Q: How do I know if a SpamTitan server is being protected by a WAF?
A: Log on to the server UI (not the cloudfront UI) using HTTPS and check the certificate. If you see an Amazon issued certificate a WAF is in use, any other certificate means no WAF is in use (e.g. Let's Encrypt, Digicert,etc).
Q: How can I determine if the WAF is blocking traffic from a customer?
A: All traffic processed by the WAF, allowed and blocked, is logged to a CloudWatch Log Group.
Get the external IP address of the customers current location. e.g. home, office, etc.
Log in to AWS
Go to the region in which the SpamTitan server is located
Go to CloudWatch
Log for a log group with a name starting with aws-waf-logs-* and click it
Look for a log stream and click it
You can now search the last 14 days of logs. Search for the customer IP address and see if traffic is being blocked.
Or click "Tail" to start viewing the logs in realtime and enter the customers IP address to highlight any logs containing that IP. Have the customer use the UI to perform the action and monitor the resulting log entries.
Using the "CloudWatch Log Insights" to search the CW logs for a date range.
Go to the AWS CloudWatch service.
Go to the region where the server is hosted.
Go to Logs -> "Log Insights"
Select the WAF logs
Selection of queries you can use:
# To filter for all blocked requests, and display their terminating rule, URI path, and client IP fields @timestamp, httpRequest.clientIp as ClientIP, httpRequest.uri as URI, terminatingRuleId as rule | filter action = "BLOCK" | sort @timestamp desc
# Find blocked requests for a specific IP address (replace x.x.x.x) fields @timestamp, httpRequest.clientIp as ClientIP, httpRequest.uri as URI, terminatingRuleId as rule | filter action = "BLOCK" and httpRequest.ClientIp = "X.X.X.X" | sort @timestamp desc
# Find Failed logins for new UI from a specific IP fields @timestamp, httpRequest.clientIp as ClientIP, httpRequest.uri as URI, terminatingRuleId as rule | filter action = "BLOCK" and httpRequest.uri like "/restapi/auth/authorize" and httpRequest.ClientIp = "X.X.X.X" | sort @timestamp desc