WAF

The WAF section gives violation details for your mitigation profile. The following options enable you to view your WAF violation details:

  • Violation Logs
  • Violation Types
  • Domain Targets
  • Geolocation
  • IP Targets
  • URL Path

Select an option to view traffic details and graphical representation for your WAF profile. You can also export the details for your records.

Violation logs

The Violation Logs page displays all the violations handled by a WAF profile. The default date range is the last day; however, you can select one of the range options (Today, Yesterday, Last 7 Days, Last 30 Days, This Month, Last Month, Custom Range). You can also export the violation log by using the export option.

The Violation list is compiled in a table showing the high-level description of a violation (Action, Date/Time, Source IP, and Reason). To view more information, click (+) for the violation you want to examine further.

Violation types

The WAF Violation Types page displays all the recent violations by their violation type. This page has two sections – a table and a graph. You can set the date range from the following options (1 hr, 3 hr, 1 day, 7 day, 30 day, 90 day). You can also export the graph as an image or PDF and you can export the table as a csv or json file by selecting the export options.

The table view lists all the violation types sorted by the number of requests for each type.

Access violation logs

The CWAAP violation logs display a comprehensive overview of violations in direct contrast to bot protection techniques that have been implemented to log or block specific requests that were captured for your account.

To access the Violation Logs, use the left-hand navigation menu: select Analytics, then WAF, Logs, and then Violation Logs from the drop-down list.

The following violation log menus are available in the drop-down list.

Application

The Applications drop-down menu allows for the selection of a custom configured asset (or all Assets) for your account. By default, the All Assets (Combined) application will be selected.

Date range menu

The Date Range filter provides two methods of customizing the data that is displayed on the WAF Dashboard.

Custom date range

Clicking on the displayed date range selection opens the pop-out calendar window, which allows you to select a beginning and end date, as well as a custom time range. Clicking the calendar icon allows you to quickly navigate through months and years to select the beginning and end dates. Additionally, you can manually type in the desired date instead of using the calendar option. The maximum number of days in the past that can be captured is ninety (90) days from the current date. Click the green checkmark icon once you have selected your custom time frame to view the results.

Quick select date range

Instead of creating a custom time frame for your dashboard results, you can use one of the pre-configured quick select date range options. By default, the Dashboard will display the results for the previous seven days (7D).

  • 1H - Displays the result details for the previous hour.
  • 3H - Displays the result details for the previous three hours.
  • 12H - Displays the result details for the previous twelve hours.
  • 1D - Displays the result details for the previous calendar day.
  • 7D - Displays the result details for the previous seven calendar days (week).
  • 30D - Displays the result details for the previous thirty days (calendar month).

Field and text

The Field and Enter Text options enable custom search filters to be created to display your Violation Log details.

The Field drop-down menu has the following criteria options:

  • All
  • Source IP
  • Timestamp
  • Host
  • Country
  • User-Agent
  • City
  • Action
  • Reason
  • Domain
  • URI
  • Transaction ID
  • Event ID
  • Site
  • Signature

Note:

  • The URI and User-Agent fields are case-sensitive.
  • The maximum number of characters allowed in the Search field is 90.

Export violation logs

The Violation Logs that are currently displayed on the screen (which includes any configured filters) can be exported in either a:

  1. CSV file
  2. JSON output

Clicking on either of the download options will display a greyed-out cloud icon as the file is compiled. Once the cloud icon becomes clickable, the file will begin to download.

Violation log details

The Violation Log Details table displays a comprehensive overview of the violation that was captured, with hyperlinked content that will navigate you to the Enrichment section, for additional details.

| Action type | Response type |
|---|---|
| Action | Displays the action taken for the violation. Either Logged or Blocked. |
| Timestamp | Displays the timestamp (as UTC) at which the violation was captured. |
| Application | The Application name impacted by the violation. |
| Source IP | The specific Source IP belonging to the application that was impacted by the violation. |
| Country | The country from which the traffic that triggered the violation originated. |
| Reason | A brief explanation about the violation, as well as what type of violation was triggered. |

Additional Features

View Details

The View Details feature displays a more detailed overview of the violation details. Clicking on the Policy hyperlink will redirect you to the Configuration - Policies section of your account.

The double paper icon is a copy-and-paste option. Use it because a manual copy and paste may not work when the details are truncated on the page.

Add IP Filter

Selecting the Add IP Filter button will add the selected IP address to the Blocklist for the account. On the pop-out window, the IP / CIDR address will be listed (which can be edited), as well as an indicator for Blocked (selected by default), or Not Blocked. Once you click Save, the IP address filter will be added to your policy (which can be found in the View Details section).
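Before adding IP filters by hand, an exported violation log can be triaged offline to find source IPs that produced a burst of Logged (not yet Blocked) violations. The following is an added example, not part of the product or its documentation: the CSV column names mirror the Violation Log Details fields, and the timestamp format, sample rows, function name and thresholds are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column names and timestamp format are assumptions
# modelled on the Violation Log Details table, not a documented schema.
SAMPLE_CSV = """\
Action,Timestamp,Application,Source IP,Country,Reason
Logged,2024-05-01T10:00:05Z,shop,203.0.113.7,US,SQL Injection
Blocked,2024-05-01T10:01:00Z,shop,192.0.2.44,DE,Cross-Site Scripting
Logged,2024-05-01T10:02:10Z,shop,203.0.113.7,US,SQL Injection
Blocked,2024-05-01T10:03:00Z,shop,192.0.2.44,DE,Cross-Site Scripting
Logged,2024-05-01T10:04:30Z,shop,203.0.113.7,US,Cross-Site Scripting
Blocked,2024-05-01T10:05:00Z,shop,192.0.2.44,DE,Cross-Site Scripting
Logged,2024-05-01T09:00:00Z,blog,198.51.100.20,FR,SQL Injection
Logged,2024-05-01T11:00:00Z,blog,198.51.100.20,FR,SQL Injection
Logged,2024-05-01T13:00:00Z,blog,198.51.100.20,FR,SQL Injection
"""

def ip_filter_candidates(csv_text, min_hits=3, window=timedelta(minutes=10)):
    """Map each Source IP with >= min_hits Logged violations inside one
    time window to the sorted Reasons seen in that burst."""
    logged = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Action"].strip().lower() != "logged":
            continue  # already Blocked: no additional filter needed
        ts = datetime.strptime(row["Timestamp"].strip(), "%Y-%m-%dT%H:%M:%SZ")
        logged[row["Source IP"].strip()].append((ts, row["Reason"].strip()))

    candidates = {}
    for ip, events in logged.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # Shrink the window from the left until it spans <= `window`.
            while ts - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_hits:
                candidates[ip] = sorted({r for _, r in events[start:end + 1]})
                break
    return candidates

if __name__ == "__main__":
    for ip, reasons in ip_filter_candidates(SAMPLE_CSV).items():
        print(ip, reasons)
```

An IP that repeats the same Logged violation hours apart is not flagged; widen `window` or lower `min_hits` to catch slower sources.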

Create Relaxation Rule

Selecting Create Relaxation Rule will add the selected violation log entry to the allowed list for the account. The Violation Reason will determine the possible configuration settings for the Relaxation Rule.

Once you click the Save button, the Relaxation Rule will be added to your configured policy (which can be found in the View Details section).

Domain targets

The Domain Targets page displays all the recent violations by the attack's target domain. This page has two sections – a table representation and a graphical representation. You can set the date range from the following options (1 hr, 3 hr, 1 day, 7 day, 30 day, 90 day). You can also export the graph as an image or PDF and you can export the table as a csv or json file by selecting the export options.

Geolocation

The Geolocation page displays all the recent violations by the attack source country. This page has two sections – a table representation and a graphical representation. You can set the date range from the following options (1 hr, 3 hr, 1 day, 7 day, 30 day, 90 day). You can also export the graph as an image or PDF and you can export the table as a csv or json file by selecting the export options.

IP targets

The IP Targets page displays the recent violations by the attack Target IP address. The page has two sections – a table and a graph. You can set the date range from the following options (1 hr, 3 hr, 1 day, 7 day, 30 day, 90 day). You can also export the graph as an image or PDF and you can export the table as a csv or json file by selecting the export options.

URL path

The URL Path page displays all the recent violations for the URL path having the most blocked or logged violations. This page has two sections – a table and a graph. You can set a date from the following options - 1 hr, 3 hr, 1 day, 7 day, 30 day, 90 day. You can also export the graph as an image or PDF and you can export the table as a csv or json file by selecting the export options.
