In the upper-right corner of the trend chart, you can click Average or Peak to switch between the average QPS and peak QPS.
- Bandwidth: displays a trend chart for the inbound bandwidth and the outbound bandwidth.
- Response Code: displays trend charts for the number of error codes that are returned to clients
and the number of error codes that are returned to WAF. The error codes include 5XX,
405, 499, 302, and 444.
In the upper-right corner of the trend chart, you can click WAF to Client and Origin Server to WAF to switch between the two trend charts.
- The Traffic Analysis section includes the Percentage of Bot Traffic and Client Type Distribution charts.
- The Percentage of Bot Traffic chart displays the traffic destined for the domain name. Traffic from browsers and
applications is identified as human traffic. Traffic from other types of clients is identified as bot traffic.
If the percentage of bot traffic is abnormally high, we recommend that you click Configure Policy. Then, you can use the Bot Management feature of WAF to prevent bot attacks. You can click View Trend to go to the Security Report page. Then, click the Bot Management tab to view the protection effects. For more information about bot management, see Configure anti-crawler rules for websites.
- The Client Type Distribution chart displays the distribution of client types in a pie chart. The client types
include browsers, script tools, search engines, and scanners. You can click the icon to the right of Traffic Analysis to view the definition of each client type. To view the distribution of subtypes for a specific client type, you can click the client type in the pie chart. For example, you can click the browser type to view the distribution of different types of browsers.
- The Percentage of Bot Traffic chart displays the traffic destined for the domain name. Traffic from browsers and applications is identified as human traffic. Traffic from other types of clients is identified as bot traffic.
- The request analysis ranking charts include the charts for Top 10 Clients, URL Requests, and Top IP. You can click each
tab to view the ranking data.
- Top 10 Clients: displays the top 10 types of clients that initiate the most requests.
- URL Requests: displays the top 10 URLs that receive the most requests.
- Top IP: displays the top 10 IP addresses that initiate the most requests.
Description of threat event analysis
The Threat Event Analysis section displays the attack events on your website and the attacks that are blocked by WAF. This helps you understand the threats to your website and handle these threats.
- Source IP Address: displays the top 5 IP addresses that initiate the most attacks.
- Target: displays the top 5 URLs that receive the most attacks.
- Attack Type: displays the top 5 attack types. The attack types include SQL injections and cross-site scripting (XSS) attacks.
- Attack Date: displays the top 5 dates at which the most attacks are launched.
- Attack Tool: displays the top 5 attack tools that are used most frequently. The attack tools include cURL and postman-runtime.
In the Event Details panel, you can click View Log to the right of the event name to go to the Log Service page. Then, you can query logs to further analyze the event. For more information, see Enable log query.