Monitor your Application Firewall

Objective

This document provides instructions on how to monitor your application firewall. Volterra provides support to monitor your application for security. To know more about how Volterra secures your applications, see Security.

Using the instructions provided in this document, you can check the rule hit statistics and security events for your virtual host.


Prerequisites


Monitor the Application Firewall

Monitoring your application firewall consists of inspecting application firewall and security events.

Step 1: Select the namespace where the app firewall and virtual host are created.

Click App on the namespace selector and select your namespace from the drop-down list of namespaces.

Figure: Navigate namespace

Step 2: Navigate to the load balancer for which the WAF is enabled.
  • Select Virtual Hosts -> HTTP Load Balancers on the configuration menu to display a list of load balancers.

Figure: Load Balancer Monitoring

  • Click on Security Monitoring on a load balancer from the displayed list of load balancers. The Dashboard page is displayed by default.

Step 3: Inspect the security monitoring dashboard for WAF events.
  • Inspect the Security Events section to view the snapshot of security events. This displays a list of security events in the last 12 hours by default. Click on any event to load its full information in the Security Events page. For example, click on l7_policy_sec_event to load the related information in the Security Events page.
  • Inspect the Top WAF Rules Hit section to check the WAF rule hit statistics.

Figure: Security Monitoring View

  • Inspect the Security Events by Location section to view the security events arranged in a map view. You can click on the location with hits to load the Security Events page.
  • Inspect the Recent WAF and Policy Events section to view the list of recent WAF events.

Step 4: Inspect security events.

Click on the Security Events tab to load the security events view. This shows various types of security events over a default time period of 12 hours in a graph view. This page also displays filters for the various types of events, which are represented by different colored dots. Beneath the graph, the security events page displays the events in a list arranged into different tabs, namely Security Events, Malicious User Events, and DDoS Events.

Perform the following to inspect various security events.

  • Click on a dot to show or hide events of that type.
  • Click on the Add Filter option and select a key-value pair to apply specific filters. You can select available key-value pairs. You can also choose a custom entry. Type a key, click Select Custom Key, type a value, and click Select Custom Value to apply a custom filter.
  • Click on the time interval drop-down list on the top right side of the page to select another time interval or specify a custom interval.

Security Events: Inspect the security events sub page.
  • Click the Security Events tab beneath the graph chart to view the list of security events. The following list provides information on each field of the list.

    • Time: Time the event was created.
    • Country, City: Location of the event.
    • Src IP: Source of the suspicious request.
    • Method: Method type of the HTTP request (GET, POST, DELETE, PUT, etc.)
    • Rsp Code: The HTTP response code (200, 403, 404, etc.)
    • Rules Hit: Number of rules hit.
    • Authority: Load balancer domain.
    • Request Path: String of characters that unambiguously identifies a particular resource (for example /testcase-6/test.com)

Figure: Security Events Page

Note: You can click > on any entry to display the information for that event in a fully expanded view. Select the JSON tab to obtain the information in JSON format.

  • Click ... for an entry on the list of security events and select one option as per the following guidelines.

    • Select Create Exception Rule to create an exception for that event so that it is not flagged as a security event. This will open the load balancer edit form with a WAF rule to exclude this event. Enter a name, select values for the Exclude WAF Rules field, click Apply, and click Save and Exit in the load balancer configuration page to apply the exception rule.
    • Select Add to Blocked Clients to add this client to blocked clients. This will open the load balancer edit form with a rule to block the specific client. Click Apply and click Save and Exit in the load balancer configuration page to apply the blocking rule.
    • Select Add to Trusted Clients to add this client to trusted clients. This will open the load balancer edit form with a rule to whitelist the specific client. Click Apply and click Save and Exit in the load balancer configuration page to apply the trusted clients rule.
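
As an added example (not Volterra code), the following Python groups events copied from the JSON tab to help decide which entries to review for an exception rule and which clients to review for blocking. The key names, the sample events, and the thresholds are constructed assumptions that mirror the list columns above.

```python
import json
from collections import defaultdict

# Constructed sample events. The key names are hypothetical: they mirror the
# list columns (Src IP, Method, Rsp Code, Rules Hit, Authority, Request Path)
# and must be mapped to the keys that appear in your own JSON view.
SAMPLE_EVENTS = json.loads("""[
 {"src_ip": "198.51.100.7", "method": "GET",  "rsp_code": 403, "rules_hit": 2, "authority": "shop.example.com", "req_path": "/admin"},
 {"src_ip": "198.51.100.7", "method": "GET",  "rsp_code": 403, "rules_hit": 1, "authority": "shop.example.com", "req_path": "/backup"},
 {"src_ip": "198.51.100.7", "method": "POST", "rsp_code": 403, "rules_hit": 3, "authority": "shop.example.com", "req_path": "/login"},
 {"src_ip": "198.51.100.7", "method": "GET",  "rsp_code": 403, "rules_hit": 1, "authority": "shop.example.com", "req_path": "/search"},
 {"src_ip": "192.0.2.5",    "method": "POST", "rsp_code": 403, "rules_hit": 1, "authority": "shop.example.com", "req_path": "/login"},
 {"src_ip": "203.0.113.10", "method": "GET",  "rsp_code": 403, "rules_hit": 1, "authority": "shop.example.com", "req_path": "/search"},
 {"src_ip": "203.0.113.11", "method": "GET",  "rsp_code": 403, "rules_hit": 1, "authority": "shop.example.com", "req_path": "/search"},
 {"src_ip": "203.0.113.12", "method": "GET",  "rsp_code": 403, "rules_hit": 1, "authority": "shop.example.com", "req_path": "/search"}
]""")


def triage(events, min_paths=3, min_sources=3):
    """Return (block_review, exception_review) lists for manual review.

    block_review: source IPs that hit rules on >= min_paths distinct paths
    (one client probing many resources).
    exception_review: (authority, path) pairs that hit rules from
    >= min_sources distinct sources other than those IPs (many unrelated
    clients tripping on one resource suggests a possible false positive).
    """
    paths_by_src = defaultdict(set)
    srcs_by_path = defaultdict(set)
    for ev in events:
        if ev.get("rules_hit", 0) < 1:
            continue  # no WAF rule involved, nothing to exclude or block on
        resource = (ev["authority"], ev["req_path"])
        paths_by_src[ev["src_ip"]].add(resource)
        srcs_by_path[resource].add(ev["src_ip"])
    block_review = sorted(ip for ip, p in paths_by_src.items() if len(p) >= min_paths)
    noisy = set(block_review)
    exception_review = sorted(
        res for res, srcs in srcs_by_path.items() if len(srcs - noisy) >= min_sources
    )
    return block_review, exception_review


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Treat both lists as candidates to confirm in the expanded event view before you create an exception rule or a blocking rule.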

Malicious User Events: Inspect the malicious events sub page.

Click on the Malicious User Events tab beneath the graph to inspect the list of events flagged as malicious user events.

DDoS Events: Inspect the DDoS events sub page.

Note: Click Refresh on the top right side of the page to refresh the information displayed on the page. Click Hide Chart to hide the graph and show only the events list.


Concepts


API References