---
title: ''
header: Fastly Next-Gen WAF
excerpt: null
lang: en
last_updated: '2026-02-09T00:00:00.000Z'
url: https://docs.fastly.com/products/fastly-next-gen-waf

---

The [Fastly Next-Gen WAF](https://www.fastly.com/documentation/guides/next-gen-waf/) is a web application firewall that monitors for suspicious and anomalous web traffic and protects, in real time, against attacks directed at the applications and origin servers that you specify.

Using default settings created by Fastly and custom settings you specify, the Next-Gen WAF identifies and tracks attacks across all of your deployments and determines whether to flag the originating IP address as potentially problematic, rate limit the IP address, allow the request, tag it with signals, block it, or return a [deceptive response](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/using-the-deception-action). You can choose to enable or disable these actions at any time. When the Next-Gen WAF determines that an incoming request is anomalous, we collect data from that request and upload it to our cloud engine, allowing us to perform out-of-band analysis of inbound traffic.

## Feature availability

::: tabbed-panels
  ::: panel Security Core, Core Plus, and Total

Feature availability and limitations depend on the Security Core, Security Core Plus, and Security Total [packaged security offering](https://www.fastly.com/package-entitlements/) you may have purchased, as well as limitations specifically mentioned on your service order. The Core, Core Plus, and Total columns indicate what's included in each package.

Feature | Core | Core Plus | Total
--- | --- | --- | ---
[Deployment Types](#deployment-types) | Edge<br />On-Prem | Edge<br />On-Prem | Edge<br />On-Prem
[API Discovery](/products/api-discovery) | Available for purchase | Available for purchase | Included
[Bot Management](/products/bot-management) | Available for purchase | Available for purchase | Included
[Client-side Protection](/products/fastly-client-side-protection) | Available for purchase | Included | Included
[DDoS Protection](/products/fastly-ddos-protection) | Available for purchase | Included | Included
[Default attack signals](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/signals/using-system-signals/#attacks) | Included | Included | Included
[Default anomaly signals](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/signals/using-system-signals/#anomalies) | Included | Included | Included
[Standard API & ATO signals](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/signals/configuring-system-signals/#ato-and-api-signals) | Included | Included | Included
[Custom signals](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/signals/working-with-custom-signals) | Included | Included | Included
[Lists](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/using-lists-in-rules) | Included | Included | Included
[Virtual patching](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/virtual-patches-for-cves/) | Included<br />(BLOCK only) | Included | Included
[Custom rules](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/about-rules/#rule-types)<sup>*</sup> | Available for purchase | Included | Included
[Signal exclusion rules](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/about-rules/#rule-types) | Included | Included | Included
[Rule action types](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/about-rules/#action-types) | <a href="https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/about-rules/#allow">Allow</a> and <a href="https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/about-rules/#block">Block</a> only | All | All
[Attack thresholds](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/thresholds/configuring-attack-thresholds) | Included | Included | Included
[Edge Rate Limiting](https://www.fastly.com/documentation/guides/security/rate-limiting/working-with-rate-limiting-policies)<sup>**</sup> | Available for purchase | Available for purchase  | Included
[Custom response codes](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/agent-response-codes/using-custom-agent-response-codes) | Not available | Included | Included
[Default dashboards](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/monitoring/monitoring-with-system-generated-dashboards/) | Included | Included | Included
<small><sup>*</sup> Custom rules include <a href="https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/working-with-request-rules/">request rules</a>, <a href="https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/working-with-advanced-rate-limiting-rules/">advanced rate limiting rules</a>, and <a href="https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/thresholds/configuring-site-alerts/">signal thresholds (site alerts)</a>.</small><br />
<small><sup>**</sup> Requires an active <a href="https://docs.fastly.com/products/fastlys-full-site-delivery">Full-site Delivery</a> or <a href="https://docs.fastly.com/products/compute">Compute</a> account.</small>

  :::
  ::: panel Security Starter, Advantage, and Ultimate

Feature availability and limitations depend on the platform and, if applicable, the Security Starter, Security Advantage, or Security Ultimate [packaged security offering](https://www.fastly.com/package-entitlements/) you may have purchased. The Essential, Professional, and Premier platform columns indicate what's included in each package.

Feature | Essential | Professional | Premier
--- | --- | --- | ---
[Deployment Types](#deployment-types) | Edge<br />On-Prem<br />Cloud | Edge<br />On-Prem<br />Cloud | Edge<br />On-Prem<br />Cloud
[API Discovery](/products/api-discovery) | Not available | Available for purchase | Included
[Bot Management](/products/bot-management) | Not available | Available for purchase | Available for purchase
[Client-side Protection](/products/fastly-client-side-protection) | Not available | Available for purchase | Available for purchase
[DDoS Protection](/products/fastly-ddos-protection) | Not available | Available for purchase | Available for purchase
[Standard API & ATO signals](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/signals/configuring-system-signals/#ato-and-api-signals) | Not available | Included | Included
[Custom signals](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/signals/working-with-custom-signals) | Not available | Included | Included
[Lists](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/using-lists-in-rules) | Not available | Included | Included
[Virtual patching](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/virtual-patches-for-cves/) | Included<br />(BLOCK only) | Included | Included
[Request rules](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/about-rules/#rule-types) | Included | Included | Included
[Signal exclusion rules](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/about-rules/#rule-types) | Not available | Included | Included
[Templated rules](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/about-rules/#rule-types) | Not available | Included | Included
[Rule action types](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/about-rules/#action-types) | <a href="https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/about-rules/#allow">Allow</a> and <a href="https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/about-rules/#block">Block</a> only | All except <a href="https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/about-rules/#deception">Deception</a> | All
[Attack thresholds](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/thresholds/configuring-attack-thresholds) | Included | Included | Included
[Site alerts](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/thresholds/configuring-site-alerts/) (signal thresholds) | Included (attack signals only) | Included | Included
[Edge Rate Limiting](https://www.fastly.com/documentation/guides/security/rate-limiting/working-with-rate-limiting-policies) | Not available | Included<sup>*</sup>  | Included<sup>*</sup>
[Advanced Rate Limiting](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/working-with-advanced-rate-limiting-rules) | Not available | Not available | Included
[Custom response codes](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/agent-response-codes/using-custom-agent-response-codes) | Not available | Included | Included
[Default dashboards](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/monitoring/monitoring-with-system-generated-dashboards/) | Included | Included | Included
<small><sup>*</sup> Requires an active <a href="https://docs.fastly.com/products/fastlys-full-site-delivery">Full-site Delivery</a> or <a href="https://docs.fastly.com/products/compute">Compute</a> account.</small>

  :::
:::

## Documentation

Documentation for the Next-Gen WAF can be found at [www.fastly.com/documentation/guides/next-gen-waf](https://www.fastly.com/documentation/guides/next-gen-waf/). We [announce the most recent changes and updates](https://www.fastly.com/documentation/reference/changes/) for the agents and modules in our changelog.

## Control panel access

The Next-Gen WAF can be accessed via either the [Next-Gen WAF control panel](https://dashboard.signalsciences.net/) or the [Fastly control panel](https://manage.fastly.com/). Each control panel allows you to investigate anomalous web traffic and see what actions, if any, Next-Gen WAF performed in response to certain requests. You can also use the control panel to create sites (also known as workspaces). A site (workspace) is a user-defined set of rules and settings for applications and origin servers. Each control panel allows you to create multiple sites (workspaces) to differentiate between one or more APIs, microservices, or web applications. For each site (workspace), you can use the control panels to add rules for requests, configure thresholds, and add integrations to other systems.

## Deployment types

The Next-Gen WAF can be deployed in three different ways:

* __On Fastly’s Edge platform (Edge WAF).__ To use the Edge WAF deployment method with VCL or Compute services, you must add it to new or existing Fastly services that you create in the Fastly control panel and update your DNS records to point to Fastly.
* __Directly on your web servers within your infrastructure (On-Prem WAF).__ The On-Prem WAF (formerly known as Core WAF) deployment method consists of two components, the module and the agent. The module can exist as a [plugin to your web server](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/about-module-agent-deployment#web-server-module-options) or as a [language or framework-specific implementation](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/about-module-agent-deployment/#language-and-framework-specific-module-rasp-options). The agent is a small process that provides an interface between your web server and our cloud engine. You can also use this deployment method without a module by running the agent in [reverse proxy mode](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/agent-only-deployment/configuring-agent-reverse-proxy-deployments).
* __On Fastly’s cloud-hosted infrastructure (Cloud WAF).__ To use Cloud WAF, you must upload a TLS certificate, add an origin server using the Next-Gen WAF control panel, and update your DNS records to point to the appropriate servers.

The Next-Gen WAF control panel supports all features of all deployment types. The Fastly control panel supports the features of the Edge WAF and On-Prem WAF deployment types only.

## Threat intelligence

As part of Next-Gen WAF, we may [aggregate the attack data collected](/products/data-management) from use of Next-Gen WAF and combine it with data collected from security and other services offered as part of the Fastly platform, including for other subscribers. We use these data insights (threat intelligence) to analyze and detect potential future anomalies or attacks and to improve, secure, provide, and market Fastly services in a manner that does not associate the threat intelligence with or identify any subscriber. For example, you receive the benefits of this threat intelligence via the Network Learning Exchange (NLX) feature that adds a unique signal to information in the control panels and alerts you to potential bad actors that have been identified elsewhere in the subscriber network.

## API

The [Signal Sciences Application Programming Interface](https://www.fastly.com/documentation/signalsciences/api/) allows you to integrate your applications and services with the Next-Gen WAF via the Next-Gen WAF control panel. The [Fastly Security Application Programming Interface](https://www.fastly.com/documentation/reference/api/security/) allows you to integrate your applications and services with the Next-Gen WAF via the Fastly control panel. Each uses standard HTTP response codes and verbs to allow you to programmatically control all the same features that are available with the [control panels](#control-panel-access). Each API provides a variety of endpoints that we document in our API reference documentation.

## Control over data sharing

Next-Gen WAF gives you control over data shared with Fastly. The hosted Cloud WAF deployment does not create copies of or store your data feed as it passes through.

The security components for all deployment types of Next-Gen WAF do not require transmission or collection of any sensitive or personally identifiable information to function other than IP addresses that are identified as the initiator of anomalous or suspicious requests and related metadata. The Next-Gen WAF is designed to automatically redact certain sensitive or personally identifiable information in fields that are known to commonly contain such information before transmission to the cloud engine component of the Next-Gen WAF. Also, the Next-Gen WAF allows you to manually configure which fields are redacted via the control panel to further limit the sensitive information or other information sent to the cloud engine component of the Next-Gen WAF, other than the limited data required for the functionality of the Next-Gen WAF.

If properly configured, for Edge and Cloud WAF deployments, none of your sensitive information other than the IP addresses identified as the initiator of anomalous or suspicious requests will be sent to the cloud engine component of the Next-Gen WAF. For On-Prem WAF deployments of Next-Gen WAF, if properly configured, this means that none of your sensitive information other than the IP addresses identified as the initiator of anomalous or suspicious requests will be shared with Fastly.

## DDoS mitigation

Edge and Cloud WAF deployments feature an always-on service integration that examines inbound traffic to detect and mitigate Distributed Denial of Service (DDoS) attacks before they reach the applications and origin servers that you specify.

Edge WAF deployments receive access to a [combination of features](/products/fastlys-full-site-delivery#always-on-ddos-mitigation) inherent in the Fastly Edge Cloud network that help protect from DDoS threats. This service requires no additional installation or maintenance.

Cloud WAF deployments use automated mitigation techniques to stop common network protocol-based floods including SYN floods and reflection attacks using UDP, DNS, NTP, and SSDP. This service requires no additional installation or maintenance.

In addition to these included detection and mitigation capabilities, Fastly offers [Fastly DDoS Protection](/products/fastly-ddos-protection). For more information about this or any of our advanced services, including their subscription costs, contact [sales@fastly.com](mailto:sales@fastly.com).

## Subscriber responsibilities

From time to time, we may provide error corrections, bug fixes, software updates, and software upgrades to the agent and the module. Notices about updates are included in the [documentation](https://www.fastly.com/documentation/reference/changes/ngwaf-agent/) and described in the [release notes](https://www.fastly.com/documentation/reference/changes/). You can also [subscribe to receive emails from us](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/integrations/mailing-list) when updates are released or subscribe to our integrations with third-party tools (e.g., [Slack](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/integrations/slack) or [Microsoft Teams](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/integrations/teams)). For On-Prem WAF deployments, it is your responsibility to ensure that you are using the most recent version of the Next-Gen WAF components. Agents on Edge and Cloud WAF deployments are kept up to date by Fastly.

As a subscriber, you can identify and maintain up to five points of contact for support communications. All support requests must be initiated from and communicated through the designated points of contact.

Subject to the terms of any open source license applicable to any Fastly software installed in your environment (namely the agents and modules), your subscription for Next-Gen WAF does not include permission to modify the software or create derivative works based upon the software other than as set forth in the Documentation.

## Limitations

All WAF products that exist today, including the Next-Gen WAF, have several limitations:

* __False positives.__ Any WAF can mistake good traffic for bad. We strongly recommend you monitor your traffic via the control panel for a minimum of two weeks before blocking traffic. You don't want to start blocking traffic with configurations that are generating false positives.
* __Custom application vulnerabilities.__ If attackers discover a vulnerability unique to your application or the technologies you use, and if your WAF configuration does not have a rule to protect against exploits for that particular vulnerability, it will not be able to protect your application in that instance.
* __Inspection of HTTP and HTTPS traffic only.__ A WAF only inspects HTTP or HTTPS requests (layer 7). It will not process any TCP, UDP, or ICMP requests.
* __WebSocket traffic inspection.__ Next-Gen WAF can only inspect WebSocket traffic when it is deployed using the On-Prem WAF (formerly known as Core WAF) deployment method. Edge WAF and Cloud WAF deployments don't support WebSocket traffic inspection.
* __Security products note.__

## Billing

We bill you as specified in your applicable ordering document. We measure months according to Coordinated Universal Time (UTC). All deployments are billed according to the number of sites (workspaces) and either the average requests per second (RPS) or average requests per month (RPM) processed by Next-Gen WAF as appropriate for your packaged entitlements.

Any time you purchase a [deployment option](/products/fastly-next-gen-waf/#deployment-types) for the first time, your service order will include a one-time purchase of [Implementation Services](/products/fastly-next-gen-waf-professional-services#implementation-services) to assist you with your onboarding experience.

Edge WAF deployments are additionally billed for delivery charges associated with the [Full-Site Delivery service](/products/fastlys-full-site-delivery) on which those deployments are hosted. [Prices](https://www.fastly.com/pricing) are based on the volume of content delivered to your end users and the location of the POPs from which that content was served. Fastly billing is done in arrears based on [actual usage](/products/how-we-calculate-your-delivery-bill) with month-to-date usage being available via both our control panel and APIs.

Cloud WAF deployments are additionally billed for the overall traffic flowing through the hosted services in terabytes (TBs) and the number and location of protected origins.
