CloudGuard WAF
  • Documentation Overview
  • What is CloudGuard WAF?
  • Getting started
    • Prepare key information
    • Log in to the Infinity Portal
    • Protect a Web Application / API
    • Deploy Enforcement Point
      • Gateway/Virtual Machine
        • AWS
          • Store Certificates in AWS
          • Store certificates on Gateway
        • Azure
          • Store Certificates in Azure
          • Store Certificates on Gateway
        • VMware
          • Store Certificates on Gateway
          • Configure networking in VMware Deployments
      • WAF as a Service
        • Certificates Managed by Check Point
        • Bring Your Own Certificate
      • Kubernetes Ingress
        • Kong Application Security
        • Istio Application Security
      • Docker
        • Single Docker
          • Deployment using 'docker' command
            • Store Certificates Locally on Docker
          • Deployment in Azure App Services
        • Dual Docker: NGINX/Kong/Envoy + Security Agent
      • Linux / NGINX / Kong
    • Monitor Events
  • Concepts
    • Gateways & Agents
    • Management & Automation
    • Security Practices
    • Contextual Machine Learning
  • Additional Security Engines
    • Anti-Bot
    • API Protection
      • API Discovery
      • Track API Discovery Learning
      • Enforce API Schema
    • File Security
    • Intrusion Prevention System (IPS)
    • Rate Limit
    • Snort Rules
  • SETUP INSTRUCTIONS
    • Setup Custom Rules and Exceptions
    • Setup Web User Response Pages
    • Setup Log Triggers
    • Setup Report Triggers
    • Setup Notification Triggers
    • Setup Behavior Upon Failure
    • Setup Agent Upgrade Schedule
  • HOW TO
    • Edit Web Application/API Settings
    • Edit Reverse Proxy Advanced Settings for a Web Asset
    • Protect an existing production site with CloudGuard WAF's Gateway
    • View Policy of all your Web Applications/APIs
    • Add Data Loss Prevention (DLP) rules
    • Configure Contextual Machine Learning for Best Accuracy
    • Track Agent Status
    • Track Learning and Move from Learn/Detect to Prevent
    • Rotate profile authentication token
    • Upgrade your Reverse Proxy when a Linux/NGINX agent is installed
    • Use Terraform to Manage CloudGuard WAF
    • Authorize Temporary Access for Check Point Support
    • Restrict Access to Backend Servers from CloudGuard WAF as a Service IPs Only
  • Troubleshooting
    • WAF Gateway / Virtual Machine
      • Azure
        • "Unable to find a tag containing the vault's name in the VMSS" Error
        • How To: Configure Key Vault for a Single Gateway
      • NGINX Error: Upstream Sent Too Big Header While Reading Response Header from Upstream
      • How To: Compare Between the Gateway's Certificate and the Upstream Certificate
    • Linux
      • SELinux: Checking Status and Disabling
    • WAF as a Service
      • Certificate Validation Failed: Adjusting CAA Record
      • How To: Redirect a Root Domain to a Subdomain Protected by WAF SaaS
      • How To: Extend Connection Timeout to Upstream
      • How To: Update Expired Certificates
  • references
    • Agent CLI
    • Management API
    • Event Query Language
    • Writing Snort Signatures
    • Events/Logs Schema
    • CVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Email Address Buffer Overflows (HIGH)
    • CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974: Ingress NGINX Controller RCE (Critical)
  • Resources
    • GitHub
    • Docker Hub
Powered by GitBook
On this page
  • Authentication
  • Creating an API Key
  • Using an API Key to authenticate
  • API Reference
  • View and usage without an external client (using GraphQL)
  • Sending GraphQL requests from external sources
  • GraphQL methods
  • Object structure overview
  • Object sharing (visibility field)
  • API tester

Was this helpful?

  1. references

Management API

PreviousAgent CLINextEvent Query Language

Last updated 5 months ago

Was this helpful?

CloudGuard WAF provides a collection of GraphQL APIs that allows to Authenticate, Create, Read, Update Delete any object in the system as well as Publish or Enforce a set of changes.

GraphQL is a strongly typed API query language. It allows clients to define the structure of the data required, and exactly the same structure of the data is returned from the server. This avoids both the problems of over and under-fetching data, while also allowing for a powerful and flexible API.

See here the .

Authentication

Creating an API Key

Go to Account Settings -> API Keys and create a new API Key for the 'CloudGuard WAF' service. Configure the Expiration date.

After clicking on Create your Client ID and Secret Key will be shown for a single time. Copy it to a secure location as they are not retrievable once the window will be closed.

The ID and Key provide access to your account from the Internet. Secure your keys very carefully. We strongly recommend to use a vault solution for holding your keys and to rotate them periodically.

Using an API Key to authenticate

Before using the specific GraphQL API, you first need to create a valid token to Infinity Portal.

Infinity Portal uses REST API. Use the following REST API:

POST <server address>/auth/external

Example of adding the authorization bearer token "abcde-f12345f" to an API call using curl:

curl -H "Authorization: Bearer abcde-f12345f" https://<infinity portal address>/app/waf/graphql/v1

API Reference

View and usage without an external client (using GraphQL)

Under Support->API we provide a GraphQL-based interface for:

  1. Viewing all available functions, divided into query functions that are available for Read-Only users as well, and mutations functions which change configuration and are not available for Read-only Users.

  2. Running custom requests and seeing the result received from the backend.

Configuration changes (mutation functions) done using this API will still require clicking on the Publish button in order to be saved in the database and unlocked for usage of other administrators, or by running the publishChanges API request.

The left hand screen allows you to modify GraphQL JSON queries. The middle screen shows the response upon clicking the play button. The right hand screen is the GraphQL documentation of all available functions.

Sending GraphQL requests from external sources

If you have a JWT temporary token using the authentication API described above, and you are familiar with creating a query or a mutation operation JSON body, then you can post such a JSON to the following URL with the JSON as the request body:

POST https://<infinity portal address>/app/waf/graphql/v1

Several clients (e.g. Postman) have a GraphQL mode that allows easily constructing the exact request body from the GraphQL JSON.

GraphQL methods

Most methods documented are about CRUD operations vs object in the database.

Read operations (queries) usually start with get* prefix, and GraphQL allows you to modify what exact fields you are interested in viewing. There are also read operations with the suffix *UsedBy which allow you to check for an object if it used by other objects (for example, a practice that is used by multiple assets and zones).

All non-Read operations are methods that are called mutations (as opposed to queries). For Create, Update and Delete operations on objects, the prefixes are usually new*, update* and delete*.

add*, move* and remove* are parallel prefixes for connecting between existing objects (for example, adding a practice to an asset).

share* methods are explained better in the objects structure overview – they are used for taking an existing object, which up until now has been used and owned by a single other object, and making them available to be used and shared by other objects as well (for example, taking an existing practice owned by a specific asset object, and making it globally available to be reused by additional assets and zones).

There are also additional special actions:

  • Agent revocation – revoke* methods

  • Publish configuration – A critical method to activate when the changes are completed, otherwise the objects will be locked for other administrators. There is also a method for discarding all changes.

  • Policy enforce operations – Sending a request to enforce the latest published policy by agents. The query method isEnforcePolicy provides information if a published policy is waiting to be enforced.

Object structure overview

The main hierarchy of objects in Infinity Next Management starts with an asset object (which can come in a variety of types) or a zone object (which represents a usually-dynamic group of assets according to a query).

This object can own other objects according to the following hierarchy:

In CloudGuard WAF's usage of GraphQL, an object can be owned by another object, or can be owned by a connection between 2 objects (and then it will have 2 owning IDs).

When creating an object that should be owned by a parent object, run the relevant get* method on the owning object to get its ID value prior to the object creation method call.

There are several objects in the behavior family. Some can be owned by an asset/zone object and some can be owned by the connection between an asset/zone and a practice.

  • The connection between an Asset/Zone and a Practice can own the following behavior object types:

    WebUserResponseBehavior

    ExceptionBehavior

  • A Web API or a Web Application asset can own the following behavior object type:

    TrustedSourceBehavior

Object sharing (visibility field)

Practices and behavior objects also have a visibility field that can have either the value of “Local” or “Shared”. A “Local” visibility object must contain an owning object ID and cannot be used by any other object in parallel. It will be deleted when the parent object is deleted as it is wholly owned by it.

However, through the share* methods you can make a “Local” visibility object into a “Shared” one which can be owned by multiple objects – Basically you are turning it into a globally used object which will not be deleted if any of the parent objects are deleted.

The “Share” action is irreversible – A Shared object cannot be turned into a “Local” visibility object.

When creating a practice or a behavior object make sure you have IDs of the parent object/s by using the relevant get* method/s if the visibility is set to “Local”. An empty owning ID can only exist if the visibility is set to “Shared” during the object creation.

When getting all objects, that can be either local or shared, the default behavior is to return only shared objects. A specific parameter is needed to be added to request to see the local objects as well. Specifically: getPractices will require includePrivatePractices to return local practice objects. getBehaviors will require includePrivateBehaviors to retun local behavior objects.

API tester

  1. Example usage of the GraphQL API.

Use the relevant server address as documented , to generate a JSON Web Token (JWT).

This token allows temporary usage of the application API using Bearer Authentication (as explained in ) until token expiration or revocation. It should be used as Authorization: Bearer [token] header for each API call.

The infinity portal address depends on the region you are working with, and can be seen in the .

The GitHub repository - includes the following:

JSON file of the API postman collection to import.

here
RFC 6750
Infinity Portal REST API documentation
infinitynext-mgmt-api-resources
management GraphQL
official GraphQL documentation