Monitoring flagged IP addresses
The Next-Gen WAF monitors and flags IP addresses that exhibit repeat malicious behavior. This guide describes how to use the Events page and Observed Sources page to view and interact with IP addresses that the Next-Gen WAF flagged in the past 30 days.
Viewing flagged IP addresses from the Events page
Use the Events page to view all IP addresses that the Next-Gen WAF flagged in the past 30 days as a result of criteria you set.
The Events page in the Next-Gen WAF control panel lists IP addresses the Next-Gen WAF flagged as the result of regular thresholds (also known as site alerts) and templated rules.
To view the Events page in the Next-Gen WAF control panel:
- Log in to the Next-Gen WAF control panel.
- From the Sites menu, select a site if you have more than one site.
- From the site navigation bar, select Monitor > Events.
You can view information about an event in the event view area. The event view area has three sections:
The Details section contains detailed information about the event and associated IP address. This section also provides controls for managing IP addresses that have been flagged. Specifically, you can:
- click Remove flag now to remove the IP address from the flag list.
- click Allow IP to create a request rule to allow the IP address.
- click Block IP to create a request rule to block the IP address.
The Timeline section contains a timeline illustrating the actions that occurred during the event.
The Sample request section highlights a single request received during the event, including the request itself and the signals applied to it. Clicking View this request takes you to the request details page for that request. Clicking Edit rule in the Signals field will take you to the View page for the rule where you can edit the request rule.
Viewing flagged IP addresses from the Observed Sources page
IMPORTANT: This feature only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel.
The Observed Sources page provides an overview of all IP addresses that have been or soon will be flagged on your site. To access the Observed Sources page:
- Log in to the Next-Gen WAF control panel.
- From the Sites menu, select a site if you have more than one site.
- From the site navigation bar, select Monitor > Observed Sources.
The Observed Sources page contains three tabs: Suspicious IPs, Flagged IPs, and Rate Limited Sources.
Suspicious IPs tab
The Suspicious IPs tab shows IP addresses that sent a concerning volume of requests containing attack payloads but did not exceed the decision threshold for flagging. Once the threshold is met or exceeded, an IP address will be flagged and added to the Flagged IPs list. The Suspicious IPs tab helps you anticipate which IPs may soon be flagged.
Clicking on an IP address in the Suspicious IPs list will take you to the Requests page with a search for that IP address already applied.
Flagged IPs tab
The Flagged IPs tab shows all IP flagging events. IP addresses can be flagged through site alerts and templated rules.
Clicking on an IP address in the Flagged IPs list will take you to the Requests page with a search for that IP address already applied.
Rate Limited Sources tab
NOTE: Rate Limit rules are only included with the Premier platform and certain packaged offerings. They are not included as part of the Professional or Essential platforms.
The Rate Limited Sources tab shows all sources that have been rate limited via the Advanced Rate Limiting feature. A rate limit rule is a type of rule that allows you to define arbitrary conditions and automatically begin to block or tag requests that pass a specifically defined threshold.
The tab also provides controls for managing sources that have been rate limited, including:
- removing specific sources from the rate limited sources list.
- creating request rules to allow or block specific sources.