Configuring Edge WAF deployments using the Next-Gen WAF control panel

IMPORTANT

This guide only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel. If you have access to the Next-Gen WAF product in the Fastly control panel, check out our Edge WAF deployment using the Fastly control panel guide.

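After deploying the Edge WAF, you can change the percentage of traffic sent to the WAF, customize inspection with headers, and re-map a Fastly CDN service to a new site (workspace).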

Changing the percentage of traffic sent to the WAF

You can control the amount of traffic inspected by the Edge WAF using the Enabled dictionary key. This value is available in the Edge_Security dictionary and is automatically created when you attach a delivery service.

The default value is 0, with numbers greater than zero representing the percentage of traffic being inspected. This means that unless you change the Enabled value in the Edge_Security Edge dictionary, your WAF will be enabled but won't inspect any traffic. If the value is set to 100, all traffic (100%) will be passed through the Edge WAF. If the value is less than 100, a random sample of the specified percentage will be sent through the Edge WAF.

NOTE

As the Edge_Security Edge dictionary no longer uses the DISABLED field, set Enabled to 0 if you don't want the WAF to inspect any traffic. Alternatively, you can use the control panel to control blocking and logging behavior of the Edge WAF or to turn off agent configurations entirely.
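A deployment check built on the Enabled semantics above, as an added example that is not Fastly's own code: it classifies the items of each service's Edge_Security dictionary so that a service left at the default 0, one still carrying the unused DISABLED key, or one with a malformed value stands out. The `item_key`/`item_value` record shape, the service names, the sample records, and the choice to treat values outside 0-100 as invalid are assumptions made for illustration.

```python
"""Audit the Enabled key of Edge_Security dictionaries (added, illustrative example)."""

# Constructed sample: dictionary items per service, in an assumed
# item_key/item_value record shape. Service names are hypothetical.
SAMPLE = {
    "svc-default": [{"item_key": "Enabled", "item_value": "0"}],
    "svc-rollout": [{"item_key": "Enabled", "item_value": "25"}],
    "svc-full": [{"item_key": "Enabled", "item_value": "100"}],
    "svc-legacy": [{"item_key": "DISABLED", "item_value": "false"},
                   {"item_key": "Enabled", "item_value": "100"}],
    "svc-broken": [{"item_key": "Enabled", "item_value": "ten"}],
    "svc-missing": [],
}


def classify(items):
    """Return (status, findings) for one service's Edge_Security items."""
    values = {i["item_key"]: i["item_value"] for i in items}
    findings = []
    if "DISABLED" in values:
        # The guide says this field is no longer used; Enabled=0 replaces it.
        findings.append("stale DISABLED key present; set Enabled to 0 instead")
    raw = values.get("Enabled")
    if raw is None:
        return "unknown", findings + ["Enabled key missing"]
    try:
        pct = int(str(raw).strip())
    except ValueError:
        return "invalid", findings + [f"Enabled is not an integer: {raw!r}"]
    if not 0 <= pct <= 100:
        # Assumption: anything outside 0-100 is a configuration mistake.
        return "invalid", findings + [f"Enabled out of range 0-100: {pct}"]
    if pct == 0:
        return "not-inspecting", findings + ["WAF attached but 0% of traffic inspected"]
    if pct < 100:
        # Only a random sample of pct% is sent through the Edge WAF.
        return "sampling", findings + [
            f"{100 - pct}% of requests are not sent through the Edge WAF"]
    return "full", findings


def audit(services):
    """Map each service name to its (status, findings) pair."""
    return {name: classify(items) for name, items in services.items()}


if __name__ == "__main__":
    for name, (status, findings) in audit(SAMPLE).items():
        print(f"{name:12} {status:15} {'; '.join(findings) or 'ok'}")
```
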

Customizing inspection with headers

You can use X-SigSci- headers to force the Next-Gen WAF to inspect requests, to disable inspection, and to skip initial inspection.

Re-mapping a Fastly CDN service to a new site (workspace)

To re-assign the Fastly service to a new site (workspace), follow these steps:

  1. Using the curl command line tool, call the DELETE deliveryIntegration/${fastlySID} API endpoint in a terminal application:

    $ curl -v -H "x-api-user: ${SIGSCI_EMAIL}" -H "x-api-token: ${SIGSCI_TOKEN}" \
    -H "Fastly-Key: ${FASTLY_KEY}" -H 'Content-Type: application/json' -X DELETE \
    "https://dashboard.signalsciences.net/api/v0/corps/${corpName}/sites/${siteName}/deliveryIntegration/${fastlySID}"

    This API call requires the Fastly-Key header for authentication. The Fastly API key must have write access to the Fastly service ID. This API call removes all backends from the Edge WAF deployment connected to the Fastly service and detaches the Fastly service from the Edge WAF deployment.

  2. Using the curl command line tool, call the PUT deliveryIntegration/${fastlySID} API endpoint in a terminal application to map the existing Fastly service to the new ${siteName}. For example:

    $ curl -H "x-api-user:${SIGSCI_EMAIL}" -H "x-api-token:${SIGSCI_TOKEN}" \
    -H "Fastly-Key: ${FASTLY_KEY}" -H 'Content-Type: application/json' -X PUT \
    "https://dashboard.signalsciences.net/api/v0/corps/${corpName}/sites/${siteName}/deliveryIntegration/${fastlySID}"

    This API call will activate a new service version by updating the existing Next-Gen WAF VCL dynamic snippet with the new edge security service ID. It also sets the percent of traffic sent to the WAF for inspection to 0.

  3. (Optional) Increase the percentage of traffic sent to the WAF for inspection.
