Choose your deployment model: Edge WAF runs on Fastly's global edge (no agent installation required, traffic routed through Fastly CDN); Cloud WAF runs on Fastly-hosted infrastructure and requires DNS or load-balancer changes; On-Prem WAF installs an agent directly on your web servers.
For On-Prem WAF, install the Next-Gen WAF agent on each origin server following the Getting Started with the Agent documentation; the agent runs as a service, listens on a local port or Unix socket, and communicates with the Fastly cloud engine every 30 seconds to receive updated rule configurations and upload redacted request data.
In the Fastly Next-Gen WAF console, create a Corp (the top-level organisation), add a Site for each web application, and configure the site's detection mode: blocking mode enforces rules; detection mode logs without blocking (use this for initial rollout).
Configure signals and rules in the console: built-in signals detect common attack patterns (SQLi, XSS, traversal, scanner agents); custom signals can match on any request attribute; rules specify what action to take when a signal fires (block, flag, allow).
Integrate the agent with your web server: for Nginx, the OpenResty or NGINX Plus module proxies requests through the agent; for Apache, use the mod_security-compatible module; the Terraform provider (Signal Sciences Terraform Provider) can manage site and rule configuration as code.
Review the Fastly Next-Gen WAF dashboard for request signals, attack traffic trends, and flagged IPs; promote detection-mode findings to block rules only after confirming no false positives against known-good traffic.
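One way to run the false-positive check from the last step before promoting a signal to blocking, as an added example that is not Fastly's code or part of the original page. The record fields, signal labels, IP ranges and the `min_hits` threshold are assumptions constructed for illustration, not the product's export schema.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: detection-mode findings copied out of the dashboard.
# Field names are assumptions for this example, not the product's schema.
FLAGGED = [
    {"signal": "SQLI", "ip": "203.0.113.7", "path": "/search"},
    {"signal": "SQLI", "ip": "203.0.113.9", "path": "/search"},
    {"signal": "SQLI", "ip": "198.51.100.4", "path": "/login"},
    {"signal": "XSS", "ip": "10.20.0.15", "path": "/cms/preview"},
    {"signal": "XSS", "ip": "203.0.113.7", "path": "/comment"},
    {"signal": "XSS", "ip": "203.0.113.8", "path": "/comment"},
    {"signal": "TRAVERSAL", "ip": "198.51.100.4", "path": "/files"},
]

# Constructed sample: sources treated as known-good (CMS editors, monitoring, QA).
KNOWN_GOOD = ["10.20.0.0/16", "192.0.2.50/32"]


def review_signals(flagged, known_good, min_hits=2):
    """Return (verdict per signal, known-good hits per signal)."""
    nets = [ipaddress.ip_network(n) for n in known_good]
    stats = defaultdict(lambda: {"hits": 0, "fp": []})
    for row in flagged:
        addr = ipaddress.ip_address(row["ip"])
        entry = stats[row["signal"]]
        entry["hits"] += 1
        # A finding from a known-good source is a false-positive candidate.
        if any(addr in net for net in nets):
            entry["fp"].append((row["ip"], row["path"]))
    verdicts = {}
    for signal, entry in stats.items():
        if entry["fp"]:
            verdicts[signal] = "keep-detect"      # known-good traffic tripped it
        elif entry["hits"] < min_hits:
            verdicts[signal] = "needs-more-data"  # too few findings to judge
        else:
            verdicts[signal] = "promote"          # no known-good hits observed
    return verdicts, {s: e["fp"] for s, e in stats.items() if e["fp"]}


if __name__ == "__main__":
    verdicts, false_positives = review_signals(FLAGGED, KNOWN_GOOD)
    for signal, verdict in sorted(verdicts.items()):
        print(f"{signal:10} {verdict:16} {false_positives.get(signal, [])}")
```

Signals marked `keep-detect` stay in detection mode until the listed requests are excluded or the rule is narrowed.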
Known gotchas
The agent communicates asynchronously; in blocking mode, the agent makes a local decision based on cached rules rather than calling the cloud engine per-request, so there is no added latency on the request path, but there is a small window after a config change before all agents receive updated rules.
Edge WAF and On-Prem WAF have different rule coverage; some signals available in On-Prem WAF (which inspects decrypted traffic) are not available in Edge WAF (which inspects at the CDN layer before reaching your origin).
Fastly Next-Gen WAF is a separate product from Fastly's CDN and must be licensed independently; confirm your contract includes the WAF module before beginning deployment.