View WAF Rate Control trends

WAF rate control displays statistical information provided by the rate control activity report over the last 90 days.

Set report scope

  1. Go to > WEB & DATA CENTER SECURITY > Security Center.

  2. In the left menu click Trends > WAF Rate Control.

  3. In the Security Center menu bar, modify the general settings for the view.

    • Set a time period within the last 3 months. Click the date field and select the duration or dates you want to see.

    • Apply filters to all reports within the view to see results only for a specific dimension.

    On the upper right of the screen, click the filter button. Then, select a category from the dropdown and click Apply.
    To clear filters, click Reset.

  • Rate activity. The average number of requests per second (in five-minute segments) of all clients, compared with the rate category's configured average threshold and burst threshold.

  • Client that exceeded average threshold. The number of clients that exceeded the rate category's average threshold.

  • Client that exceeded burst threshold. The number of clients that exceeded the rate category's burst threshold.

  • Client IDs exceeding threshold. The specific IDs that exceeded the rate category's average and/or burst threshold.

  • Top 100 client IDs. Up to 100 client IDs with the highest maximum rates occurring during the selected date range (ranked by Max Rate).

The Rate activity graph provides the average number of requests per second, in five-minute segments, of all clients and compares them with the rate category's configured average and burst thresholds.

During your initial analysis, this graph gives you an idea of whether you have properly defined your categories and appropriately set your thresholds. Before making any decision about increasing a threshold, first investigate the clients that exceeded it. Collect some information about the IP address (check the list of client IP addresses exceeding the thresholds), and investigate the activity for each address. Once you understand the nature of the traffic causing the burst, you may decide to:

  • Keep the thresholds as they are because you found illegitimate traffic that had an excessive request rate.

    This may be a good time to consider setting the rule to deny mode to deny this type of traffic at the edge.

  • Modify the IP rate control rule definition.

    You found that the IP addresses with excessive traffic were legitimate. They could be site scrapers you approve of or a monitoring system you own. You may decide to allow these addresses to prevent false positives or create a new category for the type of traffic causing the rule to fire.

  • Increase the threshold.

    You found the traffic was legitimate. You should therefore increase the threshold to reduce false positives. As a general rule of thumb you shouldn't increase the threshold beyond 20 requests per second. If you find you need to, then your category definition is insufficient, and the rule will not be able to deflect any DDoS attacks or slow crawlers.
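To support the investigation step described above, the following added example (not Akamai code, and not how the platform itself accounts for rates) replays an origin access log offline, groups requests into five-minute segments per client, and flags clients over an average and a burst threshold, ranked by their highest segment average. The log line format, both threshold values, and the choice to treat "burst" as the peak count in any single second are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SEGMENT_S = 300        # five-minute segments, as in the Rate activity report
AVG_THRESHOLD = 2.0    # req/s, constructed value for this example
BURST_THRESHOLD = 10   # req/s, constructed value for this example
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def parse(line):
    """'2024-05-01T10:00:03Z 198.51.100.7 GET /login' -> (epoch second, client IP)."""
    ts, ip = line.split()[:2]
    dt = datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)
    return int(dt.timestamp()), ip

def rate_report(lines):
    """Per client: highest segment average, peak one-second rate, thresholds exceeded."""
    per_second = defaultdict(int)        # (ip, epoch second) -> requests
    for line in lines:
        if line.strip():
            sec, ip = parse(line)
            per_second[(ip, sec)] += 1
    per_segment = defaultdict(int)       # (ip, segment start) -> requests
    peak = defaultdict(int)              # ip -> highest one-second count (assumed burst measure)
    for (ip, sec), n in per_second.items():
        per_segment[(ip, sec - sec % SEGMENT_S)] += n
        peak[ip] = max(peak[ip], n)
    max_avg = defaultdict(float)         # ip -> highest five-minute average in req/s
    for (ip, _), n in per_segment.items():
        max_avg[ip] = max(max_avg[ip], n / SEGMENT_S)
    rows = [{"client": ip, "max_avg": round(max_avg[ip], 2), "peak": peak[ip],
             "over_avg": max_avg[ip] > AVG_THRESHOLD,
             "over_burst": peak[ip] > BURST_THRESHOLD} for ip in max_avg]
    return sorted(rows, key=lambda r: r["max_avg"], reverse=True)

def sample_log():
    """Constructed log: a steady client, a sustained scraper, a one-second burst."""
    t0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    def at(offset):
        return (t0 + timedelta(seconds=offset)).strftime(TS_FORMAT)
    lines = [f"{at(s)} 192.0.2.10 GET /" for s in range(0, 300, 10)]
    lines += [f"{at(s)} 198.51.100.7 GET /search" for s in range(300) for _ in range(3)]
    lines += [f"{at(42)} 203.0.113.5 POST /login" for _ in range(25)]
    return lines

if __name__ == "__main__":
    for row in rate_report(sample_log()):
        print(row)
```

In the constructed data the sustained client crosses only the average threshold and the short spike crosses only the burst threshold, which is the distinction to look for before changing a rule or a threshold.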