No, it can't, as the certificate and private key can't be exported from Azure PaaS.
So if AppSec doesn't have the private key, it can't intercept the traffic. Also, it can only protect web services.
If you are using PaaS DB or Storage service, AppSec is not the relevant product.
The same goes for CloudGuard Network Security. You can protect your PaaS service up to the transport layer (4); the GW won't be able to catch many of the IPS signatures, for example.
In order to use CloudGuard Network Security with PaaS, you will need to use a private endpoint and UDR.
We will have an SK that explains exactly how to do that in a few days.
Thanks for your response. Follow-up question since you brought up certs. For every application we want protected by AppSec, we would need to upload the cert to AppSec, correct? Also, when it comes to renewing the certs, we would have to upload them again. Is there a more efficient way to handle certificate management if we had 100s of web apps to protect?
No, the certificates are being managed on the cloud provider; it's explained in the admin guide.
You just need to associate the AppSec instances with a role that provides access to the certificate on the certificate manager and the private key on the secret manager.