CloudGuard WAF
Gateway/Virtual Machine


Last updated 5 months ago


Platforms

CloudGuard WAF can be deployed as a VM on different platforms, containing a fully managed Reverse Proxy gateway protected by a CloudGuard WAF Agent. Select your platform type to see the corresponding deployment instructions: AWS, Azure, or VMware.

A fully managed Reverse Proxy protected by a CloudGuard WAF Agent is also available as a container in a Docker environment.

Certificates and Private Keys

CloudGuard WAF's Gateways implement a reverse proxy that can serve pages to users over HTTPS. To use this capability, you need to provide a certificate and private key that correspond to the site name(s) that users will access (e.g. https://www.acme.com, https://api.acme.com).

Storage options

There are two methods for storing certificates and private keys when deploying on AWS or Azure. When deploying on VMware, only the first option is available:

  • On the WAF Gateway itself - a simple procedure allows you to upload the certificates and private keys directly to your gateway(s) using Secure Copy Protocol (SCP/SSH). No further configuration is required: CloudGuard WAF will locate the local files automatically.

    • Advantage: you have full control of your secrets

    • Disadvantage: does not support automatic scaling

  • In the cloud platform's vault - if you are using CloudGuard WAF on AWS or Azure, you can store the secrets in the secured vaults of these platforms, and CloudGuard WAF's Gateway will fetch them from there.

The certificates are fetched when CloudGuard WAF's Gateway first loads, and are checked again for updates every time you enforce policy.

When deploying on Azure/AWS, storage selection occurs during the asset configuration wizard if a new profile is created. It is also available via Cloud->Profiles for CloudGuard WAF's Gateway profiles that enforce assets with HTTPS URLs.

For all other deployment options, the same location still contains "Setup Instructions" for the method to deploy certificates for HTTPS traffic.

Multiple certificates

When there are multiple Web Applications/APIs, CloudGuard WAF's Gateway can automatically fetch the relevant certificates and private keys and match each one to the site it covers.

Example: you have two applications and one API end-point to protect:

  • www.acme.com

  • www.acme.com/sales

  • products.acme.com/catalog

Consider two possible cases:

  1. You have one wildcard certificate for *.acme.com

    • Place the certificate on your gateway by following the instructions in the next section. CloudGuard WAF will use it for all relevant applications.

  2. You have two certificates: (1) for www.acme.com and (2) for products.acme.com

    • Place both certificates on your gateway by following the instructions in the next section. CloudGuard WAF will automatically use certificate 1 for the first two Applications/APIs and certificate 2 for the last Application.
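As an added illustration of the matching described in this section (not Check Point's code; the certificate file names and SAN lists are constructed stand-ins), this Python snippet determines which uploaded certificate covers each protected hostname under the usual wildcard rule, and flags any asset left without one:

```python
from urllib.parse import urlsplit

# Constructed sample input: the page's three assets, and two hypothetical
# certificate sets described by their subjectAltName DNS entries.
ASSETS = [
    "https://www.acme.com",
    "https://www.acme.com/sales",
    "https://products.acme.com/catalog",
]
WILDCARD_CERTS = {"wildcard.pem": ["*.acme.com"]}
TWO_CERTS = {"www.pem": ["www.acme.com"], "products.pem": ["products.acme.com"]}


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN DNS entry against a hostname (browser-style rules).

    Case-insensitive; a wildcard is accepted only as the entire leftmost
    label and covers exactly one label, so *.acme.com matches
    www.acme.com but neither acme.com nor a.b.acme.com.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def assign_certificates(assets, certs):
    """Map each asset URL to the first certificate whose SANs cover its
    hostname; None means the gateway has nothing to serve it with."""
    assignment = {}
    for url in assets:
        host = urlsplit(url).hostname or ""
        assignment[url] = next(
            (name for name, sans in certs.items()
             if any(san_matches(san, host) for san in sans)),
            None)
    return assignment


def uncovered(assignment):
    """Assets that would fail HTTPS because no uploaded certificate fits."""
    return [url for url, cert in assignment.items() if cert is None]


if __name__ == "__main__":
    for certs in (WILDCARD_CERTS, TWO_CERTS):
        result = assign_certificates(ASSETS, certs)
        print(result, "missing:", uncovered(result))
```

Run the same check with your real SAN lists (for example from `openssl x509 -noout -ext subjectAltName`) before uploading, so that an apex domain or a second-level subdomain not covered by a wildcard is caught early.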

Validating the certificate of the internal server

The reverse proxy takes incoming HTTP/S requests and forwards them to an internal server.

When the connection to the internal server uses HTTPS, that server presents its own certificate, and best practice is to validate it rather than accept it blindly.

The Advanced Reverse Proxy settings include the configuration option "Trusted CA chain for protected server SSL verification". Use this option to configure the trusted CA chain that will validate the certificate presented by the internal server, for enhanced security.
