CloudGuard WAF
Management & Automation


Last updated 3 months ago

CloudGuard WAF provides enterprise-grade SaaS management, including the ability to group changes and apply them together, the ability for multiple administrators to work in parallel under a locking mechanism, audit logs, undo/redo and more. Administration can be done through the web user interface, the GraphQL API or Infrastructure-as-Code via Terraform.

Sessions

CloudGuard WAF management lets administrators make multiple changes, review them and then either enforce them all together or make them available to other administrators.

When an administrator logs in, or upon API authentication, a new session starts. Changes the administrator makes during the session are visible only to that administrator. Other administrators see a lock icon on the objects and rules being edited. Changes are saved automatically; there is no need to save manually.

Publish and Enforce

To make your changes available to other administrators, and to save the database before enforcing a policy, you must publish the session. Publishing a session creates a new database version. You do this by clicking the Publish button in the top menu. Before you publish the session, you can add informative attributes to it.

When you click the Enforce button in the top menu, you are also prompted to publish all unpublished changes in the current session to the profiles of your choice. You cannot enforce a policy if the changes included in the session are not published. Unpublished changes from other sessions are not included in the policy installation.

There is no need to save changes while working in a session; they are saved automatically. You can also log out without publishing the changes in your session; you will see them the next time you log in.

Upon clicking Enforce you can choose between two options:

  • Enforce policy on all profiles

  • Enforce policy on specific profiles - This option opens the list of your configured profiles and lets you select one or more of them. Only agents connected to those profiles receive the new policy. If a profile object itself is new or has changed, it is marked in purple.

Object Locking

A locked object shows a lock icon. Hovering over the lock icon shows which user locked the object and how long ago that configuration change occurred.

Discard

It is possible to discard all changes in a session by clicking the Publish button and then clicking Discard All.

An emergency Discard All Sessions operation is available under Support -> System. It is handy when an administrator leaves objects locked and is not available to complete their session, which would otherwise prevent others from making changes.
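To make the session, locking, publish, enforce and discard rules above concrete, here is a small Python model written for this page; it is not Check Point code and not the management API. Object and profile names are constructed, the caller publishes explicitly where the UI would prompt, and the model raises when a second administrator edits a locked object or when Enforce is attempted with unpublished changes.

```python
from dataclasses import dataclass, field


@dataclass
class Management:
    all_profiles: tuple                              # constructed profile names
    version: int = 0                                 # increments on every publish
    published: dict = field(default_factory=dict)    # object -> value visible to all admins
    locks: dict = field(default_factory=dict)        # object -> admin who edited it (lock icon)
    sessions: dict = field(default_factory=dict)     # admin -> unpublished [(object, value)]
    enforced: dict = field(default_factory=dict)     # profile -> database version its agents run
    audit: list = field(default_factory=list)        # (action, admin, detail) audit trail

    def change(self, admin, obj, value):
        """Edit obj in admin's session; saved automatically, locked for everyone else."""
        owner = self.locks.get(obj)
        if owner not in (None, admin):
            raise PermissionError(f"{obj} is locked by {owner}")
        self.locks[obj] = admin
        self.sessions.setdefault(admin, []).append((obj, value))
        self.audit.append(("change", admin, obj))

    def publish(self, admin):
        """Create a new database version from the session and release its locks."""
        for obj, value in self.sessions.pop(admin, []):
            self.published[obj] = value
            self.locks.pop(obj, None)
        self.version += 1
        self.audit.append(("publish", admin, self.version))
        return self.version

    def discard(self, admin):
        """Publish -> Discard All: drop the session's changes and release its locks."""
        for obj, _ in self.sessions.pop(admin, []):
            self.locks.pop(obj, None)
        self.audit.append(("discard", admin, None))

    def discard_all_sessions(self):
        """Support -> System emergency action: unlocks objects left locked by absent admins."""
        for admin in list(self.sessions):
            self.discard(admin)

    def enforce(self, admin, profiles=None):
        """Install the published policy on all profiles or only the selected ones."""
        if self.sessions.get(admin):                  # unpublished changes in this session
            raise RuntimeError("publish the session before enforcing")
        targets = tuple(profiles) if profiles else self.all_profiles
        for profile in targets:
            self.enforced[profile] = self.version     # other admins' unpublished work is excluded
        self.audit.append(("enforce", admin, targets))
        return self.version
```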

Undo/Redo

It is possible to undo or redo any change, until you publish the session, by clicking the arrows in the top banner of the portal.

Audit Logs

The system automatically creates an audit log entry for every configuration change. The entry contains the details of the change, the administrator and a timestamp.

You can view the Audit Logs through Global Settings -> Audits.

Automation & APIs

CloudGuard WAF provides two automation methods: the GraphQL API and Infrastructure-as-Code using Terraform. Both allow you to create, read, update or delete any object in the system.

Main Objects

For any kind of automation it is important to understand the main objects in CloudGuard WAF and their relations. The root objects are always Assets. Assets can refer to other objects according to the following hierarchy:

  • Asset - Web Application or Web API asset that you wish to protect.

  • Asset Behaviors - Trusted Sources used by the Machine Learning Engine.

  • Profile - defines shared settings of agents.

  • Practices - Web Application Protection Practice or Web API Protection Practice.

    • Triggers - Logging settings.

    • Behaviors - Web User Response and Exceptions.

GraphQL API

CloudGuard WAF provides a collection of GraphQL APIs that allow you to authenticate and to create, read, update or delete any object in the system, as well as to publish or enforce a set of changes.

GraphQL is a strongly typed API query language. It lets clients define the structure of the data they require, and the server returns exactly that structure. This avoids both over-fetching and under-fetching while still allowing a powerful and flexible API.

For more about the API, see the Management API reference.

Infrastructure-as-code using Terraform

Provisioning and managing infrastructure is a critical task in DevOps. Modern practice relies on Infrastructure as Code (IaC): storing your infrastructure configuration in a version control system lets you standardize configuration across your organization and simplify infrastructure updates.

The CloudGuard WAF Terraform provider allows configuration of all aspects of CloudGuard WAF using HCL Infrastructure as Code (IaC).

Terraform uses the concept of Providers to offer an open-source, feature-rich plugin system. Providers follow specific programmatic conventions that let them express the CRUD lifecycle of individual resources and how to maintain and verify the state of existing deployed resources.

For more information, see the provider's GitHub repository and Use Terraform to Manage CloudGuard WAF.

Any object changed during a session by a user with write permissions is immediately locked against configuration changes by other users until the changes are either published or discarded. See the Discard section for more on who can discard changes and how.

To learn more about GraphQL, see the GraphQL documentation.
