About the Fastly WAF dashboard (2020)

IMPORTANT

As announced, April 30, 2023 marks the formal retirement of the Fastly WAF (WAF Legacy and WAF 2020). Our Fastly Next-Gen WAF offers similar functionality. It monitors for suspicious and anomalous web traffic and protects, in real-time, against attacks directed at the applications and origin servers that you specify.

The Fastly WAF dashboard allows you to monitor the Fastly WAF deployed within your Fastly service. If you've been assigned the role of engineer or superuser, you can use the information in the Fastly WAF dashboard to determine whether or not the WAF is active, see how many requests the WAF is currently processing, review recent changes, and manage your WAF.

The Fastly WAF dashboard consists of the following pages:

Accessing the Fastly WAF dashboard

To access the Fastly WAF dashboard, log in to the Fastly web interface and click the WAF link.

NOTE

To access the Fastly WAF dashboard, you must sign up for a Fastly account and purchase the Fastly WAF. Contact our sales team to get started.

About the WAF summary page

The WAF summary page displays the status of your WAF.

links on the WAF summary page

The WAF status section indicates whether the WAF is currently active. To be considered active, the WAF must not be disabled and must have at least one active rule's status set in either logging or blocking. You can see the total number of active rules. This number includes scoring, logging, and blocking rules added to your WAF. The charts show the number of scoring, logging, and blocking OWASP rules, application-specific rules, and Fastly-created rules. Sample charts are shown below.

the WAF status section

The Requests graph displays how many requests are served from cache and how many requests are processed by the WAF. Of the requests that are processed by the WAF, the WAF Process graph displays how many requests were blocked by the WAF, logged by the WAF and sent to the origin server, and were passed (not blocked or logged) and sent to the origin server.

You can exclude certain data from the graphs by clicking hide next to a data label. Clicking this link will hide that value in the graph's display.

TIP

The Fastly WAF only executes on traffic sent to the origin server.

the WAF summary graphs

About the Manage rules page

The Manage rules page allows you to manage the rules on your WAF. There you can:

  • Add new rules to your WAF
  • Change the status of rules already on your WAF, e.g. log => block
  • View details about individual rules, i.e. the ModSec source code and the generated VCL
  • View potential rules to add to your WAF
  • Remove rules from your WAF

the WAF summary graphs

About the WAF audit history page

The WAF audit history page displays all changes made to your WAF. You can use this page to determine who made certain types of changes to the WAF and when the changes were made. The line items indicate when rules were set to log or block, when they were updated, and when firewall versions are cloned or deployed.

the WAF audit history page

TIP

You can use the Fastly WAF active rules API endpoint to view the state of an individual rule.

Some entries contain information about the WAF's OWASP properties. To learn more about the OWASP properties, refer to the OWASP properties section.

the WAF activation entry on the WAF audit history page

OWASP properties

You may see OWASP properties referenced on the WAF audit history page. The table below contains a list of all available properties and their descriptions. The properties shown here reflect changes made by altering the settings in the firewall version.

OWASP propertyDescription
Allowed HTTP versionsHTTP versions that a client is allowed to use.
Allowed HTTP methodsHTTP methods that a client is allowed to use.
Allowed client content typesHTTP Content-Types that a client is allowed to use.
Maximum length for parameter namesMaximum length of any parameter names passed in the query string and request body.
Maximum length for parameter valuesMaximum length of any parameter values passed in the query string and request body.
Combined file sizesTotal size of MIME bodies in the request.
Critical anomaly scoreConfigured critical anomaly score. Rules using the critical severity will increment scores using this value.
Validate UTF8 encodingValidates the client request as UTF-8 prior to the execution of WAF rules.
Error anomaly scoreConfigured error anomaly score. Rules using the error severity will increment scores using this value.
High risk countriesBlock clients from high risk countries based on their IP address.
HTTP violation thresholdConfigured HTTP violation threshold. Action is taken when rules that trigger HTTP violations exceed the threshold.
Inbound anomaly thresholdConfigured inbound anomaly threshold. Action is taken when the sum of the individual category scores exceed the threshold.
LFI thresholdConfigured LFI threshold. Action is taken when rules that trigger Local File Inclusion (LFI) rules exceed the threshold.
Maximum file size (bytes)Maximum size of any MIME body in the request.
Maximum argument countMaximum number of parameters in the query string and request body.
Notice anomaly scoreConfigured notice anomaly score. Rules using the notice severity will increment scores using this value.
Paranoia levelThe paranoia level setting can be set from 1 through 4 and determines the number of rules to include by default. Higher levels indicate higher levels of security but potentially a larger number of false positives.
PHP injection thresholdConfigured PHP injection score threshold. Action is taken when rules that trigger PHP related violations exceed the threshold.
RCE thresholdConfigured RCE injection score threshold. Action is taken when rules that trigger Remote Code Execution (RCE) violations exceed the threshold.
Restricted extensionsControl on restricted file extensions in the client request.
Restricted headersControl on restricted HTTP headers in the client request.
RFI thresholdConfigured RFI violation threshold. Action is taken when rules that trigger Remote File Inclusion (RFI) violations exceed the threshold.
Session fixation thresholdConfigured Session Fixation violation threshold. Action is taken when rules that trigger Session Fixation violations exceed the threshold.
SQLi thresholdConfigured SQLi threshold. Action is taken when rules that trigger SQL Injection (SQLi) violations exceed the threshold.
Total parameter lengthMaximum length of all parameters passed in the query string and request body.
Warning anomaly scoreConfigured warning anomaly score. Rules using the warning severity will increment scores using this value.
XSS thresholdConfigured XSS threshold. Action is taken when rules that trigger Cross-Site Scripting (XSS) violations exceed the threshold.

About the Settings page

The Settings page allows you to adjust various settings for your WAF. To understand the behavior of thresholds and scores, see Managing rules.

the settings page

Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.