Imperva Cyber Community

  • 1.  WAF and mTLS

    Posted 08-05-2021 05:16
    Do Cloud WAF and WAF Gateway support mTLS?
    If so, can it be used as a hybrid with TRP of WAF Gateway?

    #CloudWAF(formerlyIncapsula)
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Kim Mirae
    Engineer
    Seoul
    ------------------------------


  • 2.  RE: WAF and mTLS

    Community Manager
    Posted 08-09-2021 06:35
    Hi Kim,

    Thanks for posting. I touched base with a couple of our product managers for the inside scoop!

    For WAF Gateway: MTLS for TRP is coming in V14.5 (planned to be released in Q4). It's already supported in NGRP.

    For Cloud WAF: MTLS is not currently supported but is high on the priority list. Watch this space.

    Our product teams are always keen to hear from users, so remember to note any feature requests on uservoice. You can list your request and also vote for other feature requests to help push them up the priority list.

    Thanks,

    ------------------------------
    Sarah Lamont
    Digital Community Manager
    ------------------------------



  • 3.  RE: WAF and mTLS

    Posted 08-10-2021 07:57
    Thank you for the answer.

    Additionally, I know that TLSv1.3 is supported in V14.4.
    You said that mTLS will be supported in V14.5 this time.

    Our customers are interested in the above two things.
    Are there any restrictions on TLSv1.3 and mTLS? Are there only differences in versions?

    Example: In the case of TLSv1.3, V14.4 is supported, and only 6th generation (X4520, X6520, X8520, etc.) is supported.
    Also, it can be set only in Reverse Proxy Mode.

    Are there any restrictions and considerations for the above two for future response?


    ------------------------------
    Kim Mirae
    Engineer
    Seoul
    ------------------------------



  • 4.  RE: WAF and mTLS

    Imperva Employee
    Posted 08-10-2021 10:41
    Hi Kim,


    I hope this helps.

    Thanks,

    ------------------------------
    Eyal Gur
    Not Provided
    Tel Aviv CA
    ------------------------------



  • 5.  RE: WAF and mTLS

    Posted 11-08-2021 07:35
    Hi,

    We are searching for more details and proper documentation on this.

    - link to the WAF User guide points to a page regarding Adv. Bot Protection?
    - the release notes link points to another thread, I did not find details about MTLS here.
    - I searched the 14.4 admin guide for the term "MTLS" - no success
    - I searched the documentation library for "MTLS" - no success

    Customer asks for MTLS and mentioned the RSASSA-PSS signature algorithm and 4096-bit key lengths. Is that supported? What are the steps required to set this up?

    Thanks

    Martin

    ------------------------------
    Martin Schmitz
    Owner
    Martin Schmitz IT Security Consulting
    Korschenbroich
    ------------------------------



  • 6.  RE: WAF and mTLS

    Community Manager
    Posted 11-08-2021 08:39
    Hi Martin,

    Thanks for posting. You can find the full user guide here.

    In this instance, you may be best to raise your query with support, so that they can best advise you. 

    It would be great if you could share info here whenever the case is resolved. 

    Thanks,

    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 7.  RE: WAF and mTLS

    Posted 12-07-2021 23:00
    Even we have a requirement whether Cloud WAF can support MTLS

    ------------------------------
    Nikhil Chodankar
    Assistant Manager (Application Security Specialist)
    Prudential Services Asia
    Central
    ------------------------------



  • 8.  RE: WAF and mTLS

    Community Manager
    Posted 12-08-2021 03:27

    Hi Nikhil,

    Thanks for posting.

    @Martin Schmitz - Did you receive any feedback from support that you could share here?

    Thanks,

    Sarah



    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 9.  RE: WAF and mTLS
    Best Answer

    Posted 12-08-2021 04:08
    Hi,

    yes we talked to support and received some documents.

    In all the documents I have, it seems Imperva is avoiding the term "MTLS", which is a standard on the market; IMPV only refers to Certificate Authentication, which has been around on Imperva WAF for a couple of years now. (Maybe it's worth checking the docs again, as it now seems IMPV admin guides etc. are no longer fixed documents; the content may vary depending on the time you download it.)

    However, we seem to have "woken up" some people: in the night of my request (Nov 8th), Imperva added the required Signature Algorithm RSASSA-PSS to the list which is used by MTLS (check the date, November 9th :-)
     

    https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/76813.htm


    So in the end, we still have no solid information on this. The plan is now that we'll have to test it ourselves.... I would have done it in my lab, but I do not have the correct application to test with. So we are currently setting up a test lab in the customer's network. Customer is a very (!) big company, so that is a project that takes a couple of weeks. Then I hope we can convince the "customer's customer" who requested this to provide us with a copy of the application.

    Btw, here is the answer I received from support:

    Thank you for contacting Imperva Support.

    I understand you have a query regarding the implementation of mTLS in your environment.

    MTLS is supported in v13.6 for KRP and v14.x for NGRP.

    From v14.5 it will be supported in TRP/ABR.

     

    mTLS is still a new feature and we have limited documentation available at the moment.

    However, I can provide additional information on this in the form of FAQs which have been copied below, along with links to the relevant documentation:

      

    Is there any special configuration needed?

    • Yes. Please see user guide for GW <--> Client side

            https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/59388.htm    

            https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/2622.htm

     

    And documentation for Client/GW side (CA needs to be configured):

            https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/2618.htm

            https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/2620.htm

            https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/2622.htm

     

    Are there any limitations?

    • We have different signature algorithms support for KRP and NGRP, see here:

    https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/76813.htm  (This list is not complete – it should be updated)

     

    Do we need to have MTLS on both sides of the proxy or can we only have it on the GW/server side?

    Both sides

     

    Are there any TLS version requirements?

    – this is version dependent. V13.6 – v14.3 supports TLS 1.0, 1.1, 1.2 and v14.4 supports TLS 1.0, 1.1, 1.2, 1.3. v14.5 will support TLS 1.2 & 1.3 only.


    So if anyone has managed to set this up and test it successfully I'd be happy if that person could share the experience! Maybe even someone at Imperva has implemented this at some point? Or is there a new version of SuperVeda available that makes use of MTLS so we can use to test it?

    Thanks

    Martin

    ------------------------------
    Martin Schmitz
    Owner
    Martin Schmitz IT Security Consulting
    Korschenbroich
    ------------------------------
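
A lab check for the RSASSA-PSS and 4096-bit requirement raised in this thread, as an added example (not part of any post and not Imperva tooling): it builds a throwaway CA and client certificate with the `openssl` CLI and reports the signature algorithm and key size that a gateway doing certificate authentication would be asked to accept. It covers the certificate's signature only, not the handshake signature; the function names, file names and subject CNs are assumptions made for the example.

```shell
#!/bin/sh
# Added lab example: not from the thread and not Imperva tooling.
# Function names, file names and subject CNs are assumptions for this example.

# Build a throwaway CA and client certificate: RSA-4096 keys, RSASSA-PSS signatures.
make_lab_pki() {   # $1 = output directory
  d=$1
  mkdir -p "$d" || return 1
  # Minimal config so the result does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3ca\n[dn]\nCN=unused\n[v3ca]\nbasicConstraints=critical,CA:TRUE\n' >"$d/lab.cnf"
  # CA: ordinary RSA key; -sigopt switches the padding from PKCS#1 v1.5 to PSS.
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 30 \
    -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
    -config "$d/lab.cnf" -subj "/CN=Lab mTLS CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # Client key and CSR (the CSR's own signature does not carry into the cert).
  openssl req -new -newkey rsa:4096 -nodes -sha256 \
    -config "$d/lab.cnf" -subj "/CN=lab-client" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
  # Issue the client certificate from the CA, again with a PSS signature.
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 30 \
    -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
    -out "$d/client.crt" 2>/dev/null || return 1
  # The chain must verify before it is worth loading anywhere.
  openssl verify -CAfile "$d/ca.crt" "$d/client.crt" >/dev/null
}

# Print "<signature algorithm> <public key bits>" for a PEM certificate.
cert_profile() {   # $1 = certificate file
  txt=$(openssl x509 -in "$1" -noout -text) || return 1
  sig=$(printf '%s\n' "$txt" | sed -n 's/^ *Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1)
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  echo "$sig $bits"
}

# Exit 0 only for an RSASSA-PSS-signed certificate with a key of 4096 bits or more.
meets_pss4096() {  # $1 = certificate file
  set -- $(cert_profile "$1")
  [ "$1" = "rsassaPss" ] && [ "${2:-0}" -ge 4096 ]
}
```

Run `make_lab_pki ./lab-pki` and then `meets_pss4096 ./lab-pki/client.crt`; the same check works on any PEM certificate handed over for testing.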



  • 10.  RE: WAF and mTLS

    Imperva Employee
    Posted 12-09-2021 09:35
    Yes.  In CloudWAF it is referred to as Client Certificates.  See https://docs.imperva.com/bundle/cloud-application-security/page/more/client-certificate-support.htm

    ------------------------------
    Jim Burtoft (Prm)
    SE
    Imperva
    State College PA
    ------------------------------