Fastly Next-Gen WAF (powered by Signal Sciences)
Last updated 2022-06-22
The Fastly Next-Gen WAF (powered by Signal Sciences) is a web application firewall that monitors for suspicious and anomalous web traffic and protects, in real-time, against attacks directed at the applications and origin servers that you specify.
Using default settings created by Fastly and custom settings you specify, the Next-Gen WAF identifies and tracks attacks across all of your deployments and determines whether to flag the originating IP address as potentially problematic, rate limit the IP address, allow the request, tag it with signals, or block it. You can choose to enable or disable these actions at any time. When the Next-Gen WAF determines that an incoming request is anomalous, we collect data from that request and upload it to our cloud engine, allowing us to perform out-of-band analysis of inbound traffic.
We provide documentation for the Next-Gen WAF in the Signal Sciences Help Center. Release notes for the agents and modules are also provided in the Signal Sciences Help Center.
The Next-Gen WAF can be deployed in three different ways:
- On Fastly’s Edge Cloud platform (Edge). To use the edge deployment method, you must add it to new or existing Fastly services that you create in the Fastly console and update your DNS records to point to Fastly.
- Directly on your web servers within your infrastructure (Core). The Core deployment method consists of two components, the module and the agent. The module can exist as a plugin to your web server or as a language or framework specific implementation. The agent is a small daemon process that provides an interface between your web server and our cloud engine. You can also use the core deployment method without a module by running the agent in reverse proxy mode.
- On Fastly’s cloud-hosted infrastructure (Cloud WAF). To use Cloud WAF, you must upload a TLS certificate, add an origin server using the Signal Sciences Hosted Dashboard, and update your DNS records to point to the appropriate servers.
The Signal Sciences Hosted Dashboard (Hosted Dashboard) is a web interface that you can use to investigate anomalous web traffic and see what actions, if any, Next-Gen WAF performed in response to certain requests. You can also use the Hosted Dashboard to create Workspaces. A Workspace (also known as a Site) is a user-defined set of rules and settings for applications and origin servers. The Hosted Dashboard allows you to create multiple Workspaces to differentiate between one or more APIs, microservices, or web applications. For each Workspace, you can use the Hosted Dashboard to add rules for requests, configure site alert thresholds, and add integrations to other systems.
As part of Next-Gen WAF, we may aggregate the attack data collected from use of Next-Gen WAF and combine it with data collected from security and other services offered as part of the Fastly platform, including for other subscribers. We use these data insights (threat intelligence) to analyze and detect potential future anomalies or attacks and to improve, secure, provide, and market Fastly services in a manner that does not associate the threat intelligence with or identify any subscriber. For example, you receive the benefits of this threat intelligence via the Network Learning Exchange (NLX) feature that adds a unique signal to information in the Hosted Dashboard and alerts you to potential bad actors that have been identified elsewhere in the subscriber network.
The Signal Sciences Application Programming Interface (API) allows you to integrate your applications and services with the Next-Gen WAF. It uses standard HTTP response codes and verbs to allow you to programmatically control all the same features that are available through the Hosted Dashboard. The Signal Sciences API provides a variety of endpoints that we document in our API reference documentation.
Control over data sharing
Next-Gen WAF gives you control over data shared with Fastly. The Hosted Services component of the Cloud WAF deployment does not create copies of or store your data as it passes through. The hosted aspect of the Edge deployment similarly does not create copies of or store your data feed as it passes through.
The security components of all Next-Gen WAF deployment types do not require the transmission or collection of any sensitive or personally identifiable information to function, other than the IP addresses identified as initiators of anomalous or suspicious requests and related metadata. The Next-Gen WAF is designed to automatically redact certain sensitive or personally identifiable information in fields known to commonly contain such information before transmission to the cloud engine component of the Next-Gen WAF. You can also manually configure, via the Hosted Dashboard, which additional fields are redacted, further limiting the sensitive or other information sent to the cloud engine beyond the limited data required for the Next-Gen WAF to function. If properly configured, Edge and Cloud WAF deployments send none of your sensitive information to the cloud engine component other than the IP addresses identified as initiators of anomalous or suspicious requests. For Core deployments of Next-Gen WAF, if properly configured, this means that none of your sensitive information other than those IP addresses is shared with Fastly.
Edge and Cloud WAF deployments feature an always-on service integration that examines inbound traffic to detect and mitigate Distributed Denial of Service (DDoS) attacks before they reach the applications and origin servers that you specify.
Edge deployments receive access to a combination of features inherent in the Fastly Edge Cloud network that help protect from DDoS threats. This service requires no additional installation or maintenance.
Cloud WAF deployments use automated mitigation techniques to stop common network protocol-based floods including SYN floods and reflection attacks using UDP, DNS, NTP, and SSDP. This service requires no additional installation or maintenance.
Feature availability depends on the platform you have purchased.
| Feature | Platform 1 | Platform 2 | Platform 3 |
|---|---|---|---|
| Default attack signals | Included | Included | Included |
| Default anomaly signals | Included | Included | Included |
| Custom response codes | Not Included | Included | Included |
| Custom signals | Not Included | Included | Included |
| Standard API & ATO signals | Not Included | Included | Included |
| Advanced Rate Limiting | Not Included | Not Included | Included |
| Edge Rate Limiting | Not Included | Not Included | Included, but requires an active full-site delivery account |
We bill you as specified in your applicable ordering document. We measure months according to Coordinated Universal Time (UTC). All deployments are billed according to the number of Workspaces and the average requests per second (RPS) processed by Next-Gen WAF.
Edge deployments are additionally billed for delivery charges associated with the Full-Site Delivery service on which Edge deployments are hosted. Prices are based on the volume of content delivered to your end users and the location of the POPs from which that content was served. Fastly billing is done in arrears based on actual usage with month-to-date usage being available via both our web interface and APIs.
Cloud WAF deployments are additionally billed for the overall traffic flowing through the Hosted Services in terabytes (TBs) and the number and location of protected origins.
From time to time, we may provide error corrections, bug fixes, software updates, and software upgrades to the agent and the module. Notices about updates are included in the documentation and described in the release notes. You can also subscribe to receive emails from us when updates are released or subscribe to our integrations with third-party tools (e.g., Slack or Microsoft Teams). For Core deployments, it is your responsibility to ensure that you are using the most recent version of the Next-Gen WAF components. Agents on Edge and Cloud WAF deployments are kept up to date by Fastly.
As a subscriber, you can identify and maintain up to five points of contact for support communications. All support requests must be initiated from and communicated through the designated points of contact.
Subject to the terms of any open source license applicable to any Fastly software installed in your environment (namely the agents and modules), your subscription for Next-Gen WAF does not include permission to modify the software or create derivative works based upon the software other than as set forth in the Documentation.
All WAF products that exist today, including the Next-Gen WAF, have several limitations:
- False positives. Any WAF can mistake good traffic for bad. We strongly recommend you monitor your traffic via the Hosted Dashboard for a minimum of two weeks before blocking traffic. You don't want to start blocking traffic with configurations that are generating false positives.
- Custom application vulnerabilities. If attackers discover a vulnerability unique to your application or the technologies you use, and if your WAF configuration does not have a rule to protect against exploits for that particular vulnerability, it will not be able to protect your application in that instance.
- Inspection of HTTP and HTTPS traffic only. A WAF only inspects HTTP or HTTPS requests (layer 7). It will not process any TCP, UDP, or ICMP requests.
- Security products note. No security product, such as a WAF or DDoS mitigation product, including those security services offered by Fastly, will detect or prevent all possible attacks or threats. Subscribers should maintain appropriate security controls on all web applications and origins, and the use of Fastly's security products does not relieve subscribers of this obligation. Subscribers should test and validate the effectiveness of Fastly's security services to the extent possible prior to deploying these services in production, and continuously monitor their performance and adjust these services as appropriate to address changes in the Subscriber's web applications, origin services, and configurations of the other aspects of the Subscriber's Fastly services.