A set of L7 metrics has been introduced to facilitate WAF sizing. Based on the data provided by these metrics, you can plan your WAF resource allocation.

Note:

WAF must be enabled on the NSX Advanced Load Balancer to analyze the WAF Bypass metric. The other metrics are primarily HTTP based and are also used for WAF sizing.

WAF Bypass

A class of HTTP requests that are considered safe need not be inspected by WAF and can be forwarded directly to the application. For example, an HTTP GET request with no parameters that fetches a .jpg image.

The Static Extensions field in the WAF profile configuration includes all requests that are termed safe. By default, .gif, .jpg, .jpeg, .png, .pdf, .js, .css, .ico, .svg and .webp are the included extensions.

For such files, parameterless HTTP GET requests are considered safe and will bypass WAF. These HTTP requests are important from a WAF sizing perspective. If most of the requests that web browsers issue to a web application bypass WAF, WAF will not require many resources. Conversely, if the bypass ratio is low, WAF inspects most of the HTTP requests, resulting in increased resource consumption.

The following Layer 7 metrics provide data on the impact of WAF bypass.

  • l7_client.sum_waf_disabled – Total number of requests bypassing WAF in a given metrics interval.

  • l7_client.avg_waf_disabled – Average number of transactions per second bypassing WAF.

  • l7_client.pct_waf_disabled – Transactions bypassing WAF as the percentage of total requests received.

HTTP Headers Count

WAF inspects HTTP headers sent from the browser to the web application. With more headers to process, the WAF might need more resources. The following Layer 7 metrics provide data on the number of HTTP headers processed.

  • l7_client.sum_http_headers_count – Total number of HTTP headers across all requests in a given metrics interval.

  • l7_client.avg_http_headers_count – Average number of HTTP headers per request.

HTTP Headers Size

The size of the HTTP headers processed by WAF has a direct impact on resource utilization. The following Layer 7 metrics provide data on the size of the HTTP headers processed:

  • l7_client.sum_http_headers_bytes – Total size of HTTP request headers in a given metrics interval.

  • l7_client.avg_http_headers_bytes – Average size of HTTP headers per request.

HTTP Request Method Ratio

The number of HTTP POST or HTTP GET requests received by WAF is indicative of the web application behavior. The following Layer 7 metrics are percentage values that indicate the GET and POST requests received:

  • l7_client.pct_get_reqs – Number of HTTP GET requests as a percentage of total requests received.

  • l7_client.pct_post_reqs – Number of HTTP POST requests as a percentage of total requests received.

A value of 60 for l7_client.pct_get_reqs and 39 for l7_client.pct_post_reqs indicates that 60% of requests received were GET and 39% were POST. The remaining 1% is considered implicit.

HTTP POST size

The size of HTTP POST requests has a direct impact on WAF resource utilization. The larger the POST request, the higher the resource utilization. The following Layer 7 metrics provide data on the POST request size.

  • l7_client.sum_post_bytes – Total size of HTTP POST requests.

  • l7_client.avg_post_bytes – Average size of an HTTP POST request.

HTTP Parameters

The higher the number of HTTP parameters, the more resources WAF requires. With the addition of each parameter, WAF consumes significantly more resources and its performance slows down. The following Layer 7 metrics provide data on the HTTP parameters count.

  • l7_client.sum_http_params_count – Total number of HTTP request parameters.

  • l7_client.avg_http_params_count – Average number of HTTP request parameters per request.

  • l7_client.sum_reqs_with_params – Total number of HTTP requests containing at least one parameter.

  • l7_client.avg_params_per_req – Average number of HTTP request parameters per request, taking into account only requests with parameters.

l7_client.sum_http_params_count and l7_client.avg_http_params_count consider all requests, including the ones with no parameters, to calculate the value. However, l7_client.sum_reqs_with_params and l7_client.avg_params_per_req consider only requests that contain at least one parameter.
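
As an added illustration (not VMware's code), the Python sketch below applies the WAF Bypass rule and the two parameter averages described above to a constructed request list, so the difference between the metrics can be seen on the same traffic. It assumes that only query-string parameters are counted and that the extension is read from the last path segment; the dictionary keys reuse the metric names above without the l7_client prefix.

```python
from urllib.parse import urlsplit, parse_qsl

# Default Static Extensions listed in the WAF Bypass section above.
STATIC_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png", ".pdf", ".js",
                     ".css", ".ico", ".svg", ".webp"}

def bypasses_waf(method, uri):
    """True for a parameterless GET of a static extension (the bypass rule)."""
    parts = urlsplit(uri)
    if method != "GET" or parts.query:
        return False
    name = parts.path.rsplit("/", 1)[-1]   # assumption: last path segment
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in STATIC_EXTENSIONS

def param_count(uri):
    # Assumption: only query-string parameters are counted in this sketch.
    return len(parse_qsl(urlsplit(uri).query, keep_blank_values=True))

def sizing_summary(requests):
    """Compute bypass and parameter figures for a list of (method, uri)."""
    total = len(requests)
    bypassed = sum(1 for m, u in requests if bypasses_waf(m, u))
    counts = [param_count(u) for _, u in requests]
    with_params = sum(1 for c in counts if c > 0)
    return {
        "sum_waf_disabled": bypassed,
        "pct_waf_disabled": 100.0 * bypassed / total if total else 0.0,
        "sum_http_params_count": sum(counts),
        # Averaged over all requests, including those with no parameters.
        "avg_http_params_count": sum(counts) / total if total else 0.0,
        "sum_reqs_with_params": with_params,
        # Averaged only over requests that carry at least one parameter.
        "avg_params_per_req": sum(counts) / with_params if with_params else 0.0,
    }

# Constructed sample traffic: (method, request URI).
SAMPLE = [
    ("GET", "/static/logo.png"),                  # bypasses WAF
    ("GET", "/static/app.js"),                    # bypasses WAF
    ("GET", "/static/app.js?v=3"),                # has a parameter: inspected
    ("GET", "/search?q=shoes&page=2&sort=asc"),   # inspected
    ("POST", "/upload/avatar.jpg"),               # not a GET: inspected
    ("GET", "/index.html"),                       # extension not listed
    ("GET", "/css/site.css"),                     # bypasses WAF
    ("GET", "/api/items?id=7&fields=name"),       # inspected
]

if __name__ == "__main__":
    for key, value in sizing_summary(SAMPLE).items():
        print(f"{key}: {value}")
```

On this sample, three of the eight requests bypass WAF, and the parameter average rises from 0.75 over all requests to 2.0 when only requests with parameters are counted.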

HTTP URI Length

WAF resource utilization increases with the increase in the HTTP URI length. The following Layer 7 metrics provide data on the HTTP URI length.

  • l7_client.sum_uri_length – Total length of HTTP request URIs.

  • l7_client.avg_uri_length – Average length of HTTP URI per request.