Imperva Cyber Community

  • 1.  OWA Protection

    Posted 11-20-2019 02:45
    Hi there,

    When we want to protect OWA via WAF, we encounter many false-positive alarms. Too many profile and protocol policies are triggered. Moreover, this issue also causes Web Correlation policies to be triggered.

    Is there anyone who has fine-tuned OWA or provided good security for OWA and could share their own experiences/best practices?

    Thanks,
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    cezmi çal
    technical expert
    Barikat Cyber Security
    ------------------------------


  • 2.  RE: OWA Protection

    Posted 11-24-2019 03:54
    Hi Cezmi,

    Adding a new application to WAF protection requires tuning; it is expected to be in Simulation mode for some time to allow tuning of the false-positive alerts.
    Web Correlation alerts should also be revised and tuned.
    Usually we don't observe many customers complaining about the OWA application specifically.
    The issue we encountered a lot with OWA was outgrowing of the profile, which can be solved by adding plugins (I can provide a link to an article about this issue).
    Also, we observed that some messages were blocked due to the use of special characters, which needs to be tuned.
    Hope this is helpful!
    Best,

    ------------------------------
    Ira Miga
    ------------------------------



  • 3.  RE: OWA Protection

    Posted 12-29-2020 05:55

    Please provide the link to others.



    ------------------------------
    Gregory Badin
    Softprom
    ------------------------------



  • 4.  RE: OWA Protection

    Posted 12-29-2020 06:56

    Hi Gregory,

    Here's a step-by-step guide to adding the plugins we recommend:

    1. Connect to Imperva MX GUI and in the Main workspace, click Setup > Sites.
    2. Expand the Server Group and Service where you would like to configure the plugins.
    3. Click the Definitions tab, then click Plugins.
    4. Click the Add New button, then type hpl_u2p.
    5. Click Save.
    6. Click the plus sign (+) to the left of the plugin name and paste the following text/value:

    path-regexp="(/exchange/)([^/]+/)(.*)", path-replace="$1$3", parameter-replace="$2", parameter-name="user"

    7. Click Save.
    8. Repeat above steps 3 & 4 for each of the three values below, in the exact order:

    path-regexp="(/exchange/)([^/]+/)(.*)", path-replace="$1", parameter-replace="$2$3", parameter-name="folder"
    path-regexp="(/exchange/)([^/]+\.[^/]+)", path-replace="$1", parameter-replace="$2", parameter-name="user"
    path-regexp="(/public/)([^/]+/)(.*)", path-replace="$1", parameter-replace="$2$3", parameter-name="folder"


    You should have 4 lines of plugins, each one with the same name, but the Optional Configuration should be different.
    The order should be exactly the order above.

    9. Save and activate settings.

    Adding these plugins will help prevent the profile from outgrowing due to the numerous folders that are part of the OWA URLs.

    Hope it helps!



    ------------------------------
    Ira Miga
    Imperva
    Knowledge Engineer
    ------------------------------
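
To check what the four `hpl_u2p` values above do to OWA request paths before pasting them into the MX, the following is an added example (not part of the thread and not Imperva code) that models them offline. It assumes the rules are applied in the posted order, each one to the output of the previous one, and that `$N` refers to the N-th capture group; the sample paths are constructed.

```python
import re

# The four hpl_u2p values from the post, in the posted order:
# (path-regexp, path-replace, parameter-replace, parameter-name)
RULES = [
    (r"(/exchange/)([^/]+/)(.*)", "$1$3", "$2", "user"),
    (r"(/exchange/)([^/]+/)(.*)", "$1", "$2$3", "folder"),
    (r"(/exchange/)([^/]+\.[^/]+)", "$1", "$2", "user"),
    (r"(/public/)([^/]+/)(.*)", "$1", "$2$3", "folder"),
]

def _expand(match, template):
    """Expand $N capture-group references in a plugin template."""
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))) or "", template)

def normalize(path):
    """Return (profiled_path, extracted_params).

    Assumption of this model: rules run in order and each rule sees the
    path as rewritten by the rules before it.
    """
    params = {}
    for pattern, path_tpl, param_tpl, name in RULES:
        m = re.search(pattern, path)
        if not m:
            continue
        params[name] = _expand(m, param_tpl)
        path = path[:m.start()] + _expand(m, path_tpl) + path[m.end():]
    return path, params

# Constructed sample OWA request paths (not taken from real traffic).
SAMPLES = [
    "/exchange/alice/Inbox/Quarterly%20report.EML",
    "/exchange/bob/Sent%20Items/RE:%20lunch.EML",
    "/exchange/carol.smith",
    "/public/Projects/2019/plan.docx",
    "/owa/auth/logon.aspx",
]

def profiled_urls(paths):
    """Distinct URLs the profile would have to learn after rewriting."""
    return sorted({normalize(p)[0] for p in paths})

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", normalize(p))
    print(len(set(SAMPLES)), "raw URLs ->", profiled_urls(SAMPLES))
```

Under these assumptions the per-user and per-folder path segments move into the `user` and `folder` parameters, so the five sample paths collapse to three profiled URLs.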