Fastly Next-Gen WAF
The Fastly Next-Gen WAF provides advanced protection for your applications, APIs, and microservices, wherever they live, from a single unified solution.
The Fastly Next-Gen Web Application Firewall (WAF) takes a fundamentally different approach to application security, enabling increased protection without tuning, deployment anywhere you need, and industry-leading time-to-value.
Get protection that goes beyond OWASP Top 10 injection-style web attacks. Gain coverage against advanced threats, including account takeover (ATO) via credential stuffing, malicious bots, API abuse, and more — all in one solution.
Reporting and alerting feedback loops provide Layer 7 visibility across your entire app and API footprint. Integrations with DevOps and security toolchains encourage the sharing and correlation of data and help simplify automation, both decreasing security risks and speeding up CI/CD.
Fastly offers the most flexibly deployed WAF on the market and can protect your apps and APIs wherever they are with one integrated solution offering the same level of visibility and actionable insights and alerts.
Features
Traditional WAFs rely on regex pattern-matching rules that are difficult to manage and require constant tuning to avoid false positives that block legitimate traffic. Fastly’s Next-Gen WAF effectively detects and blocks malicious traffic without tuning, so your AppSec teams can focus on bigger problems. Easily use sophisticated techniques like deception to frustrate attackers without custom development.
Our Next-Gen WAF uses SmartParse, a highly accurate detection method, to evaluate the context of each request and how it would execute, to determine if there are malicious or anomalous payloads in requests. SmartParse enables near-zero tuning and the ability to start detecting threats immediately.
NLX is a trusted IP reputation feed based on anonymized, confirmed malicious activity collected from tens of thousands of our customers’ distributed software agents. It uniquely recognizes attack patterns across our customer network, then alerts upon and preemptively defends your web apps and APIs.
Designed for maximum deployment flexibility, our hybrid SaaS WAF quickly installs via an agent-module software pair or via edge or cloud-based options that require no software installation. With our A10 Networks partnership, you can deploy the Next-Gen WAF through Thunder ADC for efficient protection powered by high-performance hardware and virtual platforms.
Fastly’s industry-leading web application and API protection (WAAP) solution provides real-time visibility and highly effective security for:
Protect against both classic OWASP Top 10 attacks and advanced web attacks.
Stop API abuse by monitoring for unexpected values and parameters submitted by endpoints and blocking unauthorized requests. Fastly can detect and block attacks in SOAP, REST, gRPC, WebSockets, and GraphQL APIs. Learn more about our GraphQL Inspection.
Prevent bad bots from performing malicious actions against your websites and APIs by identifying and mitigating them before they can negatively impact your bottom line or your user experience.
Block account takeover (ATO) attacks by inspecting web requests and correlating anomalous activity with malicious intent.
Prevent malicious automated traffic that aims to overwhelm or abuse your apps so they are unavailable. When defined traffic thresholds for key application functions are met, we automatically block the abusive traffic.
Stop malicious and anomalous high-volume web requests, reduce web server and API utilization, and let legitimate traffic through to application and API endpoints with our advanced rate limiting features.
Key Facts
90%: customers in full blocking mode
90k+: App deployments protected
100+: Cloud-native and datacenter platforms supported

Fastly is the only vendor to be named a Customers’ Choice for Web Application and API Protection seven years in a row. See why Fastly is one of the highest-rated vendors.
Learn how the next generation of application security vendors have adapted to overcome the shortfalls of legacy WAFs
Discover how Fastly's web application and API protection (WAAP) solutions delivered a 235% ROI and $4.23M in net benefits over three years.
Learn why companies are leaving their outdated security tools behind and are relying on the Fastly Next-Gen WAF to protect their websites, apps, and APIs.
The key to our reliable, accurate decisions lies in our patented architecture and proprietary detection technology, SmartParse. Learn how SmartParse makes instantaneous decisions in line to determine if malicious or anomalous payloads are present.
Network Learning Exchange (NLX) is a collective threat feed built into our Next-Gen WAF that identifies and shares potentially threatening IP addresses across our customer networks. The shared threat data fosters a network effect, where the collective intelligence of all customers contributes to stronger security for each organization.

Stay ahead of web application threats with Fastly’s most complete security coverage offering. Expert protection, 24/7 peace of mind.

Dive into the OWASP Top 10 web application security risks with helpful insights, examples, and strategies.
A Web Application Firewall (WAF) is a specialized security solution that shields a web application from the internet, safeguarding the server by detecting and blocking malicious HTTP and HTTPS traffic to and from a web service.
WAFs often function as reverse proxies between the internet and protected web applications. However, you can also deploy WAFs in various configurations, including inline, cloud-based, or on-premises, to suit specific security requirements. Regardless of the deployment method, a WAF inspects all incoming traffic before it reaches application servers, creating a protective shield against potential threats.
WAFs don’t protect against all types of threats and attacks; instead, they are one crucial element of a wider suite of tools used to protect websites and apps. The rules that determine which traffic is deemed safe and which is malicious (in other words, what kind of traffic a WAF will allow or block) are called “policies.”
1) Cloud-based WAFs: Cloud-based WAFs, hosted by vendors, offer a convenient and quick way to provide WAF protection.
2) Edge deployment: Edge deployment positions the WAF at the edge of a content delivery network (CDN) or closer to the traffic origin. This strategic placement blocks threats before they reach the network, providing an additional security layer.
3) Hybrid WAFs: Hybrid WAFs combine on-premises and cloud-based deployments, providing visibility into web requests directed at apps and APIs in any environment.
A WAF is a crucial part of a comprehensive security strategy. WAFs can help protect against OWASP Top 10 vulnerabilities, automatically. Use of a WAF is also essential when deploying new applications to protect them and monitor incoming traffic. WAFs are also great at preventing account takeovers and are helpful in maintaining regulatory compliance. Finally, they are essential for preventing DDoS attacks, preventing unauthorized access, and just improving your overall security posture.