Certificates Managed by Check Point
When using CloudGuard‑managed certificates, setup is mostly automatic. However, for each domain protected by WAF SaaS in a specific region, you must complete the following steps to ensure traffic is fully secured.
When to perform these steps
When creating a new asset
When adding new domains to an existing asset
When attaching a WAF SaaS profile to an asset that wasn’t previously protected
When editing a domain (remove the old one after adding and configuring the new one)
Step 1: Prove Domain Ownership
This step authorizes CloudGuard to issue certificates for your domain using Let’s Encrypt.
In the Infinity Portal, go to Policy → Profiles.
Select the CloudGuard WAF SaaS profile created during the Asset setup.
Find the domain marked as “Pending Action” and click it.
Copy the DNS CNAME record shown under the domain ownership verification step.
In your DNS provider’s console, add the CNAME record with the name and value provided.
You must complete this step for each domain individually (e.g. www.myapp.com
and api.myapp.com
)
Step 2: Connect your domain to WAF SaaS
Before performing this stage, disable any existing AWS CloudFront configuration for your website's address if you have any.
Once ownership is verified, a new CNAME value will be generated (this may take up to 30 minutes).
In your DNS configuration, replace the existing CNAME record for your domain with the new CNAME value issued by CloudGuard.
Step 3: Allow WAF SaaS to Access Your Origin Server
To ensure smooth traffic flow between WAF SaaS and your internal web server:
Allow incoming traffic from the IP addresses provided in the WAF SaaS deployment form.
Do not remove existing access rules until:
72 hours have passed (to allow full DNS propagation), and
You have confirmed successful traffic flow through WAF SaaS.
Step 4: Test Access to Your Site
After completing the above steps:
Confirm that the website is reachable over HTTPS.
Verify that traffic is flowing through WAF SaaS (you can check headers or logs in the Infinity Portal).
Double-check that your origin server is no longer publicly accessible (unless intentionally exposed).
Make sure you have not left a publicly exposed domain in your previous environment!
Last updated
Was this helpful?