Secure your applications by deploying Check Point’s AI-powered WAF-as-a-Service in minutes
Web application firewalls (WAFs) help secure your web applications and APIs, but traditional WAFs can be complex to configure and maintain. When looking to deploy a WAF, it is important to understand the requirements and considerations needed for that individual WAF. Traditional WAF deployments must take performance, sizing, network architecture, and other issues into consideration. With CloudGuard WAF-as-a-Service (WAFaaS), those considerations have been preset, making deployment easy. Additionally, CloudGuard WAF-as-a-Service does not require the manual tuning that traditional WAFs need.
Check Point CloudGuard WAF, formerly known as AppSec, is a web application and API security solution available in the AWS Marketplace that simplifies WAF deployment and management with its AI-based approach. In this post, we demonstrate how to deploy WAF as a service in minutes.
Analyst recognition for CloudGuard WAF
The GigaOm Radar report, which examines 13 top application and API security solutions, has named CloudGuard WAF a leader for the second consecutive year.
Independent testing by the Open Worldwide Application Security Project (OWASP) shows that CloudGuard WAF has a 98.6 percent threat detection rate and a 0.81 percent false positive rate, making it the only WAF solution in their tests to achieve the ninety-fifth percentile for both quality metrics.
Continuous AI learning and automatic policy management
CloudGuard WAF’s AI engine trains itself on web traffic, analyzing API transactions, detecting deviations from normal, and automatically taking remediation actions. This continuous AI learning eliminates the need for complex firewall rule rewriting because CloudGuard WAF performs policy management automatically with minimal effort from administrators.
CloudGuard WAF also protects APIs by detecting every API route and endpoint across cloud, hybrid, and on-premises environments, providing context on the data present. CloudGuard’s recommendations for schema revisions help improve security over time.
CloudGuard WAF as a service
While the powerful features of CloudGuard WAF have been available for years in AWS Marketplace, CloudGuard WAF is now offered as a service. This new model significantly reduces the time to deployment and supports monthly payments. With four straightforward steps that only take minutes, any organization can protect their web applications and APIs with the power of CloudGuard WAF-as-a-Service, resulting in close to zero impact on the AWS customer’s environment and removing the need to install and maintain an infrastructure-as-a-service solution.
Solution overview
In this section, we demonstrate how to set up CloudGuard WAF-as-a-Service to protect your web applications using the following easy steps.
- Log in to your Infinity Portal account.
- Create a web asset and prove ownership of the domain.
- Connect your web domain to CloudGuard WAF-as-a-Service.
- Allow access from CloudGuard WAF-as-a-Service IP addresses.
- Test access to your site.
Prerequisites
To perform the solution, you need to complete the following prerequisites.
- Have or create an Infinity Portal account.
- Purchase and activate CloudGuard WAF-as-a-Service from the AWS Marketplace.
- Verify ownership of the DNS configuration for the protected domain.
- Have or create an internal web address for the asset.
Solution walkthrough: Add AI-powered WAF-as-a-Service security on AWS in minutes
To secure your traffic for each domain in each asset protected by CloudGuard WAF-as-a-Service, you need to perform the following four steps.
Log in to your Infinity Portal account and navigate to CloudGuard WAF
If you do not have an Infinity Portal account, follow the steps in the Getting Started with the Infinity Portal guide to create one.
Create web asset and prove ownership of domain
1. Create a new web asset by navigating to New Asset > Web Application.
2. In the Policy tab, choose Profiles and select the WAF-as-a-Service profile that was automatically created during the New Web Application wizard in Step 1.
3. For each web domain pending validation, choose the web domain and follow the instructions to prove ownership by adding a CNAME record with the provided name and value to your DNS configuration, as shown in Figure 4.
You need to perform this action for each web domain. For example, if you are protecting both www.<insert your domain>.net and api.<insert your domain>.net, you need to prove ownership for each web domain separately, as shown in Figure 5.
Connect your web domain to CloudGuard WAF-as-a-Service
Important: Before performing this step, disable any existing Amazon CloudFront configuration for your website’s address.
- Once domain ownership is verified (which can take up to 30 minutes), a CNAME record will be issued.
- Change the existing DNS CNAME record for the domain you want to protect, updating its value to the provided string.
After DNS propagation worldwide, traffic will pass through CloudGuard WAF-as-a-Service and then be routed to your internal web server.
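The two DNS changes above (the ownership-proof CNAME from the "Create web asset" step and the routing CNAME from this step) are easy to get subtly wrong: a record on the wrong hostname, a stale value, or a change that simply has not propagated yet. The following is an added example, not Check Point's, AWS's or the authors' code, that checks both records for every protected hostname. The record names and values in it are constructed placeholders (the real ones are shown in the CloudGuard WAF UI), the `dig`-based resolver assumes `dig` is installed on the workstation, and the lookup function is injectable so the check can also be run against recorded answers, as the demonstration at the bottom does.

```python
"""Check the ownership-proof and routing CNAME records for each protected hostname.

Added example, not part of the original post. Names and values below are
constructed placeholders; take the real ones from the CloudGuard WAF UI.
"""
import subprocess
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]


def _normalize(name: str) -> str:
    # DNS names are case-insensitive and resolvers often return a trailing dot,
    # so compare a canonical form rather than the raw strings.
    return name.strip().rstrip(".").lower()


def resolve_cname_dig(name: str) -> Optional[str]:
    """Resolve a CNAME with the local `dig` binary (assumption: dig is installed)."""
    proc = subprocess.run(["dig", "+short", "CNAME", name],
                          capture_output=True, text=True, timeout=10)
    answers = proc.stdout.strip().splitlines()
    return answers[0] if answers else None


def check_record(host: str, kind: str, name: str, expected: str, resolve: Resolver) -> Dict:
    """Compare the observed CNAME target for `name` against the expected one."""
    observed = resolve(name)
    ok = observed is not None and _normalize(observed) == _normalize(expected)
    return {"host": host, "kind": kind, "name": name,
            "expected": expected, "observed": observed, "ok": ok}


def check_domains(plan: Dict[str, Dict[str, str]], resolve: Resolver = resolve_cname_dig) -> List[Dict]:
    """For each hostname in `plan`, verify its ownership record and its routing record."""
    results = []
    for host, spec in plan.items():
        results.append(check_record(host, "ownership", spec["ownership_name"],
                                    spec["ownership_value"], resolve))
        results.append(check_record(host, "routing", host, spec["routing_target"], resolve))
    return results


def pending(results: List[Dict]) -> List[Dict]:
    """Records that are missing, wrong, or not yet propagated."""
    return [r for r in results if not r["ok"]]


# Constructed plan: two hostnames, each with the ownership-proof CNAME (name and
# value from the WAF UI) and the routing CNAME target issued after verification.
EXAMPLE_PLAN = {
    "www.example.net": {
        "ownership_name": "_cgwaf-verify.www.example.net",            # placeholder
        "ownership_value": "abc123.verify.placeholder.invalid",        # placeholder
        "routing_target": "www-example-net.waf.placeholder.invalid",   # placeholder
    },
    "api.example.net": {
        "ownership_name": "_cgwaf-verify.api.example.net",            # placeholder
        "ownership_value": "def456.verify.placeholder.invalid",        # placeholder
        "routing_target": "api-example-net.waf.placeholder.invalid",   # placeholder
    },
}

# Constructed answers standing in for a live resolver: www is fully cut over
# (note the case and trailing-dot differences, which must still count as a
# match), while api proves ownership but its routing CNAME still points at
# the old origin.
FAKE_ANSWERS = {
    "_cgwaf-verify.www.example.net": "ABC123.verify.placeholder.invalid.",
    "www.example.net": "www-example-net.waf.placeholder.invalid.",
    "_cgwaf-verify.api.example.net": "def456.verify.placeholder.invalid.",
    "api.example.net": "origin-legacy.example.net.",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(_normalize(name))


if __name__ == "__main__":
    for r in check_domains(EXAMPLE_PLAN, fake_resolve):
        status = "OK     " if r["ok"] else "PENDING"
        print(f"{status} {r['host']:16} {r['kind']:9} {r['name']} -> {r['observed']}")
```

Run it with the real plan and the default resolver from the same vantage point that your users resolve from; a record that verifies from your workstation but not from a public resolver is the usual sign that propagation is not finished yet, which is why the walkthrough says to wait before tightening anything on the origin.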
Allow access from CloudGuard WAF-as-a-Service IP addresses
In this step, you add the WAF-as-a-Service IP addresses to the access list your internal web server allows, and you may also need to remove IP addresses that are no longer needed.
Because DNS propagation can take up to 72 hours, we recommend only adding IP addresses as needed but not removing any access from the web server until 72 hours have passed and you have tested your connectivity through WAF-as-a-Service.
- For each asset protected by CloudGuard WAF-as-a-Service, configure the upstream URL (the origin that the reverse proxy function forwards to) to allow access from the IP addresses listed in the CloudGuard WAF UI deployment form, and from those addresses only.
- If the domain was previously exposed publicly, reduce accessibility and allow traffic only from those IP addresses.
- If the domain was previously accessible only from a configured reverse proxy, add the WAF-as-a-Service IP addresses to the access list and consider removing irrelevant IP addresses from the previous reverse proxy.
Test access to your site
After completing the previous steps, test access to your site. Changing DNS records typically takes a few hours to propagate worldwide, but it can take up to 72 hours.
Make sure you verify that you have not left a publicly exposed domain in your previous environment.
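The two cautions in the "Allow access" and "Test access" steps come down to one question: is anything other than the WAF still reaching the origin directly? The following is an added example, not Check Point's, AWS's or the authors' code, that renders an nginx allow/deny fragment for the origin and audits a web server access log to count requests from the WAF ranges versus direct hits. The CIDR ranges are constructed placeholders (the real list comes from the CloudGuard WAF UI deployment form), the sample log lines are constructed, and the log format assumed is the common/combined format nginx and Apache write by default.

```python
"""Generate the origin allowlist and audit the access log for traffic that bypasses the WAF.

Added example, not part of the original post. WAF_RANGES are constructed
placeholders from the TEST-NET blocks; replace them with the addresses shown in
the CloudGuard WAF UI deployment form.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed placeholders; the real ranges come from the WAF deployment form.
WAF_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Leading part of the common/combined log format: client IP, ident, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def nginx_allowlist(ranges: List[ipaddress.IPv4Network], host: str) -> str:
    """Render an nginx fragment (to be included inside the origin's server block)
    that admits only the WAF source ranges and rejects everything else."""
    lines = [f"# {host}: accept only CloudGuard WAF-as-a-Service sources"]
    lines += [f"allow {n};" for n in ranges]
    lines.append("deny all;")
    return "\n".join(lines)


def classify_ip(ip: str, ranges: List[ipaddress.IPv4Network]) -> str:
    """'waf' if the address is inside one of the WAF ranges, 'direct' otherwise."""
    addr = ipaddress.ip_address(ip)
    return "waf" if any(addr in n for n in ranges) else "direct"


def audit_access_log(lines: Iterable[str], ranges: List[ipaddress.IPv4Network] = WAF_RANGES) -> Dict:
    """Count requests by source class and list the addresses that hit the origin directly."""
    counts: Counter = Counter()
    direct_sources: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        try:
            source = classify_ip(m["ip"], ranges)
        except ValueError:            # not an IP literal at all
            counts["unparsed"] += 1
            continue
        counts[source] += 1
        if source == "direct":
            direct_sources[m["ip"]] += 1
    return {
        "counts": dict(counts),
        "direct_sources": dict(direct_sources),
        # True while anything other than the WAF still reaches the origin.
        "origin_still_reached_directly": counts["direct"] > 0,
    }


# Constructed sample: three requests arriving through the WAF ranges, one direct
# hit from an address outside them, and one line that does not parse.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2025:12:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Jun/2025:12:00:02 +0000] "GET /api/v1/items HTTP/1.1" 200 2048',
    '203.0.113.21 - - [10/Jun/2025:12:00:03 +0000] "POST /login HTTP/1.1" 302 0',
    '192.0.2.55 - - [10/Jun/2025:12:00:04 +0000] "GET /admin HTTP/1.1" 403 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print(nginx_allowlist(WAF_RANGES, "www.example.net"))
    report = audit_access_log(SAMPLE_LOG)
    print(report["counts"])
    if report["origin_still_reached_directly"]:
        print("direct hits from:", report["direct_sources"])
```

Run the audit over the last 72 hours of origin logs before removing old access-list entries: if it still reports direct sources, either propagation is not finished for some resolvers or the domain is reachable through a path you have not closed. If the origin sits behind your own reverse proxy (the third bullet above), the logged client address is the proxy's, so audit the proxy's log, not the origin's.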
Ready to get started?
Contact Check Point, request a demo, or find Check Point CloudGuard WAF-as-a-Service in AWS Marketplace today!
About the authors:
Tyler Carrigan is a communicator, plain and simple. He has been breaking down technical topics for over a decade, from the US Navy Submarine force to leading a community of Linux administrators. He now specializes in cloud security.
Vinit Anshuman is a technology partner leader in AWS Marketplace specializing in integration and innovation of security and AI solutions. He has three patents and spearheads strategic initiatives to deliver cutting-edge, scalable and secure AI-driven solutions to customers and partners. Outside of work, Vinit likes hiking in nature and mentoring young students.
Dhanil Parwani is a Senior Partner Solutions Architect at AWS. He works closely with networking partners to build solutions and capabilities to enable and simplify their migrations and operations in the cloud. He holds an MS in Telecommunications from the University of Colorado Boulder and has a passion for computer networking. Outside of work, Dhanil is an avid traveler and enjoys cheering Liverpool FC.