Installation: Getting started

Next-Gen WAF supports multiple installation methods. You can use Fastly’s Edge Cloud Platform, hosted Cloud WAF solution, or you can deploy directly onto your hosting environment via traditional module-agent process. Next-Gen WAF supports traditional, virtual machine (VM)-based architectures as well as modern container-based ones. Integrations with several Platforms-as-a-Service (PaaS) are also available. Below are all the installation options available to get Next-Gen WAF up and running.

Edge deployment

You can deploy Next-Gen WAF on Fastly's Edge Cloud Platform by adding it to new or existing Fastly services. Deploying on Fastly's Edge Cloud Platform doesn't require you to install or modify anything on your own hosting environment.

Cloud WAF deployment

Our Cloud WAF solution allows you to deploy Next-Gen WAF without requiring you to install the Signal Sciences agent and module directly onto your environment.

Module-agent deployment

Next-Gen WAF can also be deployed directly onto your hosting environment. In the module-agent topology, modules are installed on your reverse proxy or load balancer (e.g., Apache, NGINX, and HAProxy) to extend the request handling logic and communicate with the agent for subsequent advice. Another less common but technically viable approach is to deploy our software at the application layer. We currently provide modules for Node.js, Java, and .NET and can supply documentation to help you write an application layer module in other languages.

The module-agent installation process can be done with three steps:

Step 1: Agent installation

The Signal Sciences agent is a small process which provides the interface between your web server and our analysis platform. An inbound web request is passed to the agent, which then decides whether the request should be permitted to continue, or whether it should take action.

Learn how to install an agent

Step 2: Module installation

The Signal Sciences module is the architecture component that is responsible for passing request data to the agent. The module deployment is flexible and can exist as a plugin to the web server, a language or framework specific implementation, or can be removed if running the agent in reverse proxy mode.

Learn how to install a module

Step 3: Verify agent and module installation

  1. Log in to the Next-Gen WAF console.
  2. From the Sites menu, select a site if you have more than one site.
  3. Click Agents in the navigation bar near the top of the screen.
  4. Check the module version under Module to confirm the correct version is listed.

Until there has been at least one request since the agent and module were installed, the module information won't be listed. Once there is traffic the module information will be populated.

Containers and Kubernetes

Next-Gen WAF supports multiple deployment patterns in Kubernetes. You will likely have to customize configurations for Next-Gen WAF to work in your own Kubernetes app. The documentation provides several Kubernetes deployment examples, using the Docker sidecar container pattern.

Learn how to install in Kubernetes

Agent-only deployment

If you want to deploy the WAF directly on the web servers in your infrastructure but do not want to install the optional module component, you can use one of our agent-only deployment options. With an agent-only deployment, the agent performs the role of both the module and agent components.

PaaS deployment

The Signal Sciences agent can be deployed by Platform as a Service (PaaS). We worked with multiple vendors to integrate our technologies directly into their platforms to simplify deployment.

View PaaS platforms

Embedded service deployment with A10 Networks

The Next-Gen WAF can be deployed as an embedded service with A10 Networks on select A10 Thunder and vThunder application delivery controller (ADC) form factors. To learn more about the A10 ADC Next-Gen WAF deployment, contact your Fastly account manager or email our Sales team.


This deployment option requires an A10 feature license for activation.

Fastly services interoperate with non-Fastly services only when you configure them that way. We do not provide direct support for non-Fastly services. Software or services that enable integration with non-Fastly services (such as plug-ins, extensions, and add-ons) are available under their own terms. Read Fastly's Terms of Service for more information.

Agent and module release notifications

You can subscribe to release notifications through our corp integrations. The releaseCreated integration event will trigger the integration to notify you when a new agent or module version is available.

What's next

Once Next-Gen WAF is installed, there are no rules or signatures to configure to get immediate visibility and protection against common attack types.

Now that you have Next-Gen WAF installed, learn how to use it.

Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.