Security Practices

A practice refers to a recommended method for configuring and managing systems to achieve optimal security. It may include setting security policies, monitoring traffic, or deploying features like API Discovery. These practices help users effectively utilize WAF to protect web applications and APIs, ensuring compliance with cybersecurity best practices.

CloudGuard WAF provides two security practices, Web Application Protection and Web API Protection, each of which can be activated in Detect/Learn mode or Prevent mode.

The practices use multiple security engines to analyze HTTP requests and deliver an accurate verdict on whether each request is malicious or benign. The engines protect applications and APIs against unknown and advanced web attacks, validate API input, distinguish humans from bots, and protect against well-known industry attacks and CVEs.

CloudGuard WAF Security Practices

  • Web Application Protection Practice
    • Contextual Machine Learning-based WAF
    • Anti-Bot Protection
    • Intrusion Prevention
    • File Security
    • Custom Signatures (SNORT)

  • Web API Protection Practice
    • Machine Learning-based WAF that looks for malicious payloads inside API requests
    • Schema Validation module that ensures API requests adhere to the API schema
    • Intrusion Prevention
    • File Security
    • Custom Signatures (SNORT)

Learn more about the engines in the next section of this documentation.

Security Engines

Contextual Machine Learning-based WAF: Prevent OWASP Top 10 and Advanced Attacks

This patented engine protects against advanced and zero-day web attacks. It performs a three-stage analysis of each HTTP request, delivers an accurate verdict on whether the request is malicious or benign, and provides:

  1. A lower false-positive rate than a traditional WAF, whose decisions are based mainly on signature matches.

  2. Zero-day protection, by blocking attack scenarios that a signature-only approach cannot. For example, Log4Shell and Spring4Shell were blocked by CloudGuard WAF preemptively, without any software update.

  3. Reduced administration time, because the engine does not need constant tuning: creating exceptions, disabling signatures, and so on.

API Security: Validate Schema and Prevent Attacks

Frequently, software developers do not include verification of API input in their code.

The CloudGuard WAF API security component provides two protection models, positive and negative. Administrators can enable either one of them or both.

  • The positive model delivers preemptive protection against possible API vulnerabilities through a schema validation procedure.

    API schemas in OpenAPI format (as used by Swagger) are uploaded to CloudGuard WAF.

    Incoming API requests are validated against these schemas, and all invalid API requests are blocked.

CloudGuard WAF supports OpenAPI schemas version 3 and above.

  • The negative model uses the WAF engine to automatically detect and block malicious payloads in API requests.
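The positive model described above, as an added illustration that is not CloudGuard WAF's own code: a minimal validator that accepts a request only when an embedded, constructed OpenAPI 3 document describes its path, method and JSON body, and otherwise returns the reasons for rejection.

```python
import json

# Constructed sample OpenAPI 3 document: one endpoint with one JSON request body.
OPENAPI = {"openapi": "3.0.3", "paths": {"/users": {"post": {"requestBody": {"content": {
    "application/json": {"schema": {
        "type": "object",
        "required": ["name", "age"],
        "additionalProperties": False,
        "properties": {
            "name": {"type": "string"},
            "age": {"type": "integer", "minimum": 0},
        }}}}}}}}}

# JSON Schema scalar types mapped to the Python types json.loads produces.
JSON_TYPES = {"string": str, "integer": int, "number": (int, float), "boolean": bool}

def check_value(value, schema):
    """Return the list of ways `value` violates `schema` (empty list means valid)."""
    t = schema.get("type")
    if t == "object":
        if not isinstance(value, dict):
            return ["body is not a JSON object"]
        errors = [f"missing required property '{k}'" for k in schema.get("required", []) if k not in value]
        props = schema.get("properties", {})
        for key, val in value.items():
            if key in props:
                errors += [f"{key}: {e}" for e in check_value(val, props[key])]
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"unexpected property '{key}'")  # positive model: unknown fields are rejected
        return errors
    py = JSON_TYPES.get(t)
    # bool is a subclass of int in Python, so reject true/false where an integer is expected
    if py is not None and (not isinstance(value, py) or (isinstance(value, bool) and t != "boolean")):
        return [f"expected {t}"]
    if t in ("integer", "number") and "minimum" in schema and value < schema["minimum"]:
        return [f"below minimum {schema['minimum']}"]
    return []

def validate_request(method, path, body, spec=OPENAPI):
    """Positive model: allow a request only if the schema describes it; return (allowed, reasons)."""
    op = spec["paths"].get(path, {}).get(method.lower())
    if op is None:
        return False, [f"{method.upper()} {path} is not defined in the schema"]
    schema = op["requestBody"]["content"]["application/json"]["schema"]
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return False, ["body is not valid JSON"]
    errors = check_value(parsed, schema)
    return not errors, errors
```

Note that a request with an extra, undeclared property is rejected even though nothing in it is obviously malicious; that is what makes the model positive rather than negative.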

Anti-Bot Protection: Distinguish Humans from Bots

The CloudGuard WAF Anti-Bot protection component performs a three-step procedure:

  1. Inject scripts into web application pages, such as login pages.

  2. Collect data about input patterns and analyze keystroke sequences, mouse movements, and finger touches.

    Bots do not produce such patterns. If a bot artificially creates such patterns, CloudGuard WAF identifies them.

  3. Decide whether the input was entered by a human or by an automated script (such as a bot), and block that activity.
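Steps 2 and 3 above, as an added illustration that is not CloudGuard WAF's classifier: the telemetry samples, the features (keystroke timing regularity and pointer-path straightness) and the thresholds are all this example's own assumptions, chosen to show why scripted input is separable from human input.

```python
import math

# Constructed sample telemetry: timestamps (ms) of key presses and pointer positions.
HUMAN_KEYS = [0, 143, 251, 412, 498, 690]
HUMAN_MOUSE = [(10, 10), (40, 25), (90, 30), (120, 70), (180, 75)]
BOT_KEYS = [0, 10, 20, 30, 40, 50]      # script fires a key every 10 ms
BOT_MOUSE = []                           # script posts the form without moving the pointer

def _stdev(xs):
    if len(xs) < 2:
        return 0.0
    mean = sum(xs) / len(xs)
    return math.sqrt(sum((x - mean) ** 2 for x in xs) / (len(xs) - 1))

def keystroke_features(key_times_ms):
    """Humans type with irregular gaps between keys; scripted input tends to be uniform."""
    gaps = [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]
    return {"gap_mean": sum(gaps) / len(gaps) if gaps else 0.0, "gap_stdev": _stdev(gaps)}

def mouse_features(points):
    """Straight-line distance over path length: 1.0 is a perfectly straight (synthetic) path."""
    if len(points) < 2:
        return {"straightness": 1.0, "moves": len(points)}
    path = sum(math.dist(p, q) for p, q in zip(points, points[1:]))
    direct = math.dist(points[0], points[-1])
    return {"straightness": direct / path if path else 1.0, "moves": len(points)}

def classify_session(key_times_ms, mouse_points):
    """Return ('bot' or 'human', reasons). Thresholds are assumptions for illustration."""
    reasons = []
    kf = keystroke_features(key_times_ms)
    mf = mouse_features(mouse_points)
    if len(key_times_ms) >= 4 and kf["gap_stdev"] < 5.0:
        reasons.append("uniform keystroke timing")
    if len(key_times_ms) >= 4 and kf["gap_mean"] < 20.0:
        reasons.append("superhuman typing speed")
    if mf["moves"] == 0:
        reasons.append("form submitted without any pointer movement")
    elif mf["moves"] >= 3 and mf["straightness"] > 0.98:
        reasons.append("perfectly straight pointer path")
    return ("bot" if reasons else "human"), reasons
```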

Intrusion Prevention (IPS) for HTTP/S

In addition to the Contextual Machine Learning-based engine, CloudGuard WAF provides traditional signature-based protections for over 2800 web-based CVEs (Common Vulnerabilities and Exposures). The signatures arrive automatically at agents/gateways as soon as the Check Point Security Research team releases them. One benefit of these signatures is that the resulting logs indicate the specific CVE number.

File Security

Files uploaded to the web server may contain malicious content. CloudGuard WAF's File Security contains several engines that detect such malicious files.

Custom Signatures (Snort Engine) - Early Availability

Admins can add signatures in Snort format, and CloudGuard WAF's security engines enforce them.
