Imperva Cyber Community

View Only

Back to discussions

Expand all | Collapse all

WAF and mTLS

Jump to Best Answer

1. WAF and mTLS

2 Like
Mirae Kim
Posted 08-05-2021 05:16
Edited by Sarah Lamont 08-05-2021 05:17
Do Cloud WAF and WAF Gateway support mTLS?
If so, can it be used as a hybrid with TRP of WAF Gateway?

#CloudWAF(formerlyIncapsula)
#On-PremisesWAF(formerlySecuresphere)

------------------------------
Kim Mirae
Engineer
Seoul
------------------------------
2. RE: WAF and mTLS

2 Like
Sarah Lamont
Posted 08-09-2021 06:35
Hi Kim,

Thanks for posting. I touched base with a couple of our product managers for the inside scoop!

For WAF Gateway: MTLS for TRP is coming in V14.5 (planned to be released in Q4). It's already supported in NGRP.

For Cloud WAF: MTLS is not currently supported but is high on the priority list. Watch this space.

Our product teams are always keen to hear from users, so remember to note any feature requests on uservoice You can list your request and also vote for other feature requests to help push them up the priority list.

Thanks,

------------------------------
Sarah Lamont
Digital Community Manager
------------------------------

Original Message
3. RE: WAF and mTLS

0 Like
Mirae Kim
Posted 08-10-2021 07:57
Thank you for answer.

Additionally, I know that TLSv1.3 is supported in V14.4.
You said that mTLS will be supported in V14.5 this time.

Our customers are interested in the above two things.
Are there any restrictions on TLSv1.3 and mTLS? Are there only differences in versions?

Example: In the case of TLSv1.3, V14.4 is supported, and only 6th generation(X4520, X6520, X8520, etc.) is supported.
Also, it can be set only in Revese Proxy Mode

Are there any restrictions and considerations for the above two for future response?

------------------------------
Kim Mirae
Engineer
Seoul
------------------------------

Original Message
4. RE: WAF and mTLS

3 Like
Eyal Gur
Posted 08-10-2021 10:41
Edited by Eyal Gur 08-10-2021 10:43
HI Kim,

Thanks for the question.

Have a look at the release notes of V14.4 and at the user guide: https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/77926.htm .
Also - keep an eye on community for V14.5 release notes.

All restrictions appear in these release notes.

I hope this helps.

Thanks,

------------------------------
Eyal Gur
Not Provided
Tel Aviv CA
------------------------------

Original Message
5. RE: WAF and mTLS

1 Like
Martin Schmitz
Posted 11-08-2021 07:35
Hi,

we are searching for more details and a proper documentation on this.

- link to the WAF User guide points to a page regarding Adv. Bot Protection?
- the release notes link points to another thread, I did not find details about MTLS here.
- I searched the 14.4 admin guide for the term "MTLS" - no success
- I searched the documentation library for "MTLS" - no success

Customer asks for MTLS and mentioned RSASSA-PSS-Signature-algorithmus and 4096 Bits Key lenghts. Is that supported? What are the steps required to set this up?

Thanks

Martin

------------------------------
Martin Schmitz
Owner
Martin Schmitz IT Security Consulting
Korschenbroich
------------------------------

Original Message
6. RE: WAF and mTLS

0 Like
Sarah Lamont
Posted 11-08-2021 08:39
Hi Martin,

Thanks for posting. You can find the full user guide here.

In this instance, you may be best to raise your query with support, so that they can best advise you.

It would be great if you could share info here whenever the case is resolved.

Thanks,

------------------------------
Sarah Lamont(csp)
Digital Community Manager
------------------------------

Original Message
7. RE: WAF and mTLS

1 Like
Nikhil Chodankar
Posted 12-07-2021 23:00
Even we have a requirement whether Cloud WAF can support MTLS

------------------------------
Nikhil Chodankar
Assistant Manager (Application Security Specialist)
Prudential Services Asia
Central
------------------------------

Original Message
8. RE: WAF and mTLS

0 Like
Sarah Lamont
Posted 12-08-2021 03:27
Hi Nikhil,

Thanks for posting.

@Martin Schmitz - Did you receive any feedback from support that you could share here?

Thanks,

Sarah

------------------------------
Sarah Lamont(csp)
Digital Community Manager
------------------------------

Original Message
9. RE: WAF and mTLS
Best Answer

2 Like
Martin Schmitz
Posted 12-08-2021 04:08
Hi,

yes we talked to support and received some documents.

In all the documents I have, it seems Imperva is avoiding the term "MTLS" which is a standard on the market, IMPV only refers to Certificate Authentication which has been around on Imperva WAF for a couple of years now. (maybe it's worth checking the docs again, as now it seems an IMPV admin guides etc are no longer a fixed documents, the content may vary depending the time you download it)

However, we seem to have "woken up" some people, in the night of my request (Nov 8th), Imperva added the required Signature Alorithm RSASSA-PSS to the list which is used by MTLS (check the date, November 9th :-)

https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/76813.htm

So in the end, we still have no solid information on this. The plan is now that we'll have to test it ourselfs.... I would have done it in my lab, but I do not have the correct application to test with. So we are currently setting up a test-lab in the customer's network. Customer is a very (!) big company, so that is a project that takes a couple of weeks. Then I hope we can can convice the "customers customer" who requested this to provide us with a copy of the application.

Btw, here is the answer I received from support:

Thank you for contacting Imperva Support.

I understand you have a query regarding the implementation of mTLS in your environment.

MTLS is supported in v13.6 for KRP and v14.x for NGRP.

From v14.5 it will be supported in TRP/ABR.

mTLS still a new feature and we have limited documentation available at the moment.

However, I can provide additional information on this in the form of FAQ's which have been copied below, along with links to the relevant documentation:



Is there any special configuration needed?

Yes. Please see user guide for GW <--> Client side

        https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/59388.htm

        https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/2622.htm

And documentation for Client/GW side (CA needs to be configured):

        https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/2618.htm

        https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/2620.htm

        https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/2622.htm

Are there any limitations?

We have different signature algorithms support for KRP and NGRP, see here:

https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/76813.htm (This list is not complete – it should be updated)

Do we need to have MTLS on both sides of the proxy or can we only have it on the GW/server side?

Both sides

Are there any TLS version requirements?

– this is version dependent. V13.6 – v14.3 supports TLS 1.0 1.1 1.2 and v14.4 supports TLS 1.0 1.1 1.2 1.3. v14.5 will support TLS 1.2 & 1.3 only.

So if anyone has managed to set this up and test it successfully I'd be happy if that person could share the experience! Maybe even someone at Imperva has implemented this at some point? Or is there a new version of SuperVeda available that makes use of MTLS so we can use to test it?
Thanks

Martin

------------------------------
Martin Schmitz
Owner
Martin Schmitz IT Security Consulting
Korschenbroich
------------------------------

Original Message
10. RE: WAF and mTLS

0 Like
John Thompson
Posted 01-15-2024 17:38
You may also find this useful:

CWAF - Configure Client Certificate Support: https://docs.imperva.com/bundle/cloud-application-security/page/manage-client-certificate.htm

CWAF - Release Notes: https://docs.imperva.com/bundle/cloud-application-security/page/release-notes/2022-11-06.htm

------------------------------
John Thompson
Director, Channel Presales
Imperva
San Diego CA
------------------------------

Original Message
11. RE: WAF and mTLS

1 Like
Jim Burtoft
Posted 12-09-2021 09:35
Yes. In CloudWAF it is referred to as Client Certificates. See https://docs.imperva.com/bundle/cloud-application-security/page/more/client-certificate-support.htm

------------------------------
Jim Burtoft (Prm)
SE
Imperva
State College PA
------------------------------

Original Message

Imperva Cyber Community

WAF and mTLS

Mirae Kim08-05-2021 05:16

Sarah Lamont08-09-2021 06:35

Mirae Kim08-10-2021 07:57

Eyal Gur08-10-2021 10:41

Martin Schmitz11-08-2021 07:35

Sarah Lamont11-08-2021 08:39

Nikhil Chodankar12-07-2021 23:00

Sarah Lamont12-08-2021 03:27

Martin Schmitz12-08-2021 04:08Best Answer

John Thompson01-15-2024 17:38

Jim Burtoft12-09-2021 09:35

1. WAF and mTLS

2. RE: WAF and mTLS

3. RE: WAF and mTLS

4. RE: WAF and mTLS

5. RE: WAF and mTLS

6. RE: WAF and mTLS

7. RE: WAF and mTLS

8. RE: WAF and mTLS

9. RE: WAF and mTLS
Best Answer

10. RE: WAF and mTLS

11. RE: WAF and mTLS

Contact Us

Membership

Privacy & Terms

Imperva Cyber Community

WAF and mTLS

Mirae Kim08-05-2021 05:16

Sarah Lamont08-09-2021 06:35

Mirae Kim08-10-2021 07:57

Eyal Gur08-10-2021 10:41

Martin Schmitz11-08-2021 07:35

Sarah Lamont11-08-2021 08:39

Nikhil Chodankar12-07-2021 23:00

Sarah Lamont12-08-2021 03:27

Martin Schmitz12-08-2021 04:08Best Answer

John Thompson01-15-2024 17:38

Jim Burtoft12-09-2021 09:35

1. WAF and mTLS

2. RE: WAF and mTLS

3. RE: WAF and mTLS

4. RE: WAF and mTLS

5. RE: WAF and mTLS

6. RE: WAF and mTLS

7. RE: WAF and mTLS

8. RE: WAF and mTLS

9. RE: WAF and mTLS Best Answer

10. RE: WAF and mTLS

11. RE: WAF and mTLS

Contact Us

Membership

Privacy & Terms

9. RE: WAF and mTLS
Best Answer