Abnormal Status Code Monitoring
UWAF monitors the flow of requests (the average QPS needs to be above 10, if it’s below this average value, this alarm will not be triggered). If the overall request, the proportion of status codes above 499 is greater than 30%, corresponding alarm emails or text messages will be sent to users in the message subscription group. The frequency is once every 5 minutes.
These abnormal status code alarms are generally triggered when the origin server returns a large number of status codes above 499. When the origin server fails to respond for a long time, UWAF will return a 502 status code. This alarm indicates that the network connection between UWAF and the origin server is available, but the origin server may not be able to handle the back-to-origin request from UWAF in time, at this time, it is necessary to check the status of the origin server.
Handling Abnormal Status Code Alarms
When receiving abnormal status code alarm emails or text messages, please follow these steps for checking:
-
Check the domain access situation in the “system overview” of the “security report”. See if the surge in traffic has caused too much pressure on the origin server
-
Check if the origin server is working normally, mainly whether the CPU usage rate and bandwidth usage rate are too high
-
Check if the origin server IP is exposed. You can check the logs of the origin server to see if a large number of requests have bypassed the WAF and accessed the origin server directly
If you confirm that the origin server is normal but the alarm is triggered or if you believe the alarm is a false one, please consult technical support for help.