Cloud WAF instance management
Last updated 2022-12-05
IMPORTANT
This guide only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel. If you have access to the Next-Gen WAF product in the Fastly control panel, you can only deploy the Next-Gen WAF with the Edge WAF deployment method.
Before you begin
To save time before creating a Cloud WAF instance, ensure you have uploaded a TLS certificate. If requests will be coming from Fastly’s Edge, you can use a Fastly-managed TLS certificate instead by disabling uploaded certificates.
Viewing Cloud WAF instances
Cloud WAF instances are created and managed directly in the Next-Gen WAF control panel. To view an instance:
- Log in to the Next-Gen WAF control panel.
- From the Corp Manage menu, select Cloud WAF Instances.
The Cloud WAF Instances page provides a summary table that lists all Cloud WAF instances running on your corp, including names, regions, and statuses. You can view additional details about each Cloud WAF instance by clicking View to the right of the summary table. Of particular note when viewing these additional details are the DNS entry and Health Check details.
Using health checks
Health checks can be used to assess whether or not the Cloud WAF, or a particular route within the Cloud WAF instance, is up or down. The checks can be used within Fastly or other systems to achieve a redirect failover. There are two methods available for accessing health check endpoints:
- View the details of your Cloud WAF instance and click Copy to the right of the Health Check field. This URL is specific to your Cloud WAF instance, and you can use it to make health check HTTPS requests.
- Make HTTPS requests to the /sigsci-healthcheck path of the fully qualified domain name used in a route for your Cloud WAF instance. For example, if one of your routes uses the domain name example.com, you could make a health check request to https://example.com/sigsci-healthcheck.
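The failover use described above, as an added example that is not Fastly's code: it builds the health check URL for a route's domain, probes it over HTTPS with a timeout, and picks the first candidate whose check passes. The page does not state which response means "up", so treating HTTP 200 as healthy and anything else (including timeouts and TLS errors) as down is an assumption; the candidate names and the second URL are constructed.

```python
# Added example, not part of the Fastly documentation or the Next-Gen WAF agent.
# Assumption: an HTTP 200 from /sigsci-healthcheck means the instance or route is up.
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple

HEALTHCHECK_PATH = "/sigsci-healthcheck"  # path documented on the page


def healthcheck_url(route_host: str) -> str:
    """Build the health check URL for the fully qualified domain name used in a route."""
    return f"https://{route_host}{HEALTHCHECK_PATH}"


def probe(url: str, timeout: float = 3.0) -> bool:
    """Return True only if the endpoint answers HTTP 200 within the timeout.

    Any network, TLS, timeout or non-2xx error is reported as 'down' so that a
    failover decision never blocks on a half-working instance.
    """
    req = urllib.request.Request(url, method="GET", headers={"User-Agent": "waf-healthcheck/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except (urllib.error.URLError, OSError):  # HTTPError and socket timeouts are covered
        return False


def select_target(candidates: List[Tuple[str, str]], is_up: Callable[[str], bool]) -> Optional[str]:
    """Return the name of the first candidate whose health check passes, or None.

    candidates is an ordered list of (name, healthcheck_url); is_up is the prober,
    injected so the decision logic can be exercised without network access.
    """
    for name, url in candidates:
        if is_up(url):
            return name
    return None


if __name__ == "__main__":
    # Constructed candidates: example.com is the page's placeholder domain, the
    # standby hostname is made up for this example.
    targets = [
        ("cloud-waf-primary", healthcheck_url("example.com")),
        ("cloud-waf-standby", healthcheck_url("standby.example.com")),
    ]
    chosen = select_target(targets, probe)
    print("route traffic to:", chosen if chosen else "nothing healthy, page the on-call")
```

Keep the probe timeout short: a health checker that waits 30 seconds on a dead instance delays the failover it exists to trigger.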
Creating a Cloud WAF instance
Cloud WAF instances contain basic server configuration details and workspace (also known as site) details about the web application that those instances will be deployed on. Workspace (site) details specifically include routes information for the paths that requests take from clients to upstream origins.
To create a Cloud WAF instance, follow these steps:
- Log in to the Next-Gen WAF control panel.
- From the Corp Manage menu, select Cloud WAF Instances.
- Click Add Cloud WAF Instance.
- In the Server configs area, supply the following information:
- In the Name field, enter a name for the Cloud WAF instance.
- In the Description field, enter a description for the Cloud WAF instance to make identifying and managing the instance easier.
- From the Region menu, select the geographic region in which the Cloud WAF instance will be deployed. To minimize latency, select the region geographically closest to the location of your origin. The region can't be changed after the Cloud WAF instance is provisioned.
- From the Min TLS version menu, select the minimum TLS version your Cloud WAF instance will use. The minimum TLS version pertains to requests from the client to the Cloud WAF instance. If a request is received with a TLS version lower than the selected minimum TLS version, that request will be dropped.
- Leave the Use uploaded certificates switch enabled if you uploaded a TLS certificate. If your requests are coming from Fastly’s edge, you can optionally set this to disabled to use a Fastly-owned certificate instead.
- In the Workspaces section, enter the following information:
- From the Site menu, select the site on which to deploy the Cloud WAF instance.
- From the Instance location controls, select Direct if the Cloud WAF instance will send traffic directly to the upstream origin. In this mode, the source IP address is read from the X-Forwarded-For header by default. If the Cloud WAF instance will send traffic to a CDN in the path of the upstream origin, select Advanced instead and enter a value for the Client IP header.
- From the Pass-through protocol controls, select HTTPS only to allow only requests sent over HTTPS through to your origin, or select HTTP and HTTPS to allow requests sent over either HTTP or HTTPS through to your origin.
- In the Routes section of the Workspaces area, enter the following information:
- In the Request field, enter the fully qualified domain name of the property that you’d like to protect with Cloud WAF (e.g., example.com). You may include subdomains and paths. The wildcard asterisk (*) can be used to match an entire single path segment between two forward slashes but cannot be used to match partial strings. For example, www.example.com/foo/*/bar is valid, but www.example.com/foo/foo*/bar is invalid.
- In the Origin field, enter the origin address of the domain name entered in the Request field. Include the protocol (e.g., https://) as the first part of the origin address even if you're providing an IP address.
- From the Certificates to deploy menu, select a TLS certificate associated with the request URI. If the appropriate certificate doesn't appear in the list, add it by clicking Add certificate and filling out the fields of the window that appears. If you disabled certificate uploads in the Server configs area, this section won't be configurable.
- Leave the Pass host header switch disabled if using Server Name Indication (SNI). Enable this setting for the agent to pass the host header to the upstream origin to be used in the TLS handshake. The host header value will take precedence over set values for the host.
- Leave the Connection pooling switch enabled to allow open TCP connections to the origin to be reused. Disable this setting if open TCP connections should not be reused.
- Leave the Trust proxy headers switch disabled to have the agent ignore and drop incoming proxy headers. Enable this setting to allow the agent to trust incoming proxy headers (such as the X-Forwarded-For header).
- Decide whether or not to add more routes to this site. To add another route to this site, click Add route and an additional Routes section will appear that you can fill out by repeating the above steps.
- Decide whether or not to add an additional site for this Cloud WAF instance. To add a route to a different site, click Add workspace and an additional Workspaces area will appear that you can fill out by repeating the above steps.
- Click Create instance to create the Cloud WAF instance. The Cloud WAF Instances page appears with the new Cloud WAF instance listed with a status of In progress. Wait a few minutes for the Cloud WAF instance to be deployed, at which point the status will change to Deployed.
- Click View to the right of the Cloud WAF instance. The details page for that Cloud WAF instance will appear.
- Make note of the DNS entry and the egress IP addresses listed. You'll need this information to create a CNAME record for the DNS entry with your DNS registrar. If your origin is not accessible to the public internet, you will also need to configure your origin to allow access from the egress IP addresses provided.
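Two of the route settings above have behaviour worth seeing in code: the wildcard rule for the Request field (a * stands for exactly one path segment, never part of one) and the way the client IP is chosen under Direct versus Advanced instance location together with the Trust proxy headers switch. The following is an added example modelling those documented rules; it is not the Next-Gen WAF agent's code. Assumptions it makes are marked in comments: wildcards are only accepted in the path part, a pattern with no path matches every path on its host, segment counts must agree, and when a trusted header carries a comma-separated list the first address is used (the page does not say which entry the agent picks). The header names other than X-Forwarded-For and all IP addresses are constructed.

```python
# Added example modelling the route rules described on the page; not Fastly's code.
from typing import Dict, List, Optional, Tuple

# Constructed list of headers this model treats as "proxy headers" that are dropped
# when Trust proxy headers is disabled (the page names only X-Forwarded-For).
PROXY_HEADERS = ("x-forwarded-for", "x-real-ip", "forwarded", "true-client-ip")


def split_route(pattern: str) -> Tuple[str, List[str]]:
    """Split 'host/seg1/seg2' into (host, [seg1, seg2]); a bare host gives an empty list."""
    host, _, path = pattern.partition("/")
    return host.lower(), [s for s in path.split("/") if s != ""]


def is_valid_route_pattern(pattern: str) -> bool:
    """A '*' may only stand for a whole path segment; 'foo*' style partials are invalid.
    Assumption: wildcards are not accepted in the host part either."""
    host, segments = split_route(pattern)
    if not host or "*" in host:
        return False
    return all(seg == "*" or "*" not in seg for seg in segments)


def route_matches(pattern: str, host: str, path: str) -> bool:
    """Decide whether a request for host/path is covered by a route pattern.
    Assumptions: a pattern without a path matches every path on that host, and
    otherwise the request must have the same number of segments as the pattern."""
    if not is_valid_route_pattern(pattern):
        return False
    p_host, p_segs = split_route(pattern)
    if host.lower() != p_host:
        return False
    if not p_segs:
        return True
    r_segs = [s for s in path.split("/") if s != ""]
    if len(r_segs) != len(p_segs):
        return False
    return all(p == "*" or p == r for p, r in zip(p_segs, r_segs))


def resolve_client_ip(headers: Dict[str, str], peer_ip: str, mode: str,
                      trust_proxy_headers: bool,
                      client_ip_header: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Return (client_ip, headers_to_forward) for a request.

    Trust proxy headers disabled: incoming proxy headers are dropped and the TCP
    peer address is the client IP, so a client cannot pick its own address.
    Trust proxy headers enabled: Direct mode reads X-Forwarded-For; Advanced mode
    (a CDN in front) reads the configured Client IP header. Assumption: the first
    address of a comma-separated value is used.
    """
    if mode not in ("Direct", "Advanced"):
        raise ValueError("mode must be 'Direct' or 'Advanced'")
    if mode == "Advanced" and not client_ip_header:
        raise ValueError("Advanced mode requires a Client IP header name")
    if not trust_proxy_headers:
        kept = {k: v for k, v in headers.items() if k.lower() not in PROXY_HEADERS}
        return peer_ip, kept
    header = "X-Forwarded-For" if mode == "Direct" else client_ip_header
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(header.lower())
    if not value:
        return peer_ip, dict(headers)
    return value.split(",")[0].strip(), dict(headers)


if __name__ == "__main__":
    # Constructed requests; example.com is the page's placeholder domain.
    print(route_matches("www.example.com/foo/*/bar", "www.example.com", "/foo/anything/bar"))  # True
    print(is_valid_route_pattern("www.example.com/foo/foo*/bar"))  # False, partial wildcard
    spoofed = {"X-Forwarded-For": "203.0.113.9", "Host": "example.com"}
    print(resolve_client_ip(spoofed, "198.51.100.7", "Direct", trust_proxy_headers=False))
    print(resolve_client_ip(spoofed, "198.51.100.7", "Direct", trust_proxy_headers=True))
```

The last two calls show why the Trust proxy headers default matters: with the switch disabled the client-supplied X-Forwarded-For is discarded and the peer address 198.51.100.7 is used; with it enabled the header value 203.0.113.9 is taken at face value, which is only appropriate when a trusted CDN or proxy in front of the instance always overwrites that header.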
Editing a Cloud WAF instance
- Log in to the Next-Gen WAF control panel.
- From the Corp Manage menu, select Cloud WAF Instances.
- Click View to the right of the Cloud WAF instance.
- Click Edit Cloud WAF Instance.
- Make any changes necessary to the Cloud WAF instance.
- Click Update instance.
Deleting a Cloud WAF instance
- Log in to the Next-Gen WAF control panel.
- From the Corp Manage menu, select Cloud WAF Instances.
- Click View to the right of the Cloud WAF instance.
- Click Remove Cloud WAF Instance.
- Click Delete.