skiingmadman
Employee

Best Practices Securing GenAI Applications with Check Point Firewalls and WAF


The rapid adoption of Generative AI (GenAI), including chatbots, autonomous agents, and multi-step agentic workflows with access to sensitive systems, code execution, and web resources, has introduced new risks that challenge current security systems. This post summarizes key solutions to these risks from the recent Check Point whitepaper Securing GenAI Applications.

Pretty much all organizations adopting GenAI must rely on multi-cloud and/or hybrid cloud deployments to control costs and accelerate innovation. In these architectures, infrastructure-agnostic, "IP free firewalls" become essential to delivering consistent NAT, access control, Zero Trust enforcement, and micro and macro network segmentation. Extending proven security solutions to GenAI workloads requires both deeper cloud-native integration and GenAI-specific controls.

AI is expanding attack surfaces from packets to LLM prompts

It’s common for modern enterprises to manage hundreds or even thousands of virtual cloud networks, connected through network overlays such as SD-WAN, VPNs, virtual WANs, and direct inter-cloud connectivity. This distributed topology historically produced fragmented firewall estates across hardware, software/virtual, and application firewalls, which ended up driving the creation of centrally managed, infrastructure-agnostic firewalls. These are now increasingly referred to as Hybrid Mesh Firewalls. In parallel, WAF capabilities have expanded too, from traditional HTTP protection into API discovery, schema enforcement, and automated intrusion prevention. "Times they are a-changing," and if you don't adjust now you will pay the hard way later.

GenAI increases security complexity, creating new threat categories:

  • Direct and indirect LLM jailbreaks via crafted prompts
  • Prompt injection through poisoned inputs or RAG sources
  • Agentic misuse leading to unintended code execution or data modification, like updating with fake data
  • API abuse initiated by AI systems rather than humans
  • Model-driven data exfiltration resistant to standard DLP patterns

Equally important, emerging agentic frameworks and MCP tool ecosystems increase CVE exposure on internet-accessible systems connected to highly privileged assets. So it's critical to prevent threats that arise from open-source components and those listed in the OWASP Top 10.

Hybrid mesh firewalls secure GenAI

To keep up with new cyber threats, it's best to start with securing all network layer traffic. Whether the attack is prompt exploitation or a high-volume evasion technique, it reaches both traditional applications and LLM-powered bots/agents as malicious packets traversing networks. So modern firewalls with machine learning and deep packet inspection are mandatory; they aren't optional anymore. Hybrid Mesh Firewalls provide gateway enforcement across branches, data centers, private and public cloud environments, enabling unified deep packet inspection, threat prevention, and segmentation. Check Point provides hybrid mesh firewalls that are engineered for dynamic public and private cloud virtual environments and that secure AI-based workloads and applications. Check Point firewalls enable dynamic policies based on cloud-native object group names and deliver firewall auto-scaling based on network load, so that optimal security services are deployed at all times, reducing organizational risk and costs.

Fig 1. Hybrid Mesh Firewalls Protect GenAI Apps. Check Point cloud firewalls secure layers 3-7 with East-West inspection and micro and macro network segmentation to prevent data leakage and unauthorized intrusion.

The rise of GenAI accelerates the need for hybrid cloud network security to ensure data accessibility, security, and scale:

  • Managed GenAI platforms requiring cloud proximity and high performance networks
  • RAG data governance constraints demanding regional or on-premises residency
  • Private cloud networks are often integrated with public cloud AI services

The outcome is complex network topologies where consistent, policy-driven segmentation is essential to prevent excessive lateral movement by agents, MCP tools, or compromised AI pipelines. Luckily, Check Point firewalls are engineered for on-premises, private, and public cloud to ensure optimal security while providing the network performance demanded by GenAI workloads and applications. Check Point cloud firewalls provide dynamic policies to reduce manual policy changes while autoscaling up and down with leading public and private cloud virtual network environments.

Securing LLM data exchange with WAFs

For the most part, GenAI-powered applications remain web applications. They expose HTTP and API interfaces and therefore inherit classic network security risks. Traditional WAFs already block a significant portion of GenAI-adjacent threats through:

  • Schema enforcement on LLM facing APIs
  • ML first anomaly detection
  • IPS coverage for zero day and CVEs
  • Rate limiting for token expensive endpoints
  • API discovery to prevent schema drift
  • Bot mitigation for automated credential attacks and scraping

Where traditional controls fall short

GenAI introduces classes of risk that operate inside LLM reasoning and agent decision chains that are missed by traditional WAFs:

  • Jailbreak instructions embedded in user or retrieved content
  • Tool misuse triggered by model hallucination or error
  • Cross system injection via auto-generated output
  • Data exfiltration hidden by IP packet stuffing or obfuscated formats
  • Off policy content generation or behavioral drift

These behaviors may never violate API schemas or network controls, yet they produce operational and data security failures. Securing GenAI requires bidirectional, model-aware inspection of prompts and responses in addition to traditional security.

Building a GenAI ready WAF

To close these gaps, Check Point has extended WAF with low latency, AI-powered protections that evaluate both inputs to and outputs from LLMs. These controls integrate directly into existing hybrid mesh and WAF policy frameworks.
Fig 2. Check Point WAF provides 2 machine learning engines to inspect and either approve or block LLM input/output for schema enforcement and drift reduction.

Key GenAI focused WAF capabilities include:

  • Prompt injection and jailbreak prevention
    Real-time evaluation detects manipulation attempts that override system instructions across 100+ languages and obfuscation strategies.
  • GenAI-aware data loss prevention
    Detection and masking of PII, credentials, secrets, system prompts, and proprietary data in both inbound and outbound model data exchanges.
  • Malicious and unknown link defense
    Identification of untrusted URLs to prevent RAG poisoning and retrieval based phishing.
  • Content policy moderation
    Enforcement against generation of harmful, abusive, or policy-violating output including crime, hate, illegal drugs, violence, sexual content, and weapons.
  • Agentic/tool overreach control
    Verification that AI initiated API actions remain in contract, combined with rate limiting for looping or cascading agent behavior.
  • Output sanitization
    This one is tough, but it protects downstream systems from consuming insecure LLM output, such as output containing SQL, XSS, command injection, or embedded code fragments.
  • Custom detectors
    Regex driven policies for organization specific identifiers or sensitive terminology.

These capabilities remain centrally managed, cloud agnostic, and integrated with existing enforcement architectures. They operate regardless of whether organizations use hosted foundation models, open-source self-hosted models, or CSP native offerings.
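
As an added illustration (not Check Point's implementation and not code from the whitepaper), the sketch below shows how the data loss prevention, output sanitization and custom detector items above can be combined into one bidirectional check. The detector names, regex patterns, the `PRJ-` identifier format and the HTML sink are all assumptions made for the example.

```python
import html
import re
from dataclasses import dataclass

# Constructed detectors: names and patterns are illustrative assumptions.
MASK = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "project_id": re.compile(r"\bPRJ-\d{6}\b"),  # hypothetical custom identifier
}
# Output patterns that should not reach a downstream interpreter unreviewed.
BLOCK = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon\w+\s*=\s*[\"']", re.I),
    "stacked_sql": re.compile(r";\s*(?:drop|delete|truncate|alter)\s+\w+", re.I),
    "command_substitution": re.compile(r"\$\([^)]+\)"),
}

@dataclass
class Verdict:
    action: str     # "allow", "mask" or "block"
    text: str       # what may be forwarded (empty when blocked)
    findings: list  # names of the detectors that fired

def inspect_message(text: str, direction: str) -> Verdict:
    """Inspect one prompt ("inbound") or model response ("outbound")."""
    if direction == "outbound":
        hits = [name for name, rx in BLOCK.items() if rx.search(text)]
        if hits:
            return Verdict("block", "", hits)
    findings, masked = [], text
    for name, rx in MASK.items():
        masked, count = rx.subn(f"[{name.upper()}_REDACTED]", masked)
        if count:
            findings.append(name)
    if direction == "outbound":
        # Assumes the response is rendered into HTML by the consuming system.
        masked = html.escape(masked, quote=True)
    return Verdict("mask" if findings else "allow", masked, findings)

# Constructed sample traffic.
SAMPLES = [
    ("inbound", "Summarise ticket PRJ-004211 for alice@example.com"),
    ("outbound", "Key is AKIAABCDEFGHIJKLMNOP, use <b>carefully</b>"),
    ("outbound", "Run: SELECT 1; DROP TABLE users"),
]

if __name__ == "__main__":
    for direction, text in SAMPLES:
        print(direction, inspect_message(text, direction))
```

Pattern matching of this kind covers only the masking, sanitization and custom-detector items; detecting jailbreaks and prompt injection requires semantic analysis that regexes cannot provide.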

Learn more about securing GenAI

GenAI redefines application risk boundaries. The security perimeter now extends from packets and APIs to prompts, agentic reasoning steps, and LLM outputs. Hybrid Mesh Firewalls and advanced WAFs remain foundational, but they must be extended with GenAI-specific controls to prevent jailbreaks, tool abuse, data leakage, and poisoned retrieval flows.

By integrating innovative GenAI-aware detection with proven hybrid cloud network and application security architectures, organizations can secure heterogeneous multi-cloud environments without redesigning their security blueprint, delivering consistent policy enforcement from network packets to APIs to LLM prompts.

Get smarter on GenAI security risks and how to mitigate them by reading the Securing GenAI Applications whitepaper and learn how one vendor is leading the industry and already doing this today.

 

1 Reply
the_rock
MVP Platinum

Amazing!

Best,
Andy