Dual Docker: NGINX/Kong/Envoy + Security Agent
In this option you will deploy two docker images:
NGINX/Kong/Envoy - managed locally by you
CloudGuard WAF Agent - centrally managed via WebUI or API
The benefit of this mode is that you can upgrade each docker separately.
Step 1: Pull agent container image
As part of your CI, use the checkpoint/infinity-next-nano-agent registry to pull the Nano-Agent image.
Step 2: Obtain the registration token
Step 3: Run the agent
Run the agent with this command:
docker run -d --name=agent-container --ipc=host -v=<path to persistent location for agent config>:/etc/cp/conf -v=<path to persistent location for agent data files>:/etc/cp/data -v=<path to persistent location for agent debugs and logs>:/var/log/nano_agent -e https_proxy=<user:password@Proxy address:port> -it <agent-image> /cp-nano-agent --token <token>
Step 4: Replace the NGINX container with the Check Point NGINX container
Replace the NGINX container using the following registry to pull the image for this deployment: checkpoint/infinity-next-nginx
As part of creating your reverse proxy for this environment, make sure that the reverse proxy is deployed with the correct downstream and upstream routing.
Step 5: Modify the run command
Change your existing NGINX/Kong docker run command and add the --ipc=host parameter.
Step 6: Deploy the two containers
Deploy the two containers.
To make sure that it is running, run: docker ps
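A scripted version of the Step 6 check that goes beyond docker ps: it confirms that both containers are running with --ipc=host and that the agent's three persistent paths are mounted. This is an added example, not Check Point's own tooling; agent-container is the name from the run command above, and nginx-container is an assumed name for your proxy container.

```shell
#!/bin/sh
# Added example: post-deployment check for the dual-container setup.
# agent-container comes from the page's run command; nginx-container is an
# assumed name for your NGINX/Kong/Envoy container.
AGENT="${AGENT:-agent-container}"
PROXY="${PROXY:-nginx-container}"

# Print "<running> <ipc mode>" for a container; fails if it does not exist.
container_state() {
    docker inspect --format '{{.State.Running}} {{.HostConfig.IpcMode}}' "$1" 2>/dev/null
}

# Print the in-container destination of every mount, one per line.
container_mounts() {
    docker inspect --format '{{range .Mounts}}{{.Destination}}{{"\n"}}{{end}}' "$1" 2>/dev/null
}

# Return 0 only if the container is running with --ipc=host.
check_container() {
    state=$(container_state "$1") || { echo "FAIL $1: not found"; return 1; }
    case "$state" in
        "true host") echo "OK   $1: running, ipc=host"; return 0 ;;
        true\ *)     echo "FAIL $1: ipc=${state#true } (expected host)"; return 1 ;;
        *)           echo "FAIL $1: not running"; return 1 ;;
    esac
}

# Return 0 only if the agent's three persistent paths are mounted.
check_agent_mounts() {
    mounts=$(container_mounts "$1") || return 1
    rc=0
    for dest in /etc/cp/conf /etc/cp/data /var/log/nano_agent; do
        if ! printf '%s\n' "$mounts" | grep -qxF "$dest"; then
            echo "FAIL $1: $dest is not mounted"; rc=1
        fi
    done
    return $rc
}

verify_deployment() {
    failed=0
    check_container "$AGENT" || failed=1
    check_container "$PROXY" || failed=1
    check_agent_mounts "$AGENT" || failed=1
    return $failed
}

# Run the checks only when invoked with the argument "verify".
if [ "${1:-}" = "verify" ]; then verify_deployment; fi
```

Set PROXY to the name of your own proxy container before running the script with the verify argument; a non-zero exit status means at least one check failed.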
Step 7: Configure SSL certificates (optional if the servers do not use HTTPS)
To configure SSL certificates in NGINX follow these guides:
Step 8: Verify installation
After you complete the steps above, the agent installs and connects automatically. The CloudGuard WAF web portal should display a successful connection message: