Network requirements
Last updated 2024-10-01
IMPORTANT
This guide only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel. If you have access to the Next-Gen WAF product in the Fastly control panel, you can only deploy the Next-Gen WAF with the Edge WAF deployment method.
When deployed in a self-hosted deployment, the Next-Gen WAF agent requires egress to multiple external endpoints in order to retrieve its configuration, receive rule updates, and send notifications. If you install the required Next-Gen WAF packages via a package manager, the server must also be able to reach our external package repositories to retrieve packages and package updates. The sections below list the Fully Qualified Domain Names (FQDNs), and the functionality each one provides, that may need to be added to your egress and firewall policies.
NOTE
These endpoints are CNAME records that resolve to IP addresses, and those IP addresses are subject to change (e.g., when the services behind them scale). For this reason, we recommend allowing traffic to these endpoints by FQDN rather than by IP address or IP address range. Allow-listing only IP addresses has the potential to impact the availability of your deployment.
APT installs
For distributions that use Advanced Package Tool (APT) to retrieve our packages, ensure egress to:
FQDN | Port | Protocols | Description |
---|---|---|---|
apt.signalsciences.net | 443 | TCP/HTTPS | Repository URL |
dl.signalsciences.net | 443 | TCP/HTTPS | Used for GPG key verification on upgrade and install |
d3fo0g5hm7lbuv.cloudfront.net | 443 | TCP/HTTPS | Cached package objects via packagecloud |
DNF and YUM installs
For distributions that use Dandified Yum (DNF) and Yellowdog Updater (YUM) for packaging, ensure egress to:
FQDN | Port | Protocols | Description |
---|---|---|---|
yum.signalsciences.net | 443 | TCP/HTTPS | Repository URL |
dl.signalsciences.net | 443 | TCP/HTTPS | Used for GPG key verification on upgrade and install |
d3fo0g5hm7lbuv.cloudfront.net | 443 | TCP/HTTPS | Cached package objects via packagecloud |
APK installs
For distributions that use Alpine Package Keeper (APK) for packaging, ensure egress to:
FQDN | Port | Protocols | Description |
---|---|---|---|
apk.signalsciences.net | 443 | TCP/HTTPS | Repository URL and GPG key location |
Direct download installs and the agent auto-update service
For direct package downloads and the agent auto-update service, ensure egress to:
FQDN | Port | Protocols | Description |
---|---|---|---|
dl.signalsciences.net | 443 | TCP/HTTPS | Repository URL |
dl-signalsciences-net.s3-us-west-2.amazonaws.com | 443 | TCP/HTTPS | Repository URL |
Next-Gen WAF endpoints
The Next-Gen WAF endpoints are fronted by the Fastly CDN, with AWS serving as the configuration failover. If the Next-Gen WAF agent is unable to download from the Fastly CDN, it falls back to downloading directly from an AWS S3 bucket, with an additional fallback to a secondary bucket in a second region, until it can download from the Fastly CDN or the primary S3 bucket again.
The agent communicates with the following endpoints:
FQDN | Port | Protocols | Description |
---|---|---|---|
c.signalsciences.net | 443 | TCP/HTTPS | Next-Gen WAF collector endpoint |
wafconf.signalsciences.net | 443 | TCP/HTTPS | Primary configuration endpoint |
sigsci-agent-wafconf.s3.amazonaws.com | 443 | TCP/HTTPS | Failover configuration endpoint |
sigsci-agent-wafconf-us-west-2.s3.amazonaws.com | 443 | TCP/HTTPS | Secondary failover configuration endpoint |
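A pre-flight check you can run on the agent host before installation, added here as an example and not part of Fastly's own tooling: it takes the FQDNs from the tables above, resolves each one and completes a verified TLS handshake on tcp/443, so a missing egress or firewall rule shows up as a named host rather than as a failed install. It assumes only Python 3 and the standard library; the install-method names (`apt`, `yum`, `apk`, `direct`) are this script's own grouping.

```python
import socket
import ssl

# FQDNs taken from the tables on this page, grouped by install method.
ENDPOINTS = {
    "agent":  ["c.signalsciences.net", "wafconf.signalsciences.net",
               "sigsci-agent-wafconf.s3.amazonaws.com",
               "sigsci-agent-wafconf-us-west-2.s3.amazonaws.com"],
    "apt":    ["apt.signalsciences.net", "dl.signalsciences.net",
               "d3fo0g5hm7lbuv.cloudfront.net"],
    "yum":    ["yum.signalsciences.net", "dl.signalsciences.net",
               "d3fo0g5hm7lbuv.cloudfront.net"],
    "apk":    ["apk.signalsciences.net"],
    "direct": ["dl.signalsciences.net",
               "dl-signalsciences-net.s3-us-west-2.amazonaws.com"],
}

def tls_connect(host, port=443, timeout=5.0):
    """Real probe: resolve the FQDN, open a TCP connection and complete a
    TLS handshake with certificate and hostname verification. Raises
    OSError (which covers DNS, socket and ssl errors) on failure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()

def check_egress(install_method, probe=tls_connect):
    """Probe every FQDN needed for install_method ("apt", "yum", "apk" or
    "direct"); the agent's runtime endpoints are always included. Returns
    {fqdn: None} on success or {fqdn: "<error>"} on failure. `probe` is
    injectable so the reporting logic can be exercised offline."""
    hosts = dict.fromkeys(ENDPOINTS["agent"] + ENDPOINTS[install_method])
    results = {}
    for host in hosts:
        try:
            probe(host)
            results[host] = None
        except OSError as exc:
            results[host] = f"{type(exc).__name__}: {exc}"
    return results

def blocked(results):
    """FQDNs that failed; an empty list means the egress policy is complete."""
    return sorted(host for host, err in results.items() if err)

if __name__ == "__main__":
    import sys
    res = check_egress(sys.argv[1] if len(sys.argv) > 1 else "apt")
    for host, err in res.items():
        print(f"{'FAIL' if err else 'OK  '} {host}{'  (' + err + ')' if err else ''}")
    sys.exit(1 if blocked(res) else 0)
```

Run it as `python3 check_egress.py yum` (or `apt`, `apk`, `direct`) from the server that will host the agent; a non-zero exit code means at least one required FQDN is unreachable through the current policy.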