This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Using Azure Application Gateway as a WAF in front of CloudGuard IaaS

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chris_Beckett1
Employee Alumnus
Employee Alumnus
8 8 11K
‎2019-01-07 03:39 AM

I've been asked several times about if CloudGuard is a WAF product (that's another discussion!) and how best can a dedicated WAF service be placed in front of CloudGuard IaaS gateways. As all the requests came from customers using Microsoft Azure, I decided to look into the Application Gateway.

In short, the Application Gateway is basically a "load balancer on steroids" and provides much the same functionality as a standard SKU Azure Load Balancer, but with the added benefit of WAF capabilities. As our reference architecture in Azure uses a load balancer and one or more gateways, this seemed the obvious choice for the deployment.

I wrote a lab guide to deploying this solution, as with most cloud topics, it will age very quickly, but hopefully give you a good starting point if you have a project that has strict requirements on having a WAF service at the Azure perimeter. It's very much a first draft, so there will be mistakes and also outdated information, please provide any feedback below.

Note this is not official Check Point documentation or advice, deploy this solution at your own risk. No warranties implied, may contain nuts. Check Point are not responsible for any service charges accrued by this deployment. The value of investments may go down as well as up.

Tags (3)
8 Comments
Martin_Valenta
Advisor
‎2019-01-08 05:14 AM

How is it with traffic decryption between app gw and Check Point? 

0 Kudos
Chris_Beckett1
Employee Alumnus
Employee Alumnus
‎2019-01-29 05:10 AM

You can terminate SSL on the Application Gateway itself and reduce the load on the gateways, but that is optional.

Configure an application gateway with SSL termination - Azure portal | Microsoft Docs 

Rajesh_Sawant
Employee Alumnus
Employee Alumnus
‎2019-08-19 09:50 AM

Does it support the latest Cloudguard HA template ??

In standard ELB, it does heath probe on TCP & forwards the traffic to active GW. How it will work with AGW ??

0 Kudos
JeetJ
Explorer
‎2019-08-21 10:49 AM

Hello,

We have a customer requirement of implementing the WAG behind Checkpoint as NVA on Azure, can someone please guide on this configuration.It involves configuration of UDR on Azure

Kurt_Abela
Contributor
‎2019-11-06 05:00 AM

we have used the above recommendations and managed to configure WAF in front of Checkpoint Scale Set, thanks!

one question, if we need to add more inbound NAT rules to other hosted services not using WAF, I believe that similar to a more "traditional" IAAS setupm we would need the Azure Load Balancer acting as the 'front end load balancer'. How will this interact with WAF? Should it be deployed in front of WAF or side by side? 

0 Kudos
Prabulingam_N1
Advisor
‎2020-12-13 04:46 AM

Hello Chris,

Tried your setup and worked fine.

Now how can access 2nd Webserver if deployed?

 

Regards, Prabu

0 Kudos
Prabulingam_N1
Advisor
‎2020-12-13 10:44 PM

Hello Oded_Gonda,

Thanks for your inputs. (Yet to try Infinity/WAAF and will checkup)

Since customer using VMSS, I followed Chris document and able to secure 1 Web server.

But if I deploy 2nd Server or more how to use in HTTP Settings?

Im unable to use it.

 

@Chris - Any idea to use 2nd Web server as per your document please. (using Azure ApplicationGW)

 

Regards, Prabu

0 Kudos
Labels