# Table of Contents - [Documentation Overview | CloudGuard WAF](#documentation-overview-cloudguard-waf) - [What is CloudGuard WAF? | CloudGuard WAF](#what-is-cloudguard-waf-cloudguard-waf) - [Prepare key information | CloudGuard WAF](#prepare-key-information-cloudguard-waf) - [Deploy Enforcement Point | CloudGuard WAF](#deploy-enforcement-point-cloudguard-waf) - [Log in to the Infinity Portal | CloudGuard WAF](#log-in-to-the-infinity-portal-cloudguard-waf) - [Protect a Web Application / API | CloudGuard WAF](#protect-a-web-application-api-cloudguard-waf) - [AWS | CloudGuard WAF](#aws-cloudguard-waf) - [Store Certificates in AWS | CloudGuard WAF](#store-certificates-in-aws-cloudguard-waf) - [Gateway/Virtual Machine | CloudGuard WAF](#gateway-virtual-machine-cloudguard-waf) - [Store certificates on Gateway | CloudGuard WAF](#store-certificates-on-gateway-cloudguard-waf) - [Azure | CloudGuard WAF](#azure-cloudguard-waf) - [Store Certificates on Gateway | CloudGuard WAF](#store-certificates-on-gateway-cloudguard-waf) - [Configure networking in VMware Deployments | CloudGuard WAF](#configure-networking-in-vmware-deployments-cloudguard-waf) - [Kubernetes | CloudGuard WAF](#kubernetes-cloudguard-waf) - [Store Certificates on Gateway | CloudGuard WAF](#store-certificates-on-gateway-cloudguard-waf) - [DDoS Dashboard | CloudGuard WAF](#ddos-dashboard-cloudguard-waf) - [Istio Application Security | CloudGuard WAF](#istio-application-security-cloudguard-waf) - [WAF Dashboard | CloudGuard WAF](#waf-dashboard-cloudguard-waf) - [Monitor Events | CloudGuard WAF](#monitor-events-cloudguard-waf) - [Docker | CloudGuard WAF](#docker-cloudguard-waf) - [Notifications | CloudGuard WAF](#notifications-cloudguard-waf) - [Integrating WAF SaaS with AWS CloudFront | CloudGuard WAF](#integrating-waf-saas-with-aws-cloudfront-cloudguard-waf) - [VMware | CloudGuard WAF](#vmware-cloudguard-waf) - [WAF-as-a-Service (WAF SaaS) | CloudGuard WAF](#waf-as-a-service-waf-saas-cloudguard-waf) - [DDoS Protection | CloudGuard WAF](#ddos-protection-cloudguard-waf) - [Kong Application Security | CloudGuard WAF](#kong-application-security-cloudguard-waf) - [Single Docker | CloudGuard WAF](#single-docker-cloudguard-waf) - [Email Reports | CloudGuard WAF](#email-reports-cloudguard-waf) - [File Security | CloudGuard WAF](#file-security-cloudguard-waf) - [API Discovery Dashboard | CloudGuard WAF](#api-discovery-dashboard-cloudguard-waf) - [Store Certificates in Azure | CloudGuard WAF](#store-certificates-in-azure-cloudguard-waf) - [WAF-as-a Service (WAF SaaS) | CloudGuard WAF](#waf-as-a-service-waf-saas-cloudguard-waf) - [View Policy of all your Web Applications/APIs | CloudGuard WAF](#view-policy-of-all-your-web-applications-apis-cloudguard-waf) - [Contextual Machine Learning | CloudGuard WAF](#contextual-machine-learning-cloudguard-waf) - [Event Views | CloudGuard WAF](#event-views-cloudguard-waf) - [Track Agent Status | CloudGuard WAF](#track-agent-status-cloudguard-waf) - [Anti-Bot | CloudGuard WAF](#anti-bot-cloudguard-waf) - [Rotate profile authentication token | CloudGuard WAF](#rotate-profile-authentication-token-cloudguard-waf) - [Linux / NGINX / Kong | CloudGuard WAF](#linux-nginx-kong-cloudguard-waf) - [Security Practices | CloudGuard WAF](#security-practices-cloudguard-waf) - [API Discovery | CloudGuard WAF](#api-discovery-cloudguard-waf) - [Setup Log Triggers | CloudGuard WAF](#setup-log-triggers-cloudguard-waf) - [Setup Agent Upgrade Schedule | CloudGuard WAF](#setup-agent-upgrade-schedule-cloudguard-waf) - [Add Data Loss Prevention (DLP) rules | CloudGuard WAF](#add-data-loss-prevention-dlp-rules-cloudguard-waf) - [Gateways & Agents | CloudGuard WAF](#gateways-agents-cloudguard-waf) - [Rate Limit | CloudGuard WAF](#rate-limit-cloudguard-waf) - [Snort Rules | CloudGuard WAF](#snort-rules-cloudguard-waf) - [Protect an existing production site with CloudGuard WAF's Gateway | CloudGuard WAF](#protect-an-existing-production-site-with-cloudguard-waf-s-gateway-cloudguard-waf) - [Setup Web User Response Pages | CloudGuard WAF](#setup-web-user-response-pages-cloudguard-waf) - [Setup Behavior Upon Failure | CloudGuard WAF](#setup-behavior-upon-failure-cloudguard-waf) - [Setup Report Triggers | CloudGuard WAF](#setup-report-triggers-cloudguard-waf) - [Edit Web Application/API Settings | CloudGuard WAF](#edit-web-application-api-settings-cloudguard-waf) - [Restrict Access to Backend Servers from CloudGuard WAF as a Service IPs Only | CloudGuard WAF](#restrict-access-to-backend-servers-from-cloudguard-waf-as-a-service-ips-only-cloudguard-waf) - [Management & Automation | CloudGuard WAF](#management-automation-cloudguard-waf) - [Edit Reverse Proxy Advanced Settings for a Web Asset | CloudGuard WAF](#edit-reverse-proxy-advanced-settings-for-a-web-asset-cloudguard-waf) - [Deployment using 'docker' command | CloudGuard WAF](#deployment-using-docker-command-cloudguard-waf) - [Upgrade your Reverse Proxy when a Linux/NGINX agent is installed | CloudGuard WAF](#upgrade-your-reverse-proxy-when-a-linux-nginx-agent-is-installed-cloudguard-waf) - [Enable Mutual TLS (mTLS) Authentication in Gateway / Virtual Machine and Single Docker | CloudGuard WAF](#enable-mutual-tls-mtls-authentication-in-gateway-virtual-machine-and-single-docker-cloudguard-waf) - [API Protection | CloudGuard WAF](#api-protection-cloudguard-waf) - [Track API Discovery Learning | CloudGuard WAF](#track-api-discovery-learning-cloudguard-waf) - [Setup Notification Triggers | CloudGuard WAF](#setup-notification-triggers-cloudguard-waf) - [Intrusion Prevention System (IPS) | CloudGuard WAF](#intrusion-prevention-system-ips-cloudguard-waf) - [NGINX Application Security | CloudGuard WAF](#nginx-application-security-cloudguard-waf) - [Dual Docker: NGINX/Kong/Envoy + Security Agent | CloudGuard WAF](#dual-docker-nginx-kong-envoy-security-agent-cloudguard-waf) - [Certificate Validation Failed: Adjusting CAA Record | CloudGuard WAF](#certificate-validation-failed-adjusting-caa-record-cloudguard-waf) - [Enforce API Schema | CloudGuard WAF](#enforce-api-schema-cloudguard-waf) - [CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974: Ingress NGINX Controller RCE (Critical) | CloudGuard WAF](#cve-2025-1097-cve-2025-1098-cve-2025-24514-cve-2025-1974-ingress-nginx-controller-rce-critical-cloudguard-waf) - [Linux | CloudGuard WAF](#linux-cloudguard-waf) - [Event Advisor | CloudGuard WAF](#event-advisor-cloudguard-waf) - [CVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Email Address Buffer Overflows (HIGH) | CloudGuard WAF](#cve-2022-3786-and-cve-2022-3602-openssl-x-509-email-address-buffer-overflows-high-cloudguard-waf) - [Authorize Temporary Access for Check Point Support | CloudGuard WAF](#authorize-temporary-access-for-check-point-support-cloudguard-waf) - [SELinux: Checking Status and Disabling | CloudGuard WAF](#selinux-checking-status-and-disabling-cloudguard-waf) - [Event Query Language | CloudGuard WAF](#event-query-language-cloudguard-waf) - [Agent CLI | CloudGuard WAF](#agent-cli-cloudguard-waf) - [Configure Contextual Machine Learning for Best Accuracy | CloudGuard WAF](#configure-contextual-machine-learning-for-best-accuracy-cloudguard-waf) - ["Unable to find a tag containing the vault's name in the VMSS" Error | CloudGuard WAF](#-unable-to-find-a-tag-containing-the-vault-s-name-in-the-vmss-error-cloudguard-waf) - [WAF SaaS Certificate Expiration | CloudGuard WAF](#waf-saas-certificate-expiration-cloudguard-waf) - [WAF as a Service | CloudGuard WAF](#waf-as-a-service-cloudguard-waf) - [How To: Configure Key Vault for a Single Gateway | CloudGuard WAF](#how-to-configure-key-vault-for-a-single-gateway-cloudguard-waf) - [WAF Gateway / Virtual Machine | CloudGuard WAF](#waf-gateway-virtual-machine-cloudguard-waf) - [Writing Snort Signatures | CloudGuard WAF](#writing-snort-signatures-cloudguard-waf) - [How To: Extend Connection Timeout to Upstream | CloudGuard WAF](#how-to-extend-connection-timeout-to-upstream-cloudguard-waf) - [Azure | CloudGuard WAF](#azure-cloudguard-waf) - [Use Terraform to Manage CloudGuard WAF | CloudGuard WAF](#use-terraform-to-manage-cloudguard-waf-cloudguard-waf) - [GitHub | CloudGuard WAF](#github-cloudguard-waf) - [Docker Hub | CloudGuard WAF](#docker-hub-cloudguard-waf) - [NGINX Error: Upstream Sent Too Big Header While Reading Response Header from Upstream | CloudGuard WAF](#nginx-error-upstream-sent-too-big-header-while-reading-response-header-from-upstream-cloudguard-waf) - [Track Learning and Move from Learn/Detect to Prevent | CloudGuard WAF](#track-learning-and-move-from-learn-detect-to-prevent-cloudguard-waf) - [Deployment in Azure App Services | CloudGuard WAF](#deployment-in-azure-app-services-cloudguard-waf) - [Management API | CloudGuard WAF](#management-api-cloudguard-waf) - [How To: Compare Between the Gateway's Certificate and the Upstream Certificate | CloudGuard WAF](#how-to-compare-between-the-gateway-s-certificate-and-the-upstream-certificate-cloudguard-waf) - [Integrate CloudGuard WAF with Prometheus | CloudGuard WAF](#integrate-cloudguard-waf-with-prometheus-cloudguard-waf) - [Setup Custom Rules and Exceptions | CloudGuard WAF](#setup-custom-rules-and-exceptions-cloudguard-waf) - [Events/Logs Schema | CloudGuard WAF](#events-logs-schema-cloudguard-waf) - [How To: Redirect a Root Domain to a Subdomain Protected by WAF SaaS | CloudGuard WAF](#how-to-redirect-a-root-domain-to-a-subdomain-protected-by-waf-saas-cloudguard-waf) - [Protect a Web API | CloudGuard WAF](#protect-a-web-api-cloudguard-waf) - [Authentication Enforcement | CloudGuard WAF](#authentication-enforcement-cloudguard-waf) --- # Documentation Overview | CloudGuard WAF Check Point CloudGuard WAF documentation includes several sections. You can easily navigate between them using the menu on the left (on a mobile device, click ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FClIma171eY3kr4tXMCQf%252Fimage.png%3Falt%3Dmedia%26token%3D9527faff-2a24-474e-ab14-7f23aa7c18ac&width=40&dpr=4&quality=100&sign=9021627b&sv=2)): * [**Getting Started**](https://waf-doc.inext.checkpoint.com/getting-started/prepare-key-information) \- Allows you to jump right into the setup. We recommend following the pages in the Getting Started section one after the other to quickly set up a working system. * [**Concepts**](https://waf-doc.inext.checkpoint.com/concepts/waf-as-a-service-waf-saas) - In-depth overview of key topics and concepts. Read the ones you find interesting, or read them all to get fully acquainted with how the product works. * [**Additional Security Engines**](https://waf-doc.inext.checkpoint.com/additional-security-engines/anti-bot) - Technical overview of the additional security practices provided with CloudGuard WAF and steps to activate them. * [**Setup Instructions**](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions) - Step-by-step guides for setting up additional configurations and options. * [**How To's**](https://waf-doc.inext.checkpoint.com/how-to/edit-web-application-api-settings) - Step-by-step guides for day-to-day operations and advanced features. * [**Troubleshooting**](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine) - Guides for solving common issues with WAF for each deployment type. * [**References**](https://waf-doc.inext.checkpoint.com/references/agent-cli) - Detailed description of the Agent CLI, Management API, and Event Query language. * [**Resources**](https://waf-doc.inext.checkpoint.com/resources/github) - External materials related to the product. [NextWhat is CloudGuard WAF?](https://waf-doc.inext.checkpoint.com/what-is-cloudguard-waf) Last updated 6 months ago Was this helpful? This site uses cookies to deliver its service and to analyze traffic. By browsing this site, you accept the [privacy policy](https://www.checkpoint.com/privacy/cookies/) . AcceptReject --- # What is CloudGuard WAF? | CloudGuard WAF CloudGuard WAF is a fully automated Web Application & API Security solution. It is powered by a patented machine learning engine which continuously analyzes users' HTTP/S requests as they visit the website or API. The analysis includes the application structure and how users interact with the content in order to identify patterns and automatically stop and block malicious requests and bad actors. [](https://waf-doc.inext.checkpoint.com/what-is-cloudguard-waf#main-features-of-cloudguard-waf) Main features of CloudGuard WAF ------------------------------------------------------------------------------------------------------------------------------------ * **Machine Learning-based Application Firewall** - stop application layer attacks, including OWASP Top 10, with very minimal tuning and no false positives. Pre-emptive (no software updates) protection for zero-days such as Log4Shell and Spring4Shell. * **HTTPS Traffic inspection** \- SSL certificates and private keys can be stored locally or in public cloud secrets storage (AWS/Azure) * **Integration into modern environments** and workloads (public cloud & Kubernetes) and CI/CD workflows supporting [**AWS**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws) **,** [**Azure**](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/azure) **,** [**VMWare**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware) **,** [**Kubernetes Ingress**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes) **,** [**Docker**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker) **,** [**Linux Servers**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/linux-nginx-kong) **, or** [**as a Service**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas) **.** * **Ease of ongoing management and maintenance** – Enterprise Grade SaaS Web UI, GraphQL API, and Infrastructure-as-code using Terraform [](https://waf-doc.inext.checkpoint.com/what-is-cloudguard-waf#additional-security-engines) Additional Security Engines ---------------------------------------------------------------------------------------------------------------------------- * [**Anti-Bot**](https://waf-doc.inext.checkpoint.com/additional-security-engines/anti-bot) \- Identify and stop automated attacks before they negatively impact the bottom line or customer experience * [**API Protection**](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection) - Automatically detect API usage and sensitive content to provide security via visibility. Stop malicious API access and abuse. Enforce the API schema provided by the user or automatically detected by CloudGuard WAF. * [**File Security**](https://waf-doc.inext.checkpoint.com/additional-security-engines/file-security) \- prevents malicious files from being uploaded by utilizing Check Point's Threat Cloud. * [**Intrusion Prevention System (IPS)**](https://waf-doc.inext.checkpoint.com/additional-security-engines/intrusion-prevention-system-ips) - protections for over 2,800 WEB CVEs, based on Check Point award award-winning NSS-Certified IPS + Support for custom Snort 3.0 signatures. * [**Rate Limit**](https://waf-doc.inext.checkpoint.com/additional-security-engines/rate-limit) - Limit the number of requests to a matched URI within a configured time scope, according to the source identifier. * [**Snort Rules**](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules) - Enforce a set of Snort signatures in the same way regular IPS signatures are enforced. [PreviousDocumentation Overview](https://waf-doc.inext.checkpoint.com/) [NextPrepare key information](https://waf-doc.inext.checkpoint.com/getting-started/prepare-key-information) Last updated 6 months ago Was this helpful? --- # Prepare key information | CloudGuard WAF It is recommended to prepare the information below before you start deployment, as it will help you in the configuration process. [](https://waf-doc.inext.checkpoint.com/getting-started/prepare-key-information#target-environment-and-deployment-type) Target Environment and Deployment Type ------------------------------------------------------------------------------------------------------------------------------------------------------------------- Identify where you are going to install CloudGuard WAF and enforce security. The environment and deployment type will define which [Enforcement Point](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) applies to your project. You can read more about the different enforcement points in the [Gateways & Agents](https://waf-doc.inext.checkpoint.com/concepts/gateways-and-agents) section. Options are to deploy as: * As a Gateway/Virtual Machine in [AWS](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws) , [Azure,](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure) or VMware. * As [a Service](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas) in specified regions worldwide. Routing through the service is done by configuring the relevant DNS records for the site's domain. * in Kubernetes environments - It integrates with the most popular [NGINX Ingress Controller](https://kubernetes.github.io/ingress-nginx) , [Kong Ingress Controller](https://github.com/Kong/kubernetes-ingress-controller) , and as well as Istio Ingress Controller. * Using Docker in one of two main configurations: [Single Docker](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker) - a single Docker image containing a managed reverse proxy server and the CloudGuard WAF Security agent, or as [Dual D](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent) ocker - NGINX Reverse Proxy Docker or Kong API Gateway Docker + CloudGuard WAF Security Agent Docker. * As an [add-on for NGINX](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/linux-nginx-kong) , thus protects any applications and APIs served by NGINX Reverse Proxy. ### [](https://waf-doc.inext.checkpoint.com/getting-started/prepare-key-information#data-regions-and-points-of-presence-pops) Data regions and Points of Presence (PoPs) Data Residency refers to the physical or geographical location where your data is stored. In the specific case of [WAF SaaS](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas) , there are also separate supported regions for Points of Presence (PoPs). They refer to the physical locations where our Reverse Proxy and WAF agents are deployed, directly influencing your applications' security efficiency and response time. According to your environment's location (for latency concerns) and, if applicable, regulation concerns, select the data region (and PoP if applicable) from the supported options. [](https://waf-doc.inext.checkpoint.com/getting-started/prepare-key-information#application-or-api-configuration-details) Application or API Configuration Details ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- Collect the following information about the web application(s) or API(s) you are going to protect. You will need this to configure the CloudGuard WAF Assets. * What is the internal URL or IP address and port of the web application(s), API(s), or internal load balancer in front of them? These are often URLs that will only be accessible from your reverse proxy/security Gateway and not directly exposed to the Internet. * What is the external URL and port that you would like to expose to the users? For example - https://www.acme.com or https://acme.com/api. * In the common case, you use HTTPS, then depending on the deployment type, you should have access to the SSL certificate and private key (some deployments, like SaaS, do not require that you provide your certificates) * What is the best way to distinguish between users of the application or API? This is useful for the CloudGuard WAF machine learning process: * Specific header in the HTTP request * Specific key in an HTTP cookie * Specific key in HTTP JWT * IP address in the X-Forwarded-For header * IP address of the request [PreviousWhat is CloudGuard WAF?](https://waf-doc.inext.checkpoint.com/what-is-cloudguard-waf) [NextLog in to the Infinity Portal](https://waf-doc.inext.checkpoint.com/getting-started/log-in-to-the-infinity-portal) Last updated 5 months ago Was this helpful? --- # Deploy Enforcement Point | CloudGuard WAF [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point#overview) Overview -------------------------------------------------------------------------------------------------------- CloudGuard WAF Enforcement Points are instances deployed in an environment that inspects traffic and enforce security policies. The Enforcement Points can have different form factors (Virtual Machine, Kubernetes Ingress, Docker container or Linux Agent) depending on the environment in which they are deployed. An enforcement point will be referred to as CloudGuard WAF's Gateway or Agent in this documentation. You can read more about the different enforcement points in the [Gateways & Agents](https://waf-doc.inext.checkpoint.com/concepts/gateways-and-agents) section. While most deployment options below support a scalable solution behind a load balancer, there is no full sync High Availability (HA) option. The state between multiple instances within a single deployment is not synced. Platform Reverse Proxy / API Server WAF Agent [AWS, Azure, VMWare](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine) Provided by Check Point and managed via WebUI/API/Terraform Provided by Check Point and managed via WebUI/API/Terraform [WAF](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas) [as a Service](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas) Provided by Check Point as a Service and managed via WebUI Provided by Check Point as a Service and managed via WebUI [Kuberenetes Ingress](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes) Provided and managed by Admin Provided by Check Point and managed via WebUI/API/Terraform [Docker](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker) Option 1: Provided by Check Point and managed via WebUI/API/Terraform. Option 2: Managed by Admin while initial deployment can be provided by Check Point. Initial deployment can be in the same container as the WAF agent or a separate one. Provided by Check Point and managed via WebUI/API/Terraform [Linux/NGINX/Kong](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/linux-nginx-kong) Provided and managed by Admin Provided by Check Point and managed via WebUI/API/Terraform [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point#enforcement-profile) Enforcement Profile ------------------------------------------------------------------------------------------------------------------------------ To deploy a CloudGuard WAF's AppSec Gateway or Agent you need an **Enforcement Profile** that determines the deployment type and other parameters related to the deployment. If you completed the **Web Application** or **Web API** configuration wizard, an **Enforcement Profile** was created for you by the configuration wizard. To view your profile, select **Policy**, then **Profiles** in the menu on the left. * If you have just one profile, the system will automatically present it. * If you have more than one profile, you will be presented with a list of profiles and you can select the one you wish to use. Profile Type cannot be changed but you can always create a new one by clicking **Back** to get the the Profiles selection screen and choosing **New** at the top toolbar. [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point#authentication-token) Authentication Token -------------------------------------------------------------------------------------------------------------------------------- To establish a secure communication between the CloudGuard WAF's AppSec Gateways or Agents and the Check Point Cloud an authentication token is required. You will be asked to enter this token during deployment either in CLI or in a web form. The token can be obtained by clicking the Copy button near the Token field. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FodEuUgaIWcxkuTtYrJ2n%252Fappsec-profiles-authentication-token.PNG%3Falt%3Dmedia%26token%3Daaa5d4ad-7a5b-4986-9378-7ec39b22aadd&width=300&dpr=4&quality=100&sign=372cae61&sv=2) If the profile object was just created, make sure to "Enforce" the new configuration prior to using the copied authentication token. According to security best practices, it is recommended to periodically rotate the token for all future new installations. Clicking on the ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FZSgdc1pUg3GPoZxvlBFM%252Frotate-icon.PNG%3Falt%3Dmedia%26token%3D77bd7cd8-658a-41f4-bb68-b5cffe4f404a&width=300&dpr=4&quality=100&sign=96a3e00c&sv=2) icon will invalidate the current token and create a new one that can be copied. Existing agents that were already registered are not affected. **Note** - Once rotated, in order to allow deployments of additional agents, replace all deployment scripts/configuration files/key vault entries that contain the now-invalid token. [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point#download-and-deployment) Download & Deployment ------------------------------------------------------------------------------------------------------------------------------------ On the right side of a **Profile** page you will find the Download & Deployment instructions per the profile type you selected. You can follow the on-screen instructions or the more detailed instructions available in the next pages of the documentation. [PreviousProtect a Web Application / API](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-application-api) [NextGateway/Virtual Machine](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine) Last updated 11 months ago Was this helpful? --- # Log in to the Infinity Portal | CloudGuard WAF The [**Check Point Infinity Portal**](https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Infinity-Portal-Admin-Guide/Topics-Infinity-Portal/Introduction-to-Infinity-Portal.htm) is a web-based platform that hosts Check Point's Security-as-a-Service (SaaS) offerings. To get started with CloudGuard WAF the first thing you need is an account in the Check Point Infinity Portal. [](https://waf-doc.inext.checkpoint.com/getting-started/log-in-to-the-infinity-portal#check-point-infinity-portal) Check Point Infinity Portal --------------------------------------------------------------------------------------------------------------------------------------------------- Complete the following steps to log in and create a User Account and a Company Account in the Infinity Portal. #### [](https://waf-doc.inext.checkpoint.com/getting-started/log-in-to-the-infinity-portal#step-1-log-in-to-check-point-infinity-portal) **Step 1: Log In to Check Point Infinity Portal** Go to Check Point's Infinity Portal address - [https://portal.checkpoint.com](https://portal.checkpoint.com/) . Select the data region you wish to log into. The data region cannot change for an account once created, and you will need to sign out if you wish to login to a different data region. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FcM2SQ2geD3pd7afs5XvU%252Fgeneral-portal-loginPage.PNG%3Falt%3Dmedia%26token%3D72cb398c-9602-4d6c-a641-9f3d73652acb&width=768&dpr=4&quality=100&sign=737f4576&sv=2) If you already have an account, log in and skip to Step 2. If you don't have an account yet, click _**Don't have an account? Register here**_ and enter your details in the registration form. Make sure to select your data residency region from the available options correctly if this restriction is critical to your operation. This setting cannot be changed later. The following example screenshot comes from the EU/US portal and so it includes the question about the data residency. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FJ3nYYktwBkvE3B0PuZGg%252Fgeneral-portal-create-account.PNG%3Falt%3Dmedia%26token%3Dd72bcf9f-ae41-437a-8689-bdad71275adc&width=768&dpr=4&quality=100&sign=33b24458&sv=2) If this is the first time you used an email address in Infinity Portal, you will receive an email for initial login. Follow the link in the email until you are securely logged in. #### [](https://waf-doc.inext.checkpoint.com/getting-started/log-in-to-the-infinity-portal#step-2-select-your-account) Step 2: Select your Account If this is the first time you use Infinity Portal, skip to Step 3. Your user can be associated with multiple accounts. Near the left side of the top banner of Infinity Portal it is possible to see the current account (in the example of the screenshot below it possible to see "_my-tenant-name_"). Make sure the selected account is the account you want to use for CloudGuard WAF. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FkDjysl8nfhDssqZKlR8S%252Fgeneral-portal-welcome.PNG%3Falt%3Dmedia%26token%3Dafaaa3b1-60f1-4549-9422-0fa3be0aa569&width=768&dpr=4&quality=100&sign=c002aab1&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/log-in-to-the-infinity-portal#step-3-select-an-application) Step 3: Select an Application Click on the Application Selector icon ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FSFHhE6DJURePQA65Krm9%252Fimage.png%3Falt%3Dmedia%26token%3Da9156fd3-edd1-4bc1-a698-845e537fef5c&width=47&dpr=4&quality=100&sign=dcc231e2&sv=2) on the top left corner and select **WAF** in the **CloudGuard** pillar. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F0A9Na3M1zjtCKxqIvbVO%252Fgeneral-portal-apps-menu.PNG%3Falt%3Dmedia%26token%3D5a573fdc-9952-4e13-b97d-e61e8e02ac87&width=768&dpr=4&quality=100&sign=cfd70cd8&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/log-in-to-the-infinity-portal#step-4-accept-the-terms-of-service-and-privacy-policy) Step 4: Accept the Terms of Service and Privacy Policy Accept the Infinity Portal Terms of Service and the Privacy Policy by selecting the corresponding checkbox. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FnTt61I5HpeNO9tjl0ZKV%252Fgeneral-inxt-app-terms-of-service.PNG%3Falt%3Dmedia%26token%3D2b6faceb-dd0c-4079-b5a2-0ba474d56031&width=768&dpr=4&quality=100&sign=bc0ac73a&sv=2) [PreviousPrepare key information](https://waf-doc.inext.checkpoint.com/getting-started/prepare-key-information) [NextProtect a Web Application / API](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-application-api) Last updated 5 months ago Was this helpful? --- # Protect a Web Application / API | CloudGuard WAF CloudGuard WAF provides a configuration wizard that allows you to set up everything you need for basic protection of your web application. Once you completed the wizard you can set up a CloudGuard WAF's AppSec Gateway or Agent to enforce security. [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-application-api#new-asset-wizard) New Asset Wizard ----------------------------------------------------------------------------------------------------------------------------- #### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-application-api#step-1-launch-the-configuration-wizard) Step 1: Launch the configuration wizard: * When logged in to the management portal, click the **Policy** option in the main navigation menu on the left. You should see the **CloudGuard Getting Started** page. * In the **Policy -> Getting Started** page, then click **New Asset**. The configuration wizard should open. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FGHBapsNQhSD55Nl2ZADx%252Fappsec-policy-getting-started.PNG%3Falt%3Dmedia%26token%3D733795d4-dcbd-4b52-837e-9d28823dc895&width=768&dpr=4&quality=100&sign=5f5bfeda&sv=2) Follow these configuration steps in the **New Web Application / API** wizard: #### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-application-api#step-2-application-details) Step 2: Application Details Complete the following details (which you have [prepared before](https://waf-doc.inext.checkpoint.com/getting-started/prepare-key-information) ): ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FKcu4egcXzb5qVO8fRbxp%252F1-Application.png%3Falt%3Dmedia%26token%3D128bcf74-dba4-46de-ac8f-8d3b6b7208f6&width=768&dpr=4&quality=100&sign=1410fbc4&sv=2) * Name - choose a clear distinguishable name for your application * Tags (Optional) - can be used for searches * Application URLs for users - configure at least one host address with optional port. CloudGuard WAF will protect these hosts. Examples: * `https://www.acme.com` (listen to inbound traffic to this address on all ports) * `http://www.acme.com:80` (only listen to inbound traffic to this address on port 80) * `https://www.acme.com/sales` * `https://sales.acme.com` * `https://172.20.20.4:3000` * Single application URL for the reverse proxy function - This URL is required, if the asset is secured by a CloudGuard WAF deployment in which the reverse proxy function is configured through the WAF Management. The Reverse Proxy translates the external URL, used by users, into an internal URL and forwards the request to it. This internal URL should be written here (See diagram). #### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-application-api#step-3-practices) Step 3: Practices Select the Practices that you want to enable and their Mode: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fq3Hrn6DkwNw0ts2AO87w%252F2-Practices.png%3Falt%3Dmedia%26token%3D7d2f3570-1814-467c-b2e5-ad95318d0dc0&width=768&dpr=4&quality=100&sign=368c57d1&sv=2) Modes: * **Learn/Detect** - we recommend starting with this mode as it allows the Machine Learning engine to train and you can examine the system behavior, all while traffic is not affected. * **Prevent** \- in this mode traffic will be blocked if malicious traffic is found. #### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-application-api#step-4-platform-and-deployment-configuration) Step 4: Platform and Deployment configuration 1. Choose a deployment method: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FxGMgTvzb1CK35Cg9gywh%252F3-Platform.png%3Falt%3Dmedia%26token%3Dfa45fc5c-dd24-4573-aefa-c673fc735e66&width=768&dpr=4&quality=100&sign=23d181b0&sv=2) CloudGuard WAF can be deployed as: * A pre-packaged Gateway (Virtual Machine for secure managed reverse proxy): * In AWS * In Azure * In VMware * WAF as a service in supported regions world-wide (DNS configuration for your domain will change to its location) * A pre-packaged docker containing a secure managed reverse proxy. **Note** - a user can opt to manage the reverse proxy settings locally. * A separate Reverse Proxy/API server Docker + WAF Agent Docker * An add-on to an existing/new NGINX Kubernetes Ingress * An add-on to an existing/new supported Reverse Proxy/API Server. If you choose the option of a **Virtual Machine (VM)**, the option of **SaaS** or the option of a **managed docker**, you must also enter the internal URL of the application or API or internal load balancer so the reverse proxy function will know to which URL should these asset's external URL be forwarded. This URL must be accessible to the managed Reverse Proxy server but will not be exposed to the outside. This URL was configured in step 1 of the wizard. #### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-application-api#step-5-learning) Step 5: Learning Define how the Machine Learning engine should distinguish between different API or Human users and who the users are that can be trusted. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FeEzNmsjk73dtRzyfxCDM%252F4-Learning.png%3Falt%3Dmedia%26token%3D9411fa55-2126-45eb-8ac7-ce910bafaf80&width=768&dpr=4&quality=100&sign=f3701fc1&sv=2) 1. Select the method by which different users will be distinguished from one another: * **X-Forwarded-For Header** - When there is a Reverse Proxy or ALB between the Reverse Proxy the agent is running on, and the internet - the original source IP address cannot be seen on the networking level. This option allows the Nano-Agent to identify the original source IP inside the X-Forwarded-For header. No additional parameters are required in the common case where a single Reverse Proxy/ALB is found before the agent's deployment. In the less common case, where there is more than 1 reverse proxy and/or ALB deployments before the reverse proxy with CloudGuard WAF: * After the wizard is completed you must edit the created Web Application/API asset object. * Add the IP addresses of the previous hops, to allow the distinction between them and the original source address. This is explained in more details [here](https://waf-doc.inext.checkpoint.com/how-to/configure-contextual-machine-learning-for-best-accuracy) . * **Source IP** **Address** \- The Nano-Agent uses the source IP address as the identifier. No additional parameters are required. Additional methods can be defined later by editing the Web Application/API asset object. These include: * **Cookie Key** - when you select this option, you need to add the key name within the cookie whose value is used as the unique identifier of the original source. * **HTTP Header** - when you select this option, you need to add the HTTP header name whose value is used as the unique identifier of the original source. * **JWT Key** - Authenticated API calls send a JSON Web Token (JWT) received by authentication API. This JWT usually contains identifying field. When you select this option, the value of one of the JWT keys can be used as the unique identifier of the original source. 2\. If you do not intend to use additional methods, you may already define trusted sources that serve as a baseline for comparison for _benign behavior_, and how many Users/Addresses must exhibit similar activity for it to really be considered benign by the learning model (Otherwise it is recommended to perform this step after the wizard has been completed by editing the asset and after changing the method by which users are distinguished). ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fw3ZGgvg8I3LWjyKburm4%252Fimage.png%3Falt%3Dmedia%26token%3D722fd9ac-d2f1-420d-89bc-7ca71c158c18&width=768&dpr=4&quality=100&sign=d2585bc6&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-application-api#step-6-certificate-storage-configuration-and-deployment-instructions) Step 6: Certificate storage configuration and deployment instructions If, during the previous step, a "New Profile" option was selected, then the "Certificates" page will also prompt a decision, relevant for all CloudGuard WAF's AppSec Gateways that will connect to this profile, regarding where the certificates for HTTPS traffic will be stored. For the WAF SaaS option - the option of bringing your own SSL/TLS certificates will be available in the future. This decision is only relevant for the pre-packaged Gateway (Virtual Machine) option in AWS and Azure. In those cases it is possible to either select a secure vault in the relevant public cloud, or local storage. This configuration can be later changed by editing the created profile via **Cloud->Profiles.** If the "Existing Profile" option was selected, then it will not be possible to choose a different configuration from what is already set in this profile. Exact setup instructions for certificates will be available in the profile page. For CloudGuard WAF on AWS or Azure, there are two methods for storing certificates and private keys. For all other deployments only the first is available: * [On the WAF Gateway itself](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/store-certificates-on-gateway) - a simple procedure allows you to upload the certificates and private keys directly to your gateway(s) using Secure Copy Protocol (SCP/SSH). No further configuration is required - CloudGuard WAF will locate the local files automatically. * **Advantage**: you have full control of your secrets * **Disadvantage**: does not support automatic scaling * If you are using CloudGuard WAF on [AWS](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws) or [Azure](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure) you can store secrets in secured vaults of these platforms and CloudGuard WAF's AppSec Gateway can fetch it from there. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F6H2Hq2XunVIiSoWiD01g%252F5-Certificates-AWS.png%3Falt%3Dmedia%26token%3D4a16e423-4b67-4a0b-9e9c-bfb59f5014ca&width=768&dpr=4&quality=100&sign=21b8895a&sv=2) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Firp25TnHbR36HbIl5R9T%252F5-Certificates-Azure.png%3Falt%3Dmedia%26token%3D098ae3bc-ccc6-4726-830d-da384319853a&width=768&dpr=4&quality=100&sign=5c4476ae&sv=2) For WAF SaaS deployment this page will support in the future the option of certificates provided by you. The available option is for WAF SaaS to provide the certificates. Completing the deployment and providing certificates requires actions after the wizard has ended, for each domain configured on the new asset: 1. Proving ownership of each domain to allow issuing the certificates for it on WAF SaaS side. 2. Configuring the DNS record for each domain so traffic to it will be routed to WAF SaaS. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F1FYa7VThNoX50YLPOPsn%252F5-Certificates-SaaS.png%3Falt%3Dmedia%26token%3D02ee0997-5aa2-43d4-922b-7dbe590db0d9&width=768&dpr=4&quality=100&sign=ac76de31&sv=2) For all other deployment options there is no configuration required through WAF web management. However, instructions on how to install the certificates for each deployment appear in both wizard and later on when editing the profile in **Cloud->Profiles**. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FFSaUYEji2pUXCddm4nfV%252Fappsec-assets-wizard-05-certificates-embedded.PNG%3Falt%3Dmedia%26token%3D0375cc49-f1ba-4347-8fa8-da83909c2c4e&width=768&dpr=4&quality=100&sign=1136e41&sv=2) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FVUiuofe0OdbaCliVb4fy%252Fappsec-assets-wizard-05-certificates-k8s-ingress.PNG%3Falt%3Dmedia%26token%3D4d8362e0-48b6-44c3-a8f1-188f16417632&width=768&dpr=4&quality=100&sign=b2c1c59&sv=2) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F02NcdyRAI6l2div0xrWT%252Fappsec-assets-wizard-05-certificates-vmware.PNG%3Falt%3Dmedia%26token%3D0a33b860-bb53-4003-b79f-67fd5cd838fc&width=768&dpr=4&quality=100&sign=5f2174cf&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-application-api#step-7-reporting) Step 7: Reporting During the Web Application onboarding it is possible to configure a new Report Trigger to send a summary report, based on your preferences to a list of email addresses or use an existing, pre-configured Report Trigger. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F8l6TYUmH2HL2EI7hA07x%252F6-Reporting.png%3Falt%3Dmedia%26token%3Dfee2c14c-cd49-4519-ab4b-597cd5fe43fd&width=768&dpr=4&quality=100&sign=1e3dac15&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-application-api#step-7-summary) Step 7: Summary Review the configuration summary and choose how you would like to proceed. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FnlBhEST8548SUWzmDt4k%252F7-Summary.png%3Falt%3Dmedia%26token%3Dd6ca2271-1b29-43cd-ba34-63e1aadfe897&width=768&dpr=4&quality=100&sign=16d93734&sv=2) By keeping the default selections and clicking **Done**, you can Publish & Enforce your settings and proceed to the **Profile** page, which includes instructions for deployment of an CloudGuard WAF's AppSec Gateway, WAF SaaS or Agent. You can also choose Advanced Settings to explore additional features and later proceed with enforcement point deployment. ### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-application-api#deploy-enforcement-point-gateway-or-agent) Deploy Enforcement Point - Gateway or Agent You are minutes away from protecting your Web Application. The last step is to deploy an Enforcement Point. See instructions here: [Deploy Enforcement Point](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) [PreviousLog in to the Infinity Portal](https://waf-doc.inext.checkpoint.com/getting-started/log-in-to-the-infinity-portal) [NextDeploy Enforcement Point](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) Last updated 6 months ago Was this helpful? --- # AWS | CloudGuard WAF **Overview** If you are deploying a CloudGuard WAF AppSec Gateway to protect an existing production website, we recommend you also read the [HOW-TO guide for this particular deployment](https://waf-doc.inext.checkpoint.com/how-to/protect-an-existing-production-site-with-cloudguard-wafs-gateway) . CloudGuard WAF can be deployed as either a single virtual machine or Auto-Scaling Group in AWS. It acts as a reverse proxy where before / after you can deploy AWS Load Balancers: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FKme4fpG9iLiyGspQLgCp%252Fdownload%2520%282%29.svg%3Falt%3Dmedia%26token%3Dcd53c52f-f89f-4942-8f83-03f497b75fda&width=768&dpr=4&quality=100&sign=a81690de&sv=2) When deploying an auto-scaling group, the external load balancer is deployed automatically [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws#installation) Installation -------------------------------------------------------------------------------------------------------------------------------------------- Follow these steps to deploy CloudGuard WAF in AWS using a supplied CloudFormation Template: #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws#step-1-aws-console-log-in) Step 1: AWS Console Log in Log in to **AWS Console** and select the relevant region. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws#step-2-activate-cloudguard-waf-through-the-aws-marketplace-once-per-region) Step 2: Activate CloudGuard WAF through the AWS Marketplace (Once per Region) Search for [CloudGuard WAF in AWS Marketplace](https://aws.amazon.com/marketplace/server/procurement?productId=d9ada83e-6d91-448f-8097-63a789504f5f) . During activation, a form with a field to select one of the AWS regions, is shown. Select the region in which you wish to deploy CloudGuard WAF's Gateway. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws#step-3-verify-required-permissions) Step 3: Verify required permissions Verify that you have the required **IAM permissions:** IAM permissions[](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws#iam-permissions) CloudFormation::DescribeStackEvents CloudFormation::DescribeStacks CloudFormation::ListStacks CloudFormation::ListStackResources CloudFormation::CreateStack elasticloadbalancing::DescribeLoadBalancers elasticloadbalancing::DescribeListeners elasticloadbalancing::DescribeTargetGroups elasticloadbalancing::CreateTargetGroup elasticloadbalancing::CreateListener elasticloadbalancing::CreateLoadBalancer elasticloadbalancing::ModifyTargetGroupAttributes elasticloadbalancing::ModifyLoadBalancerAttributes SNS::CreateTopic SNS::GetTopicAttributes SNS::Subscribe IAM::GetRolePolicy IAM::PutRolePolicy IAM::CreateInstanceProfile IAM::CreateRole IAM::AddRoleToInstanceProfile EC2::DescribeInternetGateways EC2::DescribeLaunchTemplates EC2::DescribeLaunchTemplateVersions EC2::DescribeKeyPairs EC2::DescribeSecurityGroups EC2::DescribeSubnets EC2::DescribeVpcs EC2::DescribeAccountAttributes EC2::CreateTags EC2::AuthorizeSecurityGroupIngress EC2::CreateLaunchTemplate EC2::CreateSecurityGroup EC2::RunInstances CloudWatch::PutMetricAlarm Health::DescribeEventAggregates **If you want AutoScaling setup:** AutoScaling::UpdateAutoScalingGroup AutoScaling::CreateAutoScalingGroup AutoScaling::DescribeAutoScalingGroups AutoScaling::DescribeScalingActivities AutoScaling::PutScalingPolicy AutoScaling::PutNotificationConfiguration **If you want to store certificates in AWS:** KMS::CreateGrant KMS::DescribeKey #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws#step-4-deployment-using-cloudformation) Step 4: **Deployment using CloudFormation** Choose one of three deployment options : Single Gateway into new VPC Single Gateway into existing VPC Auto-Scaling group into existing VPC ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FBwCux7kmhj3wLDGWWSTW%252FdiagramaAws1.jpg%3Falt%3Dmedia%26token%3Dc612b9a0-ae13-4186-bce5-e2a7fd2276b0&width=768&dpr=4&quality=100&sign=e724cf33&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws#choose-the-correct-fulfillment-option-in-the-marketplace-offer) Choose the correct fulfillment option in the Marketplace offer: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FNH7KsTlWMOBRq0pmVoyr%252Fimage.png%3Falt%3Dmedia%26token%3D9d4a5ae7-411a-4ce2-ba31-686e34f5c08d&width=768&dpr=4&quality=100&sign=4c45128f&sv=2) **VPC Network Configuration** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FGuPXzFD0ebcIj8Q5P3WH%252Fappsec-gateway-aws-vpc-network-configuration.png%3Falt%3Dmedia%26token%3Decd7a885-e37e-4205-8d6d-f282df2efaba&width=768&dpr=4&quality=100&sign=5dea0e97&sv=2) * **Availability Zone** - The availability zone in which to deploy the instance. * **VPC CIDR** - If you launched the CloudFormation template to create a new VPC - The CIDR of the new VPC. * **Public Subnet CIDR** - The Public (Frontend) subnet of the CloudGuard WAF's Gateway. * **Private Subnet CIDR** - The Private (Backend) subnet of the CloudGuard WAF's Gateway. **EC2 Instance Configuration** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fiel7LLmYizxkCroGTzV2%252Fappsec-gateway-aws-ec2-instance-configuration.png%3Falt%3Dmedia%26token%3D93e844fb-9ea3-4aba-af7f-30573bc83015&width=768&dpr=4&quality=100&sign=882843f8&sv=2) * **Gateway Name** - EC2 name. * **Gateway Instance type** - The machine size of the VM. Each machine size has its own compute price. See [Amazon EC2 Instance Types](https://aws.amazon.com/ec2/instance-types/) . * Minimum requirements: c5.large * **Key name** - The EC2 Key Pair you created for this region. * **Auto Assign Public IP** - If selected Yes, then the solution has a public IP address. * **Enable AWS Instance Connect** - Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH). See the [AWS EC2 User Guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html) . **Check Point Settings** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FB3RYuxgMQ3w1v2o7WDs4%252Fappsec-gateway-aws-check-point-settings.png%3Falt%3Dmedia%26token%3Df82cf425-e4fb-427b-b052-abdb06e87c3d&width=768&dpr=4&quality=100&sign=b6982706&sv=2) * **Gateway’s Password hash** – The hashed password for the Gaia Administration Portal. User is set to ‘admin’. Use this command to create the hash: `openssl passwd -1 <``_password_``>`. It is also possible to create a password using the SHA512 algorithm as follows: `openssl passwd -6 <``_password_``>`. * **Infinity Next Agent Token** - The token copied from the profile. Make sure you obtain the from the [Enforcement **Profile**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) page, **Authentication** section. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FodEuUgaIWcxkuTtYrJ2n%252Fappsec-profiles-authentication-token.PNG%3Falt%3Dmedia%26token%3Daaa5d4ad-7a5b-4986-9378-7ec39b22aadd&width=300&dpr=4&quality=100&sign=372cae61&sv=2) * **Fog Address (optional)** - Not used in production installations. The production cloud address is determined automatically. **Advanced Settings** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fstwz3AsGrpKhewHoe1hv%252Fappsec-gateway-aws-advanced-settings.png%3Falt%3Dmedia%26token%3D9fc927af-b6c7-43fb-84e1-b9ed04c9fb97&width=768&dpr=4&quality=100&sign=1b8abeec&sv=2) * **Gateway Hostname (Optional)** - The Gaia Hostname. * **Bootstrap Script (Optional)** The default Security Group associated to the created VPC is defined with these ports for Inbound traffic: * TCP Port 22 - for SSH. * TCP Port 443 - for HTTPS. * TCP Port 30443 - The CloudGuard WAF Gateway's Web UI. * TCP Port 80 - for HTTP. * To configure a single CloudGuard WAF gateway installation with SSL, refer to [Infinity Next Deployment and Configuration](https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Infinity-Next-Admin-Guide/Topics-Infinity-Next/Infinity-Next-Deployment-and-Configuration.htm?tocpath=Infinity%20Next%20Deployment%20and%20Configuration%7C_____0#How-to-Manually-Upload-Certificates) . ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FMhSlWVXsTVlCuoXl5BXm%252FdiagramaAws2.jpg%3Falt%3Dmedia%26token%3D06cce8cb-4ab3-46c5-b220-0fd0ecb49ab3&width=768&dpr=4&quality=100&sign=191deedf&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws#choose-the-correct-fulfillment-option-in-the-marketplace-offer-1) Choose the correct fulfillment option in the Marketplace offer: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FYxVZ16HR0l3TgUmoy39N%252Fimage.png%3Falt%3Dmedia%26token%3D2feb1bc9-a04c-4558-a1e3-68c48cee69d2&width=768&dpr=4&quality=100&sign=9893400a&sv=2) **VPC Network Configuration** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FirkAVNXBfpYohSM7tfv1%252Fappsecgw-aws-single-gw-existing-vpc-settings.png%3Falt%3Dmedia%26token%3D9d66c9bf-e51f-4ae3-89a5-98e2d3b9cc60&width=768&dpr=4&quality=100&sign=3a8d0bb5&sv=2) * **VPC** - Select an existing Virtual Private Network from your region. * **Public Subnet CIDR** - Select the Public (Frontend) subnet of the CloudGuard WAF's AppSec Gateway from the available list. * **Private Subnet CIDR** - Select the Private (Backend) subnet of the CloudGuard WAF's AppSec Gateway from the available list. * **Internal route table (optional)** - keep empty. **EC2 Instance Configuration** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fiel7LLmYizxkCroGTzV2%252Fappsec-gateway-aws-ec2-instance-configuration.png%3Falt%3Dmedia%26token%3D93e844fb-9ea3-4aba-af7f-30573bc83015&width=768&dpr=4&quality=100&sign=882843f8&sv=2) * **Gateway Name** - EC2 name. * **Gateway Instance type** - The machine size of the VM. Each machine size has its own compute price. See [Amazon EC2 Instance Types](https://aws.amazon.com/ec2/instance-types/) . * Minimum requirements: c5.large * **Key name** - The EC2 Key Pair you created for this region. * **Auto Assign Public IP** - If selected Yes, then the solution has a public IP address. * **Enable AWS Instance Connect** - Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH). See the [AWS EC2 User Guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html) . **Check Point Settings** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FB3RYuxgMQ3w1v2o7WDs4%252Fappsec-gateway-aws-check-point-settings.png%3Falt%3Dmedia%26token%3Df82cf425-e4fb-427b-b052-abdb06e87c3d&width=768&dpr=4&quality=100&sign=b6982706&sv=2) * **Gateway’s Password hash** – The hashed password for the Gaia Administration Portal. User is set to ‘admin’. Use this command to create the hash: `openssl passwd -1 <``_password_``>`. * **Infinity Next Agent Token** - The token copied from the profile. Make sure you obtain the from the [Enforcement **Profile**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) page, **Authentication** section. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FYzvLEF7i3WaT1i7658Gz%252Fimage.png%3Falt%3Dmedia%26token%3D51c2f533-ee81-4457-b98d-039f725b6587&width=300&dpr=4&quality=100&sign=456237d1&sv=2) * **Fog Address (optional)** - Not used in production installations. The production cloud address is determined automatically **Advanced Settings** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fstwz3AsGrpKhewHoe1hv%252Fappsec-gateway-aws-advanced-settings.png%3Falt%3Dmedia%26token%3D9fc927af-b6c7-43fb-84e1-b9ed04c9fb97&width=768&dpr=4&quality=100&sign=1b8abeec&sv=2) * **Gateway Hostname (Optional)** - The Gaia Hostname * **Bootstrap Script (Optional)** A security group with the name suffix "\*\_PermissiveSecurityGroup" will be created and associated with the existing VPC. This security group is defined with these ports for Inbound traffic: * TCP Port 22 - for SSH. * TCP Port 443 - for HTTPS. * TCP Port 30443 - The CloudGuard WAF AppSec Gateway's Web UI. * TCP Port 80 - for HTTP. * To configure a single CloudGuard WAF AppSec gateway installation with SSL, refer to [Infinity Next Deployment and Configuration](https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Infinity-Next-Admin-Guide/Topics-Infinity-Next/Infinity-Next-Deployment-and-Configuration.htm?tocpath=Infinity%20Next%20Deployment%20and%20Configuration%7C_____0#How-to-Manually-Upload-Certificates) . ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FCtzVyfsAwFlGxvJHbBf4%252FdiagramaAws3.jpg%3Falt%3Dmedia%26token%3Df8d2addd-ceba-41a2-a8ec-eceb655948a0&width=768&dpr=4&quality=100&sign=6490c474&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws#choose-the-correct-fulfillment-option-in-the-marketplace-offer-2) Choose the correct fulfillment option in the Marketplace offer: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F7N7E7GRHOBqwJLXzlNxq%252Fimage.png%3Falt%3Dmedia%26token%3Ddf89accb-f10f-43b4-8cc7-435a4dc6ab77&width=768&dpr=4&quality=100&sign=725157c4&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws#vpc-network-configuration) VPC Network Configuration ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FpwVSIPn932h5fNhspM7v%252Fappsecgw-aws-auto-scale-existing-vpc-settings.png%3Falt%3Dmedia%26token%3D644d8040-113d-4098-a5e2-5a2bf972648b&width=768&dpr=4&quality=100&sign=de1deb51&sv=2) * **VPC** \- Select an existing Virtual Private Network from your region. * **Gateways subnets** – Select at least two subnets in your VPC. The subnets must allow outbound traffic to the internet for communicating with CloudGuard WAF's Cloud. **EC2 Instance Details** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F91BY0amK4Epy2FEbjCvc%252Fimage.png%3Falt%3Dmedia%26token%3D61752d30-ff8a-4823-861e-20eb7b5888d8&width=768&dpr=4&quality=100&sign=17757455&sv=2) * **Auto Scaling Group name** - The name of the Auto Scaling Group. This name determines the VM's hostname prefix. * **Gateway Instance type** - The machine size of the VM. Each machine size has its own compute price. See [Amazon EC2 Instance Types](https://aws.amazon.com/ec2/instance-types/) . Minimum requirements: **c5.large** * **Volume encryption** - EBS encryption of the instances volumes using AWS managed KMS key. Custom KMS keys are not supported. If regional encryption is used then both AWS managed and Custom KMS keys are supported. * **Allow access from** - Specifies the client IP addresses that can reach your instance. This IP address range must be in CIDR notation. * To add IP addresses after the deployment: 1. Go to your deployed Stack > Resources or go to Services > EC2 > Security Groups and select the relevant Security Group. 2. Click Edit inbound rules. 3. Below the Source field, enter a list of IP addresses. * **Key name** - The EC2 Key Pair you created for this region. * **Enable EC2 Instance Connect** - Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH). See the [AWS EC2 User Guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html) . * **Gateway’s Password hash (Optional)** – This relates to Check Point Gaia administration portal. Read the next section for further explanation. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws#check-point-related-settings) **Check Point Related Settings** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FVuapVL9FYiHqiVuuT09C%252Fimage.png%3Falt%3Dmedia%26token%3D719f6f1b-2548-4644-a173-00ac24a18ee3&width=768&dpr=4&quality=100&sign=bbcd66a2&sv=2) * **Gateway’s Password hash (Optional, appears in EC2 instance details section)** – The hashed password for the Gaia Administration Portal. User is set to ‘admin’. Use this command to create the hash: `openssl passwd -1 <``_password_``>`. * **Infinity Next Agent Token** - The token copied from the profile. Make sure you obtain the from the [Enforcement **Profile**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) page, **Authentication** section. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FYzvLEF7i3WaT1i7658Gz%252Fimage.png%3Falt%3Dmedia%26token%3D51c2f533-ee81-4457-b98d-039f725b6587&width=300&dpr=4&quality=100&sign=456237d1&sv=2) * **Fog Address (optional)** - Not used in production installations. The production cloud address is determined automatically. * **Specify an S3 bucket for scaling events** - This option allows defining an S3 bucket (a new or existing one) which allows scaling events to occur without the need to connect to Check Point's cloud. It is recommended to use an S3 bucket so scaling events will be not be disrupted by temporary Internet connectivity issues, for example, as the new instance must get its software and policy. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FV0hvv4XGQAnbG4irUaLp%252Fimage.png%3Falt%3Dmedia%26token%3D60d1cbf9-3068-4859-872c-e4aa523dc591&width=768&dpr=4&quality=100&sign=fed06ad5&sv=2) * **Specify an S3 bucket name** - If you selected "existing S3 bucket" or "new S3 bucket", you must specify the name of the S3 bucket here. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws#auto-scaling-group-settings) Auto Scaling Group Settings ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FZsGuwQqAwQ9QNpqDBreH%252Fappsecgw-aws-asg-settings.png%3Falt%3Dmedia%26token%3D75356923-8ee8-468f-a31d-91ca10a3a1d7&width=768&dpr=4&quality=100&sign=a3cd423c&sv=2) * **Type of the Load Balancer** - Choose whether you want to deploy a solution with network or application load balancer. Note - For application load balancer, in order to configure the HTTP health checks the following settings must be added to the Infinity Next profile: Key: agent.rpmanager.nginxIncludeLines Value: server {listen 8117; return 200;} Key: agent.config.orchestration.healthCheckProbe.enable Value: false ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FLSxbTpf8g11fD00DGsSu%252Fimage.png%3Falt%3Dmedia%26token%3D352e725d-ffbf-4339-b1ae-9ef782d2a781&width=300&dpr=4&quality=100&sign=ddd7b14c&sv=2) * **Scheme of the Load Balancer** - Choose if the load balancer should be Internal or External. * **Initial number of gateways** – The initial number of EC2 instances that is deployed together with the Auto Scaling Group. * **Maximum number of gateways** – The maximum number of EC2 instances the Auto Scaling Group can scale to. * **Bootstrap script (Optional)** - An optional script to run on the initial boot. * **Administrator email address (Optional)** \- An email address to notify users about scaling events. Creating the stack in AWS takes about 6-8 minutes. When the CloudGuard WAF EC2 loads it will automatically connect to Check Point, register using the token you provided and fetch your policy. Then, either [Store Certificates in AWS](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws) or [Store Certificates on the Gateway](https://app.gitbook.com/o/NmlxbSkVNQHTmh0JtAB1/s/EWA4nfgNrSRL8dA6Kap7/~/changes/h5oX1fXrzha8sEBzZWYF/getting-started/deploy-appsec-gateway-agent/deployment-as-vm-gateway/store-certificates-on-the-gateway) . If successful, you will see a green notification bar in this portal with a message that your Agent/Gateway successfully connected. **Troubleshooting Tips**[](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws#troubleshooting-tips) * After launching the CloudFormation, you can monitor AWS resources creation progress in AWS console under the 'Resources' tab of the deployed parent and nested stacks. In any case of provisioning failure, the created resources will be deleted, and the reason of failure can be viewed under 'Events' tab of the failed stack. * Verify that you entered the correct Token taken from the profile page. Otherwise your AppSec Gateway will not be able to connect to Check Point cloud * Verify that the subnet where you deploy the AppSec Gateway have outbound internet connectivity * Verify that the chosen EC2 instance type is available in your region * Verify that you have sufficient IAM permissions as listed above to run the CloudFormation stack #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws#step-5-ssl-certificates) Step 5: SSL Certificates Choose the desired SSL Certificates storage method: [Store Certificates in AWS](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws) [Store certificates on Gateway](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-on-gateway) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws#step-6-launch-the-stack) Step 6: Launch the stack To launch the Stack, select these two checkboxes: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FYXV9Ts25ourPZl3OY92z%252Fappsecgw-aws-launch-stack.png%3Falt%3Dmedia%26token%3D4dcf5cae-6b05-4f48-854d-1ccd630aee5a&width=768&dpr=4&quality=100&sign=fed568cf&sv=2) When deploying CloudGuard WAF Gateway without assets connected to the profile, the Gateway will be deployed with the Orchestrator nano-service only. In this case, a manual change in the LB health check configuration will need to be changed manually from port 5555 to port 8117. [PreviousGateway/Virtual Machine](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine) [NextStore Certificates in AWS](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws) Last updated 7 months ago Was this helpful? --- # Store Certificates in AWS | CloudGuard WAF Follow these steps to store your certificate and private keys in AWS that can be used by CloudGuard WAF to process HTTPS traffic ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws#note-about-certificate-renewal) Note About Certificate Renewal When a certificate is renewed, you must update the certificate manager according to the instructions below, then enforce policy again (even if configuration has not changed) by clicking on "**Enforce**" on the top bar of the web administration application for CloudGuard WAF in the portal, or by using [management API](https://waf-doc.inext.checkpoint.com/references/management-api) . ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws#certificates-usage) Certificates Usage In order to use encrypted traffic (HTTPS) a managed reverse proxy must have access to the relevant certificates of the domains and URLs it exposes. **Example - you have two applications and one API endpoint to protect:** * www.acme.com * www.acme.com/sales * products.acme.com/catalog Examples Certificates used Required action Case 1 You have one wildcard certificate for \*.acme.com Place the certificate in the desired certificate storage by following the instructions below. CloudGuard WAF will use it for all relevant applications Case 2 You have two certificates: (1) for www.acme.com and (2) for products.acme.com Place both certificates in the desired certificate storage by following the instructions below. CloudGuard WAF will automatically use certificate 1 for the first two Applications/APIs and certificate 2 for the last Application ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws#setting-a-certificate-in-aws-certificate-manager) Setting a certificate in AWS certificate manager #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws#step-1-aws-console) Step 1: AWS Console Log in to **AWS Console** and select the relevant Region. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws#step-2-aws-certificate-manager) Step 2: **AWS Certificate Manager** Navigate to the **AWS Certificate Manager (ACM)** and import a PEM-encoded certificate and private key. The certificate must be imported from a different certificate provider and only hosted by the ACM. Creation of the certificate via the ACM is not supported as this prevents access to the private key required in the next step. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws#step-3-prepare-your-private-key-for-storage-in-aws-secrets-manager) Step 3: Prepare your private key for storage in **AWS Secrets Manager** Encode your private key into base64 using this command (Linux or Mac): `_openssl base64 -A -in -out _` You will need the output of the command in Step 4. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws#step-4-store-your-private-key-as-a-secret) Step 4: Store your private key as a secret Navigate to **AWS Secrets Manager** and click **Store a new secret:** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F3lrTTQ7RKrKSJltpHhWe%252Fimage.png%3Falt%3Dmedia%26token%3D5b21eee1-375f-402e-8cab-063e35e0e61e&width=768&dpr=4&quality=100&sign=b73512cd&sv=2) * Choose **Other types of secret**, and add a new secret key-value pair: * In the **key** cell enter: _private key_ * In the **value** cell enter your private key as a _base64 encoded single string (the output of the openssl command above)_. * Set the **Encryption key** to: _aws/secretmanager_ * Click **Next** It is recommended to copy the base64 encoded key into a text editor and then to the Secrets Manager to make sure it is copied correctly. Sometimes, copying directly from a terminal is not working well. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws#step-5-secret-name-and-tags) Step 5: Secret Name and Tags ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FuFUBWIFyE7mydjfclwY7%252Fimage.png%3Falt%3Dmedia%26token%3D513fc79f-0e7b-4b68-98b3-b617875325d5&width=768&dpr=4&quality=100&sign=5f913963&sv=2) * Enter the name of your secret in the **secret name** field * In the Tags section, add Key-Value Pair: * In the **key** cell enter: _certificate_ * In the **value** cell enter the Amazon Resource Name (ARN) of the matching certificate that you placed in the **AWS Certificate Manager** (step 4 above). Repeat the above steps for each additional private key you have. You must store each private key as a separate secret. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws#step-6-launch-cloudformation-stack) Step 6: Launch CloudFormation Stack ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FlrRCLkco3K2x6pGqmarG%252Fimage.png%3Falt%3Dmedia%26token%3Ddc592728-6b39-4f12-85a0-67e2a4244384&width=768&dpr=4&quality=100&sign=3d459897&sv=2) To launch the CloudFormation Stack, select the acknowledgement check boxes and click **Create stack**. The CloudFormation template allows you to input only two certificates and private keys. After the stack launches for additional certificates, go to the created IAM Role and edit the **GetCertificatesPolicy** and **GetSecretsPolicy** with the additional ARNs, after you repeat Steps 1-5. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws#step-7-enforce-cloudguard-waf-policy) Step 7: Enforce CloudGuard WAF Policy Open CloudGuard WAF Web Interface in your browser and click the **Enforce** button at the top bar. This will signal the Gateways to read the certificates from AWS. [PreviousAWS](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws) [NextStore certificates on Gateway](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-on-gateway) Last updated 1 year ago Was this helpful? --- # Gateway/Virtual Machine | CloudGuard WAF [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine#platforms) Platforms ---------------------------------------------------------------------------------------------------------------------------------- CloudGuard WAF can be deployed as a VM on different platforms, containing a fully managed Reverse Proxy gateway, protected by a CloudGuard WAF Agent. Select your platform type below to see the corresponding deployment instructions: [AWS](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws) [Azure](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure) [VMware](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware) A fully managed Reverse Proxy protected by a CloudGuard WAF Agent is also available as [container in docker](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker) environment. [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine#certificates-and-private-keys) Certificates and Private Keys -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- CloudGuard WAF's Gateways implement a reverse proxy that can serve pages to users over HTTPS. To use this capability, you need to provide a Certificate and Private keys that correspond to the site name(s) that users will access (e.g. https://www.acme.com, https://api.acme.com). ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine#storage-options) Storage options There are two methods for storing certificates and private keys when deploying on AWS or Azure. When deploying on VMWare, only the first option is available: * [On the WAF Gateway itself](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-on-gateway) - a simple procedure allows you to upload the certificates and private keys directly to your gateway(s) using Secure Copy Protocol (SCP/SSH). No further configuration is required - CloudGuard WAF will locate the local files automatically. * **Advantage**: you have full control of your secrets * **Disadvantage**: does not support automatic scaling * If you are using CloudGuard WAF on [AWS](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws) or [Azure](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure) you can store secrets in secured vaults of these platforms and CloudGuard WAF's Gateway can fetch it from there. The certificates are fetched when CloudGuard WAF's Gateway first loads and checked again for updates every time you Enforce policy. When deploying on Azure/AWS, storage selection occurs during the asset configuration wizard if a new profile is created. It is also available via **Cloud->Profiles** for CloudGuard WAF's Gateway profiles that enforce assets with HTTPS URLs. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FEob3711p1x4P0sWd09jv%252Fappsec-profiles-ssl-certificates-aws.PNG%3Falt%3Dmedia%26token%3Ddcb0361b-0ddf-4201-9ddf-9e0bfa4bf828&width=768&dpr=4&quality=100&sign=b9904171&sv=2) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FCJUOrmoaEURE7Fn7XLJO%252Fappsec-profiles-ssl-certificates-azure.PNG%3Falt%3Dmedia%26token%3D16446833-a490-4881-9869-f234c65ff7dd&width=768&dpr=4&quality=100&sign=82e89265&sv=2) For all other deployment options, the same location still contains "**Setup Instructions**" for the method to deploy certificates for HTTPS traffic. ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine#multiple-certificates) Multiple certificates When there are multiple Web Applications APIs, CloudGuard WAF's Gateway can automatically fetch the relevant certificates and private keys. **Example**: you have two applications and one API end-point to protect: * www.acme.com * www.acme.com/sales * products.acme.com/catalog Consider two possible cases: 1. You have one wildcard certificate for \*.acme.com * Place the certificate on your gateway by following the instructions in the next section. CloudGuard WAF will use it for all relevant applications. 2. You have two certificates: (1) for www.acme.com and (2) for products.acme.com * Place both certificates on your gateway by following the instructions in the next section. CloudGuard WAF will automatically use certificate 1 for the first two Applications/APIs and certificate 2 for the last Application. ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine#validating-the-certificate-of-the-internal-server) Validating the certificate of the internal server The reverse proxy takes incoming HTTP/S requests and forwards them to an internal server. When using HTTPS, the forwarded request to the internal server returns with a certificate which the best practice is to validate. [Advanced Reverse Proxy settings](https://waf-doc.inext.checkpoint.com/how-to/edit-reverse-proxy-advanced-settings-for-a-web-asset) include the configuration option for "**Trusted CA chain for protected server SSL verification**". Use this option to configure the trusted CA chain that will validate the certificate presented by the internal server for enhanced security. [PreviousDeploy Enforcement Point](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) [NextAWS](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws) Last updated 12 months ago Was this helpful? --- # Store certificates on Gateway | CloudGuard WAF ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-on-gateway#note-about-certificate-renewal) Note About Certificate Renewal When a certificate is renewed, you must update the certificate according to the instructions below, then enforce policy again (even if configuration has not changed) by clicking on "**Enforce**" on the top bar of the web administration application for CloudGuard WAF in the portal, or by using [management API](https://waf-doc.inext.checkpoint.com/references/management-api) . ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-on-gateway#certificates-usage) Certificates Usage In order to use encrypted traffic (HTTPS) a managed reverse proxy must have access to the relevant certificates of the domains and URLs it exposes. **Example - you have two applications and one API endpoint to protect:** * www.acme.com * www.acme.com/sales * products.acme.com/catalog Examples Certificates used Required action Case 1 You have one wildcard certificate for \*.acme.com Place the certificate in the desired certificate storage by following the instructions below. CloudGuard WAF will use it for all relevant applications Case 2 You have two certificates: (1) for www.acme.com and (2) for products.acme.com Place both certificates in the desired certificate storage by following the instructions below. CloudGuard WAF will automatically use certificate 1 for the first two Applications/APIs and certificate 2 for the last Application ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-on-gateway#storing-certificates-locally-on-cloudguard-wafs-gateway) Storing certificates locally on CloudGuard WAF's Gateway Follow these steps to store your certificates and private keys **locally on the gateway** that can be used by CloudGuard WAF to process HTTPS traffic: * **Advantage**: you have full control of your secrets * **Disadvantage**: does not support automatic scaling #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-on-gateway#step-1-download-command-line-tool) **Step 1: Download command-line tool** The tool's purpose is to verify the certificate and key files and generate an output .pkg file with a unique name [Linux Download](https://sc1.checkpoint.com/nano-agent/certverify/linux/certverify) or run: `_wget https://sc1.checkpoint.com/nano-agent/certverify/linux/certverify && chmod +x certverify_` [Mac Download](https://sc1.checkpoint.com/nano-agent/certverify/darwin/certverify) [Windows Download](https://sc1.checkpoint.com/nano-agent/certverify/windows/certverify.exe) You can use this tool on any machine where you have the files, before you actually store them on your CloudGuard WAF's Gateway(s). #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-on-gateway#step-2-run-the-command-line-tool) **Step 2: Run the command-line tool** Linux and Mac: * PEM certificates: `_./certverify --cert {certificate.pem} --key {private-key.key}_` * PFX certificates: _._`_/certverify --cert {certificate.pfx} --pass {password}_` Windows: * PEM certificates : `_certverify --cert {certificate.pem} --key {private-key.key}_` * PFX certificates : `_certverify --cert {certificate.pfx} --pass {password}_` Repeat this step for each certificate/private key you wish to use Only certificates that contain Subject Alternative Name (SAN) are supported The tool will verify the certificate and key files, and generate an output .pkg file with a unique name that includes both. **Step 3: Store certificate and private key on your CloudGuard WAF Gateway using SCP** You must store the files in directory /etc/certs on CloudGuard WAF's Gateway or else it will not be identified. If the commands below end with an error, navigate to /etc and make sure a directory exists called "certs" (in linux, use the `mkdir` command). The input pkg file for this step is the uniquely named pkg output file of the previous step. * Linux or Mac: `_./scp {unique-name.pkg} admin@{gateway-ip}:/etc/certs_` * Windows: `_"C:\Program Files (x86)\WinSCP\WinSCP.com" /command "open scp://admin:{password}@{gateway-ip}" "put cert_cert.pkg /etc/certs/" "exit"_` Repeat this step for each certificate/private key you wish to use **and** for each CloudGUard WAF Gateway. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-on-gateway#step-4-enforce-policy) **Step 4: Enforce Policy** CloudGuard WAF will now use the relevant certificates with HTTPS clients that are trying to access your applications. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-on-gateway#step-5-change-relevant-dns-entries) **Step 5: Change relevant DNS entries** You can now change your DNS entries as relevant to point to your CloudGuard WAF Gateway IP or to a Load Balancer in front of several CloudGuard WAF's Gateways. [PreviousStore Certificates in AWS](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws) [NextAzure](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure) Last updated 12 months ago Was this helpful? --- # Azure | CloudGuard WAF [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure#overview) Overview -------------------------------------------------------------------------------------------------------------------------------------- If you are deploying a CloudGuard WAF Gateway to protect an existing production website, we recommend you also read the [HOW-TO guide for this particular deployment](https://waf-doc.inext.checkpoint.com/how-to/protect-an-existing-production-site-with-cloudguard-wafs-gateway) . CloudGuard WAF can be deployed as either a single virtual machine or a Scale-Set in Azure. It acts as a reverse proxy where before / after you can deploy Azure Load Balancers: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FKme4fpG9iLiyGspQLgCp%252Fdownload%2520%282%29.svg%3Falt%3Dmedia%26token%3Dcd53c52f-f89f-4942-8f83-03f497b75fda&width=768&dpr=4&quality=100&sign=a81690de&sv=2) Make sure you obtain the from the [Enforcement **Profile**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) page, **Authentication** section. You will need it in during agent deployment. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FodEuUgaIWcxkuTtYrJ2n%252Fappsec-profiles-authentication-token.PNG%3Falt%3Dmedia%26token%3Daaa5d4ad-7a5b-4986-9378-7ec39b22aadd&width=300&dpr=4&quality=100&sign=372cae61&sv=2) [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure#installation) Installation ---------------------------------------------------------------------------------------------------------------------------------------------- Follow these steps to deploy CloudGuard WAF in Azure using an ARM Template: #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure#step-1-azure-log-in) Step 1: Azure Log in Log in to to your Azure account. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure#step-2-verify-required-permissions) Step 2: Verify required permissions Verify that you have the required permissions: Azure permissions[](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure#azure-permissions) Microsoft.Resources: Purchase Resource Validate Deployment Microsoft.Insights: Update autoscale setting Microsoft.Compute: Create or Update Virtual Machine Scale Set Microsoft.KeyVault: Update Access Policy Microsoft.Network: Create or Update Public Ip Address Create or Update Virtual Network Create or Update Route Table Create or Update Network Security Group Create or Update Load Balancer Microsoft.Storage: Update Storage Account Create If deploying VMSS with a new Azure Key Vault: Microsoft.KeyVault: Update Key Vault Write Secret #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure#step-3-deployment-using-arm-template) Step 3: **Deployment using ARM Template** * Open the CloudGuard WAF's Azure page: [https://azuremarketplace.microsoft.com/en-us/marketplace/apps/checkpoint.checkpoint\_waap?tab=Overview](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/checkpoint.checkpoint_waap?tab=Overview) . * Click the blue "Get It Now" button to start the configuration wizard. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure#you-have-two-options-to-store-certificates) You have two options to store certificates: [Store Certificates in Azure](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure) [Store Certificates on Gateway](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/store-certificates-on-gateway) [PreviousStore certificates on Gateway](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-on-gateway) [NextStore Certificates in Azure](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure) Last updated 12 months ago Was this helpful? --- # Store Certificates on Gateway | CloudGuard WAF ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-on-gateway#note-about-certificate-renewal) Note About Certificate Renewal When a certificate is renewed, you must update the certificate according to the instructions below, then enforce policy again (even if configuration has not changed) by clicking on "**Enforce**" on the top bar of the web administration application for CloudGuard WAF in the portal, or by using [management API](https://waf-doc.inext.checkpoint.com/references/management-api) . ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-on-gateway#certificates-usage) Certificates Usage In order to use encrypted traffic (HTTPS) a managed reverse proxy must have access to the relevant certificates of the domains and URLs it exposes. **Example - you have two applications and one API endpoint to protect:** * www.acme.com * www.acme.com/sales * products.acme.com/catalog Examples Certificates used Required action Case 1 You have one wildcard certificate for \*.acme.com Place the certificate in the desired certificate storage by following the instructions below. CloudGuard WAF will use it for all relevant applications Case 2 You have two certificates: (1) for www.acme.com and (2) for products.acme.com Place both certificates in the desired certificate storage by following the instructions below. CloudGuard WAF will automatically use certificate 1 for the first two Applications/APIs and certificate 2 for the last Application ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-on-gateway#storing-certificates-locally-on-cloudguard-wafs-gateway) Storing certificates locally on CloudGuard WAF's Gateway Follow these steps to store your certificate and private keys on the gateway that can be used by CloudGuard WAF to process HTTPS traffic: * **Advantage**: you have full control of your secrets * **Disadvantage**: does not support automatic scaling #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-on-gateway#step-1-download-command-line-tool) **Step 1: Download command-line tool** The tool's purpose is to verify the certificate and key files and generate an output .pkg file with a unique name. [Linux Download](https://sc1.checkpoint.com/nano-agent/certverify/linux/certverify) or run: `_wget https://sc1.checkpoint.com/nano-agent/certverify/linux/certverify && chmod +x certverify_` [Mac Download](https://sc1.checkpoint.com/nano-agent/certverify/darwin/certverify) [Windows Download](https://sc1.checkpoint.com/nano-agent/certverify/windows/certverify.exe) You can use this tool on any machine where you have the files, before you actually store them on your CloudGuard WAF Gateway(s). #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-on-gateway#step-2-run-the-command-line-tool) **Step 2: Run the command-line tool** Linux and Mac: * PEM certificates: `_./certverify --cert {certificate.pem} --key {private-key.key}_` * PFX certificates: _._`_/certverify --cert {certificate.pfx} --pass {password}_` Windows: * PEM certificates : `_certverify --cert {certificate.pem} --key {private-key.key}_` * PFX certificates : `_certverify --cert {certificate.pfx} --pass {password}_` Repeat this step for each certificate/private key you wish to use. Only certificates that contain Subject Alternative Name (SAN) are supported. The tool will verify the certificate and key files, and generate an output .pkg file with a unique name that includes both. **Step 3: Store certificate and private key on your CloudGuard WAF Gateway using SCP** You must store the files in directory /etc/certs on CloudGuard WAF Gateway or else they will not be identified. If the commands below end with an error, navigate to /etc and make sure a directory exists called "certs" (in linux, use the `mkdir` command). The input pkg file for this step is the uniquely named pkg output file of the previous step. * Linux or Mac: `_./scp {unique-name.pkg} admin@{gateway-ip}:/etc/certs_` * Windows: `_"C:\Program Files (x86)\WinSCP\WinSCP.com" /command "open scp://admin:{password}@{gateway-ip}" "put cert_cert.pkg /etc/certs/" "exit"_` Repeat this step for each certificate/private key you wish to use **and** for each CloudGuard WAF Gateway. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-on-gateway#step-4-enforce-policy) **Step 4: Enforce Policy** CloudGuard WAF will now use the relevant certificates with HTTPS clients that are trying to access your applications. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-on-gateway#step-5-change-relevant-dns-entries) **Step 5: Change relevant DNS entries** You can now change your DNS entries as relevant to point to your CloudGuard WAF Gateway IP or to a Load Balancer in front of several CloudGuard WAF's Gateways. [PreviousStore Certificates in Azure](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure) [NextVMware](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware) Last updated 12 months ago Was this helpful? --- # Configure networking in VMware Deployments | CloudGuard WAF When installing a CloudGuard WAF [Gateway in a VMware](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware) deployment, after initial installation, an administrator might require networking changes. [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/configure-networking-in-vmware-deployments#browsing-to-the-networking-administration-portal-of-the-cloudguard-waf-gateway) Browsing to the networking administration portal of the CloudGuard WAF Gateway ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Using a browser from a machine with access to the CloudGuard WAF gateway, browse to: **https://:30443** At first login, use the username 'admin' and the password that was set up during initial deployment. Afterwards you may have configured additional users and/or changed passwords. [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/configure-networking-in-vmware-deployments#networking-configuration-options) **Networking Configuration Options** -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The browser will now show the administration portal following your login credentials as you set them during the [OVF deployment](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware) . ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FCs11VOHC72ddFa8t7THg%252Fappsec-gw-vmware-networking-admin-portal-main.JPG%3Falt%3Dmedia%26token%3Dc947a44f-5f74-4ae8-8b7c-7131bef16f54&width=768&dpr=4&quality=100&sign=73b63c53&sv=2) ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/configure-networking-in-vmware-deployments#network-interfaces) Network Interfaces Additional network interfaces can be configured here: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FCqmdn6p5een3yeFoyZP1%252Fappsec-gw-vmware-networking-admin-portal-network-interfaces-configuration.JPG%3Falt%3Dmedia%26token%3D3268a912-392c-40da-941c-af0c91523e32&width=768&dpr=4&quality=100&sign=67db38b0&sv=2) ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/configure-networking-in-vmware-deployments#hosts-and-dns) Hosts and DNS DNS configuration including additional DNS servers on top of the primary address can be configured here: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FrbGRvAu5QBlM8Bqsbx4x%252Fappsec-gw-vmware-networking-admin-portal-dns-configuration.JPG%3Falt%3Dmedia%26token%3Da5b2c39d-d477-44d8-9adc-2f954c299d17&width=768&dpr=4&quality=100&sign=ed068ea8&sv=2) ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/configure-networking-in-vmware-deployments#routing-configuration) Routing Configuration Additional routes or changes to the default route can be configured here: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FD9zx6zqOqWRKyFNWS2B6%252Fappsec-gw-vmware-networking-admin-portal-routes-configuration.JPG%3Falt%3Dmedia%26token%3D89d4d0f8-1e1f-40b8-9c77-2f770f999be7&width=768&dpr=4&quality=100&sign=8df03270&sv=2) ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/configure-networking-in-vmware-deployments#time-configuration) Time Configuration The time zone configuration and any changes between automatic NTP-based time configuration to manual can be configured here: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FgMlRwXDCODQynruAw4Ne%252Fappsec-gw-vmware-networking-admin-portal-time-configuration.JPG%3Falt%3Dmedia%26token%3D01dc0b50-1240-48d3-8ae8-77cb7cf04876&width=768&dpr=4&quality=100&sign=fcf04551&sv=2) [PreviousStore Certificates on Gateway](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/store-certificates-on-gateway) [NextWAF-as-a-Service (WAF SaaS)](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas) Last updated 12 months ago Was this helpful? --- # Kubernetes | CloudGuard WAF [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes#overview) Overview ------------------------------------------------------------------------------------------------------------------- CloudGuard WAF for Kubernetes protects vulnerable applications and APIs running in Kubernetes environments. It integrates with the most popular [NGINX Ingress Controller](https://kubernetes.github.io/ingress-nginx) , [Kong Ingress Controller](https://github.com/Kong/kubernetes-ingress-controller) , and as well as Istio Ingress Controller, and serves as a secure HTTP/S load balancer for one or more [Services](https://kubernetes.io/docs/concepts/services-networking/service/) inside Kubernetes [clusters](https://kubernetes.io/docs/concepts/architecture/) . **For Kong and Istio dedicated instructions, click here:** [NGINX Application Security](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/nginx-application-security) [Kong Application Security](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/kong-application-security) [Istio Application Security](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/istio-application-security) Kubernetes [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) exposes HTTP/S routes from outside the cluster to [services](https://kubernetes.io/docs/concepts/services-networking/service/) within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. [PreviousIntegrating WAF SaaS with AWS CloudFront](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas/integrating-waf-saas-with-aws-cloudfront) [NextKong Application Security](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/kong-application-security) Last updated 3 months ago Was this helpful? --- # Store Certificates on Gateway | CloudGuard WAF ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/store-certificates-on-gateway#note-about-certificate-renewal) Note About Certificate Renewal When a certificate is renewed, you must update the certificate according to the instructions below, then enforce policy again (even if configuration has not changed) by clicking on "**Enforce**" on the top bar of the web administration application for CloudGuard WAF in the portal, or by using [management API](https://waf-doc.inext.checkpoint.com/references/management-api) . ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/store-certificates-on-gateway#certificates-usage) Certificates Usage In order to use encrypted traffic (HTTPS) a managed reverse proxy must have access to the relevant certificates of the domains and URLs it exposes. **Example - you have two applications and one API endpoint to protect:** * www.acme.com * www.acme.com/sales * products.acme.com/catalog Examples Certificates used Required action Case 1 You have one wildcard certificate for \*.acme.com Place the certificate in the desired certificate storage by following the instructions below. CloudGuard WAF will use it for all relevant applications Case 2 You have two certificates: (1) for www.acme.com and (2) for products.acme.com Place both certificates in the desired certificate storage by following the instructions below. CloudGuard WAF will automatically use certificate 1 for the first two Applications/APIs and certificate 2 for the last Application ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/store-certificates-on-gateway#storing-certificates-locally-on-cloudguard-waf-gateway) Storing certificates locally on CloudGuard WAF Gateway Follow these steps to store your certificate and private keys on the gateway that can be used by CloudGuard WAF to process HTTPS traffic: * **Pros**: you have full control of your secrets. * **Cons**: Method fits a single gateway deployment, not an auto-scaled deployment. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/store-certificates-on-gateway#step-1-download-command-line-tool) **Step 1: Download command-line tool** The tool's purpose is to verify the certificate and key files and generate an output .pkg file with a unique name. [Linux Download](https://sc1.checkpoint.com/nano-agent/certverify/linux/certverify) or run: `_wget https://sc1.checkpoint.com/nano-agent/certverify/linux/certverify && chmod +x certverify_` [Mac Download](https://sc1.checkpoint.com/nano-agent/certverify/darwin/certverify) [Windows Download](https://sc1.checkpoint.com/nano-agent/certverify/windows/certverify.exe) You can use this tool on any machine where you have the files, before you actually store them on your CloudGuard WAF's Gateway(s). #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/store-certificates-on-gateway#step-2-run-the-command-line-tool) **Step 2: Run the command-line tool** Linux and Mac: * PEM certificates: `_./certverify --cert {certificate.pem} --key {private-key.key}_` * PFX certificates: _._`_/certverify --cert {certificate.pfx} --pass {password}_` Windows: * PEM certificates : `_certverify --cert {certificate.pem} --key {private-key.key}_` * PFX certificates : `_certverify --cert {certificate.pfx} --pass {password}_` Repeat this step for each certificate/private key you wish to use. Only certificates that contain Subject Alternative Name (SAN) are supported. The tool will verify the certificate and key files, and generate an output .pkg file with a unique name that includes both. **Step 3: Store certificate and private key on your CloudGuard WAF Gateway using SCP** You must store the files in directory /etc/certs on the CloudGuard WAF Gateway or else it will not be identified. If the commands below end with an error, navigate to /etc and make sure a directory exists called "certs" (in linux, use the `mkdir` command). The input pkg file for this step is the uniquely named pkg output file of the previous step. * Linux or Mac: `_./scp {unique-name.pkg} admin@{gateway-ip}:/etc/certs_` * Windows: `_"C:\Program Files (x86)\WinSCP\WinSCP.com" /command "open scp://admin:{password}@{gateway-ip}" "put cert_cert.pkg /etc/certs/" "exit"_` Repeat this step for each certificate/private key you wish to use **and** for each CloudGuard WAF Gateway. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/store-certificates-on-gateway#step-4-enforce-policy) **Step 4: Enforce Policy** CloudGuard WAF will now use the relevant certificates with HTTPS clients that are trying to access your applications. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/store-certificates-on-gateway#step-5-change-relevant-dns-entries) **Step 5: Change relevant DNS entries** You can now change your DNS entries as relevant to point to your CloudGuard WAF Gateway IP or to a Load Balancer in front of several CloudGuard WAF's Gateways. [PreviousVMware](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware) [NextConfigure networking in VMware Deployments](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/configure-networking-in-vmware-deployments) Last updated 12 months ago Was this helpful? --- # DDoS Dashboard | CloudGuard WAF The DDoS Dashboard offers centralized, real-time visibility into Distributed Denial of Service (DDoS) activity targeting your applications and APIs. It enables security teams to quickly assess the scope, behavior, and progression of ongoing and past attacks. DDoS Protection is available for CloudGuard WAF SaaS. It is not available with other local (Gateway, Agent) editions of the product. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FfS222viRG2fYqQZhpOTa%252Fimage.png%3Falt%3Dmedia%26token%3Dbecd6dae-73a1-4663-a4ad-878dc1a9b48e&width=768&dpr=4&quality=100&sign=d103070c&sv=2) Following is a description of the Dashboard sections: Section Description Recent Attacks Displays a timeline of detected DDoS attacks, including start time, status (e.g., ongoing or resolved), and affected domains. Users can select an event to drill down into detailed telemetry. Top Source IP Addresses Lists the IPs responsible for the most traffic during an attack. This helps identify major attack sources or botnet activity. Visual bars help compare relative impact. Top Destination URLs Shows the application endpoints most frequently targeted by DDoS traffic, helping to pinpoint abuse patterns [DDoS Dashboard](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/ddos-dashboard#ddos-dashboard) Top Referrers Identifies external referrer domains linked to attack traffic. This can highlight misused third-party websites or coordinated bot campaigns. Top User Agents Displays the most common User-Agent headers observed during an attack, revealing whether bots are spoofing browser or device signatures. Top Source Countries Visualizes geographic origin of traffic in a chart, indicating which regions are contributing to the attack load. Useful for geolocation-based defense strategies. See also: [DDoS Protection](https://waf-doc.inext.checkpoint.com/concepts/ddos-protection) [PreviousAPI Discovery Dashboard](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/api-discovery-dashboard) [NextEvent Views](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/event-views) Last updated 3 months ago Was this helpful? --- # Istio Application Security | CloudGuard WAF This feature is currently in Early Availability and is available only upon request from the local Check Point team. CloudGuard WAF for Istio is deployed using a Helm chart that includes a namespace-level webhook. This webhook monitors changes to the Istio IngressGateway deployment and automatically adds the necessary agent and attachment to the deployment. The configuration of the Istio Ingress controller follows standard practices for setting up gateway and virtual service resources to expose your applications. This diagram shows an example of a Kubernetes service exposed outside the Kubernetes cluster with an Istio Ingress controller protected with CloudGuard WAF. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F6ZUsrLz5efFrHzv1RKKc%252Fdownload.svg%3Falt%3Dmedia%26token%3D9d2c9e7e-2ad0-492f-b61d-5df48e5c47b0&width=768&dpr=4&quality=100&sign=70fc8f49&sv=2) [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/istio-application-security#prerequisites) Prerequisites -------------------------------------------------------------------------------------------------------------------------------------------------------- * Istio version 1.20.0+ cluster * [Helm 3 Package Manager](https://helm.sh/docs/intro/install/) installed on your local machine * The `kubectl` and `wget` command-line tools installed on your bastion or platform that you use to access the Kubernetes cluster [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/istio-application-security#installation) Installation ------------------------------------------------------------------------------------------------------------------------------------------------------ #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/istio-application-security#step-1-download-helm-chart) Step 1: Download Helm chart Run the following command: `wget https://cloudguard-waf.i2.checkpoint.com/downloads/helm/cloudguard-waf-istio.tgz` The webhook only manages deployment in the same namespace where it is installed, so it should be deployed on the relevant istio-ingressgateway namespace. Note to change the <`ingress-gateway namespcae`\> to the relevant one. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/istio-application-security#step-2-install-helm-chart) Step 2: Install Helm chart Make sure you obtained the token from the [Enforcement Profile](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) page first, you will need it in the command to deploy the Helm chart. Obtain the from the **Profile** page, **Authentication** section. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FodEuUgaIWcxkuTtYrJ2n%252Fappsec-profiles-authentication-token.PNG%3Falt%3Dmedia%26token%3Daaa5d4ad-7a5b-4986-9378-7ec39b22aadd&width=300&dpr=4&quality=100&sign=372cae61&sv=2) Run the following command: Copy helm install cloudguard-waf-istio.tgz \ --name-template cloudguard-waf-istio \ -n \ --set token= \ --set webhook.objectSelector.labelValue=istio-ingress \ --set webhook.objectSelector.labelName=app \ #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/istio-application-security#step-3-add-the-cloudguard-waf-label-to-your-ingress-gateway-namespace) Step 3: Add the CloudGuard WAF label to your ingress-gateway namespace CloudGuard WAF webhook will function only when this flag is added to the Istio Ingress Controller environment. To add the flag, run the following command: Copy kubectl label namespace inject-waf-attachment="true" --overwrite #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/istio-application-security#step-4-restart-your-ingress-gateway-deployment) Step 4: Restart your ingress gateway deployment Run the following command: Copy kubectl rollout restart deployment -n [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/istio-application-security#un-installation) Un-Installation ------------------------------------------------------------------------------------------------------------------------------------------------------------ In order to remove the CloudGuard WAF Nano Agent from your Istio Ingress Controller, follow these steps. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/istio-application-security#step-1-remove-helm-chart) Step 1: Remove Helm chart Run the following command: Copy helm upgrade --reuse-values --set removeWaf=true cloudguard-waf-istio ./cloudguard-waf-istio.tgz -n **Step 2: Remove the CloudGuard WAF label from your ingress-gateway namespace** Run the following command: Copy kubectl label namespace inject-waf-attachment- #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/istio-application-security#step-3-restart-your-ingress-gateway-deployment) Step 3: Restart your ingress gateway deployment Run the following command: Copy kubectl rollout restart deployment istio-ingressgateway -n [PreviousKong Application Security](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/kong-application-security) [NextNGINX Application Security](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/nginx-application-security) Last updated 3 months ago Was this helpful? --- # WAF Dashboard | CloudGuard WAF The WAF dashboard is a single-pane view of important security events. To reach the dashboard select **Monitor**, then **WAF Dashboard** in the main menu. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F8z6tlHoXSDxxn55V3dvX%252Fappsec-monitor-dashboard-example.png%3Falt%3Dmedia%26token%3D227260d7-b419-4ae1-a9c9-a487479aeae4&width=768&dpr=4&quality=100&sign=a1512d5&sv=2) Following is a description of the Dashboard sections: Section Description Overall HTTP Traffic Statistics show the number of overall request for the time period and unique number of users and, or identities that use the protected web servers. Malicious Activity Overall statistics of the number of attackers (users and, or identities) and the number of attacks on web servers. Security Actions Overall number of events that where prevented and detected. Top Attack Sources * A chart of the top attackers by the number of events. * Number of events on a time line, gives visibility to the changes in the security posture Attacks Level Chart of the number of attacks by severity. Top Attack Assets Chart of the most attacked web servers. Asset Statistics Table of protected web server(s) and its statistics. Attacks Timeline Shows a specific time period on the dashboard ### [](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/waf-dashboard#undefined) [PreviousMonitor Events](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events) [NextAPI Discovery Dashboard](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/api-discovery-dashboard) Last updated 3 months ago Was this helpful? --- # Monitor Events | CloudGuard WAF CloudGuard WAF provides the following views for monitoring system events: #### [](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events#graphical-dashboard) Graphical Dashboard Graphical view of security events with Critical & High severity, includes the following Dashboards: [WAF Dashboard](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/waf-dashboard) [API Discovery Dashboard](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/api-discovery-dashboard) [DDoS Dashboard](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/ddos-dashboard) [Event Advisor](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/event-advisor) #### [](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events#events-view) Events View Tabular view of security events with Critical & High severity, and All Events [Event Views](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/event-views) #### [](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events#notifications) Notifications tabular view of administrative system events. [Notifications](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/notifications) #### [](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events#email-reports) Email Reports Graphical summary sent by email to requested addresses. [Email Reports](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/email-reports) [PreviousLinux / NGINX / Kong](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/linux-nginx-kong) [NextWAF Dashboard](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/waf-dashboard) Last updated 2 months ago Was this helpful? --- # Docker | CloudGuard WAF [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker#overview) Overview --------------------------------------------------------------------------------------------------------------- CloudGuard WAF can be deployed using Docker Images in one of two main configurations: * **Single Docker** - a single docker image containing a managed reverse proxy server and the CloudGuard WAF Security agent. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FynoroP79nHKfrVX6OHDS%252Fimage.png%3Falt%3Dmedia%26token%3D73922ffc-60ac-4bcf-9f14-5e670965805a&width=768&dpr=4&quality=100&sign=d282bf69&sv=2) * **Dual Dockers** - **NGINX Reverse Proxy** **Docker** or **Kong API Gateway Docker** + **CloudGuard WAF Security Agent Docker** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FYO8N9aSYFk9x4JAixNXF%252Fimage.png%3Falt%3Dmedia%26token%3Dfa58121b-921a-4cc5-bf11-d5fb34761435&width=768&dpr=4&quality=100&sign=c7886d5&sv=2) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fe4rUYecE44Nan7vWiLQu%252Fimage.png%3Falt%3Dmedia%26token%3D17684743-56ec-4c23-926b-029bc3a682dc&width=768&dpr=4&quality=100&sign=651af4ac&sv=2) The following table compares the two options: Single Docker Dual Docker CloudGuard WAF Full Full NGINX Managed Centrally via WebUI/API or Locally Managed Locally Kong Not Available Managed Locally Upgrade Standard Each Docker can be upgraded separately Docker Compose protecting a specific Application Supported Not Supported Run in PaaS platforms such as Azure App Services Supported Not Supported [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker#deployment-instructions) Deployment Instructions --------------------------------------------------------------------------------------------------------------------------------------------- [Single Docker](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker) [Dual Docker: NGINX/Kong/Envoy + Security Agent](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent) [PreviousNGINX Application Security](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/nginx-application-security) [NextSingle Docker](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker) Last updated 11 months ago Was this helpful? --- # Notifications | CloudGuard WAF When browsing to **Monitor->Notifications** a specific log view is shown. This view includes notifications to the user about an issue and a remediation action item, usually regarding detection of a configuration or environment issue CloudGuard WAF has detected around it. The Log view includes a "Remediation" column where the instructions will be shown. Urgent notifications, if there are any, will appear on the top bar of the application in any page, leading to this page for additional information. [PreviousEvent Views](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/event-views) [NextEmail Reports](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/email-reports) Last updated 3 months ago Was this helpful? --- # Integrating WAF SaaS with AWS CloudFront | CloudGuard WAF This guide walks you through integrating the Check Point WAF with your existing AWS CloudFront distribution. The WAF must be deployed _after_ CloudFront, since CloudFront is the entry point exposed to the public internet. ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas/integrating-waf-saas-with-aws-cloudfront#prerequisites) Prerequisites Before starting, make sure you have: * An active **Check Point WAF subscription** with access to the WAF management UI. * An existing **AWS CloudFront distribution** configured with your domain. * Access to **update your DNS records**. ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas/integrating-waf-saas-with-aws-cloudfront#deployment) Deployment #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas/integrating-waf-saas-with-aws-cloudfront#id-1.-deploy-waf-saas) 1\. Deploy WAF SaaS Follow the instructions bellow: [WAF-as-a Service (WAF SaaS)](https://waf-doc.inext.checkpoint.com/concepts/waf-as-a-service-waf-saas) in step 1 (Define the website you want to protect) - make sure to input * Enter the **public URLs** (e.g. `www.example.com`) * Use the **internet-facing domain**, not the CloudFront domain. * Provide the **upstream origin URL** (e.g. your CloudFront origin) * Do **not** set the upstream server as CloudFront — this is a common mistake. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FANNr3iEg5BBosnCSvRVX%252Fimage.png%3Falt%3Dmedia%26token%3D78921363-fda5-4517-9c68-b1f00d438810&width=768&dpr=4&quality=100&sign=7cab2f9c&sv=2) * * * #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas/integrating-waf-saas-with-aws-cloudfront#id-2.-copy-the-waf-dns-endpoint) 2\. Copy the WAF DNS Endpoint Once the asset has been created the WAF will provides a **WAF DNS endpoint** (e.g., `xxxx.checkpoint.com`). ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FB09piZIxovse6Q7djHNN%252Fimage.png%3Falt%3Dmedia%26token%3D2859cf20-cc71-47f2-baef-df42ca2f6a1a&width=768&dpr=4&quality=100&sign=cc8156e&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas/integrating-waf-saas-with-aws-cloudfront#id-3.-update-cloudfront-configuration-review-current-origin-before-change) 3\. Update CloudFront Configuration - Review Current Origin (Before Change) 1. Open your CloudFront distribution in the **AWS Console**. 2. Under **Origins**, review the current configuration (typically pointing to your application server or load balancer). #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas/integrating-waf-saas-with-aws-cloudfront#id-4.-update-cloudfront-configuration-change-origin-to-waf) 4\. Update CloudFront Configuration - Change Origin to WAF 1. Edit the **origin configuration**. 2. Set the **Origin Domain Name** to the **WAF DNS endpoint** from Step 2.2. 3. Save changes. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F1W3hIv4pE8f8IyLJqnXE%252F%257B6C193AFB-AA8D-4081-810D-D292FEEB879A%257D.png%3Falt%3Dmedia%26token%3D5a24177d-4a9d-46d3-bfea-0378e380d596&width=768&dpr=4&quality=100&sign=2faa55e2&sv=2) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F0uR5VUMJ84Sq3jvzx592%252Fimage.png%3Falt%3Dmedia%26token%3D3d776c67-e92f-4633-bf3b-f79f7c41961a&width=768&dpr=4&quality=100&sign=8e98bb20&sv=2) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FjwshSzJIvMGZ9x50fxUu%252Fimage.png%3Falt%3Dmedia%26token%3Dddf8cfbe-877f-4bd2-9c72-bb3ca47a0287&width=768&dpr=4&quality=100&sign=7e79098a&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas/integrating-waf-saas-with-aws-cloudfront#id-5.-deploy-and-verify-changes) 5\. Deploy and Verify Changes After saving, CloudFront will redeploy with the new settings. Once deployed, traffic will flow: Copy Internet → CloudFront → WAF → Application Origin #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas/integrating-waf-saas-with-aws-cloudfront#id-6.-dns-considerations) 6\. DNS Considerations * If **DNS already points to CloudFront** (recommended), no changes are needed. * If DNS was pointing **directly to your origin**, update it to point to the **CloudFront distribution domain**. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas/integrating-waf-saas-with-aws-cloudfront#id-7.-validation) 7\. Validation 1. Visit your domain (e.g., `https://www.example.com`). 2. In the **WAF logs**, confirm that requests are reaching the WAF. You have successfully integrated Check Point WAF with CloudFront. [PreviousWAF-as-a-Service (WAF SaaS)](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas) [NextKubernetes](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes) Last updated 1 month ago Was this helpful? --- # VMware | CloudGuard WAF [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware#overview) Overview --------------------------------------------------------------------------------------------------------------------------------------- If you are deploying a CloudGuard WAF Gateway to protect an existing production website, we recommend you also read the [HOW-TO guide for this particular deployment](https://waf-doc.inext.checkpoint.com/how-to/protect-an-existing-production-site-with-cloudguard-wafs-gateway) . CloudGuard WAF can be deployed as either a single virtual machine or several virtual machines in VMware vSphere. It acts as a reverse proxy where before / after you can deploy load balancer. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FKme4fpG9iLiyGspQLgCp%252Fdownload%2520%282%29.svg%3Falt%3Dmedia%26token%3Dcd53c52f-f89f-4942-8f83-03f497b75fda&width=768&dpr=4&quality=100&sign=a81690de&sv=2) [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware#installation) Installation ----------------------------------------------------------------------------------------------------------------------------------------------- Follow these steps to deploy CloudGuard WAF in **VMware vSphere 6.5** and above: **Minimal configuration for CloudGuard WAF VM is:** 2\*vCPU, 4GB RAM, 50GB Disk **Recommended configuration for CloudGuard WAF VM is:** 4\*vCPU, 8GB RAM, 50GB Disk #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware#step-1-download-the-cloudguard-waf-installation-package-for-vmware) Step 1: Download the CloudGuard WAF installation package for VMware Download the software archive and extract the files from here: [https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.DCFileAction&eventSubmit\_doGetdcdetails=&fileid=128551](https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=128551) The file will be a zipped file with the prefix "**Check\_Point\_CloudGuard\_Infinity\_Next\_Gateway\_V**\*". Unzip it to extract the included 4 files (a **vmdk** file, an **ovf** file, an **mf** file and a **cert** file). #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware#step-2-launch-vsphere-web-client) Step 2: Launch vSphere Web Client Open a Web browser and enter the URL of your vCenter's vSphere Web Client e.g: https://{vcenter\_server\_ip\_address\_or\_fqdn}/vsphere-client #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware#step-3-deploy-ovf-template) Step 3: Deploy OVF Template * Go to either the **Hosts and Clusters** or **VMs and Templates** tab and right-click on the data center to deploy the VM in. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FFUVhdqzZ3RNABvd57ZmR%252Fappsec-vcenter-deployment-deploy-ovf.jpg%3Falt%3Dmedia%26token%3D636e4f2b-47a8-405f-803d-2c4e6d916d75&width=768&dpr=4&quality=100&sign=fafe6a67&sv=2) * Click Deploy OVF Template. * Go to Local file and select the four extracted files. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F2IKu5cCm0aPyAyTNojKc%252Fappsec-vcenter-deployment-select-ovf-files.jpg%3Falt%3Dmedia%26token%3D763150be-5c50-4e0e-8197-ad10b081df8c&width=768&dpr=4&quality=100&sign=c0ee903e&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware#step-4-complete-the-necessary-details-of-the-ovf-deployment-forms) Step 4: Complete the necessary details of the OVF deployment forms * Click **Next** until you get to Review details where you can find details about the certificate, product version, and more. Click **Next** again once you have reviewed them. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FEyHq1pUhpnznOUtVB8up%252Fappsec-vcenter-deployment-review-details.jpg%3Falt%3Dmedia%26token%3D2f3c9d11-6194-4e4c-a7fb-d35ea2fba55d&width=768&dpr=4&quality=100&sign=de035eac&sv=2) * Select storage, network, and customize the template options as you wish. * **Select storage** - allows changing the VM Storage Policy such as the virtual disk format (thin or thick provisioning) and selecting the exact storage volume to use. Make sure you have at least X free size of storage for CloudGuard WAF's Gateway. * **Select networks** - The network chosen for the VM must include internet connectivity to Check Point's cloud network. If needed it will be possible later to create more than the single interface that is automatically configured. * **Customize template** \- There are several required fields to fill before clicking "Next": ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FfwJpfNq2m6ugr7UDFjOe%252Fappsec-vcenter-deployment-customize-template.jpg%3Falt%3Dmedia%26token%3Df16d5d40-f908-442b-beb6-a5f8db90c398&width=768&dpr=4&quality=100&sign=29e7152a&sv=2) 1. **Hostname** \- a valid linux hostname (e.g. no spaces). 2. **Default Gateway Address** 3. **Admin password** - set the password used by the user 'admin' when connecting via terminal, ssh, or web portal. 4. **IP address & subnet** - A valid routable IP address and subnet of the main interface for this VM. 5. **Primary DNS** - The address of the DNS server to be used by the CloudGuard WAF Gateway. 6. **(Usually not required) Proxy Configuration** - This is for the less common case where internet access from the CloudGuard WAF VM can only go through a main proxy server. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FAa3dhr9BHrVCkruGyhCK%252Fappsec-vcenter-deployment-customize-template-scrolled-down.jpg%3Falt%3Dmedia%26token%3D29fb2e9a-74ab-441f-81d2-f9545deac32d&width=768&dpr=4&quality=100&sign=96174373&sv=2) 1. **(Not required) NTP Server Configuration** - If you want the time configuration for this machine to use an NTP server such as ntp.checkpoint.com or an NTP server for your organization. 2. **Infinity Next Agent Token** - Required to be added twice. The token copied from the WAF Gateway profile. 3. The form allows an advanced administrator to add their own custom configuration commands to run automatically at the end of the deployment operation. Those commands can be Linux commands or [Gaia Clish commands](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/Gaia-Clish-Commands.htm) : 1. **(Not required) Additional Clish Commands** - The commands must be encoded in Base64. You can optionally add any additional configuration commands using the [Check Point Gaia Clish commands](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/Gaia-Clish-Commands.htm) if relevant to your network. The method to do it is as follows: 1. Prepare a file in a Linux environment with the Clish command/s you wish to run. (If the file was originally created in Windows, copy it to Linux and run dos2unix on it before continuing to the next step) 2. Run the following command: _**cat | base64 -w 0**_ 3. The output of this command should be copied and pasted into the "Additional Clish Commands" box in the "Customize Template" form. 2. **(Not Required) Advanced Configuration Settings** - The commands must be encoded in Base64. You can optionally add any additional Linux bash configuration commands. The method to do it is as follows (the same as with Clish commands): 1. Prepare a file in a Linux environment with the Linux command/s you wish to run. (If the file was originally created in Windows, copy it to Linux and run dos2unix on it before continuing to the next step) 2. Run the following command: _**cat | base64 -w 0**_ 3. The output of this command should be copied and pasted into the "Advanced Configuration Settings" box in the "Customize Template" form. Make sure you obtain the from the [Enforcement **Profile**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) page, **Authentication** section. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FodEuUgaIWcxkuTtYrJ2n%252Fappsec-profiles-authentication-token.PNG%3Falt%3Dmedia%26token%3Daaa5d4ad-7a5b-4986-9378-7ec39b22aadd&width=300&dpr=4&quality=100&sign=372cae61&sv=2) * Click **Next** and then **Finish**. The deployment starts. * Power on the new VM that was created. To access the Cloud, the Gateway requires access to DNS and to the Internet in port 443. If you wish to limit access to specific IPs or URL, a list of Check Point operated regional public Fogs can be found in the management portal, under **Support->FAQ** #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware#step-5-power-on-the-newly-created-vm) Step 5: Power on the newly created VM Locate the newly created machine on the VCenter, right click the object and select "**Power On**". ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Ftx8fI9ngfw5p0tFfEcWJ%252Fappsec-vcenter-deployment-power-on.PNG%3Falt%3Dmedia%26token%3Dbe5ff803-89c0-4687-b8d1-718ab8ca75dc&width=768&dpr=4&quality=100&sign=83b7095&sv=2) After a few minutes, the CloudGuard WAF Gateway will connect to the CloudGuard WAF Management portal and you will be able to view its details on the **Policy->Agents** view. It is recommended that Time Zone will be configured using the networking administration portal of the newly created CloudGuard WAF Gateway. For advanced networking configurations as well as time zone configuration: [Configure networking in VMware Deployments](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/configure-networking-in-vmware-deployments) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware#step-6-optional-store-certificates) Step 6 (optional): Store certificates [Store Certificates on Gateway](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-on-gateway) [PreviousStore Certificates on Gateway](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-on-gateway) [NextStore Certificates on Gateway](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/store-certificates-on-gateway) Last updated 11 months ago Was this helpful? --- # WAF-as-a-Service (WAF SaaS) | CloudGuard WAF [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas#overview) Overview ---------------------------------------------------------------------------------------------------------------------------------- CloudGuard WAF SaaS delivers the full security capabilities of CloudGuard WAF—without the need for complex deployment. It simplifies protection by routing your domain’s traffic through CloudGuard's cloud-based service, where traffic is inspected and forwarded securely to your internal servers. In addition to streamlined deployment, WAF SaaS enhances your security posture with advanced DDoS protection. The service operates as a reverse proxy, inspecting incoming traffic and applying CloudGuard WAF security policies before passing requests to your origin servers. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FIYthzLacD6h06TaRZEIC%252Fappsec-as-a-service-deployment-diagram.PNG%3Falt%3Dmedia%26token%3Db71582bc-d20e-42b3-8bdf-ce181ce61de5&width=768&dpr=4&quality=100&sign=583d3f3e&sv=2) [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas#cloudguard-waf-saas-points-of-presence-pops) CloudGuard WAF SaaS Points of Presence (PoPs) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- When setting up your CloudGuard WAF SaaS account, you selected a **data region**. This defines your **data residency**—the physical or geographic location where your data is stored—and determines the region of the **Infinity Portal** where you can view and manage configurations and logs. For more information, see: [WAF-as-a Service (WAF SaaS)](https://waf-doc.inext.checkpoint.com/concepts/waf-as-a-service-waf-saas) ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas#deployment) Deployment #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas#prerequisites) Prerequisites * **DNS Ownership:** You must control the DNS settings for the domain you’re protecting. * **Origin Accessibility** · Whitelist all CloudGuard WAF SaaS IPs on your internal web server. · If you’ve just spun up a new server, you may temporarily expose it publicly for this initial phase—but _must_ lock it down immediately after WAF goes live. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas#instructions) Instructions: To protect your web application with **CloudGuard WAF SaaS**, follow these steps: #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas#id-1.-create-a-new-asset) 1\. Create a New Asset Define the website you want to protect. * Enter the **public URLs** (e.g. `www.example.com`) * Provide the **upstream origin URL** (e.g. your internal server’s IP or hostname) If you want to integrate your WAF with an existing AWS CloudFront follow the steps here: [Integrating WAF SaaS with AWS CloudFront](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas/integrating-waf-saas-with-aws-cloudfront) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fxt0WEyxRHozxfjRkxAtU%252Fimage.png%3Falt%3Dmedia%26token%3Df46fee00-9faa-4a52-9b7a-6464e1d13095&width=768&dpr=4&quality=100&sign=655ce86&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas#id-2.-connect-to-a-waf-saas-profile) 2\. Connect to a WAF SaaS Profile Link your asset to a **new or existing WAF SaaS profile**. This profile contains your security policies and PoP settings, such as the geographical region in the world where you traffic will be processed. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FOoOlDAFVYYePmRxyF3VM%252Fimage.png%3Falt%3Dmedia%26token%3D6bcb6046-bed4-4ba3-8c87-2099f92fc3fd&width=768&dpr=4&quality=100&sign=814e2427&sv=2) **3\. Select a Certificate Management Option** Choose how SSL/TLS certificates will be handled: * **Check Point Managed -Managed Certificate** Let us generate and renew your certificates automatically using Let’s Encrypt. * **Bring Your Own Certificate** Upload an existing certificate and private key (PEM format). ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fe6FC4lR2AYcV1wvWdMJR%252Fimage.png%3Falt%3Dmedia%26token%3Da614ef98-a34d-49f9-96ed-bcf69e05df1b&width=768&dpr=4&quality=100&sign=2a8b0ee9&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas#id-4.-complete-certificate-configuration) 4\. Complete Certificate Configuration Follow the detailed instructions based on the option selected in Step 3: Certificates Managed by Check Point Bring Your Own Certificate (BYOC) When using **Check Point ‑managed certificates**, setup is mostly automatic. However, for **each domain** protected by **WAF SaaS in a specific region**, you must complete the following steps to ensure traffic is fully secured. **When to perform these steps** * When creating a new asset * When adding new domains to an existing asset * When attaching a WAF SaaS profile to an asset that wasn’t previously protected * When editing a domain (remove the old one _after_ adding and configuring the new one) **Prove Domain Ownership** To authorizes Check Point to issue certificates for your domain using Let’s Encrypt, Follow the steps bellow: 1. In the Infinity Portal, go to **Policy → Profiles**. 2. Select the **CloudGuard WAF SaaS profile** created during the Asset setup. 3. Find the domain marked as “Pending Action” and click it. 4. Copy the **DNS CNAME record** shown under the domain ownership verification step. 5. In your DNS provider’s console, **add the CNAME record** with the name and value provided. You must complete this step **for each domain** individually (e.g. `www.myapp.com` and `api.myapp.com`) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FCqsiN0Dnx9pfBx7ViF0M%252Fappsec-as-a-service-profiles-pending-validation.PNG%3Falt%3Dmedia%26token%3Db4e9cc3b-324c-4a36-9afd-ed86b745218b&width=768&dpr=4&quality=100&sign=854581c1&sv=2) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F6vAdZ85bB6DDv4au6Jzw%252Fappsec-as-a-service-profiles-validation-instructions.PNG%3Falt%3Dmedia%26token%3Dd980a407-1205-4123-b283-5229b543c70a&width=768&dpr=4&quality=100&sign=b7378dda&sv=2) While CloudGuard WAF SaaS offers managed public SSL/TLS certificates signed by Let’s Encrypt, you may choose to use your **own certificate and private key**—ideal for compliance needs or existing certificate infrastructure. Your private key is **end-to-end encrypted** during upload, ensuring complete confidentiality and security. To configure HTTPS traffic with your own certificates, follow the steps below: #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas#upload-certificate-and-private-key) Upload Certificate and Private Key 1. In the Infinity Portal, navigate to **Policy → Profiles**. 2. Select the **CloudGuard WAF SaaS profile** linked to your asset. 3. For each domain listed, click on it and: * Upload the **public certificate** (PEM format) * Upload the **private key** * Ensure the certificate includes the **full chain** This process must be repeated for **each domain**, e.g., `www.myapp.com` and `api.myapp.com`. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FCqsiN0Dnx9pfBx7ViF0M%252Fappsec-as-a-service-profiles-pending-validation.PNG%3Falt%3Dmedia%26token%3Db4e9cc3b-324c-4a36-9afd-ed86b745218b&width=768&dpr=4&quality=100&sign=854581c1&sv=2) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FYLWc1K7YCifExzMFtZTc%252FPicture1.png%3Falt%3Dmedia%26token%3D04b3a011-6fde-497d-a815-f575ab4819a1&width=768&dpr=4&quality=100&sign=ed1316d&sv=2) 1. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas#connect-your-domain-to-waf-saas) Connect your domain to WAF SaaS Before performing this stage, disable any existing AWS CloudFront configuration for your website's address if you have any. Once the previous step is completed, a new **CNAME value** will be generated (this may take up to 30 minutes). 1. In your DNS configuration, replace the existing CNAME record for your domain with the **new CNAME value** issued by Check Point. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FjtFIyjHwZh16TlbPB8OL%252Fappsec-as-a-service-profiles-validation-completed.PNG%3Falt%3Dmedia%26token%3De3312c60-320f-4ebf-8154-29a0b73c02a8&width=768&dpr=4&quality=100&sign=f03b7dd6&sv=2) 2. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas#allow-waf-saas-to-access-your-origin-server) Allow WAF SaaS to Access Your Origin Server To ensure smooth traffic flow between WAF SaaS and your internal web server: 1. **Allow incoming traffic** from the IP addresses provided in the **WAF SaaS deployment form**. 2. **Do not remove** existing access rules until: * 72 hours have passed (to allow full DNS propagation), and * You have confirmed successful traffic flow through WAF SaaS. If the origin was previously publicly accessible, restrict access to only WAF SaaS IPs after DNS switchover. If you were using another reverse proxy, consider removing its IPs from the access list after confirming the switch. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FDdWkbnTqXs0DtqqdEZEg%252Fappsec-as-a-service-profiles-deployment-instructions.PNG%3Falt%3Dmedia%26token%3D4736c2ed-2ca7-4a7c-9a0b-8dc4669d287e&width=768&dpr=4&quality=100&sign=6558de63&sv=2) 3. **Test Access to Your Site** After completing the above steps: * Confirm that the website is reachable over HTTPS. * Verify that traffic is flowing through WAF SaaS (you can check headers or logs in the Infinity Portal). * Double-check that your origin server is **no longer publicly accessible** (unless intentionally exposed). While DNS changes typically take just a few hours, allow up to **72 hours** for full global propagation before making final changes. Make sure you have not left a publicly exposed domain in your previous environment! [PreviousConfigure networking in VMware Deployments](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/configure-networking-in-vmware-deployments) [NextIntegrating WAF SaaS with AWS CloudFront](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas/integrating-waf-saas-with-aws-cloudfront) Last updated 2 months ago Was this helpful? --- # DDoS Protection | CloudGuard WAF CloudGuard WAF SaaS delivers built-in, always-on Distributed Denial of Service (DDoS) protection. It natively defends against high-volume and stealthy attacks across network and application layers without requiring separate DDoS services, appliances, or manual setup. This protection engine is available for CloudGuard WAF SaaS. It is not available with local editions of the product such as Gateway & Agent. [](https://waf-doc.inext.checkpoint.com/concepts/ddos-protection#how-it-works) How It Works ------------------------------------------------------------------------------------------------ 1. **Global Edge Defense:** Traffic is analyzed and scrubbed at globally distributed PoPs - blocking large-scale attacks before they reach your infrastructure. 2. **Traffic Profiling & Learning:** During the first 3–7 days, the DDoS Protection Engine baselines normal traffic. 3. **Automatic Prevention:** Once baseline is created, the DDoS Protection Engine starts blocking anomalies in real time. No setup is needed. 4. **Multi-Layer Mitigation:** * **Layer 3/4:** Blocks SYN floods, reflection/amplification attacks, DNS floods. * **Layer 7:** Detects HTTP floods and stealth attacks via behavior-based AI. 5. **IP reputation:** By leveraging threat intelligence identify and block traffic from malicious IP addresses known to be involved in DDoS attacks or reconnaissance activities. 6. **Health-Aware Detection:** Adaptive thresholds ensure mitigation only activates when service health is at risk - reducing false positives and avoiding performance degradation. 7. **24/7 Expert Monitoring:** The DDoS Response Team (DRT) is automatically alerted to DDoS events and proactively supports mitigation efforts. [](https://waf-doc.inext.checkpoint.com/concepts/ddos-protection#the-ddos-dashboard) The DDoS Dashboard ------------------------------------------------------------------------------------------------------------ The DDoS dashboard is populated when an attack happens and gives security teams live visibility and control of attack details. As needed, upon attack, you will also be contacted by our DRT team. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FJEWX7t2rLkZULqFkezw2%252Fimage.png%3Falt%3Dmedia%26token%3D030136ca-16c7-4648-a4ee-ed225a672a1b&width=768&dpr=4&quality=100&sign=2bc02167&sv=2) [](https://waf-doc.inext.checkpoint.com/concepts/ddos-protection#example-scenario) Example Scenario -------------------------------------------------------------------------------------------------------- An attacker launches a sophisticated HTTP/2 flood on your login API. * CloudGuard WAF SaaS detects anomalies against your traffic baseline. * Edge PoPs begin filtering out malicious sessions. * DDoS mitigation activates without affecting real users. * The dashboard shows the attack timeline, response actions, and forensic logs. * The DRT monitors and notifies your team if escalation is needed. Related: [Rate Limit](https://waf-doc.inext.checkpoint.com/additional-security-engines/rate-limit) [Anti-Bot](https://waf-doc.inext.checkpoint.com/additional-security-engines/anti-bot) [PreviousContextual Machine Learning](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning) [NextAnti-Bot](https://waf-doc.inext.checkpoint.com/additional-security-engines/anti-bot) Last updated 4 months ago Was this helpful? --- # Kong Application Security | CloudGuard WAF The Kong Ingress controller and CloudGuard WAF for Kubernetes agent are deployed together with a single Helm chart. The configuration of the Kong Ingress controller is done with common methods for configuring Ingress using both Kubernetes Ingress resources or Kong Ingress resources. This diagram shows an example of a Kubernetes service exposed outside the Kubernetes cluster with an Kong Ingress controller protected with CloudGuard WAF. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fae8IamAHizG4bPpJDgRY%252Fdownload%2520%281%29.svg%3Falt%3Dmedia%26token%3Dd779471a-8e28-43ef-8dec-7d0f82cd9bfe&width=768&dpr=4&quality=100&sign=b8256263&sv=2) [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/kong-application-security#prerequisites) Prerequisites ------------------------------------------------------------------------------------------------------------------------------------------------------- * Kong version 1.22.0+ cluster with [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) enabled with Cluster admin permissions * [Helm 3 Package Manager](https://helm.sh/docs/intro/install/) installed on your local machine * The `kubectl` and `wget` command-line tools installed on your bastion or platform that you use to access the Kubernetes cluster [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/kong-application-security#installation) Installation ----------------------------------------------------------------------------------------------------------------------------------------------------- #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/kong-application-security#step-1-download-helm-chart) Step 1: Download Helm chart Run the following command depending on your Kubernetes version: `wget https://github.com/CheckPointSW/Infinity-Next/raw/main/deployments/cp-k8s-appsec-kong-2.22.0.tgz -O cp-k8s-appsec-kong-2.22.0.tgz` #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/kong-application-security#step-2-install-helm-chart) Step 2: Install Helm chart Make sure you obtained the token from the [Enforcement Profile](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) page first, you will need it in the command to deploy the Helm chart. Obtain the from the **Profile** page, **Authentication** section. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FodEuUgaIWcxkuTtYrJ2n%252Fappsec-profiles-authentication-token.PNG%3Falt%3Dmedia%26token%3Daaa5d4ad-7a5b-4986-9378-7ec39b22aadd&width=300&dpr=4&quality=100&sign=372cae61&sv=2) Run the following command depending on your Kubernetes version (**Note** - package file names contain the name appsec - short for "Application Security" provided by CloudGuard WAF): `helm install cp-k8s-appsec-kong-2.22.0.tgz --name-template cp-appsec --set appsec.agentToken="" --create-namespace -n kong` #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/kong-application-security#step-3-create-ssl-tls-secret-optional-if-the-servers-do-not-use-https) Step 3: Create SSL/TLS Secret (optional if the servers do not use HTTPS) Kubernetes Secrets are used for TLS termination of the Ingress resource. The public/private key pair must already exist before creating the Secret. Read more about Kubernetes TLS Secrets in the [Official Kubernetes Documentation](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) . Create a Kubernetes SSL/TLS Secret using the following command with the public key certificate for `--cert` .PEM-encoded and matching the private key for `--key`: `kubectl create secret tls --key --cert $` #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/kong-application-security#step-4-configure-the-ingress-resource) Step 4: Configure the Ingress resource 1. Edit your ingress.yaml with your favorite editor 2. If needed add the following annotation: `kubernetes.io/ingress.class: "nginx"` ingress.yaml example[](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/kong-application-security#ingress.yaml-example) The ingress.yaml in this example exposes two Kubernetes Services in the 'applications-ns' namespace: * portal-svc (port 8080) exposed through portal.acme.com on port 443 * api-svc (port 80) exposed through api.acme.com on port 80 Copy apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: example-ingress namespace: applications-ns annotations: kubernetes.io/ingress.class: "nginx" spec: tls: - hosts: - portal.acme.com secretName: tls rules: - host: portal.acme.com http: paths: - path: / pathType: Prefix backend: service: name: portal-svc port: number: 8080 - host: api.acme.com http: paths: - path: / pathType: Prefix backend: service: name: api-svc port: number: 80 #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/kong-application-security#step-5-deploy-the-ingress) Step 5: Deploy the Ingress In environments that can allow short downtime, uninstall the older ingress and install the new one. `kubectl apply -f ingress.yaml` In environments that require zero-downtime: 1. Redirect your DNS traffic from the old ingress to the new ingress 2. Log traffic from both controllers during this changeover 3. Uninstall the old ingress once traffic has fully drained from it [PreviousKubernetes](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes) [NextIstio Application Security](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/istio-application-security) Last updated 12 months ago Was this helpful? --- # Single Docker | CloudGuard WAF CloudGuard WAF can be deployed as a single docker containing a managed reverse proxy server and the CloudGuard Security agent. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FSIyX0komvjgBOEvNNrxa%252Fimage.png%3Falt%3Dmedia%26token%3D5d1b9eb1-f342-47b8-b1ac-750668c17888&width=768&dpr=4&quality=100&sign=5202bed0&sv=2) [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker#configuration) Configuration --------------------------------------------------------------------------------------------------------------------------------------- When creating either Web application or Web API assets: * Define the URLs that Users/Clients will access (1) * Define the Application/API URL that will be accessed by the Reverse Proxy (2) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F4eKkiJoNrp34hNc5Qlq8%252Fappsec-assets-wizard-01-web-application.PNG%3Falt%3Dmedia%26token%3D7845c28a-3d11-4798-8f90-eca1c9e86485&width=768&dpr=4&quality=100&sign=75972f30&sv=2) If you plan to deploy in Azure App Services the URLs should be http and not https, because Azure is handling the SSL encryption opening by itself. Certificate configuration will be done in Azure (explained later) * Make sure to select a Docker based profile if creating a new profile to protect the asset (keep the default settings for **Single docker container** and without selecting to manage NGINX yourself): ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FTkebLJYxEFli7Xnt0gH2%252Fappsec-assets-wizard-03-platform-docker.PNG%3Falt%3Dmedia%26token%3D52d345a6-7940-4bc6-8842-0b953d2a8a51&width=768&dpr=4&quality=100&sign=93b88398&sv=2) For deployment in Azure App Services, you can skip the Certificates page in the Wizard above. [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker#deployment-options) Deployment options ------------------------------------------------------------------------------------------------------------------------------------------------- Select the deployment option that best fits your environment and requirements: Manually deploying using the docker command: [Deployment using 'docker' command](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command) Deployment using Azure App Services: [Deployment in Azure App Services](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-in-azure-app-services) [PreviousDocker](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker) [NextDeployment using 'docker' command](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command) Last updated 11 months ago Was this helpful? --- # Email Reports | CloudGuard WAF It is possible to set up protected assets with a Trigger object of type "**Report**". Such an object contains a list of email addresses and a daily/weekly schedule according to which an email will be sent to the configured addresses, with an attached summary report. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FNomfsWNeCOeCSzaReU4F%252Fwaf-email-report-example-content.png%3Falt%3Dmedia%26token%3Da83c22e6-9c41-4761-8943-297173a068f8&width=768&dpr=4&quality=100&sign=34e6340b&sv=2) (In this example, the top countries are shown due to being used in example attacks from various locations, not by real attackers) For a more detailed explanation see here: [Setup Report Triggers](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-report-triggers) [PreviousNotifications](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/notifications) [NextEvent Advisor](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/event-advisor) Last updated 3 months ago Was this helpful? --- # File Security | CloudGuard WAF In addition to the Contextual Machine-Learning based engine, CloudGuard WAF provides file security, aimed at preventing malicious files from being uploaded to the organization's servers. The file security engine scans the HTTP traffic coming into the organization, analyzes any files uploaded, and consults Check Point's Threat Cloud regarding the file's reputation. [](https://waf-doc.inext.checkpoint.com/additional-security-engines/file-security#how-to-change-file-security-settings) How to change File Security settings ----------------------------------------------------------------------------------------------------------------------------------------------------------------- When defining a new Web Application / API, file security is inactive by default. However - a security administrator may choose to activate the mode of the file security engine. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/file-security#step-1-browse-to-policy-greater-than-assets-and-edit-the-web-application-api-asset) Step 1: Browse to Policy->Assets and edit the Web Application / API asset Once the asset edit window opens, select the **Web Attacks** tab and scroll to the **File Security** sub-practice. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FWpcnSTJinAhQJgpXmbRN%252FFileSecurity.png%3Falt%3Dmedia%26token%3Da60ae3f6-0d86-4d1f-b7ec-f7fb05fb3a9e&width=768&dpr=4&quality=100&sign=4e0fca30&sv=2) #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/file-security#step-2-make-sure-the-mode-of-file-security-sub-practice-is-as-desired) Step 2: Make sure the Mode of File Security sub-practice is as desired Setting the Mode to **As Top Level** means inheriting the primary mode of the practice. Otherwise you can override it only for this specific sub-practice to **Detect**/**Prevent**/**Disable**. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F95rbnEmgcqdzcPzR1Pnb%252Fappsec-assets-threat-prevention-file-security-mode-enlarged.PNG%3Falt%3Dmedia%26token%3D8cb912a7-cb99-490b-a23d-8fa374415975&width=768&dpr=4&quality=100&sign=c86ff02b&sv=2) #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/file-security#step-3-edit-the-settings-of-the-file-security-sub-practice) Step 3: Edit the settings of the File Security sub-practice The settings allow: * Configuring the **severity** threshold from which the engine will take an action, if the file was discovered to contain a potential security risk. * Changing the exact behavior upon detection of signature according to its **confidence level** (**Prevent**/**Detect**/**Inactive,** or, **According to Practice** when there is no unique behavior to the group of protections) * Selecting if to extract Archive files for analysis of the extracted content and the configuring: * Maximum limit to scan within an archive file * Exact behavior (**Prevent**/**Detect**/**Inactive,** or, **According to Practice** when there is no unique behavior to the group of protections) for the instance of detecting an archived file within another archived file. * Exact behavior (**Prevent**/**Detect**/**Inactive,** or, **According to Practice** when there is no unique behavior to the group of protections) for the instance of a failure in content extraction. The following file types are considered archives in file security: * **ZIP**: `.zip` * **RAR**: `.rar` * **TAR**: `.tar` * **7z**: `.7z` * **Tar Gzip**:`.tar.gz` * **Tgz**:`.tgz` (shorthand for`.tar.gz`) * **Gz**:`.gz` (usually for single compressed files, not archives) * **Bz2**:`.tar.bz2`(or sometimes `.bz2` if it's compressing a single file) * Limiting file size and selecting the exact behavior (**Prevent**/**Detect**/**Inactive,** or, **According to Practice** when there is no unique behavior to the group of protections) any files exceeding the configured size. * Selecting the exact behavior (**Prevent**/**Detect**/**Inactive,** or, **According to Practice** when there is no unique behavior to the group of protections) for the instance of un-named files, where the title name was not provided as part of the Content-disposition header (see [RFC-1521](https://www.ietf.org/rfc/rfc1521.txt) ). * Activating the **Threat Emulation** engine. The Threat Emulation engine uses an emulated run in a sandbox located in the Check Point ThreatCloud, to prevent multi-stage attacks at the earliest stage. When selected, multiple known file types are scanned by the Threat Emulation engine - Word, Excel, PowerPoint, PDF and executable files. Files that require more than a few seconds to be analyzed by the Threat Emulation engine, may be delivered to users before a final verdict is reached to provide better connectivity. When making the first change to the default Web Application/API Best Practice's configuration such as making changes to the default configuration of the File Security engine settings, you will be prompted to change the name of the Practice to your own custom practice name ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fhu2Vump3xc5w8hiIAUcC%252Fappsec-assets-practice-custom-practice-message.PNG%3Falt%3Dmedia%26token%3Df53efb3f-faa9-4d08-8aa9-5802a2066c5f&width=768&dpr=4&quality=100&sign=63d14cf7&sv=2) #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/file-security#step-5-enforce-policy) Step 5: Enforce Policy Click **Enforce** on the top banner of the Infinity Portal. [PreviousEnforce API Schema](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema) [NextIntrusion Prevention System (IPS)](https://waf-doc.inext.checkpoint.com/additional-security-engines/intrusion-prevention-system-ips) Last updated 8 months ago Was this helpful? --- # API Discovery Dashboard | CloudGuard WAF The API Discovery dashboard is a single-pane view of API usage as detected by the API Discovery engine. This view allows security by visibility. The detected schema is visible through additional views, by visiting **Policy->Assets** and visiting the Assets which use API discovery. To reach the dashboard select **Monitor**, then **API Dashboard** in the main menu. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FKP40caYbkuJBf7vFrr5L%252Fappsec-monitor-api-dashboard-example.png%3Falt%3Dmedia%26token%3D2b5ea722-9265-45aa-bdd3-6d86712c689c&width=768&dpr=4&quality=100&sign=41cb3467&sv=2) At the top of the dashboard you can filter all numbers and the APIs shown for a specific asset, endpoint combination and also if you wish to only see changed APIs. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fh6ty86bqEFV6MrL6LS41%252Fappsec-monitor-api-dashboard-filtering.png%3Falt%3Dmedia%26token%3D0773dde3-ef6f-4c8c-8b52-c7a7d2594a5a&width=768&dpr=4&quality=100&sign=8911078&sv=2) Following is a description of the Dashboard sections: Section Description General Statistics (Top of the Dashboard) Statistics show the number of overall request for the time period, number of unique sources, number of blocked API requests and remind the user regarding Suggestions by the system to fine-tune the learning process. Most Used APIs Chart of the top APIs by request count. Least Used APIs/Not in Use Chart of the least used APIs by request count. This chart can also show unused APIs if they were previously detected by API discovery in an earlier timeframe, or if they appear in the schema used by the [Schema Validation](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema) feature. Top Sensitive Data Type Detected Chart of the top Sensitive Data Types detected by request count. By clicking on a sensitive data type to drill to events, you will be able to also see the URIs used when sending this type. Example: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FuChakaaO7sfvXJdiTw6V%252Fimage.png%3Falt%3Dmedia%26token%3Dd36736ff-d7d4-44c3-9c2a-594889ef83c6&width=300&dpr=4&quality=100&sign=fe65e60f&sv=2) Discovery of API Changes A time-based histogram chart of the dates in which a new API schema was detected, and the number of changes it detected. How many existing APIs changed and how many new APIs were detected. API Endpoints A table of all current detected APIs for the different assets, based on data from the last 7 days. The table also shows which APIs were changed compared to the last detected schema. ### [](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/api-discovery-dashboard#undefined) [PreviousWAF Dashboard](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/waf-dashboard) [NextDDoS Dashboard](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/ddos-dashboard) Last updated 3 months ago Was this helpful? --- # Store Certificates in Azure | CloudGuard WAF Follow the steps described in this page to store your certificate and private keys in Azure that can be used by CloudGuard WAF to process HTTPS traffic ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure#note-about-certificate-renewal) Note About Certificate Renewal When a certificate is renewed, you must update the key vault according to the instructions below, then enforce policy again (even if configuration has not changed) by clicking on "**Enforce**" on the top bar of the web administration application for CloudGuard WAF in the portal, or by using [management API](https://waf-doc.inext.checkpoint.com/references/management-api) . ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure#certificates-usage) Certificates Usage In order to use encrypted traffic (HTTPS) a managed reverse proxy must have access to the relevant certificates of the domains and URLs it exposes. **Example - you have two applications and one API endpoint to protect:** * www.acme.com * www.acme.com/sales * products.acme.com/catalog Examples Certificates used Required action Case 1 You have one wildcard certificate for \*.acme.com Place the certificate in the desired certificate storage by following the instructions below. CloudGuard WAF will use it for all relevant applications Case 2 You have two certificates: (1) for www.acme.com and (2) for products.acme.com Place both certificates in the desired certificate storage by following the instructions below. CloudGuard WAF will automatically use certificate 1 for the first two Applications/APIs and certificate 2 for the last Application ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure#setting-a-certificate-as-part-of-the-cloudguard-waf-template-wizard) Setting a certificate as part of the CloudGuard WAF Template Wizard #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure#pre-requisite-if-you-plan-to-use-an-existing-azure-key-vault) Pre-requisite if you plan to use an existing Azure Key Vault When using an existing Azure Key Vault you first need to make sure it already contains all relevant PFX certificate/s and their password/s. See the section "[Adding a new certificate to an existing Azure Key Vault](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure#adding-a-new-certificate-to-an-existing-azure-key-vault) " for more information. Only PFX certificates are supported. If you already have certificates in your existing Azure Key Vault, it is not possible in Azure to see if they are in PFX or PEM format until you download them from the Azure Web Console by clicking "Download in PFX/PEM format". If your existing certificates are in PEM format, it is possible to convert them the PFX format by using the following command in linux: Copy openssl pkcs12 -inkey -in -export -out After this action follow the instructions in the "[Adding a new certificate to an existing Azure Key Vault](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure#adding-a-new-certificate-to-an-existing-azure-key-vault) " section. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure#step-1-https-settings-tab) Step 1: HTTPS settings tab To store certificates and private Keys in Azure Key Vault, use the HTTPS settings Tab of CloudGuard WAF for Azure ARM Template wizard: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2Fi2-s3-ui-static-content-10.s3.eu-west-1.amazonaws.com%2Fcertificates-profile%2FCertificates%2520Azure%2Fimages%2Fexisting%2520azure%2520key%2520vault.PNG&width=768&dpr=4&quality=100&sign=6c996d2d&sv=2) In the wizard **HTTPS settings tab**, follow these steps: #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure#step-2-decide-if-you-use-an-existing-azure-key-or-creating-a-new-one) **Step 2: Decide if you use an existing Azure key or creating a new one** Select whether you use HTTPS protocol and whether you have an existing Azure Key vault that already contains your SSL certificates, or want to create a new one. The ARM template automatically adds appropriate secret and certificate permissions to the Key Vault for the Scale Set resource. The granted permissions are ‘List’ and ‘Get’. Only certificates that contain Subject Alternative Name (SAN) are supported. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure#step-3-option-a-if-you-chose-to-create-a-new-azure-key-vault-and-upload-certificates) Step 3 option a: If you chose to create a new Azure Key Vault and upload certificates: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2Fi2-s3-ui-static-content-10.s3.eu-west-1.amazonaws.com%2Fcertificates-profile%2FCertificates%2520Azure%2Fimages%2Fnew%2520azure%2520key%2520vault.PNG&width=768&dpr=4&quality=100&sign=3aea4db2&sv=2) * **Azure Key Vault name** * **Number of certificates to upload** - Each certificate has two entries in the Key Vault secrets, one for its certificate and one for its password. * **PFX certificate file** - A PKCS#12 archive that contains the Certificate Authority (CA) certificate and private key. The file name extension for PKCS#12 archives is .p12 or .pfx * **Description** - A description of the uploaded certificate. The uploaded certificates content is encoded to base64 format and stored as 'cert\[1-5\]' in vault's secrets. A description is mandatory to keep track of them. The template allows up to 5 certificates. However - after initial deployment it is possible to add more certificates to the same location. * **Certificate password** - Password used when exporting the PFX certificate. The password is encoded to base64 format and stored in the vault’s secrets as ‘cert\[1-5\]-pw’. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure#step-3-option-b-if-you-chose-to-use-an-existing-azure-key-vault) _Step 3 option b: If you chose to use an existing Azure Key Vault_ This option allows you to use a previously created Azure Key Vault that contains PFX certificates for all your applicable HTTPS based assets in the Infinity Portal. The PFX certificate must contain both the certificate and the private key. It is not necessary to have the Key Vault in the same Resource Group as the deployed template, but it must be created in the same region. Reminder: Read again the Pre-requisite section. When using an existing Azure Key Vault you first need to make sure it already contains PFX certificates and their passwords. See the section "[Adding a new certificate to an existing Azure Key Vault](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure#adding-a-new-certificate-to-an-existing-azure-key-vault) " for more information. To configure the Key Vault’s access policies correctly, under **Enable Access to,** select the checkbox **Azure Virtual Machines for deployment**. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2Fi2-s3-ui-static-content-10.s3.eu-west-1.amazonaws.com%2Fcertificates-profile%2FCertificates%2520Azure%2Fimages%2FAzure_Permission_Model.png&width=768&dpr=4&quality=100&sign=21b0a972&sv=2) _Finally, Click_ _**Enforce**_ _Policy in the Infinity Portal top bar_ _The certificates are fetched when CloudGuard WAF's Gateway first loads and checked again for updates every time you Enforce policy._ #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure#notes) Notes * To attach a different Azure Key Vault to an already deployed Scale Set: 1. Create your Key Vault in the same region as your Scale Set with the Access Policy as described earlier 2. Go to the Scale Set resource and change the value field of the Tag named vault to your new Key Vault name. ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure#adding-a-new-certificate-to-an-existing-azure-key-vault) Adding a new certificate to an existing Azure Key Vault If you already had an existing Azure Key Vault with certificates, before deploying your CloudGuard WAF's Gateway, you must make sure all existing certificates in the vault were added using the instructions in this section. Only PFX certificates are supported. If your certificates are in PEM format, it is possible to convert them the PFX format by using the following command in linux: Copy openssl pkcs12 -inkey -in -export -out #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure#step-1-import-a-certificate) Step 1: Import a certificate Follow the instructions in Azure documentation regarding [importing a certificate file](https://docs.microsoft.com/en-us/azure/key-vault/certificates/tutorial-import-certificate?tabs=azure-portal) . Make sure you only import a supported certificate file (PFX) even if the examples in the documentation show an example for different types. Make sure you know what is the password of the certificate file for the next step (it is configured during the file's creation). #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure#step-2-add-the-certificates-password-to-the-secrets-section) Step 2: Add the certificate's password to the secrets section For CloudGuard WAF's Gateway to associate automatically the PFX's password, you must create a password-type entry in the secrets storage of the Azure Key Vault. Its name must be **-pw** and its value will be the password of the certificate. For example, if you imported a certificate entry named "my-website-cert", then the password entry name must be "my-website-cert-pw" #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure#step-3-create-a-new-web-asset-or-add-a-url-to-an-existing-asset) Step 3: Create a new Web asset or add a URL to an existing asset Navigate to the Infinity Portal and create a new Asset or add an Application URL to an existing Asset, and then click **Enforce** policy. [PreviousAzure](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure) [NextStore Certificates on Gateway](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-on-gateway) Last updated 12 months ago Was this helpful? --- # WAF-as-a Service (WAF SaaS) | CloudGuard WAF [](https://waf-doc.inext.checkpoint.com/concepts/waf-as-a-service-waf-saas#overview) Overview -------------------------------------------------------------------------------------------------- CloudGuard WAF SaaS (also known as WAF-as-a-Service or WAFaaS) is a fully managed, cloud-native Web Application & API Firewall delivered over the internet. You simply update your DNS to route traffic through our global points of presence (PoPs). They handle SSL termination (issuing and renewing certificates), DDoS and bot mitigation, and then securely forward legitimate traffic to your servers The SaaS service implements a Reverse proxy function with CloudGuard WAF's security. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FIYthzLacD6h06TaRZEIC%252Fappsec-as-a-service-deployment-diagram.PNG%3Falt%3Dmedia%26token%3Db71582bc-d20e-42b3-8bdf-ce181ce61de5&width=768&dpr=4&quality=100&sign=583d3f3e&sv=2) Using standard SSL/TLS technology ensures traffic remains secure and confidential from the moment it leaves the application client until it reaches you. Initially, data is transmitted and encrypted from the application client. Upon arrival at our WAF SaaS entry point, the data is decrypted for security inspection. Once inspected, it is re-encrypted and transmitted to the application securely. [](https://waf-doc.inext.checkpoint.com/concepts/waf-as-a-service-waf-saas#data-regions-and-points-of-presence-pops) Data Regions and Points of Presence (PoPs) -------------------------------------------------------------------------------------------------------------------------------------------------------------------- When creating an account to manage your security, a Data Region was selected. Data Residency refers to physical region where your configuration and logs are stored. Data Regions are currently available in: * EU * US * India * Australia With WAF SaaS there are also Points of Presence (PoPs). They are the physical locations where WAF workloads are deployed and traffic is actually inspected . For optimal performance, it is recommended to choose a PoP as close to your application servers as possible - this proximity ensures optimal latency. Current available PoPs: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FDxoZvQ65Ba1WWnvUxoG6%252Fimage.png%3Falt%3Dmedia%26token%3Dcf8ca496-3679-4eae-9e6b-f3841403fbaf&width=768&dpr=4&quality=100&sign=41a3b59d&sv=2) [](https://waf-doc.inext.checkpoint.com/concepts/waf-as-a-service-waf-saas#ddos-protection) DDoS Protection ---------------------------------------------------------------------------------------------------------------- CloudGuard WAF SaaS provides comprehensive L3-L7 DDoS Protection, see here: [DDoS Protection](https://waf-doc.inext.checkpoint.com/concepts/ddos-protection) [](https://waf-doc.inext.checkpoint.com/concepts/waf-as-a-service-waf-saas#prerequisites) Prerequisites ------------------------------------------------------------------------------------------------------------ * Ownership of the DNS configuration for the protected domain. * Accessibility - You must be able to configure your internal web server to be accessible from the IP addresses of WAF SaaS PoPs. * Limiting access to your backend - you must be able to limit access to your back-end from WAF SaaS PoPs only so it is not exposed directly to the Internet. For deployment instructions see here: [WAF-as-a-Service (WAF SaaS)](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas) [PreviousEvent Advisor](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/event-advisor) [NextGateways & Agents](https://waf-doc.inext.checkpoint.com/concepts/gateways-and-agents) Last updated 4 months ago Was this helpful? --- # View Policy of all your Web Applications/APIs | CloudGuard WAF A summary of all CloudGuard WAF practices is available under **Policy->Policy** in the form of rules view. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FCYPIYXzGAMfeDwWnvgeH%252Fappsec-threat-prevention-rules-view.PNG%3Falt%3Dmedia%26token%3Ddcc0bf98-bf47-4769-9a80-3b15550be409&width=768&dpr=4&quality=100&sign=6166bd05&sv=2) ### [](https://waf-doc.inext.checkpoint.com/how-to/view-policy-of-all-your-web-applications-apis#rules-table) Rules table #### [](https://waf-doc.inext.checkpoint.com/how-to/view-policy-of-all-your-web-applications-apis#asset-zone) Asset/Zone The asset or zone (dynamic group of assets) the security practice protects #### [](https://waf-doc.inext.checkpoint.com/how-to/view-policy-of-all-your-web-applications-apis#practices) Practices The CloudGuard WAF practice configured to protect the asset/zone. #### [](https://waf-doc.inext.checkpoint.com/how-to/view-policy-of-all-your-web-applications-apis#mode) Mode The mode can be show: * **Detect** - The practice is configured to log events without blocking traffic. * **Prevent** - The practice is configured to block incoming traffic upon detection of a malicious attack. * **Disabled** * **Mixed** - The practice may be set to "Detect" or "Prevent" but a mode of at least one sub-practice (e.g. CloudGuard WAF IPS, API Schema Validation, etc.) is set to override the main mode. #### [](https://waf-doc.inext.checkpoint.com/how-to/view-policy-of-all-your-web-applications-apis#exceptions) Exceptions Shows configured exclusions configured for the practice. #### [](https://waf-doc.inext.checkpoint.com/how-to/view-policy-of-all-your-web-applications-apis#triggers) Triggers Shows the Log Trigger object/s configured for the practice. #### [](https://waf-doc.inext.checkpoint.com/how-to/view-policy-of-all-your-web-applications-apis#enforcement) Enforcement Shows the Agents Profile/s that enforce this rule. ### [](https://waf-doc.inext.checkpoint.com/how-to/view-policy-of-all-your-web-applications-apis#tab-view) Tab view When selecting a rule, the bottom tabs will show the data of the asset/zone the rule protects. * The "Attribute" tab shows a summary of the asset/zone data. * The other tabs are the same tabs shown when editing the asset/zone object and can be used to edit the asset and practice configuration without being required to go to either the Assets or Zones. [PreviousProtect an existing production site with CloudGuard WAF's Gateway](https://waf-doc.inext.checkpoint.com/how-to/protect-an-existing-production-site-with-cloudguard-wafs-gateway) [NextAdd Data Loss Prevention (DLP) rules](https://waf-doc.inext.checkpoint.com/how-to/add-data-loss-prevention-dlp-rules) Last updated 9 months ago Was this helpful? --- # Contextual Machine Learning | CloudGuard WAF CloudGuard WAF uses a Patented Contextual Machine Learning Engine that utilizes a three-phase approach for detecting and preventing web application and API attacks. In this section you will understand how these three phases deliver accurate results with a very low amount of false positives and how they protect the environment against known and unknown zero-day attacks with real-time protection. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FYv82GDAYy1RWg9mEgpIy%252Fimage.png%3Falt%3Dmedia%26token%3D8355293b-eb44-412d-842c-a50087ff2921&width=768&dpr=4&quality=100&sign=b59e47d8&sv=2) [](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning#phase-1-payload-decoding) **Phase 1 – Payload Decoding** ------------------------------------------------------------------------------------------------------------------------------------------ Effective machine learning requires a deep understanding of the underlying application protocols which is continuously evolving. The engine analyzes all fields of the HTTP request including the URLs, HTTP headers, which are critical in this case, JSON/XML extraction and payload normalization such as base64 and other decoding's. A set of parsers covering common protocols feeds the relevant data into phase 2. For example, in the case of Log4Shell attacks, some exploit attempts were using base64 and escaping encoding so it was possible to pass a space character for applying parameters. [](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning#phase-2-attack-indicators) **Phase 2 – Attack Indicators** -------------------------------------------------------------------------------------------------------------------------------------------- Following parsing and normalization, the network payload input is fed into a high-performance engine which is looking for attack indicators. An attack indicator is a pattern of exploiting vulnerabilities from various families. We derive these attack patterns based on on-going off-line supervised learning of huge number of payloads that are each assigned a score according to the likelihood of being benign or malicious. This score represents the confidence level that this pattern is part of an attack. Since combinations of these patterns can provide a better indication for an attack a score is also calculated for the combination of patterns. For example, in the case of Log4Shell and Spring4Shell attacks, CloudGuard WAF used several indicators from Command Injection / Remote Code Execution / Probing families that signaled payloads to be malicious in a very high score which was enough on its own, but to ensure accuracy and avoidance of false positives, the engine always moves to the third and last phase. [](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning#phase-3-contextual-evaluation-engine) **Phase 3 – Contextual Evaluation Engine** ------------------------------------------------------------------------------------------------------------------------------------------------------------------ This contextual engine is using machine learning techniques to make a final determination whether the payload is malicious, in the context of a specific customer/environment, user, URL and field that in a weighted function sums up to a confidence score. If the score is larger than the threshold the request is dropped. These are the factors that are considered by the engine: #### [](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning#reputation-factor) _Reputation factor_ In each request, the request originator is assigned a score. The score represents the originator’s reputation based on previous requests. This score is normalized and used to increase or decrease the confidence score. #### [](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning#application-awareness) _Application awareness_ Often modern applications allow users to modify web pages, upload scripts, use elaborate query search syntax, etc. These provide a better user experience but without application awareness, these are detected as malicious attacks. We use ML to analyze and baseline the underlying application’s behavior. #### [](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning#learn-user-input-format) _Learn user input format_ The system can identify special user input types that are known to cause false detection and apply ML to modify our detection process and allow legitimate behavior without compromising attack detection. #### [](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning#false-detection-factor) _False detection factor_ If there is an inconsistency in detection a factor is applied to the confidence score based on the reputation factor per detection location. #### [](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning#supervised-learning-module) _Supervised learning module_ Optional module that shows administrators payload and ask them to classify them thus accelerating the learning process. [](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning#additional-information) Additional Information -------------------------------------------------------------------------------------------------------------------------------- For further information on CloudGuard WAF machine learning see also: [Configure Contextual Machine Learning for Best Accuracy](https://waf-doc.inext.checkpoint.com/how-to/configure-contextual-machine-learning-for-best-accuracy) [Track Learning and Move from Learn/Detect to Prevent](https://waf-doc.inext.checkpoint.com/how-to/track-learning-and-move-from-learn-detect-to-prevent) [PreviousSecurity Practices](https://waf-doc.inext.checkpoint.com/concepts/security-practices) [NextDDoS Protection](https://waf-doc.inext.checkpoint.com/concepts/ddos-protection) Last updated 9 months ago Was this helpful? --- # Event Views | CloudGuard WAF The Events view provides a tabular view of events with ability to select granular filter options (left pane in the image below), [search queries](https://waf-doc.inext.checkpoint.com/references/event-query-language) and Time ranges. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FFVoKuOc2IjmCRxGvAciR%252Fappsec-monitor-all-events-view.png%3Falt%3Dmedia%26token%3Dc14144a7-ccbd-4691-9716-9f61f6d5b825&width=768&dpr=4&quality=100&sign=3cbbf4df&sv=2) The events are created when a protected asset is configured with a Trigger object of the type "**Log**" - which is also the default configuration. Log triggers setup and additional configuration options are explained in further details here: [Setup Log Triggers](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers) ### [](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/event-views#event-cards) **Event Cards** When you double click on an event, a card shows details about the specific event. Examples: **Event Severity Classification** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fdo0WALvC4TpPWzRnjrN7%252Fappsec-security-events-log-card-event-info.PNG%3Falt%3Dmedia%26token%3D1e6bd425-9a41-45be-8eff-9d29941842c7&width=300&dpr=4&quality=100&sign=556572f4&sv=2) **Protected Web Asset Name and Policy** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FPuWBAV1rmdlNa88tz9JD%252Fappsec-security-events-log-card-policy.PNG%3Falt%3Dmedia%26token%3D9dddcb97-4020-42d4-af8d-743e7cce7c56&width=300&dpr=4&quality=100&sign=6563c5f6&sv=2) **HTTP Transaction Information** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FO1dMnm3cReM8a2ov9yJe%252Fappsec-security-events-log-card-transaction-and-connection.PNG%3Falt%3Dmedia%26token%3De8f8c950-9599-4cc4-a28e-f74096ce8d1e&width=300&dpr=4&quality=100&sign=f9f6a650&sv=2) **Threat Prevention details** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FFQPoDR8gyg5Lml0dTvst%252Fappsec-security-events-log-card-threat-prevention.PNG%3Falt%3Dmedia%26token%3D16f5d7d8-9efd-4769-9364-c0c7927f1ffd&width=300&dpr=4&quality=100&sign=222bd3d6&sv=2) ### [](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/event-views#time-filters) **Time filters** You can filter events based on time ranges by clicking the time filter selector at the top left corner. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fkt2ZUNBRwptKNXsiw7zG%252Fappsec-security-events-time-filters.PNG%3Falt%3Dmedia%26token%3D601f7b55-f341-4820-9eaa-3fadaf36b10a&width=768&dpr=4&quality=100&sign=d7baf0e6&sv=2) [](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/event-views#event-query-language) Event Query Language ---------------------------------------------------------------------------------------------------------------------------------- CloudGuard WAF features an extensive event query language. For more details see here: [Event Query Language](https://waf-doc.inext.checkpoint.com/references/event-query-language) [PreviousDDoS Dashboard](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/ddos-dashboard) [NextNotifications](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/notifications) Last updated 3 months ago Was this helpful? --- # Track Agent Status | CloudGuard WAF [](https://waf-doc.inext.checkpoint.com/how-to/track-agent-status#banner-notifications-about-agents) Banner Notifications about Agents ------------------------------------------------------------------------------------------------------------------------------------------- When an agent is first connected a green banner will be shown in CloudGuard WAF's web application regardless of your location within the application, informing about the agent connection and including links to the Agents or Events view. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FzrhFNuIBv6uIUGnQsqIw%252Fappsec-agents-agent-connected-banner-notification.PNG%3Falt%3Dmedia%26token%3D47ad548e-bf80-4619-9ebf-c93fb736257f&width=768&dpr=4&quality=100&sign=ec2edfa6&sv=2) [](https://waf-doc.inext.checkpoint.com/how-to/track-agent-status#agents-view) Agents View ----------------------------------------------------------------------------------------------- Go to **Policy->Agents** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FAYAgHA4IWR7wNb7Tje0g%252Fappsec-agents-conncted-agents-view.PNG%3Falt%3Dmedia%26token%3D0e62c2c1-1edd-43ea-9d15-702b5385f64d&width=768&dpr=4&quality=100&sign=629158e3&sv=2) #### [](https://waf-doc.inext.checkpoint.com/how-to/track-agent-status#agents-table-view) Agents Table View The table columns show the important details of the agent like the agents profile to which the agent has connected. * **Latest Version** - This column indicates if the agent's software version is the latest. It is recommended you always keep your agent updated as new versions are released frequently. * **Policy Version** - This column indicates the policy version. If the column is empty, it means the agent has registered but is currently being installed and has not received yet its first policy. The latest policy version can also be seen when browsing to **Policy**\->**Profiles**, selecting the relevant profile and looking at the advanced tab: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FEN7ox1AKSgWmLqjYjEs5%252Fappsec-profiles-advanced-settings-and-policy-version.PNG%3Falt%3Dmedia%26token%3D6871b11d-9571-4d93-9e86-bcfa7ecca36d&width=768&dpr=4&quality=100&sign=c19834dd&sv=2) #### [](https://waf-doc.inext.checkpoint.com/how-to/track-agent-status#agent-details-card) Agent Details Card When selecting an agent in the table, the bottom card shows more advanced details of the agent. #### [](https://waf-doc.inext.checkpoint.com/how-to/track-agent-status#disconnected-agents) Disconnected agents It is possible to toggle the view to see agents that were previously connected but have not created any communication for over 15 minutes. This can assist with troubleshooting. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FAMgDZJ6Ktem4qu08D5kE%252Fappsec-agents-disconnected-connected-agents-combobox.PNG%3Falt%3Dmedia%26token%3Dc789d006-f8b4-444a-8d5f-9096772e37a3&width=768&dpr=4&quality=100&sign=a03a6459&sv=2) A disconnected agent might also indicate the workload it has been installed on is offline, or that connectivity to Check Point cloud has been disrupted. When an agent, which should be connected, is disconnected, please verify the Web Server/Reverse Proxy that agent is installed on is live and with connectivity before additional actions. [PreviousConfigure Contextual Machine Learning for Best Accuracy](https://waf-doc.inext.checkpoint.com/how-to/configure-contextual-machine-learning-for-best-accuracy) [NextTrack Learning and Move from Learn/Detect to Prevent](https://waf-doc.inext.checkpoint.com/how-to/track-learning-and-move-from-learn-detect-to-prevent) Last updated 9 months ago Was this helpful? --- # Anti-Bot | CloudGuard WAF CloudGuard WAF's **Anti-Bot** engine aims at recognizing if the origin of incoming traffic to the protected web application was a human or an automatic script (such as a bot), and to allow blocking non-human activity when set to **Prevent** mode. [](https://waf-doc.inext.checkpoint.com/additional-security-engines/anti-bot#how-to-set-up-anti-bot) How to set up Anti-Bot -------------------------------------------------------------------------------------------------------------------------------- #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/anti-bot#step-1-locate-the-exact-uris-used-by-the-login-registration-forms-of-your-web-application) Step 1: Locate the exact URIs used by the login/registration forms of your web application The Anti-Bot protection injects scripts to the response when a user performs a "GET" request, and uses the output of the injected script to analyze the behavior upon the "POST" request of the login page, as the user fills the login/registration forms. A security administrator protecting a web application, needs to request the owner of the web application's API, for the following: * All **URIs** used to access login/registration pages (via the GET method). * All **URIs** used to POST the login/registration request/form. The required data is URIs and not URLs, meaning the relative path of the GET/POST requests (without the domain name). Once both the security administrator has both lists, the next steps are performed in the administration web application for CloudGuard WAF. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/anti-bot#step-2-browse-to-policy-greater-than-assets-and-edit-the-web-application-api-asset) Step 2: Browse to Policy->Assets and edit the Web Application / API asset Once the asset edit window opens, select the **Anti Bot** tab and click on **Click to add a new Anti Bot Practice**. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FK4Yjhlo4wCcXUogM2r7K%252FAntiBot.png%3Falt%3Dmedia%26token%3Df9bcbdc1-b929-43d2-b81f-54e00457c807&width=768&dpr=4&quality=100&sign=561cf281&sv=2) #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/anti-bot#step-3-add-the-list-of-login-registration-uris-to-inject-scripts-and-uris-to-validate) Step 3: Add the list of login/registration URIs to inject scripts and URIs to validate Click on the '**+**' sign in each of the 2 URI tables and add: * In the **Injected URIs** table - the login/registration "GET" URIs from step 1. * In the **Validated URIs** table - the login/registration "POST" URIs from step 1. When making the first change to the default Web Application Best Practice's configuration such as setting URIs to activate the **Web Bots** security, you will be prompted to change the name of the Practice to your own custom practice name. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fhu2Vump3xc5w8hiIAUcC%252Fappsec-assets-practice-custom-practice-message.PNG%3Falt%3Dmedia%26token%3Df53efb3f-faa9-4d08-8aa9-5802a2066c5f&width=768&dpr=4&quality=100&sign=63d14cf7&sv=2) #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/anti-bot#step-3-make-sure-the-mode-of-the-web-bots-sub-practice-is-as-desired) Step 3: Make sure the Mode of the Web Bots sub-practice is as desired Setting the Mode to **As Top Level** means inheriting the primary mode of the practice. Otherwise you can override it only for this specific sub-practice to **Detect**/**Prevent**/**Disable**. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/anti-bot#step-4-enforce-policy) Step 4: Enforce Policy Click **Enforce** on the top banner of the Infinity Portal. [PreviousDDoS Protection](https://waf-doc.inext.checkpoint.com/concepts/ddos-protection) [NextAPI Protection](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection) Last updated 6 months ago Was this helpful? --- # Rotate profile authentication token | CloudGuard WAF ### [](https://waf-doc.inext.checkpoint.com/how-to/rotate-profile-authentication-token#importance-of-periodic-token-rotation-and-impact) Importance of periodic token rotation and impact As explained in the documentation for [deploying agents](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) , security best practices dictate that authentication tokens should be rotated periodically. The existing token will be invalidated but existing agents that were already registered are not affected. Once rotated, in order to allow deployments of additional agents, **you must** replace all deployment scripts/configuration files/key vault entries that contain the now-invalid token. ### [](https://waf-doc.inext.checkpoint.com/how-to/rotate-profile-authentication-token#how-to-invalidate-existing-token-and-create-a-new-one) How to invalidate existing token and create a new one When browsing to **Policy->Profiles** and editing any profile, its authentication token, used for authentication new deployments, can be found under Authentication section: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FodEuUgaIWcxkuTtYrJ2n%252Fappsec-profiles-authentication-token.PNG%3Falt%3Dmedia%26token%3Daaa5d4ad-7a5b-4986-9378-7ec39b22aadd&width=768&dpr=4&quality=100&sign=372cae61&sv=2) Clicking on the icon will invalidate the current token and create a new one that can be copied. Clicking on the ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FZSgdc1pUg3GPoZxvlBFM%252Frotate-icon.PNG%3Falt%3Dmedia%26token%3D77bd7cd8-658a-41f4-bb68-b5cffe4f404a&width=300&dpr=4&quality=100&sign=96a3e00c&sv=2) icon will invalidate the current token and create a new one that can be copied. [PreviousTrack Learning and Move from Learn/Detect to Prevent](https://waf-doc.inext.checkpoint.com/how-to/track-learning-and-move-from-learn-detect-to-prevent) [NextUpgrade your Reverse Proxy when a Linux/NGINX agent is installed](https://waf-doc.inext.checkpoint.com/how-to/upgrade-your-reverse-proxy-when-a-linux-nginx-agent-is-installed) Last updated 9 months ago Was this helpful? --- # Linux / NGINX / Kong | CloudGuard WAF [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/linux-nginx-kong#overview) Overview ------------------------------------------------------------------------------------------------------------------------- ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/linux-nginx-kong#nginx) NGINX CloudGuard WAF can be deployed as an add-on for NGINX, thus providing protection to any applications and APIs served by NGINX Reverse Proxy. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FlLTc5ecLVlEBILO8EqWK%252Fimage.png%3Falt%3Dmedia%26token%3D750ee7ab-1d74-417b-9580-d5fe83d890d4&width=768&dpr=4&quality=100&sign=198046c6&sv=2) In this scenario the admin have the flexibility to manage all aspects of NGINX on their own. For more details: * [NGINX Documentation](http://nginx.org/en/docs/) * [Configuring HTTP Servers](http://nginx.org/en/docs/http/configuring_https_servers.html) ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/linux-nginx-kong#additional-reverse-proxy-or-api-servers-support) Additional reverse proxy or API servers support As time passes CloudGuard adds support for additional reverse proxy servers and API servers running similarly to the NGINX example depicted above. The basic installation command is the same for all of them as the agent automatically recognizes the environment in which it is installed. Installation of SSL certificates may differ between different servers. Currently supported: * Kong ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/linux-nginx-kong#proxy-vs-locally-served-applications) Proxy vs locally served applications The CloudGuard WAF Nano Agent attaches itself to the traffic being **proxied** by the Proxy Server or API server. If the server serves applications locally, and does not serve as a proxy between an exposed domain and an internal one - the Nano Agent can still inspect the traffic if you change the port for the local applications to a higher port, and add a proxy rule between the exposed listening domain and port, to the same local machine at a higher port. [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/linux-nginx-kong#prerequisites) Prerequisites ----------------------------------------------------------------------------------------------------------------------------------- * An existing deployment of NGINX or Kong for Linux running over a variety of platforms. * Specific versions numbers are updated under **Support->Platforms** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FApNdeY3lNwHtK8trAzbC%252Fgeneral-support-platforms.png%3Falt%3Dmedia%26token%3Dffa33fcc-a74c-44f7-87e1-8ad3127cec5c&width=768&dpr=4&quality=100&sign=487b1f80&sv=2) [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/linux-nginx-kong#installation) Installation --------------------------------------------------------------------------------------------------------------------------------- #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/linux-nginx-kong#step-1-download-the-installer-to-the-linux-machine) Step 1: Download the Installer to the linux machine Run the following commands from the linux server shell: `sudo su` `wget https://sc1.checkpoint.com/nanoagent/nanoegg -O nanoegg` #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/linux-nginx-kong#step-2-install-the-agent) Step 2: Install the Agent Run the following commands from the linux server shell, from the same location as previous step: `chmod +x nanoegg` `./nanoegg --install --token ` Make sure you obtain the from the [Enforcement **Profile**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) page, **Authentication** section. you will need it during agent deployment. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FodEuUgaIWcxkuTtYrJ2n%252Fappsec-profiles-authentication-token.PNG%3Falt%3Dmedia%26token%3Daaa5d4ad-7a5b-4986-9378-7ec39b22aadd&width=300&dpr=4&quality=100&sign=372cae61&sv=2) The installer creates an initial registration with the CloudGuard WAF cloud and downloads the latest version of the agent installation. It will also add to your nginx.conf the following line: `load_module /usr/lib/nginx/modules/ngx_cp_attachment_module.so;` #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/linux-nginx-kong#step-3-configure-ssl-certificates-optional-if-the-servers-do-not-use-https) Step 3: Configure SSL certificates (optional if the servers do not use HTTPS) To configure SSL certificates in **NGINX** follow these guides: * [NGINX](https://nginx.org/en/docs/http/configuring_https_servers.html) * [NGINX PLUS](https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/) To configure SSL certificates in **Kong** follow the guide in the following [link](https://docs.konghq.com/gateway/latest/how-kong-works/routing-traffic/#configuring-tls-for-a-route) . #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/linux-nginx-kong#step-4-verify-installation) Step 4: Verify installation The agent will automatically install, connect and should display a successful connection message within the CloudGuard WAF web portal: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FzrhFNuIBv6uIUGnQsqIw%252Fappsec-agents-agent-connected-banner-notification.PNG%3Falt%3Dmedia%26token%3D47ad548e-bf80-4619-9ebf-c93fb736257f&width=768&dpr=4&quality=100&sign=ec2edfa6&sv=2) To check agent status after the installation from the Linux server shell, you can run: `cpnano -s` [PreviousDual Docker: NGINX/Kong/Envoy + Security Agent](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent) [NextMonitor Events](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events) Last updated 1 year ago Was this helpful? --- # Security Practices | CloudGuard WAF A practice refers to a recommended method for configuring and managing systems to achieve optimal security. It may include setting security policies, monitoring traffic, or deploying features like API Discovery. These practices help users effectively utilize WAF to protect web applications and APIs, ensuring compliance with cybersecurity best practices. CloudGuard WAF provides two Security Best Practices that can be easily activated in Detect/Learn mode or Prevent Mode: Web Application Protection and Web API Protection. The practices use multiple security engines to analyze HTTP web requests and to deliver accurate verdict whether the request is malicious or benign. The engines protect applications and APIs against unknown and advanced web attacks, validate the input of APIs, distinguish humans from bots and protects against industry's well known attacks and CVEs. [](https://waf-doc.inext.checkpoint.com/concepts/security-practices#cloudguard-waf-security-practices) CloudGuard WAF Security Practices --------------------------------------------------------------------------------------------------------------------------------------------- * Web Application Protection Practice * Contextual Machine Learning based-WAF * Anti-Bot Protection * Intrusion Prevention * File Security * Custom Signatures (SNORT) * Web API Protection Practice * Machine Learning based-WAF looks for malicious payload inside API requests * Schema Validation module ensure that API requests adhere to API schema * Intrusion Prevention * File Security * Custom Signatures (SNORT) [](https://waf-doc.inext.checkpoint.com/concepts/security-practices#security-engines) Security Engines ----------------------------------------------------------------------------------------------------------- ### [](https://waf-doc.inext.checkpoint.com/concepts/security-practices#contextual-machine-learning-based-waf-prevent-owasp-top-10-and-advanced-attacks) Contextual Machine Learning-based WAF**: Prevent OWASP Top 10 and Advanced Attacks** This patented engine protect against advanced and zero-day web attacks. It executes a three-stage HTTP web request analysis and delivers an accurate verdict. It uses [Contextual Machine Learning](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning) to identify if a web request is malicious or benign and provides: 1. Superior false-positive rate than traditional WAF (in traditional WAF decisions are mainly based on matches to signatures). 2. Provide zero-day protection by blocking different attack scenarios that are not blocked with a signature-only approach. For example, Log4Shell and Spring4Shell were blocked by CloudGuard WAF preemptively, without any software update. 3. Reduction in administration time because it is not constantly necessary to tune the engine, create exceptions, disable signatures, and more. Learn more about the [Contextual Machine Learning](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning) engines in the next section of this documentation. ### [](https://waf-doc.inext.checkpoint.com/concepts/security-practices#api-security-validate-schema-and-prevent-attacks) API Security: Validate Schema and Prevent Attacks Frequently, software developers do not include verification of API input in their code. The CloudGuard WAF API security component provides two protection models: positive and negative. Administrators can enable one of them, or the two of them. * The **positive model** delivers preemptive protection for possible API vulnerabilities through a schema validation procedure. API schemas in OpenAPI (such as used in "Swagger") are uploaded to CloudGuard WAF. Incoming API requests are validated against these schemas to block all invalid API requests. CloudGuard WAF supports OpenAPI Schemas V3 and above * The **negative model** uses the WAF and automatically detects and blocks malicious payloads in the API. ### [](https://waf-doc.inext.checkpoint.com/concepts/security-practices#ddos-protection-cloudguard-waf-saas) **DDoS Protection (CloudGuard WAF SaaS)** CloudGuard WAF SaaS delivers built-in, always-on Distributed Denial of Service (DDoS) protection. It natively defends against high-volume and stealthy attacks across network and application layers. See more here: [DDoS Protection](https://waf-doc.inext.checkpoint.com/concepts/ddos-protection) ### [](https://waf-doc.inext.checkpoint.com/concepts/security-practices#anti-bot-protection-distinguish-humans-from-bots) **Anti-Bot Protection: Distinguish Humans from Bots** CloudGuard WAF Anti-Bot protection component performs a three-step procedure: 1. Inject scripts into web application pages, such as login pages. 2. Collect data about input patterns and canalize key stroke sequences, mouse moves, and finger touches. Bots do not use such patterns. If a bot artificially creates such patterns, CloudGuard WAF identifies them. 3. Make a decision if the input is entered by a human or by an automatic script (such as a bot), and block this activity. ### [](https://waf-doc.inext.checkpoint.com/concepts/security-practices#intrusion-prevention-ips) **Intrusion Prevention (IPS)** In addition to the Contextual Machine-Learning based engine, CloudGuard WAF provides traditional signature-based protections for over 2800 web-based CVEs (Common Vulnerabilities and Exposures). The signatures arrive automatically to SaaS PopS/agents/gateways as soon as Check Point Security Research team releases them. One of the benefit of these signatures is the ability to see logs that indicate specific CVE number. ### [](https://waf-doc.inext.checkpoint.com/concepts/security-practices#file-security) File Security Files being uploaded to the web server may contain malicious content. CloudGuard WAF's File security contains several engines that allow detection of those malicious files. ### [](https://waf-doc.inext.checkpoint.com/concepts/security-practices#custom-signatures-snort-engine-early-availability) Custom Signatures (Snort Engine) - Early Availability Admins can add signatures in Snort format and they will be enforced by CloudGuard WAF Security Engines. [PreviousManagement & Automation](https://waf-doc.inext.checkpoint.com/concepts/management-and-automation) [NextContextual Machine Learning](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning) Last updated 4 months ago Was this helpful? --- # API Discovery | CloudGuard WAF [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/api-discovery#overview) Overview ------------------------------------------------------------------------------------------------------------------------ API Discovery provides security by visibility to the API passing to the web server. API Discovery provides, after a learning period, the suggested initial schema for [API Schema validation](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema) enforcement, and from then on, assists in maintaining that schema across time by suggesting changes to it according to the actual use. For a full overview of API Discovery's role within API Security, read here: [API Protection](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection) API Discovery supports: 1. REST API 2. GraphQL API Inspecting GraphQL subscription requests, based on Web Sockets, are not supported yet, and will not be detected. [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/api-discovery#how-does-api-discovery-work) How does API discovery work? --------------------------------------------------------------------------------------------------------------------------------------------------------------- API discovery learns the actual behavior of the traffic to the web server's exposed URI paths. **API discovery inspects:** 1. Requests to the internal web server that are accepted by it. i.e. their HTTP return codes are not 4XX/5XX. 2. Traffic blocked by API Schema Validation if active and set to Prevent - In order to suggest missing APIs to the existing validated schema. Once Schema Validation is active and set to "Prevent", API Discovery **must** look at traffic blocked by Schema Validation in order to detect potential new APIs or modified APIs that were added to the client and server, but not added to the schema used by Schema Validation Security. For this reason - **Once Schema Validation is active, all new API suggested by schema validation must be reviewed and approved by the security administrator and schema owner before being added to the schema**. The API Discovery will not have knowledge which of the requests for an API that does not appear in the schema are requests that would've been accepted by the **API Discovery Learning engine has 2 stages:** 1. API detection using an iterative Machine Learning A.I. engine that detects usage of APIs (a combination of the method and the endpoint used in the request). Several different endpoints may be joined at this stage to a single API using path parameters. 2. Schema Builder looks at query parameters and the request body to build the exact schema for each API based on multiple requests. API Discovery saves up to 100 query parameters per API. At this stage, it also detects any use of sensitive data in each API. Schema Builder does not yet look at HTTP headers as part of building the schema with the exception of "Content-Type". Similarly to addition learning mechanisms in CloudGuard WAF, learning levels which track progress. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FFaOKPwvQzSSB40hSymLF%252Fappsec-track-learning-learning-levels.png%3Falt%3Dmedia%26token%3Dbaaccf0c-6497-4d0e-bbcc-1127bc7fcc7c&width=768&dpr=4&quality=100&sign=eff8fe9&sv=2) The Learning mechanism may require the user to decide between several options when the learning result is not conclusive enough. [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/api-discovery#where-can-you-see-api-discovery-results) Where can you see API Discovery Results? --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- For a full explanation of tracking API Discovery results see: [Track API Discovery Learning](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/track-api-discovery-learning) In general, there are 3 locations: 1. **Within each asset, the API Discovery engine shows the detected Schema** and its progress across versions. Versions will initially change due to iterative learning as more and more traffic passes through the engine, and later, versions will be created by a change in the behavior of the client requests and the API the web server accepts. 2. **Within each asset, the Learn tab shows a summary of the discovered schema and allows for supervised fine tuning**. 3. **An** [**API Dashboard**](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events#api-discovery-dashboard) **shows cross-asset view of all APIs** as well as top APIs (most used, least used, sensitive data APIs, etc.) API discovery requires two assets: one for the base application and another for API calls (e.g., example.com and example.com/api). To ensure proper functionality. [PreviousAPI Protection](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection) [NextTrack API Discovery Learning](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/track-api-discovery-learning) Last updated 3 months ago Was this helpful? --- # Setup Log Triggers | CloudGuard WAF CloudGuard WAF protects web servers from attacks. It is possible to trigger a logging event that includes information about the event that was detected or prevented. Logs can be configured to reach a variety of destinations. [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers#the-default-log-trigger) The Default Log Trigger ----------------------------------------------------------------------------------------------------------------------------------- The default setup of CloudGuard WAF is already configured with a log trigger, and so, to view logs triggered by CloudGuard WAF event detection, no additional action is required. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FB4Uixn1slrXTA8Pya8ld%252Fappsec-log-triggers-default-log-trigger-configuration.png%3Falt%3Dmedia%26token%3D4c52dcf3-3a0b-4a1f-ad5e-d1e3de207f42&width=768&dpr=4&quality=100&sign=9ca7d291&sv=2) The default Log Trigger object is configured to log the most interesting events: * Malicious events. * High severity (and above) suspicious events. * Most important identifying data from the request. * Events are sent to CloudGuard WAF cloud to be visible in the [events views and dashboards](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events) . The configuration of the default Log Trigger object can be altered, but the object cannot be deleted. If the default configuration has been altered, it is possible to click "**RESET TO DEFAULT VALUES**" at the bottom of the edit window to return to the default factory settings of this object as defined by Check Point. [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers#customizing-log-triggers) Customizing Log Triggers ------------------------------------------------------------------------------------------------------------------------------------- #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers#step-1-create-a-log-trigger-object) Step 1: Create a Log Trigger object Go to **Policy->Triggers** and click on the **New** icon, the select **Log**: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FAcxJL0iYzH3zeiZaXuzp%252Fappsec-log-triggers-new-button.png%3Falt%3Dmedia%26token%3D7f104c67-a143-47f2-9436-38840a33a712&width=768&dpr=4&quality=100&sign=29ca2bcf&sv=2) Configure a new name to the new trigger object: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F8ILdBmAJ5XaXqnss0i7C%252Fappsec-triggers-new-trigger-name.PNG%3Falt%3Dmedia%26token%3D74c19779-1e55-48b8-8404-76e807ac81a1&width=768&dpr=4&quality=100&sign=2f9f1c8c&sv=2) #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers#step-2-configure-trigger-conditions-when-to-log) Step 2: Configure Trigger conditions ("When to Log") ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FchqW1gHhvOarU9ejCuF7%252Fappsec-triggers-when-to-log-configuration.PNG%3Falt%3Dmedia%26token%3D6e0aa052-76a6-4987-b996-3d8c77d8baf8&width=768&dpr=4&quality=100&sign=13a467c9&sv=2) Select the conditions in which logs are issued: * Detect/Prevent Events - Logs events caught by CloudGuard WAF engines in "Detect" mode or blocked by CloudGuard WAF engines in "Prevent" mode in addition to blocking. If configuration in CloudGuard WAF is set to "Detect" mode, Log Trigger configuration is the only action CloudGuard WAF will take upon detecting an attack. * Logging all web requests regardless of CloudGuard WAF configuration. Logging all web requests has a substantial impact on resources and network bandwidth consumed by CloudGuard WAF. #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers#step-3-configure-trigger-additional-content-what-to-log) Step 3: Configure Trigger additional content ("What to Log") Select the additional data you want to appear in the log sent upon event. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fbt7RmZ0DPriFFKET3zZs%252Fappsec-triggers-what-to-log-configuration.PNG%3Falt%3Dmedia%26token%3D3c121963-8df3-449f-ae81-f2a2564f3309&width=768&dpr=4&quality=100&sign=18055254&sv=2) **Additional logging for suspicious events from Severity "X"** - Allows conditionally adding the Response Body and Response Code to logs according to the severity of the event reported. Adding Request Body and Response Body to logs has the potential of substantially impacting the resources and network bandwidth consumed by CloudGuard WAF, depending on the traffic. For this reason: * The response body is conditional to the severity of the suspicious event. * Either body content will not appear in the log if CloudGuard WAF blocked the request prior to reading their values (for example, upon blocking a request based on its URL). In the case of response body, it will be logged only if the action is set to "Detect" and not "Prevent" as no response will ever arrive, if the request is blocked. #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers#step-4-configure-trigger-destination-where-to-send-the-log) Step 4: Configure Trigger destination ("Where to send the Log") ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fhd9TKKSlH22kpQlSxpaJ%252Fappsec-triggers-where-to-send-logs-configuration.PNG%3Falt%3Dmedia%26token%3D5f27e78b-acb9-4b65-aedd-84e180d88f8b&width=768&dpr=4&quality=100&sign=c6ec9698&sv=2) This configuration determines the destination of the logs sent from the CloudGuard WAF agent, and multiple options can be selected. The trigger destination can be: * Cloud - CloudGuard WAF Cloud, to be viewed by the CloudGuard Application [event views under Monitor](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events) . * Gateway/agent - Logging will be saved locally when possible in the folder _**/var/log/nano\_agent**_. * Syslog service and/or CEF service - Log to an external Syslog/CEF service by adding: * A destination address * Port (Usually 514 in both cases) * Either selecting UDP (common for syslog) or TCP (common for CEF). ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FKWAZMHnGCwOqkIeDkS32%252Fappsec-triggers-where-to-send-logs-syslog-cef-configuration.PNG%3Falt%3Dmedia%26token%3D2d0746d5-c3aa-4162-9d8c-8897a1f711c2&width=768&dpr=4&quality=100&sign=3f073fe5&sv=2) #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers#step-5-setup-your-security-practice-to-use-the-new-log-trigger-object-s) Step 5: Setup your security practice to use the new Log Trigger object/s Browse to **Policy**\->**Assets** and edit the asset you wish to modify. Go to the **relevant practice** tab and scroll to the bottom. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FRUhX5rQW2fNrogQhPLSA%252FUserResponsePage.png%3Falt%3Dmedia%26token%3Dc028d198-0997-4976-9ed1-d1483688bf43&width=768&dpr=4&quality=100&sign=5a1e938c&sv=2) Click on the '**+**' icon next to **Triggers** and add your new Log Trigger object. [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers#logs-structure-to-syslog-cef) Logs structure to Syslog/CEF --------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers#syslog) Syslog Syslog protocol is defined by [RFC 5242](https://datatracker.ietf.org/doc/html/rfc5424) . The structure starts with a priority value in '<>' followed by a timestamp of the log. The agent will also send a value in the syslog header for: * Host name - indicating the host name where the agent is installed * Application name - indicating the nano-service issuing the log. Following the syslog header there are space delimited key value pairs in the structure of `keyname='value'`. The possible keys and description can be seen in the [Events/Logs Schema](https://waf-doc.inext.checkpoint.com/references/events-logs-schema) documentation page. Syslog Example[](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers#syslog-example) `<133>1 2022-05-17T05:55:37.623Z cpnano-agent-915faaab-6a40-4b55-be93-872e911397c0 HTTPTransactionHandler - 5 - title='API Request' agentId='915faaab-6a40-4b55-be93-872e911397c0' issuingEngineVersion='1.2228.372599' serviceName='HTTP Transaction Handler' eventReferenceId='eff9c697-d689-46c8-b702-87c92c728164' eventConfidence='Very High' matchedParameter='[readingValue]' matchedSample='[-45]' matchReason='[Value is lower than the minimum allowed value: -45 < 1.000000]' sourceIP='192.168.154.1' httpSourceId='192.168.154.1' sourcePort='64758' httpHostName='192.168.154.129:8080' httpMethod='POST' httpUriPath='/myApp/setParam' httpUriQuery='' ruleId='d8c0fda7-2ad1-e7ab-32bc-d1a6af6a2ca0' securityAction='Prevent' waapOverride='None' practiceType='Threat Prevention' practiceSubType='Web API' assetId='d8c0fda7-2ad1-e7ab-32bc-d1a6af6a2ca0' assetName='Customer Portal' practiceId='08c0fdac-3295-e034-be39-5ab4c2d11a28' practiceName='MY WEB API PROTECTION PRACTICE' waapIncidentType='Schema Validation' waapIncidentDetails='OpenAPI schema validation failed'` ### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers#cef) CEF CEF protocol is explained [here](https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/web-isolation/1-15/Configuring-Security-Policy/Configuring-ArcSight-Servers/ArcSight-CEF-Mapping.html) . The protocol fields are '|' character delimited and the agent will send the value for: * Device Vendor - Check Point. * Device Product - indicating the nano-service issuing the log. * Event Name - This field will appear in the log structure but is not sent in the key-value pair system. * Severity Following the CEF protocol fields there are space delimited key value pairs in the structure of `keyname=value`. The possible keys and description can be seen in the [Events/Logs Schema](https://waf-doc.inext.checkpoint.com/references/events-logs-schema) documentation page. CEF Example[](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers#cef-example) `CEF:0|Check Point|HTTPTransactionHandler||Event Driven|API Request|High|agentId=915faaab-6a40-4b55-be93-872e911397c0 issuingEngineVersion=1.2228.372599 serviceName=HTTP Transaction Handler eventReferenceId=ad7a5181-b5d3-4b54-bd5b-106e180f0c9d eventConfidence=Very High matchedParameter=[readingValue] matchedSample=[-90] matchReason=[Value is lower than the minimum allowed value: -90 < 1.000000] sourceIP=192.168.154.1 httpSourceId=192.168.154.1 sourcePort=56060 httpHostName=192.168.154.129:8000 httpMethod=POST httpUriPath=/myApp/setParam httpUriQuery= ruleId=d8c0fda7-2ad1-e7ab-32bc-d1a6af6a2ca0 securityAction=Prevent waapOverride=None practiceType=Threat Prevention practiceSubType=Web API assetId=d8c0fda7-2ad1-e7ab-32bc-d1a6af6a2ca0 assetName=Customer Portal practiceId=08c0fdac-3295-e034-be39-5ab4c2d11a28 practiceName=MY WEB API PROTECTION PRACTICE waapIncidentType=Schema Validation waapIncidentDetails=OpenAPI schema validation failed` [PreviousSetup Web User Response Pages](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-web-user-response-pages) [NextSetup Report Triggers](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-report-triggers) Last updated 8 months ago Was this helpful? --- # Setup Agent Upgrade Schedule | CloudGuard WAF **By default the system is set to automatically and seamlessly update agents**. Learn here how to configure a custom schedule instead or switch to a manual upgrade process. [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-agent-upgrade-schedule#configuring-upgrade-mode) Configuring upgrade mode ----------------------------------------------------------------------------------------------------------------------------------------------- To setup specific schedule or switch to manual updates only, navigate to **Policy->Profiles->\[select your profile\].** See the **Agent Upgrade** section. Here you can see the latest available version which you can compare with your active agents' versions. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F6gDk4zAj2LHMRe3ntmPR%252Fimage.png%3Falt%3Dmedia%26token%3Deeb6cf70-6030-4664-a7ec-15513855bab0&width=300&dpr=4&quality=100&sign=42aeb273&sv=2) You can find the currently installed agent version displayed in **Policy->Agents** [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-agent-upgrade-schedule#configuring-unscheduled-automatic-upgrades) Configuring unscheduled automatic upgrades ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The default upgrade mode is configured to **Automatic**. In this mode upgrades are performed with each release of a new agent version. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FSbnLLfIYZb2BtvH3JDQ6%252Fimage.png%3Falt%3Dmedia%26token%3D3003d5d1-d2b2-4604-a85c-65c4df923314&width=300&dpr=4&quality=100&sign=cb388e35&sv=2) [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-agent-upgrade-schedule#configuring-scheduled-automatic-upgrades) Configuring scheduled automatic upgrades ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- For scheduled agent upgrades switch the mode to **Scheduled.** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F4ufpYiY9h5cI0cUrET52%252Fimage.png%3Falt%3Dmedia%26token%3Da11c2a43-25ce-462b-ad44-6e8fa5474edd&width=300&dpr=4&quality=100&sign=4b1d0e8e&sv=2) In the **Day of week** field select any combination of days on which you want to allow upgrades to happen. Configure your desired upgrade window by setting the begin time in UTC in the **Upgrade window starts at (UTC)** field and selecting the maximum allowed upgrade window duration in the **Duration** field between 2 hours and 12 hours (configuration possible in two hour increments). In the example screenshot above scheduled upgrades take place automatically between 2am and 6am only on Sundays, Thursdays and Tuesdays whenever a new upgrade is available. [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-agent-upgrade-schedule#disabling-automatic-updates) Disabling automatic updates ----------------------------------------------------------------------------------------------------------------------------------------------------- In order to prevent automatic scheduled or unscheduled updates from happening change the upgrade mode to **Manual**. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F7MtuuRBcoXtvcm599hpT%252Fimage.png%3Falt%3Dmedia%26token%3D068ad9cc-1bed-4d7c-9d9a-1e4bb40e360c&width=300&dpr=4&quality=100&sign=1bc5c5f0&sv=2) This allows you to manually control the upgrade process of your deployed agents. In order to trigger a manual upgrade hit the **Upgrade Now** button whenever there's a new version available that you want to install. The **Manual** upgrade mode option is not recommended unless you need full manual control of all agent upgrades. Instead the recommendation is to always use **Automatic** or **Scheduled** upgrade modes to prevent the agent from not being updated for a significant time (= more than three months) as after this time it becomes unsupported! [PreviousSetup Behavior Upon Failure](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-behavior-upon-failure) [NextEdit Web Application/API Settings](https://waf-doc.inext.checkpoint.com/how-to/edit-web-application-api-settings) Last updated 9 months ago Was this helpful? --- # Add Data Loss Prevention (DLP) rules | CloudGuard WAF This configuration uses HTTP response scanning. Adding traffic scanning to HTTP responses adds a performance impact. CloudGuard WAF allow configuring custom rules based on regular expressions, detected in key locations in HTTP/S traffic. The custom rules can allow creating signatures to be excluded from detection, but also adding specific signatures that will always be dropped. The ability to configure such signatures to be detected on HTTP/S Response body, provides means of configuring Data Loss Prevention (DLP) signatures that will be dropped. #### [](https://waf-doc.inext.checkpoint.com/how-to/add-data-loss-prevention-dlp-rules#step-1-prepare-dlp-signatures) Step 1: Prepare DLP signatures If there is a specific data type that should not appear on responses (for example credit card numbers, emails, etc.) - create in advance a regular expression list for each data type. #### [](https://waf-doc.inext.checkpoint.com/how-to/add-data-loss-prevention-dlp-rules#step-2-browse-to-relevant-web-assets-and-configure-custom-rules-for-each-signature) Step 2: Browse to relevant Web assets and configure custom rules for each signature A full explanation on setting up custom rules and custom rules can be found [**here**](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions) . The custom rule should: * Use the "**Drop**" action * Use the "**Response Body**" condition key. The value for each custom rule condition should be a regular expression from the list that was prepared in step 1. It is recommended that the comment will explain precisely that this is a DLP signature. Example: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FPeSgOyvK9dbjdwd4s8kI%252FPicture2.png%3Falt%3Dmedia%26token%3D2bfc5fa1-37e8-4c89-9b40-bd779fdaae96&width=768&dpr=4&quality=100&sign=241b20b8&sv=2) #### [](https://waf-doc.inext.checkpoint.com/how-to/add-data-loss-prevention-dlp-rules#step-3-enforce-policy) Step 3: Enforce Policy [PreviousView Policy of all your Web Applications/APIs](https://waf-doc.inext.checkpoint.com/how-to/view-policy-of-all-your-web-applications-apis) [NextConfigure Contextual Machine Learning for Best Accuracy](https://waf-doc.inext.checkpoint.com/how-to/configure-contextual-machine-learning-for-best-accuracy) Last updated 11 months ago Was this helpful? --- # Gateways & Agents | CloudGuard WAF CloudGuard WAF can be deployed in your Public or Private Data Center as Virtual Machine on VMware or AWS/Azure, ScaleSet/Auto-Scaling group in AWS/Azure, Docker Container, Agent for Linux or Kubernetes Ingress Controller,. All deployment vehicles share the same basic agent technology. In this section we will explain how agents work and what is the difference between the different deployment vehicles. [](https://waf-doc.inext.checkpoint.com/concepts/gateways-and-agents#cloudguard-waf-agents) CloudGuard WAF Agents ---------------------------------------------------------------------------------------------------------------------- Agents are small software components that that can be easily deployed on top of an existing web server, reverse proxy or Kubernetes ingress, without changing existing architecture and while ensuring minimal latency and maximum control. In addition, Check Point provides: * A pre-packaged Virtual Machine that includes both operating system, reverse proxy and the agent. * A helm chart available to deploy a prepackaged Kubernetes ingress controller (NGINX) together with the CloudGuard WAF agent (integrated as sidecar). As security processing is done locally sensitive data does not leave the protected environment and there is no need to share certificates and private keys with third parties. More over, there is no dependency on 3rd party uptime for processing traffic. Agents can be managed by a master called **Fog.** The Fog is a SaaS component that provides registration, policy update, configuration update, software updates, logging and learning data synchronization. Check Point operates highly available and scalable Fogs in several regions in the world. Agents get all updates automatically and there is no need to upgrade them manually. It is possible to control the upgrade schedule. Agents are designed to act stand-alone and will operate without disruption to traffic and security enforcement even when Fog is unreachable. You can also run as many agents to support your load as needed with no license constraints. When Fog is unreachable some central administrative functions are not available: software and policy updates, lPS updates, logging to cloud and synchronization of learning data between agents. Logs will be kept locally in a configurable cyclic buffer and be relayed when communication resumes. It also possible to configure logging to a local syslog server. ### [](https://waf-doc.inext.checkpoint.com/concepts/gateways-and-agents#agent-main-components) Agent Main Components Agents main components are detailed in the following diagram and explained below: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FwnNgd31rDxplhJu0SIAI%252Fimage.png%3Falt%3Dmedia%26token%3Dd2bd4ecf-69a8-4804-a6f1-20e4c5114d43&width=768&dpr=4&quality=100&sign=696c3338&sv=2) #### [](https://waf-doc.inext.checkpoint.com/concepts/gateways-and-agents#attachment) Attachment The Attachment connects between processes that provide HTTP data and the CloudGuard WAF security logic. It is open technology and Check Point provides open source code for it. The most common attachment is for NGINX. It is a small dynamically loadable module that runs in the process space of NGINX acting as Web Server, Reverse proxy, Kubernetes ingress or API gateway. The Attachment gets HTTP data (URL, Header, Body, Response) from the hosting process and delivers it to the **HTTP Transaction handler**. The attachment does not keep any state and has no security logic. To deal with potential issues where the HTTP Transaction handler is not responding, the Attachment implements a retry mechanism and a configurable fail-open/fail-close mechanism. It also possible to order the Attachment to ignore specific IP addresses or ranges, which allows for a controlled, gradual deployment. See more details below. #### [](https://waf-doc.inext.checkpoint.com/concepts/gateways-and-agents#http-transaction-handler-nano-service) HTTP Transaction handler nano-service A process (or multiple instances, depending on load) that gets data for processing from the **Attachment**, executes CloudGuard WAF security logic, returns a verdict and issues relevant logs. #### [](https://waf-doc.inext.checkpoint.com/concepts/gateways-and-agents#orchestrator) Orchestrator A process in charge of agent registration, obtaining policy updates, software updates and other administrative operations. #### [](https://waf-doc.inext.checkpoint.com/concepts/gateways-and-agents#watchdog) Watchdog A process in charge of making sure that all components are up and running. [](https://waf-doc.inext.checkpoint.com/concepts/gateways-and-agents#deployment-vehicles) Deployment vehicles ------------------------------------------------------------------------------------------------------------------ CloudGuard WAF provides multiple deployment vehicles. All of them include the same agent technology: #### [](https://waf-doc.inext.checkpoint.com/concepts/gateways-and-agents#virtual-machine-available-for-vmware-vsphere-aws-and-azure) Virtual Machine (available for VMWare vSphere, AWS and Azure) * Gaia OS - Check Point Linux-based hardened operating system. Featuring CLI and WebUI for configuration of various platform and networking aspects * Reverse Proxy * CloudGuard WAF Agent #### [](https://waf-doc.inext.checkpoint.com/concepts/gateways-and-agents#kubernetes-ingress-controller) Kubernetes Ingress Controller * Helm chart * Kubernetes Ingress Controller pod (based on the Ingress-NGINX Controller) * CloudGuard WAF Agent (as sidecar container in the Ingress Controller pod) #### [](https://waf-doc.inext.checkpoint.com/concepts/gateways-and-agents#container-setup) Container setup Include two docker containers that communicate with each other * NGINX (includes Cloud Guard WAF Attachment) * CloudGuard WAF Agent #### [](https://waf-doc.inext.checkpoint.com/concepts/gateways-and-agents#linux-nginx) Linux NGINX An agent installation script for environment that are already running NGINX on Linux, which installs: * CloudGuard WAF attachment for NGINX * CloudGuard WAF Agent Check Point encourages and provides assistance to anyone that wishes to develop their own Attachments and deployment vehicles based on CloudGuard WAF Agent. [](https://waf-doc.inext.checkpoint.com/concepts/gateways-and-agents#secure-communication) Secure Communication -------------------------------------------------------------------------------------------------------------------- Agents/Gateways communicate with the Fog over encrypted and authenticated secure channel. * Agent/Gateway is using encrypted communication over HTTP/TLS (Port 443) * One time agent registration is done using a 256bit key * The Agent/Gateway receives a unique agent key from the Fog that is used for identification * Authentication is based on OAuth 2.0 (RFC 6479) * The agent periodically asks for an updated JSON Web Token (JWT) List of IP addresses and URLs of Check Point operated regional public Fogs can be found in the management portal, under **Support->FAQ** [](https://waf-doc.inext.checkpoint.com/concepts/gateways-and-agents#profiles) Profiles -------------------------------------------------------------------------------------------- Agents are associated with a Profile that simplifies management and allows applying the same settings to multiple agents. When you create the first Web Application or Web API asset using the Wizard, a Profile is automatically created. You can later re-use this profile or create a new one. Profiles determine the following shared settings: * Type of deployment: VM (AWS, Azure, VMWare vSphere), Kubernetes Ingress Controller, Docker, Linux * Registration Token for new Agents * Agent upgrade Mode: Automatic, Scheduled, Manual * SSL and Private Keys storage mode: On Gateway, in Public Cloud secure storage * Advanced settings such as max number of agents that can be deployed using the profile's token It is possible to delete an agent so that it will no longer be able to connect to the Fog. Profiles also allow granular policy enforcement. It is possible to select only specific profiles during the action of "Enforce Policy" after configuration changes have been made. Only agents connected to these profiles will receive the policy changes. [PreviousWAF-as-a Service (WAF SaaS)](https://waf-doc.inext.checkpoint.com/concepts/waf-as-a-service-waf-saas) [NextManagement & Automation](https://waf-doc.inext.checkpoint.com/concepts/management-and-automation) Last updated 4 months ago Was this helpful? --- # Rate Limit | CloudGuard WAF CloudGuard WAF agents have the ability to limit the number of requests to a matched URI within a configured time scope, according to the source identifier. [](https://waf-doc.inext.checkpoint.com/additional-security-engines/rate-limit#how-to-set-up-rate-limit-in-a-cloudguard-waf-agent) How to set up rate limit in a CloudGuard WAF agent ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/rate-limit#step-1-activate-rate-limit-from-the-practices-tab-when-editing-an-asset) Step 1: Activate Rate Limit from the Practices tab when editing an asset Browse to **Policy->Assets** and edit the relevant Web Application / API asset. Once the asset edit window opens, select the **Rate Limit** tab and click on **Click to add a new Rate Limit Practice**. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FXHWiLzooV6kwscR9cIs6%252FRateLimit.png%3Falt%3Dmedia%26token%3D350483a2-e2c6-4c70-8128-4ef02b1f7d9d&width=768&dpr=4&quality=100&sign=6a59b94a&sv=2) Pay attention to the configuration of **Source Identity**. When counting requests to see if a limit was exceeded, the source identity is the key according to which they are counted. i.e. "X requests from the same source identifier..." If the source identity configuration doesn't match a value, the source IP address is used instead for the purposes of counting the request. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/rate-limit#step-2-add-a-new-rate-limit-rule) Step 2: Add a New Rate Limit Rule Click on **Click to add a new Rate Limit rule.** When creating a new rule or editing an existing rule, a configuration window will open: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FPnDA6ks1KMbdLw49H73m%252Fappsec-assets-rate-limit-rule-edit.PNG%3Falt%3Dmedia%26token%3Dc7caa612-9394-4d86-a2ef-b9a0cbb7eab8&width=768&dpr=4&quality=100&sign=696c5ef1&sv=2) A rate limit rule consists of: * **Action** configuration. there are 3 options: 1. **According to practice** - The action will be determined by the practice mode previously configured. 2. **Detect** - Only logs will be issued if the rate limit for this rule is reached. This will override the practice mode unless it is Inactive. 3. **Prevent** - Rate limit for this rule is enforced. This will override the practice mode unless it is Inactive. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fyt6TdvkeKl0aZosMyPpk%252Fappsec-assets-rate-limit-rule-actions.PNG%3Falt%3Dmedia%26token%3Df923b80a-21a3-449d-95b8-f68c2152d83d&width=768&dpr=4&quality=100&sign=d9269bb7&sv=2) * Match conditions: * **URI** - A string written in this field is concatenated as a suffix to all defined URLs of the Web Application or Web API asset. The concatenation result is considered the prefix for all requests that will match this rule. While the URI field does not accept a regular expression, it does support usage of '\*' wildcard character. _Example -_ If the Asset's defined URLs are "**http://www.myapp.com**" and "**https://www.mysecureapp.com**" and the URI in the rule is "**/docs**", it will be matched on all requests starting with either **http://www.myapp.com/docs** or **https://www.mysecureapp.com/docs**. Use "**/**" to match all requests to the asset's domains. * **Additional Conditions** - An optional logical expression in addition to the main URI regular expression. The logical expression can use AND/OR/NOT between matching key-value pairs to decide what traffic should be counted to determine if rate of requests has exceeded. There are several keys that can be used: * **URI** - A regular expression that is matched on the URI field. Since the main URI field already creates an initial prefix match of the URI path, the regular expression is usually used to match specific states if a wildcard was used, or strings in the full URI beyond the prefix. * **Source Identifier** - A regular expression matching the source identifier values according to Source Identity configuration of the asset. If source identifier is not detected in traffic according to configuration, the value will be matched vs the source IP address. * **Source IP** - A network IP address in X.X.X.X format or CIDR (e.g. 11.22.33.44/24). ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F7hd6uRWtkMfbrzrXa6mK%252Fappsec-assets-rate-limit-rule-additional-conditions-keys.PNG%3Falt%3Dmedia%26token%3Ddb8b5991-3495-4a07-8f85-9a2e1ac36bab&width=768&dpr=4&quality=100&sign=1f16cb2e&sv=2) * Limit configuration: * **Limit** - the maximum number of requests in a specific time scope. * **Time Unit** - the time scope in which the limit is enforced. If **Limit** is set to 7000 and **Unit** is set to "Minute" then an Active Rate Limit practice will prevent requests to the matched URI if they exceed 7000 requests from the same source identifier, in a single minute. * Trigger configuration: Configure the trigger (usually the log trigger) that will activate when a Rate Limit rule is fully matched by URI as well as requests rate. In **Detect/Learn** mode, the Trigger is the only action that will occur if the rate of matched URIs from the same source identifier has exceeded configured limits. After clicking OK, you will see the full rule: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fk1RHMHXPmeidtTCocYdf%252FRateLimit2.png%3Falt%3Dmedia%26token%3D9fcd98d8-ed55-41dd-b33b-b3201de8ae86&width=768&dpr=4&quality=100&sign=d11178c7&sv=2) **Match priority** - The rate is enforced according to a single matched rule. When the URI of the request matches multiple URIs in multiple rules, the longest match takes precedence and determines the rate limit count. _Example_ \- if there are 2 rules - one limiting the URI "/docs" for 10000 requests from the same source identifier in one minute, and the second limiting "/docs/external" for 3000 requests from the same source identifier in one minute, then requests to /docs/external/latest will be blocked if they exceed 3000 requests from the same source identifier in one minute, as this rule creates a longer match. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/rate-limit#step-4-enforce-policy) Step 4: Enforce Policy Click **Enforce** on the top banner of the Infinity Portal. ### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/rate-limit#advanced-option-in-cloudguard-wafs-appsec-gateways-limit-only-according-to-ip-addresses) Advanced option in CloudGuard WAF's AppSec Gateways - Limit only according to IP addresses CloudGuard WAF's [AppSec Gateway](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine) deployments provide a Check Point-managed reverse proxy as part of the deployment. It is possible to configure a CloudGuard WAF AppSec Gateway to enforce rate limit by using the reverse proxy settings. As the Reverse Proxy server does not have access to the agent's parsing capabilities, the rate limit in this case is done only using source IP addresses as the key to count requests. To configure rate limit using this enforcement method, go to your CloudGuard WAF AppSec Gateway profile in **Policy**\->**Profiles** and open the Advanced tab. In the Advanced Settings table add the following key-value: **agent.rpmanager.enableNginxRateLimit** : **true** Click "Enforce Policy". ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FyEiuUgqPqXDmhtiXW3KH%252Frate-limit-profiles-advanced-setting.PNG%3Falt%3Dmedia%26token%3D5d6cc563-b2e2-45ad-9829-1c174adfd2f2&width=768&dpr=4&quality=100&sign=d5db0333&sv=2) [PreviousIntrusion Prevention System (IPS)](https://waf-doc.inext.checkpoint.com/additional-security-engines/intrusion-prevention-system-ips) [NextSnort Rules](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules) Last updated 8 months ago Was this helpful? --- # Snort Rules | CloudGuard WAF Snort is a commonly used format for writing IPS signatures that is very poplar in the industry. CloudGuard WAF provides the option for an administrator to provide a set of Snort signatures and have them enforced in the same way that CloudGuard WAF enforces the regular IPS signatures update from Check Point. Enforcement of IPS and Snort signatures (if configured) happens in parallel on all HTTP/S traffic. [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#why-import-snort-rules-to-ips) Why import Snort rules to IPS? -------------------------------------------------------------------------------------------------------------------------------------------------- * It allows a security administrator to write their own signatures: * To block specific unique traffic that they see in their network and wish to prevent it. * As part of the testing of the product without running actual malicious attacks inside their environments. * A security administrator might want to deploy rules from 3rd party sources such as National/Governmental CERTs. [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#how-to-import-snort-signatures-and-configure-a-cloudguard-waf-practice-to-use-them) How to import Snort Signatures and configure a CloudGuard WAF practice to use them ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#step-1-browse-to-policy-greater-than-assets-and-edit-the-web-application-api-asset) Step 1: Browse to Policy->Assets and edit the Web Application / API asset Once the asset edit window opens, select the **Web Attacks** tab and scroll to the **Snort Signatures** sub-practice. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FIrmgTHqZ2rataYjJsR8J%252FSnortSignatures.png%3Falt%3Dmedia%26token%3Da791737b-1751-4005-87b2-8cad6ed384a9&width=768&dpr=4&quality=100&sign=4e4c4514&sv=2) #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#step-2-make-sure-the-mode-of-the-snort-signatures-sub-practice-is-as-desired) Step 2: Make sure the Mode of the Snort Signatures sub-practice is as desired Setting the Mode to **As Top Level** means inheriting the primary mode of the practice. Otherwise you can override it only for this specific sub-practice to **Detect**/**Prevent**/**Disable**. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FEOkJWo0nqlUKbh2TlvCk%252Fappsec-snort-subpractice-as-top-level.PNG%3Falt%3Dmedia%26token%3Db0ccce5f-c024-4e24-a235-74250bfd0ade&width=768&dpr=4&quality=100&sign=e353c39b&sv=2) When making the first change to the default Web Application/API Best Practice's configuration such as uploading your unique Snort signatures file, you will be prompted to change the name of the Practice to your own custom practice name. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fhu2Vump3xc5w8hiIAUcC%252Fappsec-assets-practice-custom-practice-message.PNG%3Falt%3Dmedia%26token%3Df53efb3f-faa9-4d08-8aa9-5802a2066c5f&width=768&dpr=4&quality=100&sign=63d14cf7&sv=2) #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#step-3-upload-a-snort-signature-file) Step 3: Upload a Snort signature file Press the **Upload** button to add a new Snort signatures file and the file selection window will appear: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F6UwaeCi6NpLGLwsUgOL4%252Fappsec-assets-file-selector-snort.png%3Falt%3Dmedia%26token%3D7f73a05d-6619-441d-a315-3b3615420a59&width=768&dpr=4&quality=100&sign=e65925cf&sv=2) * Click the "Add File" icon to add a new file. * Optionally - you can click the "Download" icon to verify an existing file's content. * Select the file containing the SNORT signatures you wish to enforce. * Click OK. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#step-4-enforce-policy) Step 4: Enforce Policy Click **Enforce** on the top banner of the Infinity Portal. [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#how-to-poc-the-snort-signatures-feature) How to PoC the Snort Signatures feature? ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#step-1-create-an-example-signature-file) Step 1: Create an example Signature file Create a test file with a simple Snort rule. For example: Copy alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"Testing CloudGuard WAF Snort"; flow:to_server,established; http_header; content:"Testing: CloudGuard WAF Snort"; service:http; sid: 99999; rev: 1; ) #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#step-2-import-the-signature-file-into-your-policy) Step 2: Import the signature file into your policy Save the file and use the above instructions to enforce policy using this file #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#step-3-trigger-the-signature) Step 3: Trigger the signature Trigger the signature that you have just written. For example by using a `curl` command: Copy curl -H "Testing: CloudGuard WAF Snort" Browse to **Monitor** -> **All Events** and make sure you see a log issued for this traffic [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#faq) FAQ --------------------------------------------------------------------------------------------- ### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#cloudguardappsecsnortpractice-ea-canyougetmestartedwithafewsignatures) Can you help me get started with a few signatures? Of course, here are a couple of them: Copy alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Strictor variant outbound connection"; flow:to_server,established; http_uri; bufferlen:>19; content:"/mod/lookfashon.jpg",fast_pattern,nocase; http_header; content:!"Accept-Language:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0fe413704c85751b060546ebfd428d57726d8fd002ca95ec8deb76f5f37ed9c4/analysis/1389125202/; classtype:trojan-activity; sid:29220; rev:1; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp"; flow:to_server,established; http_uri; content:"/jlnp.html",fast_pattern,nocase; pcre:"/\/jlnp\.html$/"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27041; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jovf"; flow:to_server,established; http_uri; content:"/jovf.html",fast_pattern,nocase; pcre:"/\/jovf\.html$/"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27042; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Bancos variant outbound connection SQL query POST data"; flow:to_server,established; http_client_body; content:"a=select CAMPO from PAGINA where CODIGO = ",fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/88efcb549a52e3fb6359a3888e72726aac00c730edcd5280e0248d11306a645d/analysis/; classtype:trojan-activity; sid:26075; rev:2; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rovnix variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/vbulletin/post.php?qu=",fast_pattern,nocase; http_header; content:!"User-Agent:"; content:!"Accept"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a184775757cf30f9593977ee0344cd6c54deb4b14a012a7af8e3a2cdbb85a749/analysis/; classtype:trojan-activity; sid:34868; rev:1; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Prok variant outbound connection"; flow:to_server,established; http_uri; content:"/prok/"; http_header; content:"Content-Type: multipart/form-data, boundary=7DF051D",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/ada4a63abae42266f9d472f1d4ebd0bd22702270f8b38ad7a824a16ce449ea2b/analysis/; classtype:trojan-activity; sid:34950; rev:1; ) ### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#cloudguardappsecsnortpractice-ea-caniuseanyavailablesnortsignatures) Can I use any available Snort Signatures? You can use version 3 Snort signatures from any source, however please be mindful of the list known limitations below. If you load a file containing unsupported signatures, then the unsupported signatures will be ignored (with warnings) but they will not stop the loading of those signatures that are valid. ### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#cloudguardappsecsnortpractice-ea-howcaniwritemyownsignatures) How can I write my own signatures? See our links and guide here: [Writing Snort Signatures](https://waf-doc.inext.checkpoint.com/references/writing-snort-signatures) ### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#cloudguardappsecsnortpractice-ea-whatwillbetheperformanceimpactifiaddmanysnortsignatures) What will be the performance impact if I add many Snort signatures? Enforcing Snort signatures uses the same mechanisms as other CloudGuard WAF security apps, so just adding the Snort security app doesn't have any performance impact. There is also the performance impact that each additional signature generates. This differs from one signature to the next, but as a rule-of-thumb Snort signatures typically have a performance rating equivalent to IPS "Medium" performance. ### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#cloudguardappsecsnortpractice-ea-isthereamaximumnumberofsnortsignaturesthatcanbeadded) Is there a maximum number of Snort signatures that can be added? In the this EA version, we support up to 1500 active signatures. ### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#cloudguardappsecsnortpractice-ea-isthereanapiavailable) Is there an API available? Will be published soon. ### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#cloudguardappsecsnortpractice-ea-wouldanytypeofexistingsnortsignaturesbecompatible) Would any type of existing Snort signatures be compatible? Unfortunately, no. Snort version 3 has made some significant changes from previous versions. This means that Snort signatures from older versions may not work as intended. ### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules#cloudguardappsecsnortpractice-ea-whataretheknownlimitations) What are the known limitations? 1. Explicit context must be provided 2. The following keywords are not fully supported: 1. "**flow**" - only supports "to\_server" (see above). 2. Low level keywords ("**flags**", "**ack**", etc.) - not supported (see above). 3. "**file\_data**" - not supported. 4. "**flowbits**" - not supported. 5. "**byte\_test**" - not supported. 6. "**dsize**" - not supported. 7. "**isdataat**" - not supported. 8. "**byte\_jump**" - not supported. 9. "**base64\_data**" - not supported. 10. "**base64\_encode**" - not supported. 11. "**detection\_filter**" - not supported. [PreviousRate Limit](https://waf-doc.inext.checkpoint.com/additional-security-engines/rate-limit) [NextSetup Custom Rules and Exceptions](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions) Last updated 8 months ago Was this helpful? --- # Protect an existing production site with CloudGuard WAF's Gateway | CloudGuard WAF When a production site already exists, the deployment of a CloudGuard WAF AppSec Gateway in front of it can be done in a gradual manner, so that the actual change of all traffic to go through the CloudGuard WAF AppSec Gateway, thus protecting the production web server, is done after testing. ### [](https://waf-doc.inext.checkpoint.com/how-to/protect-an-existing-production-site-with-cloudguard-wafs-gateway#preparation) Preparation The starting position is a **production web server**, that has an **interface** that can be reached through the internet using a **URL** (or multiple URLs). In our example it will be _my-website.com_. The URL/s are translated via DNS to either the IP address of the web server, or to an IP address which is translated and/or routed to the web server. The CloudGuard WAF AppSec gateway deployed will need to be connected to the same exposed network on one hand, and have access to the production server. Decide beforehand what should be the Layer 4 networking configuration that allows the CloudGuard WAF AppSec Gateway to reach the production server. **The production web server cannot be accessed from the CloudGuard WAF AppSec Gateway through its existing URL/s**. Either create a secondary **internal URL** for the web server and add DNS configuration for it, or use its **IP address** if it is a static address. ### [](https://waf-doc.inext.checkpoint.com/how-to/protect-an-existing-production-site-with-cloudguard-wafs-gateway#configure-and-deploy-the-cloudguard-waf-appsec-gateway) Configure and Deploy the CloudGuard WAF AppSec Gateway By the end of this stage - the traffic to the site's URL/s won't be protected yet. Use the instructions to deploy and configure CloudGuard WAF's AppSec Gateway where your production web server is deployed, be it [AWS](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws) , [Azure](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure) or [VMWare](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware) . When configuring your assets, make sure to configure the URL (or all URLs) used by the production site as the Web Application/API URL/s. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FZbNDBDNfnoPu6n2y3Qww%252Fappsec-assets-web-urls.PNG%3Falt%3Dmedia%26token%3Dbacd4e87-e2ae-4205-8dc3-2f2f3c68642d&width=768&dpr=4&quality=100&sign=f1a96d19&sv=2) Make sure to configure the web server's **internal URL or IP address** as the URL under the "Reverse Proxy" section for each of your web assets, if you have more than one. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FdJ9TCQHVG5FW23MWFO1p%252Fappsec-assets-reverse-proxy-url.PNG%3Falt%3Dmedia%26token%3D3ba47daf-8956-4d05-8021-1ac4524bdee6&width=768&dpr=4&quality=100&sign=c2ef96a1&sv=2) For the purposes of a quick test you can use an IP address and later add an internal URL for the protected web server. If you do that, do not forget to change the asset/s configuration so the CloudGuard WAF's reverse proxy functionality will use this URL. Despite this deployment, users browsing to the site's URL (in our example _my-website.com_) will continue to reach the production web server directly without CloudGuard WAF's protection, because we made no change preventing the production server from being accessible through the same URL. It is recommended that before moving forward you will verify that in the CloudGuard WAF UI there are no evidence of error notifications in regards to the deployment. In each HTTPS-based asset you should also see green "V" check marks for each HTTPS-based URL noting the certificate installation for it was successful. ### [](https://waf-doc.inext.checkpoint.com/how-to/protect-an-existing-production-site-with-cloudguard-wafs-gateway#testing-cloudguard-wafs-appsec-gateways-configuration-and-deployment) Testing CloudGuard WAF's AppSec Gateway's configuration and deployment #### [](https://waf-doc.inext.checkpoint.com/how-to/protect-an-existing-production-site-with-cloudguard-wafs-gateway#step-1-preparing-a-test-client) Step 1: Preparing a test client Use a machine that has network connectivity to the exposed interface of CloudGuard WAF's AppSec Gateway. To clarify - the test client machine should be able to reach CloudGuard WAF's AppSec Gateway via its IP address. #### [](https://waf-doc.inext.checkpoint.com/how-to/protect-an-existing-production-site-with-cloudguard-wafs-gateway#step-2-allow-browsing-from-the-test-client-to-the-cloudguard-waf-appsec-gateway) Step 2: Allow browsing from the test client to the CloudGuard WAF AppSec Gateway Modify the **local** hosts file on the client so that the URL used for the production site (in our example _my-website.com_) will be translated for this client only, to the exposed IP address of CloudGuard WAF's AppSec Gateway, which is determined according to your deployment. #### [](https://waf-doc.inext.checkpoint.com/how-to/protect-an-existing-production-site-with-cloudguard-wafs-gateway#step-3-browse-from-the-test-client-to-the-production-sites-url) Step 3: Browse from the test client to the production site's URL Browse to your production site from the test client as if you are browsing to it from the internet and verify the web site operates normally. In the CloudGuard WAF Administration Web Portal you can look at events issued according to your [logging configuration](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers) . #### [](https://waf-doc.inext.checkpoint.com/how-to/protect-an-existing-production-site-with-cloudguard-wafs-gateway#step-4-make-the-actual-change-of-detaching-the-url-from-the-production-server-and-move-to-cloudguard) Step 4: Make the actual change of detaching the URL from the production server and move to CloudGuard WAF's AppSec Gateway Once testing is done and you are ready, make the necessary change so that browsing to the website's public URL/s (in our example _my-website.com_) will reach CloudGuard WAF's AppSec Gateway instead of the production web server. This may involve one of the following: 1. Changing the DNS configuration for your URL to use a different IP address. 2. Changing Static NAT configuration so that the exposed static IP address of your public URL will be translated into CloudGuard WAF's AppSec Gateway's IP address. #### [](https://waf-doc.inext.checkpoint.com/how-to/protect-an-existing-production-site-with-cloudguard-wafs-gateway#step-5-cleanup-optional) Step 5: Cleanup (optional) If the interface through which the production server formerly accepted requests is no longer in use (for example, if a secondary interface was created for the traffic between CloudGuard WAF's AppSec Gateway and the production web server) - consider removing it. The benefit of removing it is avoiding accidental exposure without CloudGuard WAF's protection. The benefit of keeping it is for troubleshooting purposes if you want to temporarily allow traffic to the web server without going through CloudGuard WAF's AppSec Gateway. [PreviousEdit Reverse Proxy Advanced Settings for a Web Asset](https://waf-doc.inext.checkpoint.com/how-to/edit-reverse-proxy-advanced-settings-for-a-web-asset) [NextView Policy of all your Web Applications/APIs](https://waf-doc.inext.checkpoint.com/how-to/view-policy-of-all-your-web-applications-apis) Last updated 9 months ago Was this helpful? --- # Setup Web User Response Pages | CloudGuard WAF CloudGuard WAF protects web servers from attacks when set to **Prevent** mode. It is possible to determine the response returned to the client who initiated the blocked traffic. The response can be a simple HTTP error code, an HTTP redirect message, or a Block page that a user can view in their browser. [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-web-user-response-pages#setup-a-web-user-response-object) Setup a Web User Response Object ---------------------------------------------------------------------------------------------------------------------------------------------------------------- #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-web-user-response-pages#step-1-go-to-policy-greater-than-behaviors-and-create-a-new-web-user-response) Step 1: Go to Policy->Behaviors and create a new Web User Response If no behavior objects were configured yet you will see the following screen: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FmCrC2Xbf61ww9qrc60uM%252Fappsec-behaviors-new-behavior.PNG%3Falt%3Dmedia%26token%3D200b1343-5e5a-4129-951c-04d5cb3b0d1f&width=768&dpr=4&quality=100&sign=29fa159e&sv=2) Alternatively the following screen with a "New" button at the top is shown: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fepbw0dtc2dsFRQTPQZAK%252Fappsec-behaviors-new-behavior-when-one-exists.PNG%3Falt%3Dmedia%26token%3Dd67f74cf-2fea-44c0-b791-3107bc08e3fc&width=768&dpr=4&quality=100&sign=3dc1e93d&sv=2) #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-web-user-response-pages#step-2-select-the-type-of-the-web-user-response-and-fill-the-form) Step 2: Select the type of the Web User Response and fill the form Create a unique name for your Web User Response object and select a Type. There are 3 types of Web User Response objects: Block Page Redirect Response Code Only This option is not a recommended option for CloudGuard WAF protecting Web API assets as it is designed to be seen by human users. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FfnU53ut7hKukNyJmxgzC%252Fappsec-web-response-block-page.PNG%3Falt%3Dmedia%26token%3Ddd031850-5023-4a37-bf08-41ba7947f76a&width=768&dpr=4&quality=100&sign=8b43ece&sv=2) * **Message title:** The title of the web page to be shown to the user sending the malicious traffic * **Message body:** The Body of the message to be shown to the user. * **HTTP Response Code:** It is recommended to use a 403 (Forbidden) as a response code. Different browsers behave differently upon receiving different error codes. Using the Response code 444 will in fact reset the connection and the Message title and body will not be seen by the user. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fl6ylHOPkpJwdYHpnW059%252Fappsec-web-response-redirect.PNG%3Falt%3Dmedia%26token%3D35630d23-5246-4d21-81ae-55a916441a42&width=768&dpr=4&quality=100&sign=eaf84f6&sv=2) * **Redirect URL:** the client will be redirected to the provided URL where you can provide any customized web page. * **Add X-Event-Id to header**: When selected the redirect message will include this header with a value that provides an internal reference ID that will match a security log generated by the incident, if log triggers are configured. This option is recommended for CloudGuard WAF protecting Web API assets. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FX2QUXuiHBCewGBmGS6cM%252Fappsec-web-response-response-code-only.PNG%3Falt%3Dmedia%26token%3Dad9639b5-bd7b-4dcc-bfbe-2a05660b3d27&width=768&dpr=4&quality=100&sign=a5eac2a&sv=2) * **HTTP Response Code:** It is recommended to use a 403 (Forbidden) as a response code. Different clients may behave differently upon receiving different error codes. [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-web-user-response-pages#configure-your-cloudguard-waf-practice-to-use-the-new-web-user-response) Configure your CloudGuard WAF practice to use the new Web User Response ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-web-user-response-pages#step-1-select-the-assets-you-wish-to-use-this-web-user-response-upon-event-detection) Step 1: Select the assets you wish to use this Web User Response upon event detection Go to **Policy->Assets** and edit the asset you wish to modify. Select the **relevant practice** tab and scroll to the bottom. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FRUhX5rQW2fNrogQhPLSA%252FUserResponsePage.png%3Falt%3Dmedia%26token%3Dc028d198-0997-4976-9ed1-d1483688bf43&width=768&dpr=4&quality=100&sign=5a1e938c&sv=2) #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-web-user-response-pages#step-2-select-the-web-user-response-object) Step 2: Select the Web User Response object Once selected, you will see the object shown as part of CloudGuard WAF Security Practice configuration: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FEyne7TlV2kzkZdVBQRQV%252Fappsec-assets-practice-web-user-response-configured.PNG%3Falt%3Dmedia%26token%3D425fc17f-669b-4113-b2bf-4660ce9b7fd5&width=768&dpr=4&quality=100&sign=b66602dd&sv=2) #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-web-user-response-pages#step-3-enforce-policy) Step 3: Enforce Policy Policy is enforced after clicking Enforce in the top banner of the portal. [PreviousSetup Custom Rules and Exceptions](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions) [NextSetup Log Triggers](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers) Last updated 8 months ago Was this helpful? --- # Setup Behavior Upon Failure | CloudGuard WAF CloudGuard WAF implements a Fail-Open mechanism designed to allow no interruption to traffic in case of load or errors. The mechanism is **enabled by default** and can be configured separately for each agent profile through the profile page. [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-behavior-upon-failure#setup) Setup -------------------------------------------------------------------------------------------------------- This configuration is available on the Agents' Profile level and will apply to all agents using this profile's authentication token for initial registration. To configure the behavior upon failure, navigate to **Policy->Profiles->\[select your profile\].** See the **Behavior Upon Failure** section: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FLNb7KMcFzrTarNRk4Mmd%252Fappsec-profiles-behavior-upon-failure.PNG%3Falt%3Dmedia%26token%3D3a4469f1-b0cc-467f-86e2-0bb96635de8c&width=768&dpr=4&quality=100&sign=80ec6fa9&sv=2) [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-behavior-upon-failure#how-does-it-work) How does it work? ------------------------------------------------------------------------------------------------------------------------------- ### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-behavior-upon-failure#traffic-based-fail-open) Traffic based-Fail-Open * For each client request and server response, the attachment waits for a total of 3000 milliseconds for a benign/malicious verdict (the wait time for each portion, such as headers, URL, etc.) is up to 150 milliseconds). If a a verdict doesn't arrive, the request/response is allowed to pass. This state is called fail-open. * In case of consecutive fail-opens the system enters a state called transparency mode in order not to damage connectivity to the upstream server. * There are three levels of transparency mode fail-open: * Level 1: If there is failure to inspect 5 http requests in 20 seconds interval, system enters global fail-open mode for 1 minute and moves the threshold to level 2. * Level 2: If there is failure to inspect 5 http requests in 20 seconds interval, system enters fail-open mode for 5 minutes and moves the threshold to level 3. In any other case system falls back to level 1. * Level 3: If there is failure to inspect 5 http requests in 20 seconds interval, system enters global fail-open mode for 10 minutes. In any other case system falls back to level 1. ### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-behavior-upon-failure#agent-cpu-based-fail-open) **Agent CPU based Fail-Open** In addition to the above traffic based mechanism, the system also monitors the Agent CPU level. The CPU utilization is sampled every 5 seconds, if 6 consecutive samples (30 seconds) were above 85% we enter fail open mode until we identify 6 consecutive samples below 60%. ### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-behavior-upon-failure#critical-errors) **Critical Errors** In case of any internal error in the attachment or agent during http inspection traffic will be allowed by default. Notification logs about critical alerts will be shown in a [Notifications logs view](file:///o/NmlxbSkVNQHTmh0JtAB1/s/EWA4nfgNrSRL8dA6Kap7/~/changes/TgrwpxFKfFk1imI4ck0a/getting-started/monitor-events) . [PreviousSetup Notification Triggers](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-notification-triggers) [NextSetup Agent Upgrade Schedule](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-agent-upgrade-schedule) Last updated 9 months ago Was this helpful? --- # Setup Report Triggers | CloudGuard WAF CloudGuard WAF protects web servers from attacks. It is possible to configure objects called Trigger objects to determine what will occur when attacks are detected. One of those Trigger objects is of type "Report" and allows a graphical summary report to be sent by email to multiple addresses on a daily or weekly schedule. [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-report-triggers#setting-up-a-report-trigger) Setting up a Report Trigger ---------------------------------------------------------------------------------------------------------------------------------------------- #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-report-triggers#step-1-create-a-new-report-trigger) Step 1: Create a new "Report" trigger Browse to **Policy->Triggers** and create a new Trigger object of type **Report**. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FrpFAi2FqrCTVLgKoFkfu%252Fwaf-triggers-new-trigger.PNG%3Falt%3Dmedia%26token%3D40d5f2a1-c2b5-4875-94cd-348923e92082&width=768&dpr=4&quality=100&sign=b376b6d5&sv=2) Configure a new name to the new trigger object: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FpYdwzySxEmh2qbXOahSo%252Fwaf-triggers-new-report-trigger.PNG%3Falt%3Dmedia%26token%3Dece7bdee-f713-4566-bcce-2a7664db8362&width=768&dpr=4&quality=100&sign=2e5ec7e6&sv=2) #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-report-triggers#step-2-configure-schedule-and-email-addresses) Step 2: Configure schedule and email addresses 1. **Schedule** - Set up the hour in a daily schedule in which you wish the report to be sent. Or change the schedule to be a weekly schedule and add the day/s of the week in which you want the report to be sent: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fk74BnmAayK2HEyv5Yyzl%252Fwaf-triggers-report-weekly-schedule.PNG%3Falt%3Dmedia%26token%3Dd6f46738-f283-4ed3-9a9a-115df3f5cefc&width=768&dpr=4&quality=100&sign=5e4eae34&sv=2) 1. **Email recipients** - Add all email addresses to which the report should be sent. #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-report-triggers#step-3-setup-your-security-practice-to-use-the-new-log-trigger-object-s) Step 3: Setup your security practice to use the new Log Trigger object/s Browse to **Policy**\->**Assets** and edit the asset you wish to modify. Go to the **relevant practice** tab and scroll to the bottom. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FRUhX5rQW2fNrogQhPLSA%252FUserResponsePage.png%3Falt%3Dmedia%26token%3Dc028d198-0997-4976-9ed1-d1483688bf43&width=768&dpr=4&quality=100&sign=5a1e938c&sv=2) Click on the '**+**' icon next to **Triggers** and add your new Report Trigger object. [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-report-triggers#waf-report) WAF Report ------------------------------------------------------------------------------------------------------------ According to the configured schedule an email report will be sent for each asset that uses the Report Trigger object and will include a PDF attachment that contains the actual report. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FEndkJdMmxduyprxn2BKF%252Fwaf-email-report-body.PNG%3Falt%3Dmedia%26token%3D5ec37bd5-2ad8-4e16-8c7a-00433c4c4552&width=768&dpr=4&quality=100&sign=45a91802&sv=2) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FNomfsWNeCOeCSzaReU4F%252Fwaf-email-report-example-content.png%3Falt%3Dmedia%26token%3Da83c22e6-9c41-4761-8943-297173a068f8&width=768&dpr=4&quality=100&sign=34e6340b&sv=2) (In this example, the top countries are shown due to being used in example attacks from various locations, not by real attackers) The email report contains several sections: 1. The **domains of the protected asset** (Top 3 in case the asset contains more). 2. **Statistics and traffic** information: 1. [Learning](https://waf-doc.inext.checkpoint.com/how-to/track-learning-and-move-from-learn-detect-to-prevent) status and number of suggestions pending for fine tuning. 2. Numbers of sources, suspected requests and benign/prevented events. 3. Numbers of total requests, as well as breakdown by method and response code for the past day, week and month. 3. **Graphical representation of the top valuable security data**: 1. Top countries and the number of malicious requests coming from them. 2. Top attack types and sources. 3. Top URLs being attacked. [PreviousSetup Log Triggers](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers) [NextSetup Notification Triggers](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-notification-triggers) Last updated 8 months ago Was this helpful? --- # Edit Web Application/API Settings | CloudGuard WAF Configuring [Web Application / API](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api) is easily done via the configuration wizard, and in the vast majority of the cases, is enough to fully protect the web assets without additional manual changes. There are, however, advanced options that a security administrator can configure to modify the security to his specific requirements. When making the first change to the default Web Application Best Practice's configuration such as configuring the advanced settings in this page, you will be prompted to change the name of the Practice to your own custom practice name. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fhu2Vump3xc5w8hiIAUcC%252Fappsec-assets-practice-custom-practice-message.PNG%3Falt%3Dmedia%26token%3Df53efb3f-faa9-4d08-8aa9-5802a2066c5f&width=768&dpr=4&quality=100&sign=63d14cf7&sv=2) [](https://waf-doc.inext.checkpoint.com/how-to/edit-web-application-api-settings#web-application-protection-advanced-settings) Web Application Protection Advanced Settings -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://waf-doc.inext.checkpoint.com/how-to/edit-web-application-api-settings#threat-prevention-settings) Threat Prevention Settings Browse to **Policy->Assets**, edit the web application asset object you have created and click on the "e "**Web Attacks**" tab configuration. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fs2mfqkovWUa81deFA4AX%252FWebAttacks.png%3Falt%3Dmedia%26token%3Df2e1e477-0e9e-4c3e-8a35-3d1d3ae48be4&width=768&dpr=4&quality=100&sign=1a3866e7&sv=2) ### [](https://waf-doc.inext.checkpoint.com/how-to/edit-web-application-api-settings#configuration-options) Configuration Options #### [](https://waf-doc.inext.checkpoint.com/how-to/edit-web-application-api-settings#mode-override) Mode override Setting the Mode to **As Top Level** means inheriting the primary mode of the practice. Otherwise you can override it only for this specific sub-practice to **Detect**/**Prevent**/**Disable**. #### [](https://waf-doc.inext.checkpoint.com/how-to/edit-web-application-api-settings#confidence-dependent-prevent-mode) Confidence-dependent Prevent Mode The option **Activate when confidence is** becomes available if practice or sub-practice are set to **Prevent**. The value determines the threshold in which CloudGuard WAF will block attacks and prevent them, rather than just send a log according to Log Trigger configuration. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FKzKfVldQ97tH9RU3s4yC%252Fappsec-assets-web-attacks-activate-dependent-on-confidence.PNG%3Falt%3Dmedia%26token%3De7fcf097-9281-46bb-b406-ec6240a6b5a0&width=768&dpr=4&quality=100&sign=ff98a487&sv=2) #### [](https://waf-doc.inext.checkpoint.com/how-to/edit-web-application-api-settings#advanced-settings-window) Advanced settings window When clicking on **Advanced** additional advanced settings appear: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FD5FnRCSNV2qxfrgDvmPj%252Fappsec-assets-web-attacks-advanced-settings.PNG%3Falt%3Dmedia%26token%3D7f3f53ec-5a22-4f4b-aff8-ba728bc25763&width=768&dpr=4&quality=100&sign=e6d66465&sv=2) For all Size Limits - CloudGuard WAF Web Attacks engine will accept traffic that exceeds the limits if set to **Detect/Learn** mode (and that traffic will bypass inspection), or block traffic that exceeds the limits if set to **Prevent** mode. Advanced Setting Meaning URL Size (Bytes) Determines the URL size limit for inspection Max Object Depth Determines the depth limit of a JSON/XML object inspected in the HTTP request. This includes embedded XML in JSON and the opposite. Body Size (Kilobytes) Determines the HTTP body size limit for inspection Header Size (Bytes) Determines the HTTP header size limit for inspection CSRF Protection Determines the mode for the advanced CSRF protection, which blocks [CSRF attacks](https://owasp.org/www-community/attacks/csrf) . **Important** - This protection has a performance impact. Error Disclosure Determines the mode for the advanced Error Disclosure protection, which replaces [internal error codes in the response](https://owasp.org/www-community/Improper_Error_Handling) and injects a different response instead. **Important** - This protection has a performance impact. Open Redirect Determines the mode for the advanced Open Redirect protection, which prevents [client side redirection to other domains](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect) (e.g. as used by Phishing attacks) **Important** - This protection has a performance impact. Non-Valid HTTP methods When set to **No** and practice is set to **Prevent**, non-valid HTTP methods are blocked. Valid HTTP methods are: * GET, POST, DELETE, PATCH, PUT, CONNECT, OPTIONS, HEAD, TRACE * MKCOL, COPY, MOVE, PROPFIND, PROPPATCH, LOCK, UNLOCK, VERSION-CONTROL, REPORT, INDEX, CHECKOUT, CHECKIN, UNCHECK, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE-CONTROL, MKACTIVITY, ORDERPATCH, ACL, SEARCH, MKREDIRECTREF, BIND, UNBIND [](https://waf-doc.inext.checkpoint.com/how-to/edit-web-application-api-settings#web-api-protection-advanced-settings) Web API Protection Advanced Settings ---------------------------------------------------------------------------------------------------------------------------------------------------------------- The advanced configuration for API Attacks is very similar to Web Attacks. The differences being: * The sub-practice is named **API Attacks** and not Web **Attacks**. * API attacks do not include the advanced options of CSRF Protection, Error Disclosure and Open Redirect. * See here how to configure the [**API Schema Enforcement Engine**](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema) [](https://waf-doc.inext.checkpoint.com/how-to/edit-web-application-api-settings#additional-security-engines) Additional Security Engines ---------------------------------------------------------------------------------------------------------------------------------------------- CloudGuard WAF includes additional security engines other in addition to the Machine Learning based-Web Attacks protection and API attacks protection: [Anti-Bot](https://waf-doc.inext.checkpoint.com/additional-security-engines/anti-bot) [Enforce API Schema](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema) [Intrusion Prevention System (IPS)](https://waf-doc.inext.checkpoint.com/additional-security-engines/intrusion-prevention-system-ips) [Snort Rules](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules) [PreviousSetup Agent Upgrade Schedule](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-agent-upgrade-schedule) [NextEdit Reverse Proxy Advanced Settings for a Web Asset](https://waf-doc.inext.checkpoint.com/how-to/edit-reverse-proxy-advanced-settings-for-a-web-asset) Last updated 6 months ago Was this helpful? --- # Restrict Access to Backend Servers from CloudGuard WAF as a Service IPs Only | CloudGuard WAF ### [](https://waf-doc.inext.checkpoint.com/how-to/restrict-access-to-backend-servers-from-cloudguard-waf-as-a-service-ips-only#risks-of-not-restricting-backend-servers-to-receive-traffic-only-from-waf) Risks of Not Restricting Backend Servers to Receive Traffic Only from WAF Leaving backend servers open to traffic from sources other than Web Application Firewalls (WAF) exposes them to cyber threats. Without WAF protection, attackers can directly target these servers, leading to risks such as denial-of-service (DoS) attacks, ransomware infections, and full application compromises. ### [](https://waf-doc.inext.checkpoint.com/how-to/restrict-access-to-backend-servers-from-cloudguard-waf-as-a-service-ips-only#steps-to-restrict-backend-servers-to-receive-traffic-only-from-cloudguard-waf-saas-ips) Steps to Restrict Backend Servers to Receive Traffic Only from CloudGuard WAF SaaS IPs To ensure backend servers only receive traffic from CloudGuard WAF as a Service IPs, follow these steps: 1. **Identify CloudGuard WAF SaaS IPs**: Log in to your Infinity Portal account and navigate to the Profile page to find the list of authorized IP addresses. 2. **Update Firewall Rules**: Configure your network firewall to allow incoming traffic only from the identified CloudGuard WAF SaaS IPs. This can typically be done through your firewall’s management console. 3. **Modify Server Access Control Lists (ACLs)**: Update the ACLs on your backend servers to permit traffic exclusively from the CloudGuard WAF IP addresses. This ensures that any traffic not routed through the WAF is blocked. 4. **Test Configuration**: After updating the firewall rules and ACLs, conduct thorough testing to verify that only traffic from the CloudGuard WAF is reaching your backend servers. 5. **Monitor and Audit**: Continuously monitor network traffic and audit logs to ensure compliance with the new configuration and to detect any unauthorized access attempts. By implementing these steps, you can significantly enhance the security of your backend servers and protect them from potential cyber threats. [PreviousAuthorize Temporary Access for Check Point Support](https://waf-doc.inext.checkpoint.com/how-to/authorize-temporary-access-for-check-point-support) [NextIntegrate CloudGuard WAF with Prometheus](https://waf-doc.inext.checkpoint.com/how-to/integrate-cloudguard-waf-with-prometheus) Last updated 11 months ago Was this helpful? --- # Management & Automation | CloudGuard WAF CloudGuard WAF provides Enterprise grade SaaS management including ability to group changes and apply them together, ability for multiple admins to work in parallel with a sophisticated locking mechanism, audit-logs, undo/redo and other. Administration can be done using Web User Interface, GraphQL API or Infrastructure-as-code via Terraform. [](https://waf-doc.inext.checkpoint.com/concepts/management-and-automation#sessions) Sessions -------------------------------------------------------------------------------------------------- CloudGuard WAF management allows admins to make multiple changes, review them and then either Enforce them altogether or make them available to other administrators. When an administrator logs-in and upon API authentication, a new session starts. The changes that the administrator makes during the session are only available to that administrator. Other administrators see a lock icon on object and rules that are being edited. The changes are saved automatically. There is no need to manually save. ### [](https://waf-doc.inext.checkpoint.com/concepts/management-and-automation#publish-and-enforce) Publish and Enforce To make your changes available to other administrators, and to save the database before enforcing a policy, you must publish the session. When you publish a session, a new database version is created. You can do this by clicking the **Publish** button at the top menu. Before you publish the session, you can add some informative attributes to it. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FgN9WrjkvYYkLxA3uy624%252Fgeneral-top-banner-options.PNG%3Falt%3Dmedia%26token%3Df74ef819-4757-410d-9ef3-294bb4909c37&width=768&dpr=4&quality=100&sign=799a392a&sv=2) When you click the **Enforce**, button at the top menu, you also are prompted to publish all unpublished changes in the current session to the profiles of your choice. You cannot enforce a policy if the included changes in the session are not published. Unpublished changes from other sessions will not be included in the policy installation. There is no need to save changes when working on a session. Changes are saved automatically. You can also log-out without publishing your changes from the session. You will see the changes next time you log in. Upon clicking **Enforce** you can select between 2 options: * **Enforce policy on all profiles** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FVTvsU6lltDAOHEfb9vIw%252Fgeneral-enforce-all-profiles.PNG%3Falt%3Dmedia%26token%3D2883f565-d17d-4b73-a54b-02efa61bc648&width=768&dpr=4&quality=100&sign=83fbf5f7&sv=2) * **Enforce policy on specific profiles** - This option opens the list of your configured profiles and an option to select one or more of them. Only agents connected to those profiles will receive the new policy. If a profile object itself is new, or has changed, a purple marking will denote that. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FF3baCTGjY4StE2YuxvWm%252Fgeneral-enforce-select-profiles.PNG%3Falt%3Dmedia%26token%3D7d4e4093-d9c3-47d4-8c3a-36191364cd0b&width=768&dpr=4&quality=100&sign=a8855e9b&sv=2) ### [](https://waf-doc.inext.checkpoint.com/concepts/management-and-automation#object-locking) Object Locking Any object, changed during a session by a user with write permissions, becomes immediately locked for additional configuration changes by other users, until changes are either published or discarded. See [Discard](https://waf-doc.inext.checkpoint.com/concepts/management-and-automation#discard) section for more explanation regarding who can discard changes and how. A locked object will show a lock icon. Upon hovering over the lock icon a user can see which user locked this object and how long ago did this configuration change occur. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FH91DwBC7h0lw0VIrEqzB%252Fappsec-profiles-locked-message.jpg%3Falt%3Dmedia%26token%3D676d77df-637c-4b67-a874-3a3dc1f452d5&width=768&dpr=4&quality=100&sign=6c882fd7&sv=2) ### [](https://waf-doc.inext.checkpoint.com/concepts/management-and-automation#discard) Discard It is possible to discard all change in a session, by clicking on the **Publish** button and then clicking **Discard All**. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FWytuGgCqLK141iFV2xnW%252Fgeneral-top-banner-publish-discard-all.PNG%3Falt%3Dmedia%26token%3D19f4ae32-c619-4937-9380-d37422dabc18&width=768&dpr=4&quality=100&sign=e41fb0ea&sv=2) An emergency way to **Discard All Sessions** is available under **Support->System.** This operation can become handy if an administrator leaves some objects locked and is not available to complete his session, thus preventing others from doing changes. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fj6VZmbm6Dw2HmbHlBC0l%252Fgeneral-support-system-discard-all.png%3Falt%3Dmedia%26token%3D22489f62-7eb3-4b8d-bb56-0e32e18663a8&width=768&dpr=4&quality=100&sign=da004e4d&sv=2) ### [](https://waf-doc.inext.checkpoint.com/concepts/management-and-automation#undo-redo) Undo/Redo It is possible to Undo/Redo any change until you publish a session by clicking the arrows in the top banner of the portal. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FgN9WrjkvYYkLxA3uy624%252Fgeneral-top-banner-options.PNG%3Falt%3Dmedia%26token%3Df74ef819-4757-410d-9ef3-294bb4909c37&width=768&dpr=4&quality=100&sign=799a392a&sv=2) [](https://waf-doc.inext.checkpoint.com/concepts/management-and-automation#audit-logs) Audit Logs ------------------------------------------------------------------------------------------------------ The system creates automatically an audit log for any configuration change. The log contains the details of the change, administrator and time stamp. You can view the Audit Logs through **Global Settings -> Audits**. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FiN7yKYwdSyuchCfNMITa%252Fgeneral-settings-audits.PNG%3Falt%3Dmedia%26token%3D45f2cfc7-6a08-4c69-baa2-04d163888f50&width=768&dpr=4&quality=100&sign=40f183c5&sv=2) [](https://waf-doc.inext.checkpoint.com/concepts/management-and-automation#automation-and-apis) Automation & APIs ---------------------------------------------------------------------------------------------------------------------- CloudGuard WAF provides two automation methods: GraphQL API and Infrastructure-as-code using Terraform. Both allow to Create, Read, Update or Delete any object in the system. ### [](https://waf-doc.inext.checkpoint.com/concepts/management-and-automation#main-objects) Main Objects To do any kind of automation it is important to understand the main objects in CloudGuard WAF and their relations. The root objects are always Assets. Assets can refer to other objects according to the following hierarchy: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FN4xTkVkurN2IX6PScFR7%252Fgeneral-management-objects-reference-hierarchy.PNG%3Falt%3Dmedia%26token%3D07aa68f0-9668-4917-9242-46945a5f7960&width=768&dpr=4&quality=100&sign=9487e152&sv=2) * Asset - Web Application or Web API asset that you wish to protect. * Asset Behaviors - Trusted Sources used by the Machine Learning Engine. * Profile - defines shared settings of agents. * Practices - Web Application Protection Practice or Web API Protection Practice. * Triggers - Logging settings. * Behaviors - Web User Response and Exceptions. ### [](https://waf-doc.inext.checkpoint.com/concepts/management-and-automation#graphql-api) GraphQL API CloudGuard WAF provides a collection of GraphQL APIs that allows to Authenticate, Create, Read, Update or Delete any object in the system as well as Publish or Enforce a set of changes. GraphQL is a strongly typed API query language. It allows clients to define the structure of the data required, and exactly the same structure of the data is returned from the server. This avoids both the problems of over and under-fetching data, while also allowing for a powerful and flexible API. See here more about about the API: [Management API](https://waf-doc.inext.checkpoint.com/references/management-api) [GitHub](https://waf-doc.inext.checkpoint.com/resources/github) To learn more about GraphQL see [here](https://graphql.org/learn/) ### [](https://waf-doc.inext.checkpoint.com/concepts/management-and-automation#infrastructure-as-code-using-terraform) Infrastructure-as-code using Terraform Provisioning and managing infrastructure is a critical task in DevOps. To accomplish this, modern practices rely on Infrastructure as Code (IaC). By storing your infrastructure configuration in version control systems, you can standardize configuration across your organization, and simplify infrastructure updates. CloudGuard WAF Terraform provider allows configuration of all aspects of CloudGuard WAF using HCL Infrastructure as Code (IaC). Terraform uses the concept of Providers to provide an open source feature-rich plugin system. Providers adopt specific conventions programmatically that allow them to express the CRUD lifecycle of individual resources and how to maintain and verify the state of existing deployed resources. For more information see: [Use Terraform to Manage CloudGuard WAF](https://waf-doc.inext.checkpoint.com/how-to/use-terraform-to-manage-cloudguard-waf) [PreviousGateways & Agents](https://waf-doc.inext.checkpoint.com/concepts/gateways-and-agents) [NextSecurity Practices](https://waf-doc.inext.checkpoint.com/concepts/security-practices) Last updated 9 months ago Was this helpful? --- # Edit Reverse Proxy Advanced Settings for a Web Asset | CloudGuard WAF When configuring a Web API or a Web Application asset to be protected by CloudGuard WAF's AppSec Gateway, the wizard already configures the required reverse proxy settings of an upstream URL (the Protected web server's URL) and downstream URL (the exposed URL/s) for each asset. However, there are additional advanced reverse proxy settings that can be set for the CloudGuard WAF per web asset. [](https://waf-doc.inext.checkpoint.com/how-to/edit-reverse-proxy-advanced-settings-for-a-web-asset#reverse-proxy-advanced-settings-location) Reverse Proxy Advanced Settings Location ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- #### [](https://waf-doc.inext.checkpoint.com/how-to/edit-reverse-proxy-advanced-settings-for-a-web-asset#step-1-edit-the-web-api-application-asset-through-policy-greater-than-assets) Step 1: Edit the web API/application asset through Policy->Assets ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F5SCyYWYFaabRXW2MmrrS%252FAssetPage.png%3Falt%3Dmedia%26token%3D6db97154-b45f-4b20-a307-1765ae0b2108&width=768&dpr=4&quality=100&sign=eb2909fc&sv=2) #### [](https://waf-doc.inext.checkpoint.com/how-to/edit-reverse-proxy-advanced-settings-for-a-web-asset#step-2-click-advanced...-under-reverse-proxy-in-general-tab) Step 2: Click 'Advanced...' under Reverse Proxy in General tab The following window will appear: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FRhD8y2LlNWE53iduUh9A%252Fappsec-assets-general-reverse-proxy-settings-advanced.PNG%3Falt%3Dmedia%26token%3Df74b89df-ae43-4831-b713-68b50e35aac3&width=768&dpr=4&quality=100&sign=16948c36&sv=2) [](https://waf-doc.inext.checkpoint.com/how-to/edit-reverse-proxy-advanced-settings-for-a-web-asset#validating-the-certificate-of-the-internal-server) Validating the certificate of the internal server ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The reverse proxy takes incoming HTTP/S requests and forwards them to an internal server. When using HTTPS, the forwarded request to the internal server returns with a certificate which the best practice is to validate. The below advanced proxy settings include the configuration option for "**Trusted CA chain for protected server SSL verification**". Use this option to configure the trusted CA chain that will validate the certificate presented by the internal server for enhanced security. [](https://waf-doc.inext.checkpoint.com/how-to/edit-reverse-proxy-advanced-settings-for-a-web-asset#advanced-proxy-settings) Advanced Proxy Settings --------------------------------------------------------------------------------------------------------------------------------------------------------- Setting Explanation and comments Redirect incoming HTTP requests to the same URL using HTTPS **Note** - to use this option both an HTTP **and** a parallel HTTPS version of each web URL, used by this asset, need to be configured. A user using an HTTP wil always get a redirection to the parallel HTTPS URL before handling the request. Activate access log on gateway The reverse proxy logs every request through it after it is processed. Add custom headers When selecting this, the form will expand to show a table where you can redefine or append fields to the request header passed to the proxied server. Use text, variables, or a combination of both. The table will contain key:value records. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FR5krTjRt8RnFUfs8TJpx%252Fappsec-assets-general-reverse-proxy-settings-customer-headers.PNG%3Falt%3Dmedia%26token%3D11065b04-c6dd-4a55-b45b-1d1a4b2566d6&width=768&dpr=4&quality=100&sign=70d7e0a5&sv=2) ### [](https://waf-doc.inext.checkpoint.com/how-to/edit-reverse-proxy-advanced-settings-for-a-web-asset#additional-settings) Additional Settings ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FiKr3JLiI9sMRbQHs1WNQ%252Fappsec-assets-general-reverse-proxy-settings-additional-settings.PNG%3Falt%3Dmedia%26token%3Dbff93bdb-eea5-40cc-b876-e1dcf4e7118c&width=768&dpr=4&quality=100&sign=7ce59f7d&sv=2) Setting Explanation and comments Allowed Values Additional location block instructions Allows to upload a file with a set of instruction to be inserted into the location blocks of underlying NGINX configuration of the CloudGuard WAF AppSec Gateway N/A Additional server block instructions Allows to upload g a file with a set of instruction to be inserted into the server blocks of the underlying NGINX configuration of the CloudGuard WAF AppSec Gateway N/A Trusted CA chain for protected server SSL verification Provides the reverse proxy with a custom CA chain for SSL verification of the protected server URL. N/A Connect Timeout Defines a timeout to establish a connection with a proxied server. Positive number Read Timeout Defines a timeout to read a response from the proxied server. The timeout is set only between two successive read operations, not for the transmission of the whole response. If the proxied server does not transmit anything within this time, the connection is closed. Positive number Proxy Send Timeout Sets a timeout to transmit a request to the proxied server. The timeout is set only between two successive write operations, not for the transmission of the whole request. If the proxied server does not receive anything within this time, the connection is closed. Positive number Proxy SSL Name Allows overriding the server name used to verify the certificate of the proxied HTTPS server, and, allows it to pass through SNI when you establish a connection with the proxied HTTPS server Server Name Proxy SSL Verify Enables or disables verification of the proxied HTTPS server certificate. on/off Keep Alive Timeout Sets a timeout in which a keep-alive client connection stays open on the server side. The zero value disables keep-alive client connections. Positive number Health Check Controls periodic health checks to verify NGINX is running (true by default). true/false DNS Server Configures a domain name server's IP address used to resolve names of upstream URLs (the backend servers’ URL) into addresses. IP address Enable HSTS Controls the activation of [Strict Transport Securit](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/) y Response header on all responses coming from the CloudGuard WAF AppSec Gateway (false by default). true/false Enable Failed request Logging When set to "true", the CloudGuard WAF AppSec Gateway will also log all blocked traffic due to Reverse Proxy configuration (false by default). true/false Enable Web Socket Proxying Controls the activation of a proxy tunnel for web socket requests through the CloudGuard WAF AppSec gateway (true by default). true/false SSL Ciphers Allows the definition of an additional SSL ciphers' list that will be allowed by the CloudGuard WAF AppSec Gateway for HTTPS traffic. String of SSL ciphers delimited by ':' Health Check Path for SaaS **Note:** This setting is effective for CloudGuard WAF as a Service only. Set the URL path for the health check request. This path verifies the service's availability and responsiveness. string starting with Health Check Interval for SaaS **Note:** This setting is effective for CloudGuard WAF as a Service only. Indicates how often (in seconds) the health check request is sent to the specified path. A lower number means more frequent monitoring, while a higher number reduces the check frequency. number between 30 to 3600 [PreviousEdit Web Application/API Settings](https://waf-doc.inext.checkpoint.com/how-to/edit-web-application-api-settings) [NextProtect an existing production site with CloudGuard WAF's Gateway](https://waf-doc.inext.checkpoint.com/how-to/protect-an-existing-production-site-with-cloudguard-wafs-gateway) Last updated 7 months ago Was this helpful? --- # Deployment using 'docker' command | CloudGuard WAF Use this option to deploy a single docker image containing CloudGuard WAF with a managed reverse proxy. It is possible to manage the reverse proxy server by yourself. Read the [instructions](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command#how-can-i-manage-nginx-myself) further in this document to see the changes in deployment instructions. [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command#prerequisites) Prerequisites ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- * Linux machine with: * Docker installed (or similar, compatible container runtime) * Root permissions [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command#configuration) Configuration ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- **Note** \- package file and folder names contain the name appsec - short for "Application Security" provided by CloudGuard WAF. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command#step-1-pull-agent-container-image) Step 1: Pull agent container image As part of your CI, use the [checkpoint/cloudguard-appsec-standalone](https://hub.docker.com/r/checkpoint/cloudguard-appsec-standalone) registry to pull the unified NGINX and Nano-Agent image or use the following command: Copy docker pull checkpoint/cloudguard-appsec-standalone #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command#step-2-obtain-the-registration-token) Step 2: Obtain the registration token Make sure you obtain the from the [Enforcement **Profile**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) page, **Authentication** section. you will need it during agent deployment. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FodEuUgaIWcxkuTtYrJ2n%252Fappsec-profiles-authentication-token.PNG%3Falt%3Dmedia%26token%3Daaa5d4ad-7a5b-4986-9378-7ec39b22aadd&width=300&dpr=4&quality=100&sign=372cae61&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command#step-3-run-the-agent) Step 3: Run the agent Run the agent with this command after replacing with the copied token from previous step and removing unneeded optional parameters: Copy docker run -d --name=agent-container [-v=:/etc/cp/conf] [-v=:/etc/cp/data] [-v=:/var/log/nano_agent] [-v=:/etc/nginx/conf.d/] [-v=/appsec/etc/certs:/etc/certs/] [-e https_proxy=] [-p :443] [-p :80] [-p :8117] -it checkpoint/cloudguard-appsec-standalone /cloudguard-appsec-standalone --token Unique Parameters explanation: Parameter Description Required? `-v=/appsec/etc/certs:/etc/certs/` Map persistent storage path for certificates to /etc/certs of the container. **Note**: We recommend using /appsec/etc/certs and refer to it in our [documentation for storing certificates](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command/store-certificates-locally-on-docker) . Yes for managed Reverse Proxy. If the web server uses only HTTP there is no need for this parameter. When managing Reverse Proxy by yourself, map the certificates according to your own deployment design. `-v=:/etc/nginx/conf.d/` Map persistent storage path for NGINX configuration files. Yes when using the "unmanaged option". In this option the external persistent path is the means to locally manage the NGINX. `-v=:/etc/cp/conf -v=:/etc/cp/data -v=:/var/log/nano_agent` Map persistent storage path for agent files. Can be useful for debugging purposes if a container is no longer available. No `-e https_proxy` Configure a proxy server for outbound traffic, if applicable. No. Needed only in the specific case of outbound traffic through a proxy server. `-p :8117` Expose an external port for health checks Yes `-p :80` Expose an external port for incoming HTTP traffic Yes `-p --ssh-hash ` The hash of you password can be calculated like this: `_openssl passwd -6 -salt ClearTextPassword_` 1. _\-6 indicates SHA-512_ 2. is to randomize the encryption #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command#step-4-deploy-the-container) Step 4: Deploy the container Deploy the unified container. To make sure that it is running, run: `docker ps`. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command#step-5-verify-installation) Step 5: Verify installation Following the steps above, the agent will install and connect automatically. Run the following command to check the status: Copy docker exec -it cpnano -s CloudGuard AppSec web portal should also display a successful connection message: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FzrhFNuIBv6uIUGnQsqIw%252Fappsec-agents-agent-connected-banner-notification.PNG%3Falt%3Dmedia%26token%3D47ad548e-bf80-4619-9ebf-c93fb736257f&width=768&dpr=4&quality=100&sign=ec2edfa6&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command#step-6-certificates-deployment-if-the-traffic-is-encrypted-via-http) Step 6: Certificates deployment (if the traffic is encrypted via HTTP) [Store Certificates Locally on Docker](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command/store-certificates-locally-on-docker) [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command#how-can-i-manage-nginx-myself) How can I manage NGINX myself? -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- It is possible to have only security aspects managed centrally and manage nginx.conf and other config files by yourself. ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command#configuration-1) Configuration * There is no need to add the upsteam URL for each Web application asset, because you will configure it yourself. * When creating a new Docker profile, make sure to select the option "**I want to manage NGINX myself not via this management**" ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F5OgVwck4Ij5TMU32cgOX%252FCapture.PNG%3Falt%3Dmedia%26token%3Debf91ba3-cea9-481d-9dd1-e396f6224139&width=768&dpr=4&quality=100&sign=7607657e&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command#running-the-agent-step-3) Running the agent (Step 3) Run the agent with this command after replacing with the copied token from previous step and removing unneeded optional parameters: Copy docker run -d --name=agent-container [-v=:/etc/cp/conf] [-v=:/etc/cp/data] [-v=:/var/log/nano_agent] -v=:/etc/nginx/conf.d/ [-e https_proxy=] -it checkpoint/cloudguard-appsec-standalone /cloudguard-appsec-standalone --token --nginx-self-managed Note the addition of the `**--nginx-self-managed**` parameter in the end of the command. Similar to managed Reverse proxy installation, almost all `"-v"` parameters and the `–e https_proxy` parameter are optional, **except for the path to persistent location for nginx server conf files**. For more info on each parameter see table above. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command#certificate-management-step-6) Certificate management (Step 6) To configure SSL certificates follow this guide for [NGINX](https://nginx.org/en/docs/http/configuring_https_servers.html) . [PreviousSingle Docker](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker) [NextStore Certificates Locally on Docker](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command/store-certificates-locally-on-docker) Last updated 11 months ago Was this helpful? --- # Upgrade your Reverse Proxy when a Linux/NGINX agent is installed | CloudGuard WAF One of the possible deployments for CloudGuard WAF is a Linux agent installed on top over a [supported Reverse Proxy](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/linux-nginx-kong) . If you wish to upgrade the Reverse Proxy while the agent is installed, follow the steps described in this documentation page. [](https://waf-doc.inext.checkpoint.com/how-to/upgrade-your-reverse-proxy-when-a-linux-nginx-agent-is-installed#nginx) NGINX --------------------------------------------------------------------------------------------------------------------------------- #### [](https://waf-doc.inext.checkpoint.com/how-to/upgrade-your-reverse-proxy-when-a-linux-nginx-agent-is-installed#step-1-delete-the-agent-modules-load_module-line) Step 1: **Delete the agent module's load\_module line** * Locate your nginx _modules_ folder path by running: nginx -V and look for the value of the "--modules-path" parameter. It is usually /usr/share/nginx/modules or /usr/lib/nginx/modules * Via command line access to the machine with the NGINX server and the agent, edit the following file: _/etc/nginx/nginx.conf_ * **Delete** the following line (look for the path located previously): _load\_module //ngx\_cp\_attachment\_module.so;_ #### [](https://waf-doc.inext.checkpoint.com/how-to/upgrade-your-reverse-proxy-when-a-linux-nginx-agent-is-installed#step-2-comment-out-the-agent-modules-configuration-lines) Step 2: Comment out the agent module's configuration lines * Edit all files in the paths _/etc/nginx/conf.d/\*_ or _/etc/nginx/sites\_enabled/\*_ * Comment out (add '#' in the beginning of the line) all the lines, if exist, that begin with: _cp-nano-nginx-attachment_ * If you added manually additional lines in other server configuration files - comment them out as well. #### [](https://waf-doc.inext.checkpoint.com/how-to/upgrade-your-reverse-proxy-when-a-linux-nginx-agent-is-installed#step-3-run-a-test-command) Step 3: Run a test command Run the command '_nginx -t_'. You should see it print out "_test is successful_". #### [](https://waf-doc.inext.checkpoint.com/how-to/upgrade-your-reverse-proxy-when-a-linux-nginx-agent-is-installed#step-4-upgrade-the-nginxs-software-version) Step 4: Upgrade the NGINX's software version Run any commands you intended to run in order to upgrade the NGINX's software version #### [](https://waf-doc.inext.checkpoint.com/how-to/upgrade-your-reverse-proxy-when-a-linux-nginx-agent-is-installed#step-5-stop-and-start-the-agent-while-triggering-deployment-of-a-new-attachment) Step 5: Stop and start the agent, while triggering deployment of a new attachment Run the following commands: _cpnano -q rm -rf /etc/cp/packages rm /etc/cp/conf/manifest.json cpnano -r_ #### [](https://waf-doc.inext.checkpoint.com/how-to/upgrade-your-reverse-proxy-when-a-linux-nginx-agent-is-installed#step-6-verify-the-agent-has-restarted) Step 6: Verify the agent has restarted After one minute that the agent has restarted successfully using the following command: _cpnano -s_ Last update status should state “Succeeded” and Last update should show a time in the scope of the last few minutes. #### [](https://waf-doc.inext.checkpoint.com/how-to/upgrade-your-reverse-proxy-when-a-linux-nginx-agent-is-installed#step-7-undo-the-changes-done-in-step-2) Step 7: Undo the changes done in step 2 Remove the "comment out" character ('#') from all the lines it was added to in step 2 (In the paths _/etc/nginx/conf.d/\*_ or _/etc/nginx/sites\_enabled/\*_ ) #### [](https://waf-doc.inext.checkpoint.com/how-to/upgrade-your-reverse-proxy-when-a-linux-nginx-agent-is-installed#step-8-nginx-reload) Step 8: NGINX reload Run the following commands: _nginx -s reload systemctl restart nginx_ [PreviousRotate profile authentication token](https://waf-doc.inext.checkpoint.com/how-to/rotate-profile-authentication-token) [NextUse Terraform to Manage CloudGuard WAF](https://waf-doc.inext.checkpoint.com/how-to/use-terraform-to-manage-cloudguard-waf) Last updated 9 months ago Was this helpful? --- # Enable Mutual TLS (mTLS) Authentication in Gateway / Virtual Machine and Single Docker | CloudGuard WAF ### [](https://waf-doc.inext.checkpoint.com/how-to/enable-mutual-tls-mtls-authentication-in-gateway-virtual-machine-and-single-docker#overview) Overview Mutual TLS (mTLS) enhances security by requiring both the server and the client to authenticate each other using digital certificates. When mTLS is enabled, only clients presenting valid certificates signed by a trusted Certificate Authority (CA) can successfully establish a connection, This guide explains how to upload a trusted CA list, apply the configuration, and enforce the mTLS policy through the asset’s Advanced Settings interface, in in Gateway / Virtual Machine and Single Docker. #### [](https://waf-doc.inext.checkpoint.com/how-to/enable-mutual-tls-mtls-authentication-in-gateway-virtual-machine-and-single-docker#prerequisite) Prerequisite * Ensure you have a valid CA certificate (_.pem_) file used to sign client certificates. * Ensure you have one of the following profile types: * Docker Agents: Single Container - CloudGuard WAF (With Reverse Proxy) * AppSec Gateway Profile #### [](https://waf-doc.inext.checkpoint.com/how-to/enable-mutual-tls-mtls-authentication-in-gateway-virtual-machine-and-single-docker#instructions-to-configure-mtls-on) Instructions to Configure mTLS on 1. Navigate to the asset you wish to protect. 2. Open the Advanced Settings section. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FcGiEZEAlbWUNIzDpr2Ub%252Fimage.png%3Falt%3Dmedia%26token%3D507f9cce-d435-469a-8ff6-ec2b69ff6203&width=768&dpr=4&quality=100&sign=b89690b9&sv=2) 1. Locate the Client SSL Verification configuration option. 2. Select the checkbox labeled Trusted CA list for client SSL verification. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FPgmXY88ODktdnySLlvqv%252Fimage.png%3Falt%3Dmedia%26token%3Dbdb016a8-2a3f-4259-b0c4-3f8042a5034f&width=768&dpr=4&quality=100&sign=d429c826&sv=2) 1. Click Upload, then select and upload your CA certificate (_.pem_) file. 2. The uploaded CA list defines which client certificates are trusted for authentication. 3. Verify that the file name appears in the upload field once the upload completes. 4. Save and Apply Configuration 5. Click OK to save your changes. 6. Click Enforce to synchronize the updated configuration to your agents. 7. Once enforced, clients will be required to present valid certificates during connection attempts. #### [](https://waf-doc.inext.checkpoint.com/how-to/enable-mutual-tls-mtls-authentication-in-gateway-virtual-machine-and-single-docker#configuring-multiple-ca-certificates) Configuring Multiple CA Certificates If you need to trust more than one Certificate Authority, you can combine multiple CA certificates into a single .pem file. To do this * Open a text editor. * Paste each CA certificate one after another, ensuring each retains its own _\-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers._ * Save the combined file (for example, trusted-cas.pem), example structure: _\-----BEGIN CERTIFICATE-----_ _(CA Certificate #1 contents)_ _\-----END CERTIFICATE-----_ _\-----BEGIN CERTIFICATE-----_ _(CA Certificate #2 contents)_ _\-----END CERTIFICATE-----_ * Upload this single .pem file as your Trusted CA list. * All included CAs will be recognized as valid signing authorities for client certificates. [PreviousIntegrate CloudGuard WAF with Prometheus](https://waf-doc.inext.checkpoint.com/how-to/integrate-cloudguard-waf-with-prometheus) [NextWAF Gateway / Virtual Machine](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine) Last updated 16 days ago Was this helpful? --- # API Protection | CloudGuard WAF [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection#api-security-overview) API Security Overview ------------------------------------------------------------------------------------------------------------------------------------ APIs are the backbone of modern applications, but their rapid evolution—new endpoints, changing parameters, and frequent updates—makes them a prime target for attacks. Without proper controls, these changes can expose security gaps and sensitive data. **CloudGuard WAF secures APIs by:** * Allowing only traffic that matches approved API definitions. * Validating schemas to block unreviewed or deprecated endpoints. * Enforcing authentication to ensure only legitimate clients can access APIs (coming soon). * Detecting and controlling sensitive data exposure. **CloudGuard WAF delivers this through the following core capabilities:** * [API Discovery](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/api-discovery) – Automatically maps APIs in use, providing visibility into changes. * [API Schema Validation](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema) – Enforces approved schemas to prevent unauthorized calls * [Authentication Enforcement](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/authentication-enforcement) (coming soon) – Validates client identity to stop unauthorized access. Together, these ensure APIs stay secure while adapting to constant change. Terminology[](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection#terminology) **Endpoints** The Endpoint in REST APIs is the URI without the domain. i.e. "**/api/my-assets**" in "https://myapp.com/api/my-assets". However, REST-based endpoint can contain "path parameters" which essentially combine different endpoints to a single one with the same meaning. For example, joining /api/my-assets/asset-id-4af4, and /api/my-assets/asset-id-8d2a into a single **/api/my-assets/{asset-id}** that represents all the potential APIs that have this format, have different asset IDs, yet serve the same purpose in terms of security configuration, and request body structure. In GraphQL the endpoint is the function being called. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection#methods) Methods In REST APIs the method is the HTTP protocol method. i.e. **GET**, **POST**, **PUT**, etc. When using GraphQL there are 2 main methods - **query** (indicating a read-only endpoint) and **mutation**. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection#apis) APIs An API is the combination of a method and an endpoint. i.e. **POST /api/my-assets/{asset-id}**. An API can have additional query parameters with certain value formats, unique headers with certain value formats, and body with a specific structure - usually a JSON format. The API's additional/optional query parameters, and the request body's structure, is learned as well the more usage of the same API is seen, and its accepted structure is also built as part of the schema. The API Discovery engine looks at the requests alone for the purpose of building schemas. It will not learn the response body and will not create a schema that validates the traffic from the server, as the aim is to focus on traffic from the clients, and protecting the server. The responses are inspected for their status code which discerns accepted APIs by the web server, from APIs it does not support, and for existence of sensitive data in them. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection#sensitive-data) Sensitive Data Sensitive Data types whose usage is detected by API discovery include: * UUIDs. * Emails. * Credit Card Numbers. * IP and MAC addresses. * Social Security Numbers. * Phone Numbers. * IBAN. * SSH Keys. * Certificates. * Vehicle Identification Numbers. [API Discovery](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/api-discovery) [Track API Discovery Learning](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/track-api-discovery-learning) [Enforce API Schema](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema) [Authentication Enforcement](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/authentication-enforcement) [PreviousAnti-Bot](https://waf-doc.inext.checkpoint.com/additional-security-engines/anti-bot) [NextAPI Discovery](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/api-discovery) Last updated 2 months ago Was this helpful? --- # Track API Discovery Learning | CloudGuard WAF When [a new Web API asset is added](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api) and API Discovery is activated, the underlying Machine Learning engine starts to gradually build a suggested schema of the web server's accepted APIs, as explained here: [API Discovery](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/api-discovery) API Discovery also generates visibiity of your API usage in a dashboard that shows data for all your defined assets that use API Discovery, as explained here: [Monitor Events](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events) As time passes, and depending on the size of traffic, variance of request sources, the learning level will gradually increase. When a certain maturity level is reached (Master and above, after a minimum of 10 days), it is recommended to perform a final review of the suggested schema, and use it in the [Schema Validation enforcement](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema) configuration. Following a certain maturity level, the learning engine will constantly continue to look at the traffic and discover potential suggested changes to the schema. However, at this stage changes will not be suggested until sufficient time has passed (several days, depending on the learn level it has reached) to make sure the changes detected are indeed consistent and required. At times, the learning engine will request answers to questions about API where fine tuning is needed. Answering those questions improves the accuracy of the suggested schema. [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/track-api-discovery-learning#understand-the-learning-level) Understand The Learning Level --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- When HTTP requests are inspected API Discovery learning agent will reach different learning levels. Each level represents the maturity of the learning model and helps to understand what it needs to reach the next level. It will also indicate when it is time to use the suggested schema and activate [Schema Validation enforcement](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema) . The model progresses through the following learning levels: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FFaOKPwvQzSSB40hSymLF%252Fappsec-track-learning-learning-levels.png%3Falt%3Dmedia%26token%3Dbaaccf0c-6497-4d0e-bbcc-1127bc7fcc7c&width=768&dpr=4&quality=100&sign=eff8fe9&sv=2) When the learning level becomes **Master,** it is recommended to use the suggested schema, after answering all fine tuning questions to achieve the highest accuracy of the suggested schema, review it, and enforce [Schema Validation](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema) using it. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/track-api-discovery-learning#step-1-track-the-learning-level) Step 1: Track the learning level ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FvY4l1WX8G9QwaLQvpkd6%252FAPIDiscoveryLearn.png%3Falt%3Dmedia%26token%3Dd2ade115-d561-4042-91fb-a23c11300796&width=768&dpr=4&quality=100&sign=fa57dd1b&sv=2) * Go to **Policy->Assets** and select the Asset you want to track. * Select the **Learn** tab. This tab shows the learning **statistics of the last 7 days**, the **Elapsed Time**, the **Learning Level** and the **Recommendation** at this level. * Below the summary you will find the detected schema and below that, the suggestions to the user that will help fine-tune the learning data (Tuning Suggestions). * Hover over the **Learning Level** tooltipℹ️ to learn the current learning level and the next level. It will also indicate what is required to reach the next level in the '**Watch next?'** section. Positive contributing factors to the learning process are: Time elapsed, amount of traffic inspected, amount of supervised learning suggestions and some other model parameters. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/track-api-discovery-learning#step-2-address-the-recommended-action) Step 2: Address the recommended action 1. Hover over the **Recommendation** tooltipℹ️ to learn what the current recommended action is for the asset. Recommendations include: Recommendation Action Required Send Traffic Verify agent installation Keep Learning No action required. The machine learning model requires additional HTTP requests (and additional time). Enforce Schema It is now recommended to use Schema Validation in Prevent mode. The suggested schema to use is the recommended schema to be used by Schema Validation. Activate Schema Validation with the latest suggested schema following a review. A recommended good practice is to activate Schema Validation in Detect mode for a few days, review the logs regarding traffic that would've been blocked by it, and then moving to Prevent. Review Schema Schema Validation is active and set to Prevent. It is recommended to replace the schema used by Schema Validation with the latest schema suggestion. Schema is Enforced No action required. Well Done! The asset is protected and the latest learned schema is enforced. The are no further suggested changes. Review Tuning Suggestions Improve the accuracy of the suggested schema by answering the Tuning suggestions generated by the learning mechanism. In the example below the **Recommendation** is to start enforcing the detected schema. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fp3B3GwUtV4JvJf3vgF9P%252Fappsec-api-discovery-assets-learn-recommendation.png%3Falt%3Dmedia%26token%3D82aefa36-2c46-4fb0-b4c6-f9d7217cc192&width=768&dpr=4&quality=100&sign=c6f321eb&sv=2) [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/track-api-discovery-learning#viewing-suggested-schema) Viewing Suggested Schema ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- As the iterative learning model sees more and more traffic, a schema is built. This learning process never stops, even after reaching the most mature level of the learning model, corresponding with the ever-changing life cycle of a web server, as new APIs are added and sometimes deprecated, causing a need to change the enforced schema. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FRL1fDVBTHRJo8PIF7UI7%252FAPIDiscoveryLearn3.png%3Falt%3Dmedia%26token%3D8dee3659-7957-4684-a934-53fb4f4df4e1&width=768&dpr=4&quality=100&sign=fd19bfe&sv=2) * It is possible to view the schema in a similar way to the view within the know API exploration UI tool Swagger. Click **Open Schema**: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FN6CzxKn8sWBfUNhqbba1%252Fappsec-api-discovery-assets-learn-show-schema.png%3Falt%3Dmedia%26token%3D483a8bae-70ac-442c-9dbb-adce8079851d&width=768&dpr=4&quality=100&sign=9415ff4f&sv=2) * It is possible to download the schema in YAML format. Click **Download Schema.** * Data for each endpoint includes: * Change status compared to the previously learned schema version. * Usage of sensitive data in requests to this endpoint. * Counts for requests and unique sources that use this endpoint. * Indication of public API (if it was accessed from other public addresses) * First and Last seen dates (this data is saved beyond 7 days). [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/track-api-discovery-learning#tuning-suggestions) Tuning Suggestions ----------------------------------------------------------------------------------------------------------------------------------------------------------- The [Contextual Machine Learning](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning) model may ask to review certain events, also called **Tuning Suggestions**. Providing feedback to these suggestions is not mandatory as the engine is capable of learning by itself. However doing this, allows the machine learning engine to reach a higher maturity level and therefore a better accuracy faster based on human guidance. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/track-api-discovery-learning#step-1-review-tuning-suggestions) Step 1: Review Tuning Suggestions 1. Go to **Cloud->Assets** and select the Asset you want to review. 2. Select the **Learn** tab. This tab, at its bottom, shows **Tuning Suggestions** and **Tuning Decisions**. 3. Review the proposed **Tuning Suggestions**. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FtDGQlZkI7hYxCb1mWjYu%252FAPIDiscoveryLearn2.png%3Falt%3Dmedia%26token%3D85cbb8c7-751c-4728-975a-5b734fb823ab&width=768&dpr=4&quality=100&sign=53cc1664&sv=2) #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/track-api-discovery-learning#step-2-provide-feedback-to-the-proposed-tuning-suggestions) Step 2: Provide feedback to the proposed Tuning Suggestions 1. Click on the **Yes** or **No** button next to the line of the Tuning Suggestion. Your Tuning Suggestion now moves to the **Tuning Decisions** list, where it is also possible to undo the decision. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FPWYF0lLvXqHVrkVq3V2b%252Fappsec-api-discovery-assets-learn-tuning-decisions.png%3Falt%3Dmedia%26token%3D38871438-4832-4259-814a-e02d06cca871&width=768&dpr=4&quality=100&sign=671b791c&sv=2) #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/track-api-discovery-learning#step-3-review-the-new-recommended-action-if-exists) Step 3: Review the new recommended action if exists 1. Go to [Step 2: Learn the recommended action](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/track-api-discovery-learning#step-2-address-the-recommended-action) of the previous section to learn what to do next to improve the learning process. [PreviousAPI Discovery](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/api-discovery) [NextEnforce API Schema](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema) Last updated 8 months ago Was this helpful? --- # Setup Notification Triggers | CloudGuard WAF CloudGuard WAF safeguards web servers against attacks. You can set up Trigger objects to specify actions when an event occurs. One type of Trigger object, "Notification", allows sending email notifications to multiple addresses for events related to your agents [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-notification-triggers#setting-up-a-notification-trigger) Setting up a Notification Trigger ---------------------------------------------------------------------------------------------------------------------------------------------------------------- #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-notification-triggers#step-1-create-a-new-notification-trigger) Step 1: Create a new "Notification" trigger Browse to **Policy -> Triggers** and create a new Trigger object of type **Notification**. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FWHVBx1KdJhMjBxNKMPV7%252FCapture.PNG%3Falt%3Dmedia%26token%3D38718a07-6e48-440f-a46b-25352a8d47a7&width=768&dpr=4&quality=100&sign=5ff1b21b&sv=2) Configure a new name to the new trigger object: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FHkfs3YG2e7E75YW4kUT4%252FCapture1.PNG%3Falt%3Dmedia%26token%3D5ff4246a-4414-4b2a-90d9-cbc15f2ea70d&width=768&dpr=4&quality=100&sign=d187d802&sv=2) #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-notification-triggers#step-2-configure-intervals-and-email-addresses) Step 2: Configure intervals and email addresses 1. **Intervals in hours** - Specify the interval in hours for receiving notifications. You will receive an email at each set interval (e.g., every 2 hours) if any events occurred. 2. **Emails recipients** - You can choose one of the following options: 1. **Send all admins in the tenant** - According to the Admins listed under **Account** \-> **Users**. 2. **Send all users in the tenant** - According to the list of users listed under **Account** \-> **Users**. 3. **Custom Emails -** Send to a customize list of email addresses ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FRu71dPZ5eYzxQgNIvgQ0%252FCapture2.PNG%3Falt%3Dmedia%26token%3D2d0d52e8-cbb7-4c24-b93f-9d4ba99849f6&width=768&dpr=4&quality=100&sign=8320e7fd&sv=2) #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-notification-triggers#step-3-choose-the-events-you-wish-to-get-notified-about) Step 3: Choose the Events you wish to get notified about Select the checkboxes for events you want to be notified about. You can also choose all the events. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fp9XlAam1b3tqrQFEKSw0%252FCapture3.PNG%3Falt%3Dmedia%26token%3Dc6d7cf80-cb2e-4208-b375-8a2417a5be20&width=768&dpr=4&quality=100&sign=d8c47b45&sv=2) #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-notification-triggers#step-3-setup-your-threat-prevention-policy-to-use-the-new-log-trigger-object-s) Step 3: Setup your Threat Prevention policy to use the new Log Trigger object/s Browse to **Policy**\->**Assets** and edit the asset you wish to modify. Go to the **relevant practice** tab and scroll to the bottom. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FRUhX5rQW2fNrogQhPLSA%252FUserResponsePage.png%3Falt%3Dmedia%26token%3Dc028d198-0997-4976-9ed1-d1483688bf43&width=768&dpr=4&quality=100&sign=5a1e938c&sv=2) Click on the 'Add triggers' lint and add your new Notification Trigger object. The trigger must be connected to an asset, published, and enforced to be activated. [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-notification-triggers#notification-email-example) Notification Email Example -------------------------------------------------------------------------------------------------------------------------------------------------- The screenshot below illustrates a sample notification email that you will receive after configuring the notification trigger. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FHIhpWXnwd0an7u88fuJW%252FNotificaionTriggerExample.png%3Falt%3Dmedia%26token%3Dd47dd7a3-4b5e-4071-9d04-e5e0320ce451&width=768&dpr=4&quality=100&sign=c43e44c2&sv=2) [PreviousSetup Report Triggers](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-report-triggers) [NextSetup Behavior Upon Failure](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-behavior-upon-failure) Last updated 8 months ago Was this helpful? --- # Intrusion Prevention System (IPS) | CloudGuard WAF In addition to the Contextual Machine-Learning based engine, CloudGuard WAF provides traditional signature-based protections for over 2800 web-based CVEs (Common Vulnerabilities and Exposures). The signatures arrive automatically to agents/gateways as soon as Check Point Security Research team releases them. One specific benefit of these signatures is the ability to see logs that indicate a specific CVE number. [](https://waf-doc.inext.checkpoint.com/additional-security-engines/intrusion-prevention-system-ips#how-to-change-intrusion-prevention-settings) How to change Intrusion Prevention settings ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- When defining a new [Web Application / API](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api) asset to protect, IPS was already defined to enforce its security as part of step 3 of the wizard. However - a security administrator may choose to fine tune the default behavior of the IPS engine. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/intrusion-prevention-system-ips#step-1-browse-to-policy-greater-than-assets-and-edit-the-web-application-api-asset) Step 1: Browse to Policy->Assets and edit the Web Application / API asset Once the asset edit window opens, select the **Web Attacks** tab and scroll to the **Intrusion Prevention** sub-practice. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FPU3TOtkHHNqoySfQpwKb%252FIPS.png%3Falt%3Dmedia%26token%3D9d9c4793-9335-4eb7-823f-161a0a5174ba&width=768&dpr=4&quality=100&sign=c0f077c4&sv=2) #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/intrusion-prevention-system-ips#step-2-edit-the-settings-of-the-intrusion-prevention-sub-practice) Step 2: Edit the settings of the Intrusion Prevention sub-practice The settings allow: * Changing which protections will be active according to their: * **Performance Impact** * **Severity** * **Year** of the [CVE](https://cve.mitre.org/) they protect against * Changing the exact behavior upon detection of signature according to its **confidence level** (**Prevent**/**Detect**/**Inactive,** or, **According to Practice** when there is no unique behavior to the group of protections) When making the first change to the default Web Application/API Best Practice's configuration such as making changes to the default configuration of the IPS engine settings, you will be prompted to change the name of the Practice to your own custom practice name ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fhu2Vump3xc5w8hiIAUcC%252Fappsec-assets-practice-custom-practice-message.PNG%3Falt%3Dmedia%26token%3Df53efb3f-faa9-4d08-8aa9-5802a2066c5f&width=768&dpr=4&quality=100&sign=63d14cf7&sv=2) #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/intrusion-prevention-system-ips#step-4-make-sure-the-mode-of-the-intrusion-prevention-sub-practice-is-as-desired) Step 4: Make sure the Mode of the Intrusion Prevention sub-practice is as desired Setting the Mode to **As Top Level** means inheriting the primary mode of the practice. Otherwise you can override it only for this specific sub-practice to **Detect**/**Prevent**/**Disable**. You can also set up a specific action per confidence level of the the protection that caught the attack. **According to Practice** mode means the sub-practice's mode determines the action. But you can set up **Detect/Prevent/Disable** specifically for that group of protections per confidence level. For example - the default configuration of the IPS sub-practice configures that Low confidence protections will be set to "Detect" mode, unrelated to the general IPS mode. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/intrusion-prevention-system-ips#step-5-enforce-policy) Step 5: Enforce Policy Click **Enforce** on the top banner of the Infinity Portal. [PreviousFile Security](https://waf-doc.inext.checkpoint.com/additional-security-engines/file-security) [NextRate Limit](https://waf-doc.inext.checkpoint.com/additional-security-engines/rate-limit) Last updated 6 months ago Was this helpful? --- # NGINX Application Security | CloudGuard WAF The NGINX Ingress controller and CloudGuard WAF for Kubernetes agent are deployed together with a single Helm chart. The configuration of the NGINX Ingress controller is done with common methods for configuring Ingress using both Kubernetes Ingress resources or NGINX Ingress resources. This diagram shows an example of a Kubernetes service exposed outside the Kubernetes cluster with an Ingress controller protected with CloudGuard WAF. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FieVqE78veX0Xl332kOzx%252Fappsec-assets-k8s-deployment.png%3Falt%3Dmedia%26token%3Dcf045c7c-4934-43e9-aadd-f11a3b18034c&width=768&dpr=4&quality=100&sign=b698ff3a&sv=2) [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/nginx-application-security#prerequisites) Prerequisites -------------------------------------------------------------------------------------------------------------------------------------------------------- * AWS Elastic Kubernetes Service (EKS) or Azure Kubernetes Service (AKS) * For an NGINX-based ingress controller: Kubernetes 1.16.0+ cluster with [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) enabled with Cluster admin permissions * [Helm 3 Package Manager](https://helm.sh/docs/intro/install/) installed on your local machine * The `kubectl` and `wget` command-line tools installed on your bastion or platform that you use to access the Kubernetes cluster [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/nginx-application-security#installation) Installation ------------------------------------------------------------------------------------------------------------------------------------------------------ #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/nginx-application-security#step-1-download-helm-chart) Step 1: Download Helm chart Run the following command depending on your Kubernetes version: 1.19.0 and above 1.16.0 - 1.18.20 `wget https://cloudguard-waf.i2.checkpoint.com/downloads/helm/ingress-nginx/cp-k8s-appsec-nginx-ingress-4.12.1.tgz -O cp-k8s-appsec-nginx-ingress-4.12.1.tgz` `wget https://cloudguard-waf.i2.checkpoint.com/downloads/helm/ingress-nginx/cp-k8s-appsec-nginx-ingress-3.35.0.tgz -O cp-k8s-appsec-nginx-ingress-3.35.0.tgz` #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/nginx-application-security#step-2-install-helm-chart) Step 2: Install Helm chart Make sure you obtained the token from the [Enforcement Profile](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) page first, you will need it in the command to deploy the Helm chart. Obtain the from the **Profile** page, **Authentication** section. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FodEuUgaIWcxkuTtYrJ2n%252Fappsec-profiles-authentication-token.PNG%3Falt%3Dmedia%26token%3Daaa5d4ad-7a5b-4986-9378-7ec39b22aadd&width=300&dpr=4&quality=100&sign=372cae61&sv=2) Run the following command depending on your Kubernetes version (**Note** - package file names contain the name appsec - short for "Application Security" provided by CloudGuard WAF): 1.19.0 and above 1.16.0 - 1.18.20 `helm install cp-k8s-appsec-nginx-ingress-4.12.1.tgz --name-template cp-appsec --set appsec.agentToken=""` `helm install cp-k8s-appsec-nginx-ingress-3.35.0.tgz --name-template cp-appsec --set appsec.agentToken=""` #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/nginx-application-security#step-3-create-ssl-tls-secret-optional-if-the-servers-do-not-use-https) Step 3: Create SSL/TLS Secret (optional if the servers do not use HTTPS) Kubernetes Secrets are used for TLS termination of the Ingress resource. The public/private key pair must already exist before creating the Secret. Read more about Kubernetes TLS Secrets in the [Official Kubernetes Documentation](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) . Create a Kubernetes SSL/TLS Secret using the following command with the public key certificate for `--cert` .PEM-encoded and matching the private key for `--key`: `kubectl create secret tls --key --cert $` #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/nginx-application-security#step-4-configure-the-ingress-resource) Step 4: Configure the Ingress resource 1. Edit your ingress.yaml with your favorite editor 2. If needed add the following annotation: `kubernetes.io/ingress.class: "nginx"` ingress.yaml example[](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/nginx-application-security#ingress.yaml-example) The ingress.yaml in this example exposes two Kubernetes Services in the 'applications-ns' namespace: * portal-svc (port 8080) exposed through portal.acme.com on port 443 * api-svc (port 80) exposed through api.acme.com on port 80 Copy apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: example-ingress namespace: applications-ns annotations: kubernetes.io/ingress.class: "nginx" spec: tls: - hosts: - portal.acme.com secretName: tls rules: - host: portal.acme.com http: paths: - path: / pathType: Prefix backend: service: name: portal-svc port: number: 8080 - host: api.acme.com http: paths: - path: / pathType: Prefix backend: service: name: api-svc port: number: 80 #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/nginx-application-security#step-5-deploy-the-ingress) Step 5: Deploy the Ingress In environments that can allow short downtime, uninstall the older ingress and install the new one. `kubectl apply -f ingress.yaml` In environments that require zero-downtime: 1. Redirect your DNS traffic from the old ingress to the new ingress 2. Log traffic from both controllers during this changeover 3. Uninstall the old ingress once traffic has fully drained from it [PreviousIstio Application Security](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/istio-application-security) [NextDocker](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker) Last updated 3 months ago Was this helpful? --- # Dual Docker: NGINX/Kong/Envoy + Security Agent | CloudGuard WAF In this option you will deploy two docker images: * NGINX/Kong/Envoy - managed locally by you * CloudGuard WAF Agent - centrally managed via WebUI or API The benefit of this mode is that you can upgrade each docker separately. NGINX Kong Envoy #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-1-pull-agent-container-image) Step 1: Pull agent container image As part of your CI, use the [checkpoint/infinity-next-nano-agent](https://hub.docker.com/r/checkpoint/infinity-next-nano-agent) registry to pull the Nano-Agent image. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-2-obtain-the-registration-token) Step 2: Obtain the registration token Make sure you obtain the from the [Enforcement **Profile**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) page, **Authentication** section. you will need it during agent deployment. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FodEuUgaIWcxkuTtYrJ2n%252Fappsec-profiles-authentication-token.PNG%3Falt%3Dmedia%26token%3Daaa5d4ad-7a5b-4986-9378-7ec39b22aadd&width=300&dpr=4&quality=100&sign=372cae61&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-3-run-the-agent) Step 3: Run the agent Run the agent with this command: Copy docker run -d --name=agent-container --ipc=host -v=:/etc/cp/conf -v=:/etc/cp/data -v=:/var/log/nano_agent –e https_proxy= -it /cp-nano-agent --token `–e https_proxy` parameter is optional and used only in case the outbound traffic reaches the internet through a proxy server. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-4-replace-the-nginx-container-with-the-check-point-nginx-container) Step 4: Replace the NGINX container with the Check Point NGINX container Replace the NGINX container using the following registry to pull the image for this deployment: [checkpoint/infinity-next-nginx](https://hub.docker.com/r/checkpoint/infinity-next-nginx) As part of creating your reverse proxy for this environment, make sure that the reverse proxy is deployed with the correct downstream and upstream routing. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-5-modify-the-run-command) Step 5: Modify the run command Change your existing NGINX/Kong docker run command and add the `--ipc=host` parameter. If you are installing a reverse proxy for the first time and have no prior knowledge of deployment methods, an example of simple deployment instructions using NGINX can be found in [the official NGINX docker hub repository](https://hub.docker.com/_/nginx) . #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-6-deploy-the-two-containers) Step 6: Deploy the two containers Deploy the two containers. To make sure that it is running, run: `docker ps`. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-7-configure-ssl-certificates-optional-if-the-servers-do-not-use-https) Step 7: Configure SSL certificates (optional if the servers do not use HTTPS) To configure SSL certificates in **NGINX** follow these guides: * [NGINX](https://nginx.org/en/docs/http/configuring_https_servers.html) * [NGINX PLUS](https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-8-verify-installation) Step 8: Verify installation Following the steps above, the agent will install and connect automatically. CloudGuard WAF web portal should display a successful connection message: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FzrhFNuIBv6uIUGnQsqIw%252Fappsec-agents-agent-connected-banner-notification.PNG%3Falt%3Dmedia%26token%3D47ad548e-bf80-4619-9ebf-c93fb736257f&width=768&dpr=4&quality=100&sign=ec2edfa6&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-1-pull-agent-container-image-1) Step 1: Pull agent container image As part of your CI, use the [checkpoint/infinity-next-nano-agent](https://hub.docker.com/r/checkpoint/infinity-next-nano-agent) registry to pull the Nano-Agent image. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-2-obtain-the-registration-token-1) Step 2: Obtain the registration token Make sure you obtain the from the [Enforcement **Profile**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) page, **Authentication** section. you will need it during agent deployment. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FodEuUgaIWcxkuTtYrJ2n%252Fappsec-profiles-authentication-token.PNG%3Falt%3Dmedia%26token%3Daaa5d4ad-7a5b-4986-9378-7ec39b22aadd&width=300&dpr=4&quality=100&sign=372cae61&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-3-run-the-agent-1) Step 3: Run the agent Run the agent with this command: Copy docker run -d --name=agent-container --ipc=host -v=:/etc/cp/conf -v=:/etc/cp/data -v=:/var/log/nano_agent –e https_proxy= -it /cp-nano-agent --token `–e https_proxy` parameter is optional and used only in case the outbound traffic reaches the internet through a proxy server. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-4-replace-the-kong-container-with-the-check-point-kong-container) Step 4: Replace the Kong container with the Check Point Kong container Replace the NGINX container using the following registry to pull the image for this deployment: [checkpoint/infinity-next-kong](https://hub.docker.com/r/checkpoint/infinity-next-kong) As part of creating your reverse proxy for this environment, make sure that the reverse proxy is deployed with the correct downstream and upstream routing. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-5-modify-the-run-command-1) Step 5: Modify the run command Change your existing NGINX/Kong docker run command and add the `--ipc=host` parameter. If you are installing a reverse proxy for the first time and have no prior knowledge of deployment methods, an example of simple deployment instructions using NGINX can be found in [the official NGINX docker hub repository](https://hub.docker.com/_/nginx) . #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-6-deploy-the-two-containers-1) Step 6: Deploy the two containers Deploy the two containers. To make sure that it is running, run: `docker ps`. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-7-configure-ssl-certificates-optional-if-the-servers-do-not-use-https-1) Step 7: Configure SSL certificates (optional if the servers do not use HTTPS) To configure SSL certificates in **Kong** follow the guide in the following [link](https://docs.konghq.com/gateway/latest/how-kong-works/routing-traffic/#configuring-tls-for-a-route) . #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-8-verify-installation-1) Step 8: Verify installation Following the steps above, the agent will install and connect automatically. CloudGuard WAF web portal should display a successful connection message: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FzrhFNuIBv6uIUGnQsqIw%252Fappsec-agents-agent-connected-banner-notification.PNG%3Falt%3Dmedia%26token%3D47ad548e-bf80-4619-9ebf-c93fb736257f&width=768&dpr=4&quality=100&sign=ec2edfa6&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-1-pull-agent-container-image-2) Step 1: Pull agent container image As part of your CI, use the [checkpoint/infinity-next-nano-agent](https://hub.docker.com/r/checkpoint/infinity-next-nano-agent) registry to pull the Nano-Agent image. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-2-obtain-the-registration-token-2) Step 2: Obtain the registration token Make sure you obtain the from the [Enforcement **Profile**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) page, **Authentication** section. you will need it during agent deployment. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FodEuUgaIWcxkuTtYrJ2n%252Fappsec-profiles-authentication-token.PNG%3Falt%3Dmedia%26token%3Daaa5d4ad-7a5b-4986-9378-7ec39b22aadd&width=300&dpr=4&quality=100&sign=372cae61&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-3-run-the-agent-2) Step 3: Run the agent Run the agent with this command: Copy docker run -d --name=agent-container --ipc=host -v=:/etc/cp/conf -v=:/etc/cp/data -v=:/var/log/nano_agent –e https_proxy= -it /cp-nano-agent --token `–e https_proxy` parameter is optional and used only in case the outbound traffic reaches the internet through a proxy server. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-4-replace-the-envoy-container-with-the-check-point-envoy-container) Step 4: Replace the Envoy container with the Check Point Envoy container Replace the NGINX container using the following registry to pull the image for this deployment:  [checkpoint/cloudguard-waf-envoy](https://hub.docker.com/r/checkpoint/cloudguard-waf-envoy) As part of creating your reverse proxy for this environment, make sure that the reverse proxy is deployed with the correct downstream and upstream routing. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-5-load-the-cloudguard-waf-attachment-in-the-proxy-configuration) Step 5: Load the CloudGuard WAF attachment in the proxy configuration When installing Envoy on Docker: As an `envoy.yaml` configuration file is not included in the Envoy container make sure to have the above configuration added yourself to that file! In the Envoy configuration file, which is typically called `envoy.yaml` make sure to have the CloudGuard WAF attachment loaded as a filter for HTTP traffic. The CloudGuard WAF attachment is usually located here: `/usr/lib/libenvoy_attachment.so` #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-6-deploy-the-two-containers-2) Step 6: Deploy the two containers Deploy the two containers. To make sure that it is running, run: `docker ps`. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-7-configure-ssl-certificates-optional-if-the-servers-do-not-use-https-2) Step 7: Configure SSL certificates (optional if the servers do not use HTTPS) To configure SSL certificates in **Envoy** follow the guide in the following [link](https://www.envoyproxy.io/docs/envoy/latest/operations/certificates) . #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent#step-8-verify-installation-2) Step 8: Verify installation Following the steps above, the agent will install and connect automatically. CloudGuard WAF web portal should display a successful connection message: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FzrhFNuIBv6uIUGnQsqIw%252Fappsec-agents-agent-connected-banner-notification.PNG%3Falt%3Dmedia%26token%3D47ad548e-bf80-4619-9ebf-c93fb736257f&width=768&dpr=4&quality=100&sign=ec2edfa6&sv=2) [PreviousDeployment in Azure App Services](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-in-azure-app-services) [NextLinux / NGINX / Kong](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/linux-nginx-kong) Last updated 7 months ago Was this helpful? --- # Certificate Validation Failed: Adjusting CAA Record | CloudGuard WAF CloudGuard WAF as a Service provides managed certificate issuance and maintenance. We use AWS Certificate Manager to issue certificates for domains onboarded to the service. While onboarding your Web Application or Web API to WAF SaaS, you may encounter the following error: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FP06jXLKvIl98ZuBjXIlQ%252Fimage.png%3Falt%3Dmedia%26token%3Dd1313870-e1d0-4094-8a8f-be2f050c4eac&width=768&dpr=4&quality=100&sign=89573c70&sv=2) This means that one or more domain names have failed validation due to a Certification Authority Authorization (CAA) error, and you must update your CAA records and request a certificate again. The value field in your CAA record must contain one of the following domain names: * amazon.com * amazontrust.com * awstrust.com * amazonaws.com Source: [https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-caa.html](https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-caa.html) [PreviousWAF as a Service](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service) [NextHow To: Redirect a Root Domain to a Subdomain Protected by WAF SaaS](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/how-to-redirect-a-root-domain-to-a-subdomain-protected-by-waf-saas) Last updated 11 months ago Was this helpful? --- # Enforce API Schema | CloudGuard WAF CloudGuard WAF's **Schema Validation** engine validates that API input conforms to the schema provided by the admin. The admin provides the schema (using the OpenAPI specification, or OAS in short) and enhances the ability of CloudGuard WAF to detect and prevent illegal requests that do not comply. [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema#what-is-openapi-specifiction-oas) What is OpenAPI Specifiction (OAS) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The [OpenAPI Specification (OAS)](https://spec.openapis.org/oas/latest.html) defines a standard, language-agnostic interface to RESTful APIs which allows both humans and computers to discover and understand the capabilities of the service without access to source code, documentation, or through network traffic inspection. When properly defined, a consumer can understand and interact with the remote service with a minimal amount of implementation logic. An OpenAPI definition can then be used by documentation generation tools to display the API, code generation tools to generate servers and clients in various programming languages, testing tools, and many other use cases. [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema#api-discovery-behavior-change-after-activating-schema-validation) API Discovery behavior change after activating Schema Validation --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- As long as schema validation is not active yet, API discovery can differentiate real APIs from requests by online scanners, by disregarding all APIs that do not receive a 200 OK HTTP response code. Once schema validation is active in prevent mode, it will block all responses that do not conform to the schema. For this reason, the only way to detect new APIs that are missing from the schema is to use data from requests that are blocked by schema validation as well. Once schema validation is active in Prevent mode, the need to carefully review new API changes in the following versions of the detected schema becomes much more important. The user must not accept changes of new APIs that are not used by the web server. Use the multi-select option explained below to remove new APIs that are not supported by your server. [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema#how-to-set-up-cloudguard-waf-schema-validation) How to set up CloudGuard WAF Schema Validation --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema#step-1-follow-api-discovery-until-it-is-recommended-to-enforce-the-detected-schema-or-create-an-open) Step 1: Follow API discovery until it is recommended to enforce the detected schema (or create an OpenAPI YAML file of your API manually) The recommended flow, even if you already had a highly maintained openAPI schema file of your APIs, is to allow API discovery learning mechanism to detect the actually used APIs in your server. Follow the instructions for [configuring API discovery](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/api-discovery) and [tracking its learning results](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/track-api-discovery-learning) , to see when it is recommended to enforce the detected schema. If you did have a highly maintained openAPI schema file, it is recommended to compare teh detected schema by CloudGuard WAF's API discovery and your own schema, and review the differences. After merging the 2 schemas, and enforcing the new schema using the configuration described below, continue maintaining the schema through CloudGuard WAF which will track changes based on the uploaded schema file. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema#step-2-browse-to-policy-greater-than-assets-and-edit-the-web-application-api-asset) Step 2: Browse to Policy->Assets and edit the Web Application / API asset Once the asset edit window opens, select the **API Protection** tab, choose the Mode you would like this practice will work on, and scroll to the **Schema Validation** sub-practice. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FlM3Vvidv92OD8RMXXmU7%252FAPIProtection.png%3Falt%3Dmedia%26token%3D3aae0c14-73e2-4829-9393-e95a4f6584e8&width=768&dpr=4&quality=100&sign=1d9c0c48&sv=2) #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema#step-3-use-the-discovered-schema-or-less-recommended-upload-a-manually-created-schema-file) Step 3: Use the discovered schema (or, less recommended, upload a manually created schema file) The recommended option is to select **Use Discovered Schema** and click **Select**. The schema selection window will appear: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FRSCl6VcCBoj1gIXvqQwv%252Fappsec-schema-validation-select-discovered-schema.png%3Falt%3Dmedia%26token%3D018b3491-9dd6-42d8-85ab-a4e058da8136&width=768&dpr=4&quality=100&sign=d0a84b20&sv=2) The top will show the Currently enforced scheme name (or "No revision" upon the first time activating the schema validation feature). Select: * Which detected revision of the schema to select. Use the ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FHim9B1dcbCC0Dsq8aEra%252Fimage.png%3Falt%3Dmedia%26token%3D59ee5a34-ab7b-4c61-b9b8-738a6b34de40&width=300&dpr=4&quality=100&sign=69c0d0ee&sv=2)icon to change the table view to a multi-selection table. This will allow you to pick and choose which APIs will be enforced. You will be asked to provide a new name if you choose this option. * Whether the "Changes" column will show APIs that have changed in any of their parameters and configuration, or just compare the endpoints (HTTP Method and URI) without query parameters, request body structure, etc. The less recommended option is to select **Use Custom Schema** and Click on the **Upload** button the file selection window will appear: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FiT790quBxUwIpVv8Xc6c%252Fappsec-assets-file-selector.png%3Falt%3Dmedia%26token%3D4eeede9b-19af-46ca-83fb-ad9adeeecea4&width=768&dpr=4&quality=100&sign=9a644629&sv=2) * Click the "Add File" icon to add a new file. * Optionally - you can click the "Download" icon to verify an existing file's content. * Select the file you wish to be used for schema validation. * Click OK. When making the first change to the default Web API Best Practice's configuration such as uploading your unique OpenAPI schema file for Schema Validation purposes, you will be prompted to change the name of the Practice to your own custom practice name. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fhu2Vump3xc5w8hiIAUcC%252Fappsec-assets-practice-custom-practice-message.PNG%3Falt%3Dmedia%26token%3Df53efb3f-faa9-4d08-8aa9-5802a2066c5f&width=768&dpr=4&quality=100&sign=63d14cf7&sv=2) #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema#step-4-select-if-to-enforce-the-schema-according-to-the-entire-file-or-just-api-endpoints) Step 4: Select if to enforce the schema according to the entire file or just API endpoints ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FAAKBkBkukAxLEA5MaPkM%252Fappsec-schema-validation-select-enforcement.png%3Falt%3Dmedia%26token%3D89964b4b-709f-4b19-a14c-8cfcf7c644b4&width=768&dpr=4&quality=100&sign=a345965a&sv=2) It possible to enforce the schema at 2 levels: * **Full schema** - The entire schema file is enforced * **API endpoints only** - everything in the schema file, except the HTTP methods and URIs is disregarded. Requests are being compared to the schema for enforcement solely based on their HTTP method and URI. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema#step-5-make-sure-the-mode-of-the-schema-validation-sub-practice-is-as-desired) Step 5: Make sure the Mode of the Schema Validation sub-practice is as desired Setting the Mode to **As Top Level** means inheriting the primary mode of the practice. Otherwise you can override it only for this specific sub-practice to **Detect**/**Prevent**/**Disable**. It is recommended to initially set the mode to "Detect" to verify the input schema file is correct by looking at the logs created by this capability. Afterwards, restore the mode to the desired state. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema#step-6-enforce-policy) Step 6: Enforce Policy Click **Enforce** on the top banner of the Infinity Portal. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema#activating-schema-validation-if-you-already-have-a-trusted-schema-file) Activating schema validation if you already have a trusted schema file Important reminder - The API discovery engine was designed to learn what API is actually being used. **Even if you have a well-maintained schema file for your API, it is still recommended to wait before activating the Schema Validation Security engine, until the API discovery practice has learned the actual API usage in your system and suggested a schema**. At that point we recommend comparing the suggested schema with the schema file you had, and deciding on the exact schema to enforce accordingly. Once there is a well-maintained schema file, such as the schema the API discovery engine provides once it learned traffic to a high enough level, adding a schema file and activating the Schema Validation enforcement engine can further increase the security level by adding an [openAPI](https://swagger.io/docs/specification/about/) schema file for your API. CloudGuard WAF will enforce the different unique applicative validations described in the schema file and alert upon attempts to use APIs in a way that does not match your schema. If you decide to skip API discovery (not recommended) and move directly to schema validation with your own well-maintained schema file, skip directly to the following documentation and use the option of uploading your own schema file: [PreviousTrack API Discovery Learning](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/track-api-discovery-learning) [NextFile Security](https://waf-doc.inext.checkpoint.com/additional-security-engines/file-security) Last updated 8 months ago Was this helpful? --- # CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974: Ingress NGINX Controller RCE (Critical) | CloudGuard WAF ### [](https://waf-doc.inext.checkpoint.com/references/cve-2025-1097-cve-2025-1098-cve-2025-24514-cve-2025-1974-ingress-nginx-controller-rce-critical#background) Background On March 24, 2025, WIZ Research disclosed critical vulnerabilities in the Kubernetes Ingress NGINX Controller that allow unsensitized user input to be injected into the temporary NGINX configuration file during validation. This unsensitized input, when processed by the nginx -t command, can lead to remote code execution (RCE) on the pod running the controller. Additional information can be found in [this blog](https://www.openappsec.io/post/remediation-for-ingress-nginx-controller-vulnerability) . **Important Note:** In order to exploit this vulnerability, the attacker must have network access to the ingress controller’s pod to send arbitrary AdmissionReview requests. While such access is not available by default in many environments, it can be achieved if the attacker gains a foothold within the cluster - such as through compromising another pod - or by leveraging SSRF vulnerabilities. This requirement raises the barrier for exploitation, although it does not eliminate the risk. ### [](https://waf-doc.inext.checkpoint.com/references/cve-2025-1097-cve-2025-1098-cve-2025-24514-cve-2025-1974-ingress-nginx-controller-rce-critical#updates-to-cloudguard-waf-nano-agent-for-kubernetes-k8s) Updates to CloudGuard WAF Nano Agent for Kubernetes (K8s) Our security team verified that our Helm chart deployment of open-appsec / Check Point CloudGuard WAF - which uses the Ingress NGINX Controller - was affected by these vulnerabilities. To address this issue, within 24 hours, we provided the fix by updating the controller to version **1.21.1**, which includes all the necessary patches and improvements to ensure proper sanitization of user inputs during configuration generation. To keep your systems safe, we recommend updating your NGINX helm. **You can find all detailed deployment steps with updated Helm chart versions here:** [Kubernetes](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes) We highly recommend updating your deployment as soon as possible to ensure everything stays secure. [PreviousCVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Email Address Buffer Overflows (HIGH)](https://waf-doc.inext.checkpoint.com/references/cve-2022-3786-and-cve-2022-3602-openssl-x.509-email-address-buffer-overflows-high) [NextGitHub](https://waf-doc.inext.checkpoint.com/resources/github) Last updated 7 months ago Was this helpful? --- # Linux | CloudGuard WAF **List of troubleshooting guides under this section:** [SELinux: Checking Status and Disabling](https://waf-doc.inext.checkpoint.com/troubleshooting/linux/selinux-checking-status-and-disabling) [PreviousHow To: Compare Between the Gateway's Certificate and the Upstream Certificate](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/how-to-compare-between-the-gateways-certificate-and-the-upstream-certificate) [NextSELinux: Checking Status and Disabling](https://waf-doc.inext.checkpoint.com/troubleshooting/linux/selinux-checking-status-and-disabling) Last updated 1 year ago Was this helpful? --- # Event Advisor | CloudGuard WAF ### [](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/event-advisor#overview) Overview The **Event Adviser** helps you get detailed insight into CloudGuard WAF Security Events and is divided into three easy-to-read sections: * What Happened? * Why Was It Blocked? * What Should You Do? **Tech Preview Feature** This feature is currently is only visible with **Tech Preview** enabled. Functionality behavior could change in future releases. ### [](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/event-advisor#how-to-enable) How to Enable * Navigate to "Monitor" Section and Enable Tech Preview on the Left Bottom side of the Menu Pane ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FRVxdBcw4kZ4tOj9THI8m%252Fimage.png%3Falt%3Dmedia%26token%3D76501e26-f412-435e-b813-b66fd79f23ba&width=768&dpr=4&quality=100&sign=7ff89040&sv=2) * Navigate to your CloudGuard WAF Security Logs. * Right-click on any individual log entry. * Select “Event Adviser” from the context menu. * A panel opens on the right-hand side of the screen, showing the event analysis. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F4AWPK7h9Uhldfba5olZ0%252Fimage.png%3Falt%3Dmedia%26token%3D5304bdd1-5064-4ac3-8cf2-f500773306a6&width=768&dpr=4&quality=100&sign=56ce8dd0&sv=2) ### [](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/event-advisor#the-adviser-output) The Adviser Output ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FsqC2VYKLunydJ72VGIWd%252Fimage.png%3Falt%3Dmedia%26token%3Dbf642b15-2d6a-4c74-ad21-4a4cf1e71199&width=768&dpr=4&quality=100&sign=e0f80b90&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/event-advisor#what-happened) What Happened? This section gives a short, clear summary of the event. * It shows the request method (GET, POST, etc.), the source IP, the destination host/path, and whether the request was blocked or detected. * Example: “_A POST request from 192.168.0.1 to the root path of "example.com" was blocked due to missing authentication token_.” #### [](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/event-advisor#why-was-it-blocked) Why Was It Blocked? This section explains why CloudGuard WAF took action. * It describes what was missing, suspicious, or malicious in the request. * Example: “_The request contained patterns matching Java JNDI injection attempts in the URL path. The presence of 'jndi:' in the URI is a strong indicator of an attempt to exploit Log4j vulnerabilities (Log4Shell) or similar Java deserialization attacks. The request also matched XPath injection patterns. These attacks could allow remote code execution or unauthorized data access on the target system_._”_ #### [](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/event-advisor#what-should-you-do) What Should You Do? This section provides recommended next steps. The guidance here always starts with the verdict sentence, then adds 2–3 hardening steps relevant to the detected attack type(s): * **If malicious (blocked/detected):** No action is required. * **If likely a false positive (blocked/detected but looks legitimate)**: create a narrow Custom Rule/Exception for the specific URL and parameter or click ‘Report misclassification’ #### [](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/event-advisor#reporting-misclassification) Reporting Misclassification If you believe the log classification is incorrect (for example, a false positive), you can click Report misclassification. [PreviousEmail Reports](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/email-reports) [NextWAF-as-a Service (WAF SaaS)](https://waf-doc.inext.checkpoint.com/concepts/waf-as-a-service-waf-saas) Last updated 2 months ago Was this helpful? --- # CVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Email Address Buffer Overflows (HIGH) | CloudGuard WAF ### [](https://waf-doc.inext.checkpoint.com/references/cve-2022-3786-and-cve-2022-3602-openssl-x.509-email-address-buffer-overflows-high#background) Background In an official [statement](https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html) , the OpenSSL project team announced the forthcoming release of their next version which was released on Tuesday November 1st 2022. This release includes a fix for a security vulnerability, originally marked as critical but lowered to HIGH. Additional information can be found in [this blog](https://blog.checkpoint.com/2022/10/30/openssl-gives-heads-up-to-critical-vulnerability-disclosure-check-point-alerts-organizations-to-prepare-now/) . ### [](https://waf-doc.inext.checkpoint.com/references/cve-2022-3786-and-cve-2022-3602-openssl-x.509-email-address-buffer-overflows-high#protecting-your-application) Protecting your application #### [](https://waf-doc.inext.checkpoint.com/references/cve-2022-3786-and-cve-2022-3602-openssl-x.509-email-address-buffer-overflows-high#cloudguard-wafs-appsec-gateway-and-cloudguard-waf-deployments-for-docker-and-kubernetes) CloudGuard WAF's AppSec Gateway and CloudGuard WAF deployments for docker and Kubernetes If all traffic to your application is routed through CloudGuard WAF, your application is secure even when your protected web server uses a vulnerable OpenSSL library, without any updates. You do need to follow the instructions below to ensure that communication between CloudGuard WAF and Check Point cloud is using a patched OpenSSL version. #### [](https://waf-doc.inext.checkpoint.com/references/cve-2022-3786-and-cve-2022-3602-openssl-x.509-email-address-buffer-overflows-high#cloudguard-waf-for-linux-embedded-agent) CloudGuard WAF for Linux (Embedded Agent) Make sure that OpenSSL version used by a Server to which you added an Embedded Agent is using a non-vulnerable version of OpenSSL. ### [](https://waf-doc.inext.checkpoint.com/references/cve-2022-3786-and-cve-2022-3602-openssl-x.509-email-address-buffer-overflows-high#updates-to-cloudguard-waf) Updates to CloudGuard WAF Please see as follows regarding required actions items when using CloudGuard WAF. #### [](https://waf-doc.inext.checkpoint.com/references/cve-2022-3786-and-cve-2022-3602-openssl-x.509-email-address-buffer-overflows-high#cloudguard-wafs-gateways-vmware-aws-azure-and-cloudguard-waf-for-linux-embedded-agent) **CloudGuard WAF's Gateways (VMWare, AWS, Azure) and CloudGuard WAF for Linux (Embedded Agent)** We released a new agent version with the patched OpenSSL version. The new agent version is **432762** (**v1.2244.432762-hotfix-01-11-22).** **Important to note** \- The vulnerable openSSL version is used by the CloudGuard WAF agent as an SSL client, whereas the vulnerability mainly impacts server-side SSL. * **If your agent upgrade Mode is set to Automatic, you will get the fix automatically.** To validate that your agents are upgraded, browse to Cloud->Agents and verify the “Latest Version” Column is checked - see example below. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FEEgZAekHrcClYV2fPKfB%252FPicture1.png%3Falt%3Dmedia%26token%3Df510644d-b46e-4192-9749-ec0113d98cee&width=768&dpr=4&quality=100&sign=55501a1a&sv=2) * **If your agent upgrade Mode is set to Manual**, **you need to browse to Cloud->Profiles, edit your profile objects and click on “Upgrade Now”** (there is no expected downtime when doing this upgrade). It will appear like this: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FDmmuXstKPkKrvhwB6j2Z%252Fappsec-profiles-agent-upgrade-manual.jpg%3Falt%3Dmedia%26token%3D2176dfa3-ef38-473d-8f68-ab4a9abbbec1&width=300&dpr=4&quality=100&sign=578865de&sv=2) CloudGuard WAF's AppSec Gateway's pre-packaged NGINX is using an OpenSSL version **which is not vulnerable**. #### [](https://waf-doc.inext.checkpoint.com/references/cve-2022-3786-and-cve-2022-3602-openssl-x.509-email-address-buffer-overflows-high#cloudguard-waf-docker) **CloudGuard WAF Docker** CloudGuard WAF Docker and pre-packaged NGINX with Attachment are using an OpenSSL version **which is not vulnerable**. #### [](https://waf-doc.inext.checkpoint.com/references/cve-2022-3786-and-cve-2022-3602-openssl-x.509-email-address-buffer-overflows-high#cloudguard-waf-for-kubernetes-ingress) **CloudGuard WAF for Kubernetes Ingress** CloudGuard WAF deployment package does not bring OpenSSL, but rather installs one during setup. Unless manual changes were done, the default OpenSSL library installed during deployment will be 1.1.1, **which is not vulnerable**. ### [](https://waf-doc.inext.checkpoint.com/references/cve-2022-3786-and-cve-2022-3602-openssl-x.509-email-address-buffer-overflows-high#cloudguard-waf) **CloudGuard WAF** Check Point is working with our public cloud providers to make sure that all cloud components are properly patched as well as our own software running in the cloud. [PreviousEvents/Logs Schema](https://waf-doc.inext.checkpoint.com/references/events-logs-schema) [NextCVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974: Ingress NGINX Controller RCE (Critical)](https://waf-doc.inext.checkpoint.com/references/cve-2025-1097-cve-2025-1098-cve-2025-24514-cve-2025-1974-ingress-nginx-controller-rce-critical) Last updated 11 months ago Was this helpful? --- # Authorize Temporary Access for Check Point Support | CloudGuard WAF When working with Check Point Support, it is sometimes efficient, pending on customer approval, to provide temporary access to your account for Check Point Support. This can allow Support Personnel to quickly detect misconfigurations or understand the exact context of the reported issue. [](https://waf-doc.inext.checkpoint.com/how-to/authorize-temporary-access-for-check-point-support#how-to-authorize-temporary-access-for-check-point-support) How to authorize temporary access for Check Point Support --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- #### [](https://waf-doc.inext.checkpoint.com/how-to/authorize-temporary-access-for-check-point-support#step-1-browse-to-support-greater-than-contact-us) Step 1: Browse to Support->Contact Us ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FJCThePyTkyew3ekhleCA%252Fgeneral-support-contact-us.PNG%3Falt%3Dmedia%26token%3Dce28121f-0e99-40f4-a8b3-489cf104b5d4&width=768&dpr=4&quality=100&sign=279d5604&sv=2) #### [](https://waf-doc.inext.checkpoint.com/how-to/authorize-temporary-access-for-check-point-support#step-2-select-the-relevant-authorization-s-under-support-authorizations) Step 2: Select the relevant authorization/s under "Support Authorizations" ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F61qiqTbzU56BVDrxCW7y%252Fgeneral-support-authorizations.PNG%3Falt%3Dmedia%26token%3D8e1b1636-6d3e-4205-bb8e-1641b4557525&width=768&dpr=4&quality=100&sign=5f03bcf2&sv=2) Check Point Support might ask for either temporary read-only access to your policy and configuration, or access to information driven from agents and gateways, or both. Make sure to approve the expiration date as well for the time period requested by Check Point Support and approved by you #### [](https://waf-doc.inext.checkpoint.com/how-to/authorize-temporary-access-for-check-point-support#step-3-click-apply) Step 3: Click Apply [PreviousUse Terraform to Manage CloudGuard WAF](https://waf-doc.inext.checkpoint.com/how-to/use-terraform-to-manage-cloudguard-waf) [NextRestrict Access to Backend Servers from CloudGuard WAF as a Service IPs Only](https://waf-doc.inext.checkpoint.com/how-to/restrict-access-to-backend-servers-from-cloudguard-waf-as-a-service-ips-only) Last updated 11 months ago Was this helpful? --- # SELinux: Checking Status and Disabling | CloudGuard WAF **Checking if SELinux is enabled:** 1. **Using Command Line:** * Open a terminal or SSH session. * Run the following command: Copy sestatus * If SELinux is enabled, you will see output similar to: Copy SELinux status: enabled * If SELinux is disabled, you will see output similar to: Copy SELinux status: disabled 2. **Checking Configuration File:** * SELinux configuration file is usually located at `/etc/selinux/config`. * Open the configuration file using a text editor like `nano` or `vi`. * Look for the line: Copy codeSELINUX=enforcing If it's set to `enforcing`, SELinux is enabled. If set to `disabled`, it's disabled. **Disabling SELinux:** 1. **Temporary Disable:** * To temporarily disable SELinux until the next system reboot, run: Copy sudo setenforce 0 2. **Permanently Disable:** * Open the SELinux configuration file `/etc/selinux/config`. * Change the `SELINUX` parameter to `disabled`: Copy SELINUX=disabled * Save the changes and exit the text editor. * Reboot the system for the changes to take effect. **Important Notes:** * Always ensure appropriate backups before making significant changes to system configurations. [PreviousLinux](https://waf-doc.inext.checkpoint.com/troubleshooting/linux) [NextWAF as a Service](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service) Last updated 1 year ago Was this helpful? --- # Event Query Language | CloudGuard WAF [](https://waf-doc.inext.checkpoint.com/references/event-query-language#query-language-overview) **Query Language Overview** --------------------------------------------------------------------------------------------------------------------------------- A powerful query language lets you show only selected records from the log files, according to your criteria. To create complex queries, use Boolean operators, wildcards, fields, and ranges. This section refers in detail to the query language. The basic query syntax is `[:] .` To put together many criteria in one query, use Boolean operators: `[:] {AND|OR|NOT} [:] ` ... Most query keywords and filter criteria are not case sensitive, but there are some exceptions. For example, "_sourceip:_" is case sensitive ("`SourceIP:`" does not match). If your query results do not show the expected results, change the case of your query criteria, or try upper and lower case. When you use queries with more than one criteria value, an `AND` is implied automatically, so there is no need to add it. Enter `OR` or other boolean operators if needed. [](https://waf-doc.inext.checkpoint.com/references/event-query-language#query-language-usage) Query Language Usage ----------------------------------------------------------------------------------------------------------------------- **Criteria Values** Criteria values are written as one or more text strings. You can enter one text string, such as a word, IP address, or URL, without delimiters. Phrases or text strings that contain more than one word must be surrounded by quotation marks. One word string examples: * `Accept` * `Medium` * `192.168.2.1` * `www.urlexample.com` * `4a6ad969-398c-4075-bba6-e30f931d0a4f` Phrase examples * `"My Asset"` * `"Schema Validation"` * `"SQL Injection"` **IP Addresses** IPv4 and IPv6 addresses used in log queries are counted as one word. Enter IPv4 address with dotted decimal notation and IPv6 addresses with colons. Examples: * `192.0.2.1` * `2001:db8::f00:d` You can also use the '\*' wildcard character with IP addresses, as well as the standard network suffix, to look for all logs that match IP addresses within a range. Examples: * `192.168.0.0/16` - shows all records for the source IP 192.168.0.0 to 192.168.255.255 inclusive. * `192.168.1.0/24` - shows all records for the source IP 192.168.1.0 to 192.168.1.255 inclusive. * `192.168.2.*` - shows all records for the source IP 192.168.2.0 to 192.168.2.255 inclusive. * `192.168.*` - shows all records for 192.168.0.0 to 192.168.255.255 inclusive. **NOT Values** You can use NOT values with Field Keywords in log queries to find logs for which the value of the field is not the value in the query. Syntax: `NOT : ` Example `NOT src:10.0.4.10` **Wildcards** You can use the standard wildcard characters (\* and ?) in queries to match variable characters or strings in log records. You can use more than the wildcard character. Wildcard syntax: * The ? (question mark) matches one character. * The \* (asterisk) matches a character string. Examples: * MyAsset? - shows MyAsset1 and MyAsset2, but not MyAsset12. * MyAsset\* - shows MyAsset1, MyAsset12, and MyAsset209-d. If your criteria value contains more than one word, you can use the wildcard in each word. For example, “Asset\* AZ\*” - shows “Asset1 AZ45”, “Asset23 AZ90”, and so on. Using a single ‘\*’ creates a search for a non-empty value string. For example `_assetname:*_` **Infinity Next Events Field Keywords** You can use predefined field names as keywords in filter criteria. The query result only shows log records that match the criteria in the specified field. If you do not use field names, the query result shows records that match the criteria in all fields. For a list of all field names that can be used as filter keywords, visit the [Events/Logs Schema](https://waf-doc.inext.checkpoint.com/references/events-logs-schema) documentation Syntax for a field name query: `:` * `` - One of the predefined field names * `` - One or more filters Examples: * `sourceip:192.168.2.1` * `securityaction:(Prevent OR Drop)` You can use the OR Boolean operator in parentheses to include multiple criteria values. **Important** \- When you search in fields for multiple values, you must: * Write the Boolean operator, for example OR. * Use parentheses. **Boolean Operators** You can use the Boolean operators **AND** , **OR** , and **NOT** to create filters with many different criteria. You can put multiple Boolean expressions in parentheses. If you enter more than one criteria without a Boolean operator, the **AND** operator is implied. When you use multiple criteria without parentheses, the **OR** operator is applied before the **AND** operator. Examples: * `practicetype:"Threat Prevention" AND securityaction:Prevent` Shows log records caused by “Threat Prevention” type security practices where traffic was blocked. * `192.168.2.133 10.19.136.101` Shows log entries that match the two IP addresses. The AND operator is presumed. * `192.168.2.133 OR 10.19.136.101` Shows log entries that match one of the IP addresses. * `(assetname: "MyAsset1" OR assetname: "MyAsset2" AND NOT securityaction:PreventAccept` Shows all log entries for assets “MyAsset1” and “MyAsset2” that are without the “Accept” security action. The criteria in the parentheses is applied before the AND NOT criterion. * `sourceip:(192.168.2.1 OR 192.168.2.2) AND destinationip:17.168.8.2` Shows log entries from the two source IP addresses if the destination IP address is 17.168.8.2. This example also shows how you can use Boolean operators with field criteria. [PreviousManagement API](https://waf-doc.inext.checkpoint.com/references/management-api) [NextWriting Snort Signatures](https://waf-doc.inext.checkpoint.com/references/writing-snort-signatures) Last updated 9 months ago Was this helpful? --- # Agent CLI | CloudGuard WAF You can view and control the agent locally via SSH. [](https://waf-doc.inext.checkpoint.com/references/agent-cli#reference-guide) Reference Guide -------------------------------------------------------------------------------------------------- ### [](https://waf-doc.inext.checkpoint.com/references/agent-cli#cpnano-command) cpnano command The following options are available for usage of the cpnano command: Options Action Comments \-s, --status \[--extended\] Print agent status and versions \-u, --uninstall Uninstall agent Less relevant to a CloudGuard WAF Deployment \-q, --stop-agent Stop the agent functions \-r, --start-agent Start the agent functions \-sp, --set-proxy Set proxy Relevant when the agent is located behind a proxy and a manual override of the proxy settings is required for troubleshooting purposes. Proxy settings are usually automatically set from the OS configuration The cpnano command also includes additional options for the rare case of Support requiring advanced information via command line access. It is not recommended to use options that are not explained in this reference guide. [PreviousWAF SaaS Certificate Expiration](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/waf-saas-certificate-expiration) [NextManagement API](https://waf-doc.inext.checkpoint.com/references/management-api) Last updated 1 year ago Was this helpful? --- # Configure Contextual Machine Learning for Best Accuracy | CloudGuard WAF The [Contextual Machine Learning](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning) reaches a verdict more accurately when it can differentiate between users or sources of HTTP requests. CloudGuard WAF allows to configure how to identify the source of a web request, per web application or API. Once CloudGuard WAF knows how to identify the source, you can also configure **trusted sources**. Understanding the behavior of multiple trusted sources helps the contextual machine learning engine to learn faster what is considered a benign or malicious request for a specific web application or API. Configuration of the below items can accelerate the learning process and allow reaching more accurate decision by the Machine Learning Engine. Configuring trusted sources is **not** a method of exclusion. It is a method to enhance the learning capabilities of the contextual machine learning. [Exclusions are configured separately](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions) . [](https://waf-doc.inext.checkpoint.com/how-to/configure-contextual-machine-learning-for-best-accuracy#source-identity-and-trusted-sources) Source Identity and Trusted Sources ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ The instructions below can refer to configuring trusted sources during step 4 of the wizard during creation of a [Web Application asset](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-application-api) or a [Web API asset](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api) . They can also be found when browsing to **Policy->Assets** and editing an asset under **Source Identity** and **Trusted Sources**. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F5SCyYWYFaabRXW2MmrrS%252FAssetPage.png%3Falt%3Dmedia%26token%3D6db97154-b45f-4b20-a307-1765ae0b2108&width=768&dpr=4&quality=100&sign=eb2909fc&sv=2) #### [](https://waf-doc.inext.checkpoint.com/how-to/configure-contextual-machine-learning-for-best-accuracy#step-1-identify-the-source-of-the-web-request) Step 1: Identify the source of the web request The source of an HTTP web request can be identified in a number of ways. Use the below table to select the appropriate identifier for the sources of your web application. Definition Parameter View Source IP This is the HTTP request source IP or CIDR. No additional parameters are necessary. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FE2nl43yFiqZmrbGllSqP%252Fappsec-assets-source-identity-source-ip.PNG%3Falt%3Dmedia%26token%3Dc1f72405-0d25-4a0d-a0da-ff382d9c0da7&width=300&dpr=4&quality=100&sign=f66059fb&sv=2) X-Forwarded-For Header in HTTP requests IP address or CIDR of the trusted source is received in the X-Forwarded-For header. If you select this option, you must add the IP addresses of previous reverse proxy/ALB hops to distinguish the unique IP address of the source from them. For example:![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FsTWkxtWLg3KbF41kSoMp%252Fimage.png%3Falt%3Dmedia%26token%3Da445bc1c-3dc9-4abe-9e26-16b98391c1a4&width=300&dpr=4&quality=100&sign=a4b7d79b&sv=2) **Note** - Adding the address of previous hops is required when there is more than 1 reverse proxy and/or ALB before Reverse Proxy with CloudGuard WAF installation. If there is only one, it is not required. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FrB8h7OfrD1fse2G072mi%252Fappsec-assets-source-identity-x-forwarded-for.PNG%3Falt%3Dmedia%26token%3D41046c89-c8e4-4139-a471-5cd46d3265eb&width=300&dpr=4&quality=100&sign=71477fce&sv=2) Header Key If you select this option, it is necessary to add the header field name. This value is used for identification. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FlKjyrEPqUqWpQL1kq3IQ%252Fappsec-assets-source-identity-field-value.PNG%3Falt%3Dmedia%26token%3D3eec2424-c8cd-405b-bb5c-332bd0e8ac87&width=300&dpr=4&quality=100&sign=ac4bd0e5&sv=2) JWT Key If you select this option, it is necessary to add the key within the JWT. This value is used for identification. **This option is recommended.** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FlKjyrEPqUqWpQL1kq3IQ%252Fappsec-assets-source-identity-field-value.PNG%3Falt%3Dmedia%26token%3D3eec2424-c8cd-405b-bb5c-332bd0e8ac87&width=300&dpr=4&quality=100&sign=ac4bd0e5&sv=2) Cookie When you select this option, it is necessary to add the key within the cookie. This value is used for identification. A recommended key is `oauth2_proxy` ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FlKjyrEPqUqWpQL1kq3IQ%252Fappsec-assets-source-identity-field-value.PNG%3Falt%3Dmedia%26token%3D3eec2424-c8cd-405b-bb5c-332bd0e8ac87&width=300&dpr=4&quality=100&sign=ac4bd0e5&sv=2) 1. Go to **Cloud->Assets** and select the Asset you want to configure. 2. Select a method to distinguish the sources according to the above table. 3. (Optional) Add the name of field that uniquely identifies the user. #### [](https://waf-doc.inext.checkpoint.com/how-to/configure-contextual-machine-learning-for-best-accuracy#step-2-configure-trusted-sources) Step 2: Configure Trusted Sources 1. Add specific IP addresses (incase of Source IP or X-Forward-For) or specific user identifiers (incase of Header/JWT/Cookie) of trusted sources to the list 2. **Minimum Users To Trust** \- You may change the default from 3 to a lower (not recommended) number or higher. If we take the example of "3", the learning mechanism will not learn about "benign" behavior from the trusted sources until at least 3 of them created similar traffic patterns. This is to avoid one source becoming a "malicious source of truth". The number of trusted sources in the table has to be at least that minimum number, to allow the machine learning engine to have a good indication of "benign behavior". 3. Click **Publish** to publish the changes to the management. 4. Click **Enforce** to deploy the changes to the enforcement points. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FvO7XqRs5zQflDWDvcZHR%252Fappsec-assets-trusted-sources.png%3Falt%3Dmedia%26token%3D569f4ed8-9a1f-4e8e-9bed-500597770708&width=768&dpr=4&quality=100&sign=4e74066&sv=2) [](https://waf-doc.inext.checkpoint.com/how-to/configure-contextual-machine-learning-for-best-accuracy#whats-next) What's Next? ------------------------------------------------------------------------------------------------------------------------------------ Depending on amount and variance of traffic, after some time, the machine learning engine will reach a stage where it has observed a sufficient amount of web requests to understand how the application is used. The faster this stage is reached, the faster detection is accurate and it is recommended to move to prevent mode. Read more about how you can optimize and tune the Machine Learning process in the [Track Learning and Move from Detect to Prevent](https://waf-doc.inext.checkpoint.com/how-to/track-learning-and-move-from-learn-detect-to-prevent) section of this documentation. [PreviousAdd Data Loss Prevention (DLP) rules](https://waf-doc.inext.checkpoint.com/how-to/add-data-loss-prevention-dlp-rules) [NextTrack Agent Status](https://waf-doc.inext.checkpoint.com/how-to/track-agent-status) Last updated 8 months ago Was this helpful? --- # "Unable to find a tag containing the vault's name in the VMSS" Error | CloudGuard WAF When using CloudGuard WAF Gateway in Azure, deploying a VMSS required the certificates to be hosted in a Key Vault. This guide explains the steps needs to be taken when a critical error on monitoring stating: "Unable to find a tag containing the vault's name in the VMSS". **WHAT TO DO?** 1. Navigate to [portal.azure.com](http://portal.azure.com/) 2. Click on **Subscriptions** → Choose the relevant Subscription in which the CloudGuard WAF VMSS deployment is using. 3. Choose the relevant CloudGuard WAF VMSS (Virtual Machine Scale Set) and **click** on it. 4. Click on **Tags** on the right-side menu ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FiHBGZknBxLbrwfHhi7rp%252Fimage.png%3Falt%3Dmedia%26token%3Dc389e6bf-2edb-4758-a95d-d0e4a1b1de3b&width=300&dpr=4&quality=100&sign=43c0657&sv=2) 5. Create a new tag → Name: vault, Value: key vault name (can be found on Azure Key Vault) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FaVAg5ccV289Oat34dCNV%252Fimage.png%3Falt%3Dmedia%26token%3D909f3ed5-76ec-46fd-b257-69049471aaab&width=768&dpr=4&quality=100&sign=eb8d3b25&sv=2) 6. Click **Apply** 7. Go back to Infinity Portal → **Enforce Policy and Publish**. [PreviousAzure](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/azure) [NextHow To: Configure Key Vault for a Single Gateway](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/azure/how-to-configure-key-vault-for-a-single-gateway) Last updated 1 year ago Was this helpful? --- # WAF SaaS Certificate Expiration | CloudGuard WAF [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/waf-saas-certificate-expiration#certificate-expiration-notifications) Certificate Expiration Notifications ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- CloudGuard WAF now provides daily notifications and email alerts for certificates that are about to expire or have already expired. These notifications help ensure your application traffic is not disrupted due to expired SSL/TLS certificates. #### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/waf-saas-certificate-expiration#in-portal-notifications) In-Portal Notifications You’ll see certificate expiration alerts directly in the WAF portal: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F5Q8y6uqvS6UZICKT70Ea%252Fcertificate_page_1.png%3Falt%3Dmedia%26token%3Daa888f26-2c11-4e0c-ab02-da8f219d6e80&width=768&dpr=4&quality=100&sign=a350c758&sv=2) * **Yellow Warning Notification** – Appears when one or more certificates will expire within the next **14 days**. * Displays up to **two affected domains** and indicates how many additional domains are impacted (e.g., “+3 more”). * The notification shows the **minimum number of days left** until expiration among all affected certificates. * **Red Critical Notification** – Appears when one or more certificates have **already expired**. * Displays up to **two expired domains** and indicates how many more are affected. #### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/waf-saas-certificate-expiration#email-alerts) Email Alerts In addition to UI notifications, CloudGuard WAF sends **daily email alerts** listing all affected domains: * Each email includes the domain names and their exact expiration dates. * Emails are sent once per day until the certificates are renewed. When Notifications Are Triggered Notifications and emails are sent in the following cases: 1. **Customer-Uploaded Certificates** — The certificate was manually uploaded and must be renewed before it expires. 2. **Managed Certificates with Missing DNS Validation** — The DNS validation record (challenge) is missing or invalid, preventing automatic renewal. Once the missing DNS record is restored or the certificate is renewed manually, the notifications will automatically clear. [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/waf-saas-certificate-expiration#how-to-update-expired-certificates) How To: Update Expired Certificates ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The UI will alert you about certificates nearing expiration and recommend replacing them beforehand: * Indicator on the domain card (currently shown only for manually uploaded certificates) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F2PT7cLi1aa2aqnQ2M7L3%252Fcertificate_page_3.png%3Falt%3Dmedia%26token%3De096d07e-c653-4ccc-b4f3-3d0d9c107a02&width=768&dpr=4&quality=100&sign=f30fc52a&sv=2) * UI banner as described above in In-Portal Notifications section **How to identify which certificate method is being used** In the relevant profile, select the domain and click on it to open the side panel. In the **Certificates & Domain Management** section, the selected **radio button** indicates the certificate method: * **Upload Certificate** – A manually uploaded certificate that must be renewed by the user. * **Managed Certificate** – A certificate automatically issued and renewed by the system (requires valid DNS validation records). ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FYMnQsmpHnvhO6LVdTVNC%252Fcertificate_page_2.png%3Falt%3Dmedia%26token%3D631e9b7c-1276-4648-bd68-7ed5c3d3adee&width=768&dpr=4&quality=100&sign=7d2004ca&sv=2) ### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/waf-saas-certificate-expiration#choose-the-certificate-method-you-are-using) Choose the certificate method you are using: Check Point's Managed Certificates Bring Your Own Certificate If you use Check Point's Managed Certificate with CloudGuard WAF as a Service, your certificates will renew automatically. However, they won't renew if the DNS ownership CNAME value has been removed from the DNS records. #### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/waf-saas-certificate-expiration#what-to-do) What To Do? You need to add the DNA ownership CNAME record provided. 1. Log in to the Infinity Portal. 2. Open the WAF application from the application menu. 3. Navigate to the **Profile** page and choose the relevant **SaaS Profile**. 4. Choose the domain you would like to replace the certificate to. 5. Navigate to the **Certificates & Domain Management** section at the top of the menu. 6. Add the CNAME record's name and value in the DNS records management in the DNS provider portal. 7. Click **Enforce**. When using BYOC with CloudGuard WAF as a Service, the WAF admin should manually replace certificates that are about to expire. #### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/waf-saas-certificate-expiration#what-to-do-1) What To Do? To change the certificate being used, follow these steps: 1. Log in to the Infinity Portal. 2. Open the WAF application from the application menu. 3. Navigate to the **Profile** page and choose the relevant **SaaS Profile**. 4. Choose the domain you would like to replace the certificate to. 5. Start by uploading the certificate - click on **Upload Certificate**. 6. Continue by uploading the private key - click on **Upload Private Key**. 7. Click **Save**. 8. Click **Enforce**. [PreviousHow To: Extend Connection Timeout to Upstream](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/how-to-extend-connection-timeout-to-upstream) [NextAgent CLI](https://waf-doc.inext.checkpoint.com/references/agent-cli) Last updated 1 minute ago Was this helpful? --- # WAF as a Service | CloudGuard WAF [Certificate Validation Failed: Adjusting CAA Record](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/certificate-validation-failed-adjusting-caa-record) [How To: Redirect a Root Domain to a Subdomain Protected by WAF SaaS](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/how-to-redirect-a-root-domain-to-a-subdomain-protected-by-waf-saas) [How To: Extend Connection Timeout to Upstream](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/how-to-extend-connection-timeout-to-upstream) [WAF SaaS Certificate Expiration](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/waf-saas-certificate-expiration) [PreviousSELinux: Checking Status and Disabling](https://waf-doc.inext.checkpoint.com/troubleshooting/linux/selinux-checking-status-and-disabling) [NextCertificate Validation Failed: Adjusting CAA Record](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/certificate-validation-failed-adjusting-caa-record) Was this helpful? --- # How To: Configure Key Vault for a Single Gateway | CloudGuard WAF When using CloudGuard WAF Gateway in Azure, deploying a VMSS requires the certificates to be hosted in a Key Vault, while a Single Gateway does not. This guide explains the steps that need to be taken in order to configure using Azure Key Vault with a CloudGuard WAF Single Gateway deployment and / or attaching it to an existing VMSS deployment. **WHAT TO DO?** ### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/azure/how-to-configure-key-vault-for-a-single-gateway#on-the-waf-vmss-virtual-machine) On the WAF VMSS / Virtual Machine: 1. Click on **Identity** on the left menu 2. Click on System Assigned tab → Turn **On** the Status bar. 3. Click **Save** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FFqRKkzBq26TixH1SlOxe%252Fimage.png%3Falt%3Dmedia%26token%3D1b78803d-61c4-409c-9832-3d87e29b805c&width=768&dpr=4&quality=100&sign=44aff9e9&sv=2) ### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/azure/how-to-configure-key-vault-for-a-single-gateway#on-the-key-vault) On the Key Vault: 1. Click on **Access Policy** 2. Click on **Create** 3. Choose permissions: Secret permissions → Get, List; Certificate Permissions: Get, List ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FZC7Y3vHZsjVxXhhWOc81%252Fimage.png%3Falt%3Dmedia%26token%3D2b728cc2-92f8-480e-830b-28f78e59756b&width=300&dpr=4&quality=100&sign=486a1dfa&sv=2) 4. Click Next 5. On Principal tab, search for the VMSS name and choose it 6. Click Next twice 7. Click Create ### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/azure/how-to-configure-key-vault-for-a-single-gateway#on-the-waf-vmss-virtual-machine-1) On the WAF VMSS / Virtual Machine: 1. Click on **Tags** 2. Add a new tag → Name: vault; Value: Key Vault name 3. Click **Apply** [Previous"Unable to find a tag containing the vault's name in the VMSS" Error](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/azure/unable-to-find-a-tag-containing-the-vaults-name-in-the-vmss-error) [NextNGINX Error: Upstream Sent Too Big Header While Reading Response Header from Upstream](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/nginx-error-upstream-sent-too-big-header-while-reading-response-header-from-upstream) Last updated 9 months ago Was this helpful? --- # WAF Gateway / Virtual Machine | CloudGuard WAF **List of troubleshooting guides under this section:** CloudGuard WAF Gateway in Azure Troubleshooting Guides: [Azure](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/azure) General CloudGuard WAF Gateway Troubleshooting Guides: [NGINX Error: Upstream Sent Too Big Header While Reading Response Header from Upstream](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/nginx-error-upstream-sent-too-big-header-while-reading-response-header-from-upstream) [How To: Compare Between the Gateway's Certificate and the Upstream Certificate](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/how-to-compare-between-the-gateways-certificate-and-the-upstream-certificate) [PreviousEnable Mutual TLS (mTLS) Authentication in Gateway / Virtual Machine and Single Docker](https://waf-doc.inext.checkpoint.com/how-to/enable-mutual-tls-mtls-authentication-in-gateway-virtual-machine-and-single-docker) [NextAzure](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/azure) Last updated 1 year ago Was this helpful? --- # Writing Snort Signatures | CloudGuard WAF [](https://waf-doc.inext.checkpoint.com/references/writing-snort-signatures#snort-usage-in-cloudguard-waf) Snort usage in CloudGuard WAF --------------------------------------------------------------------------------------------------------------------------------------------- It is possible to use a signature language called Snort to create or download custom signatures to be enforced by CloudGuard WAF. For exact details how to configure: [Snort Rules](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules) There are many guides and video tutorials online on how to write Snort rules, and you can read the full documentation in [https://www.snort.org/](https://www.snort.org/) . This page will provide a short guide on top of those links. [](https://waf-doc.inext.checkpoint.com/references/writing-snort-signatures#cloudguardappsecsnortpractice-ea-snortrulesoverview) Snort rules overview ---------------------------------------------------------------------------------------------------------------------------------------------------------- Each Snort rule is written in a single line and is made up of two parts: the header and the keywords. The header section has a fixed format made up of seven distinct elements, and answers the questions: What action to take (detect or drop), and on which connections (remember that Snort was originally conceived as a layer 3 IDS) is should apply to. The keywords section is made of parenthesis that holds a variable set of distinct instructions called keywords, and each keyword is terminated by a semi-colon. [](https://waf-doc.inext.checkpoint.com/references/writing-snort-signatures#cloudguardappsecsnortpractice-ea-thesnortheader) The Snort header -------------------------------------------------------------------------------------------------------------------------------------------------- The Snort header is made of seven parts: 1. Action. 2. Protocol. 3. IP address or addresses. 4. Port number or set of numbers. 5. Direction operator. 6. IP address or addresses. 7. Port number or set of numbers. The header is intended to answer the questions: What action to take (detect or drop), and on which connections (remember that Snort was originally conceived as a layer 3 IDS) it should apply to. However, in our setting these definitions will be overridden by what the user definitions in the system. Since that is the case, the simplest thing to do is just copy a standard header for any rule that you write, like this one: Copy alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS [](https://waf-doc.inext.checkpoint.com/references/writing-snort-signatures#cloudguardappsecsnortpractice-ea-thesnortkeywordssection) The Snort keywords section --------------------------------------------------------------------------------------------------------------------------------------------------------------------- The Snort keywords section contains a variable number of keywords - each one of them represent one "thing" that the rule should do. We can divide the keywords into three categories: 1. Metadata keywords - these keywords provides general information on the rule, the log that will be produced, etc.. 2. Context keywords - these keywords express on which part of the traffic (in our case, which part of the HTTP protocol) will the inspection keywords will apply. 3. Inspection keywords - these keywords test the traffic for certain conditions. They are the ones that determine if the rule is matched and an action should be taken. ### [](https://waf-doc.inext.checkpoint.com/references/writing-snort-signatures#cloudguardappsecsnortpractice-ea-metadatakeywords) Metadata keywords Metadata-type keywords can be divide into three categories: * Must-have keywords need to be present in the rule, or the rule won't be enforced. * Recommended keywords can be absent from the rule, but we suggest they will be added for ease of operational use of the feature: managing signatures, tracking them, etc.. * Optional keywords won't effect any operational aspect of the system, but may contribute to the user-experience. **Must-have metadata keywords** * "**msg**" keyword: This keyword determine the text that will appear in the log as the protection name. The name itself should be inside a quotation marks, for example: > msg: "Testing CloudGuard WAF Snort"; * "**flow**" keyword: This keyword determine which side of the communication should the rule inspect. In CloudGuard WAF we protect servers so the keyword should read: > flow: to\_server,established; * "**service**" keyword: This keyword marks which parser should apply for the rule. In CloudGuard WAF we protect HTTP traffic so the keyword should read: > service: http; **Recommended metadata keywords** * "**sid**" keyword: The "signature id" keywords provides a unique numerical value that identify the signature. These allows you to have the same log message for different rules and still distinguish between them. It should have a "random" numerical value, for example: > sid: 12345; * "**rev**" keyword: The "revision" keywords is meant to distinguish between different iterations of the same signature, so you can tell for example if a false-positive is from an old version that is already fixed or not. It should start with the number 1 and increase with each version, for example: > rev: 1; **Optional metadata keywords** * "**reference**" keyword: This keywords allows you to add links that will appear in the log and will provide more information. There can be multiple instances of this keyword in a single rule. The easiest way to use it is to write the word "url", followed by comma, followed by the URL itself. For example: > reference: url,www.acunetix.com; ### [](https://waf-doc.inext.checkpoint.com/references/writing-snort-signatures#cloudguardappsecsnortpractice-ea-contextkeywords) Context keywords Context-type keywords define which section of the HTTP protocol the following inspection keywords will refer to. So when wanting to check the URI, you need to first mention the appropriate keyword and then all the following inspection keyword will apply to the URI - until another context keyword will appear. By default Snort scan the raw packet, not parsed HTTP. Since we are working in Layer 7 only, this is not possible for us to do. **So you must use a context keyword before using any inspection keywords.** The main context keywords you want to know are: * "**http\_raw\_uri**" - This holds the URI as it appears "on the wire" without decoding. So if we send '/W%41F' the context will be '/W%41F'. * "**http\_uri**" - This holds the URI after decoding any encoding in the URI (only, we don't resolve directory traversal for example. So if we send '/W%41F' the context will be '/WAF'. * "**http\_header**" - This holds the headers section of the HTTP (request in our case). * "**http\_client\_body**" - This holds the body of an HTTP request. ### [](https://waf-doc.inext.checkpoint.com/references/writing-snort-signatures#cloudguardappsecsnortpractice-ea-inspectionkeywords) Inspection keywords Inspection-type keywords determine if the request's data (in the section specified by the previous context keyword) meets a certain condition. If it does, than the keywords are said to be matched. If all the inspection keywords match then the rule is said to be matched and the appropriate action (drop and\\or send log) will take place. There are several inspection keywords, and each of them usually have several options. Here we are going to present only the basic syntax of two inspection keywords - this is sufficient for most proposes. * "**content**" keyword - This keyword checks whether a specific content (i.e. a simple string) appears in the context. The string itself appears within quotation marks. For example, if we want to search for the string "attack data" we can write: > content: "attack data"; * "**pcre**" keyword - This keywords checks whether a specific [**P**erl **C**ompatible **R**egular **E**xpression](https://learnxinyminutes.com/docs/pcre/) is found in the context (For a full description of the syntax see [here](https://www.pcre.org/current/doc/html/) ). The expression is placed with forward-slashes within quotation marks. For example, if we want to search for "hello" followed any number of spaces followed by "world", we can write: > pcre: "/hello\\s\*world/"; [PreviousEvent Query Language](https://waf-doc.inext.checkpoint.com/references/event-query-language) [NextEvents/Logs Schema](https://waf-doc.inext.checkpoint.com/references/events-logs-schema) Last updated 1 year ago Was this helpful? --- # How To: Extend Connection Timeout to Upstream | CloudGuard WAF ### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/how-to-extend-connection-timeout-to-upstream#overview) Overview: In CloudGuard WAF as a Service, the default connection timeout for both NGINX and CloudFront is set to 60 seconds. To extend the timeout for specific assets, adjust the settings in the asset's advanced options. Adjusting the NGINX timeout configuration will automatically update CloudFront's settings ### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/how-to-extend-connection-timeout-to-upstream#what-to-do) What To Do? To configure the extended timeout for a specific asset, follow these steps: 1. Log in to the Infinity Portal. 2. Open the WAF application from the application menu. 3. Navigate to the **Assets** page under the **Policy** tab. 4. Select the desired asset. 5. Click on **Advanced...** proxy field to access the extended timeout configuration. 6. Click on **Advanced Settings**. 7. **Add the following fields** with the desired timeout configuration needed: Key Value Read Timeout Numeric Number (up to 180) Proxy Send Timeout Numeric Number (up to 180) Keep Alive Timeout Numeric Number (up to 180) 1. Click **OK** 2. Click **Enforce**. Extended Timeout configuration is supported up to 180 seconds. For longer timeouts, please contact Check Point Support. [PreviousHow To: Redirect a Root Domain to a Subdomain Protected by WAF SaaS](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/how-to-redirect-a-root-domain-to-a-subdomain-protected-by-waf-saas) [NextWAF SaaS Certificate Expiration](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/waf-saas-certificate-expiration) Last updated 9 months ago Was this helpful? --- # Azure | CloudGuard WAF **List of troubleshooting guides under this section:** ["Unable to find a tag containing the vault's name in the VMSS" Error](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/azure/unable-to-find-a-tag-containing-the-vaults-name-in-the-vmss-error) [How To: Configure Key Vault for a Single Gateway](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/azure/how-to-configure-key-vault-for-a-single-gateway) [PreviousWAF Gateway / Virtual Machine](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine) [Next"Unable to find a tag containing the vault's name in the VMSS" Error](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/azure/unable-to-find-a-tag-containing-the-vaults-name-in-the-vmss-error) Last updated 1 year ago Was this helpful? --- # Use Terraform to Manage CloudGuard WAF | CloudGuard WAF The CloudGuard WAF Terraform provider allows configuration of all aspects of CloudGuard WAF using Infrastructure as Code (IaC). Terraform uses the concept of Providers to provide an open-source feature-rich plugin system. Providers adopt specific conventions programmatically that allow them to express the CRUD lifecycle of individual resources and how to maintain and verify the state of existing deployed resources. The deployment option for WAF SaaS is currently not available. We are actively working on developing a Terraform provider for our WAF SaaS deployment option and will notify our users once it becomes available. [](https://waf-doc.inext.checkpoint.com/how-to/use-terraform-to-manage-cloudguard-waf#terraform-resources) Terraform Resources ----------------------------------------------------------------------------------------------------------------------------------- The terraform files and usage examples are available in 2 locations: 1. The [Terraform registry](https://registry.terraform.io/providers/CheckPointSW/infinity-next/latest/docs) . 2. The origin [GitHub repository](https://github.com/CheckPointSW/terraform-provider-infinity-next) for the Terraform registry. [](https://waf-doc.inext.checkpoint.com/how-to/use-terraform-to-manage-cloudguard-waf#api-keys-for-terraform-provider-access) API Keys For Terraform Provider Access ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- #### [](https://waf-doc.inext.checkpoint.com/how-to/use-terraform-to-manage-cloudguard-waf#step-1-get-api-keys) Step 1: Get API Keys Follow the "**Create an API Key**" action in the [Management API reference guide](https://waf-doc.inext.checkpoint.com/references/management-api) . We strongly recommend that you store the credentials in a secured and authenticated location, like HashiCorp's vault or other vault. #### [](https://waf-doc.inext.checkpoint.com/how-to/use-terraform-to-manage-cloudguard-waf#step-2-use-the-api-keys-in-terraform-provider) Step 2: Use the API Keys in Terraform Provider The API Keys' credentials can be used by the provider in 3 different methods: 1. Saved in the environment variables **INEXT\_CLIENT\_ID** and **INEXT\_ACCESS\_KEY.** 2. (Less secure) Explicitly set within the terraform file using the **client\_id** and **access\_key** fields in the provider block, as seen in the example tf files in this documentation. 3. Terraform input variables. When keys are stored in a vault, make sure to have a protected process to inject the keys from the vault into Terraform Provider, without additional systems being able to access them. [](https://waf-doc.inext.checkpoint.com/how-to/use-terraform-to-manage-cloudguard-waf#using-the-terraform-provider) Using the Terraform Provider ----------------------------------------------------------------------------------------------------------------------------------------------------- A terraform file includes a list of the terraform providers to use. Make sure the following is added to the beginning of each of your terraform files: Copy terraform { required_providers { inext = { version = "~> 1.0.0" source = "CheckPointSW/infinity-next" } } } provider "inext" { region = "" # client_id = "" # optional method for sending API Keys # access_key = "" # optional method for sending API Keys } ### [](https://waf-doc.inext.checkpoint.com/how-to/use-terraform-to-manage-cloudguard-waf#terraform-input-variables-for-the-inext-provider) **Terraform Input Variables for the "inext" provider** #### [](https://waf-doc.inext.checkpoint.com/how-to/use-terraform-to-manage-cloudguard-waf#region) **Region** According to your tenant's data residency as can be seen in **Global Settings->Account Settings**. Data Residency Value for "region" parameter Ireland eu United States us #### [](https://waf-doc.inext.checkpoint.com/how-to/use-terraform-to-manage-cloudguard-waf#api-keys) **API Keys** **client\_id** and **access\_key** - optional variables, as explained above, providing another method of sending the API keys. [](https://waf-doc.inext.checkpoint.com/how-to/use-terraform-to-manage-cloudguard-waf#enforce-tool) Enforce Tool --------------------------------------------------------------------------------------------------------------------- A unique aspect to using CloudGuard WAF is the "Enforce" action. Terraform is used to configure the system and create a configuration state that can be changed when required. However, "Enforce" is not a state but a single action that tells CloudGuard WAF to pass the configured security to the agents. In essence, all changes that are made when running `**terraform apply**` are done under a session of the configured API key. In CloudGuard WAF, each session must be published to be able to enforce your configured policies on your assets. Think of it as committing your changes to be able to make a release. It is normally performed after every configuration change, but it is not an inherent action to configuration changes. For this reason there is a separate tool provided to processes to enforce the policy configuration. ### [](https://waf-doc.inext.checkpoint.com/how-to/use-terraform-to-manage-cloudguard-waf#enforce-tool-download) Enforce Tool Download The "Enforce" CLI tool is available through our [GitHub repository](https://github.com/CheckPointSW/infinity-next-terraform-cli) . This repository includes a CLI utility for this exact use case, which includes 2 commands: `**publish**` and `**enforce**`. ### [](https://waf-doc.inext.checkpoint.com/how-to/use-terraform-to-manage-cloudguard-waf#enforce-tool-usage) Enforce Tool Usage There are three options to pass the client ID, access key and region when publishing or enforcing a policy using the CLI: 1. **Option 1:** Set the environment variables: `**INEXT_REGION**`, `**INEXT_CLIENT_ID**` and `**INEXT_ACCESS_KEY**` and run `**inext **` Using this method right after `terraform apply` will use the same environment variables that were already injected in the method of your choosing. 2. **Option 2:** Set credentials using command line parameters`**--client-id**` (shorthand `**-c**`) for client ID,`**--access-key**` (shorthand `**-k**`) for the access key, and **\-r** for region. Copy inext -c $INEXT_CLIENT_ID -k $INEXT_ACCESS_KEY -r us 3. **Option 3:** Create a yaml file at `**~/.inext.yaml**` with the following content: Copy client-id: access-key: region: eu Run `**inext **`and the CLI would use the file **~/.inext.yaml** by default, you could also configure a different path for this configuration file using: `inext --config enforce` [](https://waf-doc.inext.checkpoint.com/how-to/use-terraform-to-manage-cloudguard-waf#example-terraform-files) Example Terraform Files ------------------------------------------------------------------------------------------------------------------------------------------- We are providing example Terraform files to both test and use as a baseline for your configurations. ### [](https://waf-doc.inext.checkpoint.com/how-to/use-terraform-to-manage-cloudguard-waf#download) Download See the links to the _**Terraform Resources**_ at the top of the page. Each option also includes the example files. ### [](https://waf-doc.inext.checkpoint.com/how-to/use-terraform-to-manage-cloudguard-waf#usage) Usage 1. Make sure you install Terraform according to the instructions in the [Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) website. 2. Open a command line to the folder where the example file was unzipped. 3. For the example, set the environment variables using the _export_ command to your API keys. Otherwise, as noted in the API Keys section, create a secure process to transfer the API Keys from a secure location like a vault to the terraform deployment process. 4. Edit the Terraform files if you wish to adjust the example. 5. Run: `_terraform init_` 6. Run `_terraform apply_`, verify that the resource is planned for creation, enter **yes**, and press Enter. 7. You can verify the configuration was applied by [browsing to Infinity Portal](https://waf-doc.inext.checkpoint.com/getting-started/log-in-to-the-infinity-portal) and watching the objects in the Web UI. [PreviousUpgrade your Reverse Proxy when a Linux/NGINX agent is installed](https://waf-doc.inext.checkpoint.com/how-to/upgrade-your-reverse-proxy-when-a-linux-nginx-agent-is-installed) [NextAuthorize Temporary Access for Check Point Support](https://waf-doc.inext.checkpoint.com/how-to/authorize-temporary-access-for-check-point-support) Last updated 9 months ago Was this helpful? --- # GitHub | CloudGuard WAF ### [](https://waf-doc.inext.checkpoint.com/resources/github#management-resources) Management Resources The GitHub repository [infinitynext-mgmt-api-resources](https://github.com/CheckPointSW/infinitynext-mgmt-api-resources) - includes the following: 1. JSON file of the [management GraphQL](https://waf-doc.inext.checkpoint.com/references/management-api) API postman collection to import. 2. Example usage of the GraphQL API. For more information see here: [Management API](https://waf-doc.inext.checkpoint.com/references/management-api) ### [](https://waf-doc.inext.checkpoint.com/resources/github#terraform-files-and-usage-examples) Terraform files and usage examples The GitHub repository [terraform-provider-infinity-next](https://github.com/CheckPointSW/terraform-provider-infinity-next) includes: 1. Documentation how to use Terraform Provider to manage CloudGuard WAF and relevant files. 2. Usage examples. The GitHub repository [infinity-next-terraform-cli](https://github.com/CheckPointSW/infinity-next-terraform-cli) includes the "Enforce" tool - a unique management action that requires an external CLI tool and cannot be done through Terraform files. For more information see here: [Use Terraform to Manage CloudGuard WAF](https://waf-doc.inext.checkpoint.com/how-to/use-terraform-to-manage-cloudguard-waf) [PreviousCVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974: Ingress NGINX Controller RCE (Critical)](https://waf-doc.inext.checkpoint.com/references/cve-2025-1097-cve-2025-1098-cve-2025-24514-cve-2025-1974-ingress-nginx-controller-rce-critical) [NextDocker Hub](https://waf-doc.inext.checkpoint.com/resources/docker-hub) Last updated 5 months ago Was this helpful? --- # Docker Hub | CloudGuard WAF ### [](https://waf-doc.inext.checkpoint.com/resources/docker-hub#checkpoint-infinity-next-nginx) checkpoint/infinity-next-nginx Latest NGINX plus an attachment (plugin) that connects to _checkpoint/infinity-next-nano-agent_ [![Logo](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2Fhub.docker.com%2Ffavicon.ico&width=20&dpr=4&quality=100&sign=631e1472&sv=2)https://hub.docker.com/r/checkpoint/infinity-next-nginxhub.docker.com](https://hub.docker.com/r/checkpoint/infinity-next-nginx) ### [](https://waf-doc.inext.checkpoint.com/resources/docker-hub#checkpoint-infinity-next-nano-agent) checkpoint/infinity-next-nano-agent Check Point Infinity Next Nano Agent Container with CloudGuard WAF [![Logo](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2Fhub.docker.com%2Ffavicon.ico&width=20&dpr=4&quality=100&sign=631e1472&sv=2)https://hub.docker.com/r/checkpoint/infinity-next-nano-agenthub.docker.com](https://hub.docker.com/r/checkpoint/infinity-next-nano-agent) ### [](https://waf-doc.inext.checkpoint.com/resources/docker-hub#checkpoint-infinity-next-nginx-ingress) checkpoint/infinity-next-nginx-ingress NGINX Ingress controller with Check Point Nano-Agent for CloudGuard WAF [![Logo](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2Fhub.docker.com%2Ffavicon.ico&width=20&dpr=4&quality=100&sign=631e1472&sv=2)https://hub.docker.com/r/checkpoint/infinity-next-nginx-ingresshub.docker.com](https://hub.docker.com/r/checkpoint/infinity-next-nginx-ingress) ### [](https://waf-doc.inext.checkpoint.com/resources/docker-hub#checkpoint-cp-nano-k8s-nginx-ingress) checkpoint/cp-nano-k8s-nginx-ingress Ingress controller based on Google's NGINX Ingress controller [![Logo](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2Fhub.docker.com%2Ffavicon.ico&width=20&dpr=4&quality=100&sign=631e1472&sv=2)https://hub.docker.com/r/checkpoint/cp-nano-k8s-nginx-ingresshub.docker.com](https://hub.docker.com/r/checkpoint/cp-nano-k8s-nginx-ingress) [PreviousGitHub](https://waf-doc.inext.checkpoint.com/resources/github) Last updated 1 year ago Was this helpful? --- # NGINX Error: Upstream Sent Too Big Header While Reading Response Header from Upstream | CloudGuard WAF NGINX is not able to read the header that is sent from the upstream as it is bigger than the configured size and the request is failing. In the NGINX error log (locating in: /var/log/nano\_agent/rpmanager/nginx\_log/error.log): "...\*1435367 upstream sent too big header while reading response header from upstream ..." The configured buffer that caches the responses is too small. **WHAT TO DO?** 1. Open the Infinity Portal 2. Click on **Cloud** tab → **Assets** 3. Navigate to the relevant asset and click on it. 4. Click on **Advanced...** (Under the certificate section), and click on **Additional Settings** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FPNuXtk2AGNJitpNp1PZZ%252Fimage.png%3Falt%3Dmedia%26token%3D4bcfdbd0-b5a0-495e-ac0b-1b43842cb066&width=300&dpr=4&quality=100&sign=c2f8bfe6&sv=2) 5. Mark V on the **Additional Location Block** Instruction checkbox and upload a .txt file with these lines in it: `proxy_buffer_size 128k; proxy_buffers 4 256k; proxy_busy_buffers_size 256k;` ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FpK992KZpAjlFG2CqCCUH%252Fimage.png%3Falt%3Dmedia%26token%3D2e1d5646-0d67-4901-9624-4814c2407903&width=300&dpr=4&quality=100&sign=4b8cf8f2&sv=2) 6. Click **OK**. 7. **Enforce** the policy. [PreviousHow To: Configure Key Vault for a Single Gateway](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/azure/how-to-configure-key-vault-for-a-single-gateway) [NextHow To: Compare Between the Gateway's Certificate and the Upstream Certificate](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/how-to-compare-between-the-gateways-certificate-and-the-upstream-certificate) Last updated 9 months ago Was this helpful? --- # Track Learning and Move from Learn/Detect to Prevent | CloudGuard WAF When [a new asset is added](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-application-api) it is recommended that CloudGuard WAF runs in Learn/Detect mode to allow it to create an initial baseline. When the [Contextual Machine Learning](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning) is properly configured and the application receives a substantial amount of traffic, the learning period takes about 2-3 days. Depending on amount and variance of traffic the machine learning engine will reach a stage where it has observed a sufficient amount of web requests to understand how the application is used. The faster this stage is reached, the faster detection is accurate and it is recommended to move to Prevent mode. To speed up the learning period the [Contextual Machine Learning](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning) engine proposes **tuning suggestions**. The administrator can review the tuning suggestions and help the engine reach even better accuracy, a Machine Learning process also known as supervised learning. When a certain maturity level is reached, CloudGuard WAF will advice to move into **Prevent** mode. In this section you will understand how to track the learning level and how to optimize and tune the model for faster learning. [](https://waf-doc.inext.checkpoint.com/how-to/track-learning-and-move-from-learn-detect-to-prevent#understand-the-learning-level) Understand The Learning Level --------------------------------------------------------------------------------------------------------------------------------------------------------------------- When HTTP requests are inspected the CloudGuard WAF [Contextual Machine Learning](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning) model will reach different learning levels. Each level represents the maturity of the learning model and helps to understand what it needs to reach the next level. It will also indicate when it is time to move from **Learn/Detect to Prevent** mode. The model progresses through the following learning levels: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FFaOKPwvQzSSB40hSymLF%252Fappsec-track-learning-learning-levels.png%3Falt%3Dmedia%26token%3Dbaaccf0c-6497-4d0e-bbcc-1127bc7fcc7c&width=768&dpr=4&quality=100&sign=eff8fe9&sv=2) When the learning level becomes **Graduate,** it is recommended to change the asset **Mode** to **Prevent** for either High confidence or above or Critical confidence events. Graduate level ensures very good level of accuracy (e.g. low amount of false positives). To reach **Master** or **PhD** level is is necessary to [configure Trusted Sources](https://waf-doc.inext.checkpoint.com/how-to/configure-contextual-machine-learning-for-best-accuracy) . The **Phd** level is the highest level, which means that more learning is less likely going to improve the model further. #### [](https://waf-doc.inext.checkpoint.com/how-to/track-learning-and-move-from-learn-detect-to-prevent#step-1-track-the-learning-level) Step 1: Track the learning level ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FVeZXXYvfFjihZJ9VNXiI%252FLearning.png%3Falt%3Dmedia%26token%3D3b044605-4761-4d52-8075-8991611a898c&width=768&dpr=4&quality=100&sign=6abad9eb&sv=2) 1. Go to **Policy->Assets** and select the Asset you want to track. 2. Select the **Learn** tab. This tab shows the learning **statistics of the last 7 days**, the **Elapsed Time**, the **Learning Level** and the **Recommendation** at this level. 3. Hover over the **Learning Level** tooltipℹ️ to learn the current learning level and the next level. It will also indicate what is required to reach the next level in the '**Watch next?'** section. Positive contributing factors to the learning process are: number of [trusted sources](https://waf-doc.inext.checkpoint.com/how-to/configure-contextual-machine-learning-for-best-accuracy) defined by the admin, time elapsed, amount of traffic inspected, amount of supervised learning suggestions and some other model parameters. The example below shows that the machine learning is in **Kindergarten** level and needs 999 additional HTTP requests and 6 additional learning hours to reach **Primary School** level. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FHE1iqn9ALzdMhMBVtaNZ%252Fappsec-assets-edit-learn-learning-level.png%3Falt%3Dmedia%26token%3Dcab8ddf9-dfab-43d2-83b1-36559924a8df&width=768&dpr=4&quality=100&sign=d8a9f860&sv=2) When an agent enforcing CloudGuard WAF first sees a connection to a web application/web API defined URL, a banner will also show at the top of the management web application to denote that "Learning has started": ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fa9fHpe7gw3cHHSAh7CQP%252Fappsec-banner-learning-started.PNG%3Falt%3Dmedia%26token%3D31012627-ee1c-4e2b-8b11-a2fa2455b5a3&width=768&dpr=4&quality=100&sign=1c79c94b&sv=2) #### [](https://waf-doc.inext.checkpoint.com/how-to/track-learning-and-move-from-learn-detect-to-prevent#step-2-learn-the-recommended-action) Step 2: Learn the recommended action 1. Hover over the **Recommendation** tooltipℹ️ to learn what the current recommended action is for the asset. Recommendations include: Recommendation Action Required Keep Learning No action required. The machine learning model requires additional HTTP requests (and additional time). Review Tuning Suggestions The learning mechanism generated tuning suggestions. Go to the [**Optimize Learning And Tuning**](https://waf-doc.inext.checkpoint.com/how-to/track-learning-and-move-from-learn-detect-to-prevent#optimize-learning-and-tuning) section in this documentation to learn how to review them and decide whether the events are malicious or benign. Prevent Critical Severity Events The system is ready to prevent critical severity events. Navigate to the **Threat Prevention** tab and change the Web Attacks practice Mode to **Prevent** for Critical Severity events. Prevent High Severity And Above Events The system is ready to prevent high severity (and above) events. Navigate to the **Threat Prevention** tab and change the Web Attacks practice Mode to **Prevent** for High and above Severity events. In the example below the **Recommendation** is Keep Learning and additional HTTP requests are required to reach the next learning level. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FkumxMmAhkagAnovulWo6%252Fappsec-assets-edit-learn-recommendation-keep-learning.png%3Falt%3Dmedia%26token%3D4138e106-8346-492a-9f05-96a9a2ce7e9c&width=768&dpr=4&quality=100&sign=26b9a81e&sv=2) Another example shows sufficient learning is achieved and the **Recommendation** is to Prevent High Severity And Above events. Since the Web Attack Practice is already in **Prevent** mode the tool tip shows a '**Well done!**' message. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FLOfWjHL4zJBYdDGPjk3c%252Fappsec-assets-edit-learn-recommendation-prevent.png%3Falt%3Dmedia%26token%3De47fe845-0d51-4de1-ab72-2478caf8afa5&width=768&dpr=4&quality=100&sign=da2a65c0&sv=2) [](https://waf-doc.inext.checkpoint.com/how-to/track-learning-and-move-from-learn-detect-to-prevent#tuning-suggestions) Tuning Suggestions ----------------------------------------------------------------------------------------------------------------------------------------------- The [Contextual Machine Learning](https://waf-doc.inext.checkpoint.com/concepts/contextual-machine-learning) model may ask to review certain events, also called **Tuning Suggestions**. Providing feedback to these suggestions is not mandatory as the engine is capable of learning by itself. However doing this, allows the machine learning engine to reach a higher maturity level and therefore a better accuracy faster based on human guidance. #### [](https://waf-doc.inext.checkpoint.com/how-to/track-learning-and-move-from-learn-detect-to-prevent#step-1-review-tuning-suggestions) Step 1: Review Tuning Suggestions 1. Go to **Policy->Assets** and select the Asset you want to review. 2. Select the **Learn** tab. This tab shows **Tuning Suggestions** and **Tuning Decisions**. 3. Review the proposed **Tuning Suggestions**. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F8nvIpl0J6BaHCzW3dxAC%252Fappsec-assets-learn-tuning-suggestions.png%3Falt%3Dmedia%26token%3D980b3d4a-aeee-4769-8c8c-eabb1a2f2e31&width=768&dpr=4&quality=100&sign=c75728a6&sv=2) #### [](https://waf-doc.inext.checkpoint.com/how-to/track-learning-and-move-from-learn-detect-to-prevent#step-2-provide-feedback-to-the-proposed-tuning-suggestions) Step 2: Provide feedback to the proposed Tuning Suggestions 1. Click on the **Malicious** or **Benign** button next to the line of the Tuning Suggestion. Your Tuning Suggestion now moves to the **Tuning Decisions** list. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FSMnQQVejaszHraXFEpoH%252Fappsec-assets-learn-tuning-decisions.png%3Falt%3Dmedia%26token%3Dc92c83fc-8d46-4ee5-b50f-0604c23c6921&width=768&dpr=4&quality=100&sign=82271195&sv=2) #### [](https://waf-doc.inext.checkpoint.com/how-to/track-learning-and-move-from-learn-detect-to-prevent#step-3-review-the-new-recommended-action) Step 3: Review the new recommended action 1. Go to [Step 2: Learn the recommended action](https://waf-doc.inext.checkpoint.com/how-to/track-learning-and-move-from-learn-detect-to-prevent#step-2-learn-the-recommended-action) of the previous section to learn what to do next to improve the learning process. [](https://waf-doc.inext.checkpoint.com/how-to/track-learning-and-move-from-learn-detect-to-prevent#moving_to_prevent_mode) Move To Prevent Mode ----------------------------------------------------------------------------------------------------------------------------------------------------- Follow these actions when it is time to change the Practice mode from **Learn/Detect** to **Prevent**. 1. Go to **Policy->Assets** and select the Asset you wish to Protect. 2. Select the **Learn** tab and examine the recommendation. 3. Select the **Events** tab and examine Critical and High Events for the asset from the last 1-2 days. 4. If needed, right-click on event and add **Exceptions** for traffic that the machine learning engine may have misclassified (exceptions can be added based on the `uri,` source identifier, parameter, and more). See more about this [here](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions) . 5. Select the **Threat Prevention** tab and change the mode to **Prevent** 6. You can further tune the sensitivity to block either **High or above** or just **Critical** events. * Set the level based on the recommendation in the **Learn** tab as well as your impression when looking at the events during the last day of the learning period. * You can also start with **Critical** for few days, examine the events and then move to **High or above**. 7. **Enforce** policy. [PreviousTrack Agent Status](https://waf-doc.inext.checkpoint.com/how-to/track-agent-status) [NextRotate profile authentication token](https://waf-doc.inext.checkpoint.com/how-to/rotate-profile-authentication-token) Last updated 8 months ago Was this helpful? --- # Deployment in Azure App Services | CloudGuard WAF A convenient way to run CloudGuard WAF Docker is using Azure App Services providing: * Managed Docker Environment * Secure Certificate Store * Scalability ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-in-azure-app-services#prerequisites) Prerequisites When configuring CloudGuard WAF Docker Image in Azure App Service you will need to provide an [Azure Integration Subnet](https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration) (a new subnet in your VNet), that allow access to the protected asset. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FzIRPpQ8KtL8wnN70IzaC%252Fappsec-docker-azure-diagram-paas.png%3Falt%3Dmedia%26token%3D307ec503-8efc-4a06-a6d9-14d4a0f0f859&width=768&dpr=4&quality=100&sign=c0872bb4&sv=2) To create an Azure Integration Subnet follow these steps: **Step 1:** Login to [portal.azure.com](https://portal.azure.com/) , and search for Virtual Networks **Step 2:** Select the Virtual Network where the protected asset is residing **Step 3:** From the menu on left choose **Subnets** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F15XVRabnEQhRDDmKqeFr%252Fimage.png%3Falt%3Dmedia%26token%3D6858afed-b369-49f8-952b-c0089582daec&width=300&dpr=4&quality=100&sign=8da78a52&sv=2) **Step 4:** Create a new Subnet * **Name**: enter a unique name for your subnet * **Subnet address range**: it is recommended to assign at least /24. For more details see [Azure documentation](https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration) . Click **Save** ### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-in-azure-app-services#configuration) Configuration #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-in-azure-app-services#step-1-obtain-the-registration-token-from-cloudguard-waf-profile) Step 1: Obtain the registration token from CloudGuard WAF profile Make sure you obtain the from the [Enforcement **Profile**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) page, **Authentication** section. you will need it during agent deployment. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FodEuUgaIWcxkuTtYrJ2n%252Fappsec-profiles-authentication-token.PNG%3Falt%3Dmedia%26token%3Daaa5d4ad-7a5b-4986-9378-7ec39b22aadd&width=300&dpr=4&quality=100&sign=372cae61&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-in-azure-app-services#step-2-log-into-app-service-in-azure) Step 2: Log into App service in Azure Login to [portal.azure.com](https://portal.azure.com/) , and search for App Services. #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-in-azure-app-services#step-3-create-a-new-web-app) Step 3: Create a new Web App Click on Create->Web App ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FIsbXJm3Ll9pi9Ftumvng%252Fappsec-docker-azure-new-web-app.png%3Falt%3Dmedia%26token%3D7abb009a-4d71-46fd-ac15-3d96bfb4e8f1&width=768&dpr=4&quality=100&sign=31d2b283&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-in-azure-app-services#step-4-fill-basics-form-details) Step 4: Fill "Basics" form details Make sure to select under the **Instance Details** section: * **Name:** enter a uniuque instance name * **Publish:** choose **Docker Container** * **Operating System:** choose **Linux** * **Region:** choose relevant **Region** (where you application VNETs reside) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FGrwS8EFY4OXF3qzwmCdG%252Fappsec-docker-azure-basics-form-instance-details.png%3Falt%3Dmedia%26token%3D6d58f4d2-b0bb-418b-b0de-ad0e9708e09a&width=768&dpr=4&quality=100&sign=ed8007fb&sv=2) * **Pricing Plan:** choose relevant Pricing Plan * For Testing it is recommended to use **Basic B3** * For Production it is recommended to use **Premium V3 P1V3** (or stronger) * **Zone Redundancy**: Enable/Disable according to your needs Click **Next** #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-in-azure-app-services#step-5-fill-docker-form-details) Step 5: Fill "Docker" form details **Note** \- package file and folder names contain the name appsec - short for "Application Security" provided by CloudGuard WAF. Make sure to select: * **Options:** select **Single Container** * **Image Source:** select **Docker Hub** * **Access Type:** select **Public** * **Image and tag:** `**checkpoint/cloudguard-appsec-standalone:latest**` * **Startup Command:** `**/cloudguard-appsec-standalone --token **` **Note** \- The is the token that was retrieved in step 1. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FcSIXjpuMCXFqRhF4RStg%252Fappsec-docker-azure-docker-form.png%3Falt%3Dmedia%26token%3Dc1bef4af-a464-4f75-93f2-a3fb704d5590&width=768&dpr=4&quality=100&sign=963605ed&sv=2) Click **Next** #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-in-azure-app-services#step-6-fill-networking-form-details) **Step 6:** Fill "Networking" form details In order to allow access to the virtual network with the protected assets, change **Enable Network Injection** to **On** and select the **Virtual Network** where the protected asset reside. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FifQVZYkOYOn8AwM4AzeP%252Fimage.png%3Falt%3Dmedia%26token%3D3c9c1631-22f0-4834-b5d7-164e8d27d793&width=768&dpr=4&quality=100&sign=2092ac1b&sv=2) In the **Outbound Access** section, select the **Outbound subnet** to be the Integration Subnet that you created in the Prerequisites section of this page. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FGPGd1pMUQHeu22mGtFGh%252Fimage.png%3Falt%3Dmedia%26token%3D0fb366b3-d197-4670-a77c-939491415c01&width=768&dpr=4&quality=100&sign=25f5c46b&sv=2) Click **Review + Create** or if you like to change some of the other defaults click **Next** #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-in-azure-app-services#step-7-complete-the-web-app-deployment-and-verify-an-agent-was-connected-successfully) Step 7: Complete the Web App Deployment and verify an agent was connected successfully Azure App Services will now launch the Docker image and it will connect to the Check Point Cloud. You will get a notification in the Infinity Portal. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FzrhFNuIBv6uIUGnQsqIw%252Fappsec-agents-agent-connected-banner-notification.PNG%3Falt%3Dmedia%26token%3D47ad548e-bf80-4619-9ebf-c93fb736257f&width=768&dpr=4&quality=100&sign=ec2edfa6&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-in-azure-app-services#step-8-certificates-configuration) Step 8: Certificates Configuration Azure provides a variety of options to use a certificate. Browse to **App Services**, select the newly created CloudGuard App Service. In the **Overview** Page, **Properties** Tab, click **Add Custom Domain** and in the next screen click again **Add Custom Domain**. You can now choose among the various options. For example to have a Certificate issued automatically by Azure, select **All other domain services,** enter a domain name and follow the instructions. **Step 9: Auto-Scaling (Optional)** Azure App Services provides both **Scale-up** (more CPU/memory) and **Scale-Out** (additional instances) options. It is highly recommended to setup Scale-Out if you have a Production environment which is likely to grow or have traffic bursts. To enable scaling Browse to **App Services**, select the newly created CloudGuard App Service and choose **Scale-up** or **Scale-Out** in the menu. See also [Azure Documentation about Automatic Scaling](https://learn.microsoft.com/en-us/azure/app-service/manage-automatic-scaling?tabs=azure-portal) . **Step 10: Health-check (Optional)** Azure App Services allow to check the health of an application. It increases your application's availability by rerouting requests away from unhealthy instances and replacing instances if they remain unhealthy. It does that by accessing every minute a path of your web application of your choice. To enable it, Browse to **App Services**, select the newly created CloudGuard App Service and choose Health-check in the menu. [See also Azure Documentation about Health-check](https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check?tabs=dotnet) . ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FQ9zoXKU7KP26xy3BXvNE%252Fimage.png%3Falt%3Dmedia%26token%3D1592b22b-7595-4a3b-bada-5de008a682d3&width=768&dpr=4&quality=100&sign=d954e272&sv=2) **Troubleshooting** For debugging purpose it is possible to activate an SSH server within the docker container by using the following parameters when running the docker. **For security reasons, it is NOT recommended to use this option in production.** `--ssh-enable --ssh-user --ssh-hash ` The hash of you password can be calculated like this: `_openssl passwd -6 -salt ClearTextPassword_` 1. _\-6 indicates SHA-512_ 2. is to randomize the encryption Note: Azure App Services allows access to the dockers via SSH, but requires that the username must be: **root** and the password must be **Docker!** [PreviousStore Certificates Locally on Docker](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/deployment-using-docker-command/store-certificates-locally-on-docker) [NextDual Docker: NGINX/Kong/Envoy + Security Agent](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/dual-docker-nginx-kong-envoy-+-security-agent) Last updated 1 year ago Was this helpful? --- # Management API | CloudGuard WAF CloudGuard WAF provides a collection of GraphQL APIs that allows to Authenticate, Create, Read, Update Delete any object in the system as well as Publish or Enforce a set of changes. GraphQL is a strongly typed API query language. It allows clients to define the structure of the data required, and exactly the same structure of the data is returned from the server. This avoids both the problems of over and under-fetching data, while also allowing for a powerful and flexible API. See here the [official GraphQL documentation](https://graphql.org/learn/) . [](https://waf-doc.inext.checkpoint.com/references/management-api#authentication) Authentication ----------------------------------------------------------------------------------------------------- ### [](https://waf-doc.inext.checkpoint.com/references/management-api#creating-an-api-key) Creating an API Key Go to **Account Settings -> API Keys** and create a new API Key for the 'CloudGuard WAF' service. Configure the Expiration date. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fe7wNhY1vo2MfnEPkEYxP%252Fgeneral-settings-api-keys-new-api.png%3Falt%3Dmedia%26token%3Df7d4ba2e-dc0c-4135-ae4b-3f86d0782d59&width=768&dpr=4&quality=100&sign=67fe21f&sv=2) After clicking on Create your Client ID and Secret Key will be shown for a single time. Copy it to a secure location as they are not retrievable once the window will be closed. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FF53njjkd6Xzf7qBsjK65%252Fgeneral-settings-new-api-key-created.PNG%3Falt%3Dmedia%26token%3D0f66c7dd-6c9f-4bf1-ab29-cfb584d7416d&width=768&dpr=4&quality=100&sign=e268b600&sv=2) The ID and Key provide access to your account from the Internet. Secure your keys very carefully. We strongly recommend to use a vault solution for holding your keys and to rotate them periodically. ### [](https://waf-doc.inext.checkpoint.com/references/management-api#using-an-api-key-to-authenticate) Using an API Key to authenticate Before using the specific GraphQL API, you first need to create a valid token to Infinity Portal. Infinity Portal uses REST API. Use the following REST API: `POST /auth/external` Use the relevant server address as documented [here](https://app.swaggerhub.com/apis-docs/Check-Point/infinity-portal-api/1.0.0#/User%20Control/post_auth_external) , to generate a JSON Web Token (JWT). This token allows temporary usage of the application API using Bearer Authentication (as explained in [RFC 6750](https://datatracker.ietf.org/doc/html/rfc6750) ) until token expiration or revocation. It should be used as Authorization: Bearer \[token\] header for each API call. Example of adding the authorization bearer token "abcde-f12345f" to an API call using curl: `curl -H "Authorization: Bearer abcde-f12345f" https:///app/waf/graphql/v1` [](https://waf-doc.inext.checkpoint.com/references/management-api#api-reference) API Reference --------------------------------------------------------------------------------------------------- ### [](https://waf-doc.inext.checkpoint.com/references/management-api#view-and-usage-without-an-external-client-using-graphql) **View and usage without an external client (using GraphQL)** Under Support->API we provide a GraphQL-based interface for: 1. Viewing all available functions, divided into query functions that are available for Read-Only users as well, and mutations functions which change configuration and are not available for Read-only Users. 2. Running custom requests and seeing the result received from the backend. Configuration changes (mutation functions) done using this API will still require clicking on the **Publish** button in order to be saved in the database and unlocked for usage of other administrators, or by running the **publishChanges** API request. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FqV0i4Jr15FE3qOY94DFM%252FPicture1.png%3Falt%3Dmedia%26token%3D84abd50e-c92d-4959-85df-334ad27f73d7&width=768&dpr=4&quality=100&sign=7f7e8bf6&sv=2) The left hand screen allows you to modify GraphQL JSON queries. The middle screen shows the response upon clicking the play button. The right hand screen is the GraphQL documentation of all available functions. ### [](https://waf-doc.inext.checkpoint.com/references/management-api#sending-graphql-requests-from-external-sources) **Sending GraphQL requests from external sources** If you have a JWT temporary token using the authentication API described above, and you are familiar with creating a query or a mutation operation JSON body, then you can post such a JSON to the following URL with the JSON as the request body: `POST https:///app/waf/graphql/v1` The infinity portal address depends on the region you are working with, and can be seen in the [Infinity Portal REST API documentation](https://app.swaggerhub.com/apis-docs/Check-Point/infinity-portal-api/) . Several clients (e.g. Postman) have a GraphQL mode that allows easily constructing the exact request body from the GraphQL JSON. ### [](https://waf-doc.inext.checkpoint.com/references/management-api#graphql-methods) **GraphQL methods** Most methods documented are about CRUD operations vs object in the database. Read operations (queries) usually start with get\* prefix, and GraphQL allows you to modify what exact fields you are interested in viewing. There are also read operations with the suffix \*UsedBy which allow you to check for an object if it used by other objects (for example, a practice that is used by multiple assets and zones). All non-Read operations are methods that are called **mutations** (as opposed to queries). For Create, Update and Delete operations on objects, the prefixes are usually **new\***, **update\*** and **delete\***. **add\***, **move\*** and **remove\*** are parallel prefixes for connecting between existing objects (for example, adding a practice to an asset). **share\*** methods are explained better in the objects structure overview – they are used for taking an existing object, which up until now has been used and owned by a single other object, and making them available to be used and shared by other objects as well (for example, taking an existing practice owned by a specific asset object, and making it globally available to be reused by additional assets and zones). There are also additional special actions: * Agent revocation – revoke\* methods * Publish configuration – A critical method to activate when the changes are completed, otherwise the objects will be locked for other administrators. There is also a method for discarding all changes. * Policy enforce operations – Sending a request to enforce the latest published policy by agents. The query method isEnforcePolicy provides information if a published policy is waiting to be enforced. ### [](https://waf-doc.inext.checkpoint.com/references/management-api#object-structure-overview) **Object structure overview** The main hierarchy of objects in Infinity Next Management starts with an asset object (which can come in a variety of types) or a zone object (which represents a usually-dynamic group of assets according to a query). This object can own other objects according to the following hierarchy: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FN4xTkVkurN2IX6PScFR7%252Fgeneral-management-objects-reference-hierarchy.PNG%3Falt%3Dmedia%26token%3D07aa68f0-9668-4917-9242-46945a5f7960&width=768&dpr=4&quality=100&sign=9487e152&sv=2) In CloudGuard WAF's usage of GraphQL, an object can be owned by another object, or can be owned by a connection between 2 objects (and then it will have 2 owning IDs). When creating an object that should be owned by a parent object, run the relevant **get\*** method on the owning object to get its ID value prior to the object creation method call. There are several objects in the behavior family. Some can be owned by an asset/zone object and some can be owned by the connection between an asset/zone and a practice. * The connection between an Asset/Zone and a Practice can own the following behavior object types: _WebUserResponseBehavior_ _ExceptionBehavior_ * A Web API or a Web Application asset can own the following behavior object type: _TrustedSourceBehavior_ ### [](https://waf-doc.inext.checkpoint.com/references/management-api#object-sharing-visibility-field) **Object sharing (visibility field)** Practices and behavior objects also have a visibility field that can have either the value of “Local” or “Shared”. A “Local” visibility object must contain an owning object ID and cannot be used by any other object in parallel. It will be deleted when the parent object is deleted as it is wholly owned by it. However, through the share\* methods you can make a “Local” visibility object into a “Shared” one which can be owned by multiple objects – Basically you are turning it into a globally used object which will not be deleted if any of the parent objects are deleted. The “Share” action is irreversible – A Shared object cannot be turned into a “Local” visibility object. When creating a practice or a behavior object make sure you have IDs of the parent object/s by using the relevant get\* method/s if the visibility is set to “Local”. An empty owning ID can only exist if the visibility is set to “Shared” during the object creation. When getting all objects, that can be either local or shared, the default behavior is to return only shared objects. A specific parameter is needed to be added to request to see the local objects as well. Specifically: getPractices will require includePrivatePractices to return local practice objects. getBehaviors will require includePrivateBehaviors to retun local behavior objects. [](https://waf-doc.inext.checkpoint.com/references/management-api#api-tester) API tester --------------------------------------------------------------------------------------------- The GitHub repository [infinitynext-mgmt-api-resources](https://github.com/CheckPointSW/infinitynext-mgmt-api-resources) - includes the following: 1. JSON file of the [management GraphQL](https://waf-doc.inext.checkpoint.com/references/management-api) API postman collection to import. 2. Example usage of the GraphQL API. [PreviousAgent CLI](https://waf-doc.inext.checkpoint.com/references/agent-cli) [NextEvent Query Language](https://waf-doc.inext.checkpoint.com/references/event-query-language) Last updated 11 months ago Was this helpful? --- # How To: Compare Between the Gateway's Certificate and the Upstream Certificate | CloudGuard WAF The issue related to traffic validation between the gateway certificate and the upstream certificate. Usually, it is reflected by an asset not working via Android but is working through iOS and web browsers. ### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/how-to-compare-between-the-gateways-certificate-and-the-upstream-certificate#first-option) First Option 1. **Surf** to the protected asset via Chrome browser. 2. Click on the **lock icon** → **Certificate is valid** (to see the full certificate). 3. Move to the **Details** **tab** → choose the lowest hierarchy and click **Export**. Save the file on the local machine. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FrO4btsNchimvd5xhOH9h%252Fimage.png%3Falt%3Dmedia%26token%3D09c96599-85db-4986-891d-cec02eb27750&width=300&dpr=4&quality=100&sign=de12c044&sv=2) 4. **Login** with SSH access to the AppSec Gateway machine 5. **Browse** the /etc/cp/rpmanager/manualCerts and get the private key file, **save** it locally in the same folder as the file from section 3. 6. **Run** both files with CertVerify according to the manual: [Store Certificates on Gateway - CloudGuard AppSec (checkpoint.com)](https://appsec-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-on-gateway) 7. **Place** the exported .pkg file under /etc/certs 8. **Login** to the Infinity Portal and click **Enforce**. ### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/how-to-compare-between-the-gateways-certificate-and-the-upstream-certificate#second-option) Second Option 1. **Login** with SSH to the AppSec Gateway machine 2. **Run** `echo | openssl s_client -showcerts -servername` [`<`](http://crm.jaloma.com.mx/) `Protected URI> -connect 127.0.0.1:443 > proxy_certs.txt` 3. **Run** `echo | openssl s_client -showcerts -servername` [`<`](http://crm.jaloma.com.mx/) `Protected URI> -connect :443 > upstream_certs.txt` 4. Check the difference between proxy\_certs.txt and upstream\_certs.txt 5. In case they are different, fix it manually: 1. **Copy** the certs from upstream\_certs.txt file into /etc/cp/rpmanager/manualCerts/.pem 2. **Copy** the certs from upstream\_certs.txt file into /etc/certs/.pem 6. **Run** `docker exec nginx -s reload` To avoid this from happening again after changing the certificates, we advise to use the CertVerify tool and adding the full chain to the certificate. [PreviousNGINX Error: Upstream Sent Too Big Header While Reading Response Header from Upstream](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-gateway-virtual-machine/nginx-error-upstream-sent-too-big-header-while-reading-response-header-from-upstream) [NextLinux](https://waf-doc.inext.checkpoint.com/troubleshooting/linux) Last updated 9 months ago Was this helpful? --- # Integrate CloudGuard WAF with Prometheus | CloudGuard WAF Integrate CloudGuard WAF with [Prometheus](https://prometheus.io/) to collect and monitor key metrics related to WAF performance and behavior. Prometheus integration is currently in **beta**. Features and behavior may change in future releases. ### [](https://waf-doc.inext.checkpoint.com/how-to/integrate-cloudguard-waf-with-prometheus#configuration) Configuration Note that enabling Prometheus integration is currently only supported for Embedded, Docker and Single GW deployments **Prerequisites** * An Cloud Guard Agent connected to a supported Profile * If you don't have an agent see instructions on how to get started [here](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) . * If the agent is running as a container, ensure Prometheus port `7465` is open. * Prometheus Server **Instructions:** 1. In the Web UI, go to the **Profiles** page 2. Click the profile assigned to your agent and switch to **Advanced** tab 3. Under **Advanced Settings**, add: * **Key:** `prometheus` * **Value:** `true` 4. Click **Enforce Policy** to apply changes ![](https://docs.openappsec.io/~gitbook/image?url=https%3A%2F%2F1225393248-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FNcZmX14M2KdTBrq9EOnI%252Fuploads%252FgpIlgmc9xdMOds373dCI%252Fimage.png%3Falt%3Dmedia%26token%3Dd7bffbf8-8ac4-460c-99cc-224040dbbc16&width=768&dpr=4&quality=100&sign=151cc6f0&sv=2) 1. Add a Job in your Prometheus Server configure the agent IP and Port, see example: Copy Copy scrape_configs: - job_name: 'openappsec' static_configs: - targets: [':7465'] ### [](https://waf-doc.inext.checkpoint.com/how-to/integrate-cloudguard-waf-with-prometheus#supported-parameters) Supported Parameters Display Name Type Description nano\_service\_restarts\_counter LastReportedValue watchdog process restart counter total\_requests\_counter Counter total requests unique\_sources\_counter Counter sources requests\_blocked\_by\_force\_and\_exception\_counter Counter override: force exception and force block requests\_blocked\_by\_waf\_counter Counter WAF blocked requests requests\_blocked\_by\_open\_api\_counter Counter API blocked requests requests\_blocked\_by\_bot\_protection\_counter Counter bot protection blocked requests requests\_threat\_level\_info\_and\_no\_threat\_counter Counter requests identified as info threat + none threat requests\_threat\_level\_low\_counter Counter request identified as low threat requests\_threat\_level\_medium\_counter Counter request identified as medium threat requests\_threat\_level\_high\_counter Average request identified as high threat post\_requests\_counter Counter post requests get\_requests\_counter Counter get requests put\_requests\_counter Counter put requests patch\_requests\_counter Counter patch requests delete\_requests\_counter Counter delete requests other\_requests\_counter Counter other requests 2xx\_status\_code\_responses\_counter Counter response 2xx 4xx\_status\_code\_responses\_counter Counter response 4xx 5xx\_status\_code\_responses\_counter Counter response 5xx requests\_time\_latency\_average Average average latency sql\_injection\_attacks\_type\_counter Counter SQL Injection vulnerability\_scanning\_attacks\_type\_counter Counter Vulnerability Scanning path\_traversal\_attacks\_type\_counter Counter Path Traversal ldap\_injection\_attacks\_type\_counter Counter LDAP Injection evasion\_techniques\_attacks\_type\_counter Counter Evasion Techniques remote\_code\_execution\_attacks\_type\_counter Counter Remote Code Execution xml\_extern\_entity\_attacks\_type\_counter Counter XML External Entity cross\_site\_scripting\_attacks\_type\_counter Counter Cross Site Scripting general\_attacks\_type\_counter Counter General all\_assets\_counter LastReportedValue number of protected assets prevent\_action\_matches\_counter Counter prevent engine matches detect\_action\_matches\_counter Counter detect engine matches ignore\_action\_matches\_counter Counter ignore engine matches cpu\_usage\_percentage\_max Max Max CPU usage cpu\_usage\_percentage\_average Average Average CPU usage cpu\_usage\_percentage\_last\_value LastReportedValue last CPU usage reported service\_virtual\_memory\_size\_kb\_max Max max service virtual memory size service\_virtual\_memory\_size\_kb\_min Min min service virtual memory size service\_virtual\_memory\_size\_kb\_average Average average service virtual memory size service\_physical\_memory\_size\_kb\_max Max max service RSS memory size service\_physical\_memory\_size\_kb\_min Min min service RSS memory size service\_physical\_memory\_size\_kb\_average Average average service RSS memory size general\_total\_used\_memory\_max Max max general total memory size general\_total\_used\_memory\_min Min min general total memory size general\_total\_used\_memory\_average Average average general total memory size [PreviousRestrict Access to Backend Servers from CloudGuard WAF as a Service IPs Only](https://waf-doc.inext.checkpoint.com/how-to/restrict-access-to-backend-servers-from-cloudguard-waf-as-a-service-ips-only) [NextEnable Mutual TLS (mTLS) Authentication in Gateway / Virtual Machine and Single Docker](https://waf-doc.inext.checkpoint.com/how-to/enable-mutual-tls-mtls-authentication-in-gateway-virtual-machine-and-single-docker) Last updated 1 month ago Was this helpful? --- # Setup Custom Rules and Exceptions | CloudGuard WAF Configuring [Web Application / API](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api) is easily done via the configuration wizard, and in the vast majority of the cases, is enough to fully protect the web assets without additional manual changes. However, as event logs appear, a security administrator might want to make specific exceptions to the default behavior of the system, regardless of the [automatic learning mechanism](https://waf-doc.inext.checkpoint.com/how-to/configure-contextual-machine-learning-for-best-accuracy) . [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#configuring-custom-rules-and-exceptions-upon-log) Configuring Custom Rules and Exceptions Upon Log ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The most common use case of custom rules and exception configuration is when a log is issued and as a security administrator decided that traffic matching one of the log fields (for example, the URI field) should not be detected or blocked by the CloudGuard WAF engine. #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#step-1-from-the-events-view-perform-a-right-click-on-the-relevant-parameter-in-the-log-according-to) Step 1: From the events view, perform a "Right Click" on the relevant parameter in the log according to which the exclusion should occur and select "Add Exception" ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FiUnB7KYwlXBduLTb2BUB%252Fappsec-monitor-events-add-exception.png%3Falt%3Dmedia%26token%3D1947cbc3-ab4a-481c-a7f0-626d40d213b5&width=768&dpr=4&quality=100&sign=50c3893e&sv=2) #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#step-2-review-the-custom-rule-exception-details-and-click-ok) Step 2: Review the custom rule / exception details and click OK ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FXenDmKewKaDzxwkIkhTJ%252Fappsec-monitor-events-add-exception-popup.PNG%3Falt%3Dmedia%26token%3D38695cef-b3cb-45c0-bb2d-a3238388d0e7&width=768&dpr=4&quality=100&sign=9791c590&sv=2) A common change might be to generalize the exception to all sources by deleting the condition for "**Source Identifier**", or to change the action from "Skip" (relevant only for the "Matched Parameter" field) to "Accept". A custum rule/exception configured this way applies to the combination of the specific CloudGuard WAF security practice that caught the original event and the Asset relevant for the same traffic. For further information on how to configure exceptions from asset view and the full options an exception can provide, please read further. [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#possible-actions-for-custom-rules-and-exceptions) Possible actions for custom rules and exceptions ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * **Accept** - Traffic matching the exception's conditions will be accepted. * **Drop** - Traffic matching the exception's conditions will be blocked. * **Skip** - Relevant only for specific keys like "Parameter Name", "Parameter Value" and "Indicator". Allows skipping the value of the matching parameter from being inspected by the CloudGuard WAF engines. The rest of the traffic will be inspected for malicious behavior. Skip action is not supported with Scheme Validation. * **Suppress Log** - Traffic matching the exception's condition will not activate their Log Trigger object/s upon event. [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#possible-conditions-for-custome-rules-and-exceptions) Possible conditions for custome rules and exceptions ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#keys) Keys There are several keys allowed to be set in custom rules and exceptions, each of them may be relevant to a different security practice or sub-practice. For CloudGuard WAF: Exception Key Value String Search Location Relevant for Skip Action Relevant Practices Host Regular expression of the HTTP Host name Not on it own All CloudGuard WAF Security URI HTTP full URI in request Not on it own All CloudGuard WAF Security Source Identifier Regular Expression the identifier, according to the definition of [Source Identifier in the Asset's configuration](https://waf-doc.inext.checkpoint.com/how-to/configure-contextual-machine-learning-for-best-accuracy) Not on it own All CloudGuard WAF Security Source IP IP address of the request's source in IP address or CIDR format (e.g. "/") Not on it own All CloudGuard WAF Security Parameter Name Regular Expression of a parameter name is a key in the HTTP request body's XML or JSON file Yes Web and API attacks, and Schema Validation Parameter Value Regular Expression of a parameter value is the value to a key in the HTTP request body's XML or JSON file Yes Web and API attacks, and Schema Validation Parameter Location A value that matches the "Matched Location" field values in a CloudGuard WAF Log (e.g. "body", "cookie", "url", etc.) Yes Web and API attacks Indicator Regular expression of indicator/s to be be used with the "Skip" action. Allows exclusion of desired indicators while continuing to provide security for all other traffic. Yes All CloudGuard WAF Security Protection Name The protection name used by the security sub-practice No IPS and Snort Rules only Country Code For Geolocation-based exceptions. Country is resolved according to the source IP address. Code is the recommended use for country-based exceptions and can be searched [here](https://www.iso.org/obp/ui/#home) according to the **Alpha-2 code** of ISO-3166. Not on it own All CloudGuard WAF Security Country Name For Geolocation-based exceptions. Country is resolved according to the source IP address. Name is less recommended for country-based exceptions, but is more readable. Exact names can be searched [here](https://www.iso.org/obp/ui/#home) according to ISO-3166. Not on it own All CloudGuard WAF Security File Hash MD5 string of the file the exception should apply to. No File Security only File Name The file name to match the configured exception. No File Security only Response Body **Note** \- Scanning response traffic adds a performance impact. Regular expression of a pattern within the HTTP Response Body Not on it own All CloudGuard WAF Security. In addition, this key allows [adding manually Data Loss Prevention (DLP) rules](https://waf-doc.inext.checkpoint.com/how-to/add-data-loss-prevention-dlp-rules) HTTP Method The relevant HTTP method: GET, POST, PUT, DELETE, PATC Not on it own All CloudGuard WAF Security Header Value Regular expression of the HTTP header value Not on its own All CloudGuard WAF Security Header Name Regular expression of the HTTP header name Not on its own All CloudGuard WAF Security **NOTE:** The policy installation lowers raw values (not Regex), and the agent is case-sensitive while matching to the inspected traffic. ### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#regular-expression-values) Regular Expression Values The following is only relevant for keys where the table states their value is a regular expression. When an exception key expects a regular expression value (regex), it should be configured according to [PCRE 2.0](https://www.pcre.org/current/doc/html/) , which will undergo a partial search unless the '^' or '$' regular expression operators are used. For a nicer tutorial about PCRE regular expression crafting, visit [here](https://learnxinyminutes.com/docs/pcre/) . ### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#operators) Operators A complex logical expression with "**AND**" and "**OR**" between conditions can be created. In addition - the following operators are available for each condition: * **Equals** * **Not Equals** * **Key Exists** [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#view-and-configure-custom-rules-and-exceptions-in-assets) View And Configure Custom Rules and Exceptions In Assets -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#configuring-custom-rules-and-exceptions) Configuring custom rules and exceptions #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#step-1-browse-to-policy-greater-than-assets-edit-an-existing-asset-and-click-on-the-custom-rules-and) Step 1: Browse to Policy->Assets, edit an existing asset and click on the "Custom Rules and Exceptions" tab ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FzRSfs4UQ5hJeFzh6nKGl%252FCustomRulesAndExceptions.png%3Falt%3Dmedia%26token%3D05f85884-5d6f-44dd-a789-9d38eb231455&width=768&dpr=4&quality=100&sign=59ccd466&sv=2) #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#step-2-click-to-add-a-new-custom-rule-exception) Step 2: Click to add a new custom rule / exception ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FNA7Z3Aw04PTr98ODBKi9%252Fappsec-assets-exceptions-new-exception.PNG%3Falt%3Dmedia%26token%3D01523a66-c5df-4d09-9ff4-961baf1b80c8&width=768&dpr=4&quality=100&sign=64a8ec2b&sv=2) #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#step-3-create-the-exclusion-according-to-the-options-described-in-this-page) Step 3: Create the exclusion according to the options described in this page When clicking the 3 dotted lines you will see the logical operators available for multiple conditions: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FNNFHIbLIua7kQApSu5fJ%252Fappsec-assets-exceptions-condition-operators.PNG%3Falt%3Dmedia%26token%3Da1c66628-d59a-4182-8038-6519d6aca8a4&width=768&dpr=4&quality=100&sign=1d14f3f5&sv=2) When clicking on the ':' between key and value you will see the additional value-based operators for a single condition: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F0u6pul85d13HA7eU3FVV%252Fappsec-assets-exceptions-value-operators.PNG%3Falt%3Dmedia%26token%3D0be15c4c-b55b-4b08-8929-7d6f2b8ea00b&width=768&dpr=4&quality=100&sign=2255c771&sv=2) Add a comment for view purposes and click OK. ### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#viewing-custom-rules-and-exceptions) Viewing Custom Rules and Exceptions When custom rules and exceptions are configured, the same location in the asset provides a view of the exceptions for the practice used by the asset. The view shows the comment and the last administrator that edited the exception: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FzRSfs4UQ5hJeFzh6nKGl%252FCustomRulesAndExceptions.png%3Falt%3Dmedia%26token%3D05f85884-5d6f-44dd-a789-9d38eb231455&width=768&dpr=4&quality=100&sign=59ccd466&sv=2) All rules that are shown under the Custom Rules and Exceptions tab are being enforced. The order does not matter. [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#save-custom-rules-and-exceptions-for-reuse-in-additional-assets-practices) Save Custom Rules and Exceptions for Reuse In Additional Assets/Practices ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ It is possible to save a group of exception rules under a global name, and then use the same object by multiple assets and practices. ### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#configure-an-existing-custom-rule-exception-as-global) Configure an Existing Custom Rule/Exception as Global #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#step-1-click-on-the-3-dots-in-the-top-right-corner-of-the-custom-rules-and-exceptions-view) Step 1: Click on the 3 dots in the top right corner of the custom rules and exceptions view ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FRMd5sGPNMuRZT8Kh7h7Y%252FCustomRulesAndExceptions2.png%3Falt%3Dmedia%26token%3D1ea9e37a-88e0-4fb7-acea-4b4b4c71609c&width=768&dpr=4&quality=100&sign=93ba9584&sv=2) #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#step-2-click-save-and-give-a-name-to-the-new-global-exceptions-object) Step 2: Click Save and give a name to the new global "Exceptions" object ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FmLX04VGa95O3RVcYs0bE%252Fappsec-assets-exceptions-save-exceptions.PNG%3Falt%3Dmedia%26token%3D51f33f66-606f-4243-bb95-17ac18c6e4db&width=768&dpr=4&quality=100&sign=7154f469&sv=2) #### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#step-3-in-additional-assets-you-can-now-click-load-in-the-same-location-and-select-an-existing-custo) Step 3: In additional assets you can now click "Load" in the same location and select an existing "Custom Rules/Exceptions" object ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FQFD0que06JyQPmCNBUna%252FCustomRulesAndExceptions3.png%3Falt%3Dmedia%26token%3De81bb074-3fd4-4690-acb8-f02441c5f1ff&width=768&dpr=4&quality=100&sign=9fd70e25&sv=2) ### [](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-custom-rules-and-exceptions#view-and-manage-global-custom-rules-and-exceptions-objects) View and Manage Global Custom Rules and Exceptions Objects The global custom rules/exceptions objects can be viewed and edited under **Policy->Behaviors**: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FArs7SSko7hhY3AwPufbD%252Fappsec-behaviors-exceptions-edit.png%3Falt%3Dmedia%26token%3D93100492-17e0-4987-8ce8-e308b44c7391&width=768&dpr=4&quality=100&sign=d84887ad&sv=2) [PreviousSnort Rules](https://waf-doc.inext.checkpoint.com/additional-security-engines/snort-rules) [NextSetup Web User Response Pages](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-web-user-response-pages) Last updated 5 months ago Was this helpful? --- # Events/Logs Schema | CloudGuard WAF When events are sent from CloudGuard WAF agents to be viewed in the cloud application and/or to a Syslog/CEF server, they are sent in a specific field structure. This page will document the fields being sent. This will allow [filter queries](https://waf-doc.inext.checkpoint.com/references/event-query-language) in the cloud application and log parsing to be done on the Syslog/CEF side (see configuration of [Trigger objects](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers) for more info). [](https://waf-doc.inext.checkpoint.com/references/events-logs-schema#schema-in-openapi-format) Schema in openAPI format ----------------------------------------------------------------------------------------------------------------------------- See below the security logs schema in openAPI format. 28KB [agents-security-logs-openapi-schema-v1.0.4.json](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FEzUeIPcHdpHy9zcCArtw%2Fagents-security-logs-openapi-schema-v1.0.4.json?alt=media&token=6a1c5d87-2000-4697-8d0e-ec61527a47b6) Download[Open](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FEzUeIPcHdpHy9zcCArtw%2Fagents-security-logs-openapi-schema-v1.0.4.json?alt=media&token=6a1c5d87-2000-4697-8d0e-ec61527a47b6) The definitions per field are relevant even when the logs aren't sent in JSON format. [](https://waf-doc.inext.checkpoint.com/references/events-logs-schema#log-fields) Log fields ------------------------------------------------------------------------------------------------- This table shows the predefined field keywords alongside their view name in the logs table and log cards. in brackets for each field name is the name when sent to syslog/CEF. Usually the difference is simply an all-lowercase format vs lowerCamelCase Field Name in Log View Field Name Description `Time` `eventtime (sent as part of the protocol in syslog/CEF)` Time of the event in UTC. `Event Name` `eventname (title - for syslog only)` This field describes the event in text. `Severity` `eventseverity (eventSeverity)` Info, Low, Medium, High, Critical `Priority` `eventpriority (eventPriority)` Low, Medium, High, Urgent `Confidence Level` `eventconfidence (eventConfidence)` Low, Medium, High, Very High (The higher the confidence level, the less likely it is the event is a false-positive) `Event Reference Id` e`ventreferenceid (eventReferenceId)` Some events result in showing the user a reference ID (for example when showing an HTTP response page upon prevention). This reference ID will correlate to this field in the log. `Agent UUID` `agentid (agentId)` UUID of the agent creating the log, if applicable. `Issuing Engine Version` `issuingengineversion (issuingEngineVersion)` The agent's and service's version sending reporting this event. `Security Action` `securityaction (securityAction)` The action taken by the security practice upon this event. `Asset Name` `assetname (assetName)` The name of the asset, protected by the security practice that found a match and issued this log. `Asset ID` `assetid (assetId)` The object ID of the asset, protected by the security practice that found a match and issued this log. `Zone Name` `zonename (zoneName)` The name of the zone, protected by the security practice that found a match and issued this log. `Zone ID` `zoneid (zoneId)` The object ID of the zone, protected by the security practice that found a match and issued this log. This can be used unique searches when given names are similar. `Practice Type` `practicetype (practiceType)` The type of the security practice that found a match and issued this log (e.g. "Threat Prevention"). `Practice SubType` `practicesubtype (practiceSubType)` The subtype of the security practice that found a match and issued this log (e.g. "Web Application"). `Practice Name` `practicename (practiceName)` The name of the security practice that found a match and issued this log. `Practice ID` `practiceid (practiceId)` The object UUID of the security practice that found a match and issued this log. This can be used unique searches when given names are similar. `Source IP` `sourceip (sourceIp)` Source IP address of the network traffic that caused the matched event. `Source Port` `sourceport (sourcePort)` Source TCP/UDP Port of the network traffic that caused the matched event. `Source Country` `sourcecountryname (sourceCountryName)` Source country name of the network traffic that caused the matched event, if applicable. `Destination IP` `destinationip (destinationIp)` Destination IP address of the network traffic that caused the matched event. `Destination Port` `destinationport (destinationPort)` Destination TCP/UDP Port of the network traffic that caused the matched event. `Destination Country` `destinationcountryname (destinationCountryName)` Destination country of the network traffic that caused the matched event, if applicable. `IP Protocol` `ipprotocol (ipProtocol)` IP Protocol of the network traffic that caused the matched event. `Source Identifier` `httpsourceid (httpSourceId)` The source identifier as determined from the HTTP traffic according to configuration (according to the X-Forwarded-For header, a cookie, source IP address, etc.). `HTTP Host` `httphostname (httpHostName)` The source identifier as determined from the HTTP traffic according to configuration (according to the X-Forwarded-For header, a cookie, source IP address, etc.). `HTTP Method` `httpmethod (httpMethod)` HTTP Method as determined from the HTTP traffic (e.g. GET, POST, etc.). `HTTP URI Path` `httpuripath (httpUriPath)` HTTP URI path as determined from the HTTP traffic. `HTTP URI Query` `httpuriquery (httpUriQuery)` HTTP URI query as determined from the HTTP traffic. `HTTP Request Headers` `httprequestheaders (httpRequestHeaders)` HTTP Request Headers (Sent only if relevant additional logging is configured on the [trigger](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers) object that was used). `HTTP Request Body` `httprequestbody (httpRequestBody)` HTTP Request Body (Sent only if relevant additional logging is configured on the [trigger](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-log-triggers) object that was used). Body will be truncated if too long. `Incident Type` `waapincidenttype (waapIncidentType)` CloudGuard WAF incident types (e.g. LDAP injection, SQL injection, etc.). `Incident Details` `waapincidentdetails (waapIncidentDetails)` A more granular description of the event caught by CloudGuard WAF. `User Reputation` `waapuserreputation (waapUserReputation)` CloudGuard WAF user reputation for the identified source. `Matched Location` `matchedlocation (matchedLocation)` The location within the HTTP traffic where an indicator, causing this event, was detected (e.g. "referer parameter"). `Matched Parameter` `matchedparameter (matchedParameter)` The parameter name within the HTTP traffic, where an indicator, causing this event, was detected (e.g. "uuid"). `Matched Sample` `matchedsample (matchedSample)` The traffic data where the indicators were detected and created the event. `Match Reason` `matchreason (matchReason)` An additional elaboration for the reason the event was detected (For example, when Web API Schema validation fails, this field will detail what exactly failed). `Found Indicators` `waapfoundindicators (waapFoundIndicators)` The detected indicators which created the event. `Practice Override` `waapoverride (waapOverride)` Override configuration for this event. `Event Audience (Hidden)` `eventaudience` Constant value of 'Security' for events sent to user. `Tags (Hidden)` `eventtags` For future use. [PreviousWriting Snort Signatures](https://waf-doc.inext.checkpoint.com/references/writing-snort-signatures) [NextCVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Email Address Buffer Overflows (HIGH)](https://waf-doc.inext.checkpoint.com/references/cve-2022-3786-and-cve-2022-3602-openssl-x.509-email-address-buffer-overflows-high) Last updated 9 months ago Was this helpful? --- # How To: Redirect a Root Domain to a Subdomain Protected by WAF SaaS | CloudGuard WAF ### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/how-to-redirect-a-root-domain-to-a-subdomain-protected-by-waf-saas#overview) Overview: Setup a Network Load Balancer (NLB) with two static IPs: * Static\_IP\_1 (e.g., 192.0.2.10) * Static\_IP\_2 (e.g., 192.0.2.20) The NLB redirects the traffic to ALB This guide will walk you through obtaining a certificate for your root domain, configuring an Application Load Balancer (ALB) rule for the redirect, and verifying the setup. AWS Azure ### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/how-to-redirect-a-root-domain-to-a-subdomain-protected-by-waf-saas#step-1-request-a-certificate-for-the-root-domain) Step 1: Request a Certificate for the Root Domain 1. Navigate to AWS Certificate Manager (ACM). 2. **Request a new certificate** for your root domain (e.g., [example.com](http://example.com/) ). 1. Click on **"Request a certificate"**, then select **"Request a public certificate"** and follow the prompts. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FtXgqqrIqsOGKLqnYqJVW%252Fimage.png%3Falt%3Dmedia%26token%3D2ed1483f-0b82-4c0f-a656-b8cd12cbbf2a&width=768&dpr=4&quality=100&sign=204fa310&sv=2) 2. For **Domain name**, enter your root domain. 3. Choose **DNS validation** for the validation method. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FkGnGWxkVQ9bcRafQF6Jv%252Fimage.png%3Falt%3Dmedia%26token%3D61213be9-c19b-45a3-8874-ed15caa4902d&width=768&dpr=4&quality=100&sign=462e8330&sv=2) 3. Find your Validation Challenge: Add the DNS validation record provided by ACM to your DNS configuration to complete the validation process. (CNAME name and CNAME value). You can find this in ACM -> Certificates -> : ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FWOUxw2nodpkYQmMrPfhi%252Fimage.png%3Falt%3Dmedia%26token%3Da115b64e-2039-48ba-9ef8-1f51508cea50&width=768&dpr=4&quality=100&sign=55b811d6&sv=2) 4. Wait until the Certificate is Validate It may take some time for DNS changes to propagate and for ACM to validate the certificate. Monitor the certificate status in ACM. ### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/how-to-redirect-a-root-domain-to-a-subdomain-protected-by-waf-saas#step-2-add-a-rule-in-the-alb) Step 2: Add a Rule in the ALB 1. Navigate to your ALB in the EC2 Management Console. 2. Select the listener that handles incoming requests for your domain. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F4FHTaFau5DsSMq2si7BI%252Fimage.png%3Falt%3Dmedia%26token%3D7f8fbebd-c7cc-40c7-ad7a-31a98c2e2d4b&width=768&dpr=4&quality=100&sign=17f9c8&sv=2) 3. Add a new rule to redirect requests from the root domain to the subdomain. 1. Condition: host header match to your root domain 2. Action: Redirect to the subdomain with appropriate protocol (HTTP or HTTPS), port and path. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FxlLEelIO7Q0TIW5ZfTKX%252Fimage.png%3Falt%3Dmedia%26token%3D7990e967-7b22-477c-9bf3-d33b914a7656&width=768&dpr=4&quality=100&sign=2203bb38&sv=2) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FrDn2PqeGF3oQOczSy9aj%252Fimage.png%3Falt%3Dmedia%26token%3D8ff83741-40b3-42dc-91ee-f3874f22fc99&width=768&dpr=4&quality=100&sign=4617f59b&sv=2) ### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/how-to-redirect-a-root-domain-to-a-subdomain-protected-by-waf-saas#step-3-add-certificate) Step 3: Add certificate In the ALB screen click on certificates tab and then add certificate: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fmd3TlMzHYC4QuUoJCJo2%252Fimage.png%3Falt%3Dmedia%26token%3Ddcd346e1-252d-41a7-a1f9-169de123b0f5&width=768&dpr=4&quality=100&sign=1dd05c01&sv=2) Then find the certificate you have added in step 1. ### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/how-to-redirect-a-root-domain-to-a-subdomain-protected-by-waf-saas#step-4-add-relevant-tags-in-rule) Step 4: Add Relevant Tags in Rule * Tagging rules can help with organization and billing. Add any relevant tags as per your organization's tagging strategy. * add the relevant tags as the other rules ### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/how-to-redirect-a-root-domain-to-a-subdomain-protected-by-waf-saas#step-5-test) Step 5: Test To test the redirect, use the following curl commands: * curl --resolve example.com:443:Static\_IP\_1 https://example.com -v * curl --resolve example.com:443:Static\_IP\_2 https://example.com -v Replace example.com with your actual root domain and Static\_IP\_1 and Static\_IP\_2 with the static IP addresses of your Network Load Balancer (e.g., 192.0.2.10 and 192.0.2.20). The expected result is a **301 redirect** response pointing to the subdomain. ### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/how-to-redirect-a-root-domain-to-a-subdomain-protected-by-waf-saas#step-1-create-a-sub-domain-that-will-be-protected-by-cloudguard-waf) Step 1: Create a sub-domain that will be protected by CloudGuard WAF 1. Navigate to Azure DNS Zones. 2. In the DNS zone, click on "**\+ Record set**" to create a new record set. 1. Set the name field to the desired sub-domain (in this example it is 'www'): ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FUbt643tNV5dwh4yZwSwb%252Fimage.png%3Falt%3Dmedia%26token%3Df4ed23a3-4f20-4c46-b757-fc48a1b5d85d&width=768&dpr=4&quality=100&sign=ed383eba&sv=2) 2. Set the Type field to be CNAME 3. Click **Add**. ### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/how-to-redirect-a-root-domain-to-a-subdomain-protected-by-waf-saas#step-2-onboard-the-sub-domain-to-cloudguard-waf-as-a-service) Step 2: Onboard the sub-domain to CloudGuard WAF as a Service Follow the instructions on the Infinity Portal ### [](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/how-to-redirect-a-root-domain-to-a-subdomain-protected-by-waf-saas#step-3-create-an-alias-record-for-the-root-domain) Step 3: Create an Alias Record for the root domain 1. In the DNS zone, click on "+ Record set" to create a new record set. 2. Set the Name field to "@" to indicate the root domain. Set the Type to "A" or "CNAME" depending on your setup. 3. In the Alias record set section, toggle the switch to "Yes". 4. In the Alias type dropdown, select "Zone record set". 5. In the zone record set dropdown, select the subdomain you have created and onboarded to CloudGuard WAF as a Service in stages 1 and 2. 6. Save the Record. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FsUJ7ctanTZyky6BkKnui%252Fimage.png%3Falt%3Dmedia%26token%3D2beb7c74-8f9e-489e-b7bc-0540f3b9bf20&width=768&dpr=4&quality=100&sign=1a13e30e&sv=2) [PreviousCertificate Validation Failed: Adjusting CAA Record](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/certificate-validation-failed-adjusting-caa-record) [NextHow To: Extend Connection Timeout to Upstream](https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/how-to-extend-connection-timeout-to-upstream) Last updated 9 months ago Was this helpful? --- # Protect a Web API | CloudGuard WAF CloudGuard WAF provides a configuration wizard that allows you to set up everything you need for basic protection of your web API, as well as the ability to automatically detect your API usage and schema, providing an extra layer of security via visibility. Once you completed the wizard you can set up a CloudGuard WAF's AppSec Gateway or Agent to enforce security. [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api#web-api-wizard) Web API Wizard ------------------------------------------------------------------------------------------------------------- #### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api#step-1-launch-the-configuration-wizard) Step 1: launch the configuration Wizard: 1. When logged in to the management portal, click the **Policy** option in the main navigation menu on the left. You should see the **Cloud Getting Started** page. 2. In the **Policy -> Getting Started** page, click **New Asset**, then Select **Web API.** The configuration wizard should open. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FGHBapsNQhSD55Nl2ZADx%252Fappsec-policy-getting-started.PNG%3Falt%3Dmedia%26token%3D733795d4-dcbd-4b52-837e-9d28823dc895&width=768&dpr=4&quality=100&sign=5f5bfeda&sv=2) Follow these configuration steps in the **New Web API** wizard: #### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api#step-2-api-server-details) Step 2: API Server Details ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FjbSf8Coir8BXwy7MNb9b%252FWAF-Web_API-Step1.PNG%3Falt%3Dmedia%26token%3D3d9c64b5-06a7-431a-938a-8201f4c1a06f&width=768&dpr=4&quality=100&sign=7b0ee1fd&sv=2) Complete the following details (which you have [prepared before](https://waf-doc.inext.checkpoint.com/getting-started/prepare-key-information) ): * Name - choose a clear distinguishable name for your API * Tags (Optional) - can be used for searches * API URLs for users - configure at least one host address with optional port. CloudGuard WAF will protect these hosts. Examples: * `https://www.acme.com` (listen to inbound traffic to this address on all ports) * `http://www.acme.com:80` (only listen to inbound traffic to this address on port 80) * `https://www.acme.com/api` * `https://sales.acme.com/api` * `https://172.20.20.4:3000` * Single application URL for the reverse proxy function - This URL is required, if the asset is secured by a CloudGuard WAF deployment in which the reverse proxy function is configured through the WAF Management. The Reverse Proxy translates the external URL, used by users, into an internal URL and forwards the request to it. This internal URL should be written here (See diagram). #### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api#step-3-practices) Step 3: Practices Select the Practices that you want to enable and their Mode: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F8LwNUaITqzmVtt4UO3C3%252FWAF-Web_API-Step2.PNG%3Falt%3Dmedia%26token%3D828fac55-efaf-45cb-8046-13f8c4296611&width=768&dpr=4&quality=100&sign=f2abff72&sv=2) Activated modes for API Security: * **Learn/Detect** - we recommend starting with this mode as it allows the Machine Learning engine to train and you can examine the system behavior, all while traffic is not affected. * **Prevent** \- in this mode traffic will be blocked if malicious traffic is found. Activated modes for API Discovery: * **Active** - API discovery does not block traffic, hence it only has a single "Active" mode. #### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api#step-4-platform-and-deployment-configuration) Step 4: Platform and Deployment configuration 1. Choose a deployment method: ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F8Hi0freIxJruoyYWVhNd%252FWAF-Web_API-Step3.PNG%3Falt%3Dmedia%26token%3D4cbae545-59f1-479a-9ef7-1af160d6f633&width=768&dpr=4&quality=100&sign=17927149&sv=2) CloudGuard WAF can be deployed as: * A pre-packaged Gateway (Virtual Machine for secure managed reverse proxy): * In AWS * In Azure * In VMware vSphere * WAF as a Service - in supported regions world-wide (DNS configuration for your domain will change to its location) * A pre-packaged docker containing a secure managed reverse proxy. **Note** - a user can opt to manage the reverse proxy settings locally. * A separate Reverse Proxy/API server Docker + WAF Agent Docker * An add-on to an existing/new NGINX Kubernetes Ingress * An add-on to an existing/new supported Reverse Proxy/API Server. If you choose the option of a **Virtual Machine (VM)**, the option of **SaaS** or the option of a **managed docker**, you must also enter the internal URL of the application or API or internal load balancer so the reverse proxy function will know to which URL should these asset's external URL be forwarded. This URL must be accessible to the managed Reverse Proxy server but will not be exposed to the outside. This URL was configured in step 1 of the wizard. #### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api#step-5-learning) Step 5: Learning Define how the Machine Learning engine should distinguish between different API sources and who the sources are that can be trusted. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F0Jiur4EuVtWq28CUFfRj%252FWAF-Web_API-Step4.PNG%3Falt%3Dmedia%26token%3D0347fab5-3570-4cc5-be88-5730525f9b67&width=768&dpr=4&quality=100&sign=464f0c4b&sv=2) 1. Select the method by which different sources will be distinguished from one another: * **X-Forwarded-For** **Header** - When there is a Reverse Proxy or ALB between the Reverse Proxy the agent is running on, and the internet - the original source IP address cannot be seen on the networking level. This option allows the Nano-Agent to identify the original source IP inside the X-Forwarded-For header. No additional parameters are required in the common case where a single Reverse Proxy/ALB is found before the agent's deployment. In the less common case, where there are more than 1 reverse proxy and/or ALB deployments before the reverse proxy with CloudGuard WAF: * After the wizard is completed you must edit the created Web Application/API asset object. * Add the IP addresses of the previous hops, to allow the distinction between them and the original source address. This is explained in more details [here](https://waf-doc.inext.checkpoint.com/how-to/configure-contextual-machine-learning-for-best-accuracy) . * **Source IP** Address- The Nano-Agent uses the source IP address as the identifier. No additional parameters are required. Additional methods can be defined later by editing the Web Application/API asset object. These include: * **Cookie Key** - when you select this option, you need to add the key name within the cookie whose value is used as the unique identifier of the original source. * **HTTP Header** - when you select this option, you need to add the HTTP header name whose value is used as the unique identifier of the original source. * **JWT Key** - Authenticated API calls send a JSON Web Token (JWT) received by authentication API. This JWT usually contains identifying field. When you select this option, the value of one of the JWT keys can be used as the unique identifier of the original source. 2\. If you do not intend to use additional methods, you may already define trusted sources that serve as a baseline for comparison for _benign behavior_, and how many sources/Addresses must exhibit similar activity for it to really be considered benign by the learning model (Otherwise it is recommended to perform this step after the wizard has been completed by editing the asset and after changing the method by which sources are distinguished). ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FyUStjxBhOeqStCVMa4n1%252Fimage.png%3Falt%3Dmedia%26token%3D3f8b3996-f76c-42d0-900d-17808b6e2bf5&width=768&dpr=4&quality=100&sign=73adb2ff&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api#step-6-certificate-storage-configuration-and-deployment-instructions) Step 6: Certificate storage configuration and deployment instructions If, during the previous step, a "New Profile" option was selected, then the "Certificates" page will also prompt a decision, relevant for all CloudGuard WAF's AppSec Gateways that will connect to this profile, regarding where the certificates for HTTPS traffic will be stored. For the [WAF SaaS](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas) option - Using your own issued certificates will be available in the future. This decision is only relevant for the pre-packaged Gateway (Virtual Machine) option in AWS and Azure. In those cases it is possible to either select a secure vault in the relevant public cloud, or local storage. This configuration can be later changed by editing the created profile via **Cloud->Profiles.** If the "Existing Profile" option was selected, then it will not be possible to choose a different configuration from what is already set in this profile. Exact setup instructions for certificates will be available in the profile page. For CloudGuard WAF on AWS or Azure, there are two methods for storing certificates and private keys. For all other deployments only the first is available: * [On the WAF Gateway itself](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware/store-certificates-on-gateway) - a simple procedure allows you to upload the certificates and private keys directly to your gateway(s) using Secure Copy Protocol (SCP/SSH). No further configuration is required - CloudGuard WAF will locate the local files automatically. * **Advantage**: you have full control of your secrets * **Disadvantage**: does not support automatic scaling * If you are using CloudGuard WAF on [AWS](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws) or [Azure](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure) you can store secrets in secured vaults of these platforms and CloudGuard WAF's AppSec Gateway can fetch it from there. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252Fp65drHU1TNlA0sAFTWaz%252Fappsec-assets-wizard-05-certificates-aws.PNG%3Falt%3Dmedia%26token%3D17b2784c-a2a3-4d39-8061-d2ae77a7079b&width=768&dpr=4&quality=100&sign=b1fc44b5&sv=2) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FBWmdNsU8BStd53CiAQUM%252Fappsec-assets-wizard-05-certificates-azure.PNG%3Falt%3Dmedia%26token%3D89fee689-2f31-4fe0-bf33-a6efcfbd51a5&width=768&dpr=4&quality=100&sign=71b5d056&sv=2) For [WAF SaaS](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/waf-as-a-service-waf-saas) deployment this page will support in the future the option of certificates provided by you. The available option is for WAF SaaS to provide the certificates. Completing the deployment and providing certificates requires actions after the wizard has ended, for each domain configured on the new asset: 1. Proving ownership of each domain to allow issuing the certificates for it on WAF SaaS side. 2. Configuring the DNS record for each domain so traffic to it will be routed to WAF SaaS. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FXj8KVxmQSHZuA9DBK38i%252FWAF-Web_API-Step5.PNG%3Falt%3Dmedia%26token%3Da9dd8631-7948-40e5-a510-ca57288c0c27&width=768&dpr=4&quality=100&sign=ed70c470&sv=2) For all other deployment options there is no configuration required WAF web management. However, instructions on how to install the certificates for each deployment appear in both wizard and later on when editing the profile in **Policy->Profiles**. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FFSaUYEji2pUXCddm4nfV%252Fappsec-assets-wizard-05-certificates-embedded.PNG%3Falt%3Dmedia%26token%3D0375cc49-f1ba-4347-8fa8-da83909c2c4e&width=768&dpr=4&quality=100&sign=1136e41&sv=2) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FVUiuofe0OdbaCliVb4fy%252Fappsec-assets-wizard-05-certificates-k8s-ingress.PNG%3Falt%3Dmedia%26token%3D4d8362e0-48b6-44c3-a8f1-188f16417632&width=768&dpr=4&quality=100&sign=b2c1c59&sv=2) ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F02NcdyRAI6l2div0xrWT%252Fappsec-assets-wizard-05-certificates-vmware.PNG%3Falt%3Dmedia%26token%3D0a33b860-bb53-4003-b79f-67fd5cd838fc&width=768&dpr=4&quality=100&sign=5f2174cf&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api#step-7-reporting) Step 7: Reporting During the Web Application onboarding it is possible to configure a new Report Trigger to send a summary report, based on your preferences to a list of email addresses or use an existing, pre-configured Report Trigger. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FLyzZkd9UWhWd02Y57iPY%252FWAF-Web_API-Step6-6.PNG%3Falt%3Dmedia%26token%3Dc04336b3-978f-4901-87e8-a728b07669b3&width=768&dpr=4&quality=100&sign=ea837eba&sv=2) #### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api#step-8-summary) Step 8: Summary Review the configuration summary and choose how you would like to proceed. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FVjE3RDamvYwuBJvYQLKi%252FWAF-Web_API-Step6.PNG%3Falt%3Dmedia%26token%3Df50a3904-c70e-4fb7-85ac-7b71302d49e1&width=768&dpr=4&quality=100&sign=aea122c2&sv=2) By keeping the default selections and clicking **Done**, you can Publish & Enforce your settings and proceed to the **Profile** page, which includes instructions for deployment of a CloudGuard WAF's AppSec Gateway, WAF SaaS or Agent. You can also choose Advanced Settings to explore additional features (such as in Step 6 below) and later proceed with enforcement point deployment. ### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api#deploy-enforcement-point-gateway-or-agent) Deploy Enforcement Point - Gateway or Agent You are minutes away from protecting your Web API. The last step is to deploy an Enforcement Point. See instructions here: [Deploy Enforcement Point](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) ### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api#api-discovery-and-api-schema-validation) API Discovery and API Schema Validation #### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api#api-security) API Security CloudGuard WAF protects your API from malicious attacks, and if provided with a schema file, it can enforce it. However, this is not the only manner of security for API use. Maintaining and enforcing a secure schema file is a difficult task for a security officer. The developers of the web server add and change APIs, and even with a well-defined, well-reviewed and well-maintained schema file, an API can allow access of sensitive data in a way the schema file will not show. The frequency of changes to APIs can also cause much difficulty in keeping such a schema file well-reviewed and well-maintained. API discovery provides **security by visibility:** 1. Discovery of the initial schema. 2. Discovery of API additions/deletions, and changes to existing APIs. 3. Discovery of APIs with sensitive data. API discovery is the recommended way to maintain the schema file you can eventually, after a sufficient leaning period, use for Schema Validation. The flow of working with API discovery is explained in detail in this documentation: [API Protection](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection) #### [](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api#activating-schema-validation-if-you-already-have-a-trusted-schema-file) Activating schema validation if you already have a trusted schema file Important reminder - The API discovery engine was designed to learn what API is actually being used. **Even if you have a well-maintained schema file for your API, it is still recommended to wait before activating the Schema Validation Security engine, until the API discovery practice has learned the actual API usage in your system and suggested a schema**. At that point we recommend comparing the suggested schema with the schema file you had, and deciding on the exact schema to enforce accordingly. Once there is a well-maintained schema file, such as the schema the API discovery engine provides once it learned traffic to a high enough level, adding a schema file and activating the Schema Validation enforcement engine can further increase the security level by adding an [openAPI](https://swagger.io/docs/specification/about/) schema file for your API. CloudGuard WAF will enforce the different unique applicative validations described in the schema file and alert upon attempts to use APIs in a way that does not match your schema. If you decide to skip API discovery (not recommended) and move directly to schema validation with your own well-maintained schema file, skip directly to the following documentation and use the option of uploading your own schema file: [Enforce API Schema](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/enforce-api-schema) Last updated 10 months ago Was this helpful? --- # Authentication Enforcement | CloudGuard WAF CloudGuard WAF’s Authentication Enforcement ensures that only authorized requests can access your protected web application. It validates incoming requests against the configured authentication type and can detect/block unauthenticated or improperly authenticated traffic. **⚠️ Beta Feature** This feature is currently in **beta** and may be subject to changes. Functionality, configuration options, and behavior could change in future releases. We recommend testing in a non-production environment before deploying to live systems. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/authentication-enforcement#configuration-options) **Configuration Options** ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FnmuJPdHbdp9vT0R3jcw4%252Fimage.png%3Falt%3Dmedia%26token%3Dc6588122-ce1b-475d-935c-0ee74e396cdd&width=768&dpr=4&quality=100&sign=a4990646&sv=2) * **Authentication Type** Currently, only **JWT (JSON Web Token)** is supported. * **Existence Verification** Ensures that an authentication token is present. * **Authentication Expiration** Validates that the token has not expired. A default tolerance period of 5 minutes is applied to the expiration time. * **Signature Verification** Verifies the JWT using the uploaded public key. Signature Verification supports the following **asymmetric algorithms**: RS256, RS512, ES256, ES385, ES512. **Unauthenticated Endpoints** By default, this protection applies to the entire asset. * If you want to **exclude specific URIs**, you can define them here. #### [](https://waf-doc.inext.checkpoint.com/additional-security-engines/api-protection/authentication-enforcement#response-code-for-unauthorized-access) **Response Code for Unauthorized Access** The default response status code is 403 when a request is blocked, which might cause unexpected behavior, the following section explains how to configure 401 response code to align with authentication best practices. To return a `401 Unauthorized` response for blocked requests follow the steps bellow: 1. create a dedicated [Web User Response](https://waf-doc.inext.checkpoint.com/setup-instructions/setup-web-user-response-pages) , with the following configurations: * Mode: `Response Code Only` * HTTP Response Code: `401` ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FGSfMMkcjeWhKurKoLVGI%252Fimage.png%3Falt%3Dmedia%26token%3D3911f0c3-971a-4869-a20c-91167ad217d1&width=768&dpr=4&quality=100&sign=d68296bc&sv=2) 1. Assign the Web User Response to the practice. ![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FJnGeFDbeGZqqYqtkRLDN%252Fimage.png%3Falt%3Dmedia%26token%3Dd6e10702-776a-47e3-a3b3-6b9ad0c839d0&width=768&dpr=4&quality=100&sign=271e9c41&sv=2) 1. Enforce Policy. Last updated 3 months ago Was this helpful? ---