The following section explores further into WAF Logs Analytics.
The following are the fields in a WAF log entry.
Timestamp: Time of capturing the log.
WAF: Result of WAF evaluation. For more information, see the WAF Status section.
Client IP: IP address of the client.
URI: URL of the evaluated traffic.
Request: Request type.
Response: Response code.
Length: Size of the response body.
Duration/Timeline: Duration of the traffic.
This column in the WAF Logs entry refers to the result of WAF evaluation. The following are the possible outcomes:
REJECTED: Policy is in Enforcement mode and the request was rejected.
FLAGGED: Policy is in Detection mode and the request was logged, but not rejected.
PASSED: Request passed the WAF Policy without any match.
-: The request was not evaluated by WAF.
BYPASSED: When the request matches with the Allowlist and is bypassed.
Log Recommendations are used to help remediate false positives, if any. These Recommendations correspond to each
FLAGGED log entry.
The system generates Recommendations that suggest what you can do to mitigate a false positive. However, it is entirely within your discretion to decide if a log entry represents a false positive.
Detailed log information
Clicking on the + sign at the end of each log entry expands the panel to provide more details.
Significance: Indicates WAF Policy match.
This is the first indicator of a matched WAF Policy and does not indicate if the request was rejected.
WAF response time: Displays the execution time for all four WAF evaluation phases.
WAF Hits: Displays the rules that were matched. All rules that were matched will have an entry consisting of the following fields:
Part of the request or response that was matched, along with the offending string
Tags assigned to the rule
Add Exceptions: Under the WAF Hits section, click + Add Exceptions, to create an Exception for a false positive remediation.
Exceptions can be created either at a group or rule level. The created Exceptions are activated immediately.