Reference: WAF Web Protection Dashboard

The WAF Web Protection dashboard provides information about application security management for all your WAF policies and protected applications.

You can filter this dashboard by policy, application, virtual server, traffic, or attack component, allowing you to drill down into a specific aspect of your WAF protection. For more information about filtering the WAF dashboard, see How to: Policy actions from WAF Security Dashboard.

The following describes the information found in the dashboard and provides an overview of policy management capabilities.

Note: For L7 DoS dashboard information, see Reference: WAF L7 DoS Dashboard

Dashboard toolbar

Customize the information displayed in the dashboard using the selection tools at the top of the dashboard:

  • Time Settings - Select the amount of time displayed in the dashboard. Each time setting displays the average traffic and attack information from the present time to the unit selected.

  • Refresh - Trigger a manual refresh, or select an automatic refresh time.

[Figure: Example of time selection and manual refresh]

WAF dashboard widgets

The top of the dashboard provides general policy information and information about traffic to the policy for the selected time period. At the lower right of each widget, you can see how the volume of that traffic statistic has increased or decreased compared with the previous time period.

  • Total Requests - The total number of HTTP requests to the WAF application over the selected time period.

  • Blocked Requests - The number of requests blocked by the WAF policy over the selected time.

  • Alerted Requests - The number of requests that generated an alert, but were not blocked, by the WAF policy over the selected time.

[Figure: Example of WAF dashboard widgets]

Applications and Policies

The dashboard lists all WAF applications and WAF policies on BIG-IP Next Central Manager. Each application or policy includes information about the number of illegal requests and malicious bot requests over the time period selected for the dashboard.

The enforcement status of each application or policy is indicated by the name:

- The enforcement mode blocks detected attacks or violations.

- The enforcement mode detects attacks and violations, but does not block traffic.

In addition, you can see the percentage by which the request type has increased or decreased over the previous time period. For example: You selected the Last 24 hours for the dashboard. In the previous 24 hours, only 1 illegal request was detected on a WAF application. However, over the last 24-hour period, 2 illegal requests were detected. The application would indicate there was a 100% increase in web illegal requests.

Detected Attacks

Monitor and manage detected attacks based on the information presented for the selected time period.

Each data card presents different aspects of the attack and/or how the attack was handled by the WAF policy.

You can use the arrows at the bottom of each chart to scroll through the data lists.

For more information about reviewing event log details, see: Reference: Event Logs

For more information about managing your WAF policy, see: How To: Manage and edit a WAF policy on BIG-IP Next Central Manager

Violations/Sub-Violations

The Violations/Sub-Violations chart lists all detected violations, and is sorted by how often the attack was detected over the selected time period.

You can click the violation row to display average information about blocked and alerted requests. The information card includes:

  • The number of attacked URLs or attacking IP addresses detected with that violation in the request.

  • The Average Violation Rating

  • The number of alerted requests (violation detected but not blocked). In addition, this shows the percentage of alerted requests with that violation, out of all requests, over the selected time.

  • The number of blocked requests. In addition, this shows the percentage of blocked requests with that violation type, out of all requests, over the selected time.

If you click View Logs, a panel displays the event log of alerted and blocked requests that detected the selected violation.

If you click Actions, a panel displays general information and allows you to change the policy’s enforcement settings for that violation. You can change one or more policy enforcement actions from the panel. See example below:

Signatures

The Signatures chart lists all detected attack signatures, and is sorted by how often the signature was detected over the selected time period.

You can click the signature row to display average information about blocked and alerted requests. The information card includes:

  • The number of attacked URLs or attacking IP addresses detected with that signature in the request.

  • The Average Violation Rating

  • The number of alerted requests (violation detected but not blocked). In addition, this shows the percentage of alerted requests with that attack signature, out of all requests, over the selected time.

  • The number of blocked requests. In addition, this shows the percentage of blocked requests with that attack signature, out of all requests, over the selected time.

If you click View Logs, a panel displays the event log of alerted and blocked requests that detected the selected signature.

If you click Actions, a panel displays general information and allows you to change the policy’s enforcement settings for that signature. You can change one or more policy enforcement actions from the panel. See the example shown in Violations/Sub-Violations.

[Figure: Example of Signatures chart with XSS script tag signature details]

Attack URLs

The Attack URLs chart lists the top 20 application URLs included in malicious or suspicious requests detected by WAF.

You can click the URL row to display average information about blocked requests to that URL. The information card includes:

  • The number of times the same IP address tried to access the URL.

  • The Average Violation Rating

  • The number of alerted requests (violation detected but not blocked). In addition, this shows the percentage of alerted requests to that URL, out of all URL requests, over the selected time.

  • The number of blocked requests. In addition, this shows the percentage of blocked requests to that URL, out of all URL requests, over the selected time.

If you click View Logs, a panel displays the event log of alerted and blocked requests to that URL.

[Figure: Example of URLs chart with event log details selected for a URL]

Attack IP Addresses

The Attack IP Addresses list displays the request source IP addresses most commonly blocked by the policy. The list includes the top 20 IP addresses. You can click the IP address row to display average information about blocked requests from that source IP address. The information card includes:

  • The number of times the IP address tried to access a URL.

  • The Average Violation Rating.

  • The number of alerted requests (violation detected but not blocked). In addition, this shows the percentage of alerted requests from that IP address, out of all requests to that policy, over the selected time, that generated an alert.

  • The number of blocked requests. In addition, this shows the percentage of blocked requests from that IP address, out of all requests to that policy, over the selected time, that generated an alert.

If you click View Logs, a panel displays the event log of blocked requests from that source IP address.

If you click View Details, a panel displays general information and allows you to change the policy’s settings for that IP address. For more information, see How to: Policy actions from WAF Security Dashboard.

[Figure: Example of Top Attack Source Addresses with top IP address selected]

Attack Geolocations

The Attack Geolocations map displays the volume of blocked requests from the top 20 countries with blocked requests. You can click the name of the country from the right of the map. This displays average information about all the requests from that country, including violations that generated an alert, but were not blocked. The information card includes:

  • The number of attacked URLs or attacking IP addresses detected with that geolocation in the request.

  • The Average Violation Rating

  • The number of alerted requests (violation detected but not blocked). In addition, this shows the percentage of alerted requests from that country, out of all requests over the selected time.

  • The number of blocked requests. In addition, this shows the percentage of blocked requests from that country, out of all requests over the selected time.

If you click Actions, a panel displays general information and allows you to change the policy’s enforcement settings for that country. In addition, you can deploy these geolocation updates to other policies. For more information, see How to: Policy actions from WAF Security Dashboard.

If you click View Logs, a panel displays the event log of blocked requests from that geolocation.

[Figure: Example of Attack Geolocations with a country’s name selected]

Attack Requests

The Attack Requests chart displays the number of detected attacks over time, and whether the policy action was to generate an alert or alert and block the request.

A significant increase in attack activity can indicate that you need to further investigate traffic to your application. You can check the event log to verify why the policy blocked or alerted on traffic.

[Figure: Example of Attack Requests chart with details for alerted requests at a specific time]

Bot Signatures

The Bot Signatures chart lists all bots detected, and whether they were associated with an illegal request. If your policy is configured to detect all bot activity, even allowed bots, you will be able to view the amount of bot activity to your applications.

You can click the name of the detected bot to display average information about all the requests from that bot, including any illegal flags found in the request. The details include:

  • The number of attacked URLs or attacking IP addresses detected with that bot signature in the request.

  • The Average Violation Rating

  • The number of alerted requests (violation detected but not blocked). In addition, this shows the percentage of alerted requests with that bot signature, out of all requests over the selected time.

  • The number of blocked requests. In addition, this shows the percentage of blocked requests from that bot signature, out of all requests over the selected time.

If you click View Logs, a panel displays the event log of requests with that bot signature.

[Figure: Example of bot signatures with a specific bot name selected]

Threat Campaigns

The Threat Campaigns chart lists the top 20 threat campaigns (most illegal requests) detected, and whether they are active.

You can click the name of the detected threat campaign to display average information about the detected threat campaign. The details include:

  • The Average Violation Rating

  • The number of alerted requests (violation detected but not blocked). In addition, this shows the percentage of alerted requests with that threat campaign, out of all requests over the selected time.

  • The number of blocked requests. In addition, this shows the percentage of blocked requests from that threat campaign, out of all requests over the selected time.

If you click View Logs, a panel displays the event log of requests with that threat campaign.