Dual Docker: NGINX/Kong/Envoy + Security Agent

In this option you will deploy two docker images:

• NGINX or Kong - managed locally by you

• CloudGuard WAF Agent - centrally managed via WebUI or API

The benefit of this mode is that you can upgrade each docker separately.

Step 1: Pull agent container image

As part of your CI, use the checkpoint/infinity-next-nano-agent registry to pull the Nano-Agent image.

Step 2: Obtain the registration token

Step 3: Run the agent

Run the agent with this command:

docker run -d --name=agent-container --ipc=host -v=<path to persistent location for agent config>:/etc/cp/conf -v=<path to persistent location for agent data files>:/etc/cp/data -v=<path to persistent location for agent debugs and logs>:/var/log/nano_agent –e https_proxy=<user:password@Proxy address:port> -it <agent-image> /cp-nano-agent --token <token>

Step 4: Replace the NGINX/Kong container with the Check Point NGINX/Kong container

Replace the NGINX container using the following registry to pull the image for this deployment:

• For NGINX: checkpoint/infinity-next-nginx

• For Kong: checkpoint/infinity-next-kong

Step 5: Modify the NGINX/Kong run command

Change your existing NGINX/Kong docker run command and add the --ipc=host parameter.

Step 6: Deploy the two containers

Deploy the two containers.

To make sure that it is running, run: docker ps.

Step 7: Configure SSL certificates (optional if the servers do not use HTTPS)

To configure SSL certificates in NGINX follow these guides:

• NGINX

• NGINX PLUS

To configure SSL certificates in Kong follow the guide in the following link.

Step 8: Verify installation

Following the steps above, the agent will install and connect automatically. CloudGuard WAF web portal should display a successful connection message: