WAF-as-a-Service (WAF SaaS)
Overview
CloudGuard WAF SaaS delivers the full security capabilities of CloudGuard WAF—without the need for complex deployment. It simplifies protection by routing your domain’s traffic through CloudGuard's cloud-based service, where traffic is inspected and forwarded securely to your internal servers. In addition to streamlined deployment, WAF SaaS enhances your security posture with advanced DDoS protection.
The service operates as a reverse proxy, inspecting incoming traffic and applying CloudGuard WAF security policies before passing requests to your origin servers.
CloudGuard WAF SaaS Points of Presence (PoPs)
When setting up your CloudGuard WAF SaaS account, you selected a data region. This defines your data residency—the physical or geographic location where your data is stored—and determines the region of the Infinity Portal where you can view and manage configurations and logs.
For more information, see:
WAF-as-a-Service (WAF SaaS)
Deployment
Prerequisites
DNS Ownership: You must control the DNS settings for the domain you’re protecting.
Origin Accessibility:
- Whitelist all CloudGuard WAF SaaS IPs on your internal web server.
- If you’ve just spun up a new server, you may temporarily expose it publicly for this initial phase, but you must lock it down immediately after WAF goes live.
Instructions:
To protect your web application with CloudGuard WAF SaaS, follow these steps:
1. Create a New Asset
Define the website you want to protect.
Enter the public URLs (e.g. www.example.com)
Provide the upstream origin URL (e.g. your internal server’s IP or hostname)
If you want to integrate your WAF with an existing AWS CloudFront, follow the steps here:

2. Connect to a WAF SaaS Profile
Link your asset to a new or existing WAF SaaS profile. This profile contains your security policies and PoP settings, such as the geographical region where your traffic will be processed.

3. Select a Certificate Management Option
Choose how SSL/TLS certificates will be handled:
Check Point-Managed Certificate: Let us generate and renew your certificates automatically using Let’s Encrypt.
Bring Your Own Certificate: Upload an existing certificate and private key (PEM format).

4. Complete Certificate Configuration
Follow the detailed instructions based on the option selected in Step 3:
When using Check Point-managed certificates, setup is mostly automatic. However, for each domain protected by WAF SaaS in a specific region, you must complete the following steps to ensure traffic is fully secured.
When to perform these steps
When creating a new asset
When adding new domains to an existing asset
When attaching a WAF SaaS profile to an asset that wasn’t previously protected
When editing a domain (remove the old one after adding and configuring the new one)
Prove Domain Ownership
To authorize Check Point to issue certificates for your domain using Let’s Encrypt, follow the steps below:
In the Infinity Portal, go to Policy → Profiles.
Select the CloudGuard WAF SaaS profile created during the Asset setup.
Find the domain marked as “Pending Action” and click it.
Copy the DNS CNAME record shown under the domain ownership verification step.
In your DNS provider’s console, add the CNAME record with the name and value provided.
You must complete this step for each domain individually (e.g. www.myapp.com and api.myapp.com).
- Connect your domain to WAF SaaS
Before performing this stage, disable any existing AWS CloudFront configuration for your website's address if you have any.
Once the previous step is completed, a new CNAME value will be generated (this may take up to 30 minutes).
In your DNS configuration, replace the existing CNAME record for your domain with the new CNAME value issued by Check Point.
- Allow WAF SaaS to Access Your Origin Server
To ensure smooth traffic flow between WAF SaaS and your internal web server:
Allow incoming traffic from the IP addresses provided in the WAF SaaS deployment form.
Do not remove existing access rules until:
72 hours have passed (to allow full DNS propagation), and
You have confirmed successful traffic flow through WAF SaaS.
Test Access to Your Site
After completing the above steps:
Confirm that the website is reachable over HTTPS.
Verify that traffic is flowing through WAF SaaS (you can check headers or logs in the Infinity Portal).
Double-check that your origin server is no longer publicly accessible (unless intentionally exposed).
Make sure you have not left a publicly exposed domain in your previous environment!
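One way to check the origin allow-list against the steps above, as an added example that is not part of the Check Point documentation: it compares the origin's inbound rules with the WAF SaaS source ranges and applies the 72-hour condition before recommending removals. The CIDR values are constructed documentation ranges and the function names are hypothetical; substitute the IPs from your WAF SaaS deployment form.

```python
import ipaddress

DNS_PROPAGATION_HOURS = 72  # waiting period stated in the deployment steps

def _collapse(cidrs):
    """Parse CIDR strings and merge adjacent/nested blocks, per IP version."""
    nets = [ipaddress.ip_network(c) for c in cidrs]  # raises ValueError on typos
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged

def _covered(net, blocks):
    """True if net lies entirely inside one of the (collapsed) blocks."""
    return any(net.version == b.version and net.subnet_of(b) for b in blocks)

def audit_origin_allowlist(allow_rules, waf_ranges):
    """Return (missing, excess).

    missing: WAF SaaS ranges the origin does not admit (WAF traffic would be dropped).
    excess:  allow rules admitting sources outside the WAF ranges (origin reachable directly).
    """
    rules, waf = _collapse(allow_rules), _collapse(waf_ranges)
    missing = [w for w in waf_ranges if not _covered(ipaddress.ip_network(w), rules)]
    excess = [r for r in allow_rules if not _covered(ipaddress.ip_network(r), waf)]
    return missing, excess

def cutover_findings(allow_rules, waf_ranges, hours_since_dns_change, traffic_confirmed):
    """Turn the audit into actions that respect the 72-hour / confirmed-traffic rule."""
    missing, excess = audit_origin_allowlist(allow_rules, waf_ranges)
    findings = [f"BLOCKER: WAF range {w} is not allowed at the origin" for w in missing]
    if hours_since_dns_change >= DNS_PROPAGATION_HOURS and traffic_confirmed:
        findings += [f"REMOVE: rule {r} still exposes the origin outside WAF SaaS" for r in excess]
    else:
        findings += [f"KEEP FOR NOW: rule {r} (remove after cutover is confirmed)" for r in excess]
    return findings

# Constructed sample data: documentation-only ranges standing in for the IPs
# listed in the WAF SaaS deployment form and for the origin's inbound rules.
WAF_RANGES = ["192.0.2.0/24", "198.51.100.16/28", "2001:db8:1::/48"]
ORIGIN_RULES = ["192.0.2.0/25", "192.0.2.128/25", "2001:db8:1::/48", "203.0.113.0/24"]

if __name__ == "__main__":
    for line in cutover_findings(ORIGIN_RULES, WAF_RANGES,
                                 hours_since_dns_change=80, traffic_confirmed=True):
        print(line)
```

Run it once before the DNS change to catch missing WAF ranges, and again after the waiting period to list the rules that should be removed.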