Web Application Firewall:View security reports

The Web Security tab displays the protection details of the following features: Web Intrusion Prevention, Data Leakage Prevention, Account Security, and Positive Security Model. You can click the tab of a feature to view the protection details of the feature.

• Web Intrusion Prevention: displays all web application attacks that are blocked by WAF. This tab consists of two sections: attack chart and attack event. In the following figure, Section 1 shows the attack charts and Section 2 shows the attack events.

  • The attack chart section displays Attack Type Distribution, Top 5 Attack IP Addresses, and Top 5 Attack Regions.

    In the upper part of the attack chart section, you can specify a domain name and a time range to search for protection details.

  • The attack event section displays the following information: Attack IP, Region, Time Attacked, Attack Type, Attacked URL, Method, Parameter, Rule Action, Rule ID, and Attack Probability.

    In the upper part of the attack event section, you can configure the following fields to search for protection details: protection module, attack type, attack IP address, rule ID, and protection action.

    You can perform the following operations on an attack event:

    • View attack details: Find the attack event whose details you want to view and click View Details in the Actions column.

    • Ignore false positives: If you confirm that the attack event is a normal request, click Ignore False Positives in the Actions column of the attack event.

      After you click Ignore False Positives, WAF generates a whitelist rule for web intrusion prevention based on the characteristics of the attack event. Then, web intrusion prevention does not detect requests that have the same characteristics. In the Create Rule dialog box, configure the Rule Name parameter for the whitelist rule and click Save.

      Note

      In rare cases, a request is blocked because multiple protection rules are triggered at the same time. However, the whitelist rule that is generated after you click Ignore False Positives allows requests that have the same characteristics to skip only a specific protection rule. In this case, you can manually reconfigure the IDs of Specific Rules parameter in the whitelist rule and add the IDs of the other protection rules that you want to skip.

      After the whitelist rule is created, the whitelist rule is automatically enabled. You can query, modify, and delete existing rules on the Web Intrusion Prevention - Whitelisting page. For more information, see Configure a whitelist for web intrusion prevention.

  For more information about how to configure web intrusion prevention, see Configure the protection rules engine feature.

• Data Leakage Prevention: displays the web requests that trigger the rules of data leakage prevention. The following information is displayed: Attack IP, Region, Time Attacked, Attacked URL, Method, Parameter, Rule Action, Rule ID, and Attack Probability. You can search for protection details by domain name and time range.

  You can find a web request and click View Details in the Actions column to go to the Attack Detail panel.

  For more information about how to configure data leak prevention, see Configure data leakage prevention.

• Account Security: displays the risk events that occur at a specific endpoint. The endpoint is configured in account security. The following information is displayed: Domain, Endpoint, Malicious Requests Occurred During, Blocked Requests/Total Requests, and Alert Triggered By. You can search for protection details by domain name, endpoint, and time range.

  For more information about how to configure account security, see Configure account security.

• Positive Security Model: displays web application attacks that trigger protection rules. The protection rules are automatically generated by the positive security model. The following information is displayed: Attack IP, Region, Time Attacked, Attacked URL, Method, Rule Action, Rule ID, and Attack Probability. You can search for protection details by domain name and time range.

  You can find a web request and click View Details in the Actions column to go to the Attack Detail panel.

  For more information about how to configure the positive security model, see Configure the positive security model.

The Bot Management tab displays the monitoring data of the crawler requests to websites. This tab also displays the protection details of anti-crawler rules. In the upper-left corner of the tab, you can select a domain name and specify a time range to search for protection details. WAF provides an independent security report for each scenario that you configure by using the scenario-specific configuration feature.

• The Bot Management tab consists of Overview of Protection Effects and Scenario-specific Protection Effect. Overview of Protection Effects displays the trends in the total number of requests, the number of requests that are identified as crawler requests, and the number of crawler requests that trigger different protection rules.

• Bot Requests indicates the number of requests that are identified as crawler requests based on multi-dimensional traffic characteristics. This allows you to view the protection performance of anti-crawler rules. If the number of blocked requests is significantly less than that of requests that are identified as crawler requests, you must modify the anti-crawler rules to improve the protection performance. If the number of requests that are blocked is close to that of requests that are identified as crawler requests, the protection performance is considered satisfactory.

• Requests Detected in Monitoring Mode indicates the number of requests that match anti-crawler rules in Monitor mode. If you set the protection mode to Block, the requests are blocked or the clients are required to pass slider CAPTCHA verification.

• Blocked Requests indicates the number of requests that match anti-crawler rules in Block mode.

For more information about how to configure bot management, see the following topics:

• Configure anti-crawler rules for websites

• Configure the allowed crawlers function

• Configure bot threat intelligence rules

• Configure application protection

The Access Control/Throttling tab displays web requests that trigger HTTP flood protection, scan protection, and access control rules that you configured. You can search for protection details by domain name and time range. You can also query logs with a few clicks.

• HTTP Flood Protection: displays the trend of HTTP flood protection. The following information is displayed: Total QPS, Alert Rule of Custom HTTP Flood Protection, Block Rule of Custom HTTP Flood Protection, and Block Rule of Default HTTP Flood Protection. This tab also displays Number of Matches for different rule types. The rule types include Alert Rule of Custom HTTP Flood Protection, Block Rule of Custom HTTP Flood Protection, and Block Rule of Default HTTP Flood Protection.

  You can click the value of Number of Matches for a rule type to go to the Log Service page. On the Log Service page, the system provides the log query statements that are related to HTTP flood protection. This facilitates log queries. For more information, see Query logs.

  For more information about how to configure HTTP flood protection, see Configure HTTP flood protection.

  For more information about how to configure custom HTTP flood protection rules, see Create a custom protection policy.

• Scan Protection: displays the trend of scan protection. The following information is displayed: Total QPS, Directory Traversal Protection, Collaborative Protection, High-frequency Web Attack Protection, and Scan Tool-based Blocking. This tab also displays Number of Matches for different rule types. The rule types include Directory Traversal Protection, Collaborative Protection, High-frequency Web Attack Protection, and Scan Tool-based Blocking.

  You can click the value of Number of Matches for a rule type to go to the Log Service page. On the Log Service page, the system provides the log query statements that are related to scan protection. This facilitates log queries. For more information, see Query logs.

  For more information about how to configure scan protection, see Configure scan protection.

• Access Control: displays the trend of access control. The following information is displayed: Total QPS, Block Rules of ACL, Alert Rules of ACL, and Blacklist. This tab also displays the number of times that custom rules are matched.

  You can click the ID of a custom rule. In the Edit Rule dialog box, you can view and modify the configuration of this custom rule. For more information, see Create a custom protection policy.

  You can click the value of Number of Matches for a custom rule to go to the Log Service page. On the Log Service page, the system provides the log query statements that are related to access control. This facilitates log queries. For more information, see Query logs.

  For information about how to configure access control rules, see Create a custom protection policy.

  For information about how to configure an IP address blacklist, see Configure a blacklist.