From fastly-agent-toolkit
Audits Fastly Next-Gen WAF workspaces for critical templated protection rules (login, credit card, gift card) and identifies missing or disabled rules.
Slash command: `/fastly-agent-toolkit:fastly-ngwaf`

Summary shown in Claude's skill listing (used to decide when to auto-load this skill): Audits NGWAF workspaces to verify critical templated rules are configured and enabled. Use the **fastly-cli** skill to configure rules; this skill identifies gaps.
Run the bundled assessment script (requires `jq` and `FASTLY_API_KEY`):

```sh
./scripts/assess_ngwaf_rules.sh
```
For manual inspection or partial audits, use the API calls below. First list the workspaces in the account:

```sh
curl -s -H "Fastly-Key: $FASTLY_API_KEY" \
  "https://api.fastly.com/ngwaf/v1/workspaces?limit=200" | jq '.data[].id'
```
If the list is empty, NGWAF is not configured for this account. Otherwise fetch the rules of each workspace:

```sh
curl -s -H "Fastly-Key: $FASTLY_API_KEY" \
  "https://api.fastly.com/ngwaf/v1/workspaces/$WORKSPACE_ID/rules?limit=200"
```
For each workspace, verify that these templated rules exist and that `enabled` is `true`:
| Category | Required Signals |
|---|---|
| Login Protection | LOGINDISCOVERY, LOGINATTEMPT, LOGINSUCCESS, LOGINFAILURE |
| Credit Card Validation | CC-VAL-ATTEMPT, CC-VAL-FAILURE, CC-VAL-SUCCESS |
| Gift Card Validation | GC-VAL-ATTEMPT, GC-VAL-FAILURE, GC-VAL-SUCCESS |
Check a specific signal (a rule matches when any of its actions adds the signal; `[]?` keeps jq from erroring on a rule without `actions`):

```sh
curl -s -H "Fastly-Key: $FASTLY_API_KEY" \
  "https://api.fastly.com/ngwaf/v1/workspaces/$WORKSPACE_ID/rules?limit=200" \
  | jq '[.data[] | select(any(.actions[]?; .signal == "LOGINDISCOVERY")) | {enabled, id}]'
```
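The same gap check as an added example in Python (not the skill's own script): it evaluates a rules response against the required-signal table above, treating a signal as ENABLED only if at least one enabled rule adds it, and tolerating rules with no `actions` or with non-signal actions. The fields used (`data[].id`, `enabled`, `actions[].signal`) are the ones the jq command reads; the sample response, its rule ids and the `block` action are constructed.

```python
import json

# Required templated-rule signals per category (the skill's audit table).
REQUIRED = {
    "LOGIN": ["LOGINDISCOVERY", "LOGINATTEMPT", "LOGINSUCCESS", "LOGINFAILURE"],
    "CC": ["CC-VAL-ATTEMPT", "CC-VAL-FAILURE", "CC-VAL-SUCCESS"],
    "GC": ["GC-VAL-ATTEMPT", "GC-VAL-FAILURE", "GC-VAL-SUCCESS"],
}

# Constructed stand-in for a /workspaces/{id}/rules response (not real API output).
# Edge cases: r3 has a non-signal action, r4/r5 both add one signal, r11 has no actions.
SAMPLE_RULES_RESPONSE = json.dumps({"data": [
    {"id": "r1", "enabled": True, "actions": [{"signal": "LOGINSUCCESS"}]},
    {"id": "r2", "enabled": False, "actions": [{"signal": "LOGINATTEMPT"}]},
    {"id": "r3", "enabled": True, "actions": [{"signal": "LOGINFAILURE"}, {"type": "block"}]},
    {"id": "r4", "enabled": False, "actions": [{"signal": "CC-VAL-ATTEMPT"}]},
    {"id": "r5", "enabled": True, "actions": [{"signal": "CC-VAL-ATTEMPT"}]},
    {"id": "r8", "enabled": True, "actions": [{"signal": "GC-VAL-ATTEMPT"}]},
    {"id": "r9", "enabled": True, "actions": [{"signal": "GC-VAL-FAILURE"}]},
    {"id": "r10", "enabled": True, "actions": [{"signal": "GC-VAL-SUCCESS"}]},
    {"id": "r11", "enabled": True},
]})


def signal_state(rules):
    """Map each signal some rule adds to True if any enabled rule adds it, else False."""
    state = {}
    for rule in rules:
        for action in rule.get("actions") or []:
            signal = action.get("signal")
            if signal:
                state[signal] = state.get(signal, False) or bool(rule.get("enabled"))
    return state


def audit_workspace(response_json):
    """Return {category: {signal: "ENABLED" | "IS DISABLED" | "NOT CONFIGURED"}}."""
    state = signal_state(json.loads(response_json).get("data") or [])
    return {cat: {s: "NOT CONFIGURED" if s not in state else "ENABLED" if state[s] else "IS DISABLED"
                  for s in sigs} for cat, sigs in REQUIRED.items()}


def gaps(report):
    """Signals that need remediation, i.e. anything that is not ENABLED."""
    return sorted(s for sigs in report.values() for s, st in sigs.items() if st != "ENABLED")


if __name__ == "__main__":
    report = audit_workspace(SAMPLE_RULES_RESPONSE)
    for cat, sigs in report.items():
        print(f"[{cat} Rules]")
        for s, st in sigs.items():
            print(f"- {s}: {st}")
```

Point `audit_workspace` at the body of the rules request above (`curl ... | python3 audit.py`, reading stdin) to get the same NOT CONFIGURED / IS DISABLED / ENABLED breakdown the bundled script prints.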
When LOGINATTEMPT is missing or disabled, search recent request logs for login-like traffic the WAF isn't protecting:

```sh
curl -s -H "Fastly-Key: $FASTLY_API_KEY" \
  "https://api.fastly.com/ngwaf/v1/workspaces/$WORKSPACE_ID/requests?limit=100&page=1&q=from%3A-30min%20method%3APOST%20path%3A~%22%2Alogin%2A%22" \
  | jq -r '.data[].path' | sort | uniq -c
```
Healthy workspace — all signals present and enabled:
```text
### Workspace: abc123
[LOGIN Rules]
- LOGINDISCOVERY: ENABLED
- LOGINATTEMPT: ENABLED
- LOGINSUCCESS: ENABLED
- LOGINFAILURE: ENABLED
[CC Rules]
- CC-VAL-ATTEMPT: ENABLED
- CC-VAL-FAILURE: ENABLED
- CC-VAL-SUCCESS: ENABLED
[GC Rules]
- GC-VAL-ATTEMPT: ENABLED
- GC-VAL-FAILURE: ENABLED
- GC-VAL-SUCCESS: ENABLED
```
Unhealthy workspace — missing or disabled rules require remediation:
```text
### Workspace: def456
[LOGIN Rules]
- LOGINDISCOVERY: NOT CONFIGURED (Recommended: CRITICAL: Configure and enable this rule to discover unknown login endpoints)
- LOGINATTEMPT: IS DISABLED (Recommended: Enable this rule)
- LOGINSUCCESS: ENABLED
- LOGINFAILURE: ENABLED
-> LOGINATTEMPT is not enabled. Searching recent request logs for potential login paths...
-> Found potential login paths in last 30 minutes:
      3 /api/v1/login
      1 /auth/signin
```
| Error | Cause | Fix |
|---|---|---|
| `FASTLY_API_KEY` not set | Environment variable missing | `export FASTLY_API_KEY=<token>` |
| API call failed with status 403 | Token lacks NGWAF scope | Verify the token has `global:read` permission |
| No workspaces found | NGWAF not provisioned | Enable NGWAF on the account first |
| `jq` is not installed | Missing dependency | `brew install jq` or `apt-get install -y jq` |
Install the plugin:

```sh
npx claudepluginhub fastly/fastly-agent-toolkit --plugin fastly-agent-toolkit
```