Skip to content

Tencent Cloud WAF

Tencent Cloud Web Application Firewall (WAF) is an AI-based all-in-one Web business operation risk protection solution. Displayed Metrics include WAF operational status, number of attacks, attack traffic, number of attack IPs, number of attacked domains, number of attacked ports, distribution of attack types, distribution of attack sources, distribution of attack times, and attack trends, reflecting the operational status and attack conditions of WAF.

Configuration

Install Func

It is recommended to enable Guance Integration - Extension - Managed Func: All prerequisites are automatically installed. Please continue with the script installation.

If you deploy Func manually, refer to Manual Deployment of Func

Install WAF Collection Script

Note: Please prepare a Tencent Cloud AK that meets the requirements in advance (for simplicity, you can directly grant global read-only permission ReadOnlyAccess).

To synchronize WAF monitoring data, we install the corresponding collection script: 「Guance Integration (Tencent Cloud-WAF)」(ID: guance_tencentcloud_waf)

After clicking 【Install】, enter the corresponding parameters: Tencent Cloud AK, Tencent Cloud account name.

Click 【Deploy Startup Script】, and the system will automatically create a Startup script set and configure the corresponding startup script automatically.

Once enabled, you can see the corresponding automatic trigger configuration in 「Manage / Automatic Trigger Configuration」. Click 【Execute】to run it immediately without waiting for the scheduled time. After a short wait, you can view the execution task records and corresponding logs.

We default to collecting some configurations, see the metrics section for details Customize cloud object metrics

Verification

  1. In 「Manage / Automatic Trigger Configuration」, confirm whether the corresponding tasks have corresponding automatic trigger configurations, and check the corresponding task records and logs for any abnormalities.
  2. In Guance, under 「Infrastructure / Custom」, check if asset information exists.
  3. In Guance, under 「Metrics」, check if there are corresponding monitoring data.

Metrics

After configuring Tencent Cloud - Cloud Monitoring, the default Measurement set is as follows. You can collect more metrics through configuration Tencent Cloud Cloud Monitoring Metric Details

Metric English Name Metric Chinese Name Description Unit Dimension Statistical Rule
4xx Number of Access Requests with 4XX Total Number of Access Requests with 4XX Total Count domain, edition [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
4xxNew Number of Access Requests with 4XX Total Number of Access Requests with 4XX Total Count instance [5s, sum], [10s, sum], [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
5xx Number of Access Requests with 5XX Total Number of Access Requests with 5XX Total Count domain, edition [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
5xxNew Number of Access Requests with 5XX Total Number of Access Requests with 5XX Total Count instance [5s, sum], [10s, sum], [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
Access Total Number of WAF Accesses Total Number of WAF Accesses Count domain, edition [10s, sum], [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
AccessNew Total Number of WAF Accesses Total Number of WAF Accesses Count instance [5s, sum], [10s, sum], [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
Attack Total Number of WAF Attacks Total Number of WAF Attacks Count domain, edition [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
AttackNew Total Number of WAF Attacks Total Number of WAF Attacks Count instance [5s, sum], [10s, sum], [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
Bot Total Number of BOT Requests Total Number of BOT Requests Count domain, edition [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
BotNew Total Number of BOT Requests Total Number of BOT Requests Count instance [5s, sum], [10s, sum], [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
Bw Total Number of IP Blacklist Attacks Total Number of IP Blacklist Attacks Count domain, edition [10s, sum], [60s, sum], [300s, sum]
Cc Total Number of CC Attacks Total Number of CC Attacks Count domain, edition [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
CcNew Total Number of CC Attacks Total Number of CC Attacks Count instance [5s, sum], [10s, sum], [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
Down Total Outbound Bandwidth Total Outbound Bandwidth Bytes domain, edition [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
DownNew Total Outbound Bandwidth Total Outbound Bandwidth Bytes instance [5s, sum], [10s, sum], [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
InBandwidth Inbound Bandwidth Inbound Bandwidth MBytes domain, edition [60s, expr], [300s, sum], [3600s, sum], [86400s, sum]
InBandwidthNew Inbound Bandwidth Inbound Bandwidth Bytes instance [60s, expr], [300s, sum], [3600s, sum], [86400s, sum]
Leak Total Number of Sensitive Information Leakage Prevention Attacks Total Number of Sensitive Information Leakage Prevention Attacks Count domain, edition [10s, sum], [60s, sum], [300s, sum]
MetricnameCustomSecurity Custom Policy Attacks Number of Custom Policy Attacks Count domain, edition [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
MetricnameCustomSecurityNew Custom Policy Attacks Custom Policy Attacks Count instance [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
OutBandwidth Outbound Bandwidth Outbound Bandwidth MBytes edition, domain [60s, expr], [300s, sum], [3600s, sum], [86400s, sum]
OutBandwidthNew Outbound Bandwidth Outbound Bandwidth MBytes instance [60s, expr], [300s, sum], [3600s, sum], [86400s, sum]
Qps Number of Requests per Second Number of Requests per Second Count/s edition, domain [10s, expr], [60s, max], [300s, max], [3600s, max], [86400s, max]
QpsNew Number of Requests per Second Number of Requests per Second Count/s instance [10s, expr], [60s, max], [300s, max], [3600s, max], [86400s, max]
Ratio4xx Percentage of 4XX Status Codes Percentage of 4XX Status Codes % domain, edition [60s, expr], [300s, expr]
Ratio4xxNew Percentage of 4XX Status Codes Percentage of 4XX Status Codes % instance [60s, expr], [300s, expr]
Ratio5xx Percentage of 5XX Requests Percentage of 5XX Requests % domain, edition [60s, expr], [300s, expr]
Ratio5xxNew Percentage of 5XX Requests Percentage of 5XX Requests % instance [60s, expr], [300s, expr]
RatioAttack Percentage of WEB Attacks Percentage of WEB Attacks % domain, edition [60s, expr], [300s, expr]
RatioAttackNew Percentage of WEB Attacks Percentage of WEB Attacks % instance [60s, expr], [300s, expr]
RatioBot Percentage of BOT Attacks Percentage of BOT Attacks % domain, edition [60s, expr], [300s, expr]
RatioBotNew Percentage of BOT Attacks Percentage of BOT Attacks % instance [60s, expr], [300s, expr]
RatioCc Percentage of CC Attacks Percentage of CC Attacks % domain, edition [60s, expr], [300s, expr]
RatioCcNew Percentage of CC Attacks Percentage of CC Attacks % instance [60s, expr], [300s, expr]
RatioInBandwidth Instance Inbound Bandwidth Utilization Instance Inbound Bandwidth Utilization % instance [60s, expr]
RatioOutBandwidth Instance Outbound Bandwidth Utilization Instance Outbound Bandwidth Utilization % instance [60s, expr]
RatioQps Instance QPS Utilization Instance QPS Utilization % instance [60s, expr]
Tamper Total Number of Page Anti-Tampering Attacks Total Number of Page Anti-Tampering Attacks Count domain, edition [10s, sum], [60s, sum], [300s, sum]
U4xx Total Number of Upstream Requests with 4XX Total Number of Upstream Requests with 4XX Count edition, domain [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
U4xxNew Total Number of Upstream Requests with 4XX Total Number of Upstream Requests with 4XX Count instance [5s, sum], [10s, sum], [60s, sum], [300s, sum]
U5xx Total Number of Upstream Requests with 5XX Total Number of Upstream Requests with 5XX Count domain, edition [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
U5xxNew Total Number of Upstream Requests with 5XX Total Number of Upstream Requests with 5XX Count instance [5s, sum], [10s, sum], [60s, sum], [300s, sum]
Up Total Upstream Bandwidth Total Upstream Bandwidth Bytes edition, domain [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
UpNew Total Upstream Bandwidth Total Upstream Bandwidth Bytes instance [5s, sum], [10s, sum], [60s, sum], [300s, sum]
Upstream Total Number of Upstream Source Returns Total Number of Upstream Source Returns Count domain, edition [60s, sum], [300s, sum], [3600s, sum], [86400s, sum]
UpstreamNew Total Number of Upstream Source Returns Total Number of Upstream Source Returns Count instance [5s, sum], [10s, sum], [60s, sum], [300s, sum]

Note When pulling Web Application Firewall metric data, Region should be uniformly selected as "Guangzhou".

Overview of Parameters Corresponding to Each Dimension

Parameter Name Dimension Name Dimension Explanation Format
Instances.N.Dimensions.0.Name domain Domain dimension name for client attacks Enter String type dimension name: domain
Instances.N.Dimensions.0.Value domain Specific domain for client attacks Enter the specific domain for client attacks, for example: www.cloud.tencent.com
Instances.N.Dimensions.1.Name edition Dimension name for Web Application Firewall instance type Enter String type dimension name: edition
Instances.N.Dimensions.1.Value edition Specific type of Web Application Firewall instance Enter the specific type of Web Application Firewall instance, for example: SaaS WAF (input value 0) or CLB WAF (input value 1)
Instances.N.Dimensions.2.Name instance Dimension name for Web Application Firewall instance Enter String type dimension name: instance
Instances.N.Dimensions.2.Value instance Specific name of Web Application Firewall instance Enter the specific name of Web Application Firewall instance, for example: waf_2kxtpo960i9y7i05

Object

Data structure of collected Tencent Cloud WAF objects, which can be seen from 「Infrastructure-Custom」.

{
  "time": 1749782297000,
  "AppId": "1311317185",
  "CCList": "[]",
  "ClsStatus": "0",
  "Cname": "15bfb3de8de69192de22b581c2a66571.qcloudwzgj.com",
  "CreateTime": "2025-06-09T14:47:48+08:00",
  "Domain": "",
  "DomainId": "13f6c2f0def0558e9f5234270434d1b0",
  "Edition": "sparta-waf",
  "EditionNum": "0",
  "Engine": "1",
  "InstanceId": "waf_2l12weqc17ldfpop",
  "InstanceName": "gz-Default",
  "Level": "2",
  "LoadBalancerSet": "[]",
  "Ports": "[{\"NginxServerId\": 408141, \"Port\": \"80\", \"Protocol\": \"http\", \"UpstreamPort\": \"80\", \"UpstreamProtocol\": \"http\"}]",
  "Region": "gz",
  "RegionId": "",
  "RsList": "[\"134.175.221.0/24\"]",
  "SrcList": "[]",
  "State": "1",
  "Status": "1",
  "__docid": "CO_fcaf33c5dcca7aca4735e6b5d9857f2e",
  "__namespace": "custom_object",
  "__update_time": 1749782297000,
  "account_name": "",
  "class": "tencentcloud_waf",
  "cloud_provider": "tencentcloud",
  "create_time": 1749782297797,
  "date": 1749782297000,
  "date_ns": 1749782297000000000,
  "last_update_time": 1749782297797,
  "message": "{\"AccessStatus\": 1, \"AlbType\": \"\", \"ApiStatus\": 0, \"AppId\": 1311317185, \"BotStatus\": 0, \"CCList\": [], \"CdcClusters\": \"\", \"CloudType\": \"\", \"ClsStatus\": 0, \"Cname\": \"15bfb3de8de69192de22b581c2a66571.qcloudwzgj.com\", \"CreateTime\": \"2025-06-09T14:47:48+08:00\", \"Domain\": \"xxxxx.com\", \"DomainId\": \"13f6c2f0def0558e9f5234270434d1b0\", \"Edition\": \"sparta-waf\", \"EditionNum\": 0, \"Engine\": 1, \"FlowMode\": 0, \"InstanceId\": \"waf_2l12weqc17ldfpop\", \"InstanceName\": \"gz-Default\", \"Ipv6Status\": 0, \"Labels\": [\"\"], \"Level\": 2, \"LoadBalancerSet\": [], \"Mode\": 1, \"Note\": \"\", \"Ports\": [{\"NginxServerId\": 408141, \"Port\": \"80\", \"Protocol\": \"http\", \"UpstreamPort\": \"80\", \"UpstreamProtocol\": \"http\"}], \"PostCKafkaStatus\": 0, \"PostCLSStatus\": 0, \"Region\": \"gz\", \"RegionId\": \"ap-guangzhou\", \"RsList\": [\"134.175.221.0/24\"], \"SgDetail\": \"\", \"SgID\": \"\", \"SgState\": 0, \"SrcList\": [], \"State\": 1, \"Status\": 1, \"UpstreamDomainList\": [\"www.xxxxx.com\"]}",
  "name": "13f6c2f0def0558e9f5234270434d1b0",
  "time_us": 1749782297000000,
  "__searches": []
}

Note: Fields in tags, fields may change with subsequent updates.

Feedback

Is this page helpful? ×