Step 4: Monitoring Threats
The WAF dashboard illustrates threat detection trends and lists recent illegitimate requests. This dashboard is a useful tool for:
- Verifying that a newly activated instance/profile will not impact legitimate traffic.
- Analyzing threats directed to your site.
To check whether a newly activated instance impacts legitimate traffic
- Wait a reasonable amount of time (e.g., 24 hours) after activating an instance.
- Navigate to the Dashboard page.
- A graph will display the number of detected threats over the last 24 hours. Check for an abnormally high number of detected threats.
- Click the icon from the upper-right hand side of the window.
- Click on each alert to view detailed information on it.
- Pay special attention to the requested URL. Verify that it is an illegitimate request.
- If an alert was generated for a legitimate request, then review the Rule Tags, Matched On, and Matched Value fields to see why the request was flagged.
  - Check whether the web application may be changed to prevent this type of request from occurring.
  - If the web application cannot be changed and a significant number of requests will be impacted by this rule, then make a note of the Rule Tags and Rule ID fields. Disable the rule in the corresponding profile.
    - The Rule Tags field identifies the threat detection category.
    - A search option is displayed in the popup window that appears after clicking the "n Rules Disabled" link next to the desired threat detection category. Search for the rule ID defined in the Rule ID field. Disable that rule.
    - It is strongly recommended to disable the bare minimum set of rules required to serve all legitimate traffic. An additional recommendation is to avoid disabling most threat detection categories.
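The review above can be tallied per rule once alert details are written down. The following is an added example, not part of the WAF product or its documentation: it assumes alerts have been transcribed by hand into records keyed by the field names above, and the `alert` and `triage` helpers, `LEGIT_PATHS`, `THRESHOLD` and all sample values are hypothetical.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

def alert(url, rule_id, rule_tags, matched_on, matched_value):
    """Build one alert record keyed by the dashboard field names."""
    return {"url": url, "rule_id": rule_id, "rule_tags": rule_tags,
            "matched_on": matched_on, "matched_value": matched_value}

# Constructed sample data: every URL, rule ID, tag and match below is made up.
ALERTS = (
    [alert("https://www.example.com/search?q=select+a+plan", "RULE-A",
           "SQL injection", "ARGS:q", "select a plan")] * 4
    + [alert("https://www.example.com/admin.php?id=1+or+1=1", "RULE-A",
             "SQL injection", "ARGS:id", "1 or 1=1")]
    + [alert("https://www.example.com/checkout?note=<b>gift</b>", "RULE-B",
             "Cross-site scripting", "ARGS:note", "<b>gift</b>")]
    + [alert("https://www.example.com/../../etc/passwd", "RULE-C",
             "Path traversal", "REQUEST_URI", "../")] * 6
)
LEGIT_PATHS = {"/search", "/checkout"}  # assumption: paths verified as legitimate
THRESHOLD = 3  # assumption: what counts as a "significant number" of requests

def triage(alerts, legit_paths, threshold):
    """Per rule, count alerts on legitimate paths and flag candidates to disable."""
    total, false_pos, matched = Counter(), Counter(), defaultdict(Counter)
    for a in alerts:
        key = (a["rule_tags"], a["rule_id"])
        total[key] += 1
        if urlsplit(a["url"]).path in legit_paths:
            false_pos[key] += 1
            matched[key][a["matched_on"]] += 1
    report = []
    for (tags, rule_id), n in false_pos.most_common():
        report.append({
            "rule_tags": tags, "rule_id": rule_id,
            "false_positives": n, "total_alerts": total[(tags, rule_id)],
            "matched_on": matched[(tags, rule_id)].most_common(1)[0][0],
            # Only rules that hit many legitimate requests are worth disabling.
            "candidate_to_disable": n >= threshold,
        })
    return report

if __name__ == "__main__":
    for row in triage(ALERTS, LEGIT_PATHS, THRESHOLD):
        print(row)
```

Rules that only fired on illegitimate requests never appear in the report, which keeps the set of disabled rules to the minimum.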
More Information
Getting Started with Web Application Firewall