Document toolboxDocument toolbox

Fastly Next-Gen WAF collector

Overview

The Fastly Next-Gen WAF (powered by Signal Sciences) is a web application firewall that monitors for suspicious and anomalous web traffic and protects, in real-time, against attacks directed at the applications and origin servers that you specify.

Feature

Details

Feature

Details

Allow parallel downloading (multipod)

not allowed

Running environments

  • collector server

  • on-premise

Populated Devo events

table

Flattening preprocessing

no

Allowed source events obfuscation

yes

Data sources

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

List corp activity events

Lists activity events for a corporation.

api/v0/corps/{corpName}/activity

 

corp_activity_events

waf.fastly.nextgen_waf.corp_activity.{corpName}.{site}

v1.0.0

List site activity events

Lists activity events of a corporation for a given site.

api/v0/corps/{corpName}/sites/{siteName}/analytics/events

site_activity_events

waf.fastly.nextgen_waf.site_activity.{corpName}.{site}

v1.0.0

List corp events.

Lists all events of a corporation for a given site.

api/v0/corps/{corpName}/sites/{siteName}/events

corp_events

waf.fastly.nextgen_waf.corp_event.{corpName}.{site}

v1.0.0

Get request feed.

Lists all of a corporation's request feed data for a given site.

api/v0/corps/{corpName}/sites/{siteName}/feed/requests

feed_requests

waf.fastly.nextgen_waf.request_feed.{corpName}.{site}

v1.0.0

For more information on how the events are parsed, visit our page.

Vendor setup

You must have a Fasly Next-Gen WAF account. For information on how to create an account check this guide.

With the creation of the account you will get:

  • User email: The user's email to configure the collector.

  • Corporation: It is a necessary parameter to configure the collector. It is provided by the Fastly Next-Gen WAF team during account creation.

  • Site: It is a necessary parameter to configure the collector. It is provided by the Fastly Next-Gen WAF team during account creation.

To generate the required API access token, follow these steps:

  1. Log in to the Fastly console here.

  2. From the My Profile menu, select API access tokens.

  3. Click Add API access token.

  4. In the Token name field, enter a name to identify the access token.

  5. Click Create API access token.

  6. Record the token in a secure location for your use.

Note that this is the only time the token will be visible. Record the token and keep it secure. For your security, it will not appear in the console.

  1. Click Continue to finish creating the token.

  2. Copy the token to set the collector's api_token parameter.

For more information check this article.

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting

Details

Setting

Details

user_email

The username for the Next-Gen WAF API. 

api_token

The API Token for the Next-Gen WAF API.. To find out how to get it, see the Vendor Setup guide.

See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.

Accepted authentication methods

Authentication method

API Token

user_email

Required

api_token

Required

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).We use a piece of software called Collector Server to host and manage all our available collectors.

To enable the collector for a customer:

  1. In the Collector Server GUI, access the domain in which you want this instance to be created

  2. Click Add Collector and find the one you wish to add.

  3. In the Version field, select the latest value.

  4. In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).

  5. In the sending method select Direct Send. Direct Send configuration is optional for collectors that create Table events, but mandatory for those that create Lookups.

  6. In the Parameters section, establish the Collector Parameters as follows below:

Editing the JSON configuration

{ "global_overrides": { "debug": <debug_status> }, "inputs": { "fastly": { "id": "<short_unique_id>", "corp_name": "<corp_name_value>", "site": "<site_value>", "enabled": true, “environment”: “<environment_value>”, "credentials": { "user_email": "<user_email_value>", “api_token”": "<api_token_value>", }, "services": { "corp_activity_events": { "request_period_in_seconds": <request_period_in_seconds_value>, "override_tag": <override_tag_value>, "start_time_utc": <start_time_in_utc_value> }, "site_activity_events": { "request_period_in_seconds": <request_period_in_seconds_value>, "override_tag": <override_tag_value>, "start_time_utc": <start_time_in_utc_value> }, "corp_events": { "request_period_in_seconds": <request_period_in_seconds_value>, "override_tag": <override_tag_value>, "start_time_utc": <start_time_in_utc_value> }, "feed_requests": { "request_period_in_seconds": <request_period_in_seconds_value>, "override_tag": <override_tag_value>, "start_time_utc": <start_time_in_utc_value> }, } } } }

Parameter

Data type

Type

Value Range

Details

collector_name

str

Mandatory

Minimum length: 1

Use this param to give a name to this collector.

devo_address

str

Mandatory

collector-us.devo.io 

collector-eu.devo.io 

Use this parameter to identify the Devo Cloud where the events will be sent.

chain_filename

str

Mandatory

minimum length: 4

maximum length: 20

Use this parameter to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is: chain.crt.

cert_filename

str

Mandatory

minimum length: 4

maximum length: 20

Use this parameter to identify the file.cert downloaded from your Devo domain.

key_filename

str

Mandatory

minimum length: 4

maximum length: 20

Use this parameter to identify the file.key downloaded from your Devo domain.

short_unique_id

int

Mandatory

Minimum length: 1

Maximum length: 5

Use this param to give an unique id to this input service.

corp_name_value

int

Mandatory

Minimum length: 1

 

The corporation for the Next-Gen WAF API. To find out how to get it, see the Vendor Setup guide..

site_value

int

Mandatory

Minimum length: 1

 

The site for the Next-Gen WAF API. To find out how to get it, see the Vendor Setup guide..

environment_value

str

Optional

Minimum length: 1

This is an optional control parameter that is injected into the events and allows to differentiate the environment. For example: dev and prod.

user_email_value

str

Mandatory

Minimum length: 1

 

The user email for the  Next-Gen WAF API. To find out how to get it, see the Vendor Setup guide.

api_token_value

str

Mandatory

Minimum length: 1

 

The api_token for the  Next-Gen WAF API. To find out how to get it, see the Vendor Setup guide.

override_tag_value

str

Optional

Devo tag-friendly string (no special characters, spaces, etc.) For more information see Devo Tags.

An optional tag that allows users to override the service default tags.

start_time_utc_value

str

Optional

UTC datetime string having datetime string format %Y-%m-%dT%H:%M:%SZ

 (e.g., “2023-07-11T01:23:01Z”)

This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events.

request_period_in_seconds_value

int

Optional

minimum length: 1

Period in seconds used between each data pulling. This value will overwrite the default value (60 seconds).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Events service

Internal process and deduplication method

Data is collected by setting a start date and by pagination. To eliminate duplicates, the date of the last event sent to Devo and the IDs of events with the same date are stored.

Devo categorization and destination

All events of this service are ingested into the table waf.fastly.nextgen_waf.request_feed.{corpName}.{site}

Setup output

A successful run has the following output messages for the setup module:

INFO InputProcess::MainThread -> ServiceThread(fastly,1234123,corp_activity_events,predefined) - Starting thread (execution_period=60s) INFO InputProcess::MainThread -> FastlyPullerSetup(fastly_collector,fastly#1234123,corp_activity_events#predefined) -> Starting thread WARNING InputProcess::FastlyPullerSetup(fastly_collector,fastly#1234123,corp_activity_events#predefined) -> The token/header/authentication has not been created yet INFO InputProcess::FastlyPullerSetup(fastly_collector,fastly#1234123,corp_activity_events#predefined) -> Setup for module <FastlyEventsPuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

INFO InputProcess::FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) -> FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) Starting the execution of pre_pull() INFO InputProcess::FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) -> Reading persisted data INFO InputProcess::FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) -> Data retrieved from the persistence: None WARNING InputProcess::FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) -> Persistence will be overridden due to the retrieved state is empty INFO InputProcess::FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) -> Running the persistence upgrade steps INFO InputProcess::FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) -> Running the persistence corrections steps INFO InputProcess::FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) -> Running the persistence corrections steps WARNING InputProcess::FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) -> Some changes have been detected and the persistence needs to be updated. Previous content: None. New content: {'@persistence_version': 1, 'start_time_epoch': 1673400180, 'last_event_time_epoch': 1673400180, 'last_id': None} INFO InputProcess::FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) -> Updating the persistence WARNING InputProcess::FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) -> Persistence has been updated successfully INFO InputProcess::FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) -> FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) Finalizing the execution of pre_pull() INFO InputProcess::FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) -> Starting data collection every 60 seconds INFO InputProcess::FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) -> Pull Started INFO InputProcess::FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1700122878630):Number of requests made: 1; Number of events received: 13; Number of duplicated events filtered out: 0; Number of events generated and sent: 13; Average of events per second: 6.338. INFO InputProcess::FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1700122878630):Number of requests made: 1; Number of events received: 13; Number of duplicated events filtered out: 0; Number of events generated and sent: 13; Average of events per second: 6.336. INFO InputProcess::FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) -> The data is up to date! INFO InputProcess::FastlyEventsPuller(fastly,1234123,corp_activity_events,predefined) -> Data collection completed. Elapsed time: 2.070 seconds. Waiting for 57.930 second(s) until the next one

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

  1. Edit the configuration file.

  2. Change the value of the start_time_utc parameter to a different one.

  3. Save the changes.

  4. Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type

Error ID

Error message

Cause

Solution

InitVariablesError

1

Invalid start_time_utc: {datetime_utc_now}. Must be in the past.

The user has set the start_time_utc parameter in the future

Set the start_time_utc parameter to a date and time earlier than the current one in the configuration file.

2

Invalid start_time_utc: {datetime_utc_now}. The maximum value is 24 hours and 5 minutes in the past (in utc time).

The user has set the start_time_utc parameter out of range.

Set the start_time_utc parameter within the indicated range.

SetupError

102

ERROR: The base url is invalid. Cause: {cause}

The url is malformed because you have entered an invalid corporation or site value.

Check if the corporation and site values are correct.

ApiError

400

HTTP ERROR 400: Bad request: The server could not understand the request.

The API request is malformed.

Contact the Devo team

401

HTTP ERROR 401:                         Unauthorized: Authentication is required and has failed or has not been provided.

The user is not authorized to access the requested service.

Check the permissions and that the credentials are not expired.

402

HTTP ERROR 500: Server Error: An error occurred on the server.

Unknown server error.

Check that the internet connection works correctly and contact the company that manages the server on which the events are hosted.

403

Request Error: Received status code {status_code}

Unknown API error

Contact the Devo team.

404

HTTP ERROR 429: Too Many Requests: The user has sent too many requests in a given amount of time.

Too many requests have been sent to the resource.

Check:

  • That there is only one POD running.

  • That there are no more computers using the same credentials

Wait several minutes before restarting the collector.

If nothing works, contact the Devo team.

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.

A successful run has the following output messages for the initializer module:

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

Sender services

Description

Sender services

Description

internal_senders

In charge of delivering internal metrics to Devo such as logging traces or metrics.

standard_senders

In charge of delivering pulled events to Devo.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace

Description

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 21 (elapsed 0.007 seconds)

Displayes the number of events from the last time and following the given example, the following conclusions can be obtained:

  • 44 events were sent to Devo since the collector started.

  • The last checkpoint timestamp was 2022-06-28 10:39:22.511671+00:00.

  • 21 events where sent to Devo between the last UTC checkpoint and now.

  • Those 21 events required 0.007 seconds to be delivered.

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

  • The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.

  • The global pressure of the available memory is displayed in the global value.

  • All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

Change log

Release

Released on

Release type

Details

Recommendations

Release

Released on

Release type

Details

Recommendations

v1.0.0

Oct 10, 2023

INITIAL RELEASE



Deployed the first Beta version of the Fastly Next-Gen WAF with the following services:

  • List corp activity events.

  • List site activity events.

  • List corp events.

  • Get request feed.

  • DCSDK Version: 1.10.0

-