Configuring Edge WAF deployments using the Next-Gen WAF control panel
Last updated 2025-04-01
IMPORTANT
This guide only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel. If you have access to the Next-Gen WAF product in the Fastly control panel, check out our Edge WAF deployment using the Fastly control panel guide.
After deploying the Edge WAF, you can:
- change the percentage of traffic that is sent to the WAF.
- use request headers to customize inspection.
- re-assign the Fastly service to a new site (workspace).
Changing the percentage of traffic sent to the WAF
You can control the amount of traffic inspected by the edge security service using the Enabled dictionary key. This value is available in the Edge_Security dictionary and is automatically created when you attach a delivery service.
The default value is 0, with numbers greater than zero representing a percentage of the traffic being inspected. This means that unless you change the value of the Edge_Security Edge dictionary, your WAF will be enabled but won't inspect any traffic. If the value is set to 100, all traffic (100%) will be passed through the edge security service. If the value is less than 100, a random sample of the specified percentage will be sent through the edge security service.
NOTE
As the Edge_Security Edge dictionary no longer uses the DISABLED field, set Enabled to 0 if you don't want the WAF to inspect any traffic. Alternatively, you can use the control panel to control blocking and logging behavior of an edge security service or to turn off agent configurations entirely.
Customizing inspection with headers
You can use X-SigSci- headers to force the Next-Gen WAF to inspect requests, to disable inspection, and to skip initial inspection.
Re-mapping a Fastly CDN service to a new site (workspace)
To re-assign the Fastly service to a new site (workspace), follow these steps:
Using the curl command line tool, call the DELETE deliveryIntegration/${fastlySID} API endpoint in a terminal application:
$ curl -v -H "x-api-user: ${SIGSCI_EMAIL}" -H "x-api-token: ${SIGSCI_TOKEN}" \-H "Fastly-Key: ${FASTLY_KEY}" -H 'Content-Type: application/json' -X DELETE \"https://dashboard.signalsciences.net/api/v0/corps/${corpName}/sites/${siteName}/deliveryIntegration/${fastlySID}"This API call requires the Fastly-Key header for authentication. The Fastly API key must have write access to the Fastly service ID. This API call removes all backends from the Edge WAF deployment connected to the Fastly service and detaches the Fastly service from the Edge WAF deployment.
Using the curl command line tool, call the
PUT deliveryIntegrationAPI endpoint in a terminal application with the new${siteName}to create a new edge security service. For example:$ curl -H "x-api-user:${SIGSCI_EMAIL}" -H "x-api-token:${SIGSCI_TOKEN}" \-H 'Content-Type: application/json' -X PUT \"https://dashboard.signalsciences.net/api/v0/corps/${corpName}/sites/${siteName}/edgeDeployment"You can verify if a Next-Gen WAF instance resource was successfully created by the above step by referring to Create the edge security service.
Using the curl command line tool, call the PUT deliveryIntegration/{fastlySID} API endpoint in a terminal application to map the existing Fastly service to the new
${siteName}. For example:$ curl -H "x-api-user:${SIGSCI_EMAIL}" -H "x-api-token:${SIGSCI_TOKEN}" \-H "Fastly-Key: ${FASTLY_KEY}" -H 'Content-Type: application/json' -X PUT \"https://dashboard.signalsciences.net/api/v0/corps/${corpName}/sites/${siteName}/deliveryIntegration/${fastlySID}"This API call will activate a new service version by updating the existing Next-Gen WAF VCL dynamic snippet with the new edge security service ID.
Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
