Web Application Firewall (WAF) (2020)
Last updated 2020-07-14
On April 30, 2023, the Fastly WAF (WAF Legacy and WAF 2020) will reach its end-of-life date and will no longer be supported for existing customers. As an alternative, the Fastly Next-Gen WAF offers similar functionality as well as additional features. This product is a web application firewall that monitors for suspicious and anomalous web traffic and protects, in real time, against attacks directed at the applications and origin servers that you specify. It can be controlled via the web interface dashboard or application programming interface (API). We encourage you to contact email@example.com or your Fastly account team to evaluate Fastly Next-Gen WAF and begin the transition process.
The Fastly WAF is a Web Application Firewall (WAF) security product that detects malicious request traffic sent over HTTP and HTTPS. Once properly configured and enabled for a service, the Fastly WAF can help protect against application-layer (layer 7) attacks such as SQL injection, cross-site scripting, and HTTP protocol violations.
Enabling Fastly WAF doesn't require modifications to your web application or origin servers. Contact our sales team to get started. Once you purchase the Fastly WAF, our customer support team will enable it with a default WAF policy for any service you've provided a service ID for. They will then work closely with you on additional configuration refinements. Once configured, you can then begin monitoring logs to determine which requests to your origin are legitimate and which you should consider blocking.
All WAF products that exist today, including the Fastly WAF, have several limitations:
- False positives. Any WAF can mistake good traffic for bad. We strongly recommend you monitor your logs for a minimum of two weeks before blocking traffic. You don't want to start blocking traffic with rules that are generating false positives.
- DNS configuration. A WAF only works when traffic is directed through it. It cannot protect against malicious requests that are sent to domain names or IP addresses that are not specified in your WAF configuration.
- Effective rules. A WAF is only as effective as the provisioned and tuned rules. You can add, remove, or modify rule modes using the rule management web interface or the API.
- Custom application vulnerabilities. If attackers discover a vulnerability unique to your application or the technologies you use, and if your WAF configuration does not have a rule to protect against exploits for that particular vulnerability, it will not be able to protect your application in that instance. You can add additional rules to help protect against these types of attacks. If you need more protection than the selected rules provide, customer support can work with you to create custom VCL to help block malicious requests.
- Inspection of HTTP and HTTPS traffic only. A WAF only inspects HTTP or HTTPS requests (layer 7). It will not process any TCP, UDP, or ICMP requests.