Imperva Cyber Community


Imperva blocking new certificate

  • 1.  Imperva blocking new certificate

    Posted 07-01-2020 07:48
    Imperva was the front end of our load balancers. We have since then disabled and removed some of the cert/applications from Imperva, but we still have two URLs that are serving up old certificates that Imperva has. The admin said the applications were removed from Imperva, but when we check the URL it still shows the old certificate. We have verified with network that this VIP is still going through Imperva first but the Imperva admin refuses to listen. Where can I have him check to see if Imperva is still in the front blocking the new cert?
    #ImpervaAgent
    #LoadBalancer

    ------------------------------
    Richard Burton
    Lexisnexis
    GA
    ------------------------------


  • 2.  RE: Imperva blocking new certificate

    Imperva Employee
    Posted 07-01-2020 09:02
    Hi Richard, 

    Can you confirm which product is in use? For example, is this the Cloud WAF or on-premises WAF?

    Your post has the #ImpervaAgent tag, but agents are used only for Database Activity Monitoring (DAM).


    Thanks.

    ------------------------------
    Jaired Anderson
    Principal Consultant
    Imperva
    Tulsa OK
    ------------------------------



  • 3.  RE: Imperva blocking new certificate

    Posted 07-01-2020 09:08
    Morning Jaired Anderson, it is the on-premises WAF.

    ------------------------------
    Richard Burton
    Lexisnexis
    GA
    ------------------------------



  • 4.  RE: Imperva blocking new certificate

    Imperva Employee
    Posted 07-01-2020 09:30
    Hi Richard,

    The SSL certificates are added at the HTTP service level, under the definitions tab.

    Please see for reference: https://docs.imperva.com/bundle/v14.2-web-application-firewall-user-guide/page/533.htm


    Important things to note:

    The WAF is often deployed in Bridge mode, which operates at Layer 2. In this mode, the WAF does not terminate the connection (which means it does not present the certificate to the client), unless Transparent Reverse Proxy (TRP) is in use. For more information on TRP, please see: https://docs.imperva.com/bundle/v14.2-web-application-firewall-user-guide/page/3097.htm

    TRP rules require the certificate to be defined.

    The other mode of deployment is Kernel Reverse Proxy, or KRP, which operates at Layer 3. In this mode, traffic must be intentionally routed to a VIP that resides on the WAF. The certificates reside in the same place as they do for bridge mode, but are also defined in KRP routing rules.

    It is important to understand how the traffic is being routed.

    If traffic is currently still routed through the WAF, and it is operating in TRP or KRP mode, removing the certificate will cause the site to go down completely.

    ------------------------------
    Jaired Anderson
    Principal Consultant
    Imperva
    Tulsa OK
    ------------------------------
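
One way to check from the outside which hop is presenting the old certificate, as an added example that is not part of the original thread and is not Imperva tooling: fetch the certificate served on the public VIP, fetch the one served when connecting to the load balancer directly, and compare both with the newly issued certificate. The function names, the command-line arguments and the existence of a network path that reaches the load balancer without passing through the WAF are assumptions; the PEM file is assumed to hold a single certificate.

```python
import hashlib
import socket
import ssl
import sys


def der_fp(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def pem_fp(pem_text: str) -> str:
    """Fingerprint of the new certificate as issued (PEM file contents)."""
    return der_fp(ssl.PEM_cert_to_DER_cert(pem_text.strip()))


def served_fp(address: str, sni: str, port: int = 443) -> str:
    """Fingerprint of the leaf certificate presented at `address` for `sni`."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # inspection only: the certificate is
    ctx.verify_mode = ssl.CERT_NONE  # fingerprinted, not trusted
    with socket.create_connection((address, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return der_fp(tls.getpeercert(binary_form=True))


def diagnose(public_fp: str, direct_fp: str, new_fp: str) -> str:
    """Decide which hop presents the stale certificate."""
    if public_fp == new_fp:
        return "ok: the public URL serves the new certificate"
    if direct_fp == new_fp:
        return ("intercepted: a device in front of the load balancer terminates "
                "TLS with its own copy (consistent with TRP or KRP on the WAF)")
    if public_fp == direct_fp:
        return "load-balancer: the load balancer itself still serves the old certificate"
    return "both: neither the public path nor the load balancer serves the new certificate"


if __name__ == "__main__":
    # Usage: script.py <hostname> <public VIP> <load balancer address> <new-cert.pem>
    host, public_addr, direct_addr, pem_path = sys.argv[1:5]
    with open(pem_path) as fh:
        new = pem_fp(fh.read())
    print(diagnose(served_fp(public_addr, host), served_fp(direct_addr, host), new))
```

An "intercepted" result is the case to take to the WAF admin: the certificate would still be defined on the HTTP service or in a TRP/KRP rule, and per the reply above it has to be replaced there rather than removed while traffic is still routed through the WAF.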