Limitations
While CloudGuard WAF provides comprehensive protection against a wide array of web application threats, it is important to understand its limitations.
Issue ID | Details |
---|---|
INXT-29590 | CloudGuard WAF’s Gateway does not support proxy functions for NTLM traffic (mostly used by IIS-based applications such as OWA). The common NGINX Reverse Proxy has the same known limitation. |
INXT-32513 | When deploying CloudGuard WAF’s Gateway as a Scale Set or VMSS in AWS or Azure, you must verify that a security group between the Scale Set/VMSS and the load balancer exists. It should allow keep-alive traffic on TCP port 8117 in case of NLB or ports 80 and 443 in case of ALB. |
INXT-32649 | During the wizard, if the default route is configured to an address in the 192.168.1.x/24 network, it is overridden to 192.168.1.254 when the wizard ends. To resolve this, go to the routing configuration and change the address to the correct one. The issue is limited to the wizard and to use of the 192.168.1.x/24 network. |
INXT-33008 | CloudGuard WAF’s Gateway cannot protect web servers with an obsolete SSL version that does not support ciphers from a client that uses OpenSSL 1.1.1 and up. |
INXT-37610 | To connect to the IN or AU regions, during installation the administrator must use the usually optional “Fog Address” field. In AWS it appears under the “Check Point Infinity Next Cloud” section, while in Microsoft Azure it appears at the bottom of the “Create CloudGuard WAF” form. The following value is required according to the region:<br>IN: https://inext-agents-in.cloud.ngen.checkpoint.com<br>AU: https://inext-agents-au.cloud.ngen.checkpoint.com |
INXT-29590 | CloudGuard WAF SaaS does not support proxy functions for NTLM traffic (mostly used by IIS-based applications such as OWA). The common NGINX Reverse Proxy has the same known limitation. |
INXT-41861 | Root Domain protection is currently not supported: According to the DNS protocol, it is impossible to add a CNAME record to a root domain; therefore, it is not supported. Customers will have to redirect the traffic from the root domain to the www record to be protected. |
INXT-42240 | Customers using AWS CloudFront: These customers will not be able to onboard, as AWS does not allow two CloudFront distributions with the same URL. Customers will have to delete their CloudFront distribution prior to onboarding and use ours. |
INXT-34249 | By default, the standard health check path will be defined as ‘/’ after installation. For the LB associated with the WAF Ingress Controller to process traffic, the health check path must be changed to ‘/livez’ and ‘/readyz’ following the latest changes to AKS. This will be fixed in later versions of WAF for Kubernetes. |
INXT-30526 | SELinux in “Enforced” mode is not supported. When SELinux is used in “Enforced” mode on the machine running the reverse proxy server and the agent, deployment of the agent might fail during registration. SELinux in “Enforced” mode blocks the registration attempt. |
INXT-31460 | WAF Country-based Exception rules: When configuring exceptions in Asset edit->Exceptions Tab, an exception rule using the keys Country Name or Country Code cannot be defined with additional conditions based on other keys in the same exception. There’s an implicit OR logic between different exception rules, so it is possible to define different exception rules, some using country code/name, and others using other keys. |
INXT-32348 | WAF Web Bots Security: The “Web Bots” security configuration does not support a reverse proxy and an activated “proxy_cache” option. It must be set to “off” before enabling this security configuration in WAF. |
INXT-42430 | Method-based Exception rules: An agent of version v1004280 and above is needed to enforce the new Method-based configuration. |
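
A pre-flight check for the two reverse-proxy host limitations above (INXT-30526 and INXT-32348), as an added example that is not Check Point's code. It assumes the reverse proxy is NGINX and that the kernel exposes SELinux state at /sys/fs/selinux/enforce; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample NGINX reverse-proxy config (not taken from the page).
SAMPLE_CONF = """\
proxy_cache_path /var/cache/nginx keys_zone=app_cache:10m;
server {
    listen 443 ssl;
    location / {
        proxy_cache app_cache;
        proxy_pass http://backend;
    }
    location /api/ { proxy_cache off; proxy_pass http://backend; }
    # proxy_cache static_cache;
}
"""

def active_proxy_cache(conf_text):
    """Return (line_number, zone) for each proxy_cache directive not set to off."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop comments (ignores '#' inside quotes)
        for stmt in re.split(r"[;{}]", code):
            words = stmt.split()
            # Exact match, so proxy_cache_path / proxy_cache_valid are skipped.
            if len(words) >= 2 and words[0] == "proxy_cache" and words[1] != "off":
                findings.append((lineno, words[1]))
    return findings

def selinux_enforcing(enforce_file="/sys/fs/selinux/enforce"):
    """True when the kernel reports SELinux enforcing ('1'); False if off or absent."""
    try:
        with open(enforce_file) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False

def preflight(conf_text, enforce_file="/sys/fs/selinux/enforce"):
    """Collect the blockers the limitations table names for a reverse-proxy host."""
    problems = []
    if selinux_enforcing(enforce_file):
        problems.append("INXT-30526: SELinux is enforcing; agent registration may be blocked")
    for lineno, zone in active_proxy_cache(conf_text):
        problems.append(f"INXT-32348: line {lineno}: proxy_cache {zone} is active; set it to off before enabling Web Bots")
    return problems

if __name__ == "__main__":
    for problem in preflight(SAMPLE_CONF):
        print(problem)
```

Pass `preflight` the output of `nginx -T` so that directives in included files are covered as well.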