Web Application Firewall (WAF)
Last updated July 14, 2020
The Fastly WAF is a Web Application Firewall (WAF) security product that detects malicious request traffic sent over HTTP and HTTPS. Once properly configured and enabled for a service, the Fastly WAF can help protect against application-layer (layer 7) attacks such as SQL injection, cross-site scripting, and HTTP protocol violations.
Enabling Fastly WAF doesn't require modifications to your web application or origin servers. Contact our sales team to get started. Once you purchase the Fastly WAF, our customer support team will enable it with a default WAF policy for any service you've provided a service ID for. They will then work closely with you on additional configuration refinements. Once configured, you can then begin monitoring logs to determine which requests to your origin are legitimate and which you should consider blocking.
All WAF products that exist today, including the Fastly WAF, have several limitations:
- False positives. Any WAF can mistake good traffic for bad. We strongly recommend you monitor your logs for a minimum of two weeks before blocking traffic. You don't want to start blocking traffic with rules that are generating false positives.
- DNS configuration. A WAF only works when traffic is directed through it. It cannot protect against malicious requests that are sent to domain names or IP addresses that are not specified in your WAF configuration.
- Effective rules. A WAF is only as effective as the rules that are provisioned and tuned for it. You can add, remove, or modify rule modes using the rule management web interface or the API.
- Custom application vulnerabilities. If attackers discover a vulnerability unique to your application or the technologies you use, and if your WAF configuration does not have a rule to protect against exploits for that particular vulnerability, it will not be able to protect your application in that instance. You can add additional rules to help protect against these types of attacks. If you need more protection than the selected rules provide, customer support can work with you to create custom VCL to help block malicious requests.
- Inspection of HTTP and HTTPS traffic only. A WAF only inspects HTTP or HTTPS requests (layer 7). It will not process any TCP, UDP, or ICMP requests.
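The false-positive limitation above is why the page recommends a logging-only period before blocking. The following is an added example (not Fastly's code, and not Fastly's log format) of the kind of triage a practitioner runs over WAF events captured during that period: it groups events by rule and flags rules that fire for many distinct clients on ordinary paths, which is a common signature of a rule matching legitimate traffic. The JSON lines, field names (rule_id, client_ip, path, status) and rule IDs are constructed for illustration; the "many distinct clients" threshold is a heuristic, not a verdict.

```python
"""Triage WAF events recorded in logging (non-blocking) mode to spot rules
that may be producing false positives before switching to blocking.

Added example, not Fastly's own code or log schema. Field names and rule IDs
below are assumptions chosen for illustration.
"""
import json
from collections import defaultdict

# Constructed sample: one JSON object per WAF event, as a log pipeline might emit.
SAMPLE_LOG = """\
{"rule_id": 1001, "client_ip": "203.0.113.10", "path": "/search", "status": 200}
{"rule_id": 1001, "client_ip": "203.0.113.11", "path": "/search", "status": 200}
{"rule_id": 1001, "client_ip": "203.0.113.12", "path": "/search", "status": 200}
{"rule_id": 1002, "client_ip": "198.51.100.7", "path": "/comment", "status": 200}
{"rule_id": 1002, "client_ip": "198.51.100.7", "path": "/comment", "status": 200}
{"rule_id": 1002, "client_ip": "198.51.100.7", "path": "/login", "status": 200}
{"rule_id": 1003, "client_ip": "192.0.2.55", "path": "/", "status": 400}
"""


def parse_events(log_text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def summarize(events):
    """Per rule ID: total hits, distinct client IPs and distinct request paths."""
    summary = defaultdict(lambda: {"hits": 0, "clients": set(), "paths": set()})
    for ev in events:
        entry = summary[ev["rule_id"]]
        entry["hits"] += 1
        entry["clients"].add(ev["client_ip"])
        entry["paths"].add(ev["path"])
    return dict(summary)


def suspected_false_positives(summary, min_clients=3):
    """Heuristic: a rule triggered by many unrelated clients is worth reviewing
    before it is switched to blocking, because that pattern often means the rule
    is matching normal usage. A rule hammered by a single client is more
    consistent with probing and is not flagged here."""
    return sorted(rid for rid, s in summary.items() if len(s["clients"]) >= min_clients)


def triage(log_text, min_clients=3):
    """Convenience wrapper: returns (summary, rules_to_review)."""
    summary = summarize(parse_events(log_text))
    return summary, suspected_false_positives(summary, min_clients)


if __name__ == "__main__":
    summary, review = triage(SAMPLE_LOG)
    for rid, s in sorted(summary.items()):
        print(f"rule {rid}: {s['hits']} hits, {len(s['clients'])} clients, paths={sorted(s['paths'])}")
    print("review before blocking:", review)
```

Run it over a real export by replacing SAMPLE_LOG with the file contents; the rules it flags are the ones to examine (and, if needed, change to logging-only or exclude) before the service moves to blocking mode.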
Security products note
IMPORTANT: To ensure your web application only receives traffic from your WAF-enabled Fastly service, we strongly recommend you configure TLS client authentication for that service and allowlist Fastly's assigned IP ranges.
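As an added example (not Fastly's code), the logic an origin can apply so that it only accepts requests that both arrive from the CDN's published address ranges and present a verified TLS client certificate. The ranges below are placeholders from RFC 5737 / RFC 3849 documentation space, not Fastly's assigned ranges, and `client_cert_verified` is assumed to be the verification result reported by the TLS terminator in front of the application.

```python
"""Origin-side guard combining a source-address allowlist with TLS client
certificate verification. Added example, not Fastly's own code.

ALLOWED_RANGES holds placeholder documentation ranges; substitute the current
list of Fastly-assigned IP ranges published by Fastly.
"""
import ipaddress

ALLOWED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder IPv4 range, not a real Fastly range
    ipaddress.ip_network("2001:db8:1::/48"),  # placeholder IPv6 range
]


def from_allowed_range(remote_addr, ranges=ALLOWED_RANGES):
    """True if remote_addr falls inside one of the allowlisted networks.
    remote_addr must be the TCP peer address, never a value taken from
    X-Forwarded-For or similar headers, which any client can set."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def origin_guard(remote_addr, client_cert_verified, ranges=ALLOWED_RANGES):
    """Return (allowed, reason). Both checks must pass: the address check
    fails safe when the allowlist is stale, and the certificate check fails
    safe when traffic reaches the origin from an address that happens to be
    in range but did not come through the WAF-enabled service."""
    if not from_allowed_range(remote_addr, ranges):
        return False, "source address not in CDN allowlist"
    if not client_cert_verified:
        return False, "TLS client certificate not verified"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: (peer address, whether the TLS layer verified a client cert)
    for peer, verified in [("203.0.113.5", True), ("198.51.100.9", True), ("203.0.113.5", False)]:
        print(peer, verified, origin_guard(peer, verified))
```

In practice the same two checks are usually configured directly in the web server or load balancer that terminates TLS at the origin; the function above shows the decision an application-level middleware would make if it receives the peer address and the verification result from that layer.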
No security product, such as a WAF or DDoS mitigation product, including those security services offered by Fastly, will detect or prevent all possible attacks or threats. Subscribers should maintain appropriate security controls on all web applications and origins, and the use of Fastly's security products does not relieve subscribers of this obligation. Subscribers should test and validate the effectiveness of Fastly's security services to the extent possible prior to deploying these services in production, and should continuously monitor their performance and adjust these services as appropriate to address changes in the Subscriber's web applications, origin services, and configurations of the other aspects of the Subscriber's Fastly services.