Fastly CDN/WAF

Applies to: Fastly CDN, WAF

Overview

Fastly is a Content Delivery Network (CDN). This makes content available through users/organizations websites and Internet-accessible (hosted) application programming interfaces (APIs).

Fastly Web Application Firewall (WAF) protects your applications from malicious attacks designed to compromise web servers. The Fastly WAF provides rules that detect and block potential attacks. The rules are collected into a policy and deployed within your Fastly service at the edge.

EventTracker, when integrated with Fastly CDN/WAF, collects log from Fastly CDN/WAF and creates a detailed reports, alerts, dashboards and saved searches. These attributes of EventTracker helps users to view the most critical and important information on a single platform.

Reports will contain detailed overview of activities like:

Fastly user login/ logout
Fastly login failed, user management events
Fastly service management events
devices
Fastly access events by success and failure.
URL and IP severity
Blocked URL and IP
Matched Rule ID and its message

Fastly user login/ logout will include details such as user login/logout time, their device type or user-agent, if user is an admin or not, and their user id’s.

Alerts are provided as soon as any critical event is triggered by Fastly CDN/WAF. With alerts, users will be able to get real time events such as:

Login failed
Service or service version deletion in their email services
Blocked URL or high severity URL
Visual representation/ overview of top activities being performed in Fastly CDN/WAF
Unauthorized user access (failed)
Blocked request with location
High severity URL detected
Attacks with reason
Count can be viewed on EventTracker ‘dashboard’

“Fastly CDN/WAF - Access events by user agent” dashlet displays the user-agents trying to access any specific domain/ URL.

“Fastly CDN/WAF - User login fail (Audit events by region)” dashlet displays the login failure occurring in Fastly account in a world map by country. Dashlets associated with WAF activity will display information such as, PHP Injections attacks, SQL injection attacks, application attack session fixation, application attack RCE (Remote code execution), etc.

EventTracker monitors all the Fastly CDN events from services like system manager, Fastly audit and access events. They are given as below.

Security – User login failed, blocked URLs
Compliance – Service has been deleted and service version has been deleted.
Operation – Fastly CDN access events by success and error messages, User management, and service management, Fastly CDN has received domain access errors.

Once Fastly CDN is configured to deliver events to EventTracker Manager; alerts, dashboards, and reports can be configured into EventTracker.

Compliance

Alerts

Fastly CDN service version has been deactivated (Audit events) – This alert is triggered when any user deactivates an active version of Fastly service.
Fastly CDN service has been deleted (Audit events) – This alert is triggered in event of deletion of Fastly service/s.

Reports

Fastly CDN - service management (Audit events) -This report includes the summary of Fastly service-related activity, i.e. service create, delete, update, version activate, deactivate, etc.
Fastly CDN - User management (Audit events) – This report includes the summary of Fastly user management activity, i.e. user create, delete, lock, etc.

Operations

Alerts

Fastly CDN has received domain access error (Access events) – This alert is triggered when an end user is trying to access the given domain, instead gets an error, such as request timeout.
Fastly WAF has detected high severity URLs – This alert is triggered when an WAF detects any URL having severity 0,1,2 or 3.

Reports

Fastly CDN - Error events (Access events) – This report includes summary of the activities of URL’s which has error codes like 503, or 404, etc.
Fastly CDN - Success events (Access events) - This report includes summary of the activities of URL’s which has success code i.e. 302.
Fastly CDN - Login success (Audit events) – This report gives a detailed summary of successful user login occurrences in Fastly.
Fastly WAF - OWASP Threats – This report gives a detailed summary of all the WAF threat scores of URL and IP.
Fastly WAF - WAF States – This report gives the detailed summary of WAF rule id matched with its message for URL.

Security

Alerts

Fastly CDN - User login failed (Audit events) - This alert is triggered when there is an unauthorized or incorrect login activity happens in Fastly.
Fastly WAF Blocked URLs - This alert is triggered when any URL is blocked by Fastly WAF.

Reports

Fastly CDN - Login failure (Audit events) – This report includes the summary of failed login of a user via web-based user interface or via API.
Fastly WAF – Blocked URLs - This report includes the summary of Blocked URLs with IP, WAF rule and messages.

Scope

The configuration details are consistent with EventTracker version 9.x and later, and Fastly CDN.

Documentation

To configure Fastly CDN to send logs to EventTracker, refer the How to Guide.

For more information, please refer the Fastly CDN Integration Guide.