Imperva Cyber Community


Cloud WAF Workshop: Website Onboarding and TLS Implementation Demo Webinar Recording

By Seana Murray posted 23 days ago

  

Hi Community,

Just want to share this insightful webinar with you all. The Cloud WAF Workshop provided a hands-on learning experience focused on the essential steps of onboarding a website to the Imperva Cloud Web Application Firewall (WAF) and implementing Transport Layer Security (TLS) for optimal protection. In this interactive session, Chaithra Ravichander guided participants through a step-by-step demonstration that simplified the onboarding process and showcased how to securely configure TLS to safeguard web applications against modern cyber threats. The session also detailed DNS record management, emphasized the importance of SSL certificate validation, and highlighted key steps for strengthening overall website security.

Throughout the workshop, attendees gained practical knowledge and actionable skills, including:

  • Efficient methods for onboarding websites to the Cloud WAF

  • Best practices for configuring and managing TLS certificates

  • Techniques for ensuring secure, encrypted communication between clients and applications

  • Troubleshooting strategies for common onboarding and TLS setup challenges

  • Tips for maintaining long-term security and compliance

Below are some questions that were not answered live:

1. Could you show me onboarding a website in case we migrate DNS records to Imperva? Are the steps similar?
Yes, the steps for updating the DNS records on the server are similar to what was demonstrated. Please refer to the recordings for reference.
 
2. On-Prem vs Cloud WAF, which is more secure?
It depends on the customer's business requirements.
 
3. Does Imperva support primary DNS configuration for domain? If yes, what changes are required?
I believe you are referring to DNS protection; if yes, the details are below.
 
https://docs-cybersec.thalesgroup.com/bundle/cloud-application-security/page/dns-basic-managed.htm
 
4. Let's assume my website is hosted, for example, in GoDaddy. What is the usual approach to make sure that an attacker is not bypassing Imperva by adding a local hosts file if he already knows my website IP?
On the server, allowlist Imperva’s IP address ranges and configure IP restriction policies to ensure secure and controlled access.
https://docs-cybersec.thalesgroup.com/bundle/z-kb-articles-knowledgebase-support/page/290228110.html?pk_vid=176231033264bb93
 
5. To expand the question, if my website is hosted inside my premises then I can make sure that only Imperva IPs are allowed to access my website through my firewall.
But when the website is hosted on a hosted platform we don't have control to limit the access to the website to only allow Imperva IPs.
In most cases, an externally hosted platform will offer some control options. If IP restriction isn’t supported, you can use a defense-in-depth strategy to protect against other external risks.
 
6. How do you automate renewal of SSL certs?
Imperva supports automated SSL/TLS certificate provisioning and renewal for domains protected by its Cloud WAF service. 
One of the available validation options is the CNAME-based domain validation method, which simplifies SSL management and removes the need for manual certificate handling.
 
7. In an Imperva WAF deployment, is it possible for the client-to-Imperva communication to be over HTTPS while the Imperva-to-origin server communication happens over HTTP? 
If so, what are the security or configuration considerations for that setup?
Yes, we can help to enable offloading from the backend configuration. However, this is less secure due to unencrypted communication between Imperva and the origin.
 
http://im-confluence.atlassian.net/wiki/spaces/KC/pages/19637061/Support+How-to+Using+the+Internal+API+to+enable+HTTPS+to+HTTP+from+PoP+to+origin+SSL+offloading
 
8. Maybe another question not related to this, but what to do if the CNAME limit is reached on the account?
There is no limit for CNAMEs. Ideally, the limit is for the number of sites based on subscription.
 
9. Hi team, we are new to Imperva. For SSL certs CNAME validation, how often are we expected to perform this validation? Is this a set-and-forget setting once the initial CNAME DNS value is added?
When you configure a top-level domain for automatic validation, Imperva provides you with a unique CNAME value. Once configured in your DNS, Imperva can automatically validate your domain ownership for the domain.
To ensure seamless automatic re-validation of your domains for future certificate renewals, you must maintain the relevant CNAME records within your DNS configuration.
 
10. In this scenario you can configure a feature called "CNAME Reuse".
When you reuse a CNAME, Imperva proxies make a public DNS query to find the host and resolve it to the original site.
To reuse a CNAME, use the CNAME provided by Imperva for all relevant domains that you want to link under the same site configuration and policy used by the target record.
 
CNAME reuse can be used for domains hosted by the same origin server (same IP address).

SSL support:

  • Imperva-generated site certificate (valid for SNI clients only): Domains explicitly added to the Imperva website configuration can be covered by your site certificate. Domains that point to the CNAME but are not specifically added to the website configuration will not be included in the certificate and will not have SSL coverage. Site certificates support up to 50 domains per website.

  • Imperva-generated account certificate (valid for SNI and non-SNI clients): CNAME reuse requires the multiple domains to be under the same wildcard SAN (e.g. *.somedomain.com) configured on the Imperva-generated certificate for the website that is configured in Imperva. Otherwise, each domain should be registered as a separate website.

  • Custom certificate (valid for SNI clients only): CNAME reuse requires the multiple domains to be listed in the custom certificate uploaded for the website that is configured in Imperva.
 
 
11. What's the expected wait time for validation (retry)? In my experience sometimes it's quick, some time it takes forever. Are there any mechanism so we can make it consistent?
SSL validation depends on various factors such as GlobalSign validation and certificate health. If the SSL validation is taking a long time, you can reach out to the support team and we can help to check further from the backend.
 
12. Does every Imperva Cloud WAF account have a static network slide? Like, if I get any specific A record from Imperva for DNS validation, is it unique for me?
Yes, once the site is onboarded to us, we can help to provide the A record entry.

As always, if you have any questions, feel free to reach out!
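
Questions 4 and 5 concern requests that reach the origin without passing through the WAF. The following Python is an added example, not part of the original post or Imperva's tooling: it renders an allowlist for servers that support IP restriction and, for hosting platforms that do not, flags origin log entries whose TCP peer lies outside the WAF ranges. The CIDRs are documentation-space placeholders rather than Imperva's ranges, and the log format, sample lines and function names are constructed for illustration.

```python
import ipaddress

# Placeholder CIDRs from documentation address space (RFC 5737 / RFC 3849).
# Substitute the ranges your WAF vendor publishes; these are not Imperva's.
WAF_RANGES = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:100::/48"]

# Constructed origin access log: "<tcp-peer-ip> <host> <method> <path> <status>"
# The first field must be the socket peer, never a client-supplied header.
SAMPLE_LOG = """\
192.0.2.17 www.example.com GET / 200
198.51.100.40 www.example.com POST /login 302
203.0.113.9 www.example.com GET /admin 200
198.51.100.200 www.example.com GET / 200
2001:db8:100::5 www.example.com GET /api 200
not-an-ip www.example.com GET / 400
"""

def load_networks(cidrs):
    """Parse CIDRs strictly so a typo such as 192.0.2.1/24 fails loudly."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def is_from_waf(peer, networks):
    """True only if the TCP peer address parses and sits inside a WAF range."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False  # fail closed: unparseable peers count as non-WAF
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:a.b.c.d seen on dual-stack listeners
    return any(addr.version == n.version and addr in n for n in networks)

def find_direct_hits(log_text, networks):
    """Return (line_no, peer, path) for requests that did not come via the WAF."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) == 5 and not is_from_waf(fields[0], networks):
            hits.append((line_no, fields[0], fields[3]))
    return hits

def nginx_allowlist(networks):
    """Render allow/deny directives for servers where IP restriction is possible."""
    return "\n".join([f"allow {n};" for n in networks] + ["deny all;"])

if __name__ == "__main__":
    nets = load_networks(WAF_RANGES)
    print(nginx_allowlist(nets))
    for hit in find_direct_hits(SAMPLE_LOG, nets):
        print("direct-to-origin request:", hit)
```

The fourth sample line sits just outside the /25 and is flagged, which is the kind of near miss a hand-maintained allowlist tends to hide.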


#CloudWAF(formerlyIncapsula)
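
The CNAME reuse answer ties SSL coverage to what the certificate actually lists. As an added example (not from the original post or from Imperva), this Python check reviews a set of domains pointed at a reused CNAME against a certificate's SAN list before DNS is changed. It assumes standard TLS hostname matching, takes the 50-domain figure from the post, and uses constructed domain lists and illustrative function names.

```python
SITE_CERT_DOMAIN_LIMIT = 50  # "up to 50 domains per website", as stated in the post

# Constructed inputs: one wildcard SAN and four domains pointed at the reused CNAME.
ACCOUNT_CERT_SANS = ["*.somedomain.com"]
REUSED_DOMAINS = ["shop.somedomain.com", "somedomain.com",
                  "api.eu.somedomain.com", "shop.otherdomain.com"]

def san_matches(san, host):
    """Standard TLS hostname matching: a wildcard covers exactly one left-most
    label, so *.somedomain.com matches neither the apex nor a.b.somedomain.com."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == san[2:]
    return san == host

def coverage(cert_sans, domains):
    """Map each domain to the first SAN that covers it, or None."""
    return {d: next((s for s in cert_sans if san_matches(s, d)), None)
            for d in domains}

def review_reuse_plan(cert_sans, domains, site_certificate=False):
    """Return findings; an empty list means every domain has SSL coverage."""
    findings = []
    if site_certificate and len(cert_sans) > SITE_CERT_DOMAIN_LIMIT:
        findings.append(f"{len(cert_sans)} SANs exceed the site certificate limit "
                        f"of {SITE_CERT_DOMAIN_LIMIT}")
    for domain, san in coverage(cert_sans, domains).items():
        if san is None:
            findings.append(f"{domain}: not covered; add it to the certificate "
                            "or register it as a separate website")
    return findings

if __name__ == "__main__":
    for finding in review_reuse_plan(ACCOUNT_CERT_SANS, REUSED_DOMAINS):
        print(finding)
```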
