Web Application Firewall (WAF) (2020)


As announced, April 30, 2023 marks the formal retirement of the Fastly WAF (WAF Legacy and WAF 2020). Our Fastly Next-Gen WAF offers similar functionality. It monitors for suspicious and anomalous web traffic and protects, in real-time, against attacks directed at the applications and origin servers that you specify.

Fastly offers a Web Application Firewall (WAF) security product that detects malicious request traffic and can log or log and block that traffic before it reaches your web application. The Fastly WAF provides rules that detect and block potential attacks. The rules are collected into a policy and deployed within your Fastly service at the edge. To get started, email our sales team for product information.

How the Fastly WAF works

The Fastly WAF is designed to protect production web applications running over HTTP or HTTPS against known vulnerabilities and common attacks such as cross-site scripting (XSS) and SQL injection. The Fastly WAF can provide a layer of protection logically positioned at the client edge of your distributed application to detect and block malicious activity from exploiting vulnerabilities in web applications and APIs.

Image showing attacker blocked by the Fastly WAF

Unlike traditional firewalls that inspect traffic at the network or transport layer, the Fastly WAF works by analyzing web traffic primarily at the HTTP application layer. The Fastly WAF inspects all HTTP and HTTPS headers and post body requests by applying a policy that is selected and tuned for your specific service environment.

Once the Fastly WAF is enabled for a version of your service, you can add or remove rules. The status of a WAF rule can be changed after it is added to your WAF. To update an active rule's status, you must clone your firewall version, make status changes to any active rules you'd like to update, then deploy the new firewall version.


The Fastly WAF only works when traffic is directed through it. Make sure that you've signed up for Fastly, created a service, and added a CNAME DNS record for your domain name to direct traffic to Fastly and through the Fastly WAF.

Enabling the Fastly WAF

Enabling Fastly WAF doesn't require modifications to your web application or origin servers.

Refining the default WAF policy once it's enabled

Once you purchase the Fastly WAF, our Customer Support team will enable it with the default WAF policy for any service you've provided a service ID for. They will then work closely with you on additional configuration refinements, including:

You can then begin monitoring logs to determine which requests to your origin are legitimate and which you should consider blocking.

Setting up a logging endpoint

To begin monitoring requests for potential malicious activity, set up remote logging so you can log WAF variables. You can use an existing logging endpoint or add a new endpoint specifically for Fastly WAF. You'll use the information provided in the logs to monitor WAF events.

Adding a prefetch condition

A prefetch condition is the condition under which Fastly should run a block of code before sending a request to your origin. To avoid running every request against your WAF, add a default prefetch condition, (req.backend.is_origin), for the WAF policy. This ensures that the Fastly WAF only inspects traffic to the origin and accounts for whether or not a service has shielding configured.

You can modify the prefetch condition, but keep in mind that you cannot modify a condition's type (type:request to type:prefetch) after it has been created. If a condition with a type:prefetch hasn't been created for your WAF, you can create one using the POST method. For example:

$ curl -s -X POST https://api.fastly.com/service/$service_id/version/$version/condition -H "Fastly-Key:$token" -H "Content-Type: application/json" -H "Accept: application/json" -d '{"name": "Waf_Prefetch","priority": "10","statement": "req.backend.is_origin", "type": "prefetch"}'

You can modify an existing prefetch statement using the PUT method. For example, you could update the prefetch condition's statement to run the WAF policy on origin traffic and requests from IP addresses that aren't part of an allowlist:

$ curl -s -X PUT https://api.fastly.com/service/$service_id/version/$version/condition/Waf_Prefetch -H "Fastly-Key:$token" -H "Content-Type: application/json" -d '{"statement": "req.backend.is_origin && !(client.ip ~ allowlist)"}' -H "Accept: application/json"

Customizing the response

Before you can enable your WAF, you must create a custom response and assign an HTTP status code for all requests that Fastly WAF blocks. If you've configured Fastly WAF to block requests, that response will be served directly from the cache when a request matches a rule. If you would like to customize the response, use the web interface to make your changes.


You can create a custom HTML error page that will be presented to users who are blocked by the Fastly WAF response object. For more information, see our guide on creating a custom WAF error page.


If your WAF is created by customer support, do not modify the Status or Description of the Fastly WAF response.

Selecting rules

The WAF includes rules based on Fastly's own rules, Trustwave ModSecurity Rules, and the OWASP Top Ten. These rules help you monitor web application traffic for a wide range of common attacks. The rules must be explicitly enabled because they are not enabled by default. When you identify rules needed to protect your origin infrastructure, you can add them to your WAF. You can deploy your WAF when you are ready to run traffic past the rules you've added.

Fastly provides rules you can add to your WAF for specific applications or technologies (e.g., WordPress, Drupal, PHP, .Net). Keep in mind that adding additional rules can increase latency for requests being evaluated against the published WAF policy.

Once you've selected the rules for your WAF policy, you can apply the updates Fastly creates at your convenience. If you modify the applications or technologies that are present at the origin, you will need to review the rules available and apply any relevant rules to your WAF.

Monitoring the Fastly WAF

You can use the Fastly WAF dashboard to monitor the Fastly WAF deployed within your Fastly service.

Disabling Fastly WAF for your service

Users with superuser access tokens can disable the WAF on a Fastly service:

1$ curl -s -X PATCH \
2 -H "Fastly-Key:$token" \
3 -H "Content-Type: application/vnd.api+json" \
4 -d @-
5 https://api.fastly.com/service/waf/firewalls/$firewall_id \
8 "data": {
9 "type": "waf_firewall",
10 "attributes": {
11 "disabled": true
12 }
13 }
Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.