Loading...
Back

About Rate Dashboard

AWS WAF v2New PlanAdvancedFeature / Spec.

The Rate Dashboard is a dashboard feature designed to help you evaluate appropriate thresholds for rate-based rules based on integrated WAF logs. When traffic load increases, it helps you consider thresholds that can capture the requests causing the surge.

To use this feature, a paid subscription to the Log Intelligence option is required.

Notes and Additional Information

  • This feature is available only when the Log Intelligence option has been added to your WafCharm account.
    • If the [Change Options] button to subscribe to the Log Intelligence option is not displayed on the Account screen, please contact your sales representative.
  • This feature is available only for WAF Configs using the Advanced Rule policy.
  • This feature is not available for WAF Configs using the Legacy Rule policy.
  • WAF log integration (new method) must be enabled in order to use this feature.
  • If the JA4 Fingerprint is not present in the WAF logs, it will not appear in the search results.
  • As this feature is intended to help you evaluate thresholds when applying AWS WAF rate-based rules, the values that can be entered or selected for each field depend on the values supported by AWS WAF rate-based rules.
  • The graph display range varies based on the number of requests and the selected extraction period.

How to Configure

First, make sure that the Log Intelligence option is enabled. On the account page, if the Log Intelligence option shows [Subscribed], it indicates that the option is active. If it shows [Not Subscribed], it has not been enabled yet. In that case, please update your option settings from the account page.

Next, enable WAF log integration from the [Log and Notification Configuration] settings of the WAF Config. For details, see How to configure WAF log integration (new method) for AWS WAF v2 Advanced.

How to Use

To use the Rate Dashboard, click [Rate Dashboard] under [Analytics] in the left menu.

Screen Overview

In the [Request Frequency Analysis] panel, you can specify the target WAF Config, aggregation unit, evaluation window, extraction period, and other conditions. Data that matches the specified criteria is displayed under [Analysis Results].

If you enter a value in [Rate Limit] at the bottom of [Analysis Results], a horizontal line will be displayed on the graph at the specified value.

About Request Frequency Analysis

The items listed in [Request Frequency Analysis] are as follows.

  • Target WAF Config: Select the WAF Config to use. Only WAF Configs using the Advanced Rule policy and with WAF log integration enabled will be displayed.
  • Aggregation Unit: Select the unit by which requests are aggregated. You can choose either IP address or JA4 Fingerprint. If the JA4 fingerprint value does not exist in the WAF logs, no data will be displayed on the graph.
  • Evaluation Window: The time window used to aggregate the number of requests. You can choose from 1 minute, 2 minutes, 5 minutes, or 10 minutes. The extraction period changes depending on the selected evaluation window.
  • Extraction Period: Select the period of WAF logs to be used when aggregating the number of requests. This varies depending on the selected evaluation window.
  • End Date & Time: Select the end date and time. Extraction is performed by going back in time by the length of the extraction period, starting from the date and time specified here. Clicking [Set Current Date & Time] automatically inserts the current date and time.

    The displayed date and time are shown in the local time zone by default. If you want to search using UTC, select [Use UTC].

    Example:
    If November 1 at 10:00 is set as the end date and time, and the evaluation window is set to 1 minute, the extraction period will be 2 hours. As a result, WAF logs from 8:00 to 10:00 on November 1 will be included in the extraction target.

About the Analysis Results

The items listed in [Analysis Results] are as follows.

  • Timeline: A timeline plotting the number of requests aggregated from WAF logs that match the conditions specified in the request frequency analysis.

    The X-axis represents the period based on the combination of [Extraction Period] and [End Date & Time], while the Y-axis represents the range based on the number of requests. The Y-axis range automatically adjusts according to the number of requests.

    When you hover over the chart, the values for the time (displayed below the panel) and the aggregated items change accordingly.

    If a rate limit is specified, a horizontal line is drawn at the corresponding value. If the specified rate limit falls outside the displayed range, the horizontal line is not shown.

  • Evaluation Window: The evaluation window specified in the request frequency analysis.
  • Rate Limit: A field used to adjust the value specified for the rate limit in a rate-based rule. The configurable range is from 10 to 2,000,000,000.
  • Time: The time at the position currently hovered over in the graph.
  • List of Target Aggregation Items: The values of items aggregated from WAF logs that match the conditions specified in the request frequency analysis. Up to the top 20 items within the extraction period are displayed.

About the [Copy Customization Inquiry Template] Button

If you would like to request a customization based on the extracted conditions, you can use the provided inquiry template, which includes the extraction conditions and other relevant information. After copying the template, paste it into the message field of the inquiry form, fill in the necessary details, and submit it.

Please note that for rate-based rules, in some cases you can apply the configuration yourself by simply setting a few items on the rule settings screen of the Advanced Rule policy. If you request the WafCharm support team to add such rules, we may suggest you add them yourself via the WafCharm Console instead.

For more information about customization, see About rule customization (AWS WAF v2).

- Target WAF Config: "{selected WAF Config name}"
- Rate Limit: (Valid range: 10 to 2,000,000,000)
- Evaluation Window: (Valid values: 1, 2, 5, or 10 minutes)
- Request Aggregation: (IP address or JA4 fingerprint)
- [Optional] Additional Conditions: (e.g., URI, headers, etc.; multiple values allowed)
- Rule Action: (Choose one: Count, Block, CAPTCHA, Challenge)

For example, if you want to block requests when the threshold is 20 requests per 10 minutes and the URI starts with “/example”, adjust the template as follows. If no filtering conditions are required, you may delete the corresponding items as needed.

- Target WAF Config: "{selected WAF Config name}"
- Rate Limit: 20
- Evaluation Window: 10 minutes
- Request Aggregation: IP address
- [Optional] Additional Conditions:
  URI: /example (Starts with string)
- Rule Action: Block

If multiple WAF Configs are involved, please list all applicable WAF Config names next to “Target WAF Config.”

Because this is only a template, feel free to include any additional conditions you would like to combine. Please provide as much detail as possible about what you want to achieve when submitting your inquiry. It is not necessary to follow the template format exactly.

Notes About the [Copy Customization Inquiry Template] Button

  • This button copies a template that you can use when submitting a customization inquiry. Clicking the button does not apply any customization.
  • Please note that we may ask you to reconfirm the information you provide in the template to avoid any misunderstandings.
  • Clicking this button does not send an inquiry. Please submit your inquiry separately through the inquiry form.