CloudGuard WAF
  • Documentation Overview
  • What is CloudGuard WAF?
  • Getting started
    • Prepare key information
    • Log in to the Infinity Portal
    • Protect a Web Application / API
    • Deploy Enforcement Point
      • Gateway/Virtual Machine
        • AWS
          • Store Certificates in AWS
          • Store certificates on Gateway
        • Azure
          • Store Certificates in Azure
          • Store Certificates on Gateway
        • VMware
          • Store Certificates on Gateway
          • Configure networking in VMware Deployments
      • WAF as a Service
        • Certificates Managed by Check Point
        • Bring Your Own Certificate
      • Kubernetes Ingress
        • Kong Application Security
        • Istio Application Security
      • Docker
        • Single Docker
          • Deployment using 'docker' command
            • Store Certificates Locally on Docker
          • Deployment in Azure App Services
        • Dual Docker: NGINX/Kong/Envoy + Security Agent
      • Linux / NGINX / Kong
    • Monitor Events
  • Concepts
    • Gateways & Agents
    • Management & Automation
    • Security Practices
    • Contextual Machine Learning
  • Additional Security Engines
    • Anti-Bot
    • API Protection
      • API Discovery
      • Track API Discovery Learning
      • Enforce API Schema
    • File Security
    • Intrusion Prevention System (IPS)
    • Rate Limit
    • Snort Rules
  • SETUP INSTRUCTIONS
    • Setup Custom Rules and Exceptions
    • Setup Web User Response Pages
    • Setup Log Triggers
    • Setup Report Triggers
    • Setup Notification Triggers
    • Setup Behavior Upon Failure
    • Setup Agent Upgrade Schedule
  • HOW TO
    • Edit Web Application/API Settings
    • Edit Reverse Proxy Advanced Settings for a Web Asset
    • Protect an existing production site with CloudGuard WAF's Gateway
    • View Policy of all your Web Applications/APIs
    • Add Data Loss Prevention (DLP) rules
    • Configure Contextual Machine Learning for Best Accuracy
    • Track Agent Status
    • Track Learning and Move from Learn/Detect to Prevent
    • Rotate profile authentication token
    • Upgrade your Reverse Proxy when a Linux/NGINX agent is installed
    • Use Terraform to Manage CloudGuard WAF
    • Authorize Temporary Access for Check Point Support
    • Restrict Access to Backend Servers from CloudGuard WAF as a Service IPs Only
  • Troubleshooting
    • WAF Gateway / Virtual Machine
      • Azure
        • "Unable to find a tag containing the vault's name in the VMSS" Error
        • How To: Configure Key Vault for a Single Gateway
      • NGINX Error: Upstream Sent Too Big Header While Reading Response Header from Upstream
      • How To: Compare Between the Gateway's Certificate and the Upstream Certificate
    • Linux
      • SELinux: Checking Status and Disabling
    • WAF as a Service
      • Certificate Validation Failed: Adjusting CAA Record
      • How To: Redirect a Root Domain to a Subdomain Protected by WAF SaaS
      • How To: Extend Connection Timeout to Upstream
      • How To: Update Expired Certificates
  • references
    • Agent CLI
    • Management API
    • Event Query Language
    • Writing Snort Signatures
    • Events/Logs Schema
    • CVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Email Address Buffer Overflows (HIGH)
    • CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974: Ingress NGINX Controller RCE (Critical)
  • Resources
    • GitHub
    • Docker Hub
Powered by GitBook
On this page
  • Web API Wizard
  • Deploy Enforcement Point - Gateway or Agent
  • API Discovery and API Schema Validation

Was this helpful?

  1. Getting started

Protect a Web API

Last updated 4 months ago

Was this helpful?

CloudGuard WAF provides a configuration wizard that allows you to set up everything you need for basic protection of your web API, as well as the ability to automatically detect your API usage and schema, providing an extra layer of security via visibility.

Once you completed the wizard you can set up a CloudGuard WAF's AppSec Gateway or Agent to enforce security.

Web API Wizard

Step 1: launch the configuration Wizard:

  1. When logged in to the management portal, click the Policy option in the main navigation menu on the left. You should see the Cloud Getting Started page.

  2. In the Policy -> Getting Started page, click New Asset, then Select Web API. The configuration wizard should open.

Follow these configuration steps in the New Web API wizard:

Step 2: API Server Details

  • Name - choose a clear distinguishable name for your API

  • Tags (Optional) - can be used for searches

  • API URLs for users - configure at least one host address with optional port. CloudGuard WAF will protect these hosts. Examples:

    • https://www.acme.com (listen to inbound traffic to this address on all ports)

    • http://www.acme.com:80 (only listen to inbound traffic to this address on port 80)

    • https://www.acme.com/api

    • https://sales.acme.com/api

    • https://172.20.20.4:3000

  • Single application URL for the reverse proxy function - This URL is required, if the asset is secured by a CloudGuard WAF deployment in which the reverse proxy function is configured through the WAF Management. The Reverse Proxy translates the external URL, used by users, into an internal URL and forwards the request to it. This internal URL should be written here (See diagram).

Step 3: Practices

Select the Practices that you want to enable and their Mode:

Activated modes for API Security:

  • Learn/Detect - we recommend starting with this mode as it allows the Machine Learning engine to train and you can examine the system behavior, all while traffic is not affected.

  • Prevent - in this mode traffic will be blocked if malicious traffic is found.

Activated modes for API Discovery:

  • Active - API discovery does not block traffic, hence it only has a single "Active" mode.

Step 4: Platform and Deployment configuration

  1. Choose a deployment method:

CloudGuard WAF can be deployed as:

  • A pre-packaged Gateway (Virtual Machine for secure managed reverse proxy):

    • In AWS

    • In Azure

    • In VMware vSphere

  • WAF as a Service - in supported regions world-wide (DNS configuration for your domain will change to its location)

  • A pre-packaged docker containing a secure managed reverse proxy. Note - a user can opt to manage the reverse proxy settings locally.

  • A separate Reverse Proxy/API server Docker + WAF Agent Docker

  • An add-on to an existing/new NGINX Kubernetes Ingress

  • An add-on to an existing/new supported Reverse Proxy/API Server.

If you choose the option of a Virtual Machine (VM), the option of SaaS or the option of a managed docker, you must also enter the internal URL of the application or API or internal load balancer so the reverse proxy function will know to which URL should these asset's external URL be forwarded. This URL must be accessible to the managed Reverse Proxy server but will not be exposed to the outside. This URL was configured in step 1 of the wizard.

Step 5: Learning

Define how the Machine Learning engine should distinguish between different API sources and who the sources are that can be trusted.

  1. Select the method by which different sources will be distinguished from one another:

  • X-Forwarded-For Header - When there is a Reverse Proxy or ALB between the Reverse Proxy the agent is running on, and the internet - the original source IP address cannot be seen on the networking level. This option allows the Nano-Agent to identify the original source IP inside the X-Forwarded-For header. No additional parameters are required in the common case where a single Reverse Proxy/ALB is found before the agent's deployment.

In the less common case, where there are more than 1 reverse proxy and/or ALB deployments before the reverse proxy with CloudGuard WAF:

  • After the wizard is completed you must edit the created Web Application/API asset object.

  • Add the IP addresses of the previous hops, to allow the distinction between them and the original source address.

  • Source IP Address- The Nano-Agent uses the source IP address as the identifier. No additional parameters are required.

Additional methods can be defined later by editing the Web Application/API asset object. These include:

  • Cookie Key - when you select this option, you need to add the key name within the cookie whose value is used as the unique identifier of the original source.

  • HTTP Header - when you select this option, you need to add the HTTP header name whose value is used as the unique identifier of the original source.

  • JWT Key - Authenticated API calls send a JSON Web Token (JWT) received by authentication API. This JWT usually contains identifying field. When you select this option, the value of one of the JWT keys can be used as the unique identifier of the original source.

2. If you do not intend to use additional methods, you may already define trusted sources that serve as a baseline for comparison for benign behavior, and how many sources/Addresses must exhibit similar activity for it to really be considered benign by the learning model (Otherwise it is recommended to perform this step after the wizard has been completed by editing the asset and after changing the method by which sources are distinguished).

Step 6: Certificate storage configuration and deployment instructions

If, during the previous step, a "New Profile" option was selected, then the "Certificates" page will also prompt a decision, relevant for all CloudGuard WAF's AppSec Gateways that will connect to this profile, regarding where the certificates for HTTPS traffic will be stored.

This decision is only relevant for the pre-packaged Gateway (Virtual Machine) option in AWS and Azure. In those cases it is possible to either select a secure vault in the relevant public cloud, or local storage. This configuration can be later changed by editing the created profile via Cloud->Profiles.

If the "Existing Profile" option was selected, then it will not be possible to choose a different configuration from what is already set in this profile.

Exact setup instructions for certificates will be available in the profile page.

For CloudGuard WAF on AWS or Azure, there are two methods for storing certificates and private keys. For all other deployments only the first is available:

    • Advantage: you have full control of your secrets

    • Disadvantage: does not support automatic scaling

Completing the deployment and providing certificates requires actions after the wizard has ended, for each domain configured on the new asset:

  1. Proving ownership of each domain to allow issuing the certificates for it on WAF SaaS side.

  2. Configuring the DNS record for each domain so traffic to it will be routed to WAF SaaS.

For all other deployment options there is no configuration required WAF web management. However, instructions on how to install the certificates for each deployment appear in both wizard and later on when editing the profile in Policy->Profiles.

Step 7: Reporting

During the Web Application onboarding it is possible to configure a new Report Trigger to send a summary report, based on your preferences to a list of email addresses or use an existing, pre-configured Report Trigger.

Step 8: Summary

Review the configuration summary and choose how you would like to proceed.

By keeping the default selections and clicking Done, you can Publish & Enforce your settings and proceed to the Profile page, which includes instructions for deployment of a CloudGuard WAF's AppSec Gateway, WAF SaaS or Agent.

You can also choose Advanced Settings to explore additional features (such as in Step 6 below) and later proceed with enforcement point deployment.

Deploy Enforcement Point - Gateway or Agent

You are minutes away from protecting your Web API. The last step is to deploy an Enforcement Point. See instructions here:

API Discovery and API Schema Validation

API Security

CloudGuard WAF protects your API from malicious attacks, and if provided with a schema file, it can enforce it. However, this is not the only manner of security for API use.

Maintaining and enforcing a secure schema file is a difficult task for a security officer. The developers of the web server add and change APIs, and even with a well-defined, well-reviewed and well-maintained schema file, an API can allow access of sensitive data in a way the schema file will not show. The frequency of changes to APIs can also cause much difficulty in keeping such a schema file well-reviewed and well-maintained.

API discovery provides security by visibility:

  1. Discovery of the initial schema.

  2. Discovery of API additions/deletions, and changes to existing APIs.

  3. Discovery of APIs with sensitive data.

API discovery is the recommended way to maintain the schema file you can eventually, after a sufficient leaning period, use for Schema Validation.

The flow of working with API discovery is explained in detail in this documentation:

Activating schema validation if you already have a trusted schema file

Important reminder - The API discovery engine was designed to learn what API is actually being used. Even if you have a well-maintained schema file for your API, it is still recommended to wait before activating the Schema Validation Security engine, until the API discovery practice has learned the actual API usage in your system and suggested a schema.

At that point we recommend comparing the suggested schema with the schema file you had, and deciding on the exact schema to enforce accordingly.

If you decide to skip API discovery (not recommended) and move directly to schema validation with your own well-maintained schema file, skip directly to the following documentation and use the option of uploading your own schema file:

Complete the following details (which you have ):

This is explained in more details .

For the option - Using your own issued certificates will be available in the future.

- a simple procedure allows you to upload the certificates and private keys directly to your gateway(s) using Secure Copy Protocol (SCP/SSH). No further configuration is required - CloudGuard WAF will locate the local files automatically.

If you are using CloudGuard WAF on or you can store secrets in secured vaults of these platforms and CloudGuard WAF's AppSec Gateway can fetch it from there.

For deployment this page will support in the future the option of certificates provided by you. The available option is for WAF SaaS to provide the certificates.

Once there is a well-maintained schema file, such as the schema the API discovery engine provides once it learned traffic to a high enough level, adding a schema file and activating the Schema Validation enforcement engine can further increase the security level by adding an schema file for your API. CloudGuard WAF will enforce the different unique applicative validations described in the schema file and alert upon attempts to use APIs in a way that does not match your schema.

prepared before
here
WAF SaaS
On the WAF Gateway itself
AWS
Azure
WAF SaaS
Deploy Enforcement Point
API Protection
openAPI
Enforce API Schema