Edge WAF deployment using the Fastly control panel

IMPORTANT: This guide only applies to customers with access to the Next-Gen WAF product in the Fastly control panel. If you don't have access to the product in the Fastly control panel, refer to the Next-Gen WAF control panel guides instead.

The Edge WAF deployment method hosts the Next-Gen WAF on Fastly’s Edge Cloud platform via our global network of POPs, integrates with Fastly’s caching layer, and is managed by Fastly. Since security processing happens at the edge, the Next-Gen WAF can inspect all traffic before it enters your origin infrastructure and block attacks close to where they originated. You do not need to make any modifications to your own hosting environment.

Prerequisites

Before setting up an Edge WAF deployment, be sure you have the necessary prerequisites in place.

Limitations and considerations

When enabling the Next-Gen WAF for your services, keep the following in mind:

  • Enabling, disabling, or making changes to Fastly Next-Gen WAF on a service immediately impacts all service versions, including the active one.
  • A service can be linked to a maximum of one workspace. A workspace can be linked to multiple services.
  • Only users assigned the superuser role can enable and configure the Edge WAF deployment for services.

Additionally, if you're deploying the Next-Gen WAF on a CDN service, keep the following in mind:

  • Edge WAF deployment is not compatible with CDN services that use mutual TLS to the origin.
  • Adding the Next-Gen WAF to an existing CDN service counts against the service chain limit.
  • Updates made to your origins in the Fastly control panel are automatically synched to the Edge WAF. This means you never need to manually synchronize your origins.

Setting up the deployment

To deploy the Next-Gen WAF on an existing CDN or Compute service, complete the following steps:

  1. Log in to the Fastly control panel.
  2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain.
  3. Click Service configuration and then Security.

  4. Fill out the following deployment settings on the Next-Gen WAF card:

    • From the Workspace menu, select the workspace that you want to link to the service. If your account only has one workspace, this field is read-only.
    • (CDN services only) In the % of traffic field, enter the percentage of traffic that you want the Next-Gen WAF to inspect. When set to 100, all traffic to your service is inspected. When the value is less than 100, a random sample of the specified percentage is inspected.
  5. Click the Next-Gen WAF switch to the On position.

  6. In the confirmation window, click Update all versions.

  7. (Optional) Use attack tooling to verify that the Next-Gen WAF is monitoring your web application and identifying malicious and anomalous requests.

Configuring the deployment

To update your deployment on a CDN or Compute service, complete the following steps:

  1. Log in to the Fastly control panel.
  2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain.
  3. Click Service configuration and then Security.

  4. Fill out the following deployment settings on the Next-Gen WAF card.

    HINT: If the Next-Gen WAF is already enabled, click the pencil icon to edit the settings and then Submit to save the updated values.

    • From the Workspace menu, select the workspace that you want to link to the service. If your account only has one workspace, this field is read-only.
    • (CDN services only) In the % of traffic field, enter the percentage of traffic that you want the Next-Gen WAF to inspect. When set to 100, all traffic to your service is inspected. When the value is less than 100, a random sample of the specified percentage is inspected.
  5. Set the Next-Gen WAF switch to the On position to enable the Next-Gen WAF for your service or to the Off position to disable the Next-Gen WAF for your service.

  6. In the confirmation window, click Update all versions.

  7. (Optional) Use attack tooling to verify that the Next-Gen WAF is monitoring your web application and identifying malicious and anomalous requests.

Disabling the deployment

To disable Edge WAF deployment for a CDN or Compute service, complete the following steps:

  1. Log in to the Fastly control panel.
  2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain.
  3. Click Service configuration and then Security.
  4. In the Next-Gen WAF card, set the Next-Gen WAF to the Off position.
  5. In the confirmation window, click Update all versions.

Using headers to customize inspection

You can use X-SigSci- headers to force the Next-Gen WAF to inspect requests, to disable inspection, and to skip initial inspection.