After you add your website to Web Application Firewall (WAF), you can use the alert settings feature to configure alerting. After alerts are configured, WAF sends alert notifications in real time when it detects attacks and unusual traffic. This helps you understand the security posture of your website in a timely manner.

Prerequisites

  • Your website is added to WAF. For more information, see Tutorial.
  • Optional: The Log Service for WAF feature is enabled for your WAF instance, and the log collection feature is enabled for the domain name of your website. For more information, see Enable Log Service for WAF and Step 2: Enable the log collection feature.

    By default, WAF allows you to configure monitoring and alert rules by using Alibaba Cloud CloudMonitor. In the CloudMonitor console, you can configure monitoring and alert rules for the WAF metrics that are supported by CloudMonitor and the attack events that are detected by WAF. For more information about the WAF metrics, see WAF metrics. If the WAF metrics that are supported by CloudMonitor do not meet your business requirements, you can use the Log Service for WAF feature to configure the alert settings for WAF.

    If you want to use the Log Service for WAF feature to configure the alert settings, the preceding prerequisites must be met.

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, choose System Management > Alarm Settings.
  4. On the Alarm Settings page, configure notification methods based on the type of attack events. The notification methods are described below.
    CloudMonitor Notifications

    Create alert rules for different types of events by using the alerting feature provided by CloudMonitor.

    CloudMonitor is a service that monitors resources and Internet applications. For more information, see What is CloudMonitor. CloudMonitor provides the alerting feature to monitor events and metrics of cloud services. For more information about the feature, see Overview.

    If you use the CloudMonitor Notifications method, you can create alert rules for all types of events that are listed on the Alarm Settings page. The event types are Web Attacks, HTTP Flood Attack Events, ACL-based Attacks, Scan Attacks, Traffic Volume Monitoring, Abnormal Traffic Monitoring, Custom Attack Monitoring, Bandwidth Threshold Exceeded, and QPS Threshold Exceeded.

    When you click CloudMonitor Notifications, you are redirected to the Alert Rules tab of the CloudMonitor console. You can configure alert rules on the Alert Rules tab. For more information, see Use CloudMonitor to configure monitoring and alerting for WAF.

    Log Service Configurations

    Create alert rules for different types of events by using the alerting feature provided by Log Service for WAF.

    Log Service for WAF allows you to collect and store the logs for requests that are sent to the domain name of your website that is added to WAF. Then, you can query and analyze the logs. You can use query and analysis results to customize alert rules for WAF metrics based on your business requirements.

    If you use the Log Service Configurations method, you can create alert rules for different combinations of metrics. This method provides high flexibility and is suitable for business scenarios in which you want to customize alert rules. Compared with the previous method, this method is more complex to use.

    When you click Log Service Configurations, you are redirected to the Log Service page. You can query and analyze WAF logs and customize alert rules on the Log Service page. For more information about how to configure WAF log alerting, see Configure an alert in Log Service. For more information about the examples on how to configure WAF log alerting, see Overview.

    View Alerts Generated During Last 30 Days

    View details about alerts that are sent because the actual traffic exceeds the specified WAF service bandwidth or QPS threshold value.

    If the actual traffic of your website exceeds the service bandwidth or QPS threshold value of your WAF instance, the system automatically displays an alert notification in the upper part of the WAF console. The system also sends the alert notification by email to the contact that you specify for your Alibaba Cloud account.

    On the Alarm Settings page, you can view the details about the alerts that are generated within the last 30 days. You can click View Alerts Generated During 30 Days for Bandwidth Threshold Exceeded or QPS Threshold Exceeded to view alert details.

    For more information, see WAF service bandwidth.
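
The Log Service Configurations method described above lets you alert on combinations of metrics rather than a single metric. The following Python example is added here for illustration and is not code from this page or from Alibaba Cloud: it evaluates one such combined rule (request volume, block ratio, and number of distinct blocked sources per domain in a 5-minute window) over constructed records. The field names (`time`, `host`, `client_ip`, `action`) and the thresholds are assumptions, not the WAF log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed sample records. The field names (time, host, client_ip, action)
# are hypothetical and are not the WAF log schema.
def _rec(ts, host, ip, action):
    return {"time": datetime.fromisoformat(ts), "host": host,
            "client_ip": ip, "action": action}

SAMPLE = (
    # shop, 10:00 window: 20 blocked requests from 4 sources, 10 passed
    [_rec(f"2024-01-01T10:00:{s:02d}", "shop.example.com",
          f"203.0.113.{(s // 2) % 4}", "block") for s in range(0, 40, 2)]
    + [_rec(f"2024-01-01T10:00:{s:02d}", "shop.example.com",
            "198.51.100.7", "pass") for s in range(1, 20, 2)]
    # blog, 10:00 window: 10 blocked requests from a single source
    + [_rec(f"2024-01-01T10:00:{s:02d}", "blog.example.com",
            "198.51.100.9", "block") for s in range(0, 30, 3)]
    # shop, 10:05 window: 30 passed requests, nothing blocked
    + [_rec(f"2024-01-01T10:05:{s:02d}", "shop.example.com",
            "198.51.100.7", "pass") for s in range(30)]
)

def evaluate(records, window=timedelta(minutes=5), min_requests=20,
             min_block_ratio=0.5, min_sources=3):
    """Return one alert per (host, window) in which all three conditions hold."""
    buckets = defaultdict(lambda: {"total": 0, "blocked": 0, "sources": set()})
    for r in records:
        # Floor the timestamp to the start of its tumbling window.
        start = r["time"] - ((r["time"] - EPOCH) % window)
        b = buckets[(r["host"], start)]
        b["total"] += 1
        if r["action"] == "block":
            b["blocked"] += 1
            b["sources"].add(r["client_ip"])
    alerts = []
    for (host, start), b in sorted(buckets.items()):
        ratio = b["blocked"] / b["total"]
        if (b["total"] >= min_requests and ratio >= min_block_ratio
                and len(b["sources"]) >= min_sources):
            alerts.append({"host": host, "window_start": start,
                           "total": b["total"], "blocked": b["blocked"],
                           "sources": len(b["sources"])})
    return alerts
```

Requiring several distinct blocked sources keeps a single noisy client, such as the one hitting `blog.example.com` in the sample, from raising the alert on its own.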