Configure Contextual Machine Learning for Best Accuracy


Last updated 3 months ago


The Contextual Machine Learning engine reaches a verdict more accurately when it can differentiate between users or sources of HTTP requests. CloudGuard WAF lets you configure how the source of a web request is identified, per web application or API.

Once CloudGuard WAF knows how to identify the source, you can also configure trusted sources. Understanding the behavior of multiple trusted sources helps the contextual machine learning engine learn faster what is considered a benign or malicious request for a specific web application or API.

Configuring the items below can accelerate the learning process and lets the Machine Learning Engine reach more accurate decisions.

Configuring trusted sources is not a method of exclusion; it is a method to enhance the learning capabilities of the contextual machine learning. Exclusions are configured separately.

Source Identity and Trusted Sources

The instructions below refer to configuring trusted sources during step 4 of the wizard when creating a Web Application asset or a Web API asset.

They can also be found by browsing to Policy->Assets and editing an asset under Source Identity and Trusted Sources.

Step 1: Identify the source of the web request

The source of an HTTP web request can be identified in a number of ways. Use the below table to select the appropriate identifier for the sources of your web application.

Definition: Source IP
Parameter: This is the HTTP request source IP or CIDR. No additional parameters are necessary.

Definition: X-Forwarded-For Header in HTTP requests
Parameter: The IP address or CIDR of the trusted source is received in the X-Forwarded-For header. If you select this option, you must add the IP addresses of the previous reverse proxy/ALB hops so that the unique IP address of the source can be distinguished from them. Note: adding the addresses of previous hops is required when there is more than one reverse proxy and/or ALB in front of the Reverse Proxy with the CloudGuard WAF installation. If there is only one, it is not required.

Definition: Header Key
Parameter: If you select this option, it is necessary to add the header field name. This value is used for identification.

Definition: JWT Key
Parameter: If you select this option, it is necessary to add the key within the JWT. This value is used for identification. This option is recommended.

Definition: Cookie
Parameter: When you select this option, it is necessary to add the key within the cookie. This value is used for identification. A recommended key is oauth2_proxy.

  1. Go to Cloud->Assets and select the Asset you want to configure.

  2. Select a method to distinguish the sources according to the above table.

  3. (Optional) Add the name of the field that uniquely identifies the user.

Step 2: Configure Trusted Sources

  1. Add specific IP addresses (in case of Source IP or X-Forwarded-For) or specific user identifiers (in case of Header/JWT/Cookie) of trusted sources to the list.

  2. Minimum Users To Trust - You may change the default of 3 to a lower (not recommended) or higher number. Taking the example of "3", the learning mechanism will not learn "benign" behavior from the trusted sources until at least 3 of them have created similar traffic patterns. This avoids one source becoming a "malicious source of truth". The number of trusted sources in the table has to be at least that minimum number, so that the machine learning engine has a good indication of "benign behavior".

  3. Click Publish to publish the changes to the management.

  4. Click Enforce to deploy the changes to the enforcement points.

What's Next?

Depending on the amount and variance of traffic, after some time the machine learning engine reaches a stage where it has observed enough web requests to understand how the application is used. The sooner this stage is reached, the sooner detection is accurate, and at that point it is recommended to move to prevent mode.
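As an added illustration of Step 1 and Step 2 above (this is not CloudGuard WAF code, and the engine's real learning logic is not published on this page), the Python below resolves a request's source identity with each method from the table, including skipping the configured X-Forwarded-For hops, and gates learning on the Minimum Users To Trust threshold. All function names, the constructed sample JWT and the check that the trusted-source list is at least as long as the minimum are assumptions of this example.

```python
import base64
import ipaddress
import json
from collections import defaultdict

# Constructed illustration of the source-identity options and of the
# "Minimum Users To Trust" rule described above. It is not CloudGuard WAF
# code; the product's real learning logic is not published on this page.

def source_from_xff(xff_header, previous_hops):
    """Walk X-Forwarded-For from the right, skipping the configured
    reverse-proxy/ALB hops, and return the first address that is not a hop."""
    hops = [ipaddress.ip_network(h, strict=False) for h in previous_hops]
    for addr in reversed([a.strip() for a in xff_header.split(",")]):
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in hops):
            return str(ip)
    return None  # every entry was a known hop: no client address to identify

def source_from_jwt(token, claim):
    """Read the identifying claim from a JWT payload. Identity only: signature
    verification belongs to the application, not to this helper."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get(claim)

def source_from_cookie(cookie_header, key):
    """Return the value of one cookie (for example oauth2_proxy) or None."""
    pairs = (c.strip().split("=", 1) for c in cookie_header.split(";") if "=" in c)
    return dict(pairs).get(key)

class TrustedSourceLearner:
    """A pattern counts as benign only after min_users distinct trusted
    sources produced it, so no single source becomes the source of truth."""

    def __init__(self, trusted_sources, min_users=3):
        # The page requires at least min_users entries in the trusted list.
        if len(trusted_sources) < min_users:
            raise ValueError("trusted sources must number at least min_users")
        self.trusted = set(trusted_sources)
        self.min_users = min_users
        self.seen = defaultdict(set)  # pattern -> trusted sources that sent it

    def observe(self, source, pattern):
        """Record a request pattern; untrusted sources never feed learning."""
        if source in self.trusted:
            self.seen[pattern].add(source)
        return self.is_learned(pattern)

    def is_learned(self, pattern):
        return len(self.seen[pattern]) >= self.min_users
```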

Read more about how you can optimize and tune the Machine Learning process in the Track Learning and Move from Detect to Prevent section of this documentation.
