FAQ
Find answers to common questions about setup, configuration, troubleshooting, and best practices to help you get the most out of your CloudGuard WAF.
Data Regions
Which data regions are available?
For managing your configuration and data there are four data regions: Europe (EU), United States (US), India (IN) and Australia (AU). Your configuration and logs will be kept there. After selecting a region via the relevant portal address or when creating a tenant for EU/US, the data region cannot be changed later.
Portal addresses:
EU/US: https://portal.checkpoint.com (select the region when opening a tenant)
IN: https://in.portal.checkpoint.com
AU: https://au.portal.checkpoint.com
For WAF SaaS Points of Presence (PoPs) where your web traffic is routed to be secured by WAF, there are 3 data regions: Europe, United States, and Japan. For additional information regarding WAF SaaS visit our dedicated documentation.
Which IP address / URLs / Ports are used by CloudGuard WAF Gateways and Nano Agents when connecting to the Cloud?
IP addresses according to data region:
EU: 75.2.123.205, 99.83.172.252 (port 443)
US: 52.223.30.193, 35.71.144.247 (port 443)
IN: 15.197.167.248, 3.33.187.244 (port 443)
AU: 15.197.214.233, 3.33.222.204 (port 443)
URLs according to data region:
EU: https://inext-agents.cloud.ngen.checkpoint.com
US: https://inext-agents-us.cloud.ngen.checkpoint.com
IN: https://inext-agents-in.cloud.ngen.checkpoint.com
AU: https://inext-agents-au.cloud.ngen.checkpoint.com
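When an agent stays in a registration or connecting state, the usual cause is an egress firewall that does not allow the addresses above. The following script is an added example (not Check Point's own tooling) that takes the per-region IPs, port and agent URL from this FAQ and attempts a plain TCP connect to each published IP, so you can confirm the allowlist before installing. The `connect` parameter is an assumption made for testability: it defaults to a real socket connect and can be swapped for a stub.

```python
import socket
from urllib.parse import urlparse

# Per-region endpoints as listed in this FAQ (IPs, port and agent URL).
REGION_ENDPOINTS = {
    "EU": {"url": "https://inext-agents.cloud.ngen.checkpoint.com",
           "ips": ["75.2.123.205", "99.83.172.252"], "port": 443},
    "US": {"url": "https://inext-agents-us.cloud.ngen.checkpoint.com",
           "ips": ["52.223.30.193", "35.71.144.247"], "port": 443},
    "IN": {"url": "https://inext-agents-in.cloud.ngen.checkpoint.com",
           "ips": ["15.197.167.248", "3.33.187.244"], "port": 443},
    "AU": {"url": "https://inext-agents-au.cloud.ngen.checkpoint.com",
           "ips": ["15.197.214.233", "3.33.222.204"], "port": 443},
}


def default_connect(host, port, timeout=5.0):
    """Open a TCP connection to host:port and close it; True on success.
    Only the TCP handshake is tested, so a proxy-only egress path will
    report False even though the agent (which honours OS proxy settings)
    might still work."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_egress(region, connect=default_connect):
    """Try every published IP for the region; returns {ip: reachable}.
    Raises KeyError for a region that is not in the table."""
    entry = REGION_ENDPOINTS[region.upper()]
    return {ip: bool(connect(ip, entry["port"])) for ip in entry["ips"]}


def egress_summary(region, connect=default_connect):
    """Summarise the check: the agent hostname that must resolve, whether
    all IPs are reachable, and which IPs (if any) are blocked."""
    entry = REGION_ENDPOINTS[region.upper()]
    results = check_egress(region, connect)
    blocked = [ip for ip, ok in results.items() if not ok]
    return {
        "host": urlparse(entry["url"]).hostname,
        "port": entry["port"],
        "reachable": not blocked,
        "blocked": blocked,
    }


if __name__ == "__main__":
    import sys
    region = sys.argv[1] if len(sys.argv) > 1 else "EU"
    summary = egress_summary(region)
    print(f"{region}: host={summary['host']} port={summary['port']}")
    print("all IPs reachable" if summary["reachable"]
          else f"blocked: {', '.join(summary['blocked'])}")
```

Run it from the host where the agent will be installed (`python3 egress_check.py US`); a non-empty `blocked` list means the firewall rule for that IP/port pair is missing. Because the test stub replaces the network call, the same functions can be exercised offline.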
Information Privacy and Data Security
Information Privacy
All enforcement is done on the agent side; this includes IPS, WAAP, File Security and more.
One exception to this policy is the file sandboxing feature. In this case, the file is uploaded to Check Point’s cloud sandbox and is inspected there, and the verdict is moved to the agent through the cloud.
Logs and metrics are uploaded to management. Log detail is controlled by the Log Trigger configuration and, by default, does not include body payloads or allowed traffic.
If the body must be sent to the logs, exceptions can be added for specific URIs/parameters (such as passwords).
The ML engine may send some parameter names and URIs to the cloud; this happens only when suspicious indicators have been detected in the traffic.
Data Security
All Data transfer between WAF Gateways/Agents and Check Point Cloud is encrypted using HTTPS/TLS.
Authentication: Initial agent registration is done with a multi-use or one-time token. All agent APIs use a JWT for authentication and authorization (OAuth 2.0).
Check Point Infinity Next Cloud is protected using best-in-class Access Control and Threat Prevention mechanisms and is monitored constantly.
We regularly update and patch our system components in the cloud as well as regularly perform penetration tests and vulnerability scanning.
Data Residency and PII
We have 4 data regions: EU, US, IN, and AU. Customers can choose which one to use. Their configuration and data will be kept only in that region.
Policy and configuration information is stored securely in the cloud.
By default, logs are sent to the cloud. Logs include IP addresses and potentially emails and portions of traffic payload that may include PII.
Customers can choose not to send logs to the cloud and instead keep them in their own log repository. In this case, some features will not be supported.
AI learning information is sent to the cloud for sharing between agents of the same customer. The learning data includes only key names, not values, so the risk of PII exposure is limited.
For example, if an HTTP POST includes "firstName":"John", only the key name "firstName" is sent to the cloud; the value "John" is not sent.
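To make the two statements above concrete (learning data carries key names only, and sensitive parameters can be kept out of logs), here is an added illustration in Python. It is not Check Point's ML engine or log trigger code; it shows the same principle on a constructed JSON and form-encoded body: `key_names_from_body` returns the structure of a request without any values, and `redact_parameters` masks the listed parameters (such as `password`) before a body is written to a log. The function names and the `REDACTED` marker are assumptions made for this example.

```python
import json
from urllib.parse import parse_qsl, urlencode

MASK = "REDACTED"  # placeholder written in place of a sensitive value


def collect_key_names(value, prefix="", out=None):
    """Recursively collect key names (as dotted paths) from parsed JSON.
    Values are never copied into the result; list items are flattened
    under a "[]" path element so their keys are still learned."""
    if out is None:
        out = set()
    if isinstance(value, dict):
        for key, child in value.items():
            path = f"{prefix}.{key}" if prefix else key
            out.add(path)
            collect_key_names(child, path, out)
    elif isinstance(value, list):
        for item in value:
            collect_key_names(item, prefix + "[]", out)
    return out


def key_names_from_body(content_type, body):
    """Return the sorted key names of a request body, without values.
    Unsupported content types yield an empty list (nothing is shared)."""
    if content_type.startswith("application/json"):
        return sorted(collect_key_names(json.loads(body)))
    if content_type.startswith("application/x-www-form-urlencoded"):
        return sorted({k for k, _ in parse_qsl(body, keep_blank_values=True)})
    return []


def redact_parameters(content_type, body, sensitive):
    """Return a log-safe copy of the body with the values of the listed
    parameter names (case-insensitive) replaced by MASK. Nested JSON keys
    are handled; other content types are returned unchanged."""
    names = {s.lower() for s in sensitive}

    def mask(node):
        if isinstance(node, dict):
            return {k: (MASK if k.lower() in names else mask(v))
                    for k, v in node.items()}
        if isinstance(node, list):
            return [mask(item) for item in node]
        return node

    if content_type.startswith("application/json"):
        return json.dumps(mask(json.loads(body)), separators=(",", ":"))
    if content_type.startswith("application/x-www-form-urlencoded"):
        pairs = [(k, MASK if k.lower() in names else v)
                 for k, v in parse_qsl(body, keep_blank_values=True)]
        return urlencode(pairs)
    return body


if __name__ == "__main__":
    # Constructed sample request body, not captured traffic.
    sample = '{"firstName":"John","password":"hunter2",' \
             '"address":{"city":"Haifa","zip":"12345"},"tags":["a","b"]}'
    print("learned keys:", key_names_from_body("application/json", sample))
    print("log copy:", redact_parameters("application/json", sample, ["password"]))
```

The learned-keys output contains `firstName` and `address.city` but never `John` or `Haifa`, which is the property the FAQ describes; the redacted copy is what a log trigger with a password exception would store if body logging were enabled.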
Agent Operations
Once I install an agent, how much time is expected for it to complete installation and enforce the policy?
The time will vary according to your internet connection, but on average it is expected to complete installation and start enforcing within 10-60 seconds.
I used the "cpnano -s" command and saw the "Ready" status for one of the services. What does it mean?
"Ready" status means that a service is waiting for its first input; for example, the agent is waiting for the first HTTP traffic to pass. When running an agent in a closed lab environment, you are likely to see this status after installation when using this command.
Performance Impact
I am using the "Web Application" / "Web API" security practices. Do any of their internal configuration options cause a wide performance impact?
The CSRF Protection and Error Disclosure options have a larger performance impact than other options in these practices.
WAF Gateway
Can I configure a proxy for CloudGuard WAF Gateway/Agent access to the Check Point Cloud?
Yes. For agents deployed on Linux, proxy settings are inherited from the Linux OS settings. For the CloudGuard WAF Gateway, proxy settings can be configured via the Gateway Web UI or CLI.
If I install CloudGuard WAF in AWS, can I use SHA as the Gateway password hash method?
AWS EC2 instances do not support SHA as the Gateway's password hash method.
What are the minimum Requirements for VM Configuration?
WAF performance is affected by many variables that depend on the application it protects, for example the number of requests per second, the size of the requests, the request type (binary, JSON, etc.), and the logging options.
As a rule of thumb, the WAF can process ~500 requests per second per CPU core; however, it is recommended to check the machine load and adjust accordingly.
The following are suggested configurations:
Minimal configuration: 2vCPU, 4GB RAM, 50GB Disk
Recommended configuration: 4vCPU, 8GB RAM, 50GB Disk
WAF as a Service
Why do we need to use a CNAME for domain verification, and not DNS TXT records?
CloudGuard WAF as a Service currently uses AWS as its certificate authority (CA). AWS requires CNAME records for domain validation and does not support TXT records.
Does CloudGuard WAF use a CDN?
Yes, a CDN is used, but without a caching policy.
What is the difference between the tenant's Data Residency and the SaaS PoPs?
Data Residency refers to the physical or geographical location where your data is stored. For CloudGuard WAF users, we currently offer several data residency locations: the United States (US), European Union (EU), India (IN), and Australia (AU). These locations are crucial for compliance with local laws and regulations regarding data sovereignty. The stored data includes all logs and asset data. Data residency is set once, when the tenant is created in the Infinity Portal, and cannot be changed.
PoPs (Points of Presence) are crucial for the performance and security of your web applications. They are the physical locations where our AppSec agents are deployed, and they directly influence your applications' security efficiency and response time.
Can I move between PoPs?
With CloudGuard WAF, you have the flexibility to create or delete PoPs as your needs evolve. Assets can be seamlessly moved from one PoP to another, allowing for a dynamic and adaptable security posture.