Protect a Web API

CloudGuard WAF provides a configuration wizard that allows you to set up everything you need for basic protection of your web API. Once you completed the wizard you can set up a CloudGuard WAF's AppSec Gateway or Agent to enforce security.

Web API Wizard

Step 1: launch the configuration Wizard:

  1. When logged in to the management portal, click the Policy option in the main navigation menu on the left. You should see the Cloud Getting Started page.

  2. In the Policy -> Getting Started page, click New Asset, then Select Web API. The configuration wizard should open.

Follow these configuration steps in the New Web API wizard:

Step 2: API Details

Complete the following details (which you have prepared before):

  • Name - choose a clear distinguishable name for your API

  • Tags (Optional) - can be used for searches

  • API URLs for users - configure at least one host address with optional port. CloudGuard WAF will protect these hosts. Examples:

    • https://www.acme.com (listen to inbound traffic to this address on all ports)

    • http://www.acme.com:80 (only listen to inbound traffic to this address on port 80)

    • https://www.acme.com/api

    • https://sales.acme.com/api

    • https://172.20.20.4:3000

  • Single application URL for the reverse proxy function - This URL is required, if the asset is secured by a CloudGuard WAF deployment in which the reverse proxy function is configured through the WAF Management. The Reverse Proxy translates the external URL, used by users, into an internal URL and forwards the request to it. This internal URL should be written here (See diagram).

Step 3: Practices

Select the Practices that you want to enable and their Mode:

Modes:

  • Learn/Detect - we recommend starting with this mode as it allows the Machine Learning engine to train and you can examine the system behavior, all while traffic is not affected.

  • Prevent - in this mode traffic will be blocked if malicious traffic is found.

Step 4: Learning

Define how the Machine Learning engine should distinguish between different API sources and who the sources are that can be trusted.

  1. Select the method by which different sources will be distinguished from one another:

  • X-Forwarded-For Header - When there is a Reverse Proxy or ALB between the Reverse Proxy the agent is running on, and the internet - the original source IP address cannot be seen on the networking level. This option allows the Nano-Agent to identify the original source IP inside the X-Forwarded-For header. No additional parameters are required in the common case where a single Reverse Proxy/ALB is found before the agent's deployment.

In the less common case, where there are more than 1 reverse proxy and/or ALB deployments before the reverse proxy with CloudGuard WAF:

  • After the wizard is completed you must edit the created Web Application/API asset object.

  • Add the IP addresses of the previous hops, to allow the distinction between them and the original source address.

This is explained in more details here.

  • Source IP Address- The Nano-Agent uses the source IP address as the identifier. No additional parameters are required.

Additional methods can be defined later by editing the Web Application/API asset object. These include:

  • Cookie Key - when you select this option, you need to add the key name within the cookie whose value is used as the unique identifier of the original source.

  • HTTP Header - when you select this option, you need to add the HTTP header name whose value is used as the unique identifier of the original source.

  • JWT Key - Authenticated API calls send a JSON Web Token (JWT) received by authentication API. This JWT usually contains identifying field. When you select this option, the value of one of the JWT keys can be used as the unique identifier of the original source.

2. If you do not intend to use additional methods, you may already define trusted sources that serve as a baseline for comparison for benign behavior, and how many sources/Addresses must exhibit similar activity for it to really be considered benign by the learning model (Otherwise it is recommended to perform this step after the wizard has been completed by editing the asset and after changing the method by which sources are distinguished).

Step 5: Platform and Deployment configuration

  1. Choose a deployment method:

CloudGuard WAF can be deployed as:

  • A pre-packaged Gateway (Virtual Machine for secure managed reverse proxy):

    • In AWS

    • In Azure

    • In VMware vSphere

  • Early Availability - SaaS WAF service in supported regions world-wide (DNS configuration for your domain will change to its location)

  • A pre-packaged docker containing a secure managed reverse proxy. Note - a user can opt to manage the reverse proxy settings locally.

  • A separate Reverse Proxy/API server Docker + WAF Agent Docker

  • An add-on to an existing/new NGINX Kubernetes Ingress

  • An add-on to an existing/new supported Reverse Proxy/API Server.

If you choose the option of a Virtual Machine (VM), the option of SaaS or the option of a managed docker, you must also enter the internal URL of the application or API or internal load balancer so the reverse proxy function will know to which URL should these asset's external URL be forwarded. This URL must be accessible to the managed Reverse Proxy server but will not be exposed to the outside. This URL was configured in step 1 of the wizard.

Step 6: Certificate storage configuration and deployment instructions

If, during the previous step, a "New Profile" option was selected, then the "Certificates" page will also prompt a decision, relevant for all CloudGuard WAF's AppSec Gateways that will connect to this profile, regarding where the certificates for HTTPS traffic will be stored.

For the WAF SaaS option - the option of bringing your own SSL/TLS certificates will be available in the future.

This decision is only relevant for the pre-packaged Gateway (Virtual Machine) option in AWS and Azure. In those cases it is possible to either select a secure vault in the relevant public cloud, or local storage. This configuration can be later changed by editing the created profile via Cloud->Profiles.

If the "Existing Profile" option was selected, then it will not be possible to choose a different configuration from what is already set in this profile.

Exact setup instructions for certificates will be available in the profile page.

For CloudGuard WAF on AWS or Azure, there are two methods for storing certificates and private keys. For all other deployments only the first is available:

  • On the WAF Gateway itself - a simple procedure allows you to upload the certificates and private keys directly to your gateway(s) using Secure Copy Protocol (SCP/SSH). No further configuration is required - CloudGuard WAF will locate the local files automatically.

    • Advantage: you have full control of your secrets

    • Disadvantage: does not support automatic scaling

  • If you are using CloudGuard WAF on AWS or Azure you can store secrets in secured vaults of these platforms and CloudGuard WAF's AppSec Gateway can fetch it from there.

For WAF SaaS deployment this page will support in the future the option of certificates provided by you. The available option is for WAF SaaS to provide the certificates.

Completing the deployment and providing certificates requires actions after the wizard has ended, for each domain configured on the new asset:

  1. Proving ownership of each domain to allow issuing the certificates for it on WAF SaaS side.

  2. Configuring the DNS record for each domain so traffic to it will be routed to WAF SaaS.

For all other deployment options there is no configuration required WAF web management. However, instructions on how to install the certificates for each deployment appear in both wizard and later on when editing the profile in Policy->Profiles.

Step 7: Summary

Review the configuration summary and choose how you would like to proceed.

By keeping the default selections and clicking Done, you can Publish & Enforce your settings and proceed to the Profile page, which includes instructions for deployment of a CloudGuard WAF's AppSec Gateway, WAF SaaS or Agent.

You can also choose Advanced Settings to explore additional features (such as in Step 6 below) and later proceed with enforcement point deployment.

Step 8 (Optional): Add Schema Validation using your unique openAPI schema file

You can increase the security level by adding an openAPI schema file for your API. CloudGuard WAF will enforce the different unique applicative validations described in the schema file and alert upon attempts to use APIs in a way that does not match your schema.

To activate:

  • Browse to Policy->Assets and select your Web API asset.

  • Select the Threat Prevention tab:

  • Click Upload and select an openAPI schema file (in YAML format)

  • Change the Schema Validation sub-practice Mode from Disabled to As top Level

  • Click Enforce at the top banner

Deploy Enforcement Point - Gateway or Agent

You are minutes away from protecting your Web API. The last step is to deploy an Enforcement Point. See instructions here:

pageDeploy Enforcement Point
PreviousProtect a Web ApplicationNextDeploy Enforcement Point

Last updated