Q: How do I know if a SpamTitan server is being protected by a WAF?

A: Log on to the server UI (not the CloudFront UI) using HTTPS and check the certificate. If you see an Amazon-issued certificate, a WAF is in use; any other certificate (e.g. Let's Encrypt, DigiCert, etc.) means no WAF is in use.


Q: How can I determine if the WAF is blocking traffic from a customer?

A: All traffic processed by the WAF, allowed and blocked, is logged to a CloudWatch Log Group.


Get the external IP address of the customer's current location (e.g. home, office, etc.).

Log in to AWS

Go to the region in which the SpamTitan server is located

Go to CloudWatch

Look for a log group with a name starting with aws-waf-logs-* and click it

Look for a log stream and click it

You can now search the last 14 days of logs.  Search for the customer IP address and see if traffic is being blocked.

Or click "Tail" to start viewing the logs in real time and enter the customer's IP address to highlight any logs containing that IP. Have the customer use the UI to perform the action and monitor the resulting log entries.


Live tail:


If traffic is being blocked, provide Steven Kenny with the IP address of the customer and any details about the rules blocking the traffic (see image below).



You can also use "CloudWatch Logs Insights" to search the CloudWatch logs for a date range.



Select the WAF logs


Selection of queries you can use:


# To filter for all blocked requests, and display their terminating rule, URI path, and client IP

fields @timestamp, httpRequest.clientIp as ClientIP, httpRequest.uri as URI, terminatingRuleId as rule
| filter action = "BLOCK"
| sort @timestamp desc


# Find blocked requests for a specific IP address (replace X.X.X.X)
# Field names are case-sensitive: the WAF log field is httpRequest.clientIp

fields @timestamp, httpRequest.clientIp as ClientIP, httpRequest.uri as URI, terminatingRuleId as rule
| filter action = "BLOCK" and httpRequest.clientIp = "X.X.X.X"
| sort @timestamp desc


# Find failed logins for the new UI from a specific IP (replace X.X.X.X)

fields @timestamp, httpRequest.clientIp as ClientIP, httpRequest.uri as URI, terminatingRuleId as rule
| filter action = "BLOCK" and httpRequest.uri like "/restapi/auth/authorize" and httpRequest.clientIp = "X.X.X.X"
| sort @timestamp desc
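
The handoff described above (the customer's IP address plus the rules blocking it) can also be prepared offline from exported log events. This is an added example, not part of the original page: it assumes the events were saved one JSON object per line, and the function names, rule names and sample events are constructed for illustration.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample events in the AWS WAF log JSON shape (not real traffic).
SAMPLE_EVENTS = """\
{"timestamp": 1700000000000, "action": "BLOCK", "terminatingRuleId": "example-rate-rule", "httpRequest": {"clientIp": "203.0.113.10", "uri": "/restapi/auth/authorize"}}
{"timestamp": 1700000001000, "action": "ALLOW", "terminatingRuleId": "Default_Action", "httpRequest": {"clientIp": "203.0.113.10", "uri": "/index.html"}}
{"timestamp": 1700000002000, "action": "BLOCK", "terminatingRuleId": "example-rate-rule", "httpRequest": {"clientIp": "203.0.113.10", "uri": "/restapi/auth/authorize"}}
{"timestamp": 1700000003000, "action": "BLOCK", "terminatingRuleId": "example-geo-rule", "httpRequest": {"clientIp": "198.51.100.7", "uri": "/restapi/auth/authorize"}}
{"timestamp": 1700000004000, "action": "BLOCK", "terminatingRuleId": "example-body-rule", "httpRequest": {"clientIp": "2001:DB8:0:0:0:0:0:1", "uri": "/upload"}}
not-json debris line
"""


def summarise_blocks(lines, customer_ip):
    """Count BLOCK events for customer_ip, grouped by (rule, URI)."""
    # Compare parsed addresses, not strings, so differently written
    # IPv6 forms of the same address still match.
    wanted = ipaddress.ip_address(customer_ip)
    counts = Counter()
    for line in lines:
        try:
            event = json.loads(line)
            request = event["httpRequest"]
            client = ipaddress.ip_address(request["clientIp"])
        except (ValueError, KeyError, TypeError):
            continue  # skip truncated, non-JSON or non-WAF lines
        if event.get("action") == "BLOCK" and client == wanted:
            counts[(event.get("terminatingRuleId"), request.get("uri"))] += 1
    return counts


def handoff_report(lines, customer_ip):
    """Render the summary as text to pass on with the customer's IP."""
    counts = summarise_blocks(lines, customer_ip)
    if not counts:
        return f"No blocked requests found for {customer_ip}"
    rows = [f"{n:>4}  rule={rule}  uri={uri}"
            for (rule, uri), n in counts.most_common()]
    return "\n".join([f"Blocked requests for {customer_ip}:"] + rows)


if __name__ == "__main__":
    print(handoff_report(SAMPLE_EVENTS.splitlines(), "203.0.113.10"))
```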