About deploying the Next-Gen WAF

To deploy the Next-Gen WAF, you need to integrate the Next-Gen WAF product into your request flow by:

  1. Choosing a deployment method. A deployment method outlines how the integration is set up. All of our deployment methods rely on the same architecture components but differ in where they are hosted (e.g., Fastly’s Edge Cloud platform or the customer's local environment) and in who maintains the active deployment.

    TIP

    You can use more than one deployment method. For example, you may want to use the Edge WAF deployment method to protect your web applications that are behind the Fastly CDN and the Core WAF deployment method for your other web applications.

  2. Setting up your deployment by following the appropriate guide for your selected deployment method.

  3. (Optional) Using attack tooling to verify that the Next-Gen WAF is monitoring your web application and identifying malicious and anomalous requests.

Before you begin

The Next-Gen WAF can be purchased for an account by contacting sales@fastly.com. Once purchased, our staff will create a Next-Gen WAF corp and at least one site for your use when you log in.

Choosing a deployment method

The key differences between our deployment methods are where the deployment is located and who maintains the deployment.

Deployment method | Location | Fastly managed | Customer managed
Edge WAF | Fastly’s Edge Cloud platform via our global network of POPs
Core WAF | Customer's local environment
PaaS | Supported vendor platform
A10 Networks | A10 Networks
Cloud WAF | Fastly’s cloud infrastructure

About Edge WAF deployment

TIP

Any Next-Gen WAF customer can use this solution.

The Edge WAF deployment method hosts the Next-Gen WAF on Fastly’s Edge Cloud platform via our global network of POPs and integrates with Fastly’s caching layer, Varnish. Since security processing happens at the edge, the Next-Gen WAF can inspect all traffic before it enters your origin infrastructure and block attacks close to where they originated.

To use this option, you must have a Fastly delivery account. For full instructions, check out our Edge WAF deployment guides:

About Core WAF deployment

IMPORTANT

Only Next-Gen WAF customers with access to the Next-Gen WAF control panel can use this solution.

The Core WAF deployment method hosts the Next-Gen WAF directly on your local environment, which means you are responsible for managing the deployment. By deploying at your origin core, you can inspect traffic regardless of the path it took to reach your origin infrastructure. This means that you can inspect east-west traffic that hops from one internal server to another within the client origin.

This method includes both module-agent and reverse proxy deployment options.

Deployment option: Module-agent
Components you must install:
  • Next-Gen WAF module
  • Next-Gen WAF agent
Considerations:
  • This option has a fail-open design, meaning the module verifies agent availability and allows all traffic when the agent is down.
  • The module hooks into the request mechanism on your environment, so you don’t need to change how you're handling TLS termination.
  • The module can exist as a plugin to your web server or be deployed at the application layer.
  • The only Next-Gen WAF module variation that supports WebSocket inspection is the NGINX dynamic module.

Deployment option: Reverse proxy
Components you must install:
  • Next-Gen WAF agent
Considerations:
  • This option has a fail-close design, meaning all traffic is blocked when the agent is down.
  • This option does not require you to make modifications to your web server or code, which is helpful for old and fragile environments.
  • The agent performs the role of both the deployment entity and agent components.
  • This option supports WebSocket inspection.

About Kubernetes deployment patterns

IMPORTANT

Only Next-Gen WAF customers with access to the Next-Gen WAF control panel can use this solution.

The Core WAF deployment method supports multiple deployment patterns in Kubernetes. For the Next-Gen WAF to work in Kubernetes, you will need to customize configurations. Our documentation provides several examples of Kubernetes deployments that use the Docker sidecar container pattern.

About Platform as a Service (PaaS) deployment

IMPORTANT

Only Next-Gen WAF customers with access to the Next-Gen WAF control panel can use this solution.

You can deploy the Next-Gen WAF product within a supported vendor platform by embedding the Next-Gen WAF agent within the selected platform.

NOTE

Fastly services interoperate with non-Fastly services only when you configure them that way. We do not provide direct support for non-Fastly services. Software or services that enable integration with non-Fastly services (such as plug-ins, extensions, and add-ons) are available under their own terms. Read Fastly's Terms of Service for more information.

About embedded service deployment with A10 Networks

The Next-Gen WAF can be deployed as an embedded service with A10 Networks on select A10 Thunder and vThunder application delivery controller (ADC) form factors. A10 Networks provides support for A10 deployments. To learn more about the A10 ADC Next-Gen WAF deployment option, contact your Fastly account manager or email our Sales team.

NOTE

This deployment option requires an A10 feature license for activation.

NOTE

Fastly services interoperate with non-Fastly services only when you configure them that way. We do not provide direct support for non-Fastly services. Software or services that enable integration with non-Fastly services (such as plug-ins, extensions, and add-ons) are available under their own terms. Read Fastly's Terms of Service for more information.

About Cloud WAF deployment

IMPORTANT

Only Next-Gen WAF customers with access to the Next-Gen WAF control panel can use this solution.

The Cloud WAF deployment method hosts the Next-Gen WAF on Fastly’s cloud infrastructure and consists of several Cloud WAF instances. Each instance is made up of a load balancer along with at least three Next-Gen WAF agents, each operating in reverse proxy mode and installed on separate redundant machines.

To use the Cloud WAF deployment method, you must upload a TLS certificate, add an origin server using the Next-Gen WAF control panel, and update your DNS records to point to the appropriate servers.

What's next

After setting up your deployment, the Next-Gen WAF will immediately start monitoring traffic to your website, detecting requests with malicious and anomalous payloads, and populating request data to the Next-Gen WAF control panel. To ensure legitimate traffic isn’t blocked, the Next-Gen WAF allows all requests initially.

To start blocking traffic, set the Agent mode setting to Blocking. You can also create rules to adjust the protection of your website and make sure the Next-Gen WAF blocks and allows the correct traffic.
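
The trade-off between the fail-open module-agent option and the fail-close reverse proxy option from the Core WAF section, combined with the initial allow-all behavior described above, can be made concrete with a small simulation. This is an added example, not Fastly code: the `Request` type, the function names, the traffic and the outage window are all constructed, and the model simplifies Blocking mode to stopping every malicious request the agent inspects.

```python
from dataclasses import dataclass

# Failure behaviour per deployment option, as stated in the Core WAF section.
FAIL_OPEN = {"module-agent": True, "reverse-proxy": False}

@dataclass(frozen=True)
class Request:
    t: int           # constructed timestamp (seconds)
    malicious: bool  # ground-truth label, known only to this simulation

def handle(option, agent_up, blocking, req):
    """Return (reaches_origin, inspected) for one request."""
    if not agent_up:
        # Module-agent: the module lets traffic through uninspected.
        # Reverse proxy: the agent is the proxy, so nothing gets through.
        return FAIL_OPEN[option], False
    # Agent up: every request is inspected, but a malicious request is
    # only stopped once the agent mode is set to Blocking.
    return not (req.malicious and blocking), True

def summarize(option, requests, outage, blocking):
    """Count the security and availability cost of an agent outage."""
    start, end = outage
    stats = {"uninspected": 0, "malicious_at_origin": 0, "legit_dropped": 0}
    for req in requests:
        agent_up = not (start <= req.t < end)
        reaches_origin, inspected = handle(option, agent_up, blocking, req)
        if reaches_origin and not inspected:
            stats["uninspected"] += 1
        if reaches_origin and req.malicious:
            stats["malicious_at_origin"] += 1
        if not reaches_origin and not req.malicious:
            stats["legit_dropped"] += 1
    return stats

# Constructed traffic: one request per second, malicious at t = 2, 5, 8.
TRAFFIC = [Request(t, t in (2, 5, 8)) for t in range(10)]
OUTAGE = (4, 7)  # constructed window: agent down for t = 4, 5, 6

if __name__ == "__main__":
    for option in FAIL_OPEN:
        for blocking in (False, True):
            print(option, "blocking" if blocking else "not blocking",
                  summarize(option, TRAFFIC, OUTAGE, blocking))
```

In the module-agent case the outage shows up only as uninspected traffic, so agent health needs its own monitoring; in the reverse proxy case it shows up as dropped legitimate requests.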
