Gateway/Virtual Machine


CloudGuard WAF can be deployed as a VM on different platforms, containing a fully managed Reverse Proxy gateway, protected by a CloudGuard WAF Agent. Select your platform type below to see the corresponding deployment instructions:


A fully managed Reverse Proxy protected by a CloudGuard WAF Agent is also available as container in docker environment.

Certificates and Private Keys

CloudGuard WAF's AppSec Gateways implement a reverse proxy that can serve pages to users over HTTPS. To use this capability, you need to provide a Certificate and Private keys that correspond to the site name(s) that users will access (e.g.,

Storage options

There are two methods for storing certificates and private keys when deploying on AWS or Azure. When deploying on VMWare, only the first option is available:

  • On the WAF Gateway itself - a simple procedure allows you to upload the certificates and private keys directly to your gateway(s) using Secure Copy Protocol (SCP/SSH). No further configuration is required - CloudGuard WAF will locate the local files automatically.

    • Advantage: you have full control of your secrets

    • Disadvantage: does not support automatic scaling

  • If you are using CloudGuard WAF on AWS or Azure you can store secrets in secured vaults of these platforms and CloudGuard WAF's AppSec Gateway can fetch it from there.

The certificates are fetched when CloudGuard WAF's AppSec Gateway first loads and checked again for updates every time you Enforce policy.

When deploying on Azure/AWS, storage selection occurs during the asset configuration wizard if a new profile is created. It is also available via Cloud->Profiles for CloudGuard WAF's AppSec Gateway profiles that enforce assets with HTTPS URLs.

For all other deployment options, the same location still contains "Setup Instructions" for the method to deploy certificates for HTTPS traffic.

Multiple certificates

When there are multiple Web Applications APIs, CloudGuard WAF's AppSec Gateway can automatically fetch the relevant certificates and private keys.

Example: you have two applications and one API end-point to protect:




Consider two possible cases:

  1. You have one wildcard certificate for *

    • Place the certificate on your gateway by following the instructions in the next section. CloudGuard WAF will use it for all relevant applications.

  2. You have two certificates: (1) for and (2) for

    • Place both certificates on your gateway by following the instructions in the next section. CloudGuard WAF will automatically use certificate 1 for the first two Applications/APIs and certificate 2 for the last Application.

Validating the certificate of the internal server

The reverse proxy takes incoming HTTP/S requests and forwards them to an internal server.

When using HTTPS, the forwarded request to the internal server returns with a certificate which the best practice is to validate.

Advanced Reverse Proxy settings include the configuration option for "Trusted CA chain for protected server SSL verification". Use this option to configure the trusted CA chain that will validate the certificate presented by the internal server for enhanced security.

Last updated