
Cloud WAF Instance Management

Updated Aug 10, 2022

Before you begin

To save time before creating a Cloud WAF instance, ensure you have uploaded a TLS certificate. If requests will be coming from Fastly’s Edge, you can use a Fastly-managed TLS certificate instead by disabling uploaded certificates.

Viewing Cloud WAF instances

Cloud WAF instances are created and managed directly in the Signal Sciences console. To view an instance:

  1. Log in to the Signal Sciences console.
  2. From the Corp Manage menu, select Cloud WAF Instances. The Cloud WAF Instances page appears.

The Cloud WAF Instances page provides a summary table that lists all Cloud WAF instances running on your corp, including names, regions, and statuses. You can view additional details about each Cloud WAF instance by clicking the View button to the right of the summary table. Of particular note when viewing these additional details are the DNS entry and Health Check details.

Using health checks

Health checks can be used to assess whether or not the Cloud WAF, or a particular route within the Cloud WAF instance, is up or down. The checks can be used within Fastly or other systems to achieve a redirect failover. There are two methods available for accessing health check endpoints:

  • View the details of your Cloud WAF instance and click the Copy button to the right of the Health Check field. This URL is specific to your Cloud WAF instance and you can use it to make health check HTTPS requests.
  • Make HTTPS requests to the /sigsci-healthcheck path of the fully qualified domain name used in a route for your Cloud WAF instance. For example, if one of your routes uses the domain name example.com, you could make a health check request to https://example.com/sigsci-healthcheck.
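
The sketch below is an added example, not code from Signal Sciences or Fastly: it builds the /sigsci-healthcheck URL for a route's domain and drives a failover decision from repeated probes. The names health_url, probe and FailoverMonitor, the thresholds, and the rule that a 2xx response means "up" are assumptions, since the page does not describe the endpoint's response.

```python
import urllib.error
import urllib.request

HEALTH_PATH = "/sigsci-healthcheck"  # path given in the documentation above


def health_url(route_domain):
    """Build the health check URL for a route's fully qualified domain name."""
    host = route_domain.split("/", 1)[0].strip().lower()
    if not host or "://" in route_domain:
        raise ValueError("expected a bare domain name such as example.com")
    return f"https://{host}{HEALTH_PATH}"


def probe(url, timeout=5.0):
    """Return True on a 2xx answer (assumed to mean 'up'); any error counts as down."""
    try:
        # urlopen verifies the TLS certificate by default, so a bad cert is 'down'.
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (urllib.error.URLError, OSError, ValueError):
        return False


class FailoverMonitor:
    """Fail over after `down_after` straight failures, recover after `up_after` successes."""

    def __init__(self, url, down_after=3, up_after=2, prober=probe):
        self.url, self.prober = url, prober
        self.down_after, self.up_after = down_after, up_after
        self.failed_over = False
        self._streak = 0  # consecutive probe results that contradict the current state

    def tick(self):
        """Run one probe and return True while traffic should use the failover path."""
        healthy = self.prober(self.url)
        contradicts = healthy if self.failed_over else not healthy
        self._streak = self._streak + 1 if contradicts else 0
        threshold = self.up_after if self.failed_over else self.down_after
        if self._streak >= threshold:
            self.failed_over = not self.failed_over
            self._streak = 0
        return self.failed_over
```

Requiring several consecutive results before switching in either direction keeps a single dropped probe from flapping traffic between the Cloud WAF route and the failover path.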

Creating a Cloud WAF instance

Cloud WAF instances contain basic server configuration details and workspace details about the site that those instances will be deployed on. Workspace details specifically include routes information for the paths that requests take from clients to upstream origins.

To create a Cloud WAF instance, follow these steps:

  1. On the Cloud WAF instance list menu page, click Add Cloud WAF Instance. The Cloud WAF instance creation menu page appears.
  2. In the Server configs area, supply the following information:
    • In the Name field, enter a name for the Cloud WAF instance.
    • In the Description field, enter a description for the Cloud WAF instance to make identifying and managing the instance easier.
    • From the Region menu, select the geographic region in which the Cloud WAF instance will be deployed. To minimize latency, select the region geographically closest to the location of your origin. The region can’t be changed after the Cloud WAF instance is provisioned.
    • From the Min TLS version menu, select the minimum TLS version your Cloud WAF instance will use. The minimum TLS version pertains to requests from the client to the Cloud WAF instance. If a request is received with a TLS version lower than the selected minimum TLS version, that request will be dropped.
    • Leave the Use uploaded certificates switch enabled if you uploaded a TLS certificate. If your requests are coming from Fastly’s edge, you can optionally set this to disabled to use a Fastly-owned certificate instead.
  3. In the Workspaces section, enter the following information:
    • From the Site menu, select the Signal Sciences site on which to deploy the Cloud WAF instance.
    • From the Instance location controls, select Direct if the Cloud WAF instance will send traffic directly to the upstream origin. In this mode, the source IP address is read from the X-Forwarded-For header by default. If the Cloud WAF instance will send traffic to a CDN in the path of the upstream origin, select Advanced instead and enter a value for the Client IP header.
    • From the Pass-through protocol controls, select HTTPS only to allow only requests sent over HTTPS through to your origin, or select HTTP and HTTPS to allow requests sent over either HTTP or HTTPS through to your origin.
  4. In the Routes section of the Workspaces area, enter the following information:
    • In the Request field, enter the fully qualified domain name of the property that you’d like to protect with Cloud WAF (e.g., example.com). You may include subdomains and paths. The wildcard asterisk (*) can be used to match an entire single path segment between two forward slashes but cannot be used to match partial strings. For example, www.example.com/foo/*/bar is valid, but www.example.com/foo/foo*/bar is invalid.
    • In the Origin field, enter the origin address of the domain name entered in the Request field. Include the protocol (e.g., https://) as the first part of the origin address even if you’re providing an IP address.
    • From the Certificates to deploy menu, select a TLS certificate associated with the request URI. If the appropriate certificate doesn’t appear in the list, add it by clicking Add certificate and filling out the fields of the window that appears. If you disabled certificate uploads in the Server configs area, this section won’t be configurable.
    • Leave the Pass host header switch disabled if using Server Name Indication (SNI). Enable this setting for the agent to pass the host header to the upstream origin to be used in the TLS handshake. The host header value will take precedence over set values for the host.
    • Leave the Connection pooling switch enabled to allow open TCP connections to the origin to be reused. Disable this setting if open TCP connections should not be reused.
    • Leave the Trust proxy headers switch disabled to have an agent ignore and drop incoming proxy headers. Enable this setting to allow the agent to trust incoming proxy headers (such as the X-Forwarded-For header).
  5. Decide whether or not to add more routes to this site. To add another route to this site, click Add route and an additional Routes section will appear that you can fill out by repeating the above steps.
  6. Decide whether or not to add an additional site for this Cloud WAF instance. To add a route to a different Signal Sciences site, click Add workspace and an additional Workspaces area will appear that you can fill out by repeating the above steps.
  7. Click Create instance to create the Cloud WAF instance. The Cloud WAF Instances page appears with the new Cloud WAF instance listed with a status of “In progress”. Wait a few minutes for the Cloud WAF instance to be deployed, at which point the status will change to “Deployed”.
  8. Click View to the right of the Cloud WAF instance. The details page for that Cloud WAF instance will appear.
  9. Make note of the DNS entry and the egress IP addresses listed. You’ll need this information to create a CNAME record for the DNS entry with your DNS registrar. If your origin is not accessible to the public internet, you will also need to configure your origin to allow access from the egress IP addresses provided.
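
The wildcard rule for the Request field in step 4 can be checked before a route is entered. The following is an added example, not part of the Signal Sciences console or API: validate_route and route_matches are hypothetical helpers, the hostname check follows RFC 1123 labels as an assumption about what the console accepts, and the matcher assumes a route must match the whole path, which the page does not specify.

```python
import re

# Hostname label per RFC 1123 (assumption about what the Request field accepts).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def split_route(route):
    """Split 'host/path' into (host, [path segments]); no scheme is expected."""
    host, _, path = route.partition("/")
    return host.lower(), [seg for seg in path.split("/") if seg]


def validate_route(route):
    """Return a list of problems; an empty list means the pattern is well formed."""
    if "://" in route:
        return ["Request field takes a domain name, not a URL with a scheme"]
    problems = []
    host, segments = split_route(route)
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
        problems.append(f"host {host!r} is not a fully qualified domain name")
    for seg in segments:
        # '*' may stand for one whole segment, never part of one (foo* is invalid).
        if "*" in seg and seg != "*":
            problems.append(f"segment {seg!r}: '*' must be the whole segment")
    return problems


def route_matches(route, host, path):
    """True if host and path match a valid route; '*' matches exactly one segment."""
    if validate_route(route):
        return False
    r_host, r_segs = split_route(route)
    p_segs = [seg for seg in path.split("/") if seg]
    if host.lower() != r_host or len(p_segs) != len(r_segs):
        return False
    return all(r == "*" or r == p for r, p in zip(r_segs, p_segs))


if __name__ == "__main__":
    # The two patterns are the ones quoted in the documentation above.
    for pattern in ("www.example.com/foo/*/bar", "www.example.com/foo/foo*/bar"):
        print(pattern, "->", validate_route(pattern) or "valid")
```

Linting route patterns this way catches a partial-segment wildcard such as foo* before it leaves a path without the intended Cloud WAF route.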

Editing a Cloud WAF instance

  1. On the Cloud WAF Instances page, click View to the right of the Cloud WAF instance. The details page for that Cloud WAF instance appears.

  2. Click Edit Cloud WAF Instance. The Cloud WAF instance configuration page appears.

  3. Make any changes necessary to the Cloud WAF instance.

  4. Click Update instance.

Deleting a Cloud WAF instance

  1. On the Cloud WAF instance list menu page, click View to the right of the Cloud WAF instance. The details page for that Cloud WAF instance appears.

  2. Click Remove Cloud WAF Instance.

  3. Click Delete.