View WAF trends

The WAF Trends view shows attacks that trigger firewall rules, for example protocol violations, HTTP policy violations, cross-site scripting attacks, injection attacks, and more. You can use the analytics to assess the effectiveness of your security configuration setup. This view allows you to trend application security activity up to the last 90 days.
Note: To get data from the security products for your reports, log HTTP header data, and make sure to enable host header logging in your delivery configurations log delivery system (LDS) setting.

Set report scope

  1. Go to > WEB & DATA CENTER SECURITY > Security Center.
  2. In the left menu click Trends > Web Application Firewall.
  3. In the Security Center menu bar, modify the general settings for the view.
    • Switch to view another security configuration. Click the name of the current security configuration and select a different configuration from the menu.
    • Set a time period within the last 3 months. Click the date field and select the duration or dates you want to see.
    • Specify the section of traffic you want to see in all charts within Web Application Firewall view. At the top of the screen, click the Traffic Segment dropdown and select: Website & API, API, or Website.
    • Apply filters to all charts within Web Application Firewall view to see results only for a specific dimension, like policy, hostname, API name, and more.

      On the upper right of the screen, click the filter button. Then, under the dimensions you want, select values to filter on. Click Apply.
      To clear filters, click Reset.

  4. Use filters in charts.
    • Choose the type of traffic displayed in the WAF Attack Traffic Trends graph. Click the Traffic dropdown and select the Edge hits, Edge bandwidth, Edge page requests or Edge error views.

      You can enable and disable either display by selecting and deselecting the All Traffic and Attack Traffic checkboxes.

    • Choose what type of attack to display in the WAF Attack Groups Detected graph. Click the Attack Groups dropdown and select a category.

Interact with the charts

  • In a pie chart, to enable and disable sections of the chart, click a section name in the legend.
  • To view the details for a specific moment in time, hover the mouse over a point on the time line.
  • For some charts, to switch between the line chart and bar chart views, click and in its header.
  • To download the data for further analysis in the CSV format, click the download button that is next to any chart header.

See WAF attack overview

See how much of your traffic has been generated by attack activity in WAF Attack Traffic Summary. The section includes the amount of hits/page requests generated by the WAF activity at the edge servers, and bandwidth served to attacks.

Scroll to the The WAF Attack Traffic Trends graph to check how regular client traffic compares to WAF activity. Enable and disable either display by selecting and deselecting the All Traffic and Attack Traffic checkboxes.

Using the Traffic menu, you can choose the type of traffic displayed:

  • Edge Hits. Displays the number of hits on the edge servers.
  • Edge Bandwidth. Displays the amount of bandwidth being served.
  • Edge Page Requests. Displays the number of pages being requested at the edge.
  • Edge Error Views. Displays the number of HTTP errors the edge is issuing.

Investigate which types of WAF attack are most common

The WAF Attack Groups Detected pie chart shows the percentages and number of triggered rule types.

The WAF Attack Groups Detected graph shows the top categories of detected attacks.

View how your security products handle WAF attacks

Firewall Policies Triggered by WAF Attacks shows your top firewall policies that detect WAF attacks.

Next, you can see what happened to the detected attacks in theActions Applied to WAF Attacks pie chart. See the percentages and number of requests that were denied and those that generated an alert, but the request was allowed to continue.
Note: While this indicates application security allowed the request to continue, other rules applied afterward can still deny it.

See which parts of your setup attract WAF attacks

The APIs Targeted by WAF Attacks section displays your APIs that WAF attacks have targeted.

The Hostnames Targeted by WAF Attacks bar chart displays your hostnames and the total number of attacks on each. If you’re filtering WAF trends by security configuration, you’ll also see a column displaying the configuration to which the hostname belongs.

See where WAF attacks originated

The Countries Where WAF Attacks Originated bar chart displays the countries and the number of WAF attacks that originated from each.