Web Application Firewall: Overview

Last Updated: Jan 03, 2024

After you add your website to Web Application Firewall (WAF), you can query urgent vulnerability notifications, service security data, and service traffic data of the previous 30 days on the Overview page. This way, you can view the security status of your website.

Prerequisites

View the overall data on the Overview page

When you log on to the WAF console, you are directed to an interface based on the region in which your WAF instance is deployed. If your WAF instance is deployed in the Chinese mainland, you are directed to the interface in the China (Hangzhou) region. If your WAF instance is deployed outside the Chinese mainland, you are directed to the interface in the Singapore region.

On the Overview page, you can view information about the resources that are added to WAF, such as the number of requests and queries per second (QPS).

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, click Overview.

  3. On the Overview page, you can view urgent vulnerability notifications, data of the current day, basic information about the WAF instance, and overall data.

    [Figure: Overview page, subscription edition]

    [Figure: Overview page, pay-as-you-go edition]

    Item | Subscription | Pay-as-you-go

    Urgent vulnerability notifications (labeled as 1 in the preceding figure)

    The Urgent Vulnerability section displays update notifications for protection rules that can be used to fix the latest urgent vulnerabilities. In the upper part of the Overview page, you can view the latest urgent vulnerability notification. Click More to view all urgent vulnerability notifications.

    Data of current day (labeled as 2 in the preceding figure)

    The Data of Current Day section displays the data that is generated during the statistical period, including the number of requests, peak QPS, number of blocked requests, and number of monitored requests. If you use a subscription WAF instance, the value of the Peak QPS parameter is the QPS quota of the current edition.

    Basic information about the WAF instance (labeled as 3 in the preceding figure)

    You can perform the following operations in the Protected Assets section:

    • View the duration for which the WAF instance protected your assets and the expiration time of the WAF instance.

    • Renew your WAF instance. For more information, see Renewal policy.

    • Upgrade or downgrade your WAF instance. For more information, see Upgrade or downgrade a WAF instance.

    • Click Excess Details to view QPS usage details.

    • Click Show Details to view the number of protected domain names, clean QPS, and the number of exclusive IP addresses, and check whether intelligent load balancing is enabled. You can also click Resize to the right of the specifications or Upgrade Now to upgrade the specifications that you purchased.

    Overall data (labeled as 4 in the preceding figure)

    Specify the protected object and the time range to query the overall data. Query settings:

    • Protected object: By default, All is selected and the data of all protected objects of the WAF instance is queried. You can select a specific protected object.

    • Time range: By default, Today is selected and the data of the current day is queried. You can select Yesterday, Today, 7 Days, or 30 Days to view the data of the previous day, the current day, the previous 7 days, or the previous 30 days.

    The overall data is classified into overall security data and overall traffic data. To view the overall security data or overall traffic data, you can click the Security or Traffic tab. For more information, see the "Overall security data" and "Traffic data" sections in this topic.

Overall security data

On the Security tab of the Overview page, you can view the overall security data. The following table describes the overall security data.

Data type | Description | Supported operation

Protection Overview

  • Displays the number of requests that are blocked by the protection rules that you configured in a specific time range. You can click the number below each protection module to view the protection details of the corresponding protection module on the Security Reports page. For example, if you click the number below Basic Protection Rule, you are redirected to the Basic Protection Rule tab of the Security Reports page. Then, you can view the protection details of the Basic Protection Rule module. For more information, see Security reports.

  • Displays the trend of requests that are received by the protected object in a specific time range in a line chart.

    • Total Requests

    • Requests in Monitoring Mode: the number of monitored requests.

    • Blocked Requests: the number of blocked requests.

Move the pointer over a point in the line chart to view the data at the corresponding point in time.

Risk Analysis of Bot Traffic

Displays the data of all types of bot traffic that is received by the protected object in a specific time range in a pie chart.

Click Configure Now to enable the bot management module. For more information, see Enable and configure the bot management module.

Security Events

Displays the records and details of attack events that occur on protected objects and the attack block percentage in a list. This allows you to identify the threats to your services and obtain information about how to handle the threats.

Click the name of an event to view the event details.

The event details include Threat Intelligence and Suggestions. You can view the analysis result of the event in the Top 5 Attacks section. You can click the following tabs to view specific data:

  • Source IP Address: displays the top 5 source IP addresses of attacks.

  • Attack Target: displays the top 5 attacked URLs.

  • Attack Type: displays the top 5 most frequently used attack types, such as SQL injection and cross-site scripting (XSS) attacks.

  • Attack Date: displays the top 5 dates on which the highest number of attacks are initiated.

  • Attack Tool: displays the top 5 most frequently used attack tools, such as cURL and postman-runtime.

In the Event Details panel, you can click View Log on the right side of the event name to go to the Log Service page. Then, you can query logs to analyze the event. For more information, see Enable or disable the Log Service for WAF feature.

Top 10 Attacks

Displays the statistics on the sources that initiate attacks on the protected object in a specific time range.

  • Attacker IP Address: displays the top 10 source IP addresses of attacks. The IP addresses are listed in descending order of the number of attacks.

  • Attack User-Agent Header: displays the top 10 User-Agent strings that are included in attacks the highest number of times. The User-Agent strings are listed in descending order of the number of attacks.

Click Attacker IP Address or Attack User-Agent Header to view the corresponding data.

Top 10 Matches

Displays the statistics on all protection rules that are triggered in a specific time range.

  • Protected Object: displays the top 10 protected objects that trigger protection rules the highest number of times. The protected objects are listed in descending order of the number of times that the protected objects trigger protection rules.

    Note

    This parameter is available only if you query the data of all protected objects.

  • Protection Rule Type: displays the top 10 protection modules that are triggered the highest number of times. The protection modules are listed in descending order of the number of times that the protection modules are triggered.

  • Rule ID: displays the IDs of the top 10 protection rules that are matched the highest number of times. The IDs are listed in descending order of the number of times that the protection rules are matched.

Click Protected Object, Protection Rule Type, or Rule ID to view the corresponding data.

Traffic data

On the Traffic tab of the Overview page, you can view the overall traffic data.

Data type | Description | Supported operation

Requests

Displays the trend of requests that are received by the protected object in a specific time range in a line chart.

Move the pointer over a point in the line chart to view the data at the corresponding point in time.

QPS

Displays the trend of QPS for requests that are received by the protected object in a specific time range in a line chart.

  • Move the pointer over a point in the line chart to view the data at the corresponding point in time.

  • In the upper-right corner of the line chart, you can click Average-value Chart or Peak-value Chart to switch between the average QPS and peak QPS. If the peak QPS of a WAF instance exceeds the QPS limit of the WAF instance for 5 minutes, the event is recorded as a QPS excess event. If multiple QPS excess events occur on the same day, only one QPS excess event is recorded. If four QPS excess events are recorded, the WAF instance is added to a sandbox. For more information, see The sandbox feature.

Bandwidth

Displays the trends of the inbound bandwidth and outbound bandwidth of the protected object in a specific time range in a line chart. Unit: bit/s.

Move the pointer over a point in the line chart to view the data at the corresponding point in time.

Status Code

Displays the trends of the number of HTTP status codes in a specific time range in a line chart. The HTTP status codes can be returned by WAF to clients (WAF to Client) or returned by origin servers to WAF (Origin Server to WAF). The HTTP status codes include 5XX, 405, 499, 302, and 444.

Move the pointer over a point in the line chart to view the data at the corresponding point in time.

Top 10 Access Statistics

Displays the statistics on the requests that are received by protected objects in a specific time range.

  • Protected Object: displays the top 10 protected objects that receive the highest number of requests. The protected objects are listed in descending order of the number of requests.

    Note

    This parameter is supported only if you query the data of all protected objects.

  • IP Address: displays the top 10 source IP addresses of requests. The IP addresses are listed in descending order of the number of requests.

  • User-Agent Header: displays the top 10 User-Agent strings that are included in requests the highest number of times. The User-Agent strings are listed in descending order of the number of requests.

Click Protected Object, IP Address, or User-Agent Header to view the corresponding data.
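
The QPS excess rule described in the QPS entry above, worked through as an added example (not Alibaba Cloud code and not a WAF API). It assumes one peak-QPS sample per minute, that "for 5 minutes" means five consecutive samples above the limit, and that every recorded event in the supplied series counts toward the threshold of four; the limit and the sample values are constructed.

```python
from datetime import datetime, timedelta

QPS_LIMIT = 5000        # constructed value; use your instance's QPS limit
EXCESS_MINUTES = 5      # "exceeds the QPS limit ... for 5 minutes"
SANDBOX_THRESHOLD = 4   # "four QPS excess events are recorded"


def excess_event_days(samples, limit=QPS_LIMIT, minutes=EXCESS_MINUTES):
    """Return the sorted dates on which a QPS excess event is recorded.

    samples: iterable of (datetime, peak_qps), one sample per minute.
    Assumption: the 5 minutes must be consecutive, so a sample at or
    below the limit, or a gap in the series, restarts the count.
    """
    days, run, prev = set(), 0, None
    for ts, qps in sorted(samples):
        contiguous = prev is not None and ts - prev == timedelta(minutes=1)
        if qps > limit:
            run = run + 1 if contiguous else 1
        else:
            run = 0
        if run >= minutes:
            days.add(ts.date())  # several events on one day are recorded once
        prev = ts
    return sorted(days)


def sandbox_reached(samples, threshold=SANDBOX_THRESHOLD):
    """True once the number of recorded excess events reaches the threshold."""
    return len(excess_event_days(samples)) >= threshold


def burst(start, minutes, qps):
    """Constructed sample data: `minutes` one-minute samples at a fixed QPS."""
    return [(start + timedelta(minutes=i), qps) for i in range(minutes)]


SAMPLES = (
    burst(datetime(2024, 1, 1, 10, 0), 6, 6200)    # over for 6 min: event
    + burst(datetime(2024, 1, 1, 15, 0), 7, 7000)  # same day: still one event
    + burst(datetime(2024, 1, 2, 9, 0), 4, 9000)   # only 4 min: no event
    + burst(datetime(2024, 1, 3, 9, 0), 5, 5001)   # exactly 5 min: event
    + burst(datetime(2024, 1, 4, 9, 0), 5, 5000)   # equals the limit: no event
)

if __name__ == "__main__":
    print(excess_event_days(SAMPLES), sandbox_reached(SAMPLES))
```

Run against exported per-minute peak QPS, this shows how many recorded event days remain before the sandbox threshold is reached.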