Imperva Cyber Community

Expand all | Collapse all

Threat Radar Malicious IP Policy

  • 1.  Threat Radar Malicious IP Policy

    Posted 09-18-2020 10:23
    Hi Everyone,

    I would like to know why HTTP Protocol 1.x policy is hitting before the Threat radar Policy. As it does not make sense to open a packet if the IP seems to be found as malicious.

    can someone please comment on this?

    Nishanth Minikkaran
    Allianz technology

  • 2.  RE: Threat Radar Malicious IP Policy

    Imperva Employee
    Posted 09-21-2020 03:26
    Hi Nishanth,

    Imperva On-Premises WAF implements a multistage processing path, along which packets, streams and messages are assembled, parsed, normalized and analyzed.

    Along this path there are various "hookpoints", where the messages are matched against the various security policies, and where the policy actions are executed.

    These hookpoints are organized in a particular order:

    • Hookpoints with lower ordinals are processed before hookpoints with higher ones.
    • When a policy blocks a message, that message is not sent to the processing path further than that policy's hookpoint, which means that the message is not matched against policies that run at upstream hookpoints. 
    • However, if the message reaches a given hookpoint, all the policies that run at that hookpoint are applied to the message, regardless of those policies order and of each policy action.

    Hope this helps,


    Ira Miga
    Knowledge Engineer

  • 3.  RE: Threat Radar Malicious IP Policy

    Posted 12-17-2020 02:59

    Thank you for your reply,

    Can you please confirm whether the packets needs to be decrypted to apply the threat radar policies to detect the IP as malicious?

    Nishanth Minikkaran
    Allianz technology

  • 4.  RE: Threat Radar Malicious IP Policy

    Posted 12-18-2020 06:30

    For IPs to be detected as Malicious IP under Threatradar policy, shouldn't require (as far as I know) to decrypt the traffic as this database of malicious IPs is already updated by R&D team for threatradar policies and it should block them anyways.

    Nikhil Chodankar
    Prudential Services Asia