Great question, and thanks for adding the Real-time Server screenshot. I will summarize some high-level details here.
A few considerations can help you configure Cloud WAF with GTM solutions easily.
- Please review the GTM policy; if the site is Active-Passive, GTM should be fine.
- If the GTM has multiple Active IPs, then Geo-based or proximity-based options may have a delay problem, as it is hard for any CDN to fail over quickly when the Active site is down, even with a short TTL, to match your failure expectations.
- The Geo DB in GTM may not have the correct Imperva POP IP location, which can result in DNS for the client ending up on the wrong origin; that is a bad user experience and raises data-locality concerns for compliance needs.
- It is preferred to have multiple DCs in Imperva (requires a Load Balancing subscription), so the Cloud WAF knows which origin to choose based on the Imperva preferred policy, and to use DNS resolution from GTM, which has your preferred health checks for services.
- Please review the Imperva GSLB solution, which can reduce this DNS hop with GTM (requires a Load Balancing subscription that includes origin monitoring and content rewriting): https://docs.imperva.com/bundle/cloud-application-security/page/introducing/load-balancing-failover.htm
Now coming to LTM:
- Please review whether load balancing is based on IP or session tracking (like a cookie). If traffic distribution is based on IP, then disable "Origin Connection Reuse" for that site in the Delivery settings in Imperva services to prevent the same session from being sent to multiple servers in the LTM pool. The function of "Origin Connection Reuse" is to re-use existing available TCP connections that are opened for a client, and LTM may fast-forward to the first client-server based on the LTM policy.
Now coming to the screenshot:
- The details on the screenshot are based on the monitoring config, which cannot be changed if your account does not have a Load Balancing subscription. https://docs.imperva.com/bundle/cloud-application-security/page/settings/monitoring-settings.htm
- The Passive health check is indicating 501-599 HTTP code responses from the origin. SIEM is the best option to review these, or add an IncapRule to alert on these responses so you can review them in Events without needing SIEM.
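As an added example (not part of the reply above and not Imperva's own tooling), here is the kind of check you would run in a SIEM before deciding whether an alert rule for origin 501-599 responses is worth adding: it parses a few constructed access-log lines and counts, per origin server, how many responses fall in that range. The log layout (timestamp, client IP, origin host, path, origin status) is an assumption, not Imperva's log format; note that a plain 500 is deliberately left out, matching the 501-599 range the passive health check counts.

```python
"""
Count origin-side 501-599 responses per origin server in constructed WAF
access-log lines, the kind of check a SIEM would run before adding an alert.
The field layout is an assumption, not Imperva's log format.
"""
import re
from collections import Counter

# Constructed sample lines: timestamp, client IP, origin host, path, origin status.
SAMPLE_LOG = """\
2019-06-01T10:00:01Z 203.0.113.10 origin-a.example.net /login 200
2019-06-01T10:00:02Z 203.0.113.11 origin-b.example.net /api/items 502
2019-06-01T10:00:03Z 203.0.113.12 origin-b.example.net /api/items 503
2019-06-01T10:00:04Z 203.0.113.10 origin-a.example.net /cart 200
2019-06-01T10:00:05Z 203.0.113.13 origin-b.example.net /health 504
2019-06-01T10:00:06Z 203.0.113.14 origin-a.example.net /api/items 500
2019-06-01T10:00:07Z 203.0.113.15 origin-a.example.net /search 404
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<origin>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_origin_failure(status):
    """True only for the 501-599 range the passive health check reports (500 is excluded)."""
    return 501 <= status <= 599


def count_origin_failures(log_text, threshold=2):
    """
    Return (failures, totals, alerting) where failures and totals are Counters
    keyed by origin host and alerting lists origins whose 501-599 count reached
    `threshold`, i.e. the ones an alert rule would have fired for.
    """
    failures = Counter()
    totals = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not fit the assumed layout
        totals[rec["origin"]] += 1
        if is_origin_failure(rec["status"]):
            failures[rec["origin"]] += 1
    alerting = sorted(o for o, n in failures.items() if n >= threshold)
    return failures, totals, alerting


if __name__ == "__main__":
    failures, totals, alerting = count_origin_failures(SAMPLE_LOG)
    for origin in sorted(totals):
        print(f"{origin}: {failures[origin]}/{totals[origin]} responses in 501-599")
    print("origins meeting alert threshold:", alerting)
```

Raising `threshold` or keying the counts by path as well turns the same loop into a per-service view, which is useful when only one backend behind the LTM pool is unhealthy.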
Copyright @ 2019 Imperva. All rights reserved