---
title: Configuring site alerts (signal thresholds)
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/thresholds/configuring-site-alerts
---

Site alerts (also known as signal thresholds) are a type of [threshold configuration](https://www.fastly.com/documentation/guides/next-gen-waf/thresholds/about-threshold-configurations/) that you can create to monitor and handle requests from IP addresses that contain specific signals. A site alert (signal threshold) outlines:

- the criteria that must be met for an IP address to be flagged. For example, flag an IP address when there are 25 SQL Injection attack signals in 1 minute.
- how to handle requests from IP addresses that are flagged. You can either log subsequent requests or block subsequent requests containing [attack signals](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals/#attacks) from the IP address.
- how long to block or log subsequent requests from flagged IP addresses.

## Limitations and considerations

When working with site alerts (signal thresholds), keep the following things in mind:

- Accounts are limited to 50 site alerts (signal thresholds) per site (workspace).
- Site alerts (signal thresholds) are considered custom rules for purposes of [packaged entitlement](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability) limitations.
- If you've been assigned an [observer role](https://www.fastly.com/documentation/guides/next-gen-waf/account-info/using-user-roles-and-permissions/) (or the [user or billing role](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/about-user-roles-and-permissions)), you cannot configure site alerts (signal thresholds).
- You can block all requests from IP addresses that have been flagged for events using request rules with the Site Flagged IP (`SITE-FLAGGED-IP`) anomaly signal. However, it is not included with the [Essential or Professional platforms](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability).

## Adding site alerts (signal thresholds)

To create a site alert (signal threshold), follow the instructions for the control panel that you use to access the Next-Gen WAF.

### Next Gen Waf Control Panel

The steps to add a site alert depend on the [platform](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability) or [packaged offering](https://www.fastly.com/package-entitlements/) that you've purchased.

- For the Professional and Premier platforms or a packaged offering, use the **Site Alerts** page.
- For the Essential platform, use the **Signals** page.

### Site Alerts page

If you're on the Professional or Premier platform or have purchased the Security Core, Security Core Plus, or Security Total [packaged offering](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability), complete the following steps:

1.   Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2.   From the **Sites** menu, select a site if you have more than one site.

3. From the **Rules** menu, select **Site Alerts**.

4. Click **Add site alert**.

   ![create a site alert](/img/ngwaf/create-site-alert.png)

5. Fill out the Add form as follows:

   - In the **Long name** field, enter a descriptive name for the alert.
   - From the **Signal** menu, select the signal that the site alert should track.
   - In the **Threshold** field, enter how many requests containing the signal should be detected before the IP address is flagged.
   - From the **Interval** menu, select the number of minutes during which signals from the IP address are counted to determine if the threshold has been met.
   - Under **When an IP hits the threshold**, select whether the alert should log a sample of subsequent requests from the IP address or block subsequent requests containing [attack signals](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals/#attacks) from the IP address. If you selected an [anomaly signal](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals#anomalies) from the **Signal** menu, then you will only be able to log subsequent requests from the IP address.
   - Under **Take action for**, select how long the IP address should be flagged. By default, IP addresses are flagged for 24 hours. You can set a custom duration by selecting **Custom duration** and choosing a duration.
   - Leave the **Notifications** checkbox selected to send an external notification (e.g., email and Slack) when the site alert is triggered. Deselect the checkbox to not send any external notifications.
   - Click the **Status** switch to enable the site alert.

6. Click **Save alert**.

### Signals page

If you're on the Essential platform, complete the following steps:

1.   Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2.   From the **Sites** menu, select a site if you have more than one site.

3. Click the **Signals** tab.

4. On the **Signals** page, click **View** in the row of the CVE signal that you want to enable.

5. Click the **Configuration** tab.

6. Click the **Alerts** tab and then **Add alert**.

7. Fill out the alert fields as follows:

   - In the **Long name** field, enter a descriptive name for the alert.
   - In the **Threshold** field, enter how many requests containing the signal should be detected before the IP address is flagged.
   - From the **Interval** menu, select the number of minutes during which signals from the IP address are counted to determine if the threshold has been met.
   - Under **When an IP hits the threshold**, select whether the alert should log subsequent requests or block subsequent requests containing [attack signals](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals/#attacks) from the IP address. For CVE signals, you can only block subsequent requests.
   - Under **Take action for**, select how long the IP address should be flagged. By default, IP addresses are flagged for 24 hours. You can set a custom duration by selecting **Custom duration** and choosing a duration.
   - Leave the **Notifications** checkbox selected to send an external notification (e.g., email and Slack) when the site alert is triggered. Deselect the checkbox to not send any external notifications.
   - Click the **Status** switch to enable the site alert.

8. Click **Save alert**.

### Fastly Control Panel

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   Go to **Security** > **Next-Gen WAF** > [**Signals**](https://manage.fastly.com/security/ngwaf/signals).

3.   From the workspaces bar, click the menu <span class="inline-icons"><img src="/img/icons/chevron-down.png" alt="Menu icon" /></span> to the right of the workspace name and select a workspace.

4. Click the document icon <span class="inline-icons"><img src="/img/icons/document.png" alt="Document icon" /></span> next to the appropriate signal.

5. Click **Add signal threshold**.

   ![add a signal threshold to the Tor Traffic signal](/img/ngwaf/add-signal-threshold.png)

6. Fill out the **Add signal threshold** form as follows:

   - In the **Name** field, enter a descriptive name for the signal threshold.
   - In the **Threshold** field, enter how many requests containing the signal should be detected before the IP address is flagged.
   - From the **Interval** menu, select the number of minutes during which signals from the IP address are counted to determine if the threshold has been met.
   - Under **When an IP hits the threshold**, select whether the threshold should log a sample of subsequent requests from the IP address or block subsequent requests containing [attack signals](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals/#attacks) from the IP address. If you selected an [anomaly signal](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals#anomalies) from the **Signal** menu, then you will only be able to log subsequent requests from the IP address. If you're on the Essentials platform and selected a CVE signal from the **Signal** menu, you can only block subsequent requests.
   - From the **Duration** menu, select how long the IP address should be flagged. By default, IP addresses are flagged for 24 hours. You can set a custom duration by selecting **Custom** and then setting a duration.
   - Leave the **Notifications** checkbox selected to send an external notification (e.g., email and Slack) when the signal threshold is triggered. Deselect the checkbox to not send any external notifications.
   - Click the **Status** switch to enable the signal threshold.

7. Click **Add signal threshold**.

## Editing site alerts (signal thresholds)

To edit a site alert (signal threshold), follow the instructions for the control panel that you use to access the Next-Gen WAF.

### Next Gen Waf Control Panel

The steps to edit a site alert depend on the [platform](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability) or [packaged offering](https://www.fastly.com/package-entitlements/) that you've purchased.

- For the Professional and Premier platforms or a packaged offering, use the **Site Alerts** page.
- For the Essential platform, use the **Signals** page.

### Site Alerts page

If you're on the Professional or Premier platform or have purchased the Security Core, Security Core Plus, or Security Total [packaged offering](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability), complete the following steps:

1.   Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2.   From the **Sites** menu, select a site if you have more than one site.

3. From the **Rules** menu, select **Site Alerts**.

4. Click the name of the site alert that you want to edit.

5. Click **Edit site alert**.

6. Fill out the Edit form as follows:

   - In the **Long name** field, enter a descriptive name for the alert.
   - From the **Signal** menu, select the signal that the site alert should track.
   - In the **Threshold** field, enter how many requests containing the signal should be detected before the IP address is flagged.
   - From the **Interval** menu, select the number of minutes during which signals from the IP address are counted to determine if the threshold has been met.
   - Under **When an IP hits the threshold**, select whether the alert should log a sample of subsequent requests from the IP address or block subsequent requests containing [attack signals](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals/#attacks) from the IP address. If you selected an [anomaly signal](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals#anomalies) from the **Signal** menu, then you will only be able to log subsequent requests from the IP address.
   - Under **Take action for**, select how long the IP address should be flagged. By default, IP addresses are flagged for 24 hours. You can set a custom duration by selecting **Custom duration** and choosing a duration.
   - Leave the **Notifications** checkbox selected to send an external notification (e.g., email and Slack) when the site alert is triggered. Deselect the checkbox to not send any external notifications.
   - Click the **Status** switch to the **On** position to enable the site alert or the **Off** position to disable the site alert.

7. Click **Save alert**.

### Signals page

If you're on the Essentials platform, complete the following steps:

1.   Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2.   From the **Sites** menu, select a site if you have more than one site.

3. Click the **Signals** tab.

4. On the **Signals** page, click **View** in the row of the CVE signal that you want to enable.

5. Click the **Configuration** tab and then the **Alerts** tab.

6. Click the name of the site alert that you want to modify.

7. Click **Edit alert**.

8. Fill out the alert fields as follows:

   - In the **Long name** field, enter a descriptive name for the alert.
   - In the **Threshold** field, enter how many requests containing the signal should be detected before the IP address is flagged.
   - From the **Interval** menu, select the number of minutes during which signals from the IP address are counted to determine if the threshold has been met.
   - Under **When an IP hits the threshold**, select whether the alert should log subsequent requests or block subsequent requests containing [attack signals](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals/#attacks) from the IP address. For CVE signals, you can only block subsequent requests.
   - Under **Take action for**, select how long the IP address should be flagged. By default, IP addresses are flagged for 24 hours. You can set a custom duration by selecting **Custom duration** and choosing a duration.
   - Leave the **Notifications** checkbox selected to send an external notification (e.g., email and Slack) when the site alert is triggered. Deselect the checkbox to not send any external notifications.
   - Click the **Status** switch to the **On** position to enable the site alert or the **Off** position to disable the site alert.

9. Click **Save alert**.

### Fastly Control Panel

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   Go to **Security** > **Next-Gen WAF** > [**Signals**](https://manage.fastly.com/security/ngwaf/signals).

3.   From the workspaces bar, click the menu <span class="inline-icons"><img src="/img/icons/chevron-down.png" alt="Menu icon" /></span> to the right of the workspace name and select a workspace.

4. Click the document icon <span class="inline-icons"><img src="/img/icons/document.png" alt="Document icon" /></span> next to the appropriate signal.

5. Click the **Configuration** tab and then the **Thresholds** tab.

6. Click the pencil <span class="inline-icons"><img src="/img/icons/pencil.png" alt="Pencil icon" /></span> to the right of the signal threshold that you want to edit.

   ![edit the signal threshold for the Tor Traffic signal](/img/ngwaf/edit-signal-threshold.png)

7. Fill out the **Edit signal threshold** form as follows:

   - In the **Name** field, enter a descriptive name for the signal threshold.
   - In the **Threshold** field, enter how many requests containing the signal should be detected before the IP address is flagged.
   - From the **Interval** menu, select the number of minutes during which signals from the IP address are counted to determine if the threshold has been met.
   - Under **When an IP hits the threshold**, select whether the threshold should log a sample of subsequent requests from the IP address or block subsequent requests containing [attack signals](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals/#attacks) from the IP address. If you selected an [anomaly signal](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals#anomalies) from the **Signal** menu, then you will only be able to log subsequent requests from the IP address. If you're on the Essentials platform and selected a CVE signal from the **Signal** menu, you can only block subsequent requests.
   - From the **Duration** menu, select how long the IP address should be flagged. By default, IP addresses are flagged for 24 hours. You can set a custom duration by selecting **Custom** and then setting a duration.
   - Leave the **Notifications** checkbox selected to send an external notification (e.g., email and Slack) when the signal threshold is triggered. Deselect the checkbox to not send any external notifications.
   - Click the **Status** switch to the **On** position to enable the site alert or the **Off** position to disable the site alert.

8. Click **Update signal threshold**.

## Deleting site alerts (signal thresholds)

To delete a site alert (signal threshold), follow the instructions for the control panel that you use to access the Next-Gen WAF.

### Next Gen Waf Control Panel

The steps to delete a site alert depend on the [platform](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability) or [packaged offering](https://www.fastly.com/package-entitlements/) that you've purchased.

- For the Professional and Premier platforms or a packaged offering, use the **Site Alerts** page.
- For the Essential platform, use the **Signals** page.

### Site Alerts page

If you're on the Professional or Premier  or have purchased the Security Core, Security Core Plus, or Security Total [packaged offering](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability), complete the following steps:

1.   Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2.   From the **Sites** menu, select a site if you have more than one site.

3. From the **Rules** menu, select **Site Alerts**.
4. Click the name of the site alert that you want to delete.
5. Click **Remove site alert** and then **Delete**.

### Signals page

If you're on the Essentials platform, complete the following steps:

1.   Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2.   From the **Sites** menu, select a site if you have more than one site.

3. Click the **Signals** tab.
4. On the **Signals** page, click **View** in the row of relevant signal.
5. Click **Configuration** and then **Alerts**.
6. Click the name of the site alert that you want to delete.
7. Click **Remove alert** and then **Delete**.

### Fastly Control Panel

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   Go to **Security** > **Next-Gen WAF** > [**Signals**](https://manage.fastly.com/security/ngwaf/signals).

3.   From the workspaces bar, click the menu <span class="inline-icons"><img src="/img/icons/chevron-down.png" alt="Menu icon" /></span> to the right of the workspace name and select a workspace.

4. Click the document icon <span class="inline-icons"><img src="/img/icons/document.png" alt="Document icon" /></span> next to the appropriate signal.
5. Click the **Configuration** tab and then the **Thresholds** tab.
6. Click the trash <span class="inline-icons"><img src="/img/icons/trash.png" alt="Trash icon" /></span> next to the signal threshold that you want to delete and then **Delete signal threshold**.

## Related content

- [About threshold configurations](https://www.fastly.com/documentation/guides/next-gen-waf/thresholds/about-threshold-configurations)
- [Using an API with the Next-Gen WAF](https://www.fastly.com/documentation/guides/next-gen-waf/developer/using-an-api-with-the-next-gen-waf)