Web Application Firewall (WAF) provides security reports that include the protection details of all protection modules, such as the basic protection rule, IP address blacklist, and custom rule modules. You can analyze the security of your business based on the security reports.
- Web services are added to WAF 3.0 as protected objects. For more information, see Protected objects and protected object groups.
- Protection rules are configured for protected objects.
By default, the basic protection rule module is enabled. You do not need to configure basic protection rules. However, you must configure protection rules for other protection modules to take effect. For more information, see Protection configuration overview.
View security reports
- Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
- In the left-side navigation pane, choose .
- On the Security Reports page, specify the report type, protected object, and time range to query security report data. You can click a protection module tab such as Basic Protection Rule, IP Address Blacklist, Custom Rule, and Scan Protection to view the security reports of a protection module. The following list describes the query settings:
- Protected object: By default, All is selected and security report data of all protected objects of WAF is queried. You can select a specific protected object.
- Time range: By default, Today is selected and security report data of the current day is queried. Select Yesterday, Today, 7 Days, or 30 Days to query data of the previous day, current day, previous seven days, or previous 30 days.
- Template name: You can specify a bot management template to view the protection details of the template.
Basic protection rule module
On the Basic Protection Rule tab, you can view the protection details of the basic protection rule module. By default, the basic protection rule module is enabled. You can view the security report of the basic protection rule module on the Security Reports page. For information about how to modify the default settings of the basic protection rule module, see Configure basic protection rules and rule groups.
|Distribution of Attack Types||Displays the distribution of attacks by type in a pie chart.||None|
|Top 5 Attacker IP Addresses||Displays the top five IP addresses from which the highest number of attacks are initiated and the regions where the IP addresses are located. The IP addresses are listed in descending order by the number of attacks.||None|
|Top 5 Attacker Areas||Displays the top five areas from which the highest number of attacks are initiated. The areas are listed in descending order by the number of attacks.||None|
|Protection Details||Displays information about the attacks that match basic protection rules in a list. |
The list includes the following information:
IP address blacklist, custom rule, scan protection, HTTP flood protection, and region blacklist modules
On the Security Reports page, you can view the protection details on the IP Address Blacklist, Custom Rule, Scan Protection, HTTP Flood Protection, or Region Blacklist tab.
|Protection Overview||Displays the trends of Total QPS, Alerts, and Blocked Requests of a protected object within a specific time range in a line chart. Total QPS indicates the total number of requests that are received by a protected object. Alerts indicates the number of requests that match protection rules in Monitor mode. Blocked Requests indicates the number of requests that are blocked by protection rules.||Move the pointer over a point in the line chart to view the data at a specific point in time.|
|Top 10 Rules||Displays the information about the top 10 protection rules that are most frequently matched in a specific time range. The information includes Rule Name/ID, Protected Objects, and Hits. The rules are listed in descending order by the number of matches.||Click the icon in the Rule Name/ID column to copy the name or ID of a rule.|
|Protection Details||Displays the statistics of the protection details of the protection module in a specific time range.||Click the Top 10 Protected Objects or Top 10 IP Addresses tab to view the data.|
Bot management module
On the Bot Management tab of the Security Reports page, you can view the protection details of the bot management module.
|Protection Overview||Displays the protection details of the bot management module in a specific time range in a line chart. The protection details include the actions that are performed on requests and the rules that are matched.|
|Matched Rules||Displays the IDs of configured bot management rules, the rule templates to which the rules belong, and the number of times that rules in Monitor mode are matched.||None|
|Attack Details||Displays information about the IP addresses that match bot management rules in a specific time range. The information includes the attacker IP address, area where the attacker IP address is located, attack URL, details of the rule template that is matched, and number of requests. The details of the rule template that is matched include the template name, rule ID, rule name, and the action that is specified in the rule.||Find the IP address whose attack details you want to view and click Add to Whitelist or Add to Blacklist in the Actions column. |
A rule template named AutoTemplate is created and a whitelist rule or IP address blacklist rule is created for the template. For more information, see Configure whitelist rules to allow specific requests and Configure IP address blacklist rules to block specific requests.
Data leakage prevention module
On the Data Leakage Prevention tab of the Security Reports page, you can view the protection details of the data leakage prevention module.
- Displays the match details of data leakage prevention rules that are configured for a protected object within a specific time range, including Attacker IP Address, Area, Attack Time, Attack Type, Attack URL, Request Method, Request Parameter, and Action.
- If you want to view the protection details of an attack IP address, find the attack IP address and click View Details in the Actions column. In the Attack Details panel, you can view the protection details.