Fastly Next-Gen WAF
Last updated 2024-10-22
The Fastly Next-Gen WAF is a web application firewall that monitors for suspicious and anomalous web traffic and protects, in real-time, against attacks directed at the applications and origin servers that you specify.
Using default settings created by Fastly and custom settings you specify, the Next-Gen WAF identifies and tracks attacks across all of your deployments and determines whether to flag the originating IP address as potentially problematic, rate limit the IP address, allow the request, tag it with signals, or block it. You can choose to enable or disable these actions at any time. When the Next-Gen WAF determines that an incoming request is anomalous, we collect data from that request and upload it to our cloud engine, allowing us to perform out-of-band analysis of inbound traffic.
The Fastly Next-Gen WAF now collectively refers to the products that were previously known as the Signal Sciences Cloud WAF and Signal Sciences Next-Gen WAF. The functionality of those products has not changed as part of the new naming convention. Fastly Next-Gen WAF continues to be powered by Signal Sciences technology.
Documentation
Documentation for the Next-Gen WAF can be found at docs.fastly.com/en/ngwaf/. We announce the most recent changes and updates for the agents and modules in our changelog.
Control panel access
The Next-Gen WAF can be accessed via either the Next-Gen WAF control panel or the Fastly control panel. Each control panel allows you to investigate anomalous web traffic and see what actions, if any, Next-Gen WAF performed in response to certain requests. You can also use the control panel to create sites (also known as workspaces). A site (workspace) is a user-defined set of rules and settings for applications and origin servers. Each control panel allows you to create multiple sites (workspaces) to differentiate between one or more APIs, microservices, or web applications. For each site (workspace), you can use the control panels to add rules for requests, configure site alert (workspace alert) thresholds, and add integrations to other systems.
Deployment types
The Next-Gen WAF can be deployed in three different ways:
- On Fastly’s Edge platform (Edge WAF). To use the Edge WAF deployment method with VCL or Compute services, you must add it to new or existing Fastly services that you create in the Fastly control panel and update your DNS records to point to Fastly.
- Directly on your web servers within your infrastructure (Core WAF). The Core WAF deployment method consists of two components, the module and the agent. The module can exist as a plugin to your web server or as a language or framework-specific implementation. The agent is a small process that provides an interface between your web server and our cloud engine. You can also use the Core WAF deployment method without a module by running the agent in reverse proxy mode.
- On Fastly’s cloud-hosted infrastructure (Cloud WAF). To use Cloud WAF, you must upload a TLS certificate, add an origin server using the Next-Gen WAF control panel, and update your DNS records to point to the appropriate servers.
The Next-Gen WAF control panel supports all features of all deployment types. The Fastly control panel supports the features of the Edge WAF deployment type only.
Threat intelligence
As part of Next-Gen WAF, we may aggregate the attack data collected from use of Next-Gen WAF and combine it with data collected from security and other services offered as part of the Fastly platform, including for other subscribers. We use these data insights (threat intelligence) to analyze and detect potential future anomalies or attacks and to improve, secure, provide, and market Fastly services in a manner that does not associate the threat intelligence with or identify any subscriber. For example, you receive the benefits of this threat intelligence via the Network Learning Exchange (NLX) feature that adds a unique signal to information in the control panels and alerts you to potential bad actors that have been identified elsewhere in the subscriber network.
API
The Signal Sciences Application Programming Interface allows you to integrate your applications and services with the Next-Gen WAF via the Next-Gen WAF control panel. The Fastly Security Application Programming Interface allows you to integrate your applications and services with the Next-Gen WAF via the Fastly control panel. Each uses standard HTTP response codes and verbs to allow you to programmatically control all the same features that are available with the control panels. Each API provides a variety of endpoints that we document in our API reference documentation.
Control over data sharing
Next-Gen WAF gives you control over data shared with Fastly. The hosted Cloud WAF deployment does not create copies of or store your data feed as it passes through.
The security components for all deployment types of Next-Gen WAF do not require transmission or collection of any sensitive or personally identifiable information to function other than IP addresses that are identified as the initiator of anomalous or suspicious requests and related metadata. The Next-Gen WAF is designed to automatically redact certain sensitive or personally identifiable information in fields that are known to commonly contain such information before transmission to the cloud engine component of the Next-Gen WAF. Also, the Next-Gen WAF allows you to manually configure which fields are redacted via the control panel to further limit the sensitive information or other information sent to the cloud engine component of the Next-Gen WAF, other than the limited data required for the functionality of the Next-Gen WAF.
If properly configured, for Edge and Cloud WAF deployments, none of your sensitive information other than the IP addresses identified as the initiator of anomalous or suspicious requests will be sent to the cloud engine component of the Next-Gen WAF. For Core WAF deployments of Next-Gen WAF, if properly configured, this means that none of your sensitive information other than the IP addresses identified as the initiator of anomalous or suspicious requests will be shared with Fastly.
DDoS mitigation
Edge and Cloud WAF deployments feature an always-on service integration that examines inbound traffic to detect and mitigate Distributed Denial of Service (DDoS) attacks before they reach the applications and origin servers that you specify.
Edge WAF deployments receive access to a combination of features inherent in the Fastly Edge Cloud network that help protect from DDoS threats. This service requires no additional installation or maintenance.
Cloud WAF deployments use automated mitigation techniques to stop common network protocol-based floods including SYN floods and reflection attacks using UDP, DNS, NTP, and SSDP. This service requires no additional installation or maintenance.
In addition to these included detection and mitigation capabilities, Fastly offers Fastly DDoS Protection. For more information about this or any of our advanced services, including their subscription costs, contact sales@fastly.com.
Feature availability
Feature availability depends on the platform and, if applicable, any packaged offerings you have purchased. The Next-Gen WAF control panel supports all features of the Essential, Professional, and Premier platforms. The Fastly control panel supports the features of the Essential platform only.
Feature | Essential | Professional | Premier |
---|---|---|---|
Default attack signals | Included | Included | Included |
Default anomaly signals | Included | Included | Included |
Default dashboards | Included | Included | Included |
System site alerts (System workspace alerts) | Included | Included | Included |
Virtual Patching | Included (BLOCK only) | Included | Included |
Custom response codes | Not Included | Included | Included |
Custom signals | Not Included | Included | Included |
Custom site alerts (Custom workspace alerts) | Not Included | Included | Included |
Lists | Not Included | Included | Included |
Standard API & ATO signals | Not Included | Included | Included |
Advanced Rate Limiting | Not Included | Not Included | Included |
Edge Rate Limiting | Not Included | Included but requires active Full-site Delivery or Compute account | Included but requires active Full-site Delivery or Compute account |
Bot Management | Not available | Available for purchase | Available for purchase |
Deployment Types | Edge WAF Core WAF Cloud WAF | Edge WAF Core WAF Cloud WAF | Edge WAF Core WAF Cloud WAF |
Subscriber responsibilities
From time to time, we may provide error corrections, bug fixes, software updates, and software upgrades to the agent and the module. Notices about updates are included in the documentation and described in the release notes. You can also subscribe to receive emails from us when updates are released or subscribe to our integrations with third-party tools (e.g., Slack or Microsoft Teams). For Core WAF deployments, it is your responsibility to ensure that you are using the most recent version of the Next-Gen WAF components. Agents on Edge and Cloud WAF deployments are kept up to date by Fastly.
As a subscriber, you can identify and maintain up to five points of contact for support communications. All support requests must be initiated from and communicated through the designated points of contact.
Subject to the terms of any open source license applicable to any Fastly software installed in your environment (namely the agents and modules), your subscription for Next-Gen WAF does not include permission to modify the software or create derivative works based upon the software other than as set forth in the Documentation.
Limitations
All WAF products that exist today, including the Next-Gen WAF, have several limitations:
- False positives. Any WAF can mistake good traffic for bad. We strongly recommend you monitor your traffic via the control panel for a minimum of two weeks before blocking traffic. You don't want to start blocking traffic with configurations that are generating false positives.
- Custom application vulnerabilities. If attackers discover a vulnerability unique to your application or the technologies you use, and if your WAF configuration does not have a rule to protect against exploits for that particular vulnerability, it will not be able to protect your application in that instance.
- Inspection of HTTP and HTTPS traffic only. A WAF only inspects HTTP or HTTPS requests (layer 7). It will not process any TCP, UDP, or ICMP requests.
- Security products note. No security product, such as a WAF or DDoS mitigation product, including those security services offered by Fastly, will detect or prevent all possible attacks or threats. As a subscriber, you should maintain appropriate security controls on all web applications and origins. The use of Fastly's security products do not relieve you of this obligation. As a subscriber, you should test and validate the effectiveness of Fastly's security services to the extent possible prior to deploying these services in production, continuously monitor their performance, and adjust these services as appropriate to address changes in your web applications, origin services, and configurations of the other aspects of your Fastly services.
This article describes a product that may use third-party cloud infrastructure to process or store content or requests for content. For more information, check out our cloud infrastructure security and compliance program.
Billing
NOTE
Billing limits for this product may be different if you've purchased a package offering or are using a product or feature trial.
We bill you as specified in your applicable ordering document. We measure months according to Coordinated Universal Time (UTC). All deployments are billed according to the number of sites (workspaces) and the average requests per second (RPS) processed by Next-Gen WAF.
When you purchase Next-Gen WAF for the first time, your service order will include a one-time purchase of Continuity Essentials to assist you with your onboarding experience. Likewise, any time you purchase a deployment option for the first time, your service order will include a one-time purchase of Implementation Services for the same reason.
Edge WAF deployments are additionally billed for delivery charges associated with the Full-Site Delivery service on which those deployments are hosted. Prices are based on the volume of content delivered to your end users and the location of the POPs from which that content was served. Fastly billing is done in arrears based on actual usage with month-to-date usage being available via both our web interface and APIs.
Cloud WAF deployments are additionally billed for the overall traffic flowing through the hosted services in terabytes (TBs) and the number and location of protected origins.
For more details about this product, including help with purchasing it, contact your account manager or email sales@fastly.com.
Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.