Security Practices

CloudGuard WAF provides two Security Best Practices that can be easily activated in Detect/Learn mode or Prevent Mode: Web Application Protection and Web API Protection.

The practices use multiple security engines to analyze HTTP web requests and to deliver an accurate verdict on whether the request is malicious or benign. The engines protect applications and APIs against unknown and advanced web attacks, validate API input, distinguish humans from bots, and protect against well-known attacks and CVEs.

CloudGuard WAF Security Practices

  • Web Application Protection Practice

    • Contextual Machine Learning based-WAF

    • Anti-Bot Protection

    • Intrusion Prevention

    • File Security

    • Custom Signatures (SNORT)

  • Web API Protection Practice

    • Machine Learning-based WAF looks for malicious payloads inside API requests

    • Schema Validation module ensures that API requests adhere to the API schema

    • Intrusion Prevention

    • File Security

    • Custom Signatures (SNORT)

Security Engines

Contextual Machine Learning-based WAF: Prevent OWASP Top 10 and Advanced Attacks

This patented engine protects against advanced and zero-day web attacks. It executes a three-stage HTTP web request analysis and delivers an accurate verdict. It uses Contextual Machine Learning to identify whether a web request is malicious or benign and provides:

  1. A better false-positive rate than a traditional WAF (in a traditional WAF, decisions are mainly based on signature matches).

  2. Zero-day protection by blocking attack scenarios that a signature-only approach does not block. For example, Log4Shell and Spring4Shell were blocked by CloudGuard WAF preemptively, without any software update.

  3. Reduced administration time, because it is not constantly necessary to tune the engine, create exceptions, disable signatures, and so on.

Learn more about the Contextual Machine Learning engines in the next section of this documentation.

API Security: Validate Schema and Prevent Attacks

Frequently, software developers do not include verification of API input in their code.

The CloudGuard WAF API security component provides two protection models: positive and negative. Administrators can enable either one of them, or both.

  • The positive model delivers preemptive protection for possible API vulnerabilities through a schema validation procedure.

    API schemas in OpenAPI format (as used by "Swagger") are uploaded to CloudGuard WAF.

    Incoming API requests are validated against these schemas, and all invalid API requests are blocked.

    CloudGuard WAF supports OpenAPI Schemas V3 and above.

  • The negative model uses the WAF and automatically detects and blocks malicious payloads in the API.
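The positive model described above, as an added illustration (not CloudGuard WAF code): a minimal validator that admits only requests matching a constructed OpenAPI v3 fragment for a hypothetical GET /users/{id} endpoint, and rejects unknown paths and methods, undeclared query parameters, wrong types and out-of-enum values, without any attack signature.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Constructed OpenAPI v3 fragment for a hypothetical GET /users/{id} endpoint.
OPENAPI = {
    "paths": {"/users/{id}": {"get": {"parameters": [
        {"name": "id", "in": "path", "required": True,
         "schema": {"type": "integer"}},
        {"name": "fields", "in": "query", "required": False,
         "schema": {"type": "string", "enum": ["name", "email"]}},
    ]}}},
}

def _match_path(template, path):
    # Turn "/users/{id}" into a regex with a named group per path parameter.
    pattern = re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template)
    m = re.fullmatch(pattern, path)
    return m.groupdict() if m else None

def _value_ok(value, schema):
    """Check a string parameter value against the declared type and enum."""
    if schema.get("type") == "integer" and not re.fullmatch(r"-?\d+", value):
        return False
    return "enum" not in schema or value in schema["enum"]

def validate_request(method, target, spec=OPENAPI):
    """Positive model: allow only what the schema describes. Returns (allowed, reason)."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    for template, ops in spec["paths"].items():
        path_params = _match_path(template, parts.path)
        if path_params is None:
            continue
        op = ops.get(method.lower())
        if op is None:
            return False, "method not defined for path"
        declared = {p["name"]: p for p in op.get("parameters", [])}
        for name in query:  # anything the schema does not declare is rejected
            if name not in declared or declared[name]["in"] != "query":
                return False, f"undeclared query parameter {name!r}"
        for name, p in declared.items():
            if p["in"] == "path":
                value = path_params[name]
            elif name in query:
                value = query[name][0]
            elif p.get("required"):
                return False, f"missing required parameter {name!r}"
            else:
                continue
            if not _value_ok(value, p["schema"]):
                return False, f"parameter {name!r} violates schema"
        return True, "ok"
    return False, "path not in schema"
```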

Anti-Bot Protection: Distinguish Humans from Bots

CloudGuard WAF Anti-Bot protection component performs a three-step procedure:

  1. Inject scripts into web application pages, such as login pages.

  2. Collect data about input patterns and analyze keystroke sequences, mouse movements, and finger touches.

    Bots do not produce such patterns. If a bot artificially creates such patterns, CloudGuard WAF identifies them.

  3. Decide whether the input was entered by a human or by an automatic script (such as a bot), and block the bot activity.

Intrusion Prevention (IPS) for HTTP/S

In addition to the Contextual Machine-Learning based engine, CloudGuard WAF provides traditional signature-based protections for over 2800 web-based CVEs (Common Vulnerabilities and Exposures). The signatures are delivered automatically to agents/gateways as soon as the Check Point Security Research team releases them. One benefit of these signatures is that the resulting logs indicate the specific CVE number.

File Security

Files uploaded to the web server may contain malicious content. CloudGuard WAF's File Security contains several engines that detect such malicious files.

Custom Signatures (Snort Engine) - Early Availability

Admins can add signatures in Snort format, and the CloudGuard WAF Security Engines enforce them.
