About deploying the Next-Gen WAF
Last updated 2025-04-10
To deploy the Next-Gen WAF, you need to integrate the Next-Gen WAF product into your request flow by:
Choosing a deployment method. A deployment method outlines how the integration is set up. All of our deployment methods rely on the same architecture components but have different host locations (e.g., Fastly’s Edge Cloud platform and customer's local environment) and parties who maintain the active deployments.
Setting up your deployment by following the appropriate guide for your selected deployment method.
(Optional) Using attack tooling to verify that the Next-Gen WAF is monitoring your web application and identifying malicious and anomalous requests.
Before you begin
The Next-Gen WAF can be purchased for an account by contacting sales@fastly.com. Once purchased, our staff will create a Next-Gen WAF corp and at least one site for your use when you log in.
Choosing a deployment method
The key differences between our deployment methods are where the deployment is located and who maintains the deployment.
| Deployment method | Location | Fastly managed | Customer managed |
|---|---|---|---|
| Edge WAF | Fastly’s Edge Cloud platform via our global network of POPs | ✔ | |
| Core WAF | Customer's local environment | ✔ | |
| PaaS | Supported vendor platform | ✔ | |
| A10 Networks | A10 Networks | ✔ | |
| Cloud WAF | Fastly’s cloud infrastructure | ✔ |
About Edge WAF deployment
TIP
Any Next-Gen WAF customer can use this solution.
The Edge WAF deployment method hosts the Next-Gen WAF on Fastly’s Edge Cloud platform via our global network of POPs and integrates with Fastly’s caching layer, Varnish. Since security processing happens at the edge, the Next-Gen WAF can inspect all traffic before it enters your origin infrastructure and block attacks close to where they originated. To use this option, you must have a Fastly delivery account.
About Core WAF deployment
IMPORTANT
Only Next-Gen WAF customers with access to the Next-Gen WAF control panel can use this solution.
The Core WAF deployment method hosts the Next-Gen WAF directly on your local environment, which means you are responsible for managing the deployment. By deploying at your origin core, you are able to inspect traffic from any path that it took to your origin infrastructure. This means that you can inspect east-west traffic that hops from one internal server to another within the client origin.
This method includes both module-agent and reverse proxy deployment options.
| Deployment option | Components you must install | Considerations |
|---|---|---|
| Module-agent |
|
|
| Reverse proxy | Next-Gen WAF agent |
|
About Kubernetes deployment patterns
IMPORTANT
Only Next-Gen WAF customers with access to the Next-Gen WAF control panel can use this solution.
The Core WAF deployment method supports multiple deployment patterns in Kubernetes. For the Next-Gen WAF to work in Kubernetes, you will need to customize configurations. Our documentation provides several examples of Kubernetes deployments that use the Docker sidecar container pattern.
About Platform as a Service (PaaS) deployment
IMPORTANT
Only Next-Gen WAF customers with access to the Next-Gen WAF control panel can use this solution.
You can deploy the Next-Gen WAF product within a supported vendor platform by embedding the Next-Gen WAF agent within the selected platform.
NOTE
Fastly services interoperate with non-Fastly services only when you configure them that way. We do not provide direct support for non-Fastly services. Software or services that enable integration with non-Fastly services (such as plug-ins, extensions, and add-ons) are available under their own terms. Read Fastly's Terms of Service for more information.
About embedded service deployment with A10 Networks
The Next-Gen WAF can be deployed as an embedded service with A10 Networks on select A10 Thunder and vThunder application delivery controller (ADC) form factors. A10 Networks provides support for A10 deployments. To learn more about the A10 ADC Next-Gen WAF deployment option, contact your Fastly account manager or email our Sales team.
NOTE
This deployment option requires an A10 feature license for activation.
NOTE
Fastly services interoperate with non-Fastly services only when you configure them that way. We do not provide direct support for non-Fastly services. Software or services that enable integration with non-Fastly services (such as plug-ins, extensions, and add-ons) are available under their own terms. Read Fastly's Terms of Service for more information.
About Cloud WAF deployment
IMPORTANT
Only Next-Gen WAF customers with access to the Next-Gen WAF control panel can use this solution.
The Cloud WAF deployment method hosts the Next-Gen WAF on Fastly’s cloud infrastructure and consists of several Cloud WAF instances. Each instance is made up of a load balancer along with at least three Next-Gen WAF agents, each operating in reverse proxy mode and installed on separate redundant machines.
To use the Cloud WAF deployment method, you must upload a TLS certificate, add an origin server using the Next-Gen WAF control panel, and update your DNS records to point to the appropriate servers.
What's next
After setting up your deployment, the Next-Gen WAF will immediately start monitoring traffic to your website, detecting requests with malicious and anomalous payloads, and populating request data to the Next-Gen WAF control panel. To ensure legitimate traffic isn’t blocked, the Next-Gen WAF allows all requests initially.
To start blocking traffic, set the Agent mode setting to Blocking. You can also create rules to adjust the protection of your website and make sure the Next-Gen WAF blocks and allows the correct traffic.
Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
