Showing results for 
Search instead for 
Did you mean: 
Create a Post

How to configure Check Point as WAF?


We have heard that the Check Point can work as simple WAF.
We are thinking that it is a part of IPS. Becasue there is no WAF blade.

However we couldn't find any documents and information about it in SK or this check mate site.

Could you inform me of how to configure Check Point as WAF?

We know that OWASP Top 10 is renewed in 2017 as below.
A2:2017-Broken Authentication
A3:2017-Sensitive Data Exposure
A4:2017-XML External Entities (XXE)
A5:2017-Broken Access Control
A6:2017-Security Misconfiguration
A7:2017-Cross-Site Scripting
A8:2017-Insecure Deserialization
A9:2017-Using Components with Known Vulnerabilities
A10:2017-Insufficient Logging&Monitoring

We are thinking that the above each item is corresponded to a signature of IPS.


14 Replies

Re: How to configure Check Point as WAF?

I would rather say that CP is more than a WAF - so to configure a CP GW as a WAF only you would have to disable FW, VPN and MOB as well as part of TP Smiley Happy...

0 Kudos

Re: How to configure Check Point as WAF?

Thank you for your comment.

I also think CP is better than WAF in a sense.

I'm concerned if it is necessary for us to customize some IPS signatures to address the OWASP Top 10.

I'd like to know concrete settings for WAF against the OWASP Top 10.

Re: How to configure Check Point as WAF?

I would talk that over with your local CP SE - OWASP Top 10 includes e.g. Authentication Broken, this can not be adressed by IPS signatures only 😉 Customizing IPS signatures themselves is not possible afaik, rather you can customize the IPS profile to fit your needs.

0 Kudos

Re: How to configure Check Point as WAF?

Just check this

Document released 2015, maybe there is a more recent one. Don't know.

and now to something completely different

Re: How to configure Check Point as WAF?

That is a good answer !

Re: How to configure Check Point as WAF?

Thank you for your information.

It is really helpful for me.


Re: How to configure Check Point as WAF?

Re: How to configure Check Point as WAF?

This applies more on the IPS part but I do agree that to get the full benefits of total security all Blades on and on prevent!

Now as far as a Web Application Firewall the actual application needs to be learned in terms of values and variables. Only then you can lock down the application. For this there are specialised vendors offering solutions. But as said above it is a combination of everything.

From CP I just wanted to see some more customisation on IPS signatures like DNS and SSH tunneling... 



0 Kudos

Re: How to configure Check Point as WAF?

Indeed, using a cp is quiet different than using F5 ASM for instance, where you are able to allow/block all details like entry points of an application to parameters, cookies and so on.

But cp is much more secure than nothing 

and now to something completely different
0 Kudos

Re: How to configure Check Point as WAF?

Thank you for all.

I suppose that there are some differences than appliance designed for WAF.

So I'd like to exactly know that cp can not address which vulnerabilities and also which signatures I need to change to prevent/detect. That is why I posted this question into this community.

The best solution is to use both CP and WAF(dedicated product).

This means better leave it to the specialist...

Everyone know that, however due to budget, resource, strategy etc, there is a case customer can not buy both products. At that case, I want to say CP can address OWASP 10 of WAF area and recommend CP rather than WAF because CP has also other functions. 

But I don't know how to exactly set IPS signatures currently.Unfortunately, local SEs don't know that. 

I appreciate if someone inform me of the information.


0 Kudos

Re: How to configure Check Point as WAF?

This is an updated version of something I put together previously for OWASP 2013.

It's accurate to the best of my knowledge and feedback is appreciated.

Note that to cover the majority of the Top 10, other Software Blades than IPS must also be used.

The exact name of the IPS protection will vary, but searching through the IPS signatures should identify the relevant signatures.


OWASP Top 10 (2017)

Description of Check Point Protection

A1 Injection

Check Point IPS Software Blade provides SQL injection, Command/Script injection and LDAP injection protection.

A2 Broken Authentication and Session Management

Check Point IPS blade offers protections against some known attacks on specific servers which exploit known authentication and session management vulnerabilities. Identity Awareness features can also be used for organizational applications intended for internal users.

A3 Sensitive Data Exposure

Check Point DLP and Content Awareness can be used to prevent sensitive data from 

A4 XML External Entities (XXE)

Check Point IPS Software Blade provides IPS protections that protect against attempts to exploit vulnerabilities in XML parsing of XML external entities.

A5 Broken Access Control

Check Point Identity Awareness can restrict access to specific URL.

A6 Security Misconfiguration

Check Point IPS Software Blade provides multiple signatures to address known PHP, ASP and other web engine exploits. Check Point also include signature that can limit the allowed HTTP methods to safe methods only and prevent unsafe methods such as WebDAV and others

A7 Cross-Site Scripting

Check Point IPS Software Blade provides XSS scripting protection.

A8 Insecure Deserialization

Check Point IPS Software Blade provides a number of signatures to protect against deserialization bugs in various implementations

A9 Using Components with Known Vulnerabilities

Network security products may only inspect the traffic that passes over the network. If the use of the vulnerable component results in unique traffic for that component, it may be identified regardless of the application that uses that component. However, if the vulnerable component is an infrastructure used in different ways by different applications, and does not result in distinct traffic that can be identified, it is outside the scope of a network security device.

A10 Insufficient Logging and Monitoring

Check Point SandBlast Agent on managed endpoints can aggregate logs and generate forensic reports when endpoints are compromised. Check Point Security Management exports security logs via industry-standard syslog to other log management solutions. Check Point SmartEvent can be used as an effective monitoring and alerting tool, including automated actions that occur in response to events.


Re: How to configure Check Point as WAF?

Generally in scenarios like this, I have tended to use an open source / Check Point blend i.e. Apache/Nginx with mod_security as a reverse proxy and make sure that the traffic traverses the Check Point gateway after decryption (or use SSL interception).  This allows you to enforce IPS policies on the traffic and use mod_security for what it is good at i.e. web specific protocol enforcement.

You would need to be comfortable with open source for this to be effective.


You might be able to get a lightweight version of this using the Reverse Proxy functionality that is part of MAB depending on how complex your app is ... 

Re: How to configure Check Point as WAF?


At the CPX in Vienna a WAF cooperation with RADWARE was presented.  Unfortunately I don't hear anything about it here.

With Check Point you can currently check some OWASP points.
I've been working with WAFˋs for years. From my point of view it is not a full WAF solution.

Here I miss a lot what other WAF manufacturers offer.

For example:
- Learning mode for web applications
- ways to manipulate web traffic (http redirects, rewrite urls,...)
- transparent proxy layer 2 solution
- proxy based load balancing

I think Check Point should provide a WAF blade in the future.

Tags (1)

Re: How to configure Check Point as WAF?

Tags (1)
0 Kudos