Management & Automation

CloudGuard WAF provides Enterprise grade SaaS management including ability to group changes and apply them together, ability for multiple admins to work in parallel with a sophisticated locking mechanism, audit-logs, undo/redo and other. Administration can be done using Web User Interface, GraphQL API or Infrastructure-as-code via Terraform.


CloudGuard WAF management allows admins to make multiple changes, review them and then either Enforce them altogether or make them available to other administrators.

When an administrator logs-in and upon API authentication, a new session starts. The changes that the administrator makes during the session are only available to that administrator. Other administrators see a lock icon on object and rules that are being edited. The changes are saved automatically. There is no need to manually save.

Publish and Enforce

To make your changes available to other administrators, and to save the database before enforcing a policy, you must publish the session. When you publish a session, a new database version is created. You can do this by clicking the Publish button at the top menu. Before you publish the session, you can add some informative attributes to it.

When you click the Enforce, button at the top menu, you also are prompted to publish all unpublished changes in the current session to the profiles of your choice. You cannot enforce a policy if the included changes in the session are not published. Unpublished changes from other sessions will not be included in the policy installation.

There is no need to save changes when working on a session. Changes are saved automatically. You can also log-out without publishing your changes from the session. You will see the changes next time you log in.

Upon clicking Enforce you can select between 2 options:

  • Enforce policy on all profiles

  • Enforce policy on specific profiles - This option opens the list of your configured profiles and an option to select one or more of them. Only agents connected to those profiles will receive the new policy. If a profile object itself is new, or has changed, a purple marking will denote that.

Object Locking

Any object, changed during a session by a user with write permissions, becomes immediately locked for additional configuration changes by other users, until changes are either published or discarded. See Discard section for more explanation regarding who can discard changes and how.

A locked object will show a lock icon. Upon hovering over the lock icon a user can see which user locked this object and how long ago did this configuration change occur.


It is possible to discard all change in a session, by clicking on the Publish button and then clicking Discard All.

An emergency way to Discard All Sessions is available under Support->System. This operation can become handy if an administrator leaves some objects locked and is not available to complete his session, thus preventing others from doing changes.


It is possible to Undo/Redo any change until you publish a session by clicking the arrows in the top banner of the portal.

Audit Logs

The system creates automatically an audit log for any configuration change. The log contains the details of the change, administrator and time stamp.

You can view the Audit Logs through Global Settings -> Audits.

Automation & APIs

CloudGuard WAF provides two automation methods: GraphQL API and Infrastructure-as-code using Terraform. Both allow to Create, Read, Update or Delete any object in the system.

Main Objects

To do any kind of automation it is important to understand the main objects in CloudGuard WAF and their relations. The root objects are always Assets. Assets can refer to other objects according to the following hierarchy:

  • Asset - Web Application or Web API asset that you wish to protect.

  • Asset Behaviors - Trusted Sources used by the Machine Learning Engine.

  • Profile - defines shared settings of agents.

  • Practices - Web Application Protection Practice or Web API Protection Practice.

    • Triggers - Logging settings.

    • Behaviors - Web User Response and Exceptions.


CloudGuard WAF provides a collection of GraphQL APIs that allows to Authenticate, Create, Read, Update or Delete any object in the system as well as Publish or Enforce a set of changes.

GraphQL is a strongly typed API query language. It allows clients to define the structure of the data required, and exactly the same structure of the data is returned from the server. This avoids both the problems of over and under-fetching data, while also allowing for a powerful and flexible API.

See here more about about the API:

Management APIGitHub

To learn more about GraphQL see here

Infrastructure-as-code using Terraform

Provisioning and managing infrastructure is a critical task in DevOps. To accomplish this, modern practices rely on Infrastructure as Code (IaC). By storing your infrastructure configuration in version control systems, you can standardize configuration across your organization, and simplify infrastructure updates.

CloudGuard WAF Terraform provider allows configuration of all aspects of CloudGuard WAF using HCL Infrastructure as Code (IaC).

Terraform uses the concept of Providers to provide an open source feature-rich plugin system. Providers adopt specific conventions programmatically that allow them to express the CRUD lifecycle of individual resources and how to maintain and verify the state of existing deployed resources.

For more information see:

Use Terraform to Manage CloudGuard WAF

Last updated