- Fastly Status
About the Fastly WAF dashboard
Last updated May 09, 2018
The Fastly WAF dashboard allows you to monitor the Fastly WAF deployed within your Fastly service. You can use the information in the Fastly WAF dashboard to determine whether or not the WAF is active, see how many requests the WAF is currently processing, and review recent configuration changes.
The Fastly WAF dashboard consists of the following pages:
IMPORTANT: This feature is part of a limited availability release. For more information, see our product and feature lifecycle descriptions.
Accessing the Fastly WAF dashboard
To access the Fastly WAF dashboard, follow the steps below:
Log in to the Fastly web interface. The All services page appears.
Find your Fastly service in the list, and then click the WAF link. The WAF summary page appears.
If you have hundreds of services, you might want to jump to the All WAF services page for an overview of all your WAFs.
About the WAF summary page
The WAF status section indicates whether the WAF is currently active. You can see the total number of active rules. This number includes OWASP rules set to "active" and strict match rules set to blocking or logging. The charts show the number of active and disabled OWASP rules, application-specific rules, and Fastly-created rules. Sample charts are shown below.
The Requests graph displays how many requests are served from cache and how many requests are processed by the WAF. Of the requests that are processed by the WAF, the WAF Process graph displays how many requests were blocked by the WAF, logged by the WAF and sent to the origin server, and were passed (not blocked or logged) and sent to the origin server.
You can exclude certain data from the graphs by clicking the hide link next to a data label. Clicking this link will hide that value in the graph's display.
TIP: The Fastly WAF only executes on traffic sent to the origin server.
About the WAF audit log page
The WAF audit log page displays all configuration changes made to your WAF. You can use this page to determine who made certain types of configuration changes to the WAF, and when the changes were made. The line items indicate when rules were set to log or block, when they were updated, and whether they were disabled.
Some line items include changes for multiple rules. Click Show rule IDs to see all of the changes.
TIP: You can use the Fastly WAF rule statuses API endpoint to view the state of an individual rule.
Some entries contain information about the WAF's OWASP properties. To learn more about the OWASP properties, refer to the OWASP properties section.
You may see OWASP properties referenced on the WAF audit log page. The table below contains a list of all available properties and their descriptions. The properties shown here reflect changes made by altering the settings in the OWASP object.
|Allowed HTTP versions||HTTP version control for client requestors.|
|Allowed HTTP methods||HTTP method control for client requestors.|
|Allowed client content types||HTTP content-type controls for client requestors.|
|Maximum length of query parameter name||The maximum size of any given HTTP query parameter name.|
|Maximum length of query parameter value||The maximum size of any given HTTP query parameter value.|
|Combined file sizes||Total size of MIME bodies in the request.|
|Critical anomaly threshold||Configured critical anomaly score threshold. Action is taken when requests in this category exceed the threshold. The critical anomaly score is incremented when rules of the highest severity level are triggered.|
|Validate UTF8 encoding||Validates the client request as UTF-8 prior to the execution of WAF rules.|
|Error anomaly threshold||Configured error anomaly score threshold. Action is taken when requests in this category exceed the threshold.|
|High risk countries||Block clients from high risk countries based on their IP address.|
|HTTP violation threshold||Configured HTTP violation threshold. Action is taken when rules that trigger HTTP violations exceed the threshold.|
|Inbound anomaly threshold||Configured inbound anomaly score threshold. Action is taken when the sum of the individual category scores exceed the inbound score.|
|LFI threshold||Configured LFI threshold. Action is taken when rules that trigger Local File Inclusion (LFI) rules exceed the threshold.|
|Maximum file size (bytes)||Maximum size of any MIME body in the request.|
|Maximum argument count||Maximum number of HTTP query parameter name/value pairs.|
|Notice anomaly score||Configured Notice anomaly score threshold. Action is taken when rules that trigger violations in the notice category exceed the threshold.|
|Paranoia level||The paranoia level setting can be set from 1 through 4 and determines the number of rules to include by deafult. Higher levels indicate higher levels of security but potentially a larger number of false positives.|
|PHP injection threshold||Configured PHP injection score threshold. Action is taken when rules that trigger PHP related violations exceed the threshold.|
|RCE threshold||Configured RCE injection score threshold. Action is taken when rules that trigger Remote Code Exeuction (RCE) violations exceed the threshold.|
|Restricted extensions||Control on restricted file extensions in the client request.|
|Restricted headers||Control on restricted HTTP headers in the client request.|
|RFI threshold||Configured RFI violation threshold. Action is taken when rules that trigger Remote File Inclusion (RFI) violations exceed the threshold.|
|Session fixation threshold||Configured Session Fixation violation threshold. Action is taken when rules that trigger Session Fixation violations exceed the threshold.|
|SQLi threshold||Configured SQLi threshold. Action is taken when rules that trigger SQL Injection (SQLi) violations exceed the threshold.|
|Total query parameter length||Maximum total size of all query parameters in the request.|
|Warning anomaly score||Configured Warning anomaly score threshold. Action is taken when rules that trigger violations in the warning category exceed the threshold.|
|XSS threshold||Configured XSS threshold. Action is taken when rules that trigger Cross-Site Scripting (XSS) violations exceed the threshold.|
About the All WAF services page
You can use the All WAF services page to monitor all of the WAFs deployed within your services. This page shows which of your services have WAFs, which WAFs are enabled, how many rules are enabled and disabled per WAF, and which configuration sets the WAFs are using. If a configuration set is out of date, a message is displayed alerting you it's time to update to the latest rule set.
About the WAF stats
The WAF stats graph appears on the Stats page. For the selected service, this graph shows blocked traffic that was stopped by the WAF based on rules, logged traffic that triggered rules but was sent to the origin, and passed traffic that didn't trigger rules and was sent to the origin.