Imperva Cyber Community

  • 1.  Automate Fail-mode configuration

    Posted 11-27-2019 08:20
    In an on-premises environment with an Active-Passive setup, we have two gateways per gateway group with "Fail Mode: Fail_Close", to fail over when a device runs into an issue or has trouble handling live traffic.

    In an exceptional scenario, if both gateways in a gateway group fail, then live traffic will get stuck and all traffic may get dropped.

    So our idea is to find some possible option to automate the "Fail Mode" configuration to "Fail_Open" (without any manual intervention), to make sure there is no disturbance to live traffic.

    Does anyone have an idea or a possible way to achieve it?


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Kabilan Senthamil Selvan
    ------------------------------


  • 2.  RE: Automate Fail-mode configuration

    Posted 11-27-2019 11:37
    If you are running in true GW-HA mode, where you have a primary and a secondary, there is no way to force the GW to fail open.
    We have to do that to ensure we do not cause a loop and to ensure HA works as designed.

    As you mention, this would be an extreme situation, which we would expect to be very rare.

    You would need to route around the GWs or in some way bypass them.


  • 3.  RE: Automate Fail-mode configuration

    Posted 11-28-2019 01:31
    Thanks Phil,

    Yes, I understand that there is no option to force the GW to fail open.

    But, as per my understanding, the status of the gateways is already monitored by the MX. With this, if we get a small script, it may be possible.

    "You would need to route around the GWs or in some way bypass them" --> yes, you are correct.

    What's your view on this?

    ------------------------------
    Kabilan Senthamil Selvan
    Allianz
    ------------------------------



  • 4.  RE: Automate Fail-mode configuration

    Posted 12-04-2019 13:48
    Hi Kabilan,

    A work-around you can consider, which is done by a few of our customers, is to set up your own "GW HA".
    If you have a Layer 7 load balancer that can generate periodic URLs with a basic attack, you can use it as a "healthcheck" for the gateways.
    As long as your device gets the blocking page, it knows that the gateway is up and running in "protected mode".
    If the device doesn't get the blocking page, it means that traffic is passing through unprotected, and it should trigger traffic fail-over to the working device (the one which is blocking).

    Please note - this is something that should be done by your network team and not by Imperva.

    I hope it helps :)

    ------------------------------
    Zuki Derech
    ------------------------------
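
The "canary attack" health check described in the reply above, written out as an added example (this is not Imperva's code nor Zuki's, and it is not a feature of the product). It shows the decision logic a Layer 7 load balancer or a small monitoring script would implement: send a request carrying a trivially detectable attack through each gateway, and treat only the gateways that answer with the blocking page as eligible for live traffic. A gateway that answers without blocking has failed open and is pulled from the pool just like a dead one. The gateway hostnames, the probe path, the block-page marker and the use of `urllib` for the live probe are assumptions; the sample responses are constructed so the example runs offline.

```python
"""Active WAF health check: probe each gateway with a detectable attack
string and demand the block page in return.

Added example, not Imperva's code. Hostnames, canary path and block-page
marker are assumptions; tune them to your own deployment and block page.
"""
from dataclasses import dataclass
import urllib.error
import urllib.request

# Hypothetical canary: a path that will not exist on the real application
# (harmless if it ever reaches the backend) carrying an obvious SQL
# injection string that any default signature set should catch.
CANARY_PATH = "/__waf_canary?id=1%27%20OR%20%271%27%3D%271"

# Hypothetical marker present only in the gateway's blocking page.
BLOCK_MARKER = b"Request blocked"


@dataclass
class ProbeResult:
    gateway: str
    state: str      # "protected", "fail_open" or "down"
    detail: str


def classify(status, body):
    """Map one canary response to a gateway state.

    No answer at all      -> "down"      (gateway or path unreachable)
    Block page returned   -> "protected" (gateway is inspecting traffic)
    Any other answer      -> "fail_open" (the attack went through unblocked)
    The HTTP status alone is not enough: a block page may be served as 403
    or as 200 depending on how the blocking page is configured, so the body
    marker is what decides.
    """
    if status is None:
        return "down"
    if BLOCK_MARKER in body:
        return "protected"
    return "fail_open"


def fetch(url, timeout=3.0):
    """Send the canary; return (status, body), or (None, b"") if unreachable.

    A 4xx/5xx block page is still a response, so HTTPError is kept rather
    than treated as a failure.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()
    except (urllib.error.URLError, OSError):
        return None, b""


def probe_gateway(gateway, fetcher=fetch):
    status, body = fetcher(f"http://{gateway}{CANARY_PATH}")
    return ProbeResult(gateway, classify(status, body), f"status={status}")


def select_pool(gateways, fetcher=fetch):
    """Return (eligible gateways, all probe results).

    Only gateways that blocked the canary may receive live traffic. An
    unblocked answer is worse than no answer for this purpose: it means the
    gateway (or the whole HA pair behind it) is passing traffic unprotected.
    """
    results = [probe_gateway(g, fetcher) for g in gateways]
    healthy = [r.gateway for r in results if r.state == "protected"]
    return healthy, results


# Constructed sample responses standing in for three gateways, keyed by host,
# so the example runs offline.
SAMPLE_RESPONSES = {
    "gw1.example.internal": (403, b"<html>Request blocked by WAF</html>"),
    "gw2.example.internal": (200, b"<html>id=1' OR '1'='1 not found</html>"),  # passed through
    "gw3.example.internal": (None, b""),                                      # unreachable
}


def sample_fetch(url):
    """Offline stand-in for fetch(): look the host up in SAMPLE_RESPONSES."""
    host = url.split("//", 1)[1].split("/", 1)[0]
    return SAMPLE_RESPONSES.get(host, (None, b""))


if __name__ == "__main__":
    pool, probes = select_pool(list(SAMPLE_RESPONSES), fetcher=sample_fetch)
    for r in probes:
        print(f"{r.gateway}: {r.state} ({r.detail})")
    print("eligible for live traffic:", pool)
```

Two caveats when adapting this: the canary must be something the gateway's current policy is guaranteed to block, so that a policy change does not silently turn every probe into a "fail_open" verdict, and it must be harmless to the backend if it ever does get through, which is why it targets a path the application does not serve. As the reply notes, wiring the verdict into real traffic steering is the load balancer's job, not the gateway's.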