Imperva Cyber Community

  • 1.  Bridge groups

    Posted 03-02-2021 12:21
    Edited by Fred Percynski 03-02-2021 12:28
    I'm not a full-time administrator of the SecureSphere WAF but am trying to help investigate an issue.  I have read through documentation and the Imperva knowledge base but have two questions that I can't find answers to.  Feel free to send a link to a document and I will go read it.

    1)  The output from "impctl gateway show" is
    br0 = eth2 and eth3
    br1 = eth4 and eth5
    Is there a place I can add/modify/delete bridge groups?  Is there a place to do this in the MX web interface or from the gateway's CLI?

    2) In the MX, when I add a new web site, let's call it https://prod.example.com, how does SecureSphere know which bridge group the site belongs to?  In other words, how does SecureSphere know that traffic for this site should come across bridge group 0?  Or does it not matter to SecureSphere which interfaces the traffic uses - it will just monitor all the interfaces?

    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Thanks,
    Fred
    ------------------------------


  • 2.  RE: Bridge groups

    Posted 03-02-2021 12:27
    Attaching a diagram to help provide more information related to my questions.

    ------------------------------
    Thanks,
    Fred
    ------------------------------



  • 3.  RE: Bridge groups
    Best Answer

    Posted 03-02-2021 12:52
    Fred,

    1) The NICs themselves are bonded together to allow fail-open/fail-close operations and shouldn't be broken. It allows the gateways to provide the fail-open functionality:

    https://docs.imperva.com/bundle/v14.3-administration-guide/page/69580.htm
    https://docs.imperva.com/bundle/v14.3-administration-guide/page/8575.htm

    Modifications to the bridge links are done with the impctl CLI on the gateway, and the modification is done with the impcfg CLI configuration tool:

    https://docs.imperva.com/bundle/v14.3-administration-guide/page/8738.htm

    I believe the functionality to modify the bridges and tear them down is only there to enable reverse proxy and sniffing configurations, though it's been a bit since I tried messing with the bridges.

    2) The gateway itself treats all traffic the same regardless of which interface it comes in on, meaning that the configuration is applied system-wide, as all the traffic is sent to the same processing pipeline. Because of this, the gateway has the capability to inspect EtherChannels and such without any configuration needed on the gateway to support it.

    Adam Brown
    Rackspace Technology

    ------------------------------
    Adam Brown
    Network Security Architect
    Rackspace Hosting
    San Antonio TX
    ------------------------------
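Added example, not from this thread and not Imperva's tooling: since the answer above says the gateway applies the site configuration to whatever bridge the traffic arrives on, the practical check for question 2 is to confirm empirically which bridge members actually carry a site's packets. The script below parses a bridge listing in the shape the original poster quoted ("br0 = eth2 and eth3"; that format is an assumption, as is the ability to run tcpdump on the gateway's bridge member interfaces as root), builds a capture filter for the site, and counts matching packets per member interface. The sample listing is constructed; the sniffing step only runs when SNIFF_HOST and SNIFF_PORT are set, so the parsing part runs anywhere.

```shell
#!/bin/sh
# Added example, not Imperva code and not from the thread.
# Assumption: "impctl gateway show" lists bridges as the poster quoted them:
#   br0 = eth2 and eth3
# Assumption: bridge member interfaces on the gateway can be sniffed with
# tcpdump (root required, timeout from coreutils). Sniffing only runs when
# SNIFF_HOST and SNIFF_PORT are exported; everything else runs offline.

# Constructed sample listing in the same shape as the poster's output.
SAMPLE_BRIDGES='br0 = eth2 and eth3
br1 = eth4 and eth5'

# bridge_names LISTING -> space-separated bridge names, e.g. "br0 br1"
bridge_names() {
    printf '%s\n' "$1" | awk -F' = ' '/=/ { printf "%s ", $1 }' | sed 's/ $//'
}

# bridge_members LISTING BRIDGE -> member interfaces, e.g. "eth2 eth3"
bridge_members() {
    printf '%s\n' "$1" \
        | awk -F' = ' -v b="$2" '$1 == b { gsub(/ and /, " ", $2); print $2 }'
}

# bpf_filter HOST PORT -> tcpdump capture filter for one site
bpf_filter() {
    printf 'host %s and tcp port %s' "$1" "$2"
}

# packets_on_iface IFACE FILTER COUNT -> number of matching packets seen
# (at most COUNT; gives up after 10 s so a silent interface does not block)
packets_on_iface() {
    timeout 10 tcpdump -nn -i "$1" -c "$3" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# find_bridge_for_site LISTING HOST PORT -> one line per bridge member with
# the count of packets for that site seen on it
find_bridge_for_site() {
    filter=$(bpf_filter "$2" "$3")
    for br in $(bridge_names "$1"); do
        for ifc in $(bridge_members "$1" "$br"); do
            seen=$(packets_on_iface "$ifc" "$filter" 5)
            printf '%s/%s: %s packet(s) matching "%s"\n' "$br" "$ifc" "$seen" "$filter"
        done
    done
}

# Stand-alone run: print the parsed layout, then sniff only if asked to.
for br in $(bridge_names "$SAMPLE_BRIDGES"); do
    printf '%s -> %s\n' "$br" "$(bridge_members "$SAMPLE_BRIDGES" "$br")"
done
if [ -n "${SNIFF_HOST:-}" ] && [ -n "${SNIFF_PORT:-}" ]; then
    find_bridge_for_site "$SAMPLE_BRIDGES" "$SNIFF_HOST" "$SNIFF_PORT"
fi
```

On a real gateway, replace SAMPLE_BRIDGES with the actual "impctl gateway show" output and run it as SNIFF_HOST=<site IP> SNIFF_PORT=443 with root; a non-zero count on only one bridge's members tells you which bridge group the site's traffic traverses, which is what the MX configuration does not record.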