WAF protection overview - Web Application Firewall - Alibaba Cloud Documentation Center

After you add your website to Web Application Firewall (WAF), you can query urgent vulnerability notifications, service security data, and service traffic data of the previous 30 days on the Overview page. This way, you can view the security status of your website.

Prerequisites

A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
Web services are added to WAF 3.0 as protected objects. For more information, see Configure protected objects and protected object groups.

View the overall data on the Overview page

You are directed to an interface when you log on to the WAF console based on the region in which your WAF instance is deployed. If your WAF instance is deployed in the Chinese mainland, you are directed to the interface in the China (Hangzhou) region. If your WAF instance is deployed outside the Chinese mainland, you are directed to the interface in the Singapore region.

On the Overview page, you can view information about the resources that are added to WAF, such as Total Requests, Peak QPS, Total Blocked Requests, and Matched Requests in Monitoring Mode.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Overview.

On the Overview page, view urgent vulnerability notifications, data of the current day, basic information about the WAF instance, and overall data.

Subscription

包年包月版

Pay-as-you-go

按量付费版

Item	Subscription	Pay-as-you-go
Urgent vulnerability notifications (labeled as 1 in the preceding figure)	The Urgent Vulnerability section displays update notifications for protection rules that can be used to fix the latest urgent vulnerabilities. In the upper part of the Overview page, you can view the latest urgent vulnerability notification. Click More to view all urgent vulnerability notifications.
Data of the current day (labeled as 2 in the preceding figure)	The Data of Current Day section displays the data that is generated during the current statistical period, including Total Requests, Peak QPS, Total Blocked Requests, and Matched Requests in Monitoring Mode. If you use a subscription WAF instance, the value of the Peak QPS parameter is the QPS quota of the current edition.
Basic information about the WAF instance (labeled as 3 in the preceding figure)	You can perform the following operations in the Protected Assets section: Product Updates: You can view the new features or specifications that are recently released by WAF. You can also view the new regions or zones supported by WAF. Upgrade Now/Downgrade: You can upgrade the edition of your WAF instance. You can also upgrade or downgrade the specifications of the value-added services that you purchased. For more information, see Upgrade or downgrade a WAF instance. Auto-Renewal/Renew: You can enable auto-renewal for your WAF instance or manually renew the instance. If you enable auto-renewal, Alibaba Cloud automatically deducts the renewal fee from your account balance 9 days before your WAF instance expires. For more information, see Renewal policy. Unsubscribe: You can perform this operation only on a subscription WAF instance. For more information, see Refund policy. Excess Details: Click Excess Details to view queries per second (QPS) usage details. Show Details: You can view the number of protected domain names, clean QPS, and number of exclusive IP addresses, and check whether intelligent load balancing is enabled. You can also click Resize or Upgrade to the right of each item to upgrade the specifications that you purchased.	You can perform the following operations in the Protected Assets section: Product Updates: You can view the new features or specifications that are recently released by WAF. You can also view the new regions or zones supported by WAF. Purchase Resource Plan: You can purchase security capacity unit (SeCU) resource plans to offset the traffic processing and feature fees of your pay-as-you-go WAF instance and reduce costs. For more information, see SeCU resource plans. Modify Traffic Protection Threshold: For more information, see Specify a threshold value for traffic billing protection. Terminate WAF Service: You can directly click Terminate WAF Service for your pay-as-you-go WAF instance. For more information, see Terminate the WAF service. View More: You can view the usage details of your resource plans in the Expenses and Costs console. View Traffic Protection Details: You can view QPS usage details. View Specifications: You can view the threshold value of traffic billing protection and the peak QPS when traffic billing protection is triggered in the previous 30 days. You can also click Modify Threshold to change the threshold value.
Overall data (labeled as 4 in the preceding figure)	You can specify a protected object and a time range to query the overall data. Protected object: By default, All is selected and the data of all protected objects of the WAF instance is returned. You can also select a specific protected object. Time range: By default, Today is selected and the data of the current day is returned. You can select Last 15 Minutes, Last 30 Minutes, Last 1 Hour, Last 24 Hours, Today, Yesterday, 7 Days, or 30 Days to query the data of the selected time range. The overall data is classified into overall security data and overall traffic data. To view the overall security data or overall traffic data, you can click the Security or Traffic tab. For more information, see the "Overall security data" and "Traffic data" sections in this topic.

Note

If your subscription or pay-as-you-go WAF instance is added to the sandbox, you can view a notification in the upper part of the Overview page. For more information, see Sandbox overview.

Overall security data

On the Security tab of the Overview page, you can view the overall security data. The following table describes the overall security data.

Data type	Description	Supported operation
Protection Overview	Displays the number of requests that are blocked by the protection rules that you configured in a specific time range. You can click the number below each protection module to view the protection details of the corresponding protection module on the Security Reports page. For more information, see Security reports. Displays the trend of requests that are received by the protected object in a specific time range in a line chart. Total Requests Requests in Monitoring Mode: the number of requests that match protection rules in Monitor mode. Blocked Requests: the number of blocked requests.	Move the pointer over a point in the line chart to view the data at the corresponding point in time.
Bot Traffic Analysis	Displays the data of all types of bot traffic that is received by the protected object in a specific time range in a pie chart.	Click Configure Now to enable the bot management module. For more information, see Enable and configure the bot management module.
Security Events	Displays the records and details of attack events that occur on the protected object and the attack block percentage in a list. This allows you to identify the threats to your services and obtain information about how to handle the threats.	Click the name of an event to view the event details. The event details include Threat Intelligence and Suggestions. You can view the analysis result of the event in the Top 5 Attacks section. You can click the following tabs to view specific data: Source IP Address: displays the top 5 source IP addresses of attacks. Attack Target: displays the top 5 attacked URLs. Attack Type: displays the top 5 most frequently used attack types, such as SQL injection and cross-site scripting (XSS) attacks. Attack Date: displays the top 5 dates at which the highest number of attacks are initiated. Attack Tool: displays the top 5 most frequently used attack tools, such as cURL and postman-runtime. In the Event Details panel, you can click View Log on the right side of the event name to go to the Log Service page. Then, you can query logs to analyze the event. For more information, see Enable or disable the Log Service for WAF feature.
Top 10 Attacks	Displays the statistics on the sources that initiate attacks on the protected object in a specific time range. Attacker IP Address: displays the top 10 source IP addresses of attacks. The IP addresses are listed in descending order of the number of attacks. Attack User-Agent Header: displays the top 10 User-Agent strings that are included in attacks the highest number of times. The User-Agent strings are listed in descending order of the number of attacks.	Click Attacker IP Address or Attack User-Agent Header to view the corresponding data.
Top 10 Matches	Displays the statistics on all protection rules that are triggered in a specific time range. Protected Object: displays the top 10 protected objects that trigger protection rules the highest number of times. The protected objects are listed in descending order of the number of times that the protected objects trigger protection rules. Note This parameter is available only if you query the data of all protected objects. Protection Rule Type: displays the top 10 protection modules that are triggered the highest number of times. The protection modules are listed in descending order of the number of times that the protection modules are triggered. Rule ID: displays the IDs of the top 10 protection rules that are matched the highest number of times. The IDs are listed in descending order of the number of times that the protection rules are matched.	Click Protected Object, Protection Rule Type, or Rule ID to view the corresponding data.

Traffic data

On the Traffic tab of the Overview page, you can view the overall traffic data.

Data type	Description	Supported operation
Requests	Displays the trend of requests that are received by the protected object in a specific time range in a line chart.	Move the pointer over a point in the line chart to view the data at the corresponding point in time.
QPS	Displays the trend of QPS for requests that are received by the protected object in a specific time range in a line chart.	Move the pointer over a point in the line chart to view the data at the corresponding point in time. In the upper-right corner of the line chart, you can click Average-value Chart or Peak-value Chart to switch between the average QPS and peak QPS. If the peak QPS of a WAF instance exceeds the QPS limit of the WAF instance for 5 minutes, the event is recorded as a QPS excess event. If multiple QPS excess events occur on the same day, only one QPS excess event is recorded. If four QPS excess events are recorded, the WAF instance is added to a sandbox. For more information, see Sandbox overview.
Bandwidth	Displays the trends of the inbound bandwidth and outbound bandwidth of the protected object in a specific time range in a line chart. Unit: bit/s.	Move the pointer over a point in the line chart to view the data at the corresponding point in time.
Status Code	Displays the trends of the number of HTTP status codes in a specific time range in a line chart. The HTTP status codes can be returned by WAF to clients (WAF to Client) or returned by origin servers to WAF (Origin Server to WAF). The HTTP status codes include 5XX, 405, 499, 302, and 444.	Move the pointer over a point in the line chart to view the data at the corresponding point in time.
Top 10 Access Statistics	Displays the statistics on the requests that are received by protected objects in a specific time range. Protected Object: displays the top 10 protected objects that receive the highest number of requests. The protected objects are listed in descending order of the number of requests. Note This parameter is supported only if you query the data of all protected objects. IP Address: displays the top 10 source IP addresses of requests. The IP addresses are listed in descending order of the number of requests. User-Agent Header: displays the top 10 User-Agent strings that are included in requests the highest number of times. The User-Agent strings are listed in descending order of the number of requests.	Click Protected Object, IP Address, or User-Agent Header to view the corresponding data.