Viewing the Dashboard

If you have connected websites to WAF, you can have a glance at their security on the Dashboard page. You will learn of WAF updates, protection overview, product details, as well as the security statistics of protected websites and instances you have for up to 30 days. You can also check event source statistics and bot protection statistics.

Statistics on the Dashboard page are updated every two minutes.

Prerequisites

You have connected the website you want to protect to WAF. For details, see Connecting a Website to WAF.
At least one protection rule has been configured for the domain name. For details, see Configuring Protection Policies.

Specification Limitations

You can view the protection data of a maximum of 30 days.

Checking the Overview Information

Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
Click in the upper left corner of the page and choose Web Application Firewall under Security & Compliance.
If you have enabled the enterprise project function, select your enterprise project from the Filter by enterprise project drop-down list in the upper part of the navigation pane. Then, WAF will display the related security data in the enterprise project on the page.

On the Dashboard page, view the following information.

**Table 1** Dashboard overview
Tab	Function Module	Description
Dashboard	Updates	This area displays the latest information about WAF back-to-source IP address ranges, rule updates, and risk found recently.
	Protection Overview	This area displays the domain name access status.
	Product Details	This area displays the details about instances you buy. You can check the WAF edition and specifications you are using.
	Security Event Statistics	In this area, you can view the protection event logs by website or instance. You can select a specific time range, including yesterday, today, past 3 days, past 7 days, or past 30 days. You can also specify a time range no longer than 30 days.
	Event Source Statistics	This area displays information such as event distribution, attacked objects, attack source IP addresses, attacked URLs, attack source locations, and error pages.
Bot Protection Statistics	Bot Protection Statistics	On this tab, you will learn of bot protection statistics, including traffic distribution, action distribution, traffic trends, BOT score distribution, and top event source statistics.
Bot protection statistics description: You need to submit a service ticket and configure a bot protection rule. Then, you can view Bot Protection Statistics on the Dashboard page. Otherwise, the Dashboard page displays only information such as Updates, Protection Overview, and Product Details, Updates, Protection Overview, and Product Details, Updates, Protection Overview, and Product Details, Security Event Statistics, and Event Source Statistics.

Updates, Protection Overview, and Product Details

In these areas, you can check the latest WAF back-to-source IP address ranges, rule updates, risks found recently, domain name access status statistics, and details about products you have.

Figure 1 Updates

Function Module	Description	Related Operation
Updates (① in Figure 1)	WAF Back-to-Source IP Addresses: You can check new WAF back-to-source IP addresses. A notification will be sent one month in advance if there are new WAF back-to-source IP addresses.	On the Updates bar, you can click View More next to WAF Back-to-Source IP Addresses to check and copy WAF back-to-source IP address ranges.
	Updated Rules: In this area, you can check notifications about built-in rule library updates, including emerging vulnerabilities such as zero-day vulnerabilities these rules can defend against. You can also check notifications about new functions, billing details, and critical alarms, such as alarms generated when requests to your domain name bypass WAF.	On the Updates bar, you can click View More next to Updated Rules to view the rule update details.
	Risks Found: If you use dedicated WAF instances, you will get notifications on the latest risks your dedicated WAF instances have. You can then handle related risks in a timely manner to prevent services from being affected.	Click View Details. In the displayed dialog box, check risks and upgrade dedicated WAF instances as needed. If the multi-active architecture is not used, click the Multi-active architecture not tab, buy another dedicated WAF instance, and deploy two instances to implement the multi-active architecture, preventing risks caused by single points of failure (SPOFs).
Protection Overview (② in Figure 1)	This area displays the total number of website domain names, number of domain names that have been connected to WAF, number of domain names that fail to be connected to WAF, and number of domain names that fail to be resolved by DNS.	You can click the number to go to the Website Settings page. In the domain name list, the system automatically filters the domain names based on the number you click, making it easier to locate websites you need to connect to WAF.
Product Details (③ in Figure 1)	This area displays the details about instances you buy. You can check the WAF edition and specifications you are using.	You can hover the mouse pointer over the edition in use to view more details. You can easily change the edition, domain name specifications, QPS specifications, and rule quantity. You can click to go to the Product Details page and view the edition and quota details.

Security Event Statistics

In the Security Event Statistics area, you can view the protection event logs by website or instance. You can select a specific time range, including yesterday, today, past 3 days, past 7 days, or past 30 days. You can also specify a time range no longer than 30 days. On this page, protection event logs are displayed by different dimensions, including the number of requests and attack types, QPS, bandwidth, response code, event distribution, top 5 attacked domain names, top 5 attack source IP addresses, and top 5 attacked URLs.

If no enterprise project is selected, WAF collects security data of all websites added to WAF in all enterprise projects under the account by default. Before viewing the data, you can set the following information based on service requirements:

Domain name (① in Figure 2): You can select one or more domain names to view the security statistics.
Instance (② in Figure 2): You can select a specific instance or all instance to view security statistics.
Query time (③ in Figure 2): You can view security statistics for yesterday, today, past 3 days, past 7 days, past 30 days, or any time range within 30 days. The statistics collection frequency in each time range is as follows:
- Yesterday and Today: Security data is gathered every minute.
- Past 3 days: Security data is gathered every 5 minutes.
- Past 7 days: Security event data is gathered every 10 minutes.
- Past 30 days: Security data is gathered every hour.

Figure 2 Security Event Statistics

Function Module	Description	Related Operation
Security statistics (④ in Figure 2)	Requests: shows the page views of the website, making it easy for you to view the total number of pages accessed by visitors in a certain period of time.	You can click Show Details to view the details about the 10 domain names with the most requests, attacks, and basic web protection, precise protection, CC attack protection, bot mitigation, and anti-crawler protection actions.
	Attacks: indicates the total number of attacks, including blocked attacks and logged attacks, at your website.
	Protection details: displays details about attacks that match each protection rule, including the number of times that the attack is blocked by the protection rule and the number of times that the attack is logged.
Security statistics trend (⑤ in Figure 2)	Requests: This tab displays statistics on the total number of requests to a domain name and details about each protection rule.	By day: You can select this option to view the data gathered by the day. If you leave this option unselected, the data is displayed by the time range you select. You can select Compare or Tile to view data.
	QPS: You can check the average number of requests per second for the domain name. This tab displays the total number of requests to the domain name, and the average and peak QPS values by protection rule. The QPS calculation method varies depending on the time range you specify. The average and peak QPS values for each time range are calculated in the following way: Average QPS description Yesterday and Today: The average value is obtained at an interval of 1 minute. Past 3 days: The QPS curve is made with the average QPS in every five minutes. Past 7 days: The QPS curve is made with the maximum value among the average QPS in every five minutes at a 10-minute interval. Past 30 days: The QPS curve is made with the maximum value among the average QPS in every five minutes at a one-hour interval. Peak QPS description Yesterday and Today: The maximum value is obtained at a one-minute interval. Past 3 days: The QPS curve is made with the maximum QPS in every five minutes. Past 7 days: The QPS curve is made with each peak QPS in every 10 minutes. Past 30 days: The QPS curve is made with the peak QPS in every hour.
	TX/RX Bandwidth: shows the bandwidth usage of domain names. You can view the average value and peak value. The value of sent and received bytes is calculated by adding the values of request_length and upstream_bytes_received by time, so the value is different from the network bandwidth monitored on the EIP. This value is also affected by web page compression, connection reuse, access mode, and TCP retransmission. For details, see Why Is the Traffic Statistics on WAF Inconsistent with That on the Origin Server?
	Response Code: Response codes returned by WAF to the client or returned by the origin server to WAF along with the corresponding number of responses. You can click WAF to Client or Origin Server to WAF to view the corresponding information. The number of response codes is accumulated based on the sequence of response codes (from left to right) in the lower part of the chart. The number of response codes is the difference between two lines. If the value of a response code is 0, the line of the response code overlaps that of the previous response code.

Event Source Statistics

This area displays the following information: event distribution, attacked objects, attack source IP addresses, and attacked URLs.

Figure 3 Event Source Statistics

Parameter	Description	Related Operation
Event Distribution (① in Figure 3)	Types of attack events.	You can click an area in the Event Distribution area to view the type, number, and proportion of an attack.
Attacked Targets (② in Figure 3)	The five most attacked domain names and the number of attacks at each domain name.	You can click View More to go to the Events page and view more protection details.
Attack Source IP Addresses (③ in Figure 3)	The five IP addresses that initiate most attacks and the number of attacks from each IP address. NOTE: 49.4.121.70 is the WAF dialing test IP address. If the requests of this IP address are blocked and the number of block times is ranked top 5, the IP address will be also displayed in the attack source IP address list.	You can click View More to go to the Events page and view more protection details.
Attacked URLs (④ in Figure 3)	The five most attacked URLs and the number of attacks at each URL.	You can click View More to go to the Events page and view more protection details.

Bot Protection Statistics

You need to submit a service ticket to enable bot protection. If you enable bot protection and configured bot rules, you can check the Bot Protection Statistics tab on the Dashboard page. You will view the traffic distribution, action distribution, traffic trends, bot score distribution, and top event source statistics.

If no enterprise project is selected, WAF collects security data of all websites added to WAF in all enterprise projects under the account by default. Before viewing data, you can set the following parameters based on service requirements:

Domain name (① in Figure 4): You can select one or more domain names to view the bot protection statistics.
Query time (② in Figure 4): You can view bot protection statistics for yesterday, today, past 3 days, past 7 days, past 30 days, or any time range you specify.

Viewing bot protection data and trends

Figure 4 Bot protection data and trends

**Table 2** Parameters of bot protection statistics
Function Module	Description
Traffic Distribution (③ in Figure 4)	Known bots: shows the number of requests that match known bot rules in a specified time range. Signature-based requests: shows the number of requests that hit the request signature detection in a specified time range. BOT behavior: shows the number of requests that hit bot behavior detection in a specified time range. Normal requests: shows the number of normal requests for accessing a website in a specified time range.
Action (④ in Figure 4)	WAF counts the number of requests that are identified based on bot detection rules within a period of time. WAF also displays protective actions (Allow, Log only, JS Challenge, and Block) taken to those requests.
Traffic Trends (⑤ in Figure 4)	On this tab, you will learn of traffic trends of known bots, signature-based requests, bot behavior, and normal requests.
Bot Score Distribution (⑥ in Figure 4)	This bot behavior scores based on bot behavior detection. BOT behavior detection scores each request of the client to evaluate the probability that the request comes from a bot. A value closer to 0 indicates that the request feature is more like a normal request, and a value closer to 100 indicates that the request feature is more like a bot.

Viewing Top Event Source Statistics

Figure 5 Top Event Source Statistics

**Table 3** Top event source statistics parameters
Parameter	Description
Known bots (① in Figure 5)	The five known bots with the most attacks and the number of attacks from each bot.
TLS fingerprint (② in Figure 5)	The five TLS fingerprints (JA3 and JA4) with the most attacks and the number of attacks.
Attacked Domain Names (③ in Figure 5)	The five most attacked domain names and the number of attacks at each domain name.
Attack Source IP Addresses (④ in Figure 5)	The five IP addresses where the most attacks initiate and the number of attacks from each IP address.
Attack Source Locations (⑤ in Figure 5)	The five locations where the most attacks originate, along with the number of attacks from each.