Protect a Web Application / API


CloudGuard WAF provides a configuration wizard that sets up everything you need for basic protection of your web application. Once you have completed the wizard, you can set up a CloudGuard WAF AppSec Gateway or Agent to enforce security.

New Asset Wizard

Step 1: Launch the configuration wizard:

  • When logged in to the management portal, click the Policy option in the main navigation menu on the left. You should see the CloudGuard Getting Started page.

  • On the Policy -> Getting Started page, click New Asset. The configuration wizard should open.

Follow these configuration steps in the New Web Application / API wizard:

Step 2: Application Details

  • Name - choose a clear, distinguishable name for your application

  • Tags (Optional) - can be used for searches

  • Application URLs for users - configure at least one host address with optional port. CloudGuard WAF will protect these hosts. Examples:

    • https://www.acme.com (listen to inbound traffic to this address on all ports)

    • http://www.acme.com:80 (only listen to inbound traffic to this address on port 80)

    • https://www.acme.com/sales

    • https://sales.acme.com

    • https://172.20.20.4:3000

  • Single application URL for the reverse proxy function - This URL is required if the asset is secured by a CloudGuard WAF deployment in which the reverse proxy function is configured through the WAF Management. The Reverse Proxy translates the external URL used by users into an internal URL and forwards the request to it. Enter that internal URL here (see diagram).

Step 3: Practices

Select the Practices that you want to enable and their Mode:

Modes:

  • Learn/Detect - we recommend starting with this mode: it lets the Machine Learning engine train and lets you examine the system's behavior while traffic is not affected.

  • Prevent - in this mode, traffic identified as malicious is blocked.

Step 4: Platform and Deployment configuration

  1. Choose a deployment method:

CloudGuard WAF can be deployed as:

  • A pre-packaged Gateway (Virtual Machine for secure managed reverse proxy):

    • In AWS

    • In Azure

    • In VMware

  • WAF as a Service in supported regions worldwide (the DNS configuration for your domain will be changed to point to its location)

  • A pre-packaged docker containing a secure managed reverse proxy. Note - a user can opt to manage the reverse proxy settings locally.

  • A separate Reverse Proxy/API server Docker + WAF Agent Docker

  • An add-on to an existing/new NGINX Kubernetes Ingress

  • An add-on to an existing/new supported Reverse Proxy/API Server.

If you choose the Virtual Machine (VM) option, the SaaS option or the managed docker option, you must also enter the internal URL of the application, API or internal load balancer, so that the reverse proxy function knows where to forward requests that arrive at the asset's external URL. This URL must be reachable from the managed Reverse Proxy server but is not exposed to the outside. This URL was configured in step 1 of the wizard.

Step 5: Learning

Define how the Machine Learning engine should distinguish between different API or human users, and which users can be trusted.

  1. Select the method by which different users will be distinguished from one another:

  • X-Forwarded-For Header - When there is a Reverse Proxy or ALB between the internet and the Reverse Proxy on which the agent runs, the original source IP address cannot be seen at the network level. This option lets the Nano-Agent identify the original source IP from the X-Forwarded-For header. No additional parameters are required in the common case where a single Reverse Proxy/ALB sits in front of the agent's deployment.

In the less common case, where more than one reverse proxy and/or ALB sits in front of the reverse proxy with CloudGuard WAF:

  • After the wizard is completed, you must edit the created Web Application/API asset object.

  • Add the IP addresses of the previous hops so that they can be distinguished from the original source address.

  • Source IP Address - The Nano-Agent uses the source IP address as the identifier. No additional parameters are required.

Additional methods can be defined later by editing the Web Application/API asset object. These include:

  • Cookie Key - when you select this option, you need to add the key name within the cookie whose value is used as the unique identifier of the original source.

  • HTTP Header - when you select this option, you need to add the HTTP header name whose value is used as the unique identifier of the original source.

  • JWT Key - Authenticated API calls carry a JSON Web Token (JWT) received from the authentication API. This JWT usually contains an identifying field. When you select this option, the value of one of the JWT keys is used as the unique identifier of the original source.

  2. If you do not intend to use additional methods, you may already define trusted sources that serve as the baseline for benign behavior, and how many users/addresses must exhibit similar activity before the learning model considers it benign. Otherwise, it is recommended to perform this step after the wizard has been completed, by editing the asset once the method by which users are distinguished has been changed.
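As an added example (not Check Point's code or the Nano-Agent's implementation), the block below applies the five identification methods listed above to one request, including the multi-hop X-Forwarded-For case in which the previous hops' addresses must be configured so they are not mistaken for the client; the request, the JWT and the hop list are constructed, and the method names are this example's own.

```python
# Added example (not Check Point's code); request, JWT and hop list are constructed.
import base64
import json

def client_ip_from_xff(xff: str, peer_ip: str, trusted_hops: frozenset) -> str:
    """Walk X-Forwarded-For from the right, skipping the IPs configured as previous
    hops. Only the right-most entries were appended by proxies you control; anything
    further left may be client-supplied. With one ALB in front, trusted_hops is empty."""
    for addr in reversed([p.strip() for p in xff.split(",") if p.strip()]):
        if addr not in trusted_hops:
            return addr
    return peer_ip  # no usable entry: fall back to the network-level source

def jwt_claim(token: str, key: str):
    """Read one claim from the JWT payload; signature validation is assumed upstream."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4))
        return json.loads(payload).get(key)
    except (ValueError, AttributeError):
        return None

def user_identifier(method: str, request: dict, param: str = "",
                    trusted_hops: frozenset = frozenset()):
    """Dispatch on the Step 5 method (method names here are this example's own)."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    if method == "source_ip":
        return request["peer_ip"]
    if method == "x_forwarded_for":
        return client_ip_from_xff(headers.get("x-forwarded-for", ""),
                                  request["peer_ip"], trusted_hops)
    if method == "cookie_key":
        cookies = dict(c.strip().partition("=")[::2]
                       for c in headers.get("cookie", "").split(";") if "=" in c)
        return cookies.get(param)
    if method == "http_header":
        return headers.get(param.lower())
    if method == "jwt_key":
        auth = headers.get("authorization", "")
        return jwt_claim(auth[7:], param) if auth.startswith("Bearer ") else None
    raise ValueError(f"unknown method {method!r}")

# Constructed path: client 203.0.113.7 -> CDN 198.51.100.10 -> ALB 10.0.0.5 -> agent
SAMPLE_TOKEN = "hdr." + base64.urlsafe_b64encode(
    json.dumps({"sub": "user-42"}).encode()).decode().rstrip("=") + ".sig"
SAMPLE_REQUEST = {"peer_ip": "10.0.0.5", "headers": {
    "X-Forwarded-For": "203.0.113.7, 198.51.100.10",
    "Cookie": "theme=dark; session=abc123", "Authorization": "Bearer " + SAMPLE_TOKEN}}
```

With no previous hops configured, the right-most X-Forwarded-For entry (the CDN) is taken as the user; adding 198.51.100.10 as a previous hop yields the real client 203.0.113.7 even if the client prepends forged entries.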

Step 6: Certificate storage configuration and deployment instructions

If the "New Profile" option was selected during the previous step, the "Certificates" page will also prompt for a decision on where the certificates for HTTPS traffic will be stored. This decision applies to all CloudGuard WAF AppSec Gateways that will connect to this profile.

For the WAF SaaS option, bringing your own SSL/TLS certificates will be available in the future.

This decision is only relevant for the pre-packaged Gateway (Virtual Machine) option in AWS and Azure. In those cases you can select either a secure vault in the relevant public cloud or local storage. This configuration can be changed later by editing the created profile via Cloud->Profiles.

If the "Existing Profile" option was selected, then it will not be possible to choose a different configuration from what is already set in this profile.

Exact setup instructions for certificates will be available in the profile page.

For CloudGuard WAF on AWS or Azure, there are two methods for storing certificates and private keys. For all other deployments only the first is available:

  • On the WAF Gateway itself - a simple procedure allows you to upload the certificates and private keys directly to your gateway(s) using Secure Copy Protocol (SCP/SSH). No further configuration is required - CloudGuard WAF will locate the local files automatically.

    • Advantage: you have full control of your secrets

    • Disadvantage: does not support automatic scaling

  • If you are using CloudGuard WAF on AWS or Azure, you can store the secrets in the secured vaults of these platforms, and the CloudGuard WAF AppSec Gateway will fetch them from there.

For WAF SaaS deployments, this page will in the future support the option of certificates provided by you. The option available now is for WAF SaaS to provide the certificates.

Completing the deployment and providing certificates requires actions after the wizard has ended, for each domain configured on the new asset:

  1. Proving ownership of each domain, to allow the certificates for it to be issued on the WAF SaaS side.

  2. Configuring the DNS record for each domain so that traffic to it is routed to WAF SaaS.

For all other deployment options, no configuration is required through the WAF web management. However, instructions on how to install the certificates for each deployment appear both in the wizard and later when editing the profile in Cloud->Profiles.

Step 7: Reporting

During the Web Application onboarding it is possible to configure a new Report Trigger that sends a summary report, based on your preferences, to a list of email addresses, or to use an existing, pre-configured Report Trigger.

Step 8: Summary

Review the configuration summary and choose how you would like to proceed.

By keeping the default selections and clicking Done, you Publish & Enforce your settings and proceed to the Profile page, which includes instructions for deploying a CloudGuard WAF AppSec Gateway, WAF SaaS or Agent.

You can also choose Advanced Settings to explore additional features and proceed with the enforcement point deployment later.

Deploy Enforcement Point - Gateway or Agent

You are minutes away from protecting your Web Application. The last step is to deploy an Enforcement Point. See the instructions in Deploy Enforcement Point.