After your web services are added to Web Application Firewall (WAF), you can go to the Overview page of the WAF console and query urgent vulnerability notifications that occurred in the last 30 days, service security data, and service traffic data. This way, you can check the security posture of your web services.

Prerequisites

Your web services are added as protected objects in WAF.

For more information, see Manage protected objects.

View the overall data on the Overview page

  1. Log on to the WAF 3.0 console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. You can select the Chinese Mainland or Outside Chinese Mainland region.
  3. In the left-side navigation pane, click Overview.
  4. On the Overview page, view urgent vulnerability notifications and the overall data.
    • View urgent vulnerability notifications

      The Urgent Vulnerability section displays the update notification for the protection rule that WAF provides to fix the latest urgent vulnerability. The section appears in the upper part of the Overview page and shows the latest urgent vulnerability notification. To view all urgent vulnerability notifications, click More.

    • Query the overall data

      In the upper part of the Overview page, specify the protected object and time range to query the overall data.

      • Protected object: By default, All is selected, and all protected objects of WAF are queried. You can select a specific protected object.
      • Time range: By default, Today is selected, and WAF displays the data of the current day. You can use one of the following methods to change the time range:
        • Click Yesterday, Today, 7 Days, or 30 Days to query the data of yesterday, today, the last 7 days, or the last 30 days.
        • Click the date and time picker and specify the start time and end time to query data within the specified time range. The time range must be within 30 days.

      The overall data is classified into two parts: overall security data and overall traffic data. To view overall security data or overall traffic data, you can click the Security or Traffic tab. For more information, see Overall security data and Traffic data description.

Overall security data

On the Security tab of the Overview page, you can view the overall security data. The following table describes the overall security data.

Security tab

Category: Protection Overview
Description: Displays the trends of total requests (Total Requests), requests that match rules in monitoring mode (Requests in Monitoring Mode), and blocked requests (Blocked Requests) for the protected object within the specified time range in a line chart. The requests that match rules in monitoring mode are not blocked.
Supported operation: Move the pointer over a point in the line chart to view the data at that point in time.

Category: Attacks
Description: Displays the statistics of the sources that initiate attacks on the protected object within the specified time range.
  • Top 10 Attack IP Addresses: displays the top 10 IP addresses from which attacks are initiated the most times. The IP addresses are listed in descending order by the number of attacks.
  • Top 10 Attack User-Agents: displays the top 10 User-Agent strings that appear in attacks the most times. The User-Agent strings are listed in descending order by the number of attacks.
Supported operation: Click the Top 10 Attack IP Addresses or Top 10 Attack User-Agents tab to view the corresponding data.

Category: Rule Hits
Description: Displays the statistics of all protection rules that are matched in the specified time range.
  • Top 10 Protected Websites: displays the top 10 protected objects that match protection rules the most times. The protected objects are listed in descending order by the number of matches.
    Notice This parameter is supported if you query the data of all protected objects.
  • Top 10 URLs: displays the top 10 URLs that match protection rules the most times. The URLs are listed in descending order by the number of matches.
    Notice This parameter is supported if you query the data of a specific protected object.
  • Top 10 Rule Types: displays the top 10 protection modules that are most frequently matched. The protection modules are listed in descending order by the number of matches.
  • IDs of Top 10 Rules: displays the IDs of the top 10 protection rules that are most frequently matched. The IDs are listed in descending order by the number of matches.
Supported operation: Click the Top 10 Protected Websites, Top 10 Rule Types, and IDs of Top 10 Rules tab to view the corresponding data.

Category: Security Events
Description: Displays the records and details of attack events that occur on protected objects and the attack block percentage in a list. This way, you can identify the threats to your services and obtain information about how to handle these threats.
Supported operation: Click the name of an event to view the event details.

The event details include Threat Intelligence and Suggestions. You can also view the analysis result of the event in the Top 5 Attacks section. You can click the following tabs to view specific data:

  • Source IP Address: displays the top 5 client IP addresses from which attacks are initiated the most times.
  • Attack Target: displays the top 5 URLs that receive attacks the most times.
  • Attack Type: displays the top 5 attack types. The attack types include SQL injections and cross-site scripting (XSS) attacks.
  • Attack Date: displays the top 5 dates at which attacks are initiated the most times.
  • Attack Tool: displays the top 5 attack tools that are most frequently used. The attack tools include cURL and postman-runtime.

In the Event Details panel, you can click View Log to the right of the event name to go to the Log Service page. Then, you can query logs to further analyze the event. For more information, see Enable the Log Service for WAF feature.

Traffic data description

On the Traffic tab of the Overview page, you can view the overall traffic data. The following table describes the overall traffic data.

Traffic tab

Category: Requests
Description: Displays the trend of requests that are received by the protected object within the specified time range in a line chart.
Supported operation: Move the pointer over a point in the line chart to view the data at that point in time.

Category: QPS
Description: Displays the trend of queries per second (QPS) for requests that are received by the protected object within the specified time range in a line chart.
Supported operation:
  • Move the pointer over a point in the line chart to view the data at that point in time.
  • In the upper-right corner of the line chart, you can click Average-value Chart or Peak-value Chart to switch between the average QPS and peak QPS.

Category: Bandwidth
Description: Displays the trends of the inbound bandwidth (Inbound Bandwidth) and outbound bandwidth (Outbound Bandwidth) of the protected object within the specified time range in a line chart. Unit: Bit/s.
Supported operation: Move the pointer over a point in the line chart to view the data at that point in time.

Category: Status Code
Description: Displays the trends of the number of HTTP status codes within the specified time range in a line chart. The status codes can be returned by WAF to clients (WAF to Client) or returned by origin servers to WAF (Origin Server to WAF). The status codes include 5XX, 405, 499, 302, and 444.
Supported operation: Move the pointer over a point in the line chart to view the data at that point in time.

Category: Access Statistics
Description: Displays the statistics of the requests that are received by protected objects within the specified time range.
  • Top 10 Protected Websites: displays the top 10 protected objects that receive requests the most times. The protected objects are listed in descending order by the number of requests.
    Notice This parameter is supported if you query the data of all protected objects.
  • Top 10 URLs: displays the top 10 URLs that receive requests the most times. The URLs are listed in descending order by the number of matches.
    Notice This parameter is supported if you query the data of a specific protected object.
  • Top 10 IP Addresses: displays the top 10 IP addresses from which attacks are initiated the most times. The IP addresses are listed in descending order by the number of requests.
  • Top 10 Attack User-Agents: displays the top 10 User-Agent strings that appear in attacks the most times. The User-Agent strings are listed in descending order by the number of requests.
Supported operation: Click the Top 10 Protected Websites, Top 10 IP Addresses, or Top 10 User-Agents tab to view the corresponding data.