# Integrating WAF SaaS with AWS CloudFront

This guide walks you through integrating the Check Point WAF with your existing AWS CloudFront distribution.

{% hint style="danger" %}
The WAF must be deployed *after* CloudFront, since CloudFront is the entry point exposed to the public internet.
{% endhint %}

### Prerequisites

Before starting, make sure you have:

* An active **Check Point WAF subscription** with access to the WAF management UI.
* An existing **AWS CloudFront distribution** configured with your domain.
* Access to **update your DNS records**.

### Deployment

#### 1. Deploy WAF SaaS

Follow the instructions below:

{% content-ref url="../../../concepts/waf-as-a-service-waf-saas" %}
[waf-as-a-service-waf-saas](https://waf-doc.inext.checkpoint.com/concepts/waf-as-a-service-waf-saas)
{% endcontent-ref %}

In step 1 (Define the website you want to protect), make sure to:

* Enter the **public URLs** (e.g. `www.example.com`)
  * Use the **internet-facing domain**, not the CloudFront domain.
* Provide the **upstream origin URL** (e.g. your CloudFront origin)
  * Do **not** set the upstream server as CloudFront — this is a common mistake.

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FANNr3iEg5BBosnCSvRVX%2Fimage.png?alt=media&#x26;token=78921363-fda5-4517-9c68-b1f00d438810" alt=""><figcaption></figcaption></figure>

***

#### 2. Copy the WAF DNS Endpoint

Once the asset has been created, the WAF provides a **WAF DNS endpoint** (e.g., `xxxx.checkpoint.com`).

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FB09piZIxovse6Q7djHNN%2Fimage.png?alt=media&#x26;token=2859cf20-cc71-47f2-baef-df42ca2f6a1a" alt=""><figcaption></figcaption></figure>

#### 3. Update CloudFront Configuration - Review Current Origin (Before Change)

1. Open your CloudFront distribution in the **AWS Console**.
2. Under **Origins**, review the current configuration (typically pointing to your application server or load balancer).

#### 4. Update CloudFront Configuration - Change Origin to WAF

1. Edit the **origin configuration**.
2. Set the **Origin Domain Name** to the **WAF DNS endpoint** from Step 2.
3. Save changes.

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2F1W3hIv4pE8f8IyLJqnXE%2F%7B6C193AFB-AA8D-4081-810D-D292FEEB879A%7D.png?alt=media&#x26;token=5a24177d-4a9d-46d3-bfea-0378e380d596" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2F0uR5VUMJ84Sq3jvzx592%2Fimage.png?alt=media&#x26;token=3d776c67-e92f-4633-bf3b-f79f7c41961a" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FjwshSzJIvMGZ9x50fxUu%2Fimage.png?alt=media&#x26;token=ddf8cfbe-877f-4bd2-9c72-bb3ca47a0287" alt=""><figcaption></figcaption></figure>

#### 5. Deploy and Verify Changes

After saving, CloudFront will redeploy with the new settings.

Once deployed, traffic will flow:

```
Internet → CloudFront → WAF → Application Origin
```

#### 6. DNS Considerations

* If **DNS already points to CloudFront** (recommended), no changes are needed.
* If DNS was pointing **directly to your origin**, update it to point to the **CloudFront distribution domain**.

#### 7. Validation

1. Visit your domain (e.g., `https://www.example.com`).
2. In the **WAF logs**, confirm that requests are reaching the WAF.
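
A configuration-side check to go with the log check above, as an added example that is not part of the original guide or of Check Point's tooling: it audits a distribution config (the JSON shape returned by `aws cloudfront get-distribution-config`) against the Step 1 and Step 4 rules. The function names, the sample JSON and every hostname other than `xxxx.checkpoint.com` and `www.example.com` are constructed for illustration.

```python
import json

# Constructed sample shaped like `aws cloudfront get-distribution-config` output.
SAMPLE_DIST = json.loads("""
{"DistributionConfig": {
  "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
  "Origins": {"Quantity": 2, "Items": [
    {"Id": "site", "DomainName": "xxxx.checkpoint.com"},
    {"Id": "api",  "DomainName": "alb.internal.example.com"}]}}}
""")

def _host(value):
    """Reduce a URL or hostname to a lowercase host (no scheme, path, port, trailing dot)."""
    host = value.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return host.lower().rstrip(".")

def _is_cloudfront(host, aliases):
    return host.endswith(".cloudfront.net") or host in aliases

def audit_chain(dist, waf_endpoint, waf_public_urls, waf_upstream):
    """Return findings for Internet -> CloudFront -> WAF -> origin; [] means consistent."""
    cfg = dist.get("DistributionConfig", dist)
    aliases = {_host(a) for a in cfg.get("Aliases", {}).get("Items") or []}
    findings = []
    # Step 4: every CloudFront origin must be the WAF DNS endpoint,
    # otherwise that origin's traffic reaches the application unfiltered.
    for origin in cfg.get("Origins", {}).get("Items") or []:
        if _host(origin["DomainName"]) != _host(waf_endpoint):
            findings.append(f"origin '{origin['Id']}' bypasses WAF: {origin['DomainName']}")
    # Step 1: the WAF asset is defined with the internet-facing domain.
    for url in waf_public_urls:
        if _host(url).endswith(".cloudfront.net"):
            findings.append(f"WAF public URL is a CloudFront domain: {url}")
    # Step 1: the WAF upstream must be the application, never CloudFront.
    # Assumption: an upstream equal to a distribution alias also resolves
    # to CloudFront and would send requests back into the chain.
    if _is_cloudfront(_host(waf_upstream), aliases):
        findings.append(f"WAF upstream points at CloudFront: {waf_upstream}")
    return findings

if __name__ == "__main__":
    for line in audit_chain(SAMPLE_DIST, "xxxx.checkpoint.com",
                            ["https://www.example.com"],
                            "https://d111111abcdef8.cloudfront.net"):
        print(line)
```
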

You have successfully integrated Check Point WAF with CloudFront.
