How To: Redirect a Root Domain to a Subdomain Protected by WAF SaaS

Goal: Provide a static IP address for the root domain's DNS settings, so that requests to the root domain are redirected to a subdomain protected by our Web Application Firewall, typically "www.".


Last updated 4 months ago


Overview:

Set up a Network Load Balancer (NLB) with two static IPs:

  • Static_IP_1 (e.g., 192.0.2.10)

  • Static_IP_2 (e.g., 192.0.2.20)

The NLB forwards the traffic to the ALB.

This guide will walk you through obtaining a certificate for your root domain, configuring an Application Load Balancer (ALB) rule for the redirect, and verifying the setup.

Step 1: Request a Certificate for the Root Domain

  1. Navigate to AWS Certificate Manager (ACM).

  2. Request a new certificate for your root domain (e.g., example.com).

    1. Click on "Request a certificate", then select "Request a public certificate" and follow the prompts.

    2. For Domain name, enter your root domain.

    3. Choose DNS validation for the validation method.

  3. Find your validation challenge: ACM provides a DNS validation record (CNAME name and CNAME value), which you can find in ACM -> Certificates -> <your certificate>. Add this record to your DNS configuration to complete the validation process.

  4. Wait until the certificate is validated. It may take some time for DNS changes to propagate and for ACM to validate the certificate. Monitor the certificate status in ACM.

Step 2: Add a Rule in the ALB

  1. Navigate to your ALB in the EC2 Management Console.

  2. Select the listener that handles incoming requests for your domain.

  3. Add a new rule to redirect requests from the root domain to the subdomain.

    1. Condition: the host header matches your root domain.

    2. Action: Redirect to the subdomain with appropriate protocol (HTTP or HTTPS), port and path.

Step 3: Add the Certificate

In the ALB screen, click the Certificates tab and then add a certificate.

Then find the certificate you added in Step 1.

Step 4: Add Relevant Tags in Rule

  • Tagging rules can help with organization and billing. Add any relevant tags as per your organization's tagging strategy.

  • Add the same relevant tags that the other rules have.

Step 5: Test

To test the redirect, use the following curl commands:

  • curl --resolve example.com:443:Static_IP_1 https://example.com -v

  • curl --resolve example.com:443:Static_IP_2 https://example.com -v

Replace example.com with your actual root domain and Static_IP_1 and Static_IP_2 with the static IP addresses of your Network Load Balancer (e.g., 192.0.2.10 and 192.0.2.20).

The expected result is a 301 redirect response pointing to the subdomain.
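The Step 5 check can be scripted so that it fails on anything other than the expected redirect. The following is an added example, not part of the CloudGuard WAF documentation; the function names, the `www.example.com` subdomain and the requirement that the redirect target uses HTTPS are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Usage (placeholder values from this page):
#   sh check_redirect.sh example.com www.example.com 192.0.2.10 192.0.2.20

# check_redirect SUBDOMAIN: reads raw HTTP response headers on stdin and
# succeeds only for a 301 whose Location is https://SUBDOMAIN (port 443).
check_redirect() {
  awk -v want="$1" '
    { sub(/\r$/, "") }                          # headers arrive with CRLF
    /^HTTP\// { status = $2; loc = "" }         # status line of the response
    tolower($1) == "location:" { loc = $2 }
    END {
      host = ""
      if (index(loc, "https://") == 1) {        # assumption: redirect stays on HTTPS
        split(substr(loc, 9), part, "[/?#]")    # cut host[:port] from path and query
        host = tolower(part[1])
      }
      want = tolower(want)
      # Exact host comparison: a substring match would also accept
      # a lookalike such as www.example.com.lookalike.invalid.
      if (status == "301" && host != "" && (host == want || host == (want ":443"))) {
        print "OK 301 -> " loc
        exit 0
      }
      print "FAIL status=" status " location=" loc
      exit 1
    }'
}

# probe_ip ROOT SUBDOMAIN IP: sends the request to one NLB static IP. curl does
# not follow the redirect and still validates the certificate for ROOT, so a
# missing or wrong ACM certificate on the ALB shows up as a failure.
probe_ip() {
  curl -sS --max-time 10 -o /dev/null -D - --resolve "$1:443:$3" "https://$1/" |
    check_redirect "$2"
}

if [ "$#" -eq 4 ]; then
  rc=0
  for ip in "$3" "$4"; do
    printf '%s: ' "$ip"
    probe_ip "$1" "$2" "$ip" || rc=1
  done
  exit "$rc"
fi
```
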

For a DNS zone hosted in Azure DNS:

Step 1: Create a sub-domain that will be protected by CloudGuard WAF

  1. Navigate to Azure DNS Zones.

  2. In the DNS zone, click on "+ Record set" to create a new record set.

    1. Set the Name field to the desired sub-domain (in this example it is 'www').

    2. Set the Type field to CNAME.

    3. Click Add.

Step 2: Onboard the sub-domain to CloudGuard WAF as a Service

Follow the instructions on the Infinity Portal.

Step 3: Create an Alias Record for the root domain

  1. In the DNS zone, click on "+ Record set" to create a new record set.

  2. Set the Name field to "@" to indicate the root domain. Set the Type to "A" or "CNAME" depending on your setup.

  3. In the Alias record set section, toggle the switch to "Yes".

  4. In the Alias type dropdown, select "Zone record set".

  5. In the Zone record set dropdown, select the subdomain you created and onboarded to CloudGuard WAF as a Service in Steps 1 and 2.

  6. Save the Record.
