The Gcore Customer Portal is being updated. Screenshots may not show the current version.

Analytics

WAAP analytics provides comprehensive information about incoming traffic to your domain. It features detailed statistics about recent requests, potential threats, and frequently triggered rules, allowing you to fine-tune your WAAP settings based on the analyzed data.

Analytics is available on the following pages:

  • Overview: Get a consolidated view of all incoming requests that have been inspected by WAAP.

  • WAF: View detailed statistics on the incoming requests and the actions enforced for those requests.

  • DDoS attacks: Check for recent attacks and get detailed information about each of them.

To access analytics for your domain:

1. In the Gcore Customer Portal, navigate to WAAP > Domains.

Domains page in the Customer Portal

2. Find the domain where you want to check analytics and click the domain name to open it.

3. In the sidebar menu, click Analytics.

Analytics page in the Customer Portal

The information on the Analytics page is displayed according to the selected period. At the top of the page, you can use the time frame dropdown to configure the displayed data. When you choose a new time frame, data on the graphs will automatically refresh.

Time and date dropdown on the Analytics page in the Customer Portal

Overview page

This page features general information about incoming requests and contains two graphs: WAF and Status codes.

WAF

This graph shows the total number of incoming requests for the selected period and the number of requests that have been blocked.

WAF graph on the Analytics page in the Customer Portal

You can print the chart or download it in the following formats: png, pdf, csv, xls.

Status codes

This graph shows all requests sorted according to the returned status codes:

  • 2xx: Successful

  • 3xx: Redirection

  • 4xx: Client errors

  • 5xx: Server errors

WAF graph on the Analytics page in the Customer Portal

The Status Codes graph only displays information from the origin's backend and doesn't include status codes from WAAP, such as 403.

You can print the chart in pdf format or download it in the following formats: png, pdf, csv, xls.

WAF page

This page features detailed statistics on HTTP requests and displays the data as a graph (Web Application Firewall Requests) and as a table (Requests).

Web Application Firewall Requests

This graph shows information about actions that were applied to incoming requests. The data is displayed in a plot chart format that gives a comprehensive overview of both good requests and bad requests (potential security threats detected based on a triggered rule).

WAF graph on the Analytics page in the Customer Portal

You can select the following filters to view specific types of requests:

  • Monitored requests: View the total number of requests processed by WAAP.

  • Policy—blocked: View requests that were blocked because of a triggered default policy.

  • Custom rule—blocked: View requests that were blocked because of a triggered custom rule created in your account.

  • DDoS L7—blocked: View requests that were blocked because of a triggered default rule related to DDoS. To learn more about how requests can trigger this rule, check out our Configure WAF for L7 DDoS protection guide.

  • Passed to origin: View requests that successfully reached the origin.

Any changes made to the WAAP requests plot are also displayed in the Requests table below the plot:

  • When you click on a particular data point on the plot, the Requests table is filtered accordingly. The date, time, and the corresponding traffic type are updated to show information relevant to what you’ve selected on the plot.

  • When you select a specific filter like Policy – Blocked, the Requests table is filtered to display only information that matches the same filter.

Updating filters on the table doesn’t change the data displayed on the Web Application Firewall Requests graph.

Requests table

This table displays incoming requests for the past 24 hours, including good and bad ones (potential threats). Request history is retained for 30 days.

WAF graph on the Analytics page in the Customer Portal

You can select multiple filters to get a more granular view of the displayed information in the table.

| Table column | Description |
|---|---|
| Request ID | A unique identifier assigned to each HTTP request. |
| Date | The date and time when a rule was triggered or request occurred. |
| IP | The origin IP address of the client. |
| Country | The origin location of the IP. |
| Response code | HTTP code returned in response to the request. |
| Security rule triggered | The default or custom rule name that was triggered by the request. You can click on the rule name to view detailed information about the rule and the triggered request. |
| Security action | The action that was taken against the request. Allow: Display requests that were allowed to pass. Block: Display requests that were blocked. CAPTCHA: Display requests that got the CAPTCHA validation screen, regardless of whether the request passed or failed the validation. Handshake (JavaScript validation): Display requests that were presented with a JavaScript validation screen, regardless of whether the request passed or failed the screen. |
| Result | The result of the request based on the enforced action. For example, if a request was presented with a Captcha, and the request didn’t pass, then the result is “Blocked”. |
| Create rule | A button that you can select to create a custom rule for the request. |

Threats (last 24 hours)

This section displays the most triggered actions and default policies, along with how many times each of them was triggered.

WAF graph on the Analytics page in the Customer Portal

Top threat origins

This map and table display the origin location of bad requests (threats) from the last 24 hours. You can view the country from which requests are coming and the total number of requests for that country.
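
The following added example (not Gcore code) works over rows shaped like the Requests table columns and shows why the Status codes graph can disagree with the WAF graph: codes that WAAP itself returns for blocked requests are left out of the origin buckets, while the same blocked rows drive the Threats and Top threat origins views. The field names, rule names, sample rows, the "Passed" result value, and the assumption that a "Blocked" result means the origin never answered are all constructed for illustration.

```python
from collections import Counter

# Constructed sample rows (documentation-range IPs, made-up rule names).
# Fields mirror the Requests table: IP, Country, Response code,
# Security rule triggered, Security action, Result.
FIELDS = ("ip", "country", "code", "rule", "action", "result")
ROWS = [dict(zip(FIELDS, r)) for r in [
    ("198.51.100.7", "NL", 200, None,     "Allow",   "Passed"),
    ("198.51.100.7", "NL", 302, None,     "Allow",   "Passed"),
    ("203.0.113.9",  "US", 403, "rule-A", "Block",   "Blocked"),
    ("203.0.113.9",  "US", 403, "rule-A", "Block",   "Blocked"),
    ("192.0.2.44",   "BR", 403, "rule-B", "CAPTCHA", "Blocked"),  # failed CAPTCHA
    ("192.0.2.45",   "BR", 200, "rule-B", "CAPTCHA", "Passed"),   # solved CAPTCHA
    ("198.51.100.8", "NL", 403, None,     "Allow",   "Passed"),   # origin's own 403
    ("198.51.100.8", "NL", 500, None,     "Allow",   "Passed"),
]]

def is_blocked(row):
    # Assumption: "Blocked" in Result means WAAP answered, not the origin.
    return row["result"] == "Blocked"

def waf_totals(rows):
    """Total vs blocked requests, as in the Overview WAF graph."""
    return {"total": len(rows), "blocked": sum(map(is_blocked, rows))}

def origin_status_codes(rows):
    """Status classes for origin responses only; WAAP-generated codes are skipped."""
    return dict(Counter(f"{r['code'] // 100}xx" for r in rows if not is_blocked(r)))

def top_threats(rows, field, n=3):
    """Most frequent values of `field` (rule, country, ip) among blocked rows."""
    return Counter(r[field] for r in rows if is_blocked(r)).most_common(n)

if __name__ == "__main__":
    print(waf_totals(ROWS))
    print(origin_status_codes(ROWS))
    print(top_threats(ROWS, "rule"), top_threats(ROWS, "country"))
```

In the sample, four requests returned 403 but the 4xx bucket holds only one of them, because the other three were answered by WAAP rather than the origin.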

WAF graph on the Analytics page in the Customer Portal

DDoS attacks page

We provide detailed analytics related to any DDoS attacks that were detected in your domain. DDoS analytics is stored for 32 days.

In-progress attacks

If there is an active DDoS attack, you’ll see a banner at the top of the page in the Customer Portal.

Clicking the View attack link will take you to the DDoS analytics page, where you can view more details related to that specific attack.

WAF graph on the Analytics page in the Customer Portal

Attacks over time

Requests associated with DDoS attacks are presented in a plot format.

To filter DDoS request data by the timeframe of each attack, click the dropdown menu in the top-right corner of the screen and select the checkbox next to the attack you want to view. You can view up to four sets of timeframes simultaneously.

WAF graph on the Analytics page in the Customer Portal

Attack requests

This table displays more fine-grained information about requests associated with attacks. You can search for specific attacks by clicking the Select field dropdown and entering an IP or response code.

| Table column | Description |
|---|---|
| Request ID | A unique identifier assigned to each HTTP request. |
| Date | The date and time when a rule was triggered or request occurred. |
| IP | The origin IP address of the client. |
| Response code | HTTP code returned in response to the request. |
| URL targeted | Top URLs that were requested during a DDoS attack. |
| Result | The action that was taken against the request. Allow: Display requests that were allowed to pass. Block: Display requests that were blocked. CAPTCHA: Display requests that got the CAPTCHA validation screen, regardless of whether the request passed or failed the validation. Handshake (JavaScript validation): Display requests that were presented with a JavaScript validation screen, regardless of whether the request passed or failed the screen. |
| Result | The result of the request based on the enforced action. For example, if a request was presented with a Captcha, and the request didn’t pass, then the result is “Blocked”. |
| Create rule | A button that you can select to create a custom rule for the request. |

To view more details about a specific request listed in this table, click on the Request ID.

IPs participated

This table displays a list of the top IP addresses associated with the selected DDoS attack, along with the total number of times each IP has made a request to your domain.

WAF graph on the Analytics page in the Customer Portal

Clients, tools, and user agents

This table displays a list of the top clients, tools, and user agents associated with the selected DDoS attack. It also shows the total number of times each of them has made a request to your site.

WAF graph on the Analytics page in the Customer Portal

URLs targeted

This table displays a list of the top URLs that were requested during a DDoS attack, along with the number of times each URL was requested.

WAF graph on the Analytics page in the Customer Portal
