---
title: Virtual patches for CVEs
summary: null
url: >-
https://www.fastly.com/documentation/guides/next-gen-waf/virtual-patches-for-cves
---
To help protect your web application against [Common Vulnerabilities and Exposures](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (CVE), you can enable virtual patches. A virtual patch is a pre-constructed rule that targets a specific CVE. Once enabled, requests that meet the virtual patch's criteria are tagged with the appropriate CVE signal and then blocked or logged per your enablement specification. We announce new virtual patches through our [changelog](https://www.fastly.com/documentation/reference/changes/ngwaf-announcements) guide.
## Working with virtual patches using the Next-Gen WAF control panel
From the Next-Gen WAF control panel, you can enable virtual patches and subscribe to virtual patch release notifications.
### Enabling virtual patches
The steps to enable a CVE virtual patch depend on the [platform](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability) or [packaged offering](https://www.fastly.com/package-entitlements/) that you've purchased.
### Professional and Premier platforms or packaged offerings
If you're on the Professional or Premier platform or have purchased the Security Core, Security Core Plus, or Security Total packaged offering, complete the following steps:
1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).
2. From the **Sites** menu, select a site if you have more than one site.
3. From the **Rules** menu, select **Templated Rules**.
4. Click **View** to the right of the virtual patch rule you want to enable or edit.
5. Click **Configure** and then **Add trigger**.
6. Select the **Block requests from an IP immediately if the CVE-YYYY-NNNNN signal is observed** checkbox.
7. Click **Update rule**.
### Essential platform
If you're on the Essential platform, complete the following steps:
1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).
2. From the **Sites** menu, select a site if you have more than one site.
3. Click the **Signals** tab.
4. Click **View** in the row of the CVE signal that you want to enable.
5. Click the **Detections** tab and then **Add detection**.
6. Verify the switch is set to **Enabled**.
7. Click **Create detection**.
8. Click the **Alerts** tab and then **Add alert**.
9. In the **Status** area, set the switch to **Enabled**.
10. Click **Save alert**.
### Subscribing to virtual patch announcements
To receive an email when we release a new virtual patch, complete the following steps using the Next-Gen WAF control panel:
1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).
2. From the corp navigation bar, click **My Profile**.
3. In the **Corp subscriptions** section, select the **Alert me when a new Virtual Patch for a CVE is available ** checkbox.
## Enabling virtual patches using the Fastly control panel
From the Fastly control panel, you can enable a CVE virtual patch:
1. Log in to the [Fastly control panel](https://manage.fastly.com).
2. Go to **Security** > **Next-Gen WAF** > [**Workspaces**](https://manage.fastly.com/security/ngwaf/workspaces).
3. Click the gear 
next to the workspace that you want to modify.
4. Click **Virtual patches**.
5. Use the search bar to find the virtual patch you want to apply, and then click the pencil 
to the right of the patch.
6. From the **Status** menu, select **Enabled**.
7. _(Optional)_ If your workspace is in blocking mode, choose whether to **Block requests** or **Log requests** when the signal is observed.
8. Click **Update virtual patch**.
## Related content
- [Configuring system signals](https://www.fastly.com/documentation/guides/next-gen-waf/signals/configuring-system-signals)