Protect a Web Application

CloudGuard WAF provides a configuration wizard that allows you to set up everything you need for basic protection of your web application. Once you completed the wizard you can set up a CloudGuard WAF's AppSec Gateway or Agent to enforce security.

Web Application wizard

Step 1: Launch the configuration wizard:

When logged in to the management portal, click the Policy option in the main navigation menu on the left. You should see the CloudGuard Getting Started page.
In the Policy -> Getting Started page, click New Asset, then Select Web Application. The configuration wizard should open.

Follow these configuration steps in the New Web Application wizard:

Step 2: Application Details

Complete the following details (which you have prepared before):

Name - choose a clear distinguishable name for your application
Tags (Optional) - can be used for searches
Application URLs for users - configure at least one host address with optional port. CloudGuard WAF will protect these hosts. Examples:
- https://www.acme.com (listen to inbound traffic to this address on all ports)
- http://www.acme.com:80 (only listen to inbound traffic to this address on port 80)
- https://www.acme.com/sales
- https://sales.acme.com
- https://172.20.20.4:3000
Single application URL for the reverse proxy function - This URL is required, if the asset is secured by a CloudGuard WAF deployment in which the reverse proxy function is configured through the WAF Management. The Reverse Proxy translates the external URL, used by users, into an internal URL and forwards the request to it. This internal URL should be written here (See diagram).

Step 3: Practices

Select the Practices that you want to enable and their Mode:

Modes:

Learn/Detect - we recommend starting with this mode as it allows the Machine Learning engine to train and you can examine the system behavior, all while traffic is not affected.
Prevent - in this mode traffic will be blocked if malicious traffic is found.

Step 4: Platform and Deployment configuration

Choose a deployment method:

CloudGuard WAF can be deployed as:

A pre-packaged Gateway (Virtual Machine for secure managed reverse proxy):
- In AWS
- In Azure
- In VMware vSphere
Early Availability - WAF as a service (SaaS) in supported regions world-wide (DNS configuration for your domain will change to its location)
A pre-packaged docker containing a secure managed reverse proxy. Note - a user can opt to manage the reverse proxy settings locally.
A separate Reverse Proxy/API server Docker + WAF Agent Docker
An add-on to an existing/new NGINX Kubernetes Ingress
An add-on to an existing/new supported Reverse Proxy/API Server.

If you choose the option of a Virtual Machine (VM), the option of SaaS or the option of a managed docker, you must also enter the internal URL of the application or API or internal load balancer so the reverse proxy function will know to which URL should these asset's external URL be forwarded. This URL must be accessible to the managed Reverse Proxy server but will not be exposed to the outside. This URL was configured in step 1 of the wizard.

Step 5: Learning

Define how the Machine Learning engine should distinguish between different API or Human users and who the users are that can be trusted.

Select the method by which different users will be distinguished from one another:

X-Forwarded-For Header - When there is a Reverse Proxy or ALB between the Reverse Proxy the agent is running on, and the internet - the original source IP address cannot be seen on the networking level. This option allows the Nano-Agent to identify the original source IP inside the X-Forwarded-For header. No additional parameters are required in the common case where a single Reverse Proxy/ALB is found before the agent's deployment.

In the less common case, where there is more than 1 reverse proxy and/or ALB deployments before the reverse proxy with CloudGuard WAF:

After the wizard is completed you must edit the created Web Application/API asset object.
Add the IP addresses of the previous hops, to allow the distinction between them and the original source address.

This is explained in more details here.

Source IP Address - The Nano-Agent uses the source IP address as the identifier. No additional parameters are required.

Additional methods can be defined later by editing the Web Application/API asset object. These include:

Cookie Key - when you select this option, you need to add the key name within the cookie whose value is used as the unique identifier of the original source.
HTTP Header - when you select this option, you need to add the HTTP header name whose value is used as the unique identifier of the original source.
JWT Key - Authenticated API calls send a JSON Web Token (JWT) received by authentication API. This JWT usually contains identifying field. When you select this option, the value of one of the JWT keys can be used as the unique identifier of the original source.

2. If you do not intend to use additional methods, you may already define trusted sources that serve as a baseline for comparison for benign behavior, and how many Users/Addresses must exhibit similar activity for it to really be considered benign by the learning model (Otherwise it is recommended to perform this step after the wizard has been completed by editing the asset and after changing the method by which users are distinguished).

Step 6: Certificate storage configuration and deployment instructions

If, during the previous step, a "New Profile" option was selected, then the "Certificates" page will also prompt a decision, relevant for all CloudGuard WAF's AppSec Gateways that will connect to this profile, regarding where the certificates for HTTPS traffic will be stored.

For the WAF SaaS option - the option of bringing your own SSL/TLS certificates will be available in the future.

This decision is only relevant for the pre-packaged Gateway (Virtual Machine) option in AWS and Azure. In those cases it is possible to either select a secure vault in the relevant public cloud, or local storage. This configuration can be later changed by editing the created profile via Cloud->Profiles.

If the "Existing Profile" option was selected, then it will not be possible to choose a different configuration from what is already set in this profile.

Exact setup instructions for certificates will be available in the profile page.

For CloudGuard WAF on AWS or Azure, there are two methods for storing certificates and private keys. For all other deployments only the first is available:

On the WAF Gateway itself - a simple procedure allows you to upload the certificates and private keys directly to your gateway(s) using Secure Copy Protocol (SCP/SSH). No further configuration is required - CloudGuard WAF will locate the local files automatically.
- Advantage: you have full control of your secrets
- Disadvantage: does not support automatic scaling
If you are using CloudGuard WAF on AWS or Azure you can store secrets in secured vaults of these platforms and CloudGuard WAF's AppSec Gateway can fetch it from there.

For WAF SaaS deployment this page will support in the future the option of certificates provided by you. The available option is for WAF SaaS to provide the certificates.

Completing the deployment and providing certificates requires actions after the wizard has ended, for each domain configured on the new asset:

Proving ownership of each domain to allow issuing the certificates for it on WAF SaaS side.
Configuring the DNS record for each domain so traffic to it will be routed to WAF SaaS.

For all other deployment options there is no configuration required through WAF web management. However, instructions on how to install the certificates for each deployment appear in both wizard and later on when editing the profile in Cloud->Profiles.

Step 7: Reporting

During the Web Application onboarding it is possible to configure a new Report Trigger to send a summary report, based on your preferences to a list of email addresses or use an existing, pre-configured Report Trigger.

Step 7: Summary

Review the configuration summary and choose how you would like to proceed.

By keeping the default selections and clicking Done, you can Publish & Enforce your settings and proceed to the Profile page, which includes instructions for deployment of an CloudGuard WAF's AppSec Gateway, WAF SaaS or Agent.

You can also choose Advanced Settings to explore additional features and later proceed with enforcement point deployment.