Metrics for iWAF Sizing

Starting with Avi Vantage release 18.1.2, the following set of L7 metrics have been introduced to facilitate iWAF sizing:

Based on the data provided by these metrics, you can plan your iWAF resource allocation.

Note: iWAF must be enabled on Avi Vantage for analyzing WAF Bypass metric. The rest of the metrics are primarily HTTP based and are also used for WAF sizing.

WAF Bypass

A class of HTTP requests that are considered safe need not be inspected by iWAF and can be directly forwarded to the application. For instance, HTTP GET with no parameters to fetch a .jpg image.

The Static Extensions field in the iWAF profile configuration includes all requests that are termed safe. By default, .gif, .jpg, .jpeg, .png, .js, .css, .ico, .svg, .webp are the included extensions. Parameterless HTTP GET for such files are considered safe and so will bypass iWAF.

These HTTP requests are important from a iWAF sizing perspective. If web browsers interact with web applications that mostly issue requests bypassing iWAF, then iWAF will not require many resources. Alternately, if the bypass ratio is low, then iWAF inspects most of the HTTP requests, resulting in increased resource consumption.

The following Layer 7 metrics provide data on the impact of iWAF bypass:

  • l7_client.sum_waf_disabled– Total number of requests bypassing iWAF in a given metrics interval.
  • l7_client.avg_waf_disabled– Average number of transactions per second bypassing iWAF.
  • l7_client.pct_waf_disabled– Transactions bypassing iWAF as the percentage of total requests received.

HTTP headers count

iWAF inspects HTTP headers sent from the browser to the web application. With more number of headers to process, iWAF will need more resources. The following Layer 7 metrics provide data on the number of HTTP headers processed:

  • l7_client.sum_http_headers_count– Total number of HTTP headers across all requests in a given metrics interval.
  • l7_client.avg_http_headers_count– Average number of HTTP headers per request.

HTTP headers size

The size of the HTTP headers processed by iWAF has a direct impact on the resource utilization. The following Layer 7 metrics provide data on the size of HTTP header processed:

  • l7_client.sum_http_headers_bytes– Total size of HTTP request headers in a given metrics interval.
  • l7_client.avg_http_headers_bytes– Average size of HTTP headers per request.

HTTP request method ratio

The number of HTTP POST or HTTP GET received by iWAF is indicative of the web application behaviour. The following Layer 7 metrics are percentage values that indicate the GET and POST requests received:

  • l7_client.pct_get_reqs– Number of HTTP GET requests as a percentage of total requests received.
  • l7_client.pct_post_reqs– Number of HTTP POST requests as a percentage of total requests received.

A value of 60 for l7_client.pct_get_reqs and 39 for l7_client.pct_post_reqs indicate that 60% of requests received were GET and 39% were POST (the remaining 1% is considered implicit).

HTTP POST size

The size of HTTP POST requests has a direct impact on iWAF resource utilization. Higher the size, the resources utilized will be higher. The following Layer 7 metrics provide data on the POST request size:

  • l7_client.sum_post_bytes– Total size of HTTP POST requests.
  • l7_client.avg_post_bytes– Average size of a HTTP POST request.

HTTP parameters

Higher the number of HTTP parameters, more resources will be required by iWAF. With addition of each parameter, iWAF consumes significantly more resources and its performance slows down. The following Layer 7 metrics provide data on the HTTP parameters count:

  • l7_client.sum_http_params_count– Total number of HTTP request parameters.
  • l7_client.avg_http_params_count– Average number of HTTP request parameters per request.
  • l7_client.sum_reqs_with_params– Total number of HTTP requests containing at least one parameter.
  • l7_client.avg_params_per_req– Average number of HTTP request parameters per request, taking into account only requests with parameters.

l7_client.sum_http_params_count and l7_client.avg_http_params_count consider all requests, including the ones with no parameters to calculate the value. However, l7_client.sum_reqs_with_params and l7_client.avg_params_per_req consider only requests that contain at least one or more parameters.

HTTP URI length

iWAF resource utilization increases with the increase in the HTTP URI length. The following Layer 7 metrics provide data on the HTTP URI length:

  • l7_client.sum_uri_length– Total length of HTTP request URIs.
  • l7_client.avg_uri_length– Average length of HTTP URI per request.

Positive Security
Allowlist
WAF Policy Signatures