
Certificates and Private Keys

CloudGuard AppSec Gateways implement a reverse proxy that can serve pages to users over HTTPS. To use this capability, you need to provide a certificate and private key that correspond to the site name(s) that users will access (e.g. https://www.acme.com, https://api.acme.com).

Storage options

There are two methods for storing certificates and private keys when deploying on AWS or Azure. When deploying on VMware, only the first option is available:
  • On the AppSec Gateway itself - a simple procedure allows you to upload the certificates and private keys directly to your gateway(s) using Secure Copy Protocol (SCP/SSH). No further configuration is required - CloudGuard AppSec locates the local files automatically.
    • Advantage: you have full control of your secrets
    • Disadvantage: does not support automatic scaling
  • In the platform's secrets vault - if you are using CloudGuard AppSec on AWS or Azure, you can store the certificates and private keys in the secured vault of that platform, and the AppSec Gateway fetches them from there.
The certificates are fetched when the AppSec Gateway first loads and are checked again for updates every time you Enforce policy.
When deploying on Azure/AWS, storage selection occurs in the asset configuration wizard when a new profile is created. It is also available via Cloud->Profiles for CloudGuard AppSec Gateway profiles that enforce assets with HTTPS URLs.
For all other deployment options, the same location contains "Setup Instructions" for the method used to deploy certificates for HTTPS traffic.

Multiple certificates

When there are multiple web applications or APIs, the CloudGuard AppSec Gateway can automatically fetch the relevant certificates and private keys.
Example: you have two applications and one API endpoint to protect:
  • www.acme.com
  • www.acme.com/sales
  • products.acme.com/catalog
Consider two possible cases:
  1. You have one wildcard certificate for *.acme.com
    • Place the certificate on your gateway by following the instructions in the next section. AppSec will use it for all relevant applications.
  2. You have two certificates: (1) for www.acme.com and (2) for products.acme.com
    • Place both certificates on your gateway by following the instructions in the next section. AppSec will automatically use certificate 1 for the first two applications/APIs and certificate 2 for the last application.
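The following Python is an added illustration, not Check Point's code (CloudGuard's internal selection logic is not documented here): it models how the two scenarios above resolve by matching each asset's host name against the DNS names each certificate covers, using the usual RFC 6125 wildcard rule that `*.acme.com` matches exactly one label. The certificate names and the exact-beats-wildcard preference are assumptions of the example.

```python
from urllib.parse import urlsplit

# Constructed sample: the three assets from the page and the two certificate
# scenarios it describes. Each certificate is modelled only by the DNS names
# it covers (its Subject Alternative Names); no real key material is involved.
ASSETS = [
    "https://www.acme.com",
    "https://www.acme.com/sales",
    "https://products.acme.com/catalog",
]
WILDCARD_CERT = {"wildcard": ["*.acme.com"]}
TWO_CERTS = {"cert1": ["www.acme.com"], "cert2": ["products.acme.com"]}


def name_matches(pattern, host):
    """RFC 6125-style host matching: a wildcard is allowed only as the whole
    left-most label and matches exactly one label, so *.acme.com covers
    www.acme.com but neither acme.com nor deep.www.acme.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return (len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:]
            and h_labels[0] != "")


def select_certificate(asset_url, certs):
    """Return the name of the certificate whose SAN list covers the asset's
    host, or None. Only the host part of the URL matters: a TLS certificate
    never depends on the path, so www.acme.com and www.acme.com/sales share
    one certificate. An exact SAN entry wins over a wildcard (assumption)."""
    host = (urlsplit(asset_url).hostname or "").lower()
    if not host:
        return None
    for name, sans in certs.items():
        if host in (s.lower() for s in sans):
            return name
    for name, sans in certs.items():
        if any(name_matches(s, host) for s in sans):
            return name
    return None


def certificate_map(certs):
    """Resolve every asset on the page against one certificate scenario."""
    return {url: select_certificate(url, certs) for url in ASSETS}


if __name__ == "__main__":
    for scenario in (WILDCARD_CERT, TWO_CERTS):
        for url, cert in certificate_map(scenario).items():
            print(f"{url:40} -> {cert}")
```

A host with no matching certificate (for example a bare `acme.com` asset under the wildcard-only scenario) resolves to `None`, which is the case to catch before enforcing policy.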

Validating the certificate of the internal server

The reverse proxy takes incoming HTTP/S requests and forwards them to an internal server.
When the connection to the internal server uses HTTPS, that server presents a certificate, and the best practice is to validate it.
The Advanced Reverse Proxy settings include the configuration option "Trusted CA chain for protected server SSL verification". Use this option to configure the trusted CA chain against which the certificate presented by the internal server is validated, for enhanced security.