If you subscribe to Web Application and API Protection, you’ll see the WAF Log tab.
Here, we provide a visual overview of all traffic hitting your packs. At the top, you can choose the time range and the action to populate the widgets below.
Below that, you’ll see a tile for each WAF policy you’ve created. In the demo video below, we have two separate policies applied to a pack, so we track and report on those separately.
Below that is a global map which plots the source of each hit showing yellow for not blocked and red for blocked. You can zoom in and hover over a location for more detail.
Below that are pie graphs showing a breakdown of blocked and not blocked traffic by country and rule types so you can see where the biggest threats are coming from.
You can also see rules triggered by time. This graph allows you to zoom in to specific time periods by adjusting the controller at the bottom, or by clicking the zoom quick links at the top. You can also hover over the lines within the graph to see detail.
Lastly, at the bottom of the page is the raw log data. In this table, every block action is logged. In our example in the video, since we have “Log All Traffic” checked in the WAF Policy, we also see all policy hits that don’t result in a block, which is handy for troubleshooting. The table is limited to 10,000 results at a time. If you need to see more than that, adjust your time period accordingly.
Above the table, you can filter based on country, profile, security check or the action. Within the table, you can click on the source IP to see further detail about it, or hover over the request URL or the Details to see further information that’s not immediately shown in the table due to column width. You can export the entire table, with the full request URL and Details columns, into a CSV file by clicking the Export Records button. This is handy if you want to analyze deeper or import the information into a SIEM.