About thresholds

Thresholds (also known as site alerts and workspace alerts) monitor and handle requests from IP addresses that have been tagged with specific signals. When the number of requests from an IP address meets the signal count threshold for a site alert (workspace alert), the IP address is flagged and select subsequent requests from that IP address are blocked or logged for a set period of time.

You can monitor site alert activity via our control panels.

Web interface location, by control panel:

  • Next-Gen WAF: Events page, Observed Sources page
  • Fastly: Events page

Types of thresholds

There are two types of thresholds:

  • system (also known as attack thresholds): configurations that we've defined to monitor and handle requests from IP addresses that contain attack signals. They apply to all attack signals for a site (workspace). You can lower and raise the attack thresholds and override them for individual attack signals.
  • custom: configurations that you define to monitor and handle requests from IP addresses that contain specific signals. They are only included with the Professional and Premier platforms.

Precedence for thresholds

When multiple site alerts (workspace alerts) exist, the Next-Gen WAF agent uses the following logic to determine which threshold configuration should take precedence:

  • The alert with the lowest threshold and smallest interval for a given action (i.e., block or log) will be checked first.
  • Alerts with a block action do not compete for precedence against those with a log action.
  • After an alert with a block action flags an IP address, other alerts with a block action can't flag that IP address until the existing flag is lifted.
  • After an alert with a log action flags an IP address, other alerts with a log action can't flag that IP address until the existing flag is lifted.
  • An alert with a block action and an alert with a log action can both flag the same IP address.
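
The precedence rules above, modelled as an added example (this is not Fastly's agent code). The `Alert` fields, the `duration` flag length, the tie-break order of threshold before interval, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    name: str       # hypothetical label
    action: str     # "block" or "log"
    threshold: int  # signal count that triggers a flag
    interval: int   # counting window in seconds
    duration: int   # assumed field: how long the flag lasts, in seconds

def evaluate(alerts, hits, now, flags):
    """Return names of alerts that newly flag one IP at time `now`.

    hits:  timestamps (seconds) of this IP's signal-tagged requests
    flags: {action: (alert_name, expires_at)}, updated in place
    """
    newly_flagged = []
    for action in ("block", "log"):  # block and log never compete
        held = flags.get(action)
        if held and held[1] > now:   # existing flag of this action not lifted
            continue
        # Assumed ordering: lowest threshold first, then smallest interval.
        ordered = sorted((a for a in alerts if a.action == action),
                         key=lambda a: (a.threshold, a.interval))
        for alert in ordered:
            count = sum(1 for t in hits if now - alert.interval < t <= now)
            if count >= alert.threshold:
                flags[action] = (alert.name, now + alert.duration)
                newly_flagged.append(alert.name)
                break                # one flag per action at a time
    return newly_flagged

# Constructed sample configuration and traffic (one tagged request per second).
ALERTS = [
    Alert("block-loose", "block", 200, 600, 86400),
    Alert("block-strict", "block", 50, 60, 86400),
    Alert("log-early", "log", 10, 60, 3600),
]

def demo():
    flags = {}
    first = evaluate(ALERTS, list(range(60)), 59, flags)
    later = evaluate(ALERTS, list(range(300)), 299, flags)
    return first, later, flags

if __name__ == "__main__":
    print(demo())
```

In the second call the traffic also satisfies `block-loose`, but the IP already holds a block flag, so no further block alert can flag it until that flag is lifted.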

Preventing specific IP addresses from being flagged

To prevent an IP address from being flagged by site alerts (workspace alerts), create a request rule with an allow action. For example, let's say you plan to scan your web application for vulnerabilities. To ensure the scanning IP address isn't flagged, you can create a request rule with an allow action.
