Main Objective:

The main objective of this document is provide a brief summary of Check Point CG WAF integration with HAProxy in high availability (HA) mode and why this is needed.

Why:
To prevent a single point of failure, most products incorporate some kind of built-in feature for high availability between a primary/active device and the secondary/standby device in the event that if the primary device were to go down, the secondary/active would assume the role of the primary/active device and therefore the traffic is uninterrupted.
With respect to CG WAF, a native HA feature is not available. This might change in the future. However, depending on how you deploy CG WAF, we can achieve HA and load sharing by using virtual machine scale set (VMSS) in Azure and AWS or by using a load balancer such as HAProxy or Netscalar or any other load balancers.

In our use case that follows with HAProxy, we have demonstrated how we can achieve HA and load sharing with CG WAF. 

Use Case 1 – CG WAF in HA using HAProxy as Frontend Load Balancer

Flow
Inbound/Ingress traffic is intercepted by CG WAF (multiple agents) in HA where the next hop is
a web application.

Use Case 2 - CG WAF in HA using HAProxy as Frontend Load balancer and a Backend load
balancer as the next hop.

Flow
Inbound/Ingress traffic is intercepted by CG WAF (multiple agents) in HA where the next hop is
a backend load balancer in HA and the web application.