Integrating WAF SaaS with AWS CloudFront

This guide walks you through integrating the Check Point WAF with your existing AWS CloudFront distribution.

Prerequisites

Before starting, make sure you have:

• An active Check Point WAF subscription with access to the WAF management UI.

• An existing AWS CloudFront distribution configured with your domain.

• Access to update your DNS records.

Deployment

1. Deploy WAF SaaS

Follow the instructions bellow:

in step 1 (Define the website you want to protect) - make sure to input

• Enter the public URLs (e.g. www.example.com)

  • Use the internet-facing domain, not the CloudFront domain.

• Provide the upstream origin URL (e.g. your internal server’s IP or hostname)

  • Do not set the upstream server as CloudFront — this is a common mistake.

2. Copy the WAF DNS Endpoint

Once the asset has been created the WAF will provides a WAF DNS endpoint (e.g., xxxx.checkpoint.com).

3. Update CloudFront Configuration - Review Current Origin (Before Change)

1. Open your CloudFront distribution in the AWS Console.

2. Under Origins, review the current configuration (typically pointing to your application server or load balancer).

4. Update CloudFront Configuration - Change Origin to WAF

1. Edit the origin configuration.

2. Set the Origin Domain Name to the WAF DNS endpoint from Step 2.2.

3. Save changes.

5. Deploy and Verify Changes

After saving, CloudFront will redeploy with the new settings.

Once deployed, traffic will flow:

Internet → CloudFront → WAF → Application Origin

6. DNS Considerations

• If DNS already points to CloudFront (recommended), no changes are needed.

• If DNS was pointing directly to your origin, update it to point to the CloudFront distribution domain.

7. Validation

1. Visit your domain (e.g., https://www.example.com).

2. In the WAF logs, confirm that requests are reaching the WAF.

You have successfully integrated Check Point WAF with CloudFront.