View WAF Rate Control trends
WAF rate control displays statistical information provided by the rate control activity report over the last 90 days.
Set report scope
- Go to .
- In the left menu click .
- In the Security Center menu bar, modify the general settings for the view.
- Set a time period within the last 3 months. Click the date field and select the duration or dates you want to see.
- Apply filters to all reports within the view to see results only for a specific dimension.
On the upper right of the screen, click the filter button. Then, select a category from the dropdown and click Apply.
To clear filters, click Reset.
- Rate activity.
The average requests per second (in five-minute segments) of all clients compared with the rate category’s configured average threshold and burst threshold.
- Client that exceeded average threshold.
The number of clients that exceeded the rate category’s average threshold.
- Client that exceeded burst threshold.
The number of clients that exceeded the rate category’s burst threshold.
- Client IDs exceeding threshold.
The specific IDs that exceeded the rate category’s average and/or burst threshold.
- Top 100 client IDs.
Up to 100 client IDs with the highest maximum rates occurring during the selected date range (ranked by Max Rate).
The Rate activity graph provides the average number of requests per second, in five-minute segments, of all clients and compares them with the rate category’s configured average and burst thresholds.
- keep the thresholds as they are because you found illegitimate traffic that had an excessive request rate.
This may be a good time to consider setting the rule to deny mode to deny this type of traffic at the edge.
- modify the IP rate control rule definition.
You found that the IP addresses with excessive traffic were legitimate. They could be site scrapers you approve of or a monitoring system you own. You may decide to allow these addresses to prevent false positives or create a new category for the type of traffic causing the rule to fire.
- increase the threshold.
You found the traffic was legitimate. You should therefore increase the threshold to reduce false positives.
As a general rule of thumb, you shouldn’t increase the threshold beyond 20 requests per second. If you find you need to, then your category definition is insufficient, and the rule will not be able to deflect any DDoS attacks or slow crawlers.
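To check a candidate threshold against your own request logs before changing the rule, the following added example (not part of the product or its documentation) rebuilds the report's per-client figures offline. It assumes log records are (epoch seconds, client ID) pairs and that a client's rate is its request count in a five-minute segment divided by 300; the product's own measurement may differ, and the sample data and function names are constructed for illustration.

```python
from collections import Counter, defaultdict

SEGMENT = 300            # five-minute segment in seconds, as in the Rate activity report
RULE_OF_THUMB_MAX = 20   # requests per second, from the guidance above


def segment_rates(records):
    """Map each client to {segment_start: average requests/second in that segment}."""
    counts = defaultdict(Counter)
    for ts, client in records:
        counts[client][ts - ts % SEGMENT] += 1
    return {c: {seg: n / SEGMENT for seg, n in segs.items()}
            for c, segs in counts.items()}


def summarize(records, avg_threshold, burst_threshold, top_n=100):
    """Rebuild the report's per-client lists from raw records (assumed rate model)."""
    max_rate = {c: max(segs.values()) for c, segs in segment_rates(records).items()}
    ranked = sorted(max_rate.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]
    return {
        "over_average": sorted(c for c, r in max_rate.items() if r > avg_threshold),
        "over_burst": sorted(c for c, r in max_rate.items() if r > burst_threshold),
        "top_clients": ranked,   # ranked by maximum rate, highest first
    }


def exceeds_rule_of_thumb(threshold):
    """True when a proposed threshold is above the 20 requests/second guidance."""
    return threshold > RULE_OF_THUMB_MAX


def sample_records():
    """Constructed data: (client, segment start, request count) expanded to records."""
    spec = [("198.51.100.7", 0, 3000), ("198.51.100.7", 300, 600),
            ("203.0.113.9", 0, 9000), ("192.0.2.4", 0, 300)]
    return [(start + i % SEGMENT, client)
            for client, start, n in spec for i in range(n)]


if __name__ == "__main__":
    report = summarize(sample_records(), avg_threshold=5, burst_threshold=20)
    for name, value in report.items():
        print(name, value)
    print("25 rps above rule of thumb:", exceeds_rule_of_thumb(25))
```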