Shay_Levin
Admin

Guide for Switching from Cloudflare to CloudGuard WAF as a Service

In this article, we will explain how to easily switch from Cloudflare to CloudGuard WAF as a Service without compromising security during the transition process.

Understanding the Transition Challenge

 

Suppose you have a web application that is currently protected by Cloudflare. You want to migrate to using CloudGuard WAF as a Service for your web application firewall protection. However, CloudGuard WAF requires an initial Learning Mode period to understand your application's typical traffic patterns before it can reliably block malicious activity in Prevent Mode.

The challenge is clear: how can you transition to CloudGuard WAF without exposing your application to potential threats during the learning phase?

The answer lies in keeping Cloudflare as the active protection layer while CloudGuard WAF operates in the background in Learning Mode. Once the learning phase is complete, you can safely switch CloudGuard WAF to Prevent Mode and phase out Cloudflare as needed.

Step-by-Step Migration Plan

 

1. Configure CloudGuard WAF in Learning Mode

 

Start by configuring a new asset in CloudGuard WAF to protect your web application in Learning Mode.

If you are not familiar with setting up CloudGuard WAF as a Service for protecting your web application, follow this guide: WAF as a Service Tutorial | Complete Walkthrough & Deployment.


Create an exception rule that drops any traffic reaching the CloudGuard WAF that does not come from Cloudflare IP ranges. For the most up-to-date list, check this page.


2. Maintain Cloudflare as a Security Layer

 

While CloudGuard WAF is in Learning Mode, continue using Cloudflare to protect your application. Do not remove or modify the existing Cloudflare DNS A/CNAME record at this stage.


3. Configure DNS Routing via CNAME

 

To maintain full protection during the transition:

  • Keep Cloudflare DNS as your primary entry point for your application.
  • Update the DNS configuration in Cloudflare to point to the CNAME record of the CloudGuard WAF instead of pointing directly to your frontend application server.

 

Edit the existing A record in Cloudflare: change it to a CNAME record and replace the IP address of the frontend web server with the CNAME value from step 1.


This setup ensures that Cloudflare continues to provide its protection layer while CloudGuard WAF learns the application traffic.

4. Transition to Prevent Mode and Final Switch

 

Once the CloudGuard WAF has completed its learning phase:

  • Switch the WAF to Prevent Mode.


  • Remove the exception rule from step 1 that allows access only from Cloudflare IP ranges.
  • Disable the Cloudflare proxy settings in your DNS records.


At this point, your application will be fully protected by CloudGuard WAF in Prevent Mode, and Cloudflare will no longer act as an active intermediary.
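While the step 1 exception rule is in place, it is worth confirming which source addresses it would drop, since any hit from outside Cloudflare means something is reaching the WAF directly. The script below is an added example, not part of the original guide or of Check Point's tooling. It assumes a hypothetical `key=value` log line with a `src=` field and embeds a small sample subset of Cloudflare's ranges; load the current published list in practice.

```python
import ipaddress

# Sample subset of Cloudflare ranges, embedded so the example runs offline.
# Assumption: in real use, replace this with the current published list.
SAMPLE_CLOUDFLARE_RANGES = [
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
    "172.64.0.0/13", "2400:cb00::/32", "2606:4700::/32",
]

def parse_ranges(cidrs):
    # strict=True rejects entries with host bits set (a common copy/paste error).
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def normalize(addr):
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it matches the IPv4 ranges.
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def is_allowed(addr, networks):
    try:
        ip = normalize(addr)
    except ValueError:
        return False  # unparsable source: treat as not Cloudflare
    return any(ip.version == n.version and ip in n for n in networks)

def audit(lines, networks):
    """Return {source: hit_count} for requests the exception rule would drop."""
    dropped = {}
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        src = fields.get("src", "")
        if not is_allowed(src, networks):
            dropped[src] = dropped.get(src, 0) + 1
    return dropped

# Constructed sample log lines (hypothetical format, not CloudGuard's own).
SAMPLE_LOG = [
    "ts=2025-05-21T07:00:01Z src=104.16.12.7 path=/login",
    "ts=2025-05-21T07:00:02Z src=::ffff:172.64.3.9 path=/",
    "ts=2025-05-21T07:00:03Z src=198.51.100.23 path=/admin",
    "ts=2025-05-21T07:00:04Z src=2606:4700::1111 path=/api",
    "ts=2025-05-21T07:00:05Z src=198.51.100.23 path=/admin",
    "ts=2025-05-21T07:00:06Z src=not-an-ip path=/",
]

if __name__ == "__main__":
    for src, hits in audit(SAMPLE_LOG, parse_ranges(SAMPLE_CLOUDFLARE_RANGES)).items():
        print(f"would be dropped: {src} ({hits} requests)")
```

A non-empty result during Learning Mode points to clients that bypass Cloudflare, which is worth resolving before the rule is removed in step 4.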

Summary

Switching from Cloudflare to CloudGuard WAF should be done gradually and strategically to avoid exposure and service interruptions. By layering the WAF in Learning Mode behind Cloudflare and only making the final switch after sufficient learning, you ensure a secure, smooth transition.

 

 

 

 

 
