Dashboard
An overview of traffic activity
Last updated
Was this helpful?
An overview of traffic activity
Last updated
Was this helpful?
The Dashboard page displays all incoming traffic and the actions executed in response to the different traffic events.
The user interface has three main sections:
The controls at the top allow you to easily filter the display to show only the data you want. Initially, it asks you to supply a query.
Adding a query to the Search field and selecting the magnifying glass icon will display the results.
If the Search field is left empty, Link11 WAAP will display all results that match the selected Server Group (if any) and the parameters in the date/time selection field.
Server Group filtering can also be done manually, by entering a parameter and value (server_group="$SERVER_GROUP_NAME") into the Search field. The dropdown list will reflect this specification.
Selecting the "calendar" icon will display the date/time picker, for specifying the beginning and ending dates/times for the query.
When selecting times, hours and minutes are required, while seconds are optional. To specify seconds, simply click in the time selection box and type them, as shown in the "To" field below.
When seconds are not specified, the beginning of the specified minute will be used.
Queries consist of field names, operators, and arguments. Multiple filters can be combined (separating them with commas), and are evaluated with a logical AND. Some examples:
Show blocked requests: blocked=true
Show requests from the United States: country="United States"
Show requests with status codes in the 200s: status>199,status<=299
Show requests containing the string contentfilter in their reason for being blocked: reason~"contentfilter"
If you have constructed a query that you want to use for another purpose, select the "duplicate" icon next to the magnifying glass icon. A text string for the query will be copied to your clipboard.
The kebab (vertical three-dot) menu on the far right offers three options:
Filter Information: Links to a page in the user documentation describing syntax and best practices for constructing queries.
Query History: Shows the history of your queries in the current page (Dashboard or Events Log; separate histories are maintained for each). Each entry provides a Restore button, to restore that query to the Search field. Selecting the Search button will then re-run that query.
Apply Previous Query: Restores the previous query to the Search field. Selecting the Search button will then re-run that query.
Link11 WAAP reports data according to several categories, summarized here:
Hits
Total amount of requests
Passed
Requests that reached the upstream server.
Blocked
Requests that were blocked by L11WAAP.
Humans
Requests that passed L11WAAP's human vs. bot challenge process.
Bots
Challenges
Requests that were served with bot detection challenges.
The charts display all data for the query's time period.
To adjust the time period shown in the charts, modify the query in the Search field or date/time control.
Hovering the cursor over a chart will display the values at that point on the graph.
You can filter the items being shown in a chart by selecting the data categories in the legend to enable/disable them.
This chart shows the traffic that was processed by L11WAAP: requests which passed through to the upstream servers, and requests that were blocked. Hits are distributed by time and sorted into three different categories: Humans, Challenges, and Blocked.
Counts the number of status codes in a certain time period.
HTTP Status response codes are divided into five categories:
1xx - Informational Response
2xx - Request Successful
3xx - Request for Redirection
4xx - Client Error
5xx - Server Error
How many unique sessions and IP addresses were active at any given time.
Total bandwidth for all proxies.
The number of network requests during a certain period of time.
Bandwidth for the current proxy.
The time (in milliseconds) consumed by L11WAAP's processing.
The bottom part of the Dashboard displays traffic statistics according to a variety of "top" or "most frequent" metrics: the Top Applications, Top Countries, Top Targets, etc.
Each metric contains a list of entries. Where appropriate, entries representing blocked requests are shown in red.
In most of these lists, right-clicking on the entries will display a menu with options to copy the corresponding value to the clipboard, automatically rebuild the current query to show only (or exclude) that value, or show the Events Log with requests matching (or excluding) that value.
Some of the lists include values for Down (the amount of traffic that originated from the upstream server towards the clients) and Up (the amount of traffic that originated from the client towards the upstream server).
Shows all protected sites for the current L11WAAP deployment.
Shows incoming traffic sorted by country. Each country's flag is shown by its name.
Shows traffic data according to IP address. The ASN (autonomous system number) is included where appropriate.
Shows the nature of user sessions. Sessions that pass L11WAAP's bot mitigation challenge are identified as originating from humans, and are listed here according to a user cookie containing RBZ in the cookie ID. Sessions that did not pass the challenge are shown with - for the ID.
Shows the URLs that were accessed the most frequently.
Shows the most common reasons why requests are being blocked or monitored during the time period.
Shows the referers that were extracted from the request headers.
Shows all the user agents that initiated requests for the application(s).
Shows all of the ASNs (Autonomous System Numbers) from which requests were sent. The ASN can identify individual entities, or larger networks: for example, a telecom provider or a cloud provider.
Shows a list of URIs, with the total latency for each.
Shows a list of URIs, with the latency for each from L11WAAP.
Shows a list of URIs, with the latency for each due to the upstream server.
When security incidents occur, the investigator will frequently submit a succession of queries, often starting from a broad scope and then drilling down into a narrower focus while trying to discern the underlying cause.
Link11 WAAP provides several tools in the Top Metrics section to make this process easier. The entries in each list can be right-clicked to display a popup menu, as shown below.
In this example, the admin is observing the Organizations list in the Top Metrics section, and has right-clicked on the top entry.
The options in the menu will do the following.
Copy Value to Clipboard: Copies the value of whatever was right-clicked to the clipboard. In the example above, this string would be copied: ASN4766 Korea Telecom.
Show Matching: Adds a filter parameter (for whatever was right-clicked) to the existing query in the Search field at the top of the page. Submitting the modified query will restrict the results to requests that match the field and value that was selected. In the example above, the following string would be added to the query: organization="ASN4766 Korea Telecom".
Hide Matching: Adds a filter parameter (for whatever was right-clicked) to the existing query in the Search field at the top of the page. Submitting the modified query will exclude requests that match the field and value that was selected. In the example above, the following string would be added to the query: organization!="ASN4766 Korea Telecom".
Events Log (Matching): The same as Show Matching, except that it opens the Events Log with the modified query.
Events Log (Other): The same as Hide Matching, except that it opens the Events Log with the modified query.
Note also that the Top Metrics section includes some tools for , often useful when investigating security events.
On the upper right, there is a dropdown list of (which in most deployments, correspond to domains). Selecting one will add a filter parameter that will restrict query results to that Server Group. If no Server Group is selected, traffic data will be returned for all of them.
For a full explanation and more examples, see the documentation of .
To transfer the current query to the , simply select the "Open Events Log" button on the upper right. (Note that in order for the query to transfer, it must have been run already.)
Requests with originators that were not (yet) verified as humans. For a full explanation, see .
For a full explanation of these categories and their relationships to each other, see this page: .
For a detailed list of response codes, .
Most of the Top Metrics lists display their results according to (i.e., Hits, Humans, Bots, etc.)
The Events Log has when displaying a request.
