# Deploy Enforcement Point

## Overview

CloudGuard WAF Enforcement Points are instances deployed in an environment that inspect traffic and enforce security policies. The Enforcement Points can have different form factors (Virtual Machine, Kubernetes Ingress, Docker container or Linux Agent) depending on the environment in which they are deployed. An enforcement point will be referred to as CloudGuard WAF's Gateway or Agent in this documentation. You can read more about the different enforcement points in the [Gateways & Agents](/concepts/gateways-and-agents.md) section.

{% hint style="warning" %}
While most deployment options below support a scalable solution behind a load balancer, there is no full sync High Availability (HA) option. The state between multiple instances within a single deployment is not synced.
{% endhint %}

| Platform                                                                                                                                                             | Reverse Proxy / API Server                                                                                                                                                                                                                                            | WAF Agent                                                   |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- |
| [AWS, Azure, VMware](/getting-started/deploy-enforcement-point/gateway-virtual-machine.md) | Provided by Check Point and managed via WebUI/API/Terraform | Provided by Check Point and managed via WebUI/API/Terraform |
| [WAF as a Service](/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas.md) | Provided by Check Point as a Service and managed via WebUI | Provided by Check Point as a Service and managed via WebUI |
| [Kubernetes Ingress](/getting-started/deploy-enforcement-point/kubernetes.md) | Provided and managed by Admin | Provided by Check Point and managed via WebUI/API/Terraform |
| [Docker](/getting-started/deploy-enforcement-point/docker.md)                                                                                                        | <p>Option 1: Provided by Check Point and managed via WebUI/API/Terraform.</p><p></p><p>Option 2: Managed by Admin while initial deployment can be provided by Check Point.<br>Initial deployment can be in the same container as the WAF agent or a separate one.</p> | Provided by Check Point and managed via WebUI/API/Terraform |
| [Linux/NGINX/Kong](/getting-started/deploy-enforcement-point/linux.md)                                                                                               | Provided and managed by Admin                                                                                                                                                                                                                                         | Provided by Check Point and managed via WebUI/API/Terraform |

## Enforcement Profile

To deploy a CloudGuard WAF AppSec Gateway or Agent, you need an **Enforcement Profile**, which determines the deployment type and other parameters related to the deployment.

If you completed the **Web Application** or **Web API** configuration wizard, an **Enforcement Profile** was created for you by the configuration wizard.

To view your profile, select **Policy**, then **Profiles** in the menu on the left.

* If you have just one profile, the system will automatically present it.
* If you have more than one profile, you will be presented with a list of profiles and you can select the one you wish to use.

{% hint style="info" %}
The Profile Type cannot be changed, but you can always create a new profile by clicking **Back** to get to the Profiles selection screen and choosing **New** in the top toolbar.
{% endhint %}

## Authentication Token

An authentication token is required to establish secure communication between the CloudGuard WAF AppSec Gateways or Agents and the Check Point Cloud. You will be asked to enter this token during deployment, either in the CLI or in a web form. The token can be obtained by clicking the Copy button near the Token field.

![](/files/tAyti9aG3utyFHls2McN)

{% hint style="warning" %}
If the profile object was just created, make sure to "Enforce" the new configuration prior to using the copied authentication token.
{% endhint %}

{% hint style="info" %}
According to security best practices, it is recommended to periodically rotate the token for all future new installations.\
Clicking on the ![](/files/iDNvTN0uQJx7wvqTUg8X) icon will invalidate the current token and create a new one that can be copied.

Existing agents that were already registered are not affected.\
**Note** - Once rotated, in order to allow deployments of additional agents, replace all deployment scripts/configuration files/key vault entries that contain the now-invalid token.
{% endhint %}
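
As an added example (not Check Point's code) for the rotation note above: a shell function that reports every file and line under the given directories that still contains the rotated token, usable as a post-rotation check or pipeline gate. `find_stale_token` and `RETIRED_TOKEN` are hypothetical names; key vault entries are outside its reach and have to be checked separately.

```shell
# Added example: locate deployment files that still embed a rotated token.
# RETIRED_TOKEN (hypothetical name) holds the now-invalid token. It is read
# from the environment and fed to grep on stdin, so it never appears in a
# command line that other users could see in the process list.
#
# usage:   RETIRED_TOKEN='<old token>' find_stale_token DIR [DIR...]
# output:  one "path:line" per hit; the token itself is never printed
# returns: 0 = no stale copies, 1 = stale copies found, 2 = usage error
find_stale_token() {
    if [ -z "${RETIRED_TOKEN:-}" ]; then
        echo "RETIRED_TOKEN is not set" >&2
        return 2
    fi
    if [ "$#" -eq 0 ]; then
        echo "usage: find_stale_token DIR [DIR...]" >&2
        return 2
    fi

    # -r recurse, -l list matching files only, -F treat the token as a
    # literal string so characters such as '.' or '+' are not regex syntax.
    stale_files=$(printf '%s\n' "$RETIRED_TOKEN" |
        grep -rlF -f /dev/stdin -- "$@" || true)

    [ -z "$stale_files" ] && return 0

    # Report line numbers per file. awk reads the token from its environment
    # and uses index() for the same literal (non-regex) comparison.
    printf '%s\n' "$stale_files" | while IFS= read -r stale_file; do
        RETIRED_TOKEN="$RETIRED_TOKEN" awk \
            'index($0, ENVIRON["RETIRED_TOKEN"]) { print FILENAME ":" FNR }' \
            "$stale_file"
    done
    return 1
}
```

A non-zero return lets a CI job fail until every listed file has been updated with the new token.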

## Download & Deployment

On the right side of a **Profile** page you will find the Download & Deployment instructions per the profile type you selected.

You can follow the on-screen instructions or the more detailed instructions available in the next pages of the documentation.


