WAF Metrics

You can monitor the health, capacity, and performance of your WAF policies by using metrics, alarms, and notifications.

This topic describes the metrics emitted by the metric namespace oci_waf (the WAF service).

Overview of the WAF Service Metrics

Oracle Cloud Infrastructure Web Application Firewall (WAF) is a cloud-based global security service that protects applications from malicious and unwanted internet traffic. The WAF service metrics help you measure various levels of traffic encountering your WAF policies, including non-malicious traffic. For more information, see Overview of the Web Application Firewall Service.

Prerequisites

  • IAM policies: To monitor resources, you must be given the required type of access in a policy  written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. The policy must give you access to the monitoring services as well as the resources being monitored. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment  you should work in. For more information on user authorizations for monitoring, see the Authentication and Authorization section for the related service: Monitoring or Notifications.
  • Permissions are required to allow monitoring, alarm, and notification (ONS) definition for users in a group for all compartments. The following policies must be configured in the root compartment:

    Allow group <WAFMonitors> to read metrics in compartment <CompartmentName>
    Allow group <WAFMonitors> to manage alarms in compartment <CompartmentName>
    Allow group <WAFmonitors> to manage ons-family in compartment <CompartmentName>

Available Metrics: oci_waf

The metrics listed in the following table are automatically available for any policies you create. You do not need to enable monitoring on the resource to get these metrics. However, you must have the policy properly set up with web traffic passing through it to make the oci_waf metric space available in the Metrics Explorer feature. Policies with no web traffic emit no metric data.

Metric Metric Display Name Unit Description Dimensions
NumberOfRequests Requests count The total number of requests serviced by the WAF.

resourceID

primaryDomain

module

action

countryCode

responseCode

responseCodeGroup

   
Traffic Traffic bytes Data egress from the WAF (compressed by default) measured in one minute intervals.
Bandwidth Bandwidth B/s (bytes per second)

Bandwidth rate calculated by dividing total data egress in a minute by 60.

NumberOfRequestsDetected Detects count The number of requests that triggered a detect (alert) for a WAF policy. resourceID

primaryDomain

module

Using the Console

WAF service metrics are currently only available using the Metrics Explorer feature in the Console. For more information about metrics, see Viewing Metric Charts.

Any metric/dimension combination can be used as criteria for alarms. Alarms can leverage Oracle Notification Service for alerting through communication mechanisms like email and pagerduty.

To view WAF metric charts
  1. Open the navigation menu. Under Solutions and Platform, go to Monitoring and click Metrics Explorer.

    For Metric Namespace, select oci_waf.

  2. Select a metric to view from the Metric Name field.

  3. Select a qualifier specified in the Dimension Name field. For example, the dimension resourceIdis specified in the metric definition for NumberOfRequests.
  4. Select the value you want to use for the specified dimension in the Dimension Value field. For example, the resource identifier for your instance of interest.

  5. Click Update Chart.

    The chart will be updated with the metrics that have been requested. You can hover over the line graphs to see a breakdown of the dimensions for data displayed.

For more information about monitoring metrics and using alarms, see Monitoring Overview. For information about notifications for alarms, see Notifications Overview.