Virtual patches for CVEs

To help protect your web application against Common Vulnerabilities and Exposures (CVEs), you can enable virtual patches. A virtual patch is a pre-constructed rule that targets a specific CVE. Once a virtual patch is enabled, requests that match its criteria are tagged with the corresponding CVE signal and then blocked or logged, depending on how you configured the patch. We announce new virtual patches through our Announcements guide.

Working with virtual patches using the Next-Gen WAF control panel

From the Next-Gen WAF control panel, you can enable virtual patches and subscribe to virtual patch release notifications.

Enabling virtual patches

To enable a CVE virtual patch using the Next-Gen WAF control panel, complete the following steps:

  1. Log in to the Next-Gen WAF control panel.

  2. From the Sites menu, select a site if you have more than one site.

  3. From the Site Rules menu, select Templated Rules.
  4. Click View to the right of the virtual patch rule you want to enable or edit.
  5. Click Configure and then Add trigger.
  6. Select the Block requests from an IP immediately if the CVE-YYYY-NNNNN signal is observed checkbox.
  7. Click Update rule.

Subscribing to virtual patch announcements

To receive an email when we release a new virtual patch, complete the following steps using the Next-Gen WAF control panel:

  1. Log in to the Next-Gen WAF control panel.

  2. From the corp navigation bar, click My Profile.
  3. In the Corp subscriptions section, select the Alert me when a new Virtual Patch for a CVE is available checkbox.

Enabling virtual patches using the Fastly control panel

From the Fastly control panel, you can enable a CVE virtual patch:

  1. Log in to the Fastly control panel.

  2. Go to Security > Next-Gen WAF > Workspaces.

  3. Click the gear icon next to the workspace that you want to modify.

  4. Click Virtual patches.

  5. Use the search bar to find the virtual patch you want to apply, and then click the pencil icon to the right of the patch.

    The form to enable the CVE-2024-34102 virtual patch in blocking mode

  6. From the Status menu, select Enabled.

  7. (Optional) If your workspace is in blocking mode, choose whether to Block requests or Log requests when the signal is observed.

  8. Click Update virtual patch.