The WAF Insights page only displays data if the Web Application Firewall (WAF) is enabled on a Virtual Service in the relevant LoadMaster. To enable WAF, in the LoadMaster User Interface (UI), go to Virtual Services > View/Modify Services > Modify > WAF and select the Enabled check box.

The LoadMaster WAF Insights page provides a graphical representation of WAF logs and statistics collected from your LoadMasters.

To get to the WAF Insights page for a particular LoadMaster, go to Infrastructure > Device Inventory, click a LoadMaster name link, and click WAF Insights.

Note: You can also get limited WAF insights at the application level, by going to Applications, clicking an application name link, and clicking WAF Insights.

You can filter the LoadMaster WAF Insights page by application by selecting one or more applications in the Applications drop-down list. The data shown on the page relates to the selected applications.

Select the relevant time span to display details for requests handled by the WAF, for example, for the Last hour, Last 6 hours, Last 12 hours and so on.

You can click Reset at any time to revert to the default view.

Top 10 executed rules

This graph displays the top 10 executed WAF rules for the selected application (or applications). The table provides details of the top 10 executed rules, including the Rule ID, Rule Group, Application, and the total number of requests the rule was executed on. You can hover over each segment in the graph to view further details.

Top 10 blocked requests by IP

This graph displays the total number of requests blocked based on the client IP address for the selected application (or applications). The table provides details relating to the top 10 requests blocked based on the client IP address, including the related client IP address, application, and total number of requests. You can hover over each segment in the graph to view further details.

Top 10 blocked requests by URL

This graph displays the total number of blocked requests based on the URL for the selected application (or applications). The table provides details relating to the top 10 requests blocked based on the URL, including the related URL, application, and total number of requests. You can hover over each segment in the graph to view further details.

Total Requests

Displays the total number of requests handled by the WAF.

Blocked Requests

Displays the total number of blocked requests and the percentage of total requests that were blocked.

False Positives

Displays the number of false positive events detected against Virtual Services that ran OWASP Core Rule Set (CRS) rules during the last 24 hours on the selected LoadMaster.

False positives occur when the WAF incorrectly flags legitimate traffic as malicious. The WAF relies on the OWASP Core Rule Set (CRS) to detect attacks. These rules can sometimes be too broad or too sensitive, leading to incorrect detections. It is essential to balance security with usability by fine-tuning these rules to reduce false positives. Rule tuning is designed to help you identify potential false positives in your WAF logs and provide suggestions for handling them. The program samples your logs, highlights suspicious entries, and presents them on a dashboard for easy review. We recommend you examine the context of each suggested false positive.

When examining the false positives, consider the following:

  • User behavior: Is this a typical request for your user base? Key indicators could be the type of request, the URL, the time it was performed, or the IP address of that user.
  • Application context: Does the request match legitimate application functionality? Think about what the user is trying to do: is the behavior normal for your application?

LoadMaster 360 tries to identify false positives. When you review them, we suggest doing one of the following:

  • Tune the rule by adjusting the sensitivity of a specific CRS rule, for example, by modifying the regex patterns or threshold values.
  • Use the suggested Rule Exclusion options available on LoadMaster 360.

You can review the false positives and configure rule exclusions by going to WAF Rule Tuning in the False positive activity section.
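The review questions above (who sent the request, to which URL, at what time) can be applied to exported events before you decide on an exclusion. The following is an added example, not LoadMaster 360 code or its detection logic: it groups constructed blocked-request events by rule and URL and labels each group. The event field names, thresholds, and working-hours window are assumptions.

```python
from collections import defaultdict

# Constructed sample of blocked WAF events. Field names are hypothetical and
# do not reflect the LoadMaster log schema; IPs are documentation ranges.
def ev(rule, ip, url, hour):
    return {"rule_id": rule, "client_ip": ip, "url": url, "hour": hour}

EVENTS = [
    ev("942100", "192.0.2.10", "/api/comments", 9),
    ev("942100", "192.0.2.11", "/api/comments", 11),
    ev("942100", "192.0.2.12", "/api/comments", 14),
    ev("942100", "192.0.2.13", "/api/comments", 16),
    ev("942100", "203.0.113.7", "/login", 3),
    ev("941100", "203.0.113.7", "/login", 3),
    ev("930120", "203.0.113.7", "/login", 3),
    ev("941100", "198.51.100.20", "/profile", 13),
]

def triage(events, min_clients=3, noisy_rules=3, work_hours=range(8, 18)):
    """Label each (rule_id, url) group of blocked events for review."""
    groups = defaultdict(list)
    rules_per_ip = defaultdict(set)
    for e in events:
        groups[(e["rule_id"], e["url"])].append(e)
        rules_per_ip[e["client_ip"]].add(e["rule_id"])

    report = {}
    for key, evs in groups.items():
        clients = {e["client_ip"] for e in evs}
        # A client tripping many different rules looks like probing, not normal use.
        noisy = {ip for ip in clients if len(rules_per_ip[ip]) >= noisy_rules}
        in_hours = all(e["hour"] in work_hours for e in evs)
        if clients == noisy:
            verdict = "likely attack"
        elif len(clients) >= min_clients and not noisy and in_hours:
            verdict = "likely false positive"
        else:
            verdict = "needs manual review"
        report[key] = {"clients": len(clients), "events": len(evs), "verdict": verdict}
    return report

if __name__ == "__main__":
    for (rule, url), row in sorted(triage(EVENTS).items()):
        print(rule, url, row)
```

A group labeled "likely false positive" is only a candidate for tuning or exclusion; confirm it against the application's expected behavior first.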

False positive activity

Displays a list of false positive events detected in the last 24 hours.

You can use the search box to narrow down the list of false positives in your view.

Click WAF Rule Tuning to access the WAF Rule Tuning page, which displays detailed information on each false positive event and allows you to configure rule exclusions.

Events by location for this LoadMaster

The geographical map represents the events triggered per GEO location. If the Region drop-down list is set to All, continents are displayed as the Location. If you select a continent in the Region drop-down, countries are displayed. The table displays the Location (dependent on the Region selection), the number (and percentage of) blocked requests, and the total number of requests. The Location appears as Private for requests that come from a private IP address.

You can zoom in and out of the map using the magnifying glass icons in the bottom left of the map view. You can also drag around the map. Hover over a circle on the map to view the total number of requests for that location.