Imperva Cyber Community

  • 1.  Can not limit API/URL using Number of Occurences

    Posted 10 days ago
    Hi all,
    I try to limit URL request using Number of Occurrences like below but WAF can not block.
    1
    Another policy, i set Followed Action is Long IP Block instead set Action is Block => sometime OK, sometime NOT.
    1
    I checked GW log and see this one: 
    <div id="NOTIFICATION">25/11/2021 16:11:27.752429 <b>[NOTIFICATION] ActionProcessor.cpp:369</b> ActionProcessor::processAction - received Block action from Mx, for source 14.171.202.228 with duration 3600</div>

    So, What should i do to fix this issue? Anybody know counter on MX or on GW?
    MX: verison 13.5
    GW: version 13.5 (4510x) and version 14.3 (6520x) still the same

    Thanks a lot everyone.


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Tuan Nguyen Van
    Information Security and Compliance
    HA NOI
    ------------------------------


  • 2.  RE: Can not limit API/URL using Number of Occurences

    Posted 8 days ago
    up

    ------------------------------
    Tuan Nguyen Van
    Information Security and Compliance
    HA NOI
    ------------------------------



  • 3.  RE: Can not limit API/URL using Number of Occurences

    Posted 6 days ago
    Hi,
    Try to set Action : Block and valid Followed Action (ex: Long IP Block) in same policy .

    ------------------------------
    Elvin Mammadzada
    System Eng
    SmartIT
    Baku
    ------------------------------



  • 4.  RE: Can not limit API/URL using Number of Occurences

    Posted 6 days ago
    Hi,
    Thanks for your reply but i tried, still the same :(

    ------------------------------
    Tuan Nguyen Van
    Information Security and Compliance
    HA NOI
    ------------------------------



  • 5.  RE: Can not limit API/URL using Number of Occurences

    Community Manager
    Posted 6 days ago
    Hi @Tuan Nguyen Van,

    Thanks for posting and thanks @Elvin Mammadzada for your suggestion.

    I checked in with our internal support team and they recommend that you raise a ticket with support to get to the bottom of this query.

    Thanks,

    Sarah

    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 6.  RE: Can not limit API/URL using Number of Occurences

    Posted 6 days ago
    Hi Sarah,
    Of course i did but they support very slow. I opened case 7 days and they just ask about number of previous case, nothing else.
    And not only this case, another is the same :(

    ------------------------------
    Tuan Nguyen Van
    Information Security and Compliance
    HA NOI
    ------------------------------



  • 7.  RE: Can not limit API/URL using Number of Occurences

    Community Manager
    Posted 6 days ago

    Sorry to hear this Tuan. I will look into this for you.

    Thanks,

    Sarah



    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 8.  RE: Can not limit API/URL using Number of Occurences

    Posted 4 days ago
    Hi,

    Try this:
    1. Change match criteria HTTP Request to HTTP Request URL
    2. I think policy action should always be set up "block" and on "follow action" choose Long IP Block.

    And you have to remember that SITE must be in ACTION mode.


    ------------------------------
    Karol Gruszczynski
    IT SECURITY EXPERT
    Trafford IT
    Warsaw
    ------------------------------



  • 9.  RE: Can not limit API/URL using Number of Occurences

    Posted 4 days ago
    Hi Karol Gruszczynski,
    Thanks for your reply.
    1. Change match criteria HTTP Request to HTTP Request URL => i tried, but the same.
    2. I think policy action should always be set up "block" and on "follow action" choose Long IP Block. => as i know (and tested), it will prioritize Action first.
    In my case, i only want block IP request to URL that i limit, not block IP.
    And another policy that i set Number of Occurrences with Action = None, Follow Action = Long/Short IP Block, it is OK; Action = Block, Follow Action = None or anything else is not OK.


    ------------------------------
    Tuan Nguyen Van
    Information Security and Compliance
    HA NOI
    ------------------------------