Fastly

Overview

The Fastly integration connects the Praetorian Guard Platform (PGP) with both Fastly's content delivery network (CDN) and its Next-Gen WAF (NGWAF) to discover domain names, backend addresses, and service configurations that are part of your external attack surface.

Content delivery networks and web application firewalls often sit in front of your applications, and the domains and origin servers configured in them may not appear in other asset discovery sources. This integration closes that visibility gap by pulling data directly from the Fastly API, giving your security team a complete picture of externally accessible services behind Fastly infrastructure.

Note: This integration is currently in beta. It is available upon request and may not appear in the integrations list for all accounts.

What the Integration Does

The Fastly integration provides two independently configurable modules:

  • Asset Discovery (CDN and WAF) — Enumerates all Fastly CDN services to discover associated domain names, then queries the Next-Gen WAF product API to discover WAF-protected domains and their backend origin addresses (hostnames and IPs). Each discovered item is imported as an asset into PGP.
  • WAF Whitelisting — Intended to automatically whitelist Guard static IP ranges in Fastly WAF rules so that scanning traffic is not blocked. This module is not yet implemented and will have no effect if enabled.

The integration uses the official Fastly Go SDK for all API communication. It does not make raw HTTP requests.

All asset discovery operations are strictly read-only. PGP does not create, modify, or delete any Fastly services, domains, or configurations.

CDN Asset Discovery

When asset discovery is enabled, the integration enumerates your Fastly CDN services to discover domain names.

How It Works

  1. List services — The integration paginates through all Fastly services in your account, fetching 100 services per page.
  2. Get service details — For each service, it retrieves the full service detail, which includes the active version and its associated domains.
  3. Extract domains — From the active version of each service, domain names are extracted and sent to PGP as assets.

Pagination retrieves up to 100 services per page with a safety limit of 100 pages (10,000 services maximum). If a service's details cannot be retrieved (e.g., due to permissions), the integration logs a warning and continues to the next service.

WAF Asset Discovery

The integration also discovers assets protected by Fastly's Next-Gen WAF (NGWAF). This runs automatically as part of asset discovery and does not require a separate configuration toggle.

How It Works

  1. List WAF-enabled services — The integration queries the Fastly NGWAF product API to retrieve the IDs of all services that have the Next-Gen WAF product enabled.
  2. Get service details — For each WAF-enabled service, it retrieves the service detail to extract domains and backend configurations from the active version.
  3. Extract domains — Domain names from the active version of each WAF service are sent to PGP as assets.
  4. Extract backend addresses — For each WAF service, the integration lists all configured backends and extracts their addresses. It checks four fields per backend: address, hostname, ipv4, and ipv6.
  5. Deduplicate — Backend addresses are deduplicated within each backend entry (e.g., if address and hostname contain the same value, it is only emitted once).
  6. Filter private IPs — Private IP addresses (RFC 1918, link-local, etc.) are excluded using Go's standard library net.ParseIP and ip.IsPrivate(). Only publicly routable IPs and domain names are imported as assets.

If a WAF service's details or backends cannot be retrieved, the integration logs a warning and continues to the next service. If backend enumeration fails for a service, its domains are still imported.

Prerequisites

Before setting up the Fastly integration, ensure you have:

  • A Fastly account with at least one configured service
  • A Fastly API token with the appropriate scope:
    • For asset discovery only: global:read scope (read-only)
    • For asset discovery and WAF whitelisting: global scope (read-write)
  • An Engineer role on the Fastly account (required for the token to have the necessary permissions)

Creating a Fastly API Token

  1. Sign in to the Fastly Management Console.
  2. Navigate to Account > Personal API tokens (or Automation tokens for service accounts).
  3. Click Create Token.
  4. Set the Scope to global:read for read-only asset discovery, or global if you also plan to enable WAF whitelisting in the future.
  5. Optionally set an expiration date for the token.
  6. Click Create Token and copy the generated token immediately. It will not be shown again.

Setup

  1. In PGP, navigate to the Integrations page.
  2. Find Fastly under the Content Delivery Solutions category.
  3. Fill in the fields described below.
  4. Click Save. PGP will validate that the token scope matches the enabled modules before saving.

Field Reference

Field

Type

Description

Required

API Token

Password

Your Fastly API token. Requires a token with the appropriate scope and an Engineer role. Learn more about roles and permissions.

Yes

Asset Discovery (CDN and WAF)

Checkbox

When enabled, discovers domains from CDN services and domains plus backend addresses from NGWAF-protected services. Requires global:read scope (or global). Enabled by default.

No (default: on)

Whitelist Guard static IP ranges in WAF

Checkbox

When enabled, whitelists Guard scanning infrastructure IPs in Fastly WAF rules. Requires global (read-write) scope. Not yet implemented — enabling this option will have no effect at this time. Disabled by default.

No (default: off)

Note: At least one module (Asset Discovery or WAF Whitelisting) must be enabled. The integration will return an error if both are disabled.

Troubleshooting

Issue

Cause

Fix

"missing Fastly API token"

The API token field was left empty or contains only whitespace.

Enter a valid Fastly API token in the integration configuration.

"token scope is 'X', but 'global:read' or 'global' scope is needed for asset discovery"

The token does not have sufficient read permissions.

Generate a new token with global:read (or global) scope in the Fastly Management Console.

"token scope is 'global:read', but 'global' scope is needed for WAF whitelisting"

WAF whitelisting requires read-write access, but the token only has read-only scope.

Generate a new token with global scope, or disable the WAF Whitelisting checkbox if you only need asset discovery.

"at least one module must be enabled"

Both the Asset Discovery and WAF Whitelisting checkboxes are unchecked.

Enable at least one of the two modules.

"failed to verify token"

The API token is invalid, expired, or has been revoked.

Generate a new API token in the Fastly Management Console and update the integration.

No assets discovered

No CDN services are configured, or services have no domains on their active version.

Verify your Fastly account has active services with domain configurations. Services without an active version or without domains will not produce assets.

Partial data sync (some services missing)

The token may lack permissions for certain services, or individual service detail requests failed.

Ensure the token was created by an account with visibility into all required services. The integration logs warnings for services it cannot access but continues processing remaining services.