Hi,
yes we talked to support and received some documents.
In all the documents I have, it seems Imperva is avoiding the term "MTLS", which is a standard on the market; IMPV only refers to Certificate Authentication, which has been around on Imperva WAF for a couple of years now. (Maybe it's worth checking the docs again, as it now seems the IMPV admin guides etc. are no longer fixed documents; the content may vary depending on the time you download it.)
However, we seem to have "woken up" some people: in the night of my request (Nov 8th), Imperva added the required Signature Algorithm RSASSA-PSS to the list which is used by MTLS (check the date, November 9th :-)
https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/76813.htm
So in the end, we still have no solid information on this. The plan is now that we'll have to test it ourselves... I would have done it in my lab, but I do not have the correct application to test with. So we are currently setting up a test lab in the customer's network. The customer is a very (!) big company, so that is a project that takes a couple of weeks. Then I hope we can convince the "customer's customer" who requested this to provide us with a copy of the application.
Btw, here is the answer I received from support:
Thank you for contacting Imperva Support.
I understand you have a query regarding the implementation of mTLS in your environment.
MTLS is supported in v13.6 for KRP and v14.x for NGRP.
From v14.5 it will be supported in TRP/ABR.
mTLS is still a new feature and we have limited documentation available at the moment.
However, I can provide additional information on this in the form of FAQs, which have been copied below, along with links to the relevant documentation:
Is there any special configuration needed?
- Yes. Please see the user guide for the GW <--> Client side:
https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/59388.htm
https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/2622.htm
And documentation for the Client/GW side (a CA needs to be configured):
https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/2618.htm
https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/2620.htm
https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/2622.htm
Are there any limitations?
- We have different signature algorithms support for KRP and NGRP, see here:
https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/76813.htm (This list is not complete – it should be updated)
Do we need to have MTLS on both sides of the proxy or can we only have it on the GW/server side?
- Both sides.
Are there any TLS version requirements?
- This is version dependent. v13.6 to v14.3 support TLS 1.0, 1.1 and 1.2; v14.4 supports TLS 1.0, 1.1, 1.2 and 1.3; v14.5 will support TLS 1.2 and 1.3 only.
So if anyone has managed to set this up and test it successfully, I'd be happy if that person could share the experience! Maybe even someone at Imperva has implemented this at some point? Or is there a new version of SuperVeda available that makes use of MTLS, so we can use it to test this?
Thanks
Martin
------------------------------
Martin Schmitz
Owner
Martin Schmitz IT Security Consulting
Korschenbroich
------------------------------
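For the "test it ourselves" plan above, here is an added lab check that is not from this thread or from Imperva: it builds a throwaway CA, a server cert and a client cert whose certificate signature is RSASSA-PSS, then runs a mutual-TLS handshake against a local openssl s_server (on a Unix socket, so no port is assumed) over TLS 1.2 and TLS 1.3, with the client also signing its CertificateVerify with RSA-PSS. All names and the directory layout are assumptions; it only needs the openssl CLI (1.1.1 or newer).

```shell
#!/bin/sh
# Added lab check, not from this thread or from Imperva: can a client whose cert
# is signed with RSASSA-PSS, and which signs its CertificateVerify with RSA-PSS,
# complete a mutual-TLS handshake over TLS 1.2 and TLS 1.3? Everything here is
# constructed (throwaway CA, server and client cert, an s_server peer on a Unix
# socket, assumed subject names); needs the openssl CLI, 1.1.1 or newer.
set -eu

make_lab_pki() {                                  # $1 = working directory
  d=$1
  # minimal req config so the CA cert gets CA:TRUE whatever the system openssl.cnf says
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$d/req.cnf"
  openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Lab Test CA" -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  # server cert: ordinary RSA PKCS#1 v1.5 signature from the CA
  openssl req -config "$d/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -out "$d/server.crt" >/dev/null 2>&1
  # client cert: signed with RSASSA-PSS, the algorithm the thread is about
  openssl req -config "$d/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=lab-client" \
    -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -sha256 -sigopt rsa_padding_mode:pss \
    -out "$d/client.crt" >/dev/null 2>&1
  # confirm the cert really carries a PSS signature before relying on it
  openssl x509 -in "$d/client.crt" -noout -text | grep -q rsassaPss
}

# One mutual-TLS handshake against a local s_server that demands a client cert.
# $1 = directory from make_lab_pki, $2 = -tls1_2 or -tls1_3.
# Prints the negotiated protocol on success; returns 1 if the handshake fails
# or the server never saw the client certificate.
mtls_handshake() {
  d=$1; ver=$2; sock="$d/sock"
  rm -f "$sock"
  openssl s_server -unix "$sock" -cert "$d/server.crt" -key "$d/server.key" \
    -CAfile "$d/ca.crt" -Verify 2 -www >/dev/null 2>&1 &
  srv=$!
  i=0; while [ ! -S "$sock" ] && [ "$i" -lt 50 ]; do sleep 0.1; i=$((i+1)); done
  # -ign_eof keeps s_client open until the server closes, so the status page
  # (which lists the client cert the server saw) ends up in $out as well
  out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -unix "$sock" "$ver" \
    -cert "$d/client.crt" -key "$d/client.key" -CAfile "$d/ca.crt" \
    -client_sigalgs RSA-PSS+SHA256 -ign_eof 2>&1) || true
  kill "$srv" 2>/dev/null || true; wait "$srv" 2>/dev/null || true
  echo "$out" | grep -q 'Verify return code: 0 (ok)' || return 1  # server cert OK
  echo "$out" | grep -q 'Client certificate' || return 1          # server saw ours
  echo "$out" | grep -o 'TLSv1\.[23]' | head -n 1
}
```

Against a real gateway you would replace the s_server half with the WAF's listener and keep only the s_client call, then compare the result per TLS version with the support matrix quoted in the thread.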
Original Message:
Sent: 12-08-2021 03:27
From: Sarah Lamont(csp)
Subject: WAF and mTLS
Hi Nikhil,
Thanks for posting.
@Martin Schmitz - Did you receive any feedback from support that you could share here?
Thanks,
Sarah
------------------------------
Sarah Lamont(csp)
Digital Community Manager
Original Message:
Sent: 12-07-2021 23:00
From: Nikhil Chodankar
Subject: WAF and mTLS
We also have a requirement to know whether Cloud WAF can support MTLS.
------------------------------
Nikhil Chodankar
Assistant Manager (Application Security Specialist)
Prudential Services Asia
Central
Original Message:
Sent: 08-04-2021 21:54
From: Mirae Kim
Subject: WAF and mTLS
Do Cloud WAF and WAF Gateway support mTLS?
If so, can it be used as a hybrid with TRP of WAF Gateway?
#CloudWAF (formerly Incapsula)
#On-PremisesWAF (formerly SecureSphere)
------------------------------
Kim Mirae
Engineer
Seoul
------------------------------