

**Introducing a new console experience for AWS WAF**

You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). 

# Testing and tuning your AWS WAF protections
<a name="web-acl-testing"></a>

This section provides guidance for testing and tuning your AWS WAF protection packs (web ACLs), rules, rule groups, IP sets, and regex pattern sets.

We recommend that you test and tune any changes to your AWS WAF protection pack (web ACL) before applying them to your website or web application traffic. 

**Production traffic risk**  
Before you deploy your protection pack (web ACL) implementation for production traffic, test and tune it in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune the rules in count mode with your production traffic before enabling them. 

This section also provides general guidance for testing your use of rule groups that are managed by someone else. These include AWS Managed Rules rule groups, AWS Marketplace managed rule groups, and rule groups that are shared with you by another account. For these rule groups, also follow any guidance that you get from the rule group provider.
+ For the Bot Control AWS Managed Rules rule group, also see [Testing and deploying AWS WAF Bot Control](waf-bot-control-deploying.md). 
+ For the account takeover prevention AWS Managed Rules rule group, also see [Testing and deploying ATP](waf-atp-deploying.md). 
+ For the account creation fraud prevention AWS Managed Rules rule group, also see [Testing and deploying ACFP](waf-acfp-deploying.md). 

**Temporary inconsistencies during updates**  
When you create or change a protection pack (web ACL) or other AWS WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes. 

The following are examples of the temporary inconsistencies that you might notice during change propagation: 
+ After you create a protection pack (web ACL), if you try to associate it with a resource, you might get an exception indicating that the protection pack (web ACL) is unavailable. 
+ After you add a rule group to a protection pack (web ACL), the new rule group rules might be in effect in one area where the protection pack (web ACL) is used and not in another.
+ After you change a rule action setting, you might see the old action in some places and the new action in others. 
+ After you add an IP address to an IP set that is in use in a blocking rule, the new address might be blocked in one area while still allowed in another.

# Testing and tuning high-level steps
<a name="web-acl-testing-high-level"></a>

This section provides a checklist of the steps for testing changes to your web ACL, including any rules or rule groups that it uses. 

**Note**  
To follow the guidance in this section, you need to understand how to create and manage AWS WAF protections like protection packs (web ACLs), rules, and rule groups. That information is covered in earlier sections of this guide.

**To test and tune your protection pack (web ACL)**

Perform these steps first in a test environment, then in production.

1. **Prepare for testing**

   Prepare your monitoring environment, switch your new AWS WAF protections to count mode for testing, and create any resource associations that you need. 

   See [Preparing for testing your AWS WAF protections](web-acl-testing-prep.md). 

1. **Monitor and tune in test and production environments**

   Monitor and adjust your AWS WAF protections first in a test or staging environment, then in production, until you're satisfied that they can handle traffic as you need them to. 

   See [Monitoring and tuning your AWS WAF protections](web-acl-testing-activities.md). 

1. **Enable your protections in production**

   When you're satisfied with your test protections, switch them to production mode, clean up any unnecessary testing artifacts, and continue monitoring.

   See [Enabling your protections in production](web-acl-testing-enable-production.md). 

After you've finished implementing your changes, continue monitoring your web traffic and protections in production to make sure that they're working as you want them to. Web traffic patterns can change over time, so you might need to adjust the protections occasionally.

# Preparing for testing your AWS WAF protections
<a name="web-acl-testing-prep"></a>

This section describes how to get set up to test and tune your AWS WAF protections. 

**Note**  
To follow the guidance in this section, you need to understand generally how to create and manage AWS WAF protections like protection packs (web ACLs), rules, and rule groups. That information is covered in earlier sections of this guide.

**To prepare for testing**

1. **Enable protection pack (web ACL) logging, Amazon CloudWatch metrics, and web request sampling for the protection pack (web ACL)**

   Use logging, metrics, and sampling to monitor the interaction of the protection pack (web ACL) rules with your web traffic. 
   + **Logging** – You can configure AWS WAF to log the web requests that a protection pack (web ACL) evaluates. You can send logs to CloudWatch logs, an Amazon S3 bucket, or an Amazon Data Firehose delivery stream. You can redact fields and apply filtering. For more information, see [Logging AWS WAF protection pack (web ACL) traffic](logging.md). 
   + **Amazon Security Lake** – You can configure Security Lake to collect protection pack (web ACL) data. Security Lake collects log and event data from various sources for normalization, analysis, and management. For information about this option, see [What is Amazon Security Lake?](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) and [Collecting data from AWS services](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html) in the *Amazon Security Lake user guide*. 
   + **Amazon CloudWatch metrics** – In your protection pack (web ACL) configuration, provide metric specifications for everything that you want to monitor. You can view metrics through the AWS WAF and CloudWatch consoles. For more information, see [Monitoring with Amazon CloudWatch](monitoring-cloudwatch.md). 
   + **Web request sampling** – You can view a sample of all web requests that your protection pack (web ACL) evaluates. For information about web request sampling, see [Viewing a sample of web requests](web-acl-testing-view-sample.md). 

1. **Set your protections to Count mode**

   In your protection pack (web ACL) configuration, switch anything that you want to test to count mode. This causes the test protections to record matches against web requests without altering how the requests are handled. You'll be able to see the matches in your metrics, logs, and sampled requests, to verify the match criteria and to understand what the effects might be on your web traffic. Rules that add labels to matching requests will add labels regardless of the rule action. 
   + **Rule defined in the protection pack (web ACL)** – Edit the rules in the protection pack (web ACL) and set their actions to Count. 
   + **Rule group** – In your protection pack (web ACL) configuration, edit the rule statement for the rule group and, in the **Rules** pane, open the **Override all rule actions** dropdown and choose **Count**. If you manage the protection pack (web ACL) in JSON, add the rules to the `RuleActionOverrides` settings in the rule group reference statement, with `ActionToUse` set to Count. The following example listing shows overrides for two rules in the `AWSManagedRulesAnonymousIpList` AWS Managed Rules rule group. 

     ```
     "ManagedRuleGroupStatement": {
       "VendorName": "AWS",
       "Name": "AWSManagedRulesAnonymousIpList",
       "RuleActionOverrides": [
         {
           "ActionToUse": {
             "Count": {}
           },
           "Name": "AnonymousIPList"
         },
         {
           "ActionToUse": {
             "Count": {}
           },
           "Name": "HostingProviderIPList"
         }
       ],
       "ExcludedRules": []
     }
     ```

     For more information about rule action overrides, see [Overriding rule actions in a rule group](web-acl-rule-group-settings.md#web-acl-rule-group-rule-action-override).

     For your own rule group, don't modify the rule actions in the rule group itself. Rule group rules with Count action don't generate the metrics or other artifacts that you need for your testing. In addition, changing a rule group affects all protection packs (web ACLs) that use it, while the changes inside the protection pack (web ACL) configuration only affect the single protection pack (web ACL). 
   + **protection pack (web ACL)** – If you're testing a new protection pack (web ACL), set the default action for the protection pack (web ACL) to allow requests. This lets you try out the web ACL without affecting traffic in any way. 

   In general, count mode generates more matches than production. This is because a rule that counts requests doesn't stop the evaluation of the request by the protection pack (web ACL), so rules that run later in the protection pack (web ACL) might also match the request. When you change your rule actions to their production settings, rules that allow or block requests will terminate the evaluation of requests that they match. As a result, matching requests will generally be inspected by fewer rules in the protection pack (web ACL). For more information about the effects of rule actions on the overall evaluation of a web request, see [Using rule actions in AWS WAF](waf-rule-action.md). 

   With these settings, your new protections won't alter web traffic, but will generate match information in metrics, protection pack (web ACL) logs, and request samples. 

1. **Associate the protection pack (web ACL) with a resource**

   If the protection pack (web ACL) isn't already associated with the resource, associate it. 

   See [Associating or disassociating protection with an AWS resource](web-acl-associating-aws-resource.md).

You're now ready to monitor and tune your protection pack (web ACL). 
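The count-mode preparation described in this section, as an added example that is not AWS code: a small transformer for a web ACL JSON definition that counts your own rules, adds `RuleActionOverrides` for the rule group rules you name, sets the default action to Allow for a new web ACL, and reports anything still able to terminate requests. The sample web ACL and rule names are constructed.

```python
"""Switch an AWS WAF web ACL definition into Count mode for testing.

Added example, not AWS code. It edits only the web ACL JSON, never a rule
group itself, as the preparation steps above recommend:
  * rules defined in the web ACL get Action = Count
  * rule group reference rules get RuleActionOverrides with Count for the
    rule names you list (the JSON shape is the listing shown above)
  * a brand-new web ACL gets DefaultAction = Allow
The sample web ACL at the bottom is constructed for this example.
"""
import copy

COUNT = {"Count": {}}
# Both reference statement types accept RuleActionOverrides in the web ACL.
GROUP_STATEMENTS = ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement")


def to_count_mode(web_acl, overrides_by_rule, new_web_acl=False):
    """Return a copy of web_acl with the protections under test in Count mode.

    overrides_by_rule maps the Name of a rule group reference rule in the web
    ACL to the names of the rules inside that group that should be counted.
    """
    acl = copy.deepcopy(web_acl)
    if new_web_acl:
        acl["DefaultAction"] = {"Allow": {}}   # try the web ACL without touching traffic
    for rule in acl.get("Rules", []):
        if "Action" in rule:
            # Rule defined directly in the web ACL: Allow/Block/CAPTCHA/Challenge -> Count
            rule["Action"] = copy.deepcopy(COUNT)
        stmt = rule.get("Statement", {})
        group = next((stmt[k] for k in GROUP_STATEMENTS if k in stmt), None)
        if group is not None and rule["Name"] in overrides_by_rule:
            current = {o["Name"]: o for o in group.get("RuleActionOverrides", [])}
            for name in overrides_by_rule[rule["Name"]]:
                current[name] = {"Name": name, "ActionToUse": copy.deepcopy(COUNT)}
            group["RuleActionOverrides"] = list(current.values())
    return acl


def still_terminating(web_acl):
    """Names of parts of the web ACL that can still allow or block on their own.

    Check this before associating the test web ACL: an empty list means every
    rule you define in the web ACL is counting and the default action allows.
    """
    found = []
    if "Allow" not in web_acl.get("DefaultAction", {}):
        found.append("DefaultAction")
    for rule in web_acl.get("Rules", []):
        if "Action" in rule and "Count" not in rule["Action"]:
            found.append(rule["Name"])
    return found


def _visibility(metric_name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


# Constructed sample: one rule of our own plus one managed rule group reference.
SAMPLE_WEB_ACL = {
    "Name": "test-web-acl",
    "DefaultAction": {"Block": {}},
    "Rules": [
        {"Name": "block-admin-path", "Priority": 0,
         "Statement": {"ByteMatchStatement": {
             "FieldToMatch": {"UriPath": {}}, "PositionalConstraint": "STARTS_WITH",
             "SearchString": "/admin",
             "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}},
         "Action": {"Block": {}}, "VisibilityConfig": _visibility("block-admin-path")},
        {"Name": "aws-anonymous-ip", "Priority": 1,
         "Statement": {"ManagedRuleGroupStatement": {
             "VendorName": "AWS", "Name": "AWSManagedRulesAnonymousIpList"}},
         "OverrideAction": {"None": {}}, "VisibilityConfig": _visibility("aws-anonymous-ip")},
    ],
}

if __name__ == "__main__":
    import json
    test_acl = to_count_mode(SAMPLE_WEB_ACL,
                             {"aws-anonymous-ip": ["AnonymousIPList", "HostingProviderIPList"]},
                             new_web_acl=True)
    print(json.dumps(test_acl, indent=2))
    print("still terminating:", still_terminating(test_acl))   # []
```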

# Monitoring and tuning your AWS WAF protections
<a name="web-acl-testing-activities"></a>

Monitor and tune your AWS WAF protections.

**Note**  
To follow the guidance in this section, you need to understand generally how to create and manage AWS WAF protections like protection packs (web ACLs), rules, and rule groups. That information is covered in earlier sections of this guide.

Monitor web traffic and rule matches to verify the behavior of the protection pack (web ACL). If you find problems, adjust your rules to correct them, and then monitor again to verify the adjustments. 

Repeat the following procedure until the protection pack (web ACL) is managing your web traffic as you need it to. 

**To monitor and tune**

1. **Monitor traffic and rule matches**

   Make sure that traffic is flowing and that your test rules are finding matching requests. 

   Look for the following information for the protections that you're testing: 
   + **Logs** – Access information about the rules that match a web request: 
     + **Your rules** – Rules in the protection pack (web ACL) that have Count action are listed under `nonTerminatingMatchingRules`. Rules with Allow or Block are listed as the `terminatingRule`. Rules with CAPTCHA or Challenge can be either terminating or non-terminating, and so are listed under one of the two categories, according to the result of the rule match.
     + **Rule groups** – Rule groups are identified in the `ruleGroupId` field, with their rule matches categorized the same as for standalone rules. 
     + **Labels** – Labels that rules have applied to the request are listed in the `Labels` field.

     For more information, see [Log fields for protection pack (web ACL) traffic](logging-fields.md).
   + **Amazon CloudWatch metrics** – You can access the following metrics for your protection pack (web ACL) request evaluation. 
     + **Your rules** – Metrics are grouped by the rule action. For example, when you test a rule in Count mode, its matches are listed as `Count` metrics for the protection pack (web ACL). 
     + **Your rule groups** – The metrics for your rule groups are listed under the rule group metrics. 
     + **Rule groups owned by another account** – Rule group metrics are generally visible only to the rule group owner. However, if you override the rule action for a rule, the metrics for that rule will be listed under your protection pack (web ACL) metrics. Additionally, labels added by any rule group are listed in your protection pack (web ACL) metrics. 

       Count action rules in rule groups do not emit metrics with the WebACL dimension; they emit only the Rule, RuleGroup, and Region dimensions. This applies even when the rule group is referenced in a web ACL.

       Rule groups in this category are [AWS Managed Rules for AWS WAF](aws-managed-rule-groups.md), [AWS Marketplace rule groups](marketplace-rule-groups.md), rule groups provided by other services (see [Recognizing rule groups provided by other services](waf-service-owned-rule-groups.md)), and rule groups that are shared with you by another account. When a protection pack (web ACL) is deployed through Firewall Manager, any rules within the web ACL that have a Count action will not display their metrics in the member account.
     + **Labels** – Labels that were added to a web request during evaluation are listed in the protection pack (web ACL) label metrics. You can access the metrics for all labels, regardless of whether they were added by your rules and rule groups or by rules in a rule group that another account owns. 

     For more information, see [Viewing metrics for your web ACL](web-acl-testing-view-metrics.md).
   + **protection pack (web ACL) traffic overview dashboards** – Access summaries of the web traffic that a protection pack (web ACL) has evaluated by going to the protection pack (web ACL)'s page in the AWS WAF console and opening the **Traffic overview** tab. 

     The traffic overview dashboards provide near real-time summaries of the Amazon CloudWatch metrics that AWS WAF collects when it evaluates your application web traffic. 

     For more information, see [Traffic overview dashboards for protection packs (web ACLs)](web-acl-dashboards.md).
   + **Sampled web requests** – Access information for the rules that match a sampling of the web requests. The sample information identifies matching rules by the metric name for the rule in the protection pack (web ACL). For rule groups, the metric identifies the rule group reference statement. For rules inside rule groups, the sample lists the matching rule name in `RuleWithinRuleGroup`. 

     For more information, see [Viewing a sample of web requests](web-acl-testing-view-sample.md).

1. **Configure mitigations to address false positives**

   If you determine that a rule is generating false positives by matching web requests when it shouldn't, the following options can help you tune your protection pack (web ACL) to mitigate them. 

   **Correcting rule inspection criteria**  
   For your own rules, you often just need to adjust the settings that you're using to inspect web requests. Examples include changing the specifications in a regex pattern set, adjusting the text transformations that you apply to a request component before inspection, or switching to using a forwarded IP address. See the guidance for the rule type that's causing problems, under [Using rule statements in AWS WAF](waf-rule-statements.md). 

   **Correcting more complex problems**  
   For inspection criteria that you don't control and for some complex rules, you might need to make other changes, like adding rules that explicitly allow or block requests or that eliminate requests from evaluation by the problematic rule. Managed rule groups most commonly need this type of mitigation, but other rules can too. Examples include the rate-based rule statement and the SQL injection attack rule statement. 

   What you do to mitigate false positives depends on your use case. The following are common approaches:
   + **Add a mitigating rule** – Add a rule that runs before the new rule and that explicitly allows requests that are causing false positives. For information about rule evaluation order in a web ACL, see [Setting rule priority](web-acl-processing-order.md).

     With this approach, the allowed requests are sent to the protected resource, so they never reach the new rule for evaluation. If the new rule is a paid managed rule group, this approach can also help contain the cost of using the rule group. 
   + **Add a logical rule with a mitigating rule** – Use logical rule statements to combine the new rule with a rule that excludes the false positives. For information, see [Using logical rule statements in AWS WAF](waf-rule-statements-logical.md).

     For example, say you're adding an SQL injection attack match statement that's generating false positives for a category of requests. Create a rule that matches those requests, and then combine the rules using logical rule statements so that you match only on requests that both don't match the false positives criteria and do match the SQL injection attack criteria. 
   + **Add a scope-down statement** – For rate-based statements and managed rule group reference statements, exclude requests that result in false positives from evaluation by adding a scope-down statement inside the main statement. 

     A request that doesn't match the scope-down statement never reaches the rule group or rate-based evaluation. For information about scope-down statements, see [Using scope-down statements in AWS WAF](waf-rule-scope-down-statements.md). For an example, see [Excluding IP range from bot management](waf-bot-control-example-scope-down-ip.md). 
   + **Add a label match rule** – For rule groups that use labeling, identify the label that the problematic rule is applying to requests. You might need to set the rule group rules in count mode first, if you haven't already done that. Add a label match rule, positioned to run after the rule group, that matches against the label that's being added by the problematic rule. In the label match rule, you can filter the requests that you want to allow from those that you want to block. 

     If you use this approach, when you're finished testing, keep the problematic rule in count mode in the rule group, and keep your custom label match rule in place. For information about label match statements, see [Label match rule statement](waf-rule-statement-type-label-match.md). For examples, see [Allowing a specific blocked bot](waf-bot-control-example-allow-blocked-bot.md) and [ATP example: Custom handling for missing and compromised credentials](waf-atp-control-example-user-agent-exception.md). 
   + **Change the version of a managed rule group** – For versioned managed rule groups, change the version that you're using. For example, you could switch back to the last static version that you were using successfully. 

     This is usually a temporary fix. You might change the version for your production traffic while you continue testing the latest version in your test or staging environment, or while you wait for a more compatible version from the provider. For information about managed rule group versions, see [Using managed rule groups in AWS WAF](waf-managed-rule-groups.md).
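The log review in step 1 above, as an added example that is not AWS code: it tallies Count-mode matches from web ACL log records (standalone rules under `nonTerminatingMatchingRules`, rule group rules under `ruleGroupList`, and labels), then estimates which rule would terminate each request once the counted rules get their intended Allow or Block actions, which makes the "count mode generates more matches than production" effect visible. Field names follow the AWS WAF log format as this example's author understands it; the log lines, rule names and labels are constructed.

```python
"""Triage Count-mode logs from an AWS WAF web ACL under test.

Added example, not AWS code. It tallies which rules matched in Count mode
(standalone rules, rules inside rule groups, and labels) and then estimates
which rule would terminate each request once the counted rules get their
intended Allow or Block actions. The difference shows why Count mode reports
more matches than production: a terminating match stops evaluation, so later
rules never see the request. Field names follow the AWS WAF log format as this
example's author understands it; log lines, rule names and labels are constructed.
"""
import json
from collections import Counter

# Constructed sample log, one JSON record per line (not captured traffic).
SAMPLE_LOG = """\
{"timestamp":1700000000000,"action":"ALLOW","terminatingRuleId":"Default_Action","nonTerminatingMatchingRules":[{"ruleId":"block-admin-path","action":"COUNT"}],"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesAnonymousIpList","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"HostingProviderIPList","action":"COUNT"}]}],"labels":[{"name":"awswaf:managed:aws:anonymous-ip-list:HostingProviderIPList"}],"httpRequest":{"clientIp":"192.0.2.10","uri":"/admin"}}
{"timestamp":1700000001000,"action":"ALLOW","terminatingRuleId":"Default_Action","nonTerminatingMatchingRules":[],"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesAnonymousIpList","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"AnonymousIPList","action":"COUNT"}]}],"labels":[{"name":"awswaf:managed:aws:anonymous-ip-list:AnonymousIPList"}],"httpRequest":{"clientIp":"198.51.100.7","uri":"/login"}}
{"timestamp":1700000002000,"action":"BLOCK","terminatingRuleId":"geo-block","nonTerminatingMatchingRules":[],"ruleGroupList":[],"labels":[],"httpRequest":{"clientIp":"203.0.113.9","uri":"/"}}
{"timestamp":1700000003000,"action":"ALLOW","terminatingRuleId":"Default_Action","nonTerminatingMatchingRules":[{"ruleId":"block-admin-path","action":"COUNT"}],"ruleGroupList":[],"labels":[],"httpRequest":{"clientIp":"192.0.2.11","uri":"/admin"}}
"""

GROUP = "AWS#AWSManagedRulesAnonymousIpList"
# Intended production actions in web ACL priority order. Rule group rules are
# keyed "<ruleGroupId>/<ruleId>". CAPTCHA and Challenge are not modelled here:
# whether they terminate depends on the client's token.
INTENDED = [
    ("geo-block", "BLOCK"),
    ("block-admin-path", "BLOCK"),
    (f"{GROUP}/HostingProviderIPList", "BLOCK"),
    (f"{GROUP}/AnonymousIPList", "COUNT"),   # stays in Count for now
]


def parse_log(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def counted_matches(rec):
    """Keys of every rule that matched this request in Count mode."""
    keys = {m["ruleId"] for m in rec.get("nonTerminatingMatchingRules") or []}
    for group in rec.get("ruleGroupList") or []:
        keys.update(f'{group["ruleGroupId"]}/{m["ruleId"]}'
                    for m in group.get("nonTerminatingMatchingRules") or [])
    return keys


def tally(records):
    """Count-mode matches per rule key and labels applied, across all records."""
    rules, labels = Counter(), Counter()
    for rec in records:
        rules.update(counted_matches(rec))
        labels.update(label["name"] for label in rec.get("labels") or [])
    return rules, labels


def estimate_production(records, intended):
    """Predict the terminating rule per request once Count rules get their intended actions.

    Returns (Counter of (rule, action) that would terminate, Counter of Count
    matches that would disappear because an earlier rule now terminates).
    A request that no intended rule terminates keeps its logged outcome.
    """
    terminators, shadowed = Counter(), Counter()
    for rec in records:
        hits = counted_matches(rec)
        if rec.get("terminatingRuleId") not in (None, "Default_Action"):
            hits.add(rec["terminatingRuleId"])   # the rule that actually terminated
        winner = None
        for key, action in intended:
            if key not in hits:
                continue
            if winner is not None:
                shadowed[key] += 1               # evaluation would already have stopped
            elif action in ("ALLOW", "BLOCK"):
                winner = (key, action)
        terminators[winner or (rec["terminatingRuleId"], rec["action"])] += 1
    return terminators, shadowed


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    rules, labels = tally(records)
    print("count-mode matches:", dict(rules))
    print("labels:", dict(labels))
    terminators, shadowed = estimate_production(records, INTENDED)
    print("predicted terminating rules:", dict(terminators))
    print("matches you would stop seeing:", dict(shadowed))
```

Feed it real web ACL log records once you have them; the shadowed counter is the part of your Count metrics that will vanish when the rules go to production, not a sign that the rules stopped working.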

When you're satisfied that the new rules are matching requests as you need them to, move to the next stage of your testing and repeat this procedure. Perform the final stage of testing and tuning in your production environment.
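The "Add a label match rule" mitigation from step 2 above, as an added example that is not AWS code: it checks that the problematic rule is overridden to Count in the rule group reference, builds a label match rule that blocks requests carrying that rule's label unless they meet an allow criterion (a URI path prefix), and places it directly after the rule group, renumbering later rules only where priorities would collide. Rule names, the sample web ACL and the allowed path are constructed; the label name is the one this example's author understands the Anonymous IP list rule group to apply, so verify it against that rule group's documentation.

```python
"""Place a label match exception rule right after a rule group in a web ACL.

Added example, not AWS code. Implements the "Add a label match rule"
mitigation: the problematic rule stays in Count mode inside the rule group
(checked, not assumed) and a new rule positioned directly after the rule
group reference blocks every request carrying that rule's label except
requests that meet an allow criterion (here a URI path prefix). Later rules
are renumbered only when their priority would collide, so they keep their
relative order. Rule names, the sample web ACL and the allowed path are
constructed; verify the label name against the rule group's documentation.
"""
import copy

HOSTING_LABEL = "awswaf:managed:aws:anonymous-ip-list:HostingProviderIPList"


def label_match_rule(name, label, allowed_uri_prefix):
    """Block requests carrying `label` unless the URI path starts with the prefix."""
    return {
        "Name": name,
        "Priority": 0,   # replaced by insert_after_rule
        "Statement": {"AndStatement": {"Statements": [
            {"LabelMatchStatement": {"Scope": "LABEL", "Key": label}},
            {"NotStatement": {"Statement": {"ByteMatchStatement": {
                "FieldToMatch": {"UriPath": {}},
                "PositionalConstraint": "STARTS_WITH",
                "SearchString": allowed_uri_prefix,
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}}},
        ]}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


def check_counted(rule, group_rule_name):
    """Raise unless the rule group reference overrides group_rule_name to Count."""
    stmt = rule["Statement"]
    group = stmt.get("ManagedRuleGroupStatement") or stmt.get("RuleGroupReferenceStatement")
    if group is None:
        raise ValueError(f"{rule['Name']} is not a rule group reference")
    for override in group.get("RuleActionOverrides", []):
        if override["Name"] == group_rule_name and "Count" in override["ActionToUse"]:
            return
    raise ValueError(f"{group_rule_name} is not overridden to Count in {rule['Name']}")


def insert_after_rule(web_acl, after_rule_name, counted_rule_name, new_rule):
    """Return a copy of web_acl with new_rule evaluated right after after_rule_name."""
    acl = copy.deepcopy(web_acl)
    rules = sorted(acl["Rules"], key=lambda r: r["Priority"])   # lowest priority runs first
    idx = next((i for i, r in enumerate(rules) if r["Name"] == after_rule_name), None)
    if idx is None:
        raise ValueError(f"no rule named {after_rule_name}")
    check_counted(rules[idx], counted_rule_name)
    new_rule = dict(copy.deepcopy(new_rule), Priority=rules[idx]["Priority"] + 1)
    prev = new_rule["Priority"]
    for rule in rules[idx + 1:]:
        if rule["Priority"] <= prev:      # collision: push this rule down, order unchanged
            rule["Priority"] = prev + 1
        prev = rule["Priority"]
    acl["Rules"] = rules[:idx + 1] + [new_rule] + rules[idx + 1:]
    return acl


def _visibility(metric_name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


# Constructed sample: the rule group with HostingProviderIPList already counted,
# followed by two rules with consecutive priorities (so inserting must renumber).
SAMPLE_WEB_ACL = {
    "Name": "test-web-acl", "DefaultAction": {"Allow": {}},
    "Rules": [
        {"Name": "aws-anonymous-ip", "Priority": 0,
         "Statement": {"ManagedRuleGroupStatement": {
             "VendorName": "AWS", "Name": "AWSManagedRulesAnonymousIpList",
             "RuleActionOverrides": [{"Name": "HostingProviderIPList",
                                      "ActionToUse": {"Count": {}}}]}},
         "OverrideAction": {"None": {}}, "VisibilityConfig": _visibility("aws-anonymous-ip")},
        {"Name": "rate-limit", "Priority": 1,
         "Statement": {"RateBasedStatement": {"Limit": 1000, "AggregateKeyType": "IP"}},
         "Action": {"Block": {}}, "VisibilityConfig": _visibility("rate-limit")},
        {"Name": "block-admin-path", "Priority": 2,
         "Statement": {"ByteMatchStatement": {
             "FieldToMatch": {"UriPath": {}}, "PositionalConstraint": "STARTS_WITH",
             "SearchString": "/admin",
             "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
         "Action": {"Block": {}}, "VisibilityConfig": _visibility("block-admin-path")},
    ],
}

if __name__ == "__main__":
    exception_rule = label_match_rule("block-hosting-providers-except-api", HOSTING_LABEL, "/api/")
    acl = insert_after_rule(SAMPLE_WEB_ACL, "aws-anonymous-ip", "HostingProviderIPList", exception_rule)
    print([(r["Name"], r["Priority"]) for r in acl["Rules"]])
```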

# Viewing metrics for your web ACL
<a name="web-acl-testing-view-metrics"></a>

This section describes how to view metrics for your protection pack (web ACL).

After you've associated a protection pack (web ACL) with one or more AWS resources, you can view the resulting metrics for the association in an Amazon CloudWatch graph. 

For information about AWS WAF metrics, see [AWS WAF metrics and dimensions](waf-metrics.md). For information about CloudWatch metrics, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html). 

For each of your rules in a protection pack (web ACL) and for all the requests that an associated resource forwards to AWS WAF for a protection pack (web ACL), CloudWatch lets you do the following:
+ View data for the preceding hour or preceding three hours.
+ Change the interval between data points.
+ Change the calculation that CloudWatch performs on the data, such as maximum, minimum, average, or sum.

**Note**  
AWS WAF with CloudFront is a global service and metrics are available only when you choose the **US East (N. Virginia)** Region in the AWS Management Console. If you choose another Region, no AWS WAF metrics will appear in the CloudWatch console.

**To view data for the rules in a protection pack (web ACL)**

1. Sign in to the AWS Management Console and open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. If necessary, change the Region to the one where your AWS resources are located. For CloudFront, choose the US East (N. Virginia) Region.

1. In the navigation pane, under **Metrics**, choose **All metrics** and then search under the **Browse** tab for `AWS::WAFV2`. 

1. Select the check box for the protection pack (web ACL) that you want to view data for.

1. Change the applicable settings:  
**Statistic**  
Choose the calculation that CloudWatch performs on the data.  
**Time range**  
Choose whether you want to view data for the preceding hour or the preceding three hours.  
**Period**  
Choose the interval between data points in the graph.  
**Rules**  
Choose the rules for which you want to view data.  
If you change the name of a rule and you want the rule's metric name to reflect the change, you must update the metric name as well. AWS WAF doesn't automatically update the metric name for a rule when you change the rule name. You can change the metric name when you edit the rule in the console, by using the rule JSON editor. You can also change both names through the APIs and in any JSON listing that you use to define your protection pack (web ACL) or rule group.

   Note the following:
   + If you recently associated a protection pack (web ACL) with an AWS resource, you might need to wait a few minutes for data to appear in the graph and for the metric for the protection pack (web ACL) to appear in the list of available metrics.
   + If you associate more than one resource with a protection pack (web ACL), the CloudWatch data will include requests for all of them.
   + You can hover the cursor over a data point to get more information.
   + The graph doesn't refresh itself automatically. To update the display, choose the refresh (![\[Icon to refresh the CloudWatch graph\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/cloudwatch-refresh-icon.png)) icon.

For more information about CloudWatch metrics, see [Monitoring with Amazon CloudWatch](monitoring-cloudwatch.md). 

# Traffic overview dashboards for protection packs (web ACLs)
<a name="web-acl-dashboards"></a>

This section describes the protection pack (web ACL) traffic overview dashboards in the AWS WAF console. After you associate a protection pack (web ACL) with one or more AWS resources and enable metrics for the protection pack (web ACL), you can access summaries of the web traffic that the protection pack (web ACL) evaluates by going to the protection pack (web ACL)'s **Traffic overview** tab in the AWS WAF console. The dashboards include near real-time summaries of the Amazon CloudWatch metrics that AWS WAF collects when it evaluates your application web traffic, including specialized AI bot and agent activity analysis.

**Note**  
If you don't see anything on the dashboards, make sure you have metrics enabled for the protection pack (web ACL). 

The protection pack (web ACL)'s **Traffic overview** tab contains tabbed dashboards with the following categories of information: 
+ **Top security insights** – Insights into your AWS WAF protections that AWS WAF obtains by directly querying the Amazon CloudWatch logs. The rest of the dashboard uses the CloudWatch metrics. These insights provide richer information, but incur the added costs of querying the CloudWatch logs. For information about the additional costs, see [Amazon CloudWatch Logs Pricing](https://aws.amazon.com/cloudwatch/pricing/). 
+ **AI Traffic Analysis** – Web requests analyzed for AI bot and agent activity, including bot identification, intent classification, access patterns, and temporal trends. This tab is available when your protection pack (web ACL) receives AI bot traffic.
+ **All traffic** – All web requests that the protection pack (web ACL) evaluates. 

  The dashboard focus is on terminating actions, but you can view the matches for count rules in the following locations: 
  + **Top 10 rules** pane of this dashboard. Toggle **Switch to count action** to show count rule matches. 
  + **Sampled requests** tab of the protection pack (web ACL) page. This new tab includes a graph of all rule matches. For information, see [Viewing a sample of web requests](web-acl-testing-view-sample.md). 
+ **Anti-DDoS** – Web requests that the protection pack (web ACL) evaluates using the `AntiDDoSRuleSet` Anti-DDoS managed rule group.

  This tab is only available if you're using this rule group in your protection pack (web ACL).
+ **Bot Control** – Web requests that the protection pack (web ACL) evaluates using the Bot Control managed rule group. 

  If you aren't using this rule group in your protection pack (web ACL), this tab shows the results of evaluating a sampling of your web traffic against the Bot Control rules. This gives you an idea of the bot traffic that your application receives, and it's free of charge. 

  This rule group is part of the intelligent threat mitigation options that AWS WAF offers. For more information, see [AWS WAF Bot Control](waf-bot-control.md) and [AWS WAF Bot Control rule group](aws-managed-rule-groups-bot.md).
+ **Account takeover prevention** – Web requests that the protection pack (web ACL) evaluates using the AWS WAF Fraud Control account takeover prevention (ATP) managed rule group. This tab is only available if you're using this rule group in your protection pack (web ACL). 

  The ATP rule group is part of the AWS WAF intelligent threat mitigation offerings. For more information, see [AWS WAF Fraud Control account takeover prevention (ATP)](waf-atp.md) and [AWS WAF Fraud Control account takeover prevention (ATP) rule group](aws-managed-rule-groups-atp.md).
+ **Account creation fraud prevention** – Web requests that the protection pack (web ACL) evaluates using the AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule group. This tab is only available if you're using this rule group in your protection pack (web ACL). 

  The ACFP rule group is part of the AWS WAF intelligent threat mitigation offerings. For more information, see [AWS WAF Fraud Control account creation fraud prevention (ACFP)](waf-acfp.md) and [AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group](aws-managed-rule-groups-acfp.md).

The dashboards are based on the protection pack (web ACL)'s CloudWatch metrics, and the graphs provide access to the corresponding metrics in CloudWatch. For the intelligent threat mitigation dashboards, like Bot Control, the metrics used are primarily the label metrics. 
+ For a list of the metrics that AWS WAF provides, see [AWS WAF metrics and dimensions](waf-metrics.md).
+ For information about CloudWatch metrics, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html). 

The dashboards provide summaries of your traffic patterns for the terminating actions and date range that you select. The intelligent threat mitigation dashboards include requests that the corresponding managed rule group evaluated, regardless of whether the managed rule group itself applied the terminating action. For example, if Block is selected, the **Account takeover prevention** dashboard includes information for all web requests that were both evaluated by the ATP managed rule group and blocked at some point during the protection pack (web ACL) evaluation. The requests can be blocked by the ATP managed rule group, by a rule that ran after the rule group in the protection pack (web ACL), or by the protection pack (web ACL) default action. 

# Viewing the dashboards for a protection pack (web ACL)
<a name="web-acl-dashboards-accessing"></a>

Follow the procedure in this section to access the protection pack (web ACL) dashboards and set the data filtering criteria. If you recently associated a protection pack (web ACL) with an AWS resource, you might need to wait a few minutes for data to become available in the dashboards.

The dashboards include the requests for all of the resources that you've associated with the protection pack (web ACL). 

**To view the Traffic overview dashboards for a protection pack (web ACL)**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. In the navigation pane, choose **protection packs (web ACLs)** and then search for the web ACL that you're interested in. 

1. Select the protection pack (web ACL). The console takes you to the protection pack (web ACL)'s page. The **Traffic overview** tab is selected by default.

1. Change the **Data filters** settings as needed. 
   + **Terminating rule actions** – Select the terminating actions to include in the dashboards. The dashboards summarize the metrics for the web requests that had one of the selected actions applied by the protection pack (web ACL) evaluation. If you select all of the available actions, the dashboards include all evaluated web requests. For information about the actions, see [How AWS WAF handles rule and rule group actions](web-acl-rule-actions.md). 
   + **Time range** – Select the time interval to view in the dashboards. You can choose to view a time frame relative to now, for example the last 3 hours or the last week, and you can select an absolute time range from a calendar. 
   + **Time zone** – This setting applies when you specify an absolute time range. You can use your browser's local time zone or UTC (Coordinated Universal Time). 

Review the information in the tabs that you're interested in. The data filter selections apply to all of the dashboards. In the graph panes, you can hover the cursor over a data point or an area to see any additional details. 

**Count action rules**  
You can view information for count action matches in one of two places. 
+ In this **Traffic overview** tab, on the **All traffic** dashboard, find the **Top 10 rules** pane and toggle **Switch to count action**. With this toggle on, the pane shows count rule matches instead of terminating rule matches.
+ In the protection pack (web ACL)'s **Sampled requests** tab, see a graph of all rule matches and actions for the time range that you've set on the **Traffic overview** tab. For information about the **Sampled requests** tab, see [Viewing a sample of web requests](web-acl-testing-view-sample.md). 

**Amazon CloudWatch metrics**  
In the dashboard graph panes, you can access the CloudWatch metrics for the graphed data. Choose the option at the top of the graph pane or from the **⋮** (vertical ellipsis) dropdown menu inside the pane. 

**Refreshing the dashboards**  
The dashboards don't refresh automatically. To update the display, choose the refresh ![\[Icon to refresh the dashboard graph\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/cloudwatch-refresh-icon.png) icon.

# Examples of the traffic overview dashboards for protection packs (web ACLs)
<a name="web-acl-dashboards-screenshots"></a>

This section shows example screens of the traffic overview dashboards for protection packs (web ACLs). 

**Note**  
If you're already using AWS WAF to protect your application resources, you can see the dashboards for any of your protection packs (web ACLs) at its page in the AWS WAF console. For information, see [Viewing the dashboards for a protection pack (web ACL)](web-acl-dashboards-accessing.md).

**Example screen: Data filters and All traffic dashboard action counts**  
The following screenshot depicts the traffic overview for a protection pack (web ACL) with the **All traffic** tab selected. The data filters are set to the defaults: all terminating actions for the last three hours. 

Inside the all traffic dashboard are the action totals for the various terminating actions. Each pane lists the request count and shows an up/down arrow indicating the change since the prior three-hour time range. 

![\[The AWS WAF console shows the protection pack (web ACL) page Traffic overview tab with the default data filters selected. The terminating rule action options are Block, Allow, CAPTCHA, and Challenge. Below the data filters section are tabs for all traffic, Bot Control, and Account takeover prevention.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/web-acl-dashboard-data-filters-default-top-actions.png)


**Example screen: Bot Control dashboard action counts**  
The following screenshot depicts action counts for the Bot Control dashboard. This shows the same totals panes for the time range, but the counts are only for requests that the Bot Control rule group evaluated. Farther down, in the **Action totals** pane, you can see the action counts throughout the specified three-hour time range. For this time range, the CAPTCHA action wasn't applied to any of the requests that the rule group evaluated.

![\[The AWS WAF console shows the top portion of the Bot Control dashboard, with action totals for the time range and action totals throughout the time range.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/web-acl-dashboard-bot-action-totals.png)


**Example screen: AI Traffic Analysis dashboard action counts**  
The following screenshot depicts the AI Traffic Analysis dashboard for a protection pack (web ACL). The dashboard shows AI bot activity over the selected time range with filters for bot organization, intent type, and verification status.

![\[The AWS WAF console shows the top portion of the AI Traffic Analysis dashboard, with top crawlers and top paths for the time range and action totals throughout the time range.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/waf-phantom-edge-dashboard.png)


The dashboard includes:
+ **Bot Identity panel** – Lists detected AI bots with names and organizations
+ **Intent Classification** – Categorizes bot purposes (crawling, indexing, research, etc.)
+ **Access Patterns** – Top URLs accessed by AI agents with request counts
+ **Temporal Analysis** – Hourly and daily activity trends with 14-day historical view
+ **Organization Breakdown** – Traffic volume by bot owner organization

**Example screen: Bot Control dashboard token status summary graphs**  
The following screenshot depicts two of the summary graphics available in the Bot Control dashboard. The **Token status** pane shows counts for the various token status labels, paired with the rule action that was applied to the request. The **IP token absent thresholds** pane shows data for requests from IPs that were sending too many requests without a token. 

Hovering over any area in the graph brings up the available information details. In the **Token status** pane in this screenshot, the mouse is hovering over a point in time, without being on any graph line, so the console displays the data for all lines at that point in time. 

![\[The AWS WAF console shows two panes for Token status and IP token absent thresholds, with similar graph lines for blocked and challenged requests in each pane. The Token status pane also has a graph for allowed requests.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/web-acl-dashboard-bot-token-panes.png)


This section shows just a few of the traffic summaries that are provided in the protection pack (web ACL) traffic overview dashboards. To see the dashboards for any of your protection packs (web ACLs), open the protection pack (web ACL)'s page in the console. For information about how to do this, see the guidance at [Viewing the dashboards for a protection pack (web ACL)](web-acl-dashboards-accessing.md).

# Viewing a sample of web requests
<a name="web-acl-testing-view-sample"></a>

This section describes the protection pack (web ACL) **Sampled requests** tab in the AWS WAF console. In this tab, you can view a graph of all of the rule matches for web requests that AWS WAF has inspected. Additionally, if you have request sampling enabled for the protection pack (web ACL), you can see a table view of a sample of the web requests that AWS WAF has inspected. You can also retrieve sampled request information through the API call `GetSampledRequests`.

The sample of requests contains up to 100 requests that matched the criteria for a rule in the protection pack (web ACL) and another 100 requests that didn't match any rules and had the protection pack (web ACL) default action applied. The requests in the sample come from all the protected resources that have received requests for your content in the previous three hours. 

When a web request matches the criteria in a rule and the action for that rule doesn't terminate the request evaluation, AWS WAF continues inspecting the web request using the subsequent rules in the protection pack (web ACL). Because of this, a web request could appear multiple times. For information about rule action behaviors, see [Using rule actions in AWS WAF](waf-rule-action.md).

**To view the all rules graph and sampled requests**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. In the navigation pane, choose **protection packs (web ACLs)**.

1. Choose the name of the protection pack (web ACL) for which you want to view requests. The console takes you to the protection pack (web ACL)'s description, where you can edit it.

1. In the **Sampled requests** tab, you can see the following: 
   + **All rules graph** – This graph shows the matching rules and rule actions for all web request evaluations that were performed during the indicated time range. 

     **Note**  
     The time range for this graph is set in the protection pack (web ACL)'s **Traffic overview** tab, in the **Data filters** section. For information, see [Viewing the dashboards for a protection pack (web ACL)](web-acl-dashboards-accessing.md). 
   + **Sampled requests table** – This table displays sampled request data for the last 3 hours. 

     **Note**  
     If you aren't seeing the samples that you expect for a managed rule group, see the section below this procedure. 

     For each entry, the table displays the following data:  
     **Metric name**  
     The CloudWatch metric name for the rule in the protection pack (web ACL) that matched the request. If a web request doesn't match any rule in the protection pack (web ACL), this value is **Default**.  
     If you change the name of a rule and you want the rule's metric name to reflect the change, you must update the metric name as well. AWS WAF doesn't automatically update the metric name for a rule when you change the rule name. You can change the metric name when you edit the rule in the console, by using the rule JSON editor. You can also change both names through the APIs and in any JSON listing that you use to define your protection pack (web ACL) or rule group.  
     **Source IP**  
     Either the IP address that the request originated from or, if the viewer used an HTTP proxy or an Application Load Balancer to send the request, the IP address of the proxy or Application Load Balancer.  
     **URI**  
     The part of a URL that identifies a resource, for example, `/images/daily-ad.jpg`.  
     **Rule inside rule group**  
     If the metric name identifies a rule group reference statement, this identifies the rule inside the rule group that matched the request.  
     **Action**  
     Indicates the action for the corresponding rule. For information about the possible rule actions, see [Using rule actions in AWS WAF](waf-rule-action.md).  
     Sampled requests for rules with Count action in rule groups are not available in the Web ACL view. Count metrics and sampled requests for rule group rules are only visible to the rule group owner.  
     **Time**  
     The time that AWS WAF received the request from the protected resource. 

   To display additional information about the components of a web request, choose the name of the URI in the row of the request.

**Sampled requests for rules in managed rule groups**  
The console shows metrics for rule groups with "rule inside rule group" specifying the rule that was triggered. You can view metrics for default action rulesets and rules using the most recent `RuleActionOverrides` setting. For rules using the older `ExcludedRules` setting, select the specific rule from within the ruleset from the **Sampled Requests** metrics rule dropdown.

If you see the older settings, replace them with the new settings to start making the sampled requests available through the console. You can do this through the console by editing the managed rule group in the protection pack (web ACL) and saving it. AWS WAF automatically replaces any older settings with the `RuleActionOverrides` settings and sets the rule action override to Count. For more information about these two settings, see [JSON listing: `RuleActionOverrides` replaces `ExcludedRules`](web-acl-rule-group-override-options.md#web-acl-rule-group-override-replaces-exclude).

You can access sampled requests for a rule that has the old override in place through the AWS WAF REST API, SDKs, or command line. For information, see [GetSampledRequests](https://docs.aws.amazon.com/waf/latest/APIReference/API_GetSampledRequests.html) in the *AWS WAF API Reference*.

The following shows the syntax for the command line request: 

```
aws wafv2 get-sampled-requests \
  --web-acl-arn <web ACL ARN> \
  --rule-metric-name <metric name of the rule in the managed rule group> \
  --scope <REGIONAL | CLOUDFRONT> \
  --time-window StartTime=<UTC timestamp>,EndTime=<UTC timestamp> \
  --max-items 100
```
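As an added example (not part of the AWS documentation), the following Python script makes the same `GetSampledRequests` call through boto3 and rolls the sample up by action, rule inside the rule group, URI and client IP, weighted by each sampled request's `Weight`, which is how a practitioner decides whether a Count-mode rule is ready for its production action. The `SAMPLE` data, IPs and rule names are constructed placeholders.

```python
"""Summarize GetSampledRequests output to judge Count-mode rules before
switching them to Block. Added example, not from the AWS documentation.
Uses the real boto3 call wafv2.get_sampled_requests; SAMPLE is constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone


def fetch_sampled_requests(client, web_acl_arn, rule_metric_name, scope="REGIONAL"):
    """Real call, same parameters as the CLI above; the sample covers at most
    the previous three hours, so ask for exactly that window."""
    end = datetime.now(timezone.utc)
    resp = client.get_sampled_requests(
        WebAclArn=web_acl_arn, RuleMetricName=rule_metric_name, Scope=scope,
        TimeWindow={"StartTime": end - timedelta(hours=3), "EndTime": end},
        MaxItems=100,
    )
    return resp["SampledRequests"]


def summarize(sampled):
    """Weight each sampled request by its Weight (how many real requests it
    stands for) and roll up by action, by (rule inside rule group, URI) and
    by client IP. A Count rule that only hits a few abusive paths or IPs is a
    candidate for Block; one spread across legitimate paths needs scoping."""
    by_action, by_rule_uri, by_ip = Counter(), Counter(), Counter()
    for r in sampled:
        w = r.get("Weight", 1)
        by_action[r["Action"]] += w
        by_rule_uri[(r.get("RuleNameWithinRuleGroup", "-"), r["Request"]["URI"])] += w
        by_ip[r["Request"]["ClientIP"]] += w
    return {"actions": dict(by_action), "rule_uri": dict(by_rule_uri),
            "top_ips": by_ip.most_common(3)}


def _entry(uri, ip, action, rule=None, weight=1):
    # Constructed entry in the shape of the API response, trimmed to used fields.
    e = {"Request": {"URI": uri, "ClientIP": ip, "Method": "GET"},
         "Action": action, "Weight": weight}
    if rule:
        e["RuleNameWithinRuleGroup"] = rule
    return e


# Constructed sample (placeholder IPs and rule names, not real traffic).
SAMPLE = [
    _entry("/login", "203.0.113.10", "COUNT", "NoUserAgent_HEADER", 3),
    _entry("/login", "203.0.113.10", "COUNT", "NoUserAgent_HEADER", 2),
    _entry("/images/daily-ad.jpg", "198.51.100.7", "COUNT", "NoUserAgent_HEADER"),
    _entry("/health", "192.0.2.44", "ALLOW"),
]
```

For live data, call `summarize(fetch_sampled_requests(boto3.client("wafv2"), web_acl_arn, metric_name))` with your own ARN and rule metric name.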

# Enabling your protections in production
<a name="web-acl-testing-enable-production"></a>

This section provides instructions for enabling your tuned protections in production.

When you've finished the final stage of testing and tuning in your production environment, enable your protections in production mode.

**Production traffic risk**  
Before you deploy your protection pack (web ACL) implementation for production traffic, test and tune it in a test environment until you are comfortable with the potential impact to your traffic. Also test and tune it in count mode with your production traffic before enabling your protections for production traffic. 

**Note**  
To follow the guidance in this section, you need to understand generally how to create and manage AWS WAF protections like protection packs (web ACLs), rules, and rule groups. That information is covered in earlier sections of this guide.

Perform these steps first in your test environment, then in production.

**Enable your AWS WAF protections in production**

1. **Switch to your production protections**

   Update your protection pack (web ACL) and switch your settings for production. 

   1. **Remove any test rules that you don't need**

      If you added test rules that you don't need in production, remove them. If you're using any label matching rules to filter the results of managed rule group rules, be sure to leave those in place. 

   1. **Switch to production actions**

      Change the action settings for your new rules to their intended production settings. 
      + **Rule defined in the protection pack (web ACL)** – Edit the rules in the protection pack (web ACL) and change their actions from Count to their production actions. 
      + **Rule group** – In your protection pack (web ACL) configuration of the rule group, switch rules to use their own actions or leave them with the Count action override, according to the results of your testing and tuning activities. If you're using a label matching rule to filter the results of a rule group rule, be sure to leave the override for that rule in place. 

        To switch to using a rule's action, in your protection pack (web ACL) configuration, edit the rule statement for the rule group and remove the Count override for the rule. If you manage the protection pack (web ACL) in JSON, in the rule group reference statement, remove the entry for the rule from the `RuleActionOverrides` list. 
      + **Protection pack (web ACL) default action** – If you changed the protection pack (web ACL) default action for your tests, switch it to its production setting. 

      With these settings, your new protections will be managing web traffic as you intend. 

   When you save your protection pack (web ACL), the resources that it's associated with will be using your production settings. 

1. **Monitor and tune**

   To be sure that web requests are being handled as you want, closely monitor your traffic after you enable the new functionality. You'll be monitoring metrics and logs for your production rule actions, instead of the count actions that you monitored during your tuning work. Keep monitoring and adjust the behavior as needed to adapt to changes in your web traffic. 
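The JSON side of the "Switch to production actions" step, as an added example that is not AWS code: it takes the JSON form of a protection pack (web ACL) rule that references a rule group, removes the Count overrides from `RuleActionOverrides` so the rule group's own actions apply, and keeps the override for any rule you name because a label matching rule still filters its results. The rule group name and rule names in `TEST_RULE` are constructed placeholders.

```python
"""Switch tuned rule-group rules from the Count override to their own action.
Added example, not AWS code. Operates on the JSON form of a protection pack
(web ACL) rule that references a rule group. Names below are placeholders."""
import copy


def migrate_excluded_rules(stmt):
    """Mirror what the console does on save: turn legacy ExcludedRules entries
    into RuleActionOverrides entries with ActionToUse set to Count."""
    for excluded in stmt.pop("ExcludedRules", []):
        stmt.setdefault("RuleActionOverrides", []).append(
            {"Name": excluded["Name"], "ActionToUse": {"Count": {}}}
        )
    return stmt


def promote_to_production(rule, keep_in_count=frozenset()):
    """Return a copy of the web ACL rule with Count overrides removed, except
    for rules named in keep_in_count (those a label matching rule filters).
    Non-Count overrides (for example an explicit Block) are left untouched."""
    rule = copy.deepcopy(rule)  # never mutate the caller's configuration
    stmt = (rule["Statement"].get("ManagedRuleGroupStatement")
            or rule["Statement"]["RuleGroupReferenceStatement"])
    migrate_excluded_rules(stmt)
    remaining = [
        o for o in stmt.get("RuleActionOverrides", [])
        if o["Name"] in keep_in_count or "Count" not in o["ActionToUse"]
    ]
    if remaining:
        stmt["RuleActionOverrides"] = remaining
    else:
        stmt.pop("RuleActionOverrides", None)  # nothing left to override
    return rule


# Constructed rule as it would appear in a web ACL JSON listing after tuning:
# two managed rules still in Count, one override to Block.
TEST_RULE = {
    "Name": "AWS-AWSManagedRulesCommonRuleSet",
    "Priority": 0,
    "OverrideAction": {"None": {}},
    "Statement": {"ManagedRuleGroupStatement": {
        "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet",
        "RuleActionOverrides": [
            {"Name": "SizeRestrictions_BODY", "ActionToUse": {"Count": {}}},
            {"Name": "NoUserAgent_HEADER", "ActionToUse": {"Count": {}}},
            {"Name": "GenericRFI_BODY", "ActionToUse": {"Block": {}}},
        ],
    }},
    "VisibilityConfig": {"SampledRequestsEnabled": True,
                         "CloudWatchMetricsEnabled": True,
                         "MetricName": "AWS-AWSManagedRulesCommonRuleSet"},
}
```

Feed the returned rule back into the `Rules` list of your `update-web-acl` input; `SizeRestrictions_BODY` stays in Count only if you pass it in `keep_in_count`.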