Checking Dashboard

If you have connected a website to WAF, you can have a glance at the Dashboard page to check its security. You can learn of WAF updates, protection overview, product details, as well as the security statistics of protected websites, product details, and instances you have for up to 30 days. You can also check event source statistics.

Statistics on the Dashboard page are updated every two minutes.

Prerequisites

You have connected the website you want to protect to WAF. For details, see Connecting Your Website to WAF.
At least one protection rule has been configured for the domain name. For details, see Configuring Protection Policies.

Specification Limitations

You can view the protection data of a maximum of 30 days.

Checking the Overview Information

Log in to the WAF console.
Click in the upper left corner and select a region or project.
In the navigation pane on the left, choose Dashboard.
On the Dashboard page, check the following information.

Protection Overview, Updates, and Product Details

In the Protection Overview, Updates, and Product Details areas, you can check the domain name access status statistics, latest WAF back-to-source IP address ranges, rule updates, risks found recently, and product details.

Figure 1 Updates
Click to enlarge

Function Module	Description	Related Operation
Updates (① in Figure 1)	WAF Back-to-Source IP Addresses: You can check new WAF back-to-source IP addresses. A notification will be sent one month in advance if there are new WAF back-to-source IP addresses.	On the Updates bar, you can click View More next to WAF Back-to-Source IP Addresses to check and copy WAF back-to-source IP address ranges.
Updates (① in Figure 1)	Risks Found: If you use dedicated WAF instances, you will get notifications on the latest risks your dedicated WAF instances have. You can then handle related risks in a timely manner to prevent services from being affected.	Click View Details. In the displayed dialog box, check risks and upgrade dedicated WAF instances as needed. If the multi-active architecture is not used, click the Multi-active architecture not tab, buy another dedicated WAF instance, and deploy two instances to implement the multi-active architecture, preventing risks caused by single points of failure (SPOFs).
Protection Overview (② in Figure 1)	This area displays the total number of website domain names, number of domain names that have been connected to WAF, number of domain names that fail to be connected to WAF, and number of domain names that fail to be resolved by DNS.	You can click the number to go to the Website Settings page. In the domain name list, the system automatically filters the domain names based on the number you click, making it easier to locate websites you need to connect to WAF.
Product Details (③ in Figure 1)	This area displays the details about instances you buy. You can check the WAF edition and specifications you are using.	You can hover the mouse pointer over the edition in use to view more details. You can easily change the edition, domain name specifications, QPS specifications, and rule quantity. You can click to go to the Product Details page and view the edition and quota details. Click Buy in the dedicated mode to buy dedicated WAF instances based on service requirements.

Security Event Statistics

In the Security Event Statistics area, you can check the protection event logs by website or instance. You can select a specific time range, including yesterday, today, past 3 days, past 7 days, or past 30 days. You can also specify a time range no longer than 30 days. You can check the number of requests, number of attacks of each type, QPS, response code, and bandwidth.

Before viewing the data, you can set the following information based on service requirements:

Domain name (① in Figure 2): You can select a specific domain name, multiple domain names, or all domain names to view the security statistics.
Instance (② in Figure 2): You can select a specific instance or all instances to view security statistics.
Query time (③ in Figure 2): You can view security statistics for yesterday, today, past 3 days, past 7 days, past 30 days, or any time range within 30 days. The statistics collection frequency in each time range is as follows:
- Yesterday and Today: Security data is gathered every minute.
- Past 3 days: Security data is gathered every 5 minutes.
- Past 7 days: Security event data is gathered every 10 minutes.
- Past 30 days: Security data is gathered every hour.

Figure 2 Security Event Statistics
Click to enlarge

Function Module	Description	Related Operation
Security statistics (④ in Figure 2)	Requests: shows the page views of the website, making it easy for you to view the total number of pages accessed by visitors in a certain period of time.	You can click Show Details to view the details about the 10 domain names with the most requests, attacks, and basic web protection, precise protection, CC attack protection, and anti-crawler protection actions.
	Attacks: indicates the total number of attacks, including blocked attacks and logged attacks, at your website.
	Protection details: displays details about attacks that match each protection rule, including the number of times that the attack is blocked by the protection rule and the number of times that the attack is logged.
Security statistics trend (⑤ in Figure 2)	Requests: This tab displays statistics on the total number of requests to a domain name and details about each protection rule.	By day: You can select this option to view the data gathered by the day. If you leave this option unselected, the data is displayed by the time range you select. You can select Compare or Tile to view data.
	QPS: You can check the average number of requests per second for the domain name. This tab displays the total number of requests to the domain name, and the average and peak QPS values by protection rule. The QPS calculation method varies depending on the time range you specify. The average and peak QPS values for each time range are calculated in the following way: Average QPS description Yesterday and Today: The average value is obtained at an interval of 1 minute. Past 3 days: The QPS curve is made with the average QPS in every five minutes. Past 7 days: The QPS curve is made with the maximum value among the average QPS in every five minutes at a 10-minute interval. Past 30 days: The QPS curve is made with the maximum value among the average QPS in every five minutes at a one-hour interval. Peak QPS description Yesterday and Today: The maximum value is obtained at a one-minute interval. Past 3 days: The QPS curve is made with the maximum QPS in every five minutes. Past 7 days: The QPS curve is made with each peak QPS in every 10 minutes. Past 30 days: The QPS curve is made with the peak QPS in every hour.
	TX/RX Bandwidth: shows the bandwidth usage of domain names. You can view the average value and peak value. The value of sent and received bytes is calculated by adding the values of request_length and upstream_bytes_received by time, so the value is different from the network bandwidth monitored on the EIP. This value is also affected by web page compression, connection reuse, and TCP retransmission. For details, see Why Is the Traffic Statistics on WAF Inconsistent with That on the Origin Server?
	Response Code: Response codes returned by WAF to the client or returned by the origin server to WAF along with the corresponding number of responses. You can click WAF to Client or Origin Server to WAF to view the corresponding information. The number of response codes is accumulated based on the sequence of response codes (from left to right) in the lower part of the chart. The number of response codes is the difference between two lines. If the value of a response code is 0, the line of the response code overlaps that of the previous response code.

Event Source Statistics

This area displays the following information: event distribution, attacked objects, attack source IP addresses, attack source locations, error pages, and attacked URLs.

Figure 3 Event Source Statistics
Click to enlarge

Parameter	Description	Related Operation
Event Distribution (① in Figure 3)	Types of attack events.	You can click an area in the Event Distribution area to view the type, number, and proportion of an attack.
Attacked Targets (② in Figure 3)	The five most attacked domain names and the number of attacks at each domain name.	You can click to go to the Events page and view more protection details.
Attack Source IP Addresses (③ in Figure 3)	The five IP addresses that initiate most attacks and the number of attacks from each IP address. NOTE: 49.4.121.70 is the WAF dialing test IP address. If the requests of this IP address are blocked and the number of block times is ranked top 5, the IP address will be also displayed in the attack source IP address list.	You can click to go to the Events page and view more protection details.
Attacked URLs	The five most attacked URLs and the number of attacks at each URL.	You can click to go to the Events page and view more protection details.
Attack Source Locations (⑤ in Figure 3)	The five locations generating the most attacks and the number of attacks from each location.	N/A
Error Pages (⑥ in Figure 3)	The five websites with the most service exceptions. Websites with 404, 500, or 502 errors can be viewed.	You can click Exception Check and find corresponding solutions to rectify service interruptions.