CloudGuard WAF
  • Documentation Overview
  • What is CloudGuard WAF?
  • Getting started
    • Prepare key information
    • Log in to the Infinity Portal
    • Protect a Web Application / API
    • Deploy Enforcement Point
      • Gateway/Virtual Machine
        • AWS
          • Store Certificates in AWS
          • Store certificates on Gateway
        • Azure
          • Store Certificates in Azure
          • Store Certificates on Gateway
        • VMware
          • Store Certificates on Gateway
          • Configure networking in VMware Deployments
      • WAF as a Service
        • Certificates Managed by Check Point
        • Bring Your Own Certificate
      • Kubernetes Ingress
        • Kong Application Security
        • Istio Application Security
      • Docker
        • Single Docker
          • Deployment using 'docker' command
            • Store Certificates Locally on Docker
          • Deployment in Azure App Services
        • Dual Docker: NGINX/Kong/Envoy + Security Agent
      • Linux / NGINX / Kong
    • Monitor Events
  • Concepts
    • Gateways & Agents
    • Management & Automation
    • Security Practices
    • Contextual Machine Learning
  • Additional Security Engines
    • Anti-Bot (Web Bots Security)
    • API Discovery and Security
      • API Discovery
      • Track API Discovery Learning
      • Enforce API Schema
    • File Security
    • Intrusion Prevention System (IPS)
    • Rate Limit / DDoS Control
    • Snort rules
  • SETUP INSTRUCTIONS
    • Setup Custom Rules and Exceptions
    • Setup Web User Response Pages
    • Setup Log Triggers
    • Setup Report Triggers
    • Setup Notification Triggers
    • Setup Behavior Upon Failure
    • Setup Agent Upgrade Schedule
  • HOW TO
    • Edit Web Application/API Settings
    • Edit Reverse Proxy Advanced Settings for a Web Asset
    • Protect an existing production site with CloudGuard WAF's Gateway
    • View Policy of all your Web Applications/APIs
    • Add Data Loss Prevention (DLP) rules
    • Configure Contextual Machine Learning for Best Accuracy
    • Track Agent Status
    • Track Learning and Move from Learn/Detect to Prevent
    • Rotate profile authentication token
    • Upgrade your Reverse Proxy when a Linux/NGINX agent is installed
    • Use Terraform to Manage CloudGuard WAF
    • Authorize Temporary Access for Check Point Support
    • Restrict Access to Backend Servers from CloudGuard WAF as a Service IPs Only
  • Troubleshooting
    • WAF Gateway / Virtual Machine
      • Azure
        • "Unable to find a tag containing the vault's name in the VMSS" Error
        • How To: Configure Key Vault for a Single Gateway
      • NGINX Error: Upstream Sent Too Big Header While Reading Response Header from Upstream
      • How To: Compare Between the Gateway's Certificate and the Upstream Certificate
    • Linux
      • SELinux: Checking Status and Disabling
    • WAF as a Service
      • Certificate Validation Failed: Adjusting CAA Record
      • How To: Redirect a Root Domain to a Subdomain Protected by WAF SaaS
      • How To: Extend Connection Timeout to Upstream
  • references
    • Agent CLI
    • Management API
    • Event Query Language
    • Writing Snort Signatures
    • Events/Logs Schema
    • CVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Email Address Buffer Overflows (HIGH)
    • CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974: Ingress NGINX Controller RCE (Critical)
  • Resources
    • GitHub
    • Docker Hub
Powered by GitBook
On this page
  • Overview
  • Installation

Was this helpful?

  1. Getting started
  2. Deploy Enforcement Point
  3. Gateway/Virtual Machine

Azure

PreviousStore certificates on GatewayNextStore Certificates in Azure

Last updated 4 months ago

Was this helpful?

Overview

If you are deploying a CloudGuard WAF Gateway to protect an existing production website, we recommend you also read the HOW-TO guide for this particular deployment.

CloudGuard WAF can be deployed as either a single virtual machine or a Scale-Set in Azure. It acts as a reverse proxy where before / after you can deploy Azure Load Balancers:

Make sure you obtain the <token> from the Enforcement Profile page, Authentication section. You will need it in during agent deployment.

Installation

Follow these steps to deploy CloudGuard WAF in Azure using an ARM Template:

Step 1: Azure Log in

Log in to to your Azure account.

Step 2: Verify required permissions

Verify that you have the required permissions:

Azure permissions

Microsoft.Resources:

Purchase Resource

Validate Deployment

Microsoft.Insights:

Update autoscale setting

Microsoft.Compute:

Create or Update Virtual Machine Scale Set

Microsoft.KeyVault: Update Access Policy

Microsoft.Network:

Create or Update Public Ip Address

Create or Update Virtual Network

Create or Update Route Table

Create or Update Network Security Group

Create or Update Load Balancer

Microsoft.Storage:

Update Storage Account Create

If deploying VMSS with a new Azure Key Vault:

Microsoft.KeyVault:

Update Key Vault

Write Secret

Step 3: Deployment using ARM Template

  • Open the CloudGuard WAF's Azure page: https://azuremarketplace.microsoft.com/en-us/marketplace/apps/checkpoint.checkpoint_waap?tab=Overview.

  • Click the blue "Get It Now" button to start the configuration wizard.

You have two options to store certificates:

Store Certificates in Azure
Store Certificates on Gateway