Use the Rates dashboard to analyze recently rate limited requests to:
Logging for rate limited requests is downsampled due to the volume of requests that may occur during a single incident (e.g., volumetric Distributed Denial-of-Service attack).
Log data is retained for 30 days for most WAF solutions. The exception is WAF Insights, which only retains data for 7 days.
This article describes:
The Rates dashboard contains two different views through which rate limit analysis may be performed, which are:
To view the Rates dashboard
Navigate to the Overview of the Rates dashboard page.
The Rates dashboard will display a chart showing recent violations of your security policy.
The Overview is a useful tool for detecting patterns for rate limited traffic directed to your origin servers. This view consists of a chart and statistics for a given time period.
A chart or line graph displays the number of rate limited requests over a given time period.
By default, a single line on the graph represents all rate limited traffic. Alternatively, categorize rate limited traffic by selecting the desired categorization criteria from the option that appears directly above the graph. A line will be drawn on the chart for each unique value. For example, if you select Top Action Types and rate limited requests were either dropped or redirected, then the graph will contain a line for REDIRECT-302 and another one for DROP-REQUEST.
Key information:
Statistics for rate limited traffic over a given time period are displayed directly below the chart. Statistics are broken down by category.
Each category may contain up to the top 10 entries.
View a brief description for each category.
The following information is displayed for each category:
Percentage (%): Indicates the percentage of rate limited traffic over a given time period for the current group.
Percentages are calculated from the total rate limited requests during the given time period. Since there is a limit of 10 entries per category, the sum of the percentages for categories containing more than 10 entries will not add up to 100%.
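The following is an added example, not part of the original documentation or the vendor's code. It reproduces the per-category calculation described above over constructed event records, assuming a percentage is an entry's count divided by all rate limited requests in the time period. The function names and sample records are hypothetical; the field names and action types are the ones used on this page.

```python
from collections import Counter

TOP_N = 10  # the page states each category lists at most the top 10 entries


def category_stats(events, field, top_n=TOP_N):
    """Return (rows, shown_pct, hidden_pct) for one category.

    rows is [(value, count, pct)], with pct taken from ALL events in the
    time range, so the listed rows need not sum to 100%.
    """
    total = len(events)
    if total == 0:
        return [], 0.0, 0.0
    counts = Counter(e.get(field, "(missing)") for e in events)
    rows = [(value, n, round(100.0 * n / total, 2))
            for value, n in counts.most_common(top_n)]
    shown = round(100.0 * sum(n for _, n, _ in rows) / total, 2)
    return rows, shown, round(100.0 - shown, 2)


def build_sample_events():
    """Constructed sample: two heavy sources plus 50 one-request sources."""
    def event(ip, action):
        return {"Client IP": ip, "Action Type": action, "Rule Name": "Marketing"}

    events = [event("192.0.2.10", "DROP-REQUEST") for _ in range(30)]
    events += [event("198.51.100.7", "REDIRECT-302") for _ in range(20)]
    events += [event(f"203.0.113.{i}", "DROP-REQUEST") for i in range(1, 51)]
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    for field in ("Client IP", "Action Type"):
        rows, shown, hidden = category_stats(sample, field)
        print(f"{field}: {len(rows)} rows listed, {shown}% shown, {hidden}% outside the top {TOP_N}")
        for value, n, pct in rows[:3]:
            print(f"  {value:<15} {n:>4} {pct:>6}%")
```

A large share outside the top 10 for Client IP means the rate limited traffic is spread across many sources, so the listed addresses alone understate its scope. Because logging is downsampled, treat the counts as relative rather than absolute.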
This view provides the means to delve into the details of a rate limited request. The information derived from this view provides a deeper understanding as to why rate limiting was applied to the request.
The event log contains a list of recent rate limited requests. Each request is described as follows:
Enforced Rule:
Rule: Identifies the rate rule that was violated by its name.
Elapsed Time: Indicates the amount of time that has passed since the request was screened.
Time: Indicates the time (UTC) at which the request was screened.
A sample rule violation is provided below.
Enforced Rule: Marketing 10s ago 12:00:00.00 UTC
Action Type: CUSTOM-RESPONSE
Clicking on an event will expand that entry and display detailed information about it.
View a brief description for each event log entry field.
Key information:
Filters are applied to both the Overview and the Event Log views. Most fields support filtering.
The Event Log view contains the Request Method field. Although this field is not available from the Overview, it may be used to filter both the Overview and Event Log views.
The Overview and the Event Log views cannot be filtered by the Timestamp field. Use the Time Range option instead. This option filters the dashboard for events that occurred during a relative time period from the present (e.g., Last 24 hours or Last 7 days).
Key information:
A brief description for each field used to describe/categorize rate limited requests is provided below.
Field | Description |
---|---|
Client IP | Identifies the IP address (IPv4) of the client from which the request originated. |
Country Name | Identifies the country from which the request originated. |
Action Type | Indicates the action (e.g., CUSTOM-RESPONSE) that was applied to the rate limited request. |
Referer | Indicates the request’s referrer as defined by the Referer request header. A referrer identifies the address of the resource that linked to the requested content. |
Request Method | Indicates the request's HTTP method. Format: HTTP_METHOD_NAME. Example: HTTP_METHOD_GET. |
Rule Name | Indicates the name of the rule that was applied to the rate limited request. |
Timestamp | Indicates the date and time (UTC) at which the request was rate limited. This field is only available from within the Event Log view. Requests may not be filtered by this field. Filter by time through the Time Range option that appears on the left-hand side of the dashboard. Local time is displayed on the right-hand side of the event log entry header that appears directly above this field. |
URL | Indicates the URL of the request that was rate limited. |
User Agent | Indicates the user agent that submitted the request that was rate limited. A request's user agent is defined in the User-Agent request header. |