This topic describes the Overview page of the Web Application Firewall (WAF) console. The Overview page displays the protection information of websites that are added to WAF, including attack events, emergency vulnerabilities, protection statistics, and request analysis charts. You can obtain the security status of your website and perform security analysis based on the information displayed on this page.

Access the Overview page

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, click Overview.
  4. In the upper-left corner of the Overview page that appears, specify the target domain (all domains or a single domain) and the time period (Real-time, Today, 7 Days, 30 Days, or Customize) to view the overall information.Specify domain and time period
    Note The overall information for the last 30 days is available. You can customize a time period within the last 30 days.

Overall information

The Overview page includes the following three parts: Overview page

Event list and emergency vulnerability records

The Vulnerabilities tab is displayed by default. You can view the updates to the protection rules for the latest disclosed security vulnerabilities on this tab.

The Events tab displays historical security events. WAF aggregates the blocked attacks into events so that you can quickly identify attacks and threats to your website.
Note If you select all domains, the total numbers of attacks and events on all domains are displayed. You can also select a specific domain to view the relevant events.
Web Application Firewall classifies the attacks into events based on the attack type, severity, frequency, and time. The events are classified into the following types: invalid request blocking, HTTP flood attack blocking, web attack blocking, request blocking based on precise access control, request blocking based on region blocking policies, and request blocking based on continuous attack protection. Attack events
You can click an event to view information of the event and the related data of the event type. For example, in the HTTP Flood Protection area, you can view the top 5 source IP addresses that initiate the most attacks, user agents, referrers, and requested URLs of the attacks. You can also view the number of attacks that are blocked for each of these items. You can also view the protection suggestions provided below the data.HTTP flood attacks

Protection statistics

This area displays the number of all received requests and the numbers of the following types of protection requests, including Web Intrusion Prevention, HTTP Flood Protection, Scan Protection, Access Control, and Blocked Bot Attacks.
Note The Blocked Bot Attacks module is available only in the new protection engine. For more information, see Protection engine is upgraded.
Overall information

You can click the number of requests under each protection module to go to the corresponding Security report page to view data details. For more information, see View security reports.

You can click the drop-down icon in the lower part of this area to display the trend charts of the requests in each module.
Note If you select all domains, the top 5 domains with the most data volume and their data are displayed.
Top 5 domains

Request analysis charts

  • Trends: displays the trends of Requests, QPS, Bandwidth, and Response Code within a specified period. The minimum time granularity is one minute.
    Note
    • You can click a legend item below the trend chart to hide or show the relevant records.
    • The Blocked Bot Attacks module is available only in the new protection engine. For more information, see Protection engine is upgraded.
    • Requests: displays the total number of requests, the number of web intrusion prevention times, the number of HTTP flood protection times, the number of scan protection times, the number of access control hits, and the number of bot protection times.Requests
    • QPS: displays the queries per second (QPS) of all requests, the QPS of web intrusion prevention, the QPS of HTTP flood protection, the QPS of scan protection, the QPS of access control, and the QPS of bot protection.
      Note You can click Average and Peak in the upper-right corner of the chart to switch between the average QPS and peak QPS.
      QPS
    • Bandwidth: displays the inbound bandwidth and outbound bandwidth in bit/s.Bandwidth
    • Response Code: displays the trends of the numbers of HTTP error codes, such as 5XX, 405, 499, 302, and 444.
      Note You can click WAF to Client and Origin Server to WAF in the upper-right corner of the trend chart to view the distributions of response codes from the WAF instance to the client and those from the origin server to the WAF instance.
      Response Code
  • Browser Distribution tab: On this tab, a pie chart shows the distribution of browsers used by the request sources.Browser Distribution tab
  • Top UserAgents tab: On this tab, the most often used user agents and corresponding requests are displayed.Top UserAgents tab
  • URL Requests tab: On this tab, the URLs that are often requested and the number of requests are displayed.URL Requests tab
  • Top IP tab: On this tab, source IP addresses that initiate the most access requests and the number of requests are displayed.Top IP tab
  • Attack Distribution area: In this area, the distribution of attack events is displayed.
    Note You can click an event to view information of the event and related data of the event type.