About the architecture

The Next-Gen WAF is an application security monitoring system that proactively monitors and protects your web application from malicious traffic. Our entire platform is built API-first. This means that you can adjust the protection and data privacy of your sites (also known as workspaces) via the control panel and API you have access to. You can also use our API to pull your Next-Gen WAF data into other systems.

Three key components make up the Next-Gen WAF architecture:

• deployment entity: the component that is responsible for handling requests to, or on, your web application. Your deployment method determines the type of deployment entity (e.g., web server integration module or via a Fastly VCL service).
• Next-Gen WAF agent: the component that is responsible for processing requests and communicating with our cloud engine.
• cloud engine: the component that is responsible for sending data between the Next-Gen WAF agent and other sources.

About the deployment entity

The deployment entity is the architecture component that is responsible for handling requests to, or on, your web application. It listens for incoming requests and passes them to the Next-Gen WAF agent for a decision. After receiving a decision from the agent, the deployment entity blocks, allows, or rate limits requests in accordance with that decision.

The type of deployment entity used in your deployment process depends on your deployment method. For example, with a Core WAF deployment that uses the optional module, the deployment entity can exist as a plugin to your web servers or a language specific implementation.

About the agent

The Next-Gen WAF agent (formerly known as the Signal Sciences agent) is the architecture component that is responsible for processing requests and communicating with our cloud engine. After receiving a request from the deployment entity, the agent:

• uses your active rules and site alerts (also known as workspace alerts) to determine how the request should be handled (i.e., allow, block, rate limit, or tag).
• performs any tagging decisions.
• redacts sensitive information from the request.
• relays the request and its decision back to the deployment entity.
• uploads redacted request and response data to the cloud engine per our data storage policy.

The agent also downloads new and updated rules and configurations from the cloud engine.

If the agent experiences issues or unavailability, your web application will continue to function because your deployment entity fails open if it doesn’t hear back from the agent within a set time limit. Additionally, if the agent loses the ability to communicate with the cloud engine, the agent will continue to function with a few caveats.

About the cloud engine

The cloud engine is the architecture component that serves as the control plane between the Next-Gen WAF agent and other sources. Specifically, the cloud engine:

• forwards corp (also known as account) and site (workspace) configurations (e.g., rules and lists) to your Next-Gen WAF agent. The agent uses this information to determine how to handle requests.
• forwards anomalous request and response data and performance metrics from the Next-Gen WAF agent to the control panel you have access to and any third-party integrations that you have set up.
• forwards attack data from the Next-Gen WAF agent to our Network Learning Exchange (NLX). The NLX is an IP address reputation feed that aggregates and analyzes attack data from our subscriber network to identify potential bad actors.
• forwards the list of potential bad actors from the NLX to your Next-Gen WAF agent. Your agent tags requests that are from the identified IP addresses and that contain at least one signal with the SigSci Malicious IPs (SIGSCI-IP) anomaly signal.
• forwards information from external sources to the Next-Gen WAF agent. For example, the cloud engine imports the list of IP addresses that have engaged in malicious activity from SANS Internet Storm Center and sends them to the agent. The agent then tags requests that are from the identified IP address list with the Malicious IP Traffic (SANS) anomaly signal.

We host the collection and analysis service in AWS West across multiple availability zones.

Deploying the WAF alongside a CDN

If you already have a Fastly CDN service, you can deploy the Next-Gen WAF alongside your Fastly CDN service via the Edge WAF deployment method. With this method, your deployment will be hosted on Fastly’s Edge Cloud platform via our global network of POPs.

If you'd like to use another CDN provider, you can use a header (e.g., X-Forwarded-For) to obtain the true client IP address. For more information, check out our Client IP addresses guide.