Monitor your Application Firewall

Objective

This document provides instructions on how to monitor your application firewall. Volterra provides support to monitor your application for security. To know more about how Volterra secures your applications, see Security.

Using the instructions provided in this document, you can check the rule-hit statistics and security events for your virtual host.


Prerequisites

  • VES account

    Note: If you do not have an account, see Create a VES Account.

  • A virtual host in your edge or cloud site or in our global network cloud

    Note: If you do not have a virtual host, create one. See How to Create a Virtual Host for more information.

  • Rules-based application firewall enabled on a virtual host

    Note: See How to Configure App Firewall for more information.

  • Optionally, one or more cloud or edge locations with a Volterra site

    Note: Install the Volterra node or cluster image in your cloud or edge location. For more information, see How to Create a Site.


Monitor the Application Firewall

Monitoring your application firewall consists of inspecting application firewall and security events.

Step 1: Select the namespace where the app firewall and virtual host are created.

Figure: Navigate namespace

Step 2: Select Mesh from the configuration menu and Virtual Hosts from the options pane. Click More on the right side of your virtual host.

Figure: Monitor Virtual Host (App Firewall)

Step 3: Among the loaded tabs, locate the App Firewall and Security Events tabs. These are the tabs used to monitor the firewall.

Figure: Selecting App Firewall and Security Events

Step 4: Click on the App Firewall tab. The following list provides information on each field.

  • Rules: Displays how many rules were hit and how many security events were detected
  • Top Rules Hit: Displays the description of the top rules that were triggered
  • OWASP Rules: Displays how many CRS rules are enforced and how many are disabled
  • Rule Hits by Severity: Displays the severity of the rules and how many hits in each severity level
  • Security Events by Location: Displays the origin of a security event on a map and the severity of the event.
  • Last 5 Security Events: Displays the last five triggered security events along with the description and detected time.
  • Top Hits: Displays the rules that were triggered and the number of times each one was triggered

Figure: App Firewall Dashboard

Step 5: Click on the Security Events tab. The following list provides information on each field.

  • Time: Time the event was created.
  • Client IP: Source of the suspicious request
  • Dst.Service: The tag name of the specific service that is the destination of the suspicious request
  • Request Method: Method type of the HTTP request (GET, POST, DELETE, PUT, etc.)
  • Response Code: The HTTP response code (200, 403, 404, etc.)
  • Length: The HTTP request length in KB (Kilobytes)
  • URI: Uniform Resource Identifier (URI) is a string of characters that unambiguously identifies a particular resource (for example /testcase-6/test.com)

Figure: Security Events Table
