Datasheet

Fastly Next-Gen WAF edge deployment

The Fastly Next-Gen WAF’s patented approach to detection and blocking provides broad, highly accurate protection without required tuning.

Fastly’s Next-Gen WAF is the most flexibly deployed on the market and offers the ability to deploy on-premises, in any cloud, at the Fastly edge, or a hybrid of these. While we can secure apps wherever they live, organizations favor edge deployment for four main reasons: faster deployment and maintenance, threat mitigation away from their origin, inherent DDoS (distributed denial of service) protection, and the ability to scale security capabilities and beyond without adding unnecessary latency (image 1).

Image 1: Fastly edge deployment architecture

Fast deployment and simplified maintenance

Fastly’s edge deployment is ideal if you’re unable to install software on existing infrastructure. It takes just minutes and only requires an API call to route traffic through the Fastly network and enable WAF inspection. Edge deployment also reduces ongoing maintenance as all updates happen automatically without downtime.

Threat mitigation further from business-critical infrastructure

Fastly’s edge refers to our globally distributed network of 100+ modern servers, or points of presence (POPs). With Tier 1 transit and solid-state drive (SSD)-powered servers, we’ve built a modern network that requires less hardware to deliver comprehensive global reach (image 2). 

Network Map as of 7-22-24

Image 2: Fastly network map as of July 2024

By deploying the Next-Gen WAF at the edge, you scan and fight malicious requests at Fastly’s servers instead of your origin infrastructure. Depending on your architecture, fighting malicious threats away from origin can have one of two additional benefits. For customers working primarily on-prem, deploying at the edge reduces the computational load on origin infrastructure, limiting any impact on your machines and their limited resources. For customers deployed in the cloud, it likely offers cost savings as malicious requests aren’t processed by your origin, reducing inflated traffic bills.

Automatic DDoS protection

Deploying at the edge comes with our network’s built-in security and DDoS mitigation benefits (image 3). 

Image 3: Fastly’s platform DDoS protection

With 330+ Tbps of global capacity as of June 30, 2024, Fastly’s network absorbs malicious volumetric Layer 3/4 traffic to stop common attacks like Network Time Protocol (NTP), Domain Name System (DNS), and other amplification/reflection attacks. We’ve also built platform security features to dynamically reduce unwanted traffic at Layer 7:

  • Fastly only transits relevant traffic and automatically drops any non-HTTP/HTTPS traffic before it hits your services.

  • Fastly uses proprietary techniques to intelligently stop massive Layer 7 DDoS attacks. When hit with complicated attacks, our attribute unmasking techniques rapidly extract accurate fingerprints from the network traffic for mitigation. This process ingests the metadata from inbound requests on our network and considers the traffic’s characteristics like Layer 3 and Layer 4 headers, TLS info, Layer 7 details, and more. Borrowing concepts from AI, it systematically extracts the elements that match the shape and volume of traffic with the volume of the attack to identify the optimal fingerprint and begin mitigation.

The robust infrastructure you gain by deploying at the edge enables you to scale your traffic capacity instantly and on demand, even during peak traffic events like product launches, viral marketing campaigns, or volumetric attacks.

Granular traffic control

All edge deployments have access to their subset of our network’s underlying Varnish Configuration Language (VCL). VCL is the domain-specific language Fastly uses to automatically define how incoming requests and outgoing responses are accessed, cached, and delivered. Customizable VCL provides fine-grained control and empowers your developers to optimize performance and achieve bespoke security outcomes.

Scale without performance impacts

All Fastly products run on every POP, offering consistent capabilities across the network. This means you can deploy the Next-Gen WAF and other Fastly products like Bot Management, Edge Rate Limiting, real-time caching, load balancing, origin shielding, or TLS encryption in one location, minimizing latency and ensuring a robust security posture without compromising user experience.

Fastly products like our Content Delivery Network (CDN) and Compute typically sit under NetOps and DevOps, respectively, but running them on Fastly’s platform offers integrated insights for teams and better economies of scale for procurement. Running additional products on Fastly’s platform also enables synergies between teams to emerge as they gain visibility into shared data and additional capabilities to manage traffic spikes, or custom code at the edge for security and beyond.

Deploy your Next-Gen WAF at Fastly’s edge

While Fastly’s Next-Gen WAF can deploy anywhere you need it, deploying at the edge is impactful for security teams and beyond. Contact us to learn more and schedule a proof of concept.
