---
title: About deploying the Next-Gen WAF
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf
---

To deploy the Next-Gen WAF, you need to integrate the Next-Gen WAF product into your request flow by:

1. [Choosing](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#choosing-a-deployment-method) a deployment method. A deployment method outlines how the integration is set up. All of our deployment methods rely on the same [architecture components](https://www.fastly.com/documentation/guides/next-gen-waf/getting-started/about-the-architecture) but differ in where they are hosted (e.g., Fastly’s Edge Cloud platform or the customer's local environment) and in who maintains the active deployment.

   > **HINT:** You can use more than one deployment method. For example, you may want to use the [Edge WAF](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#about-edge-waf-deployment) deployment method to protect your web applications that are behind the Fastly CDN and the [On-Prem WAF](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#about-on-prem-waf-deployment) deployment method for your other web applications.

2. Setting up your deployment by following the [appropriate guide](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration) for your selected deployment method.

3. _(Optional)_ [Using attack tooling](https://www.fastly.com/documentation/guides/next-gen-waf/developer/testing-with-attack-tooling) to verify that the Next-Gen WAF is monitoring your web application and identifying malicious and anomalous requests.

## Before you begin

The Next-Gen WAF can be [purchased for an account](https://docs.fastly.com/products/fastly-next-gen-waf) by contacting [sales@fastly.com](mailto:sales@fastly.com). Once purchased, our staff will create a Next-Gen WAF corp (account) and at least one site (workspace) for your use when you log in.

## Choosing a deployment method

The key differences between our deployment methods are where the deployment is located and who maintains the deployment.

| Deployment method | Location | Fastly managed | Customer managed |
| ----------------- | -------- | -------------- | ---------------- |
| [Edge WAF](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#about-edge-waf-deployment) | Fastly’s Edge Cloud platform via our global network of [POPs](https://www.fastly.com/documentation/guides/concepts/pop) | ✔ | |
| [On-Prem WAF](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#about-on-prem-waf-deployment) | Customer's local environment | | ✔ |
| [PaaS](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#about-platform-as-a-service-paas-deployment) | Supported [vendor platform](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/paas/paas-install-intro) | | ✔ |
| [A10 Networks](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#about-embedded-service-deployment-with-a10-networks) | A10 Networks | | ✔ |
| [Cloud WAF](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#about-cloud-waf-deployment) | Fastly’s cloud infrastructure | ✔ | |

### About Edge WAF deployment

The [Edge WAF deployment method](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/getting-started-with-the-edge-waf) hosts the Next-Gen WAF on Fastly’s Edge Cloud platform via our global network of [POPs](https://www.fastly.com/documentation/guides/concepts/pop) and integrates with Fastly’s caching layer, [Varnish](https://www.fastly.com/documentation/guides/full-site-delivery/fastly-vcl/about-fastly-vcl). Since security processing happens at the edge, the Next-Gen WAF can inspect all traffic before it enters your origin infrastructure and block attacks close to where they originated. The sequence diagram below shows the Edge WAF request flow, which we explain in greater detail in our [How the Edge WAF works](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/how-the-edge-waf-works) guide. To use this option, you must have a [Fastly delivery account](https://www.fastly.com/documentation/guides/account-info/billing/account-types).

![Sequence diagram showing the Edge WAF request flow between the web client, Fastly service, Edge WAF, and origin. The flow begins with the client request to the Fastly service, which searches the cache for the requested objects. If the objects are found (cache hit path), the service returns the cached response directly to the client. If the objects aren't found (cache miss path), the service forwards the request to the Edge WAF for inspection. If the request is malicious, the Edge WAF blocks it and returns a block response via the Fastly service to the client. If the request is legitimate, the Edge WAF allows the request to continue to the origin. For allowed requests, the origin generates a response, which gets sent to the Edge WAF and Fastly service for final processing before getting delivered to the client.](/img/ngwaf/request-flow-for-edge-waf.png)

### About On-Prem WAF deployment

The On-Prem WAF (formerly known as Core WAF) deployment method hosts the Next-Gen WAF directly in your local environment, which means you are responsible for managing the deployment. By deploying at your origin core, you can inspect traffic regardless of the path it took to reach your origin infrastructure. This means that you can inspect east-west traffic that hops from one internal server to another within the client origin.

This method includes both [module-agent](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/about-module-agent-deployment) and [reverse proxy](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/reverse-proxy-deployment/about-reverse-proxy-deployment) deployment options.

| Deployment option | Components you must install                                      | Considerations                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| ----------------- | ---------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Module-agent      | <ul><li>Next-Gen WAF module</li><li>Next-Gen WAF agent</li></ul> | <ul><li>This option has a fail-open design, meaning the module verifies agent availability and allows all traffic when the agent is down.</li><li>The module hooks into the request mechanism on your environment, so you don’t need to change how you're handling TLS termination.</li><li>The module can exist as a [plugin to your web server](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/about-module-agent-deployment#web-server-module-options) or be deployed [at the application layer](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/about-module-agent-deployment#language-and-framework-specific-module-rasp-options).</li><li>The only Next-Gen WAF module variation that supports WebSocket inspection is the [NGINX dynamic module](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/nginx-module/about-the-nginx-module#choosing-an-nginx-module-variation). </li></ul> |
| Reverse proxy     | Next-Gen WAF agent                                               | <ul><li>This option has a fail-close design, meaning all traffic is blocked when the agent is down.</li><li>This option does not require you to make modifications to your web server or code, which is helpful for old and fragile environments.</li><li>The agent performs the role of both the [module and agent components](https://www.fastly.com/documentation/guides/next-gen-waf/getting-started/about-the-architecture).</li><li>This option supports WebSocket inspection.</li></ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
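
The fail-open and fail-close designs in the table above, modeled as an added example (not Fastly's code): the same traffic is replayed through each option while the agent is unreachable, and the tally shows what reaches the backend. The function names, the traffic, and the `attack` flag that stands in for real detection are all constructed for illustration.

```python
from collections import Counter


class AgentDown(Exception):
    """Raised when the modeled agent cannot be reached."""


def make_agent(down_from, down_until):
    """Modeled agent that is unreachable for down_from <= t < down_until."""
    def inspect(t, request):
        if down_from <= t < down_until:
            raise AgentDown()
        # Constructed stand-in for detection: the request carries its own label.
        return "block" if request["attack"] else "allow"
    return inspect


def module_agent(t, request, inspect):
    """Fail-open: the module allows all traffic when the agent is down."""
    try:
        decision = inspect(t, request)
    except AgentDown:
        return "passed_uninspected"
    return "blocked" if decision == "block" else "served"


def reverse_proxy(t, request, inspect):
    """Fail-close: the agent is the proxy, so nothing passes when it is down."""
    try:
        decision = inspect(t, request)
    except AgentDown:
        return "refused"
    return "blocked" if decision == "block" else "served"


def replay(handler, traffic, inspect):
    """Return (outcome tally, number of attack requests that reached the backend)."""
    tally = Counter()
    attacks_at_backend = 0
    for t, request in traffic:
        outcome = handler(t, request, inspect)
        tally[outcome] += 1
        if request["attack"] and outcome in ("served", "passed_uninspected"):
            attacks_at_backend += 1
    return dict(tally), attacks_at_backend


# Constructed traffic: one request per tick, every third request is an attack.
TRAFFIC = [(t, {"path": "/login", "attack": t % 3 == 0}) for t in range(12)]
# Constructed outage: the agent is unreachable during ticks 4 through 7.
AGENT = make_agent(down_from=4, down_until=8)

if __name__ == "__main__":
    for name, handler in (("module-agent", module_agent),
                          ("reverse proxy", reverse_proxy)):
        print(name, replay(handler, TRAFFIC, AGENT))
```

In both designs the outage is the event to alert on: with module-agent it means uninspected traffic is reaching the backend, and with reverse proxy it means legitimate requests are being refused.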

### Module-agent with traffic management layer

The sequence diagram below shows the request flow for a module-agent deployment where the module exists as a plugin to your web server.

![Sequence diagram showing the module-agent request flow, where the module exists as a plugin to your web server. The request flow is between the web client, traffic management layer and Next-Gen WAF module, Next-Gen WAF agent, and backend application. The flow begins with the client request to the traffic management layer and module, which forward the request to the agent for inspection. The agent then sends a decision back. If the decision is block, the traffic management layer and module return a block response to the client. If the decision is allow, the traffic management layer and module forward the request to the backend application. The backend application generates a response and sends it to the traffic management layer and module. The traffic management layer and module deliver the response to the client and forward the response to the agent.](/img/ngwaf/request-flow-for-traffic-management-layer.png)

### Module-agent with application layer

The sequence diagram below shows the request flow for a module-agent deployment where the module is deployed at the application layer.

![Sequence diagram showing the module-agent request flow, where the module is deployed at the application layer. The request flow is between the web client, application layer and Next-Gen WAF module, and Next-Gen WAF agent. The flow begins with the client request to the application layer and module, which forward the request to the agent for inspection. The agent analyzes the request and returns its decision to the application layer and module. If the decision is block, the application layer and module return a block response to the client. If the decision is allow, the application layer and module return an allow response to the client and forward the response to the agent.](/img/ngwaf/request-flow-for-application-layer.png)

### Reverse proxy

The sequence diagram below shows the request flow for a reverse proxy deployment.

![Sequence diagram showing the reverse proxy request flow between the web client, Next-Gen WAF agent, and origin. The flow begins with the client request to the agent, which inspects the request. If the request is malicious, the agent returns a block response to the client. If the request is legitimate, the agent allows the request to continue to the origin. The origin generates a response, which gets sent to the agent and then the client.](/img/ngwaf/request-flow-for-reverse-proxy.png)

#### About Kubernetes deployment patterns

The On-Prem WAF deployment method supports multiple deployment patterns in Kubernetes. For the Next-Gen WAF to work in Kubernetes, you will need to customize configurations. Our [documentation](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/kubernetes/kubernetes-intro) provides several examples of Kubernetes deployments that use the Docker sidecar container pattern.

### About Platform as a Service (PaaS) deployment

You can deploy the Next-Gen WAF product within a [supported vendor platform](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/paas/paas-install-intro) by embedding the Next-Gen WAF agent within the selected platform. The sequence diagram below shows the request flow for a PaaS deployment.

![Sequence diagram showing the PaaS request flow between the web client, Next-Gen WAF agent, and PaaS. The flow begins with the client request to the agent, which inspects the request. If the request is malicious, the agent returns a block response to the client. If the request is legitimate, the agent allows the request to continue to the PaaS. The PaaS generates a response, which gets sent to the agent and then the client.](/img/ngwaf/request-flow-for-paas.png)

> **NOTE:** 
>
> Fastly services interoperate with non-Fastly services only when you configure them that way. We do not provide direct support for non-Fastly services. Software or services that enable integration with non-Fastly services (such as plug-ins, extensions, and add-ons) are available under their own terms. Read Fastly's [Terms of Service](https://www.fastly.com/terms) for more information.

### About embedded service deployment with A10 Networks

> **IMPORTANT:** This deployment option requires an A10 feature license for activation.

The Next-Gen WAF can be deployed as an embedded service with [A10 Networks](https://www.a10networks.com/products/a10-next-gen-waf/) on select A10 Thunder and vThunder application delivery controller (ADC) form factors. A10 Networks provides support for A10 deployments. To learn more about the A10 ADC Next-Gen WAF deployment option, contact your Fastly account manager or email our [Sales team](mailto:sales@fastly.com).

> **NOTE:** 
>
> Fastly services interoperate with non-Fastly services only when you configure them that way. We do not provide direct support for non-Fastly services. Software or services that enable integration with non-Fastly services (such as plug-ins, extensions, and add-ons) are available under their own terms. Read Fastly's [Terms of Service](https://www.fastly.com/terms) for more information.

### About Cloud WAF deployment

> **IMPORTANT:** 
>
> Only Next-Gen WAF customers with access to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net) can use this solution.

The [Cloud WAF](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/cloud-waf/cloud-waf-overview) deployment method hosts the Next-Gen WAF on Fastly’s cloud infrastructure and consists of several Cloud WAF instances. Each instance is made up of a load balancer along with at least three [Next-Gen WAF agents](https://www.fastly.com/documentation/guides/next-gen-waf/getting-started/about-the-architecture#about-the-agent), each operating in reverse proxy mode and installed on separate redundant machines. The sequence diagram below shows the request flow for a Cloud WAF deployment.

![Sequence diagram showing the Cloud WAF request flow between the web client, Next-Gen WAF agent, and origin. The flow begins with the client request to the agent, which inspects the request. If the request is malicious, the agent returns a block response to the client. If the request is legitimate, the agent allows the request to continue to the origin. The origin generates a response, which gets sent to the agent and then the client.](/img/ngwaf/request-flow-for-cloud-waf.png)

To use the Cloud WAF deployment method, you must upload a TLS certificate, add an origin server using the Next-Gen WAF control panel, and update your DNS records to point to the appropriate servers.

## What's next

After setting up your deployment, the Next-Gen WAF will immediately start monitoring traffic to your website, detecting requests with [malicious and anomalous payloads](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals), and populating [request data](https://www.fastly.com/documentation/guides/next-gen-waf/data-storage-and-privacy/about-data-storage-and-privacy) to the control panel you use to access the Next-Gen WAF. To ensure legitimate traffic isn’t blocked, the Next-Gen WAF allows all requests initially.

To start blocking malicious traffic, set the [Agent mode](https://www.fastly.com/documentation/guides/next-gen-waf/about-the-agent-mode) (Protection mode) setting to `Blocking`. You can also create [rules](https://www.fastly.com/documentation/guides/next-gen-waf/rules/about-rules) to adjust the protection of your website and make sure the Next-Gen WAF blocks and allows the correct traffic.

## Related content

- [Next-Gen WAF architecture](https://www.fastly.com/documentation/guides/next-gen-waf/getting-started/about-the-architecture)
- [Deployment types](https://docs.fastly.com/products/fastly-next-gen-waf#deployment-types)
