The PerimeterX Fastly Enforcer requires advanced functionality from Fastly. This must be enabled by the Fastly support team before the Enforcer can be activated.
To enable the advanced Fastly functionality, e-mail [email protected] as follows:
- Subject: “Please enable PerimeterX support for our Fastly service ID ”
- Body: Hi Fastly Support, Please enable PerimeterX support for our service ID and confirm when it is completed.
You must request to enable functionality for each service ID that is being protected by PerimeterX.
Your current VCL must be reviewed by a PerimeterX Solution Architect. Contact your PerimeterX Solution Architect or PerimeterX Support for more information.
In order to use Fastly integration, a binary block result cookie must be defined in the PerimeterX Portal:
- Go to Admin > Policies, and select the policy.
- In the Risk Cookie tab, select Advanced Mode, and click Continue in the pop-up.
- Select the Cookie Version (V2), set the Binary Score/Threshold Score (100), and the Validity as appropriate.
- Click Apply.
To define a syslog, follow the instructions in the Fastly Syslog documentation
PX-Syslog - To send important Syslogs to PerimeterX syslog servers the PX-Syslog must be defined. If you name the syslog
PX-Syslogyou do not need to change
PX_SYSLOG_NAMEon in the configuration table.
- Name: PX-Syslog
- Address: px-fst-syslog.perimeterx.net : 6514
- Use TLS: Yes
- All other fields: No change is needed, use the default values.
Once the PX-Syslog is defined, you must create a new request condition to prevent the Syslog from sending every request automatically. To do this, the request condition must be defined as
- Click Attach a condition next to PX-Syslog.
- Click Create a New Response Condition.
- Name the condition
- Apply if...
req.url == "neverTrue"
- Under Advanced option, set the priority to 10.
See the Fastly Conditions documentation for more details.
- PX-Debug - Optional debug logging endpoint. Define an endpoint to use
enable_debug. If you name the syslog PX-Debug you will not need to change
*DEBUG_SYSLOG_NAME*in the VCL configuration table.
- PX-Error - Optional error logging endpoint. You should define and endpoint to use
- PX-Waf-Prefetch-Condition - Optional Disable WAF condition. This condition ensure the WAF will be disabled during PerimeterX request validation flow to avoid wrong WAF score calculation.
The condition JSON definition is available on the Fastly VCL Enforcer code.
condition type =
To define a logging endpoint - See the Fastly Logging documentaitons
Basic configuration changes to your VCL are require before uploading the VCL.
The PerimeterX Fastly VCL Enforcer consists of 4 VCL files which need to be uploaded to your service. Select
main.vcl as the main VCL. (This will happen automatically if
main.vcl is the first VCL uploaded). please note: VCL object names are case sensitive.
main.vcl- VCL name: "MAIN" - Default Fastly's VCL.
PX.vcl- VCL name: "PX" - Contains all the internal PerimeterX logic.
px_configs.vcl- VCL name: "PX_CONFIGS" - Contains customer logic.
px_custom.vcl- VCL name: "PX_CUSTOM" - Contains customer config files.
To upload the VCLs:
- Click Upload Your First VLC File.
- Name the VCL file MAIN. This ensures that main.vcl is your main VCL.
- Upload the corresponding VCL file.
- Click Create.
- Click +Upload a New VCL File, and repeat the process for the remaining three VCL files, naming the files according to the list above.
.. figure:: /_static/add_vcls.gif?raw=true
:alt: Adding VCLs
main.vcl with the PerimeterX `main.vcl.
PerimeterX subroutine calls must be the first call in each subroutine on MAIN vcl.
Fastly allows you to create your own VCL files with specialized configurations.
By default, the ability to upload custom VCL code is disabled when you sign up. Contact [email protected] to upload your custom VCL code.
Note: You must activate your service version after every change performed to the VCL.
PerimeterX Enforcer uses VCL error codes. These should remain unused by other VCL applications.
Using any of the following codes in other applications may lead to unexpected behavior.
- 991 -
- 992 -
- 995 -
- 996 -
Updated about 1 month ago