AWS Marketplace

Secure your applications using Check Point’s AI-powered WAF-as-a-Service

Introduction

Web application firewalls (WAFs) help secure your web applications and APIs, but traditional WAFs can be complex to configure and maintain. In this post, we demonstrate how to deploy WAF-as-a-Service in minutes. When deploying a WAF, it is important to understand the requirements and considerations needed for that individual WAF. Traditional WAF deployments must take performance, sizing, network architecture, and other issues into consideration.

Check Point CloudGuard WAF, formerly known as AppSec, is a web application and API security solution available in the AWS Marketplace that simplifies WAF deployment and management with its AI-based approach. With WAF-as-a-Service (WAFaaS), those considerations have been preset, easing deployment. Additionally, WAFaaS does not require the manual tuning that traditional WAFs need.

Analyst recognition for CloudGuard WAF

The GigaOm Radar report, which examines 13 top application and API security solutions, has named CloudGuard WAF a leader for the second consecutive year.

The WAF Comparison Project 2024-2025, which also evaluated 13 WAF solutions, shows that CloudGuard WAF has a 99.3 percent threat detection rate and a 0.81 percent false positive rate, making it the only WAF solution in project testing to achieve the ninety-ninth percentile for both quality metrics.

Continuous AI learning and automatic policy management

CloudGuard WAF’s AI engine trains itself on web traffic, analyzing API transactions, detecting deviations from normal, and automatically taking remediation actions. This continuous AI learning eliminates the need for complex firewall rule rewriting because CloudGuard WAF performs policy management automatically with minimal effort from administrators.

CloudGuard WAF also protects APIs by detecting every API route and endpoint across cloud, hybrid, and on-premises environments, providing context on the data present. CloudGuard’s recommendations for schema revisions help improve security over time.

CloudGuard WAF-as-a-service

While the powerful features of CloudGuard WAF have been available for years in AWS Marketplace, CloudGuard WAF is now offered as a service. This new model significantly reduces the time to deployment and supports monthly payments. With just four steps, any organization can protect their web applications and APIs with the power of CloudGuard WAF-as-a-Service in a matter of minutes. The result is close to zero impact on the AWS customer’s environment, with no need to install and maintain an infrastructure-as-a-service solution.

Solution overview

In this section, we demonstrate how to set up CloudGuard WAF-as-a-Service to protect your web applications using the following steps.

1. Log in to your Infinity Portal account.
2. Create a web asset and prove ownership of the domain.
3. Connect your web domain to CloudGuard WAF-as-a-Service.
4. Allow access from CloudGuard WAF-as-a-Service IP addresses.
5. Test access to your site.

Prerequisites

To follow this walkthrough, complete the following prerequisites.

• Have or create an Infinity Portal account.
• Purchase and activate CloudGuard WAF-as-a-Service from the AWS Marketplace.
• Verify ownership of the DNS configuration for the protected domain.
• Have or create an internal web address for the asset.

Solution walkthrough: Add AI-powered WAF-as-a-Service security on AWS in minutes

To secure your traffic for each domain in each asset protected by CloudGuard WAF-as-a-Service, you need to perform the following four steps.

Step 1 – Log in to your Infinity Portal account and navigate to CloudGuard WAF as shown in Figure 1.

If you do not have an Infinity Portal account, follow the steps in the Getting Started with the Infinity Portal guide to create one.

This image shows the Check Point Infinity console and highlights their WAF solution under CloudGuard.

Figure 1 – WAF on Check Point console

Step 2 – Create web asset and prove ownership of domain

1. Create a new web asset by navigating to New Asset > Web Application as shown in Figure 2.

This image shows the Welcome to CloudGuard WAF screen.

Figure 2 – Create a new Web Asset

2. As shown in Figure 3, in the Policy tab, choose Profiles and select the WAF-as-a-Service profile that was automatically created during the New Web Application wizard in Step 1.

This image shows how to create a SaaS profile for a WebApp

Figure 3 – Select WebApp SaaS Profile

3. For each web domain pending validation, choose the web domain and follow the instructions to prove ownership by adding a CNAME record with the provided name and value in your DNS configuration, as shown in Figure 4.

This image shows the instructions for proving ownership by adding a CNAME record with the provided name and value in your DNS configuration.

Figure 4 – Proving web domain ownership

You need to perform the action shown in Figure 4 for each web domain. For example, if you are protecting both www.<insert your domain>.net and api.<insert your domain>, you need to prove ownership for each web domain separately, as shown in Figure 5.

This image shares an example domain configuration for a domain that needs to be protected.

Figure 5 – Example domain configuration for www.<insert your domain>.net

Step 3 – Connect your web domain to CloudGuard WAF-as-a-Service

Important: Before performing this step, disable any existing Amazon CloudFront configuration for your website’s address.

1. Once domain ownership is verified (which can take up to 30 minutes), a CNAME record will be issued.

2. Change the existing DNS CNAME record for the domain you want to protect, updating its value to the provided string as shown in Figure 6.

After DNS propagation worldwide, traffic will pass through CloudGuard WAF-as-a-Service and then be routed to your internal web server.

Figure 6 – Successful domain validation and updating existing DNS to new CNAME

Allow Access from CloudGuard WAF-as-a-Service IP addresses

In this step, you add IP addresses to the access list allowed by your internal web server, and you may need to remove IP addresses that are no longer needed.

Because DNS propagation can take up to 72 hours, we recommend only adding IP addresses as needed but not removing any access from the web server until 72 hours have passed and you have tested your connectivity through WAF-as-a-Service.

1. For each asset protected by CloudGuard WAF-as-a-Service, configure the upstream URL for the reverse proxy function to allow access from the IP addresses provided in the CloudGuard WAF UI deployment form. Allow access only from those addresses.

2. If the domain was previously exposed publicly, reduce accessibility and allow traffic only from those IP addresses.

3. If the domain was previously accessible only from a configured reverse proxy, add the WAF-as-a-Service IP addresses to the access list and consider removing irrelevant IP addresses from the previous reverse proxy as shown in Figure 7.

Figure 7 – IPs allowlisted and domain ready to test access

Step 4 – Test access to your site

After completing the previous steps, test access to your site. Changing DNS records typically takes a few hours to propagate worldwide, but it can take up to 72 hours.

Make sure you verify that you have not left a publicly exposed domain in your previous environment.
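The allowlist step and the exposure check above can be scripted. The following is an added example, not code from this post or from Check Point: it compares the source ranges your origin currently accepts with the WAF-as-a-Service addresses and defers removals until 72 hours have passed and access through the WAF has been tested. The function and variable names are hypothetical, and the addresses are constructed from documentation ranges; the real ones come from the CloudGuard WAF UI deployment form.

```python
import ipaddress

PROPAGATION_HOURS = 72  # upper bound for DNS propagation given in this post

# Constructed sample data (RFC 5737 documentation ranges), not real WAF addresses.
SAMPLE_WAF_IPS = ["192.0.2.10/32", "192.0.2.11/32", "198.51.100.7/32"]
SAMPLE_CURRENT = ["0.0.0.0/0", "192.0.2.10/32", "203.0.113.0/24"]


def _covers(outer, inner):
    """True if network `outer` fully contains `inner` (never across IP versions)."""
    return outer.version == inner.version and inner.subnet_of(outer)


def plan_origin_allowlist(current_sources, waf_ips, hours_since_dns_change,
                          tested_via_waf):
    """Return which source ranges to add, remove now, or remove later."""
    waf = [ipaddress.ip_network(c) for c in waf_ips]
    current = [ipaddress.ip_network(c) for c in current_sources]

    # Existing rules that admit only WAF addresses stay in place.
    keep = [c for c in current if any(_covers(w, c) for w in waf)]
    # Everything else lets non-WAF sources reach the origin.
    extra = [c for c in current if c not in keep]
    # WAF addresses that would lose access once `extra` is removed.
    add = [w for w in waf if not any(_covers(k, w) for k in keep)]

    # Removals wait for full propagation and a successful test through the WAF.
    can_remove = hours_since_dns_change >= PROPAGATION_HOURS and tested_via_waf
    return {
        "add_now": [str(n) for n in add],
        "remove_now": [str(n) for n in extra] if can_remove else [],
        "remove_later": [] if can_remove else [str(n) for n in extra],
        # A /0 rule (IPv4 or IPv6) means the origin is still open to everyone.
        "publicly_exposed": [str(c) for c in current if c.prefixlen == 0],
    }


if __name__ == "__main__":
    for hours, tested in ((5, False), (80, True)):
        plan = plan_origin_allowlist(SAMPLE_CURRENT, SAMPLE_WAF_IPS, hours, tested)
        print(hours, tested, plan)
```

Feed it the source CIDRs from your origin's access list (for example, a security group's inbound rules); anything reported under `publicly_exposed` after the removal phase means the origin can still be reached without passing through the WAF.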

Conclusion

In this post we learned how Check Point’s CloudGuard WAF-as-a-Service represents a significant advancement in web application and API security by offering organizations a powerful yet simplified approach to protecting their digital assets. The four-step deployment process dramatically reduces implementation time while eliminating the complexities of infrastructure management. Whether you are looking to enhance your existing security posture or implement a new WAF solution, CloudGuard WAF-as-a-Service offers a compelling combination of advanced protection, ease of use, and cost-effectiveness through its flexible AWS Marketplace subscription model. Take the next step in securing your web applications and APIs by exploring a demo or connecting with Check Point’s team today.

 
Ready to get started?

Contact Check Point, request a demo, or find Check Point CloudGuard WAF-as-a-Service in AWS Marketplace today!

About the authors

Tyler Carrigan

Tyler Carrigan is a communicator, plain and simple. He has been breaking down technical topics for over a decade, from the US Navy Submarine force to leading a community of Linux administrators. He now specializes in cloud security.

Dhanil Parwani

Dhanil is a Senior Partner Solutions Architect at AWS. He works closely with networking, security and AI partners to build solutions and capabilities to enable and simplify their migrations and operations in the cloud. He holds an MS in Telecommunications from the University of Colorado Boulder and has a passion for computer networking. Outside of work, Dhanil is an avid traveler and enjoys cheering for Liverpool FC.

Vinit Anshuman

Vinit Anshuman is a technology partner leader in AWS Marketplace specializing in integration and innovation of security and AI solutions. He has three patents and spearheads strategic initiatives to deliver cutting-edge, scalable and secure AI driven solutions to customers and partners. Outside of work Vinit likes hiking in nature and mentoring students.

David Hill

David is a Technical Alliance Manager and Cloud Evangelist at Check Point. He works closely with AWS to find synergies for tighter integration around cloud security. You will typically find David on stage talking cloud, racing motocross with his son and daughter, or watching his hometown football club, Middlesbrough FC.