Deploy Enforcement Point
CloudGuard AppSec Enforcement Points are instances deployed in an environment that inspect traffic and enforce security policies. The Enforcement Points can have different form factors (Virtual Machine, Kubernetes Ingress, Docker container or Linux Agent) depending on the environment in which they are deployed. An enforcement point will be referred to as CloudGuard AppSec Gateway or Agent in this documentation. You can read more about the different enforcement points in the Gateways & Agents section.
While most deployment options below support a scalable solution behind a load balancer, there is no full sync High Availability (HA) option. The state between multiple instances within a single deployment is not synced.
Platform | Reverse Proxy / API Server | AppSec Agent |
---|---|---|
Provided by Check Point and managed via WebUI/API/Terraform | Provided by Check Point and managed via WebUI/API/Terraform | |
Provided and managed by Admin | Provided by Check Point and managed via WebUI/API/Terraform | |
Option 1: Provided by Check Point and managed via WebUI/API/Terraform (Alpha). Option 2: Managed by Admin while initial deployment can be provided by Check Point. Initial deployment can be in the same container as the AppSec agent or a separate one. | Provided by Check Point and managed via WebUI/API/Terraform | |
Provided and managed by Admin | Provided by Check Point and managed via WebUI/API/Terraform |
To deploy a CloudGuard AppSec Gateway or Agent you need an Enforcement Profile that determines the deployment type and other parameters related to the deployment.
If you completed the Web Application or Web API configuration wizard, an Enforcement Profile was created for you by the configuration wizard.
To view your profile, select Cloud, then Profiles in the menu on the left.
- If you have just one profile, the system will automatically present it.
- If you have more than one profile, you will be presented with a list of profiles and you can select the one you wish to use.
Profile Type cannot be changed, but you can always create a new one by clicking Back to get to the Profiles selection screen and choosing New at the top toolbar.
To establish secure communication between the CloudGuard AppSec Gateways or Agents and the Check Point Cloud, an authentication token is required. You will be asked to enter this token during deployment, either in the CLI or in a web form. The token can be obtained by clicking the Copy button near the Token field.
If the profile object was just created, make sure to "Enforce" the new configuration prior to using the copied authentication token.
According to security best practices, it is recommended to periodically rotate the token for all future new installations.
Clicking on the icon will invalidate the current token and create a new one that can be copied.
Existing agents that were already registered are not affected.
Note - Once rotated, in order to allow deployments of additional agents, replace all deployment scripts/configuration files/key vault entries that contain the now-invalid token.
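One way to locate files that still carry the rotated token, as an added example that is not part of the Check Point documentation or tooling. It assumes the old token is supplied in a hypothetical `OLD_APPSEC_TOKEN` environment variable and that deployment artifacts sit under a directory you pass in; it also matches the base64 form, since Kubernetes Secret manifests store values base64-encoded and a plain-text search would miss them.

```python
import base64
import os
import sys
from pathlib import Path

MIN_TOKEN_LEN = 12  # assumption: guards against empty/short needles, not a product rule


def token_needles(token: str) -> dict:
    """Byte patterns that reveal the token: the raw value and its base64 form."""
    raw = token.strip().encode()
    if len(raw) < MIN_TOKEN_LEN:
        raise ValueError("token too short to search for safely")
    # Kubernetes Secret manifests store values base64-encoded. Only the output
    # characters built from complete 3-byte groups are independent of whatever
    # follows the token (for example a trailing newline), so match on those.
    stable = base64.b64encode(raw[: len(raw) // 3 * 3])
    return {"plain": raw, "base64": stable}


def find_stale_token(root, token):
    """Return (relative path, line number, encoding) for each hit under root."""
    needles = token_needles(token)
    root = Path(root)
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            lines = path.read_bytes().splitlines()
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        for lineno, line in enumerate(lines, 1):
            for kind, needle in needles.items():
                if needle in line:
                    hits.append((path.relative_to(root).as_posix(), lineno, kind))
    return hits


if __name__ == "__main__":
    # The rotated token is read from the environment to keep it off the
    # command line; OLD_APPSEC_TOKEN is a hypothetical variable name.
    old = os.environ.get("OLD_APPSEC_TOKEN", "")
    found = find_stale_token(sys.argv[1] if len(sys.argv) > 1 else ".", old)
    for rel, lineno, kind in found:
        print(f"{rel}:{lineno}: rotated token present ({kind})")  # token is never printed
    sys.exit(1 if found else 0)
```

The non-zero exit status on a hit lets the sweep run as a pipeline gate after each rotation; key vault entries are outside its reach and still need to be checked in the vault itself.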
On the right side of a Profile page you will find the Download & Deployment instructions per the profile type you selected.
You can follow the on-screen instructions or the more detailed instructions available in the next pages of the documentation.