After you add a website to Web Application Firewall (WAF), you can query the protection information about the website over the last 30 days on the Overview page. The information includes vulnerabilities, website traffic data, and threat events. The Overview page allows you to understand the security posture of your website workloads.
Query data on the Overview page
- Log on to the Web Application Firewall console.
- In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
- In the left-side navigation pane, click Overview.
- In the upper part of the Overview page, specify a domain name and a time range that you want to query. Settings description:
  - Domain name: By default, All is displayed. WAF displays the data for all domain names that are added to WAF. You can select a specific domain name.
  - Time range: By default, Today is displayed. WAF displays the data for the domain names you select on the current day. You can use one of the following methods to modify the time range:
    - Click the icon and select an interval based on which data is refreshed. Then, you can query real-time data. You can select an interval of 10 seconds, 30 seconds, 60 seconds, or 15 minutes.
    - Click Yesterday, Today, 7 Days, or 30 Days to query the data that is generated during the specified time range.
    - Click the date picker and select the start date and end date of the time range over which you want to query data. The time range cannot exceed 30 days.
Description of vulnerabilities
The Vulnerabilities section displays the updated protection rules that are issued by WAF to handle the latest security vulnerabilities on the Internet.
You can click a rule to open the Details of Emergency Vulnerability panel. The panel displays the domain names that are affected by the vulnerability, the details of the vulnerability, and the information about protection rules.
Description of protection result statistics
The protection result statistics section displays the number of all received requests and the numbers of requests that trigger the checks by the following modules: Web Intrusion Prevention, HTTP Flood Protection, Scan Protection, Access Control, and Blocked Bot Attacks.
You can click the number below each module to go to the Security Report page. Then, you can view attack information. For more information, see View security reports.
- If you query the data of all domain names, the top 5 domain names for each module appear.
- If you query the data of a specific domain name, the trend of statistical data appears.
Description of request analysis charts
- The request trend charts include the trend charts for Requests, QPS, Bandwidth, and Response Code.
  Note: The time that a trend chart of this type displays can be accurate to the minute. If you query real-time data, you can view the trend of requests at the minute level.
  To view a trend chart, you can click a tab in Section 1. To hide or show the trend for a module, you can click the legend of the module in Section 2 below the trend chart. Trend description:
  - Requests: displays a trend chart for the total number of requests, the number of times that web intrusion protection is triggered, the number of times that HTTP flood protection is triggered, the number of times that scan protection is triggered, the number of times that access control is triggered, and the number of times that bot management is triggered.
  - QPS: displays a trend chart for the queries per second (QPS) of all requests, QPS for web intrusion prevention, QPS for HTTP flood protection, QPS for scan protection, QPS for access control, and QPS for blocked bot attacks.
    In the upper-right corner of the trend chart, you can click Average or Peak to switch between the average QPS and peak QPS.
  - Bandwidth: displays a trend chart for the inbound bandwidth and the outbound bandwidth.
  - Response Code: displays trend charts for the number of abnormal response codes that are returned to clients and the number of abnormal response codes that are returned to WAF. The abnormal response codes include 5XX, 405, 499, 302, and 444.
    In the upper-right corner of the trend chart, click WAF to Client and Origin Server to WAF to view the abnormal response codes.
- The Client Type Distribution chart displays the distribution of client types in a pie chart. The client types include browsers, script tools, search engines, and scanners.
  To view the distribution of sub-categories under a specific client type, you can click the client type in the pie chart. For example, if you click browsers, you can view the distribution of different types of browsers.
- The request analysis ranking charts include the charts for Top 10 Clients, URL Requests, and Top IP. You can click each tab to view the ranking data.
  - Top 10 Clients: displays the top 10 types of clients that initiate the most requests.
  - URL Requests: displays the top 10 URLs that receive the most requests.
  - Top IP: displays the top 10 IP addresses that initiate the most requests.
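The Response Code trend described above can be cross-checked against exported access logs. The following is an added example, not part of the original documentation or of WAF itself: it buckets the abnormal codes listed on this page (5XX, 405, 499, 302, 444) per minute for both directions. The record fields `ts`, `status` and `upstream_status` and the sample records are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Abnormal response codes as listed on this page: 5XX, 405, 499, 302, 444.
ABNORMAL_EXACT = {405, 499, 302, 444}

# Hypothetical record layout (an assumption, not a documented log schema):
#   ts              - epoch seconds of the request
#   status          - code returned to the client (WAF to Client)
#   upstream_status - code returned by the origin (Origin Server to WAF),
#                     None when the request never reached the origin
DIRECTIONS = (("waf_to_client", "status"), ("origin_to_waf", "upstream_status"))

def abnormal_label(code):
    """Return the chart label for an abnormal code, or None if it is not one."""
    if code is None:
        return None
    if 500 <= code <= 599:
        return "5XX"  # every 5XX code is grouped under one label
    return str(code) if code in ABNORMAL_EXACT else None

def response_code_trend(records):
    """Return {direction: {minute: Counter(label -> count)}} at minute granularity."""
    trend = {name: defaultdict(Counter) for name, _ in DIRECTIONS}
    for rec in records:
        minute = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M")
        for name, field in DIRECTIONS:
            label = abnormal_label(rec.get(field))
            if label is not None:
                trend[name][minute][label] += 1
    return trend

# Constructed sample records, for illustration only.
SAMPLE = [
    {"ts": 1700000000, "status": 200, "upstream_status": 200},
    {"ts": 1700000010, "status": 405, "upstream_status": None},
    {"ts": 1700000030, "status": 502, "upstream_status": 502},
    {"ts": 1700000050, "status": 503, "upstream_status": 503},
    {"ts": 1700000055, "status": 302, "upstream_status": 302},
    {"ts": 1700000058, "status": 404, "upstream_status": 404},
]

if __name__ == "__main__":
    for direction, minutes in response_code_trend(SAMPLE).items():
        for minute in sorted(minutes):
            print(direction, minute, dict(minutes[minute]))
```

A gap between the two directions in the same minute, such as a code that appears only under WAF to Client, separates responses generated at the WAF from responses passed through from the origin.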
Description of threat event analysis
The Threat Event Analysis section displays the attack events on your website and the attacks blocked by WAF. This helps you understand the threats to your website and how to handle them.
- Source IP Address: displays the top 5 IP addresses that initiate the most attacks.
- Target: displays the top 5 URLs that receive the most attacks.
- Attack Type: displays the top 5 attack types. The attack types include SQL injections and cross-site scripting (XSS) attacks.
- Attack Date: displays the top 5 dates during which the most attacks are launched.
- Attack Tool: displays the top 5 attack tools that are used the most frequently to initiate attacks. The attack tools include cURL and postman-runtime.
In the Event Details panel, you can click View Log next to the event name to go to the Log Service page. You can query related logs to further analyze the event. For more information, see Enable log query.