---
title: Monitoring flagged sources
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/monitoring/monitoring-flagged-sources
---

The Next-Gen WAF monitors and flags sources (e.g., IP addresses) that exhibit repeat malicious behavior. This guide describes how to view and interact with sources that the Next-Gen WAF flagged within your data retention period.

## Viewing flagged sources from the Events page

Use the Events page to view all sources that the Next-Gen WAF flagged within your data retention period as a result of criteria you set via [threshold configurations](https://www.fastly.com/documentation/guides/next-gen-waf/thresholds/about-threshold-configurations) and [enabled CVE, API, and ATO signals](https://www.fastly.com/documentation/guides/next-gen-waf/signals/configuring-system-signals/#detections).

### Next-Gen WAF control panel

To view the Events page in the Next-Gen WAF control panel:

1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2. From the **Sites** menu, select a site if you have more than one site.

3. From the site navigation bar, select **Monitor** > **Events**.

You can view information about an event in the event view area. The event view area consists of three sections:

- The **Details** section contains detailed information about the event and associated IP address. This section also provides controls for managing sources that have been flagged. Specifically, you can:

  - click **Remove flag now** to remove the IP address from the flag list.
  - click **Allow IP** to create a [request rule](https://www.fastly.com/documentation/guides/next-gen-waf/rules/working-with-request-rules) to allow the IP address.
  - click **Block IP** to create a request rule to block the IP address.

- The **Timeline** section contains a timeline illustrating the actions that occurred during the event.

- The **Sample request** section highlights a single request received during the event, including the request itself and the signals applied to it. Clicking **View this request** takes you to the request details page for that request. Clicking **Edit rule** in the Signals field takes you to the **View** page for the rule, where you can edit the [request rule](https://www.fastly.com/documentation/guides/next-gen-waf/rules/working-with-request-rules).

### Fastly control panel

To view the Events page in the Fastly control panel:

1. Log in to the [Fastly control panel](https://manage.fastly.com).

2. Go to **Security** > **Next-Gen WAF** > [**Events**](https://manage.fastly.com/security/ngwaf/events).

3. From the workspaces bar, click the menu <span class="inline-icons"><img src="/img/icons/chevron-down.png" alt="Menu icon" /></span> to the right of the workspace name and select a workspace.

For any IP address on the Events page, click the document icon <span class="inline-icons"><img src="/img/icons/document.png" alt="Document icon" /></span> to access the Event detail page for that event. The Event detail page displays event-related information. You can use this information to help determine how to handle the IP address and then:

- click **Remove flag** to remove the IP address from the flag list.
- click **Convert to rule** to [create a rule](https://www.fastly.com/documentation/guides/next-gen-waf/rules/converting-requests-to-rules) that is based on select characteristics of the event.

## Viewing suspicious, flagged, and rate limited sources

Fastly flags three types of sources: [Suspicious IPs](https://www.fastly.com/documentation/guides/next-gen-waf/monitoring/monitoring-flagged-sources#suspicious-ips-tab), [Flagged IPs](https://www.fastly.com/documentation/guides/next-gen-waf/monitoring/monitoring-flagged-sources#flagged-ips-tab), and [Rate Limited Sources](https://www.fastly.com/documentation/guides/next-gen-waf/monitoring/monitoring-flagged-sources#rate-limited-sources-tab). To access these lists of sources, follow the instructions for your control panel below:

### Next-Gen WAF control panel

Use the Observed Sources page in the Next-Gen WAF control panel to view all sources that have been or soon will be flagged on your site:

1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2. From the **Sites** menu, select a site if you have more than one site.

3. From the site navigation bar, select **Monitor** > **Observed Sources**.

### Fastly control panel

Use the Monitor page in the Fastly control panel to view [sources that have been rate limited](https://www.fastly.com/documentation/guides/next-gen-waf/monitoring/monitoring-flagged-sources#rate-limited-sources-tab) via the [Advanced Rate Limiting feature](https://www.fastly.com/documentation/guides/next-gen-waf/rules/working-with-advanced-rate-limiting-rules/):

1. Log in to the [Fastly control panel](https://manage.fastly.com).

2. Go to **Security** > **Next-Gen WAF** > **Monitor**.

3. From the workspaces bar, click the menu <span class="inline-icons"><img src="/img/icons/chevron-down.png" alt="Menu icon" /></span> to the right of the workspace name and select a workspace.

### Suspicious IPs tab

> **IMPORTANT:** This feature only applies to Next-Gen WAF customers with access to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

The **Suspicious IPs** tab shows sources that sent a concerning volume of requests containing attack payloads but that did not exceed the decision threshold for flagged IPs. Once the threshold is met or exceeded, an IP address will be flagged and added to the [Flagged IPs](https://www.fastly.com/documentation/guides/next-gen-waf/monitoring/monitoring-flagged-sources#flagged-ips-tab) list. The Suspicious IPs tab helps you anticipate which IPs may soon be flagged.

Clicking on an IP address in the Suspicious IPs list will take you to the [Requests page](https://www.fastly.com/documentation/guides/next-gen-waf/monitoring/monitoring-requests) with a search for that IP address already applied.

### Flagged IPs tab

> **IMPORTANT:** This feature only applies to Next-Gen WAF customers with access to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

The **Flagged IPs** tab shows all IP flagging events. Sources can be flagged through [threshold configurations](https://www.fastly.com/documentation/guides/next-gen-waf/thresholds/about-threshold-configurations) and [enabled CVE, API, and ATO signals](https://www.fastly.com/documentation/guides/next-gen-waf/signals/configuring-system-signals/#detections).

Clicking on an IP address in the Flagged IPs list will take you to the [Requests page](https://www.fastly.com/documentation/guides/next-gen-waf/monitoring/monitoring-requests) with a search for that IP address already applied.

### Rate Limited Sources tab

> **IMPORTANT:** Rate Limit rules are only included with the [Premier platform](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability) and certain [packaged offerings](https://www.fastly.com/package-entitlements). They are not included as part of the Professional or Essential platforms.

The **Rate Limited Sources** tab shows all sources that have been [rate limited](https://www.fastly.com/documentation/guides/next-gen-waf/rules/working-with-advanced-rate-limiting-rules) via the Advanced Rate Limiting feature. Rate limit rules are a type of rule that allows you to define arbitrary conditions and automatically begin to block, [deceive](https://www.fastly.com/documentation/guides/next-gen-waf/rules/using-the-deception-action), or tag requests that pass a specifically defined threshold.

The tab also provides controls for managing sources that have been rate limited, including:

- refreshing the list with the latest sources.
- removing specific sources from the rate limited sources list.
- creating [request rules](https://www.fastly.com/documentation/guides/next-gen-waf/rules/working-with-request-rules) to allow, block, or deceive specific sources.

## Related content

- [Fastly Next-Gen WAF API documentation](https://www.fastly.com/documentation/reference/api/ngwaf/)
