Monitoring flagged sources

The Next-Gen WAF monitors and flags sources (e.g., IP addresses) that exhibit repeated malicious behavior. This guide describes how to view and interact with sources that the Next-Gen WAF flagged in the past 30 days.

Viewing flagged sources from the Events page

Use the Events page to view all sources that the Next-Gen WAF flagged in the past 30 days as a result of criteria you set via threshold configurations and enabled CVE, API, and ATO signals.


To view the Events page in the Next-Gen WAF control panel:

  1. Log in to the Next-Gen WAF control panel.

  2. From the Sites menu, select a site if you have more than one site.

  3. From the site navigation bar, select Monitor > Events.

You can view information about an event in the event view area. The event view area consists of three sections:

  • The Details section contains detailed information about the event and associated IP address. This section also provides controls for managing sources that have been flagged. Specifically, you can:

    • click Remove flag now to remove the IP address from the flag list.
    • click Allow IP to create a request rule to allow the IP address.
    • click Block IP to create a request rule to block the IP address.

  • The Timeline section contains a timeline illustrating the actions that occurred during the event.

  • The Sample request section highlights a single request received during the event, including the request itself and the signals applied to it. Clicking View this request takes you to the request details page for that request. Clicking Edit rule in the Signals field will take you to the View page for the rule where you can edit the request rule.

Viewing suspicious, flagged, and rate limited sources

Fastly flags three types of sources: Suspicious IPs, Flagged IPs, and Rate Limited Sources. To access these lists of sources, follow the instructions for your control panel below:


Use the Observed Sources page in the Next-Gen WAF control panel to view all sources that have been or soon will be flagged on your site:

  1. Log in to the Next-Gen WAF control panel.

  2. From the Sites menu, select a site if you have more than one site.

  3. From the site navigation bar, select Monitor > Observed Sources.

Suspicious IPs tab

IMPORTANT: This feature only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel.

The Suspicious IPs tab shows sources that sent a concerning volume of requests containing attack payloads but did not exceed the decision threshold for flagged IPs. Once the threshold is met or exceeded, an IP address will be flagged and added to the Flagged IPs list. The Suspicious IPs tab helps you anticipate which IPs may soon be flagged.

Clicking on an IP address in the Suspicious IPs list will take you to the Requests page with a search for that IP address already applied.
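The suspicious versus flagged distinction described above can be reproduced over your own request logs to sanity-check a threshold configuration. The following is an added illustration, not Fastly's implementation: the threshold, the "concerning volume" ratio, the window, the log format, and the function name are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values: the page does not state the product's actual thresholds.
FLAG_THRESHOLD = 4        # attack-tagged requests inside WINDOW that flag an IP
SUSPICIOUS_RATIO = 0.5    # share of FLAG_THRESHOLD treated as "concerning volume"
WINDOW = timedelta(minutes=1)

# Constructed sample log, sorted by time: "<timestamp> <source IP> <signal or ->"
SAMPLE_LOG = """\
2024-05-01T12:00:01 203.0.113.7 SQLI
2024-05-01T12:00:09 203.0.113.7 SQLI
2024-05-01T12:00:15 198.51.100.23 XSS
2024-05-01T12:00:20 203.0.113.7 XSS
2024-05-01T12:00:22 192.0.2.10 -
2024-05-01T12:00:31 203.0.113.7 SQLI
2024-05-01T12:00:35 198.51.100.23 XSS
2024-05-01T12:00:50 198.51.100.23 SQLI
2024-05-01T12:00:55 192.0.2.10 TRAVERSAL
2024-05-01T12:01:00 192.0.2.44 SQLI
2024-05-01T12:03:00 192.0.2.44 SQLI
2024-05-01T12:05:00 192.0.2.44 SQLI
2024-05-01T12:07:00 192.0.2.44 SQLI
"""

def classify_sources(log_text, flag_at=FLAG_THRESHOLD, ratio=SUSPICIOUS_RATIO, window=WINDOW):
    """Map each source IP to 'flagged' or 'suspicious' by its peak windowed attack count."""
    recent = defaultdict(deque)   # ip -> attack request timestamps still inside the window
    peak = defaultdict(int)       # ip -> highest count seen inside any single window
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[2] == "-":
            continue              # skip malformed lines and requests with no attack signal
        ts, ip = datetime.fromisoformat(fields[0]), fields[1]
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] >= window:
            hits.popleft()        # expire hits that fell out of the sliding window
        peak[ip] = max(peak[ip], len(hits))
    status = {}
    for ip, count in peak.items():
        if count >= flag_at:                 # threshold met or exceeded
            status[ip] = "flagged"
        elif count >= ratio * flag_at:       # concerning volume, still below the threshold
            status[ip] = "suspicious"
    return status

if __name__ == "__main__":
    print(classify_sources(SAMPLE_LOG))
```

Note that 192.0.2.44 sends as many attack requests as the flagged source but never within one window, so it appears on neither list under these assumed settings.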

Flagged IPs tab

IMPORTANT: This feature only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel.

The Flagged IPs tab shows all IP flagging events. Sources can be flagged through threshold configurations and enabled CVE, API, and ATO signals.

Clicking on an IP address in the Flagged IPs list will take you to the Requests page with a search for that IP address already applied.

Rate Limited Sources tab

IMPORTANT: Rate Limit rules are only included with the Premier platform and certain packaged offerings. They are not included as part of the Professional or Essential platforms.

The Rate Limited Sources tab shows all sources that have been rate limited via the Advanced Rate Limiting feature. Rate limit rules are a type of rule that allows you to define arbitrary conditions and automatically begin to block, deceive, or tag requests that pass a threshold you define.

The tab also provides controls for managing sources that have been rate limited, including:

  • refreshing the list with the latest sources.
  • removing specific sources from the rate limited sources list.
  • creating request rules to allow, block, or deceive specific sources.