Available offers
If you want to subscribe to the Fastly Next-Gen WAF through Upsun, you can choose from two offers:- If you subscribe to the Basic offer, your WAF is fully managed by Upsun.
- If you subscribe to the Basic configurable offer, your WAF is fully managed by Upsun too, but with additional flexibility and visibility provided.
Links to the official Fastly Next-Gen WAF documentation are provided for reference only.
The offers described on this page have been designed specifically for Upsun customers.
Included features may present limitations compared to those advertised by Fastly to their direct customers.
| Capability | Basic offer | Basic configurable offer |
|---|---|---|
| Available modes | Block mode only | Block, not blocking, off modes |
| Default attack signals | Yes | Yes |
| Default anomaly signals | Yes | Yes |
| Virtual patching | No | Yes, in block mode only |
| Default dashboards | No | During quarterly business reviews |
| Custom response codes | No | No |
| Custom signals | No | No |
| Standard API & ATO signals | No | No |
Next-Gen WAF Tier Comparison
Basic
- Block-only mode
- Default attack and anomaly signals enabled
- No virtual patching
- No default dashboards
- No custom signals, response codes, or API/ATO signals
Basic Configurable
- Block, not blocking, and off modes
- Default attack and anomaly signals enabled
- Virtual patching available in block mode
- Default dashboards reviewed during quarterly business reviews
- No custom signals, response codes, or API/ATO signals
How the Fastly Next-Gen WAF Works
The Fastly Next-Gen WAF evaluates incoming requests using a combination of signals, conditions, actions, and thresholds.Signals
Signals classify and tag requests based on observed patterns, such as:- SQL injection attempts
- Cross-site scripting payloads
- Repeated 404 requests
- Known attack signatures
Conditions
Conditions define where and when a rule applies. Examples include:- Specific URL paths
- Request methods
- Geographic origin
- Presence of certain signals
Actions
Actions define what happens when a rule matches (allow/log apply to the configurable offer):- Block the request
- Allow the request
- Log the request for analysis
The Basic Next-Gen WAF offer operates in block-only mode.
Thresholds
Thresholds define volume-based triggers. For example, block if more thanN suspicious requests occur from the same IP within a defined time window to distinguish normal user behaviour from automated probing or attacks.
Virtual Patching
Virtual patches are temporary WAF rules provided by Fastly to block known CVEs at the edge. They:- Protect against specific, identified vulnerabilities
- Buy time while application dependencies are patched
- Do not replace proper application updates
Virtual patching is available only in the Basic Configurable Next-Gen WAF tier.
Scope and Limitations
The Fastly Next-Gen WAF mitigates many common web-based attacks, including parts of the OWASP Top 10. However, it does not replace application-level security. The WAF does not automatically protect against:- Weak authentication or password policies
- Insecure application design
- Business-logic flaws
- All bot or scraper traffic
- All DDoS attack types