Edge WAF deployment using the Fastly control panel
Last updated 2024-11-18
IMPORTANT
This guide only applies to customers with access to the Next-Gen WAF product in the Fastly control panel. If you have access to the Next-Gen WAF control panel, check out our Edge WAF deployment using the Next-Gen WAF control panel guide.
The Edge WAF deployment method hosts the Next-Gen WAF on Fastly’s Edge Cloud platform via our global network of POPs, integrates with Fastly’s caching layer, and is managed by Fastly. Since security processing happens at the edge, the Next-Gen WAF can inspect all traffic before it enters your origin infrastructure and block attacks close to where they originated. You do not need to make any modifications to your own hosting environment.
Before you begin
The Next-Gen WAF is disabled by default. To purchase and enable the product for your Fastly account, contact sales@fastly.com. Once enabled, users assigned the superuser role can enable the Next-Gen WAF for your CDN services.
Limitations and considerations
When enabling the Next-Gen WAF for your CDN services, keep the following in mind:
- Edge WAF deployment using the Fastly control panel is only supported for CDN services. To use Edge WAF deployment with Compute services, use the Next-Gen WAF control panel instead.
- Adding the Next-Gen WAF to an existing CDN service counts against the service chain limit.
- The Edge WAF deployment method is only compatible with CDN services that do not use mutual TLS to the origin.
- A CDN service can be linked to a maximum of one workspace. A workspace can be linked to multiple CDN services.
- Only users assigned the superuser role can enable and configure the Edge WAF deployment for CDN services.
How it works
When you enable the Next-Gen WAF for a CDN service, Fastly creates an edge security service in the background, which is responsible for inspecting traffic to your CDN service. The edge security service runs in the vcl_miss and vcl_pass subroutines. Execution priority is set to a high value to enable compatibility with any other VCL snippets that may be in use.
Health checks
The edge security service includes a health check, which skips security processing entirely if the edge security service is unhealthy for any reason. The health check works by sending a periodic probe every 15 seconds and checking for HTTP status code 200 as an expected response. Should a check indicate an unhealthy service, all security processing is skipped until the service becomes healthy again. It may take up to 60 seconds for all security processing to be skipped.
The edge security service is modeled as an origin using the backend type. The health check lives inside the edge_security function and uses the backend.health property to check the status of the edge security service.
Setting up the deployment
To deploy the Next-Gen WAF on an existing CDN service, complete the following steps:
- Fastly control panel
- Fastly Security API
- Log in to the Fastly web interface.
- From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain.
Click Edit configuration and then Security.
TIP
You do not need to clone the active version of the service to enable the Next-Gen WAF.
In the Next-Gen WAF card, click the switch to the On position.
Click the pencil
to edit the following deployment settings and then click Submit:
- From the Workspace menu, select the workspace that you want to link to the service. If your account only has one workspace, this field is read-only.
- In the % of traffic field, enter the percent of traffic that you want the Next-Gen WAF to inspect. When set to
100, all traffic to your service is inspected. When the value is less than 100, a random sample of the specified percentage is inspected.
(Optional) Use attack tooling to verify that the Next-Gen WAF is monitoring your web application and identifying malicious and anomalous requests.
Configuring the deployment
To update your deployment, complete the following steps:
- Fastly control panel
- Fastly Security API
- Log in to the Fastly web interface.
- From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain.
Click Edit configuration and then Security.
TIP
You do not need to clone the active version of the service to edit the Edge WAF deployment.
In the Next-Gen WAF card, set the switch to the On position to enable the Next-Gen WAF for your service or to the Off position to disable the Next-Gen WAF for your service.
If the Next-Gen WAF is enabled, click the pencil
to edit the following deployment settings and then click Submit:- From the Workspace menu, select the workspace that you want to link to the service. If your account only has one workspace, this field is read-only.
- In the % of traffic field, enter the percent of traffic that you want the Next-Gen WAF to inspect. When set to
100, all traffic to your service is inspected. When the value is less than 100, a random sample of the specified percentage is inspected.
(Optional) Use attack tooling to verify that the Next-Gen WAF is monitoring your web application and identifying malicious and anomalous requests.
Disabling the deployment
To disable Edge deployment for your service, complete the following steps:
- Fastly control panel
- Fastly Security API
- Log in to the Fastly web interface.
- From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain.
Click Edit configuration and then Security.
TIP
You do not need to clone the active version of the service to disable the Next-Gen WAF.
In the Next-Gen WAF card, click the switch to the Off position.
Using headers to customize inspection
You can use X-SigSci- headers to force the Next-Gen WAF to inspect requests, to disable inspection, and to skip initial inspection.
Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
