Detection and blocking with the Next-Gen WAF

Web Application Firewall (WAF)API securitySecurity

The Fastly Next-Gen WAF’s patented approach to detection and blocking provides broad, highly accurate protection without required tuning.

On this page

The limitations of legacy detection and blocking techniques 

Legacy web application firewalls (WAF) that rely on regular-expression pattern-matching rules require an extensive tuning period to ensure that default rule sets do not generate false positives and block legitimate traffic for their applications. The legacy approach of using default rules leaves you with subpar options: you can enable only a small number of rules you’ve validated as “safe” yet leave your applications exposed. Or you can enable more rules that risk blocking legitimate traffic in exchange for catching more potential attacks.

Legacy regex-based WAF approach

Legacy regex-based WAF approach diagram

A superior approach to detection 

The Fastly Next-Gen WAF (powered by Signal Sciences) was designed by security practitioners that have lived the pain of constant rules tuning and have seen where pattern matching and signature-based rule sets fall short. Compared to legacy WAFs that rely on regex matching and are rarely used in blocking mode, almost 90% of Fastly’s customers enable full blocking mode across all default attack types without any tuning. The key to our reliable, accurate decisions lies in our patented architecture and proprietary detection technology, SmartParse, developed by Signal Sciences. SmartParse makes instantaneous decisions in line to determine if malicious or anomalous payloads are present. By evaluating the context of the request and how it would actually execute, SmartParse is able to make highly accurate detections. For advanced coverage of today’s unique, complex application logic abuse and attacks, our Next-Gen WAF offers rules which are easy to set up and provide unparalleled flexibility and customization to protect your web applications and services. With our intuitive rule builder, there are no regexes to tune and no complicated rules or scripting language to learn or manage. Through a combination of SmartParse and customizable rules, Fastly delivers automated defense against OWASP Top 10 threats—and beyond.

Key Benefits

The Fastly Next-Gen WAF’s patented approach to detection and blocking delivers significant benefits to DevOps and security teams:

  • Reliable, automated attack detection 

  • No manual rules tuning required 

  • Less time wasted on false positives 

  • Secures applications without breaking them

Injection attacks 

With injection attacks via SQLi or XSS, untrusted data is sent to an interpreter as part of a command or query. SmartParse analyzes request parameters to determine whether the code is actually executable and tokenizes the results. The tokenized representation of the request is analyzed, at runtime, to detect attacks such as SQLi, XSS, and other OWASP Top 10 injection attacks. This approach has a much lower false-positive rate and is much faster than signature-based detection approaches.

SmartParse detection method

SmartParse detection method diagram

Coverage beyond injection attacks 

Beyond detection and blocking of SQLi and XSS attacks, Fastly enables you to automatically detect other OWASP Top 10 attacks through rules. With rules, you can set up thresholds, rate limiting, automatic blocking, and alert triggers specific to your web applications and business logic within the Next-Gen WAF console. Rules can also apply vulnerability patches to address outdated or otherwise compromised components, such as libraries, frameworks, and other software modules that run with the same privileges as an application. Rules can be created on individual sites (site rules) as well as globally (corp rules) to be easily used across multiple sites.

NGWAF site rules screenshot

Virtual patching with rules 

A virtual patch prevents the exploitation of a known vulnerability in either a module or framework. It analyzes transactions and intercepts attacks in transit, so malicious traffic never reaches the web application. The resulting outcome from applying a virtual patch is that, while the actual source code of the application itself has not been modified, the exploitation attempt does not succeed. This buys time in the development process to fix the underlying vulnerability while the patch is protecting the application at runtime. Fastly provides and enables you to apply virtual patches that address various Common Vulnerability and Exposures (CVEs) and immediately block requests containing the CVE exploit. Within the console, you can use templated rules that cover various CVEs in a default list.

NGWAF templated rules screenshot

A superior approach to blocking 

The Fastly Next-Gen WAF vastly improves detection accuracy by separating blocking decisions from initial detections using a threshold-based approach. Instead of the legacy approach of blocking any incoming request that matches a regular expression (regex) immediately, our Next-Gen WAF uses SmartParse detections coupled with time-based thresholds and anomaly data around the request and response to make informed blocking decisions. 

When incoming requests contain attacks, a snippet of that request is sent to our Cloud Engine (see the Data Redactions FAQ to learn how this is done in a safe and private manner). The Cloud Engine aggregates attacks from across all deployed agents—including other customers’ agents through our proprietary Network Learning Exchange. When enough malicious activity is seen from a potential attacker based on pre-defined yet customizable thresholds built using big data analytics, the engine flags that user for blocking. This method results in highly accurate detections and provides broader context around various attacks. 

Using a combination of default detections plus rules functionality, users of the Fastly Next-Gen WAF are able to gain more accurate and far greater blocking coverage across the OWASP Top 10 and advanced threats. Request a demo to learn more about our patented solution for securing web applications.

Fastly Next-Gen WAF Datasheet

Learn how our Next-Gen WAF automatically protects against web layer attacks and easily integrates with DevOps tools.

Analyst Report
Gartner® Magic Quadrant™ for WAAP Analyst Report

Fastly is a Cloud WAAP Challenger. Compare vendors in this report.

Blog Post
WAF Efficacy Framework

Discover how the WAF efficacy framework helps you measure the effectiveness of your WAF.

Blog Post
How to deploy Fastly's Next-Gen WAF in less than 10 minutes

See how easy it is to get started with Fastly’s Next-Gen WAF

Meet a more powerful global network.

Our network is all about greater efficiency. With our strategically placed points of presence (POPs), you can scale on-demand and deliver seamlessly during major events and traffic spikes. Get the peace of mind that comes with truly reliable performance — wherever users may be browsing, watching, shopping, or doing business.

336 Tbps

Edge network capacity1

150 ms

Mean purge time2

>1.8 trillion

Daily requests served4

~90% of customers

Run Next-Gen WAF in blocking mode3

As of March 31, 2024

As of December 31, 2019

As of March 31, 2021

As of July 31, 2023

Ready to get started?

Get in touch.