Dual Docker: NGINX/Kong/Envoy + Security Agent

Step 1: Pull agent container image

As part of your CI, use the checkpoint/infinity-next-nano-agent registry to pull the Nano-Agent image.

Step 2: Obtain the registration token

Step 3: Run the agent

Run the agent with this command:

docker run -d --name=agent-container --ipc=host -v=<path to persistent location for agent config>:/etc/cp/conf -v=<path to persistent location for agent data files>:/etc/cp/data -v=<path to persistent location for agent debugs and logs>:/var/log/nano_agent –e https_proxy=<user:password@Proxy address:port> -it <agent-image> /cp-nano-agent --token <token>

Step 4: Replace the Kong container with the Check Point Kong container

Replace the NGINX container using the following registry to pull the image for this deployment: checkpoint/infinity-next-kong

Step 5: Modify the run command

Change your existing NGINX/Kong docker run command and add the --ipc=host parameter.

Step 6: Deploy the two containers

Deploy the two containers.

To make sure that it is running, run: docker ps.

Step 7: Configure SSL certificates (optional if the servers do not use HTTPS)

To configure SSL certificates in Kong follow the guide in the following link.

Step 8: Verify installation

Following the steps above, the agent will install and connect automatically. CloudGuard WAF web portal should display a successful connection message:

Step 1: Pull agent container image

As part of your CI, use the checkpoint/infinity-next-nano-agent registry to pull the Nano-Agent image.

Step 2: Obtain the registration token

Step 3: Run the agent

Run the agent with this command:

docker run -d --name=agent-container --ipc=host -v=<path to persistent location for agent config>:/etc/cp/conf -v=<path to persistent location for agent data files>:/etc/cp/data -v=<path to persistent location for agent debugs and logs>:/var/log/nano_agent –e https_proxy=<user:password@Proxy address:port> -it <agent-image> /cp-nano-agent --token <token>

Step 4: Replace the Envoy container with the Check Point Envoy container

Replace the NGINX container using the following registry to pull the image for this deployment:  checkpoint/cloudguard-waf-envoy

Step 5: Load the CloudGuard WAF attachment in the proxy configuration

In the Envoy configuration file, which is typically called envoy.yaml make sure to have the CloudGuard WAF attachment loaded as a filter for HTTP traffic.

The CloudGuard WAF attachment is usually located here: /usr/lib/libenvoy_attachment.so

Step 6: Deploy the two containers

Deploy the two containers.

To make sure that it is running, run: docker ps.

Step 7: Configure SSL certificates (optional if the servers do not use HTTPS)

To configure SSL certificates in Envoy follow the guide in the following link.

Step 8: Verify installation

Following the steps above, the agent will install and connect automatically. CloudGuard WAF web portal should display a successful connection message: