CloudGuard WAF
  • Documentation Overview
  • What is CloudGuard WAF?
  • Getting started
    • Prepare key information
    • Log in to the Infinity Portal
    • Protect a Web Application / API
    • Deploy Enforcement Point
      • Gateway/Virtual Machine
        • AWS
          • Store Certificates in AWS
          • Store certificates on Gateway
        • Azure
          • Store Certificates in Azure
          • Store Certificates on Gateway
        • VMware
          • Store Certificates on Gateway
          • Configure networking in VMware Deployments
      • WAF as a Service
        • Certificates Managed by Check Point
        • Bring Your Own Certificate
      • Kubernetes Ingress
        • Kong Application Security
        • Istio Application Security
      • Docker
        • Single Docker
          • Deployment using 'docker' command
            • Store Certificates Locally on Docker
          • Deployment in Azure App Services
        • Dual Docker: NGINX/Kong/Envoy + Security Agent
      • Linux / NGINX / Kong
    • Monitor Events
  • Concepts
    • Gateways & Agents
    • Management & Automation
    • Security Practices
    • Contextual Machine Learning
  • Additional Security Engines
    • Anti-Bot (Web Bots Security)
    • API Discovery and Security
      • API Discovery
      • Track API Discovery Learning
      • Enforce API Schema
    • File Security
    • Intrusion Prevention System (IPS)
    • Rate Limit / DDoS Control
    • Snort rules
  • SETUP INSTRUCTIONS
    • Setup Custom Rules and Exceptions
    • Setup Web User Response Pages
    • Setup Log Triggers
    • Setup Report Triggers
    • Setup Notification Triggers
    • Setup Behavior Upon Failure
    • Setup Agent Upgrade Schedule
  • HOW TO
    • Edit Web Application/API Settings
    • Edit Reverse Proxy Advanced Settings for a Web Asset
    • Protect an existing production site with CloudGuard WAF's Gateway
    • View Policy of all your Web Applications/APIs
    • Add Data Loss Prevention (DLP) rules
    • Configure Contextual Machine Learning for Best Accuracy
    • Track Agent Status
    • Track Learning and Move from Learn/Detect to Prevent
    • Rotate profile authentication token
    • Upgrade your Reverse Proxy when a Linux/NGINX agent is installed
    • Use Terraform to Manage CloudGuard WAF
    • Authorize Temporary Access for Check Point Support
    • Restrict Access to Backend Servers from CloudGuard WAF as a Service IPs Only
  • Troubleshooting
    • WAF Gateway / Virtual Machine
      • Azure
        • "Unable to find a tag containing the vault's name in the VMSS" Error
        • How To: Configure Key Vault for a Single Gateway
      • NGINX Error: Upstream Sent Too Big Header While Reading Response Header from Upstream
      • How To: Compare Between the Gateway's Certificate and the Upstream Certificate
    • Linux
      • SELinux: Checking Status and Disabling
    • WAF as a Service
      • Certificate Validation Failed: Adjusting CAA Record
      • How To: Redirect a Root Domain to a Subdomain Protected by WAF SaaS
      • How To: Extend Connection Timeout to Upstream
      • How To: Update Expired Certificates
  • references
    • Agent CLI
    • Management API
    • Event Query Language
    • Writing Snort Signatures
    • Events/Logs Schema
    • CVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Email Address Buffer Overflows (HIGH)
    • CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974: Ingress NGINX Controller RCE (Critical)
  • Resources
    • GitHub
    • Docker Hub
Powered by GitBook
On this page

Was this helpful?

  1. HOW TO

Upgrade your Reverse Proxy when a Linux/NGINX agent is installed

PreviousRotate profile authentication tokenNextUse Terraform to Manage CloudGuard WAF

Last updated 2 months ago

Was this helpful?

One of the possible deployments for CloudGuard WAF is a Linux agent installed on top over a .

If you wish to upgrade the Reverse Proxy while the agent is installed, follow the steps described in this documentation page.

NGINX

Step 1: Delete the agent module's load_module line

  • Locate your nginx modules folder path by running: nginx -V and look for the value of the "--modules-path" parameter. It is usually /usr/share/nginx/modules or /usr/lib/nginx/modules

  • Via command line access to the machine with the NGINX server and the agent, edit the following file: /etc/nginx/nginx.conf

  • Delete the following line (look for the path located previously): load_module /<modules folder path>/ngx_cp_attachment_module.so;

Step 2: Comment out the agent module's configuration lines

  • Edit all files in the paths /etc/nginx/conf.d/* or /etc/nginx/sites_enabled/*

    • Comment out (add '#' in the beginning of the line) all the lines, if exist, that begin with: cp-nano-nginx-attachment

  • If you added manually additional lines in other server configuration files - comment them out as well.

Step 3: Run a test command

Run the command 'nginx -t'. You should see it print out "test is successful".

Step 4: Upgrade the NGINX's software version

Run any commands you intended to run in order to upgrade the NGINX's software version

Step 5: Stop and start the agent, while triggering deployment of a new attachment

Run the following commands: cpnano -q rm -rf /etc/cp/packages rm /etc/cp/conf/manifest.json cpnano -r

Step 6: Verify the agent has restarted

After one minute that the agent has restarted successfully using the following command: cpnano -s

Last update status should state “Succeeded” and Last update should show a time in the scope of the last few minutes.

Step 7: Undo the changes done in step 2

Remove the "comment out" character ('#') from all the lines it was added to in step 2 (In the paths /etc/nginx/conf.d/* or /etc/nginx/sites_enabled/* )

Step 8: NGINX reload

Run the following commands: nginx -s reload systemctl restart nginx

supported Reverse Proxy