Using Web Application Firewall Monitoring

The Web Application Firewall > Monitoring page provides two tabs: Local and Global. The pages for both tabs display statistics and graphs for detected/prevented threats over time and top 10 threats. The Local tab also displays Web server status statistics and graphs of the number of requests and the amount of traffic during the selected monitoring period.

The monitoring functions of each tab are explained in the following sections:
Monitoring on the Local Tab
Monitoring on the Global Tab

Monitoring on the Local Tab

The Local tab displays statistics and graphs for the local appliance. Graphs are displayed for Web Server Status and WAF Threats Detected & Prevented. For the latter, you can use the Perspective options to change the view between Signature, Severity, and Server, and you can display the statistics in list format rather than as graphs.

Using the Control Buttons

The control buttons are displayed at the top of the page. They control the statistics that are displayed on this page. On the Local tab, you can use the control buttons to turn streaming updates on or off, refresh the data on the page, clear the graphs, and download a report. If streaming is turned on, Web Application Firewall statistics information is fetched periodically, and displayed in the graphs and threat list. If streaming is turned off, no new information can be displayed.

To use the control buttons:
1
Select the Local tab. The active tab name is displayed in red or pink, while the inactive tab name is blue. The control buttons act on the page that is currently displayed.
2
To turn streaming on or off, click the ON or OFF indicator next to Streaming Updates.
3
To refresh the display, click the Refresh button.
4
To clear all Web Application Firewall statistics from the graphs and list, click the Clear Graphs button.
5
To generate a PDF report containing Web Application Firewall statistics, click the Download Report button.
* 
NOTE: Internet Explorer requires Adobe Flash Player version 10 or higher to generate the report.
6
If prompted to install Adobe Flash Player, click Get Flash and then after the installation click Try Again to generate the PDF report from Internet Explorer.

Monitoring Web Server Status

On the Local tab, below the control buttons, this page displays graphs for Web server status. One graph shows the number of Web requests detected over time, and another graph shows the amount of traffic in kilobytes (KB).

The Web servers tracked are those servers within the local network of the SRA appliance that provide HTTP/HTTPS bookmarks, offloaded applications, and other Web services. The Traffic graph indicates the amount of HTTP/HTTPS payload data that is sent to client browsers.

You can view Web server activity on the Local tab over different time periods by selecting one of the following options from the Monitoring Period drop-down list:
Last 60 Seconds
Last 60 Minutes
Last 24 Hours
Last 30 Days

Figure 50 shows a 24 hour period of Web server activity.

Figure 50. Web Server Status For Last 24 Hours

Figure 51 shows a 60 minute period of Web server activity.

Figure 51. Web Server Status For Last 60 Minutes

Monitoring Detected and Prevented Threats

On the Local tab below the Web server status graphs, the Web Application Firewall > Monitoring page displays graphs indicating the number of detected and prevented threats. Two graphs are presented, one showing the number of threats over time, and the other showing the top ten threats that were detected and prevented during that time frame.

You can change the time frame displayed in both graphs or change the view to display all threats in list format by selecting one of the following options from the Monitoring Period drop-down list:
Last 12 Hours
Last 14 Days
Last 21 Days
Last 6 Months
All in Lists

Figure 52 shows the number and severities of threats detected and prevented over the last 21 days.

Figure 52. Threats Over Last 21 Days

When displaying the top 10 threats graph with Perspective set to Signature, hovering your mouse pointer over the signature ID causes a tooltip to appear with details about the threat.

Figure 53. Threat Details Tooltip

Viewing Threats in List Format

To see the threats in list format rather than as a graph, select All in Lists from the Monitoring Period drop-down list. Figure 54 shows the list format.

The Severity column of the threat list is color coded for quick reference, as follows:
High severity threats – Red
Medium severity threats – Orange
Low severity threats – Black

The initial, default sorting order lists the high severity threats with highest frequency values first. You can change the order of listed threats by clicking on the column headings to sort them by ID, signature name, classification, severity, or frequency. Click again to toggle between ascending and descending order. The active sorting column is marked by an arrowhead pointing upwards for ascending order, and downwards for descending order.

Figure 54. Threats in List Format

To view and hide threat details:
1
On the Web Application Firewall > Monitoring page, select All in Lists from the Monitoring Period drop-down list. The list of detected or prevented threats is displayed in the WAF Threats Detected & Prevented table.
2
To display details about a threat, click on the threat. The details include the following:
URL – The URL to the Dell SonicWALL knowledge base for this threat
Category – The category of the threat
Severity – The severity of the threat, either high, medium, or low
Summary – A short description of how the threat behaves

3
To collapse the threat details, click the threat link again.
Changing Perspective

For the Top 10 Threats graph, you can select the following display options from the Perspective drop-down list:
Signature – The name of each threat shown is listed at the left side of the graph.

Severity – High, medium, and low severity threats are displayed using color coding.

Server – The server names are listed at the left side of the graph.

Monitoring on the Global Tab

The Global tab displays statistics and graphs for threats reported by all SRA appliances with Web Application Firewall enabled. Graphs are displayed for WAF Threats Detected & Prevented.

Using the Control Buttons

The control buttons are displayed at the top of the page. They control the statistics that are displayed on this page. On the Global tab, you can use the control buttons to turn streaming updates on or off, refresh the data on the page, and download a report. If streaming is turned on, Web Application Firewall statistics information is fetched periodically, and displayed in the graphs and threat list. If streaming is turned off, no new information can be displayed.

To use the control buttons:
1
Select the Global tab. The active tab name is displayed in red or pink, while the inactive tab name is blue. The control buttons act on the page that is currently displayed.
2
To turn streaming on or off, click the ON or OFF indicator next to Streaming Updates.
3
To refresh the display, click the Refresh button.
4
To generate a PDF report containing Web Application Firewall statistics, click the Download Report button.
* 
NOTE: Internet Explorer requires Adobe Flash Player version 10 or higher to generate the report.
5
If prompted to install Adobe Flash Player, click Get Flash and then after the installation click Try Again to generate the PDF report from Internet Explorer.

Monitoring Detected and Prevented Threats

At the top of the Global tab, the Web Application Firewall > Monitoring page displays graphs indicating the number of detected and prevented threats. Two graphs are presented, one showing the number of threats over time, and the other showing the top ten threats that were detected and prevented during that time frame.

You can change the time frame displayed in both graphs by selecting one of the following options from the Monitoring Period drop-down list:
Last 12 Hours
Last 14 Days
Last 21 Days
Last 6 Months

Figure 55 shows the number and severities of threats detected and prevented over the last 21 days.

Figure 55. Threats Over Last 21 Days

Hovering your mouse pointer over the signature ID causes a tooltip to appear with details about the threat.

Figure 56. Threat Details Tooltip

The local signature database on the appliance is accessed to get detailed threat information, but if the database is not up-to-date, some detailed information for the Top 10 Threats might not be available. In this case, the threat color in the graph is light grey, and the severity is displayed as unknown in the tooltip for this threat. The following error message is also displayed below the graphs:

“Warning: Web Application Firewall Signature Database for this device is not current. Please synchronize the Database from the Web Application Firewall > Status page”