CloudGuard WAF

Deploy Enforcement Point

Last updated 5 months ago

Overview

CloudGuard WAF Enforcement Points are instances deployed in an environment that inspect traffic and enforce security policies. The Enforcement Points can have different form factors (Virtual Machine, Kubernetes Ingress, Docker container or Linux Agent) depending on the environment in which they are deployed. An enforcement point will be referred to as CloudGuard WAF's Gateway or Agent in this documentation. You can read more about the different enforcement points in the Gateways & Agents section.

While most deployment options below support a scalable solution behind a load balancer, there is no full sync High Availability (HA) option. The state between multiple instances within a single deployment is not synced.

| Platform | Reverse Proxy / API Server | WAF Agent |
|---|---|---|
| AWS, Azure, VMware | Provided by Check Point and managed via WebUI/API/Terraform | Provided by Check Point and managed via WebUI/API/Terraform |
| WAF as a Service | Provided by Check Point as a Service and managed via WebUI | Provided by Check Point as a Service and managed via WebUI |
| Kubernetes Ingress | Provided and managed by Admin | Provided by Check Point and managed via WebUI/API/Terraform |
| Docker | Option 1: Provided by Check Point and managed via WebUI/API/Terraform. Option 2: Managed by Admin while initial deployment can be provided by Check Point. Initial deployment can be in the same container as the WAF agent or a separate one. | Provided by Check Point and managed via WebUI/API/Terraform |
| Linux/NGINX/Kong | Provided and managed by Admin | Provided by Check Point and managed via WebUI/API/Terraform |

Enforcement Profile

To deploy a CloudGuard WAF AppSec Gateway or Agent, you need an Enforcement Profile that determines the deployment type and other parameters related to the deployment.

If you completed the Web Application or Web API configuration wizard, an Enforcement Profile was created for you by the configuration wizard.

To view your profile, select Policy, then Profiles in the menu on the left.

  • If you have just one profile, the system will automatically present it.

  • If you have more than one profile, you will be presented with a list of profiles and you can select the one you wish to use.

The Profile Type cannot be changed, but you can always create a new profile by clicking Back to get to the Profiles selection screen and choosing New in the top toolbar.

Authentication Token

To establish secure communication between the CloudGuard WAF AppSec Gateways or Agents and the Check Point Cloud, an authentication token is required. You will be asked to enter this token during deployment, either in the CLI or in a web form. The token can be obtained by clicking the Copy button near the Token field.

If the profile object was just created, make sure to "Enforce" the new configuration prior to using the copied authentication token.

Rotating the token does not affect existing agents that are already registered.

Note: Once the token is rotated, replace it in all deployment scripts, configuration files and key vault entries that contain the now-invalid token, so that additional agents can be deployed.
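One way to locate the deployment scripts and configuration files that still carry a rotated token, shown as an added example (not Check Point code). The token values, file names, the `WAF_TOKEN` and `waf-token` keys and the candidate-token pattern are all constructed assumptions; the scan compares SHA-256 fingerprints so the job that runs it never needs the plaintext token.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: a token is an opaque run of 20+ characters with no whitespace,
# quotes or '='. Adjust the pattern to the real token format before use.
CANDIDATE = re.compile(r"[A-Za-z0-9_.\-]{20,}")


def fingerprint(token: str) -> str:
    """SHA-256 of a token; only this value is handed to the scan."""
    return hashlib.sha256(token.encode()).hexdigest()


def find_stale_token(root: Path, retired_fp: str):
    """Return (relative path, line number) for every line holding the retired token."""
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # skip binaries and unreadable files
        for lineno, line in enumerate(text.splitlines(), 1):
            if any(fingerprint(c) == retired_fp for c in CANDIDATE.findall(line)):
                hits.append((path.relative_to(root).as_posix(), lineno))
    return hits


def demo():
    """Build a constructed deployment tree and scan it for the retired token."""
    old = "constructed-old-token-" + "0" * 16  # constructed, not a real token
    new = "constructed-new-token-" + "1" * 16  # constructed, not a real token
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "deploy").mkdir()
        (root / "deploy" / "install.sh").write_text(f"#!/bin/sh\nWAF_TOKEN={old}\n")
        (root / "values.yaml").write_text(f'replicas: 2\ntoken: "{new}"\n')
        (root / "vault.json").write_text(f'{{"waf-token": "{old}"}}\n')
        return find_stale_token(root, fingerprint(old))


if __name__ == "__main__":
    for rel_path, lineno in demo():
        print(f"stale token: {rel_path}:{lineno}")
```

In real use, compute the fingerprint once from the token being retired and pass only the fingerprint to the scan, which reports locations without ever printing the token itself.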

Download & Deployment

On the right side of a Profile page you will find the Download & Deployment instructions per the profile type you selected.

You can follow the on-screen instructions or the more detailed instructions available in the next pages of the documentation.

According to security best practices, it is recommended to periodically rotate the token for all future new installations. Clicking on the icon will invalidate the current token and create a new one that can be copied.
