CloudGuard WAF
Search
K

Deploy Enforcement Point

Overview

CloudGuard WAF Enforcement Points are instances deployed in an environment that inspects traffic and enforce security policies. The Enforcement Points can have different form factors (Virtual Machine, Kubernetes Ingress, Docker container or Linux Agent) depending on the environment in which they are deployed. An enforcement point will be referred to as CloudGuard WAF's AppSec Gateway or Agent in this documentation. You can read more about the different enforcement points in the Gateways & Agents section.
While most deployment options below support a scalable solution behind a load balancer, there is no full sync High Availability (HA) option. The state between multiple instances within a single deployment is not synced.
Platform
Reverse Proxy / API Server
WAF Agent
Provided by Check Point and managed via WebUI/API/Terraform
Provided by Check Point and managed via WebUI/API/Terraform
Provided and managed by Admin
Provided by Check Point and managed via WebUI/API/Terraform
Docker
Option 1: Provided by Check Point and managed via WebUI/API/Terraform (Alpha).
Option 2: Managed by Admin while initial deployment can be provided by Check Point. Initial deployment can be in th esame container as the WAF agent or a separate one.
Provided by Check Point and managed via WebUI/API/Terraform
Provided and managed by Admin
Provided by Check Point and managed via WebUI/API/Terraform

Enforcement Profile

To deploy a CloudGuard WAF's AppSec Gateway or Agent you need an Enforcement Profile that determines the deployment type and other parameters related to the deployment.
If you completed the Web Application or Web API configuration wizard, an Enforcement Profile was created for you by the configuration wizard.
To view your profile, select Cloud, then Profiles in the menu on the left.
  • If you have just one profile, the system will automatically present it.
  • If you have more than one profile, you will be presented with a list of profiles and you can select the one you wish to use.
Profile Type cannot be changed but you can always create a new one by clicking Back to get the the Profiles selection screen and choosing New at the top toolbar.

Authentication Token

To establish a secure communication between the CloudGuard WAF's AppSec Gateways or Agents and the Check Point Cloud an authentication token is required. You will be asked to enter this token during deployment either in CLI or in a web form. The token can be obtained by clicking the Copy button near the Token field.
If the profile object was just created, make sure to "Enforce" the new configuration prior to using the copied authentication token.
According to security best practices, it is recommended to periodically rotate the token for all future new installations. Clicking on the
icon will invalidate the current token and create a new one that can be copied.
Existing agents that were already registered are not affected. Note - Once rotated, in order to allow deployments of additional agents, replace all deployment scripts/configuration files/key vault entries that contain the now-invalid token.

Download & Deployment

On the right side of a Profile page you will find the Download & Deployment instructions per the profile type you selected.
You can follow the on-screen instructions or the more detailed instructions available in the next pages of the documentation.