About the architecture

The Next-Gen WAF is an application security monitoring system that proactively monitors and protects your web application from malicious traffic. Our entire console is built API-first. This means that you can adjust the protection and data privacy of your sites via our web interface and API. You can also use our API to pull your Next-Gen WAF data into other systems.

Three key components make up the Next-Gen WAF architecture:

• deployment entity: the component that is responsible for handling requests to, or on, your web application. Your deployment method determines the type of deployment entity (e.g., web server integration module or via a Fastly VCL service).
• monitoring agent (Signal Sciences agent): the component that is responsible for processing requests and communicating with our collection and analysis system.
• collection and analysis system (cloud engine): the component that is responsible for sending data between the monitoring agent and other sources.

About the deployment entity

The deployment entity is the architecture component that is responsible for handling requests to, or on, your web application. It listens for incoming requests and passes them to the monitoring agent for a decision. After receiving a decision from the agent, the deployment entity blocks, allows, or rate limits requests in accordance with that decision.

The type of deployment entity used in your deployment process depends on your deployment method. For example, with a core deployment that uses the optional module, the deployment entity can exist as a plugin to your web servers or a language specific implementation.

About the monitoring agent

The monitoring agent (also known as the Signal Sciences agent) is the architecture component that is responsible for processing requests and communicating with our collection and analysis system. After receiving a request from the deployment entity, the agent:

• uses your active rules and site alerts to determine how the request should be handled (e.g., allow, block, rate limit, or tag).
• performs any tagging decisions.
• redacts sensitive information from the request.
• relays the request and its decision back to the deployment entity.
• uploads redacted request and response data to the collection and analysis system per our data storage policy.

The agent also downloads new and updated rules and configurations from the collection and analysis system.

About the collection and analysis system

The collection and analysis system (also known as the cloud engine) is the architecture component that serves as the control plane between the monitoring agent and other sources. Specifically, the system:

• forwards corp and site configurations (e.g., rules and lists) that were made via the web interface and API to your monitoring agent. The agent uses this information to determine how to handle requests.
• forwards anomalous request and response data and performance metrics from the monitoring agent to the Next-Gen WAF console and any third-party integrations that you have set up.
• forwards attack data from the monitoring agent to our Network Learning Exchange (NLX). The NLX is an IP address reputation feed that aggregates and analyzes attack data from our subscriber network to identify potential bad actors.
• forwards the list of potential bad actors from the NLX to your monitoring agent. Your monitoring agent tags requests that are from the identified IP addresses and that contain at least one signal with the Network Effect (SIGSCI-IP) anomaly signal.
• forwards information from external sources to the monitoring agent. For example, the system imports the list of IP addresses that have engaged in malicious activity from SANS Internet Storm Center and sends them to the monitoring agent. The monitoring agent then tags requests that are from the identified IP address list with the Malicious IP Traffic (SANS) anomaly signal.

We host the collection and analysis service in AWS West across multiple availability zones.

Deploying the WAF alongside a CDN

If you already have a Fastly CDN service, you can deploy the Next-Gen WAF alongside your Fastly CDN service via the edge deployment method. With this method, your deployment will be hosted on Fastly’s Edge Cloud platform via our global network of POPs.

If you'd like to use another CDN provider, you can use a header (e.g., X-Forwarded-For) to obtain the true client IP address. For more information, check out our Client IP addresses guide.