About thresholds

Thresholds (also known as site alerts) monitor and handle requests from IP addresses that have been tagged with specific signals. Specifically, when the number of requests from an IP address meets the signal count threshold for a site alert, the IP address is flagged and select subsequent requests from the IP address are blocked or logged for a set period of time.

The Events page lists all IP addresses that were flagged in the past 30 days, and the Observed Sources page provides an overview of all IP addresses that have been or soon will be flagged on your site.

Types of thresholds

There are two types of thresholds:

  • System site alerts (also known as attack thresholds): configurations that we've defined to monitor and handle requests from IP addresses that contain attack signals. System site alerts apply to all attack signals for a site. You can lower and raise the attack thresholds and override them for individual attack signals.
  • Custom site alerts: configurations that you define to monitor and handle requests from IP addresses that contain specific signals. Custom site alerts are only included with the Professional and Premier platforms.

Precedence for thresholds

When multiple site alerts exist, the Next-Gen WAF agent uses the following logic to determine which threshold configuration should take precedence:

  • The site alert with the lowest threshold and smallest interval for a given action (i.e., block or log) will be checked first.
  • Site alerts with a block action do not compete for precedence against site alerts with a log action.
  • After a site alert with a block action flags an IP address, other site alerts with a block action can't flag that IP address until the existing flag is lifted.
  • After a site alert with a log action flags an IP address, other site alerts with a log action can't flag that IP address until the existing flag is lifted.
  • A site alert with a block action and a site alert with a log action can both flag the same IP address.
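The precedence rules above can be modeled in a few lines of Python. This is an added illustration, not the Next-Gen WAF agent's code: the `SiteAlert` fields, the `simulate` function, the tie-break order between threshold and interval, and all sample alerts and traffic are assumptions constructed for the example.

```python
from collections import defaultdict, namedtuple

# Hypothetical model of a site alert; field names are assumptions, not product API.
SiteAlert = namedtuple("SiteAlert", "name signal threshold interval action flag_for")

def simulate(alerts, events):
    """events: iterable of (ts_seconds, ip, signal), in time order.
    Returns a list of (ts, ip, action, alert_name) for every flag raised."""
    seen = defaultdict(list)   # (ip, signal) -> timestamps of tagged requests
    flagged_until = {}         # (ip, action) -> time the existing flag is lifted
    flags = []
    # Lowest threshold first, then smallest interval (tie-break order is assumed).
    ordered = sorted(alerts, key=lambda a: (a.threshold, a.interval))
    for ts, ip, signal in events:
        seen[(ip, signal)].append(ts)
        for action in ("block", "log"):   # the two actions never compete
            if flagged_until.get((ip, action), 0) > ts:
                continue                   # an existing flag of this action holds
            for alert in ordered:
                if alert.action != action or alert.signal != signal:
                    continue
                recent = [t for t in seen[(ip, signal)] if ts - t < alert.interval]
                if len(recent) >= alert.threshold:
                    flagged_until[(ip, action)] = ts + alert.flag_for
                    flags.append((ts, ip, action, alert.name))
                    break
    return flags

# Constructed alerts and traffic (documentation IP range, made-up thresholds).
ALERTS = [
    SiteAlert("sqli-block-strict", "SQLI", 3, 60, "block", 300),
    SiteAlert("sqli-block-loose", "SQLI", 5, 600, "block", 3600),
    SiteAlert("sqli-log", "SQLI", 2, 60, "log", 300),
]
EVENTS = [(t, "203.0.113.7", "SQLI") for t in range(0, 80, 10)]  # one hit per 10 s

if __name__ == "__main__":
    for flag in simulate(ALERTS, EVENTS):
        print(flag)
```

In this run the log alert and the strict block alert both flag the same IP address, while the looser block alert never fires because the existing block flag has not been lifted.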

Preventing specific IP addresses from being flagged

To prevent an IP address from being flagged by site alerts, create a request rule with an allow action. For example, if you plan to scan your web application for vulnerabilities, you can create a request rule with an allow action to ensure the scanning IP address isn't flagged.
