diff --git a/sites/platform/src/domains/cdn/managed-fastly.md b/sites/platform/src/domains/cdn/managed-fastly.md index c0c2616383..edfe47272e 100644 --- a/sites/platform/src/domains/cdn/managed-fastly.md +++ b/sites/platform/src/domains/cdn/managed-fastly.md 
@@ -45,10 +45,26 @@ You can also set up consumption alerts for your resource usage. Click the Alert {{< /note >}} +## How Managed Fastly works + +{{% vendor/name %}}’s Managed Fastly CDN routes incoming traffic through the Fastly edge network before requests reach your application. This enables global caching, edge logic (VCL), performance optimisation, and optional security features. + +The Fastly CDN must be provisioned and managed by {{% vendor/name %}}. Features such as the {{% vendor/name %}} Web Application Firewall (WAF), edge rate limiting, and image optimisation depend on this managed integration and cannot be used with a customer-managed Fastly account. + +Once enabled, Fastly operates as the first point of contact for all HTTP requests, allowing requests to be cached, filtered, transformed, or blocked entirely at the edge. + +{{< note theme="info" title="Feature dependencies">}} + +- The {{% vendor/name %}} WAF requires the {{% vendor/name %}} Managed Fastly CDN. +- Customers cannot attach the WAF to an existing third-party Fastly service. +- Advanced Fastly features such as virtual patching and per-project logging require a configurable Fastly workspace. + +{{< /note >}} + ### Domain control validation When you request for a new domain to be added to your Fastly service, -{{% vendor/name %}} support provides you with a [`CNAME` record](/domains/steps/dns.md) for [domain control validation](/domains/troubleshoot.md#ownership-verification). +{{% vendor/name %}} [support](/learn/overview/get-support.md) provides you with a [`CNAME` record](/domains/steps/dns.md) for [domain control validation](/domains/troubleshoot.md#ownership-verification). To add this `CNAME` record to your domain settings, see how to [configure your DNS provider](/domains/steps/_index.md#2-configure-your-dns-provider). 
@@ -94,4 +110,43 @@ typically located at `/mnt/shared/fastly_tokens.txt`. {{% /note %}} ## Dynamic ACL and rate limiting -For details about updating an access control list (ACL) and applying rate limiting, check out the [Working with {{% vendor/name %}} rate-limiting implementation](https://support.platform.sh/hc/en-us/articles/29528777071890-Upsun-Fastly-Rate-Limiting-How-it-works-how-to-tune-it) article in the Upsun Community. \ No newline at end of file + +For details about updating an access control list (ACL) and applying rate limiting, check out the [Working with {{% vendor/name %}} rate-limiting implementation](https://support.platform.sh/hc/en-us/articles/29528777071890-Upsun-Fastly-Rate-Limiting-How-it-works-how-to-tune-it) article in the Upsun Community. + +## Edge-level rate limiting + +{{% vendor/name %}} provides edge-level rate limiting through Fastly, allowing you to control how many requests a single IP address or network can make within a given time window. + +Rate limiting is applied at the edge, before requests reach your application, helping to reduce load and mitigate abusive traffic patterns. + +### What Edge-level rate limiting can do + +- Protect sensitive endpoints such as `/login`, `/admin`, or checkout paths +- Limit request floods from a single IP or IP range +- Reduce application load during traffic spikes +- Enable {{% vendor/company_name %}} Support to better handle attacks or high-traffic events by throttling traffic at the edge + +Edge-level rate limiting is: +- Included with all {{% vendor/company_name %}} Fastly Next-Gen WAF tiers +- Available as a standalone add-on (without the WAF) + +### Configuration and defaults + +There are no default rate-limiting rules applied automatically. Rate limiting is configured during onboarding, or by request via {{% vendor/name %}} [Support](/learn/overview/get-support.md). 
+ +Rules can be scoped by: + +- Request path +- Request type +- IP address or network +- Custom thresholds and actions (block, allow, log) + +### Limitations + +Edge-level rate limiting is a rule-based control mechanism, not an automated bot-detection system. It does not: + +- Identify bots automatically +- Present CAPTCHA or JavaScript challenges +- Provide AI-driven mitigation + +For advanced bot and scraper protection, {{% vendor/name %}} offers separate third-party integrations. \ No newline at end of file diff --git a/sites/platform/src/security/web-application-firewall/fastly-waf.md b/sites/platform/src/security/web-application-firewall/fastly-waf.md index 12a0cd3c20..e6977ed0cc 100644 --- a/sites/platform/src/security/web-application-firewall/fastly-waf.md +++ b/sites/platform/src/security/web-application-firewall/fastly-waf.md 
@@ -6,16 +6,16 @@ banner: type: tiered-feature --- -On top of the [{{% vendor/name %}} Web Application Firewall (WAF)](/security/web-application-firewall/waf.md) included in Upsun Fixed Enterprise and Elite plans, -you can subscribe to the Fastly Next-Gen WAF to further protect your app from security threats. +On top of the [{{% vendor/name %}} Web Application Firewall (WAF)](/security/web-application-firewall/waf.md) included in {{% vendor/name %}} Fixed Enterprise and Elite plans, +you can subscribe to the Fastly Next-Gen Web Application Firewall (Next-Gen WAF) to further protect your app from security threats. ## Available offers If you want to subscribe to the Fastly Next-Gen WAF through {{% vendor/name %}}, you can choose from two offers: -- If you subscribe to the **Basic** offer, your WAF is fully managed by {{% vendor/name %}} -- If you subscribe to the **Basic configurable** offer, your WAF is fully managed by {{% vendor/name %}} too, but with additional flexibility and visibility provided +- If you subscribe to the **Basic** offer, your WAF is fully managed by {{% vendor/name %}}. +- If you subscribe to the **Basic configurable** offer, your WAF is fully managed by {{% vendor/name %}} too, but with additional flexibility and visibility provided. To view a list of all the features included in each offer, see the following table. 
@@ -40,3 +40,103 @@ Included features may present limitations compared to those advertised by Fastly To subscribe to a Fastly Next-Gen WAF offer through {{% vendor/name %}}, [contact Sales](https://upsun.com/contact-us/). + +## Next-Gen WAF Tier Comparison + +#### Basic + +- Block-only mode +- Default attack and anomaly signals enabled +- No virtual patching +- No default dashboards +- No custom signals, response codes, or API/ATO signals + +This tier is best suited for baseline protection with minimal configuration requirements. + +#### Basic Configurable + +- Block, not blocking, and off modes +- Default attack and anomaly signals enabled +- Virtual patching available in block mode +- Default dashboards reviewed during quarterly business reviews +- No custom signals, response codes, or API/ATO signals + +This tier is best for customers needing custom rules, CVE protection, per-project visibility, or log integration. + +## How the Fastly Next-Gen WAF Works + +The Fastly Next-Gen WAF evaluates incoming requests using a combination of signals, conditions, actions, and thresholds. + +### Signals + +Signals classify and tag requests based on observed patterns, such as: + +- SQL injection attempts +- Cross-site scripting payloads +- Repeated 404 requests +- Known attack signatures + +Signals are informational and are not inherently “good” or “bad”. + +### Conditions + +Conditions define where and when a rule applies. Examples include: + +- Specific URL paths +- Request methods +- Geographic origin +- Presence of certain signals + +### Actions + +Actions define what happens when a rule matches (allow/log apply to the configurable offer): + +- Block the request +- Allow the request +- Log the request for analysis + +{{< note theme="info" >}} + +The Basic Next-Gen WAF offer operates in block-only mode. + +{{< /note >}} + +### Thresholds + +Thresholds define volume-based triggers. 
For example, block if more than `N` suspicious requests occur from the same IP within a defined time window to distinguish normal user behaviour from automated probing or attacks. + +### Virtual Patching + +Virtual patches are temporary WAF rules provided by Fastly to block known CVEs at the edge. They: + +- Protect against specific, identified vulnerabilities +- Buy time while application dependencies are patched +- Do not replace proper application updates + +{{< note theme="info" >}} + +Virtual patching is available only in the Basic Configurable Next-Gen WAF tier. + +{{< /note >}} + +## Scope and Limitations + +The Fastly Next-Gen WAF mitigates many common web-based attacks, including parts of the OWASP Top 10. However, it does not replace application-level security. The WAF does not automatically protect against: + +- Weak authentication or password policies +- Insecure application design +- Business-logic flaws +- All bot or scraper traffic +- All DDoS attack types + +Some attacks are mitigated at the CDN network layer, while others require identifiable patterns that can be enforced via WAF or rate-limiting rules. + +{{< note theme="info" title="No automatic challenges">}} + +{{% vendor/name %}}’s Fastly Next-Gen WAF does not provide automatic CAPTCHA or JavaScript challenges. Traffic is evaluated using rule-based signals, thresholds, and actions configured during onboarding or [via Support](/learn/overview/get-support.md). + +{{< /note >}} + +## Configuration and enablement + +Fastly Next-Gen WAF features are not self-service. Enablement and configuration occur during customer onboarding, or via a [Support request](/learn/overview/get-support.md) after purchase.
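Review bot: In the managed-fastly.md hunk `@@ -45,10 +45,26 @@`, the new `## How Managed Fastly works` heading lands directly above the existing `### Domain control validation` subsection, which now renders as a child of the new section instead of its previous parent; either demote the new section or place it so the domain-validation steps keep their original nesting. The "Feature dependencies" note says virtual patching and per-project logging "require a configurable Fastly workspace", while the fastly-waf.md changes in this same PR call that the "Basic Configurable" Next-Gen WAF tier; use one name and link the note to `/security/web-application-firewall/fastly-waf.md` so readers can find the tier definition. The sentence "Fastly operates as the first point of contact for all HTTP requests" only holds for domains whose DNS points at the Fastly service through the `CNAME` described in the next subsection; qualify it as "for all HTTP requests to domains routed through the CDN".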
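Review bot: In the managed-fastly.md hunk `@@ -94,4 +110,43 @@`, the new `## Edge-level rate limiting` section sits immediately after the existing `## Dynamic ACL and rate limiting` section, whose only content is a link to the Community article on the same rate-limiting implementation; readers now get two adjacent rate-limiting sections with no cross-reference, so either fold the Community link into the new section or add a pointer in each to the other. Under "Rules can be scoped by:", the last bullet "Custom thresholds and actions (block, allow, log)" is not a scope but the rule's effect; move it into its own sentence ("Each rule defines a threshold and an action: block, allow, or log") and spell out what "Request type" means (HTTP method, content type, or something else). Smaller points: the section mixes `{{% vendor/company_name %}}` and `{{% vendor/name %}}` within a few lines; the heading "What Edge-level rate limiting can do" capitalises "Edge" unlike the sibling headings "Configuration and defaults" and "Limitations"; and the file still ends with `\ No newline at end of file`, so add the trailing newline while touching it.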
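Review bot: In the fastly-waf.md hunk `@@ -6,16 +6,16 @@`, the bullet "your WAF is fully managed by {{% vendor/name %}} too, but with additional flexibility and visibility provided." still ends on a dangling "provided" after the punctuation fix; drop the word or complete the phrase. The offer is spelled "Basic configurable" here but "Basic Configurable" in the tier-comparison headings and notes added further down the same file; pick one casing. Since this hunk replaces the hardcoded "Upsun" with `{{% vendor/name %}}`, the remaining hardcoded "in the Upsun Community" in the managed-fastly.md rate-limiting paragraph that this PR also rewrites should get the same treatment, or be noted as intentional.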
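Review bot: In the fastly-waf.md hunk `@@ -40,3 +40,103 @@`, heading levels jump from `## Next-Gen WAF Tier Comparison` straight to `#### Basic` and `#### Basic Configurable`, skipping `###`; make them `###` so the table of contents nests correctly. The comparison also duplicates the feature table the page already introduces with "To view a list of all the features included in each offer, see the following table", so the two will drift; either point the bullets at the table or keep only one. Within the Basic Configurable bullets, "Block, not blocking, and off modes" reads oddly ("non-blocking" or "logging mode" would match the "allow/log apply to the configurable offer" wording under Actions), and "No custom signals" beside "best for customers needing custom rules" needs a sentence distinguishing custom rules from custom signals. "Virtual patching available in block mode" in the bullets carries a condition that the later note "Virtual patching is available only in the Basic Configurable Next-Gen WAF tier" omits; state both in the note. In Scope and Limitations, "Some attacks are mitigated at the CDN network layer, while others require identifiable patterns" does not say which attack classes fall on which side; name them or drop the sentence, since "All DDoS attack types" is already listed as out of scope. Headings in this hunk also alternate between Title Case ("How the Fastly Next-Gen WAF Works", "Scope and Limitations", "Virtual Patching") and the page's sentence case ("Configuration and enablement", "Available offers").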