Dashboard
An overview of traffic activity
The Dashboard page displays all incoming traffic and the actions executed in response to the different traffic events.
The user interface has three main sections:
Note also that the Top Metrics section includes some tools for quickly building queries, often useful when investigating security events.
The controls at the top allow you to easily filter the display to show only the data you want. Initially, the page asks you to supply a query.
Adding a query to the Search field and selecting the magnifying glass icon will display the results.
If the Search field is left empty, Reblaze will display all results that match the specified parameters in the date/time selection field.
Selecting the "calendar" icon will display the date/time picker, for specifying the beginning and ending dates/times for the query.
When selecting times, hours and minutes are required, while seconds are optional. To specify seconds, simply click in the time selection box and type them, as shown in the "To" field below.
When seconds are not specified, the beginning of the specified minute will be used.
Queries consist of field names, operators, and arguments. Multiple filters can be combined (separating them with commas), and are evaluated with a logical AND. Some examples:
Show blocked requests: blocked=true
Show requests from the United States: country="United States"
Show requests with status codes in the 200s: status>199,status<=299
Show requests containing the string contentfilter in their reason for being blocked: reason~"contentfilter"
For a full explanation and more examples, see the documentation of Query Filter Syntax.
If you have constructed a query that you want to use for another purpose, select the "duplicate" icon next to the magnifying glass icon. A text string for the query will be copied to your clipboard.
To transfer the current query to the Events Log, simply select the "Open Events Log" button on the upper right. (Note that in order for the query to transfer, it must have been run already.)
Reblaze reports data according to several categories, summarized here:
Hits: Total amount of requests.
Passed: Requests that reached the upstream server.
Blocked: Requests that were blocked by Reblaze.
Humans: Requests that passed Reblaze's human vs. bot challenge process.
Bots: Requests with originators that were not (yet) verified as humans. For a full explanation, see Counting Bots.
Challenges: Requests that were served with bot detection challenges.
For a full explanation of these categories and their relationships to each other, see this page: Traffic Reporting and Analytics.
The charts display all data for the query's time period.
Normally, the time period is shown in the date/time selection control. However, if the query string shown in the Search field contains a date/time period, the one in the Search field will override the selection control.
To adjust the time period shown in the charts, modify the query in the Search field or date/time control.
If you merely wish to inspect a smaller portion of the current period, you can drag the cursor over the corresponding portion of the chart. The query will be adjusted automatically to focus only on this time period.
Hovering the cursor over a chart will display the values at that point on the graph.
You can filter the items being shown in a chart by selecting the data categories in the legend to enable/disable them.
This chart shows the traffic that was processed by Reblaze: requests which passed through to the upstream servers, and requests that were blocked. Hits are distributed by time and sorted into three different categories: Humans, Challenges, and Blocked.
Counts the number of status codes in a certain time period.
HTTP Status response codes are divided into five categories:
1xx - Informational Response
2xx - Request Successful
3xx - Request For Redirection
4xx - Client Error
5xx - Server Error
For a detailed list of response codes, go here.
How many unique sessions and IP addresses were active at any given time.
Total bandwidth for all proxies.
The number of network requests during a certain period of time.
Bandwidth for the current proxy.
The time (in milliseconds) consumed by Reblaze's processing.
The bottom part of the Dashboard displays traffic statistics according to a variety of "top" or "most frequent" metrics: the Top Applications, Top Countries, Top Targets, etc.
Each metric contains a list of entries. Where appropriate, entries representing blocked requests are shown in red.
In most of these lists, right-clicking on the entries will display a menu with options to copy the corresponding value to the clipboard, automatically rebuild the current query to show only (or exclude) that value, or show the Events Log with requests matching (or excluding) that value.
Most of the Top Metrics lists display their results according to the data categories described above (i.e., Hits, Humans, Bots, etc.)
Some of the lists include values for Down (the amount of traffic that originated from the upstream server towards the clients) and Up (the amount of traffic that originated from the client towards the upstream server).
In the Top Metrics lists, rows are marked as red when they have a blockage rate above 30%. The blockage rate is the ratio of requests blocked by the system to the number of total network requests: blockage rate = (challenged requests + requests blocked by Reblaze + requests blocked by the origin) / (total requests)
Shows all protected sites for the current Reblaze deployment.
Shows incoming traffic sorted by country. Each country's flag is shown by its name.
Shows traffic data according to IP address. The ASN (autonomous system number) is included where appropriate.
Shows the nature of user sessions. Sessions that pass Reblaze's bot mitigation challenge are identified as originating from humans, and are listed here according to the user's RBZ (Reblaze) cookie ID. Sessions that did not pass the challenge are shown with - for the ID.
Shows the URLs that were accessed the most frequently.
Shows the most common reasons why requests are being blocked or monitored during the time period.
Shows the referers that were extracted from the request headers.
Shows all the user agents that initiated requests for the application(s).
Shows all of the ASNs (Autonomous System Numbers) from which requests were sent. The ASN can identify individual entities, or larger networks: for example, a telecom provider or a cloud provider.
Shows a list of URIs, with the total latency for each.
Shows a list of URIs, with the latency for each from Reblaze.
Shows a list of URIs, with the latency for each due to the upstream server.
When security incidents occur, the investigator will frequently submit a succession of queries, often starting from a broad scope and then drilling down into a narrower focus while trying to discern the underlying cause.
Reblaze provides several tools in the Top Metrics section to make this process easier. The entries in each list can be right-clicked to display a popup menu, as shown below.
In this example, the admin is observing the Organizations list in the Top Metrics section, and has right-clicked on the top entry.
The options in the menu will do the following.
Copy Value to Clipboard: Copies the value of whatever was right-clicked to the clipboard. In the example above, this string would be copied: ASN4766 Korea Telecom.
Show Matching: Adds a filter parameter (for whatever was right-clicked) to the existing query in the Search field at the top of the page. Submitting the modified query will restrict the results to requests that match the field and value that was selected. In the example above, the following string would be added to the query: organization="ASN4766 Korea Telecom".
Hide Matching: Adds a filter parameter (for whatever was right-clicked) to the existing query in the Search field at the top of the page. Submitting the modified query will exclude requests that match the field and value that was selected. In the example above, the following string would be added to the query: organization!="ASN4766 Korea Telecom".
Events Log (Matching): The same as Show Matching, except that it opens the Events Log with the modified query.
Events Log (Other): The same as Hide Matching, except that it opens the Events Log with the modified query.
The Events Log has similar query-building capabilities when displaying a request.
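The query rules described earlier (comma-separated filters combined with AND) and the Show Matching / Hide Matching drill-down can be rehearsed offline with the sketch below. It is an added example, not Reblaze code: it models only the operators that appear in this page's examples, and the function names, the event records and the ASN64500 organization are constructed for illustration.

```python
import re
# Only the operators shown in this page's examples: =, !=, >, <=, ~ (contains).
_FILTER = re.compile(r'\s*(\w+)\s*(!=|<=|=|>|~)\s*("([^"]*)"|[^,\s]+)\s*')

def parse_query(query):
    """Split a query into (field, op, arg) tuples; quoted args may hold commas."""
    query, filters, pos = query.strip(), [], 0
    while pos < len(query):
        m = _FILTER.match(query, pos)
        if not m or (m.end() < len(query) and query[m.end()] != ","):
            raise ValueError(f"cannot parse filter at offset {pos}: {query[pos:]!r}")
        filters.append((m.group(1), m.group(2), m.group(3) if m.group(4) is None else m.group(4)))
        pos = m.end() + 1
    return filters

def matches(event, filters):
    """Apply every filter; the page states they combine with a logical AND."""
    for field, op, arg in filters:
        raw = event.get(field, "")
        value = str(raw).lower() if isinstance(raw, bool) else str(raw)
        if op == "~":
            ok = arg in value
        elif op in (">", "<="):
            try:
                num, bound = float(value), float(arg)
            except ValueError:
                return False  # non-numeric or missing field never matches
            ok = num > bound if op == ">" else num <= bound
        else:
            ok = (value == arg) if op == "=" else (value != arg)
        if not ok:
            return False
    return True

def add_filter(query, field, value, hide=False):
    """Rebuild a query as Show Matching (=) or Hide Matching (!=) are described."""
    clause = field + ("!=" if hide else "=") + f'"{value}"'
    return f"{query},{clause}" if query.strip() else clause

EVENTS = [  # constructed sample records, not real Reblaze log output
    {"blocked": True, "status": 403, "organization": "ASN4766 Korea Telecom", "reason": "contentfilter"},
    {"blocked": True, "status": 403, "organization": "ASN64500 Example Hosting, Inc.", "reason": "rate limit"},
    {"blocked": False, "status": 200, "organization": "ASN64500 Example Hosting, Inc.", "reason": ""},
    {"blocked": False, "status": 204, "organization": "ASN4766 Korea Telecom", "reason": ""},
]

def run(query):  # an empty query returns every event, as the page describes
    return [e for e in EVENTS if matches(e, parse_query(query))]
```

Starting from run("blocked=true") and then passing the result of add_filter(...) back into run() mirrors the broad-to-narrow sequence an investigator follows in the Top Metrics lists.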