---
title: Edge WAF deployment using the Fastly control panel
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/edge-waf-deployment-using-the-fastly-control-panel
---

> **IMPORTANT:** This guide only applies to customers with access to the Next-Gen WAF product in the Fastly control panel. If you don't have access to the product in the Fastly control panel, refer to the [Next-Gen WAF control panel](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/ngwaf-control-panel/) guides instead.

The Edge WAF deployment method hosts the Next-Gen WAF on Fastly’s Edge Cloud platform via our global network of [POPs](https://www.fastly.com/documentation/guides/getting-started/concepts/using-fastlys-global-pop-network), integrates with Fastly’s [caching layer](https://www.fastly.com/documentation/guides/full-site-delivery/fastly-vcl/about-fastly-vcl), and is managed by Fastly. Since security processing happens at the edge, the Next-Gen WAF can inspect all traffic before it enters your origin infrastructure and block attacks close to where they originated. You do not need to make any modifications to your own hosting environment.

## Prerequisites

Before setting up an Edge WAF deployment, be sure you have the necessary [prerequisites](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/getting-started-with-the-edge-waf#prerequisites) in place.

## Limitations and considerations

When enabling the Next-Gen WAF for your services, keep the following in mind:

- Enabling, disabling, or making changes to Fastly Next-Gen WAF on a service immediately impacts all service versions, including the active one.
- A service can be linked to a maximum of one workspace. A [workspace](https://www.fastly.com/documentation/guides/next-gen-waf/managing-sites) can be linked to multiple services.
- Only users assigned the [superuser role](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/about-user-roles-and-permissions) can [enable](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/edge-waf-deployment-using-the-fastly-control-panel#setting-up-the-deployment) and [configure](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/edge-waf-deployment-using-the-fastly-control-panel#configuring-the-deployment) the Edge WAF deployment for services.

Additionally, if you're deploying the Next-Gen WAF on a CDN service, keep the following in mind:

- Edge WAF deployment is not compatible with [CDN services](https://www.fastly.com/documentation/guides/getting-started/services/about-services) that use [mutual TLS](https://docs.fastly.com/products/tls-service-options#mutual-tls-authentication) to the origin.
- Adding the Next-Gen WAF to an existing CDN service counts against the [service chain limit](https://www.fastly.com/documentation/guides/getting-started/services/service-chaining).
- Updates made to your origins in the Fastly control panel are automatically synched to the Edge WAF. This means you never need to manually synchronize your origins.

## Setting up the deployment

### Fastly Control Panel

To deploy the Next-Gen WAF on an existing CDN or Compute service, complete the following steps:

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   From the [**Home**](https://manage.fastly.com/home) page, select the appropriate service. You can use the search box to search by ID, name, or domain.

3. Click **Service configuration** and then **Security**.

4. Fill out the following deployment settings on the Next-Gen WAF card:

   ![Edit Next-Gen WAF deployment settings](/img/ngwaf/edit-ngwaf-deployment.png)

   - From the **Workspace** menu, select the workspace that you want to link to the service. If your account only has one workspace, this field is read-only.
   - (CDN services only) In the **% of traffic** field, enter the percentage of traffic that you want the Next-Gen WAF to inspect. When set to `100`, all traffic to your service is inspected. When the value is less than 100, a random sample of the specified percentage is inspected.

5. Click the **Next-Gen WAF** switch to the **On** position.

6. In the confirmation window, click **Update all versions**.

7. _(Optional)_ [Use attack tooling](https://www.fastly.com/documentation/guides/next-gen-waf/developer/testing-with-attack-tooling) to verify that the Next-Gen WAF is monitoring your web application and identifying malicious and anomalous requests.

### Fastly Products API

> **HINT:** Have a Compute service? Deploy the Next-Gen WAF on your service using the Fastly control panel instructions.

To deploy the Next-Gen WAF on an existing CDN service using the Fastly API, you will need the [Fastly-Key](https://www.fastly.com/documentation/reference/http/http-headers/Fastly-Key/) header for authentication. Your Fastly API key must have write access to the relevant CDN service.

1. Using the curl command line tool, call the [enable a product](https://www.fastly.com/documentation/reference/api/products/ngwaf/#enable-product-ngwaf) API endpoint in a terminal application to enable the Next-Gen WAF on your service and link your service to a workspace:

   ```term copy nolinenums
   $ curl -H "Fastly-Key: ${FASTLY_API_TOKEN}" -H 'Content-Type: application/json' -X PUT \
   -d '{"workspace_id": "${NGWAF_WORKSPACE_ID}"}' \
   "https://api.fastly.com/enabled-products/v1/ngwaf/services/${FASTLY_SERVICE_ID}"
   ```

2. _(Optional)_ Using the curl command line tool, call the [configure a product](https://www.fastly.com/documentation/reference/api/products/ngwaf/#get-product-ngwaf-configuration) API endpoint in a terminal application to change the amount of traffic the Next-Gen WAF inspects. When the value is set to `100`, all traffic (100%) is inspected. When the value is less than `100`, a random sample of the specified percentage is inspected. By default, the Next-Gen WAF inspects all traffic.

   ```term copy nolinenums
   $ curl -H "Fastly-Key: ${FASTLY_API_TOKEN}" -H 'Content-Type: application/json' -X PATCH \
   -d '{"workspace_id": "${NGWAF_WORKSPACE_ID}", "traffic_ramp": 20}' \
   "https://api.fastly.com/enabled-products/v1/ngwaf/services/${FASTLY_SERVICE_ID}/configuration"
   ```

3. _(Optional)_ [Use attack tooling](https://www.fastly.com/documentation/guides/next-gen-waf/developer/testing-with-attack-tooling) to verify that the Next-Gen WAF is monitoring your web application and identifying malicious and anomalous requests.

## Configuring the deployment

### Fastly Control Panel

To update your deployment on a CDN or Compute service, complete the following steps:

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   From the [**Home**](https://manage.fastly.com/home) page, select the appropriate service. You can use the search box to search by ID, name, or domain.

3. Click **Service configuration** and then **Security**.

4. Fill out the following deployment settings on the Next-Gen WAF card.

   > **HINT:** If the Next-Gen WAF is already enabled, click the pencil <span class="inline-icons"><img src="/img/icons/pencil.png" alt="Pencil icon" /></span> to edit the settings and then **Submit** to save the updated values.

   - From the **Workspace** menu, select the workspace that you want to link to the service. If your account only has one workspace, this field is read-only.
   - (CDN services only) In the **% of traffic** field, enter the percent of traffic that you want the Next-Gen WAF to inspect. When set to `100`, all traffic to your service is inspected. When the value is less than 100, a random sample of the specified percentage is inspected.

5. Set the **Next-Gen WAF** switch to the **On** position to enable the Next-Gen WAF for your service or to the **Off** position to disable the Next-Gen WAF for your service.

6. In the confirmation window, click **Update all versions**.

7. _(Optional)_ [Use attack tooling](https://www.fastly.com/documentation/guides/next-gen-waf/developer/testing-with-attack-tooling) to verify that the Next-Gen WAF is monitoring your web application and identifying malicious and anomalous requests.

### Fastly Products API

> **HINT:** Have a Compute service? Configure the deployment using the Fastly control panel instructions.

Using the curl command line tool, call the [configure a product](https://www.fastly.com/documentation/reference/api/products/ngwaf/#get-product-ngwaf-configuration) API endpoint in a terminal application to configure your Edge WAF deployment on a CDN service. The endpoint requires that you include the [Fastly-Key](https://www.fastly.com/documentation/reference/http/http-headers/Fastly-Key/) header for authentication and at least one of the following parameters in the JSON body:

- `workspace_id`: the ID of the workspace that you want to link to the service.
- `traffic_ramp`: the percentage of traffic that the Next-Gen WAF inspects. When the value is set to `100`, all traffic (100%) is inspected. When the value is less than `100`, a random sample of the specified percentage is inspected. By default, the Next-Gen WAF inspects all traffic.

```term copy nolinenums
$ curl -H "Fastly-Key: ${FASTLY_API_TOKEN}" -H 'Content-Type: application/json' -X PATCH \
-d '{"workspace_id": "${NGWAF_WORKSPACE_ID}", "traffic_ramp": 20}' \
"https://api.fastly.com/enabled-products/v1/ngwaf/services/${FASTLY_SERVICE_ID}/configuration"
```

## Disabling the deployment

To disable Edge WAF deployment for a CDN or Compute service, complete the following steps.

### Fastly Control Panel

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   From the [**Home**](https://manage.fastly.com/home) page, select the appropriate service. You can use the search box to search by ID, name, or domain.

3. Click **Service configuration** and then **Security**.
4. In the **Next-Gen WAF** card, set the **Next-Gen WAF** to the **Off** position.
5. In the confirmation window, click **Update all versions**.

### Fastly Products API

To disable Edge WAF deployment for a CDN service using the curl command line tool, call the [disable a product](https://www.fastly.com/documentation/reference/api/products/ngwaf/#disable-product-ngwaf) API endpoint in a terminal application.

> **HINT:** To disable the Next-Gen WAF via the Fastly API, you will need the [Fastly-Key](https://www.fastly.com/documentation/reference/http/http-headers/Fastly-Key/) header for authentication. The Fastly API key must have write access to the relevant service.

```term copy nolinenums
$ curl -H "Fastly-Key: ${FASTLY_API_TOKEN}" -H 'Content-Type: application/json' -X DELETE \
"https://api.fastly.com/enabled-products/v1/ngwaf/services/${FASTLY_SERVICE_ID}"
```

## Using headers to customize inspection

You can use [`X-SigSci-` headers](https://www.fastly.com/documentation/guides/next-gen-waf/developer/x-sigsci-headers#adding-headers-to-customize-inspection-for-edge-waf-deployments) to force the Next-Gen WAF to inspect requests, to disable inspection, and to skip initial inspection.

## Related content

- [Getting started with the Edge WAF](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/getting-started-with-the-edge-waf)
- [Next-Gen WAF enablement API](https://www.fastly.com/documentation/reference/api/products/ngwaf)