This topic describes the Overview page of the Web Application Firewall (WAF) console. The Overview page displays the protection information of websites that you add to WAF, including attack events, urgent vulnerabilities, protection statistics, and request analysis charts. You can check the security status of your websites and perform security analysis based on the information displayed on this page.

Prerequisite

  • Your website is added to the WAF console. For more information, see Add websites.
  • Your websites are protected by WAF.

    After you add a domain name to WAF, the RegEx Protection Engine and HTTP Flood Protection features are enabled by default. You need to manually enable other features. For more information, see Overview.

Access the Overview page

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, click Overview.
  4. In the upper-left corner of the Overview page, select a specific domain name or All. Then, select a time period from Real-time, Today, 7 Days, 30 Days, or Customize to view the overall information.Specify the domain name and time period
    Note The overall information for the last 30 days is available. You can customize a time period within the last 30 days.

Overview page

The Overview page includes the following three parts: Overview page

Attack events and urgent vulnerabilities

The Vulnerabilities tab is displayed by default. You can view the updates to protection rules for the newly disclosed security vulnerabilities.

On the Vulnerabilities tab, click a vulnerability name to go to the Details of Emergency Vulnerability panel. In the panel, you can view protection details, including information about protection rules and affected assets. In the Details of Emergency Vulnerability panel, click the number below Protected Assets to go to the Website Access page.

The Events tab displays historical attack events. WAF aggregates blocked attacks into events so that you can quickly know attacks and threats to your website.
Note If you select All, the total numbers of attacks and events on all domain names are displayed. You can also select a specific domain name to view the relevant events.

You can click an event to view its details and information about the type of this event. For example, in the HTTP Flood Protection section, you can view the top 5 User-Agents, Referrers, requested URLs of attacks and source IP addresses that initiate the most attacks. You can also view the number of attacks that are blocked for each of these items. The system provides protection suggestions below the data.

Protection statistics

This part displays the number of all received requests and the numbers of requests that trigger the checks of the following modules: Web Intrusion Prevention, HTTP Flood Protection, Scan Protection, Access Control, and Blocked Bot Attacks.
Note The Blocked Bot Attacks module is available only in the new protection engine. For more information, see Protection engine upgrade.
Overall information

You can click the number below each module to go to the Security report page to view detailed data. For more information, see View security reports.

You can click the downward arrow in the lower part of this part to display the trend charts of the corresponding requests in each module.
Note If you select All, the top 5 domain names with the most data volume and their data are displayed.
Top5

Request analysis charts

  • Trend charts: display the trend charts of Requests, QPS, Bandwidth, and Response Code within a specified time period. The minimum time granularity is one minute.
    Note
    • You can click a legend item below a trend chart to hide or show the specific trend.
    • The Blocked Bot Attacks module is available only in the new protection engine. For more information, see Protection engine upgrade.
    • Requests: displays the total number of requests, the number of times web intrusion protection is triggered, the number of times HTTP flood protection is triggered, the number of times scan protection is triggered, the number of times access control is triggered, and the number of times bot management is triggered.Requests
    • QPS: displays the queries per second (QPS) of all requests, and QPS for Web Intrusion Prevention, HTTP Flood Protection, Scan Protection, Access Control, and Blocked Bot Attacks.
      Note You can click Average and Peak in the upper-right corner of the chart to switch between the average QPS and peak QPS.
      qps
    • Bandwidth: displays the inbound bandwidth and outbound bandwidth in bit/s.Bandwidth
    • Response Code: displays the trends of the numbers of HTTP error codes, such as 5XX, 405, 499, 302, and 444.
      Note You can click WAF to Client and Origin Server to WAF in the upper-right corner of the trend chart to view the distribution of response codes. The response codes are sent by a WAF instance to clients or by origin servers to the WAF instance.
      Response Code
  • Browser Distribution: displays the distribution of browsers used by the request sources in a pie.Browser Distribution tab
  • Top UserAgents: displays the most often used User-Agents and their requests.Third-party Dependencies - Response Time (milliseconds)
  • URL Requests: displays the URLs that are most often used and the number of the specific requests.URL Requests tab
  • Top IP: displays source IP addresses that initiate the most access requests and the number of requests.Top IP tab
  • Attack Distribution: displays the distribution of attack events.
    Note You can click an event to view its details and information about the type of this event.