Imperva Cyber Community

Config a website in Imperva with GTM (F5)

  • 1.  Config a website in Imperva with GTM (F5)

    Posted 03-31-2020 10:55
    What is the best practice to configure a website in Imperva Cloud WAF when the website is at the same time configured in GTM (Global Traffic Manager, F5)?

    I modified the origin server to the FQDN that the GTM responds to, but when traffic begins to flow through Imperva it detects that some IPs of the origin servers are down.


    victor pinzon

  • 2.  RE: Config a website in Imperva with GTM (F5)

    Imperva Employee
    Posted 04-02-2020 09:36
    Hi Victor,

    It's an interesting question.
    Is load balancing configured on Imperva Cloud WAF side?
    Usually we recommend persistence for this kind of deployment.

    Ira Miga
    Knowledge Engineer

  • 3.  RE: Config a website in Imperva with GTM (F5)

    Imperva Employee
    Posted 05-08-2020 12:41

    Hi Victor,

     Great question, and thanks for adding the Real-time Server screenshot. I will summarize some high-level details here.

    A few considerations can help you configure Cloud WAF with GTM solutions easily.

    -  Please review the GTM policy; if the site is Active-Passive, GTM should be fine.

    -  If the GTM has multiple Active IPs, then Geo-based or proximity-based options may have a delay problem for any CDN to fail over quickly in case the
       Active site is down, even with a short TTL to match your failure expectations.

    -  The Geo DB in GTM may not have the correct Imperva POP IP location, which can result in DNS for a client ending on the wrong origin; that is a bad user
       experience and raises data-locality concerns for compliance needs.

    -  It is preferred to either have multiple DCs in Imperva (requires a Load Balancing subscription) so the Cloud WAF knows which origin to choose based
       on the Imperva preferred policy, or use DNS resolution from GTM, which has your preferred health checks for services.

    -  Please review the Imperva GSLB solution, which can reduce this DNS hop with GTM (requires a Load Balancing subscription that includes origin monitoring
       and content rewriting).

    Now coming to LTM:

    -  Please review whether load balancing is based on IP or on session tracking (like a cookie). If traffic distribution is based on IP, then disable "Origin Connection Reuse" for that site in the delivery settings in Imperva services, to prevent the same session from being sent to multiple servers in the LTM pool. The function of "Origin Connection Reuse" is to re-use existing available TCP connections that are opened for a client, and LTM may fast-forward to the first client-server based on LTM policy.


    Now coming to the screenshot:

    -  The details in the screenshot are based on the monitoring config, which cannot be changed if your account does not have a Load Balancing subscription.

    -  The Passive health check is indicating 501-599 HTTP code responses from the origin. SIEM is the best option to review these, or add an IncapRule to alert
       on these responses so you can review them in Events without needing SIEM.

    Abhishek Gupta
    Customer Success team
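The last point in the reply above (reviewing 501-599 origin responses in a SIEM, or alerting on them) is the kind of check that is easy to do outside the Imperva console as well. The script below is an added example, not code from the thread or from Imperva: it takes a simplified JSON-per-line log layout that is constructed for this example (the field names `origin_ip` and `origin_status` are assumptions, not the real Cloud WAF or SIEM export schema) and flags any origin pool member whose recent responses are mostly in the 501-599 range that the passive health check reports. A sliding window and a minimum sample count keep a single transient 503 from flagging a healthy origin, which matters when GTM is rotating several active IPs behind the origin FQDN.

```python
"""Flag origin servers returning 501-599 responses behind Imperva Cloud WAF.

Added example, not code from the Imperva thread. The log format below is a
simplified JSON-per-line layout CONSTRUCTED for this example; it is not the
real Cloud WAF / SIEM export schema. Replace parse_lines() with a parser for
your actual export before using this on production logs.
"""
import json
from collections import defaultdict, deque
from typing import Dict, Iterable, Iterator

# Constructed sample: one JSON object per line. 'origin_ip' is the pool member
# that answered (the IP GTM/LTM ended up selecting behind the origin FQDN);
# 'origin_status' is the HTTP status that member returned to the WAF proxy.
SAMPLE_LOG = """\
{"ts": "2020-05-08T12:40:01Z", "site": "www.example.com", "origin_ip": "203.0.113.10", "origin_status": 200, "path": "/"}
{"ts": "2020-05-08T12:40:02Z", "site": "www.example.com", "origin_ip": "203.0.113.11", "origin_status": 502, "path": "/"}
{"ts": "2020-05-08T12:40:03Z", "site": "www.example.com", "origin_ip": "203.0.113.11", "origin_status": 504, "path": "/api"}
{"ts": "2020-05-08T12:40:04Z", "site": "www.example.com", "origin_ip": "203.0.113.10", "origin_status": 404, "path": "/x"}
{"ts": "2020-05-08T12:40:05Z", "site": "www.example.com", "origin_ip": "203.0.113.11", "origin_status": 503, "path": "/"}
{"ts": "2020-05-08T12:40:06Z", "site": "www.example.com", "origin_ip": "203.0.113.10", "origin_status": 500, "path": "/"}
{"ts": "2020-05-08T12:40:07Z", "site": "www.example.com", "origin_ip": "203.0.113.12", "origin_status": 501, "path": "/"}
this line is not JSON and must be skipped
"""

WINDOW = 5        # most recent responses per origin to consider
THRESHOLD = 0.6   # fraction of the window that must be 501-599 to flag
MIN_SAMPLES = 2   # do not judge an origin on a single response


def is_passive_failure(status: int) -> bool:
    """True for the 501-599 range the reply says the passive check reports.
    A plain 500 is deliberately NOT counted, to match the stated range."""
    return 501 <= status <= 599


def parse_lines(text: str) -> Iterator[dict]:
    """Yield parsed records; skip lines that are not JSON objects or that
    lack the two fields this example needs (assumed field names)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict) or "origin_ip" not in rec or "origin_status" not in rec:
            continue
        yield rec


def failing_origins(records: Iterable[dict], window: int = WINDOW,
                    threshold: float = THRESHOLD,
                    min_samples: int = MIN_SAMPLES) -> Dict[str, float]:
    """Return {origin_ip: failure_ratio} for origins whose recent responses
    meet the threshold. Only the last `window` responses per origin count,
    and an origin with fewer than `min_samples` responses is never flagged."""
    recent: Dict[str, deque] = defaultdict(lambda: deque(maxlen=window))
    for rec in records:
        recent[rec["origin_ip"]].append(is_passive_failure(int(rec["origin_status"])))
    result: Dict[str, float] = {}
    for ip, flags in recent.items():
        if len(flags) < min_samples:
            continue
        ratio = sum(flags) / len(flags)
        if ratio >= threshold:
            result[ip] = round(ratio, 2)
    return result


if __name__ == "__main__":
    for ip, ratio in sorted(failing_origins(parse_lines(SAMPLE_LOG)).items()):
        print(f"ALERT origin {ip}: {ratio:.0%} of its last responses were 501-599")
```

On the constructed sample only 203.0.113.11 is reported: 203.0.113.10 answered 200/404/500 (a 500 is outside the 501-599 range the reply names), and 203.0.113.12 has a single 501, below the minimum sample count. When several of an origin FQDN's pool members show up here at once, cross-check it against the GTM health-check results before assuming the WAF's monitoring is wrong.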