---
title: Edge WAF deployment using the Fastly control panel
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/edge-waf-deployment-using-the-fastly-control-panel
---

> **IMPORTANT:** This guide only applies to customers with access to the Next-Gen WAF product in the Fastly control panel. If you don't have access to the product in the Fastly control panel, refer to the [Next-Gen WAF control panel](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/ngwaf-control-panel/) guides instead.

The Edge WAF deployment method hosts the Next-Gen WAF on Fastly’s Edge Cloud platform via our global network of [POPs](https://www.fastly.com/documentation/guides/concepts/pop), integrates with Fastly’s [caching layer](https://www.fastly.com/documentation/guides/full-site-delivery/fastly-vcl/about-fastly-vcl), and is managed by Fastly. Since security processing happens at the edge, the Next-Gen WAF can inspect all traffic before it enters your origin infrastructure and block attacks close to where they originated. You do not need to make any modifications to your own hosting environment.

## Prerequisites

Before setting up an Edge WAF deployment, be sure you have the necessary [prerequisites](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/getting-started-with-the-edge-waf#prerequisites) in place.

## Limitations and considerations

When enabling the Next-Gen WAF for your CDN services, keep the following in mind:

- Enabling, disabling, or making changes to Fastly Next-Gen WAF on a service immediately impacts all service versions, including the active one.
- Access to the Next-Gen WAF in the Fastly control panel is only included for customers on the [Essential platform](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability) who don't have access to the Next-Gen WAF control panel. All other Next-Gen WAF customers can access the product through the Next-Gen WAF control panel.
- Updates made to your origins in the Fastly control panel are automatically synched to the Edge WAF. This means you never need to manually synchronize your origins.
- Edge WAF deployment using the Fastly control panel is only supported for CDN services. To use Edge WAF deployment with Compute services, use the [Next-Gen WAF control panel](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/ngwaf-control-panel/setting-up-edge-waf-deployments-using-the-next-gen-waf-control-panel) instead.
- Edge WAF deployment is not compatible with [CDN services](https://www.fastly.com/documentation/guides/getting-started/services/about-services) that use [mutual TLS](https://docs.fastly.com/products/tls-service-options#mutual-tls-authentication) to the origin.
- Adding the Next-Gen WAF to an existing CDN service counts against the [service chain limit](https://www.fastly.com/documentation/guides/getting-started/services/service-chaining).
- A CDN service can be linked to a maximum of one workspace. A [workspace](https://www.fastly.com/documentation/guides/next-gen-waf/managing-sites) can be linked to multiple CDN services.
- Only users assigned the [superuser role](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/about-user-roles-and-permissions) can [enable](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/edge-waf-deployment-using-the-fastly-control-panel#setting-up-the-deployment) and [configure](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/edge-waf-deployment-using-the-fastly-control-panel#configuring-the-deployment) the Edge WAF deployment for CDN services.

## Setting up the deployment

To deploy the Next-Gen WAF on an existing CDN service, complete the following steps:

### Fastly Control Panel

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   From the [**Home**](https://manage.fastly.com/home) page, select the appropriate service. You can use the search box to search by ID, name, or domain.

3.   Click **Edit configuration** and then select the option to clone the active version.

4. Click **Security**.

5. In the Next-Gen WAF card, click the pencil <span class="inline-icons"><img src="/img/icons/pencil.png" alt="Pencil icon" /></span> to edit the following deployment settings and then click **Submit**:

   ![Edit Next-Gen WAF deployment settings](/img/ngwaf/edit-ngwaf-deployment.png)

   - From the **Workspace** menu, select the workspace that you want to link to the service. If your account only has one workspace, this field is read-only.
   - In the **% of traffic** field, enter the percentage of traffic that you want the Next-Gen WAF to inspect. When set to `100`, all traffic to your service is inspected. When the value is less than 100, a random sample of the specified percentage is inspected.

6. Click the switch to the **On** position.

7. _(Optional)_ [Use attack tooling](https://www.fastly.com/documentation/guides/next-gen-waf/developer/testing-with-attack-tooling) to verify that the Next-Gen WAF is monitoring your web application and identifying malicious and anomalous requests.

### Fastly Products API

> **IMPORTANT:** To deploy the Next-Gen WAF via the Fastly API, you will need the [Fastly-Key](https://www.fastly.com/documentation/reference/http/http-headers/Fastly-Key/) header for authentication. The Fastly API key must have write access to the relevant service.

1. Using the curl command line tool, call the [enable a product](https://www.fastly.com/documentation/reference/api/products/ngwaf/#enable-product-ngwaf) API endpoint in a terminal application to enable the Next-Gen WAF on your service and link your service to a workspace:

   ```term copy nolinenums
   $ curl -H "Fastly-Key: ${FASTLY_API_TOKEN}" -H 'Content-Type: application/json' -X PUT \
   -d '{"workspace_id": "${NGWAF_WORKSPACE_ID}"}' \
   "https://api.fastly.com/enabled-products/v1/ngwaf/services/${FASTLY_SERVICE_ID}"
   ```

2. _(Optional)_ Using the curl command line tool, call the [configure a product](https://www.fastly.com/documentation/reference/api/products/ngwaf/#get-product-ngwaf-configuration) API endpoint in a terminal application to change the amount of traffic the Next-Gen WAF inspects. When the value is set to `100`, all traffic (100%) is inspected. When the value is less than `100`, a random sample of the specified percentage is inspected. By default, the Next-Gen WAF inspects all traffic.

   ```term copy nolinenums
   $ curl -H "Fastly-Key: ${FASTLY_API_TOKEN}" -H 'Content-Type: application/json' -X PATCH \
   -d '{"traffic_ramp": 20}' \
   "https://api.fastly.com/enabled-products/v1/ngwaf/services/${FASTLY_SERVICE_ID}/configuration"
   ```

3. _(Optional)_ [Use attack tooling](https://www.fastly.com/documentation/guides/next-gen-waf/developer/testing-with-attack-tooling) to verify that the Next-Gen WAF is monitoring your web application and identifying malicious and anomalous requests.

## Configuring the deployment

To update your deployment, complete the following steps:

### Fastly Control Panel

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   From the [**Home**](https://manage.fastly.com/home) page, select the appropriate service. You can use the search box to search by ID, name, or domain.

3.   Click **Edit configuration** and then select the option to clone the active version.

4. Click **Security**.

5. In the Next-Gen WAF card, set the switch to the **On** position to enable the Next-Gen WAF for your service or to the **Off** position to disable the Next-Gen WAF for your service.

6. If the Next-Gen WAF is enabled, click the pencil <span class="inline-icons"><img src="/img/icons/pencil.png" alt="Pencil icon" /></span> to edit the following deployment settings and then click **Submit**:

   ![Edit Next-Gen WAF deployment settings](/img/ngwaf/edit-ngwaf-deployment.png)

   - From the **Workspace** menu, select the workspace that you want to link to the service. If your account only has one workspace, this field is read-only.
   - In the **% of traffic** field, enter the percent of traffic that you want the Next-Gen WAF to inspect. When set to `100`, all traffic to your service is inspected. When the value is less than 100, a random sample of the specified percentage is inspected.

7. _(Optional)_ [Use attack tooling](https://www.fastly.com/documentation/guides/next-gen-waf/developer/testing-with-attack-tooling) to verify that the Next-Gen WAF is monitoring your web application and identifying malicious and anomalous requests.

### Fastly Products API

Using the curl command line tool, call the [configure a product](https://www.fastly.com/documentation/reference/api/products/ngwaf/#get-product-ngwaf-configuration) API endpoint in a terminal application to configure your Edge WAF deployment. The endpoint requires that you include the [Fastly-Key](https://www.fastly.com/documentation/reference/http/http-headers/Fastly-Key/) header for authentication and at least one of the following parameters in the JSON body:

- `workspace_id`: the ID of the workspace that you want to link to the service.
- `traffic_ramp`: the percentage of traffic that the Next-Gen WAF inspects. When the value is set to `100`, all traffic (100%) is inspected. When the value is less than `100`, a random sample of the specified percentage is inspected. By default, the Next-Gen WAF inspects all traffic.

```term copy nolinenums
$ curl -H "Fastly-Key: ${FASTLY_API_TOKEN}" -H 'Content-Type: application/json' -X PATCH \
-d '{"workspace_id": "${NGWAF_WORKSPACE_ID}", "traffic_ramp": 20}' \
"https://api.fastly.com/enabled-products/v1/ngwaf/services/${FASTLY_SERVICE_ID}/configuration"
```

## Disabling the deployment

To disable Edge deployment for your service, complete the following steps.

### Fastly Control Panel

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   From the [**Home**](https://manage.fastly.com/home) page, select the appropriate service. You can use the search box to search by ID, name, or domain.

3.   Click **Edit configuration** and then select the option to clone the active version.

4. Click **Security**.
5. In the Next-Gen WAF card, click the switch to the **Off** position.

### Fastly Products API

Using the curl command line tool, call the [disable a product](https://www.fastly.com/documentation/reference/api/products/ngwaf/#disable-product-ngwaf) API endpoint in a terminal application.

> **HINT:** To disable the Next-Gen WAF via the Fastly API, you will need the [Fastly-Key](https://www.fastly.com/documentation/reference/http/http-headers/Fastly-Key/) header for authentication. The Fastly API key must have write access to the relevant service.

```term copy nolinenums
$ curl -H "Fastly-Key: ${FASTLY_API_TOKEN}" -H 'Content-Type: application/json' -X DELETE \
"https://api.fastly.com/enabled-products/v1/ngwaf/services/${FASTLY_SERVICE_ID}"
```

## Using headers to customize inspection

You can use [`X-SigSci-` headers](https://www.fastly.com/documentation/guides/next-gen-waf/developer/x-sigsci-headers#adding-headers-to-customize-inspection-for-edge-waf-deployments) to force the Next-Gen WAF to inspect requests, to disable inspection, and to skip initial inspection.

## Related content

- [Getting started with the Edge WAF](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/getting-started-with-the-edge-waf)
- [Next-Gen WAF enablement API](https://www.fastly.com/documentation/reference/api/products/ngwaf)