Virtual patches for CVEs
To help protect your web application against Common Vulnerabilities and Exposures (CVE), you can enable virtual patches. A virtual patch is a pre-constructed rule that targets a specific CVE. Once enabled, requests that meet the virtual patch's criteria are tagged with the appropriate CVE signal and then blocked or logged per your enablement specification. We announce new virtual patches through our Announcements guide.
Working with virtual patches using the Next-Gen WAF control panel
From the Next-Gen WAF control panel, you can enable virtual patches and subscribe to virtual patch release notifications.
Enabling virtual patches
To enable a CVE virtual patch using the Next-Gen WAF control panel, complete the following steps:
- Log in to the Next-Gen WAF control panel.
- From the Sites menu, select a site if you have more than one site.
- From the Site Rules menu, select Templated Rules.
- Click View to the right of the virtual patch rule you want to enable or edit.
- Click Configure and then Add trigger.
- Select the Block requests from an IP immediately if the CVE-YYYY-NNNNN signal is observed checkbox.
- Click Update rule.
Subscribing to virtual patch announcements
To receive an email when we release a new virtual patch, complete the following steps using the Next-Gen WAF control panel:
- Log in to the Next-Gen WAF control panel.
- From the corp navigation bar, click My Profile.
- In the Corp subscriptions section, select the Alert me when a new Virtual Patch for a CVE is available checkbox.
Enabling virtual patches using the Fastly control panel
From the Fastly control panel, you can enable a CVE virtual patch:
- Log in to the Fastly control panel.
- Go to Security > Next-Gen WAF > Workspaces.
- Click the gear next to the workspace that you want to modify.
- Click Virtual patches.
- Use the search bar to find the virtual patch you want to apply, and then click the pencil to the right of the patch.
- From the Status menu, select Enabled.
- (Optional) If your workspace is in blocking mode, choose whether to Block requests or Log requests when the signal is observed.
- Click Update virtual patch.