Imperva Cyber Community

KRP Questions

  • 1.  KRP Questions

    Posted 09-02-2020 23:23

    Hi guys,

    We deploy our WAF in KRP mode. So I was planning to create a server group with several services, since each of our services has its own certificate and we have lots of services.

    1. Is there any limitation in creating a server group?
    2. How does a server group work?
    3. How many services can we create in a server group?
    4. Is there any requirement for a faster process?
    5. If we create lots of services in a server group, can this hamper each other's process?
    6. Is there another way to lessen the services in a server group?

    If you guys have an article to read about Kernel Reverse Proxy, that would be a great help.

    Thank you


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Clydie Oliamot

    ------------------------------


  • 2.  RE: KRP Questions

    Posted 09-03-2020 08:26
    Hello Clydie,

    Most of the answers to your questions can be found in our Docs sites at docs.imperva.com

    I have included a few URLs that address your questions; you'll find them below.

    To answer some of your questions directly...
    - Yes, there are limits to the number of Server Groups (SG) you can create per MX.
    - The SG allows you to group 1 or more IPs for web/DB servers that should be protected the same way.
    - By default, you can only create one service type per SG, e.g. you can have one HTTP, Oracle, MsSQL, DB2, etc. per SG. However, you can create more than one HTTP service in the same SG if you define a unique port number for each HTTP service. The same goes for the other service types.

    SG Basics
    https://docs.imperva.com/bundle/v12.6-web-application-firewall-user-guide/page/454.htm

    SG Best Practices
    https://docs.imperva.com/bundle/v12.6-web-application-firewall-user-guide/page/455.htm

    Recommended Limits
    https://docs.imperva.com/bundle/v12.6-web-application-firewall-user-guide/page/431.htm

    ------------------------------
    Rich Blais
    ------------------------------



  • 3.  RE: KRP Questions

    Posted 09-04-2020 15:04
    Hi,

    To add to @Rich Blais's response, I wanted to share examples (please see attached) of how to create the site tree, services, and KRP rules via API. Also, please see a tool on GitHub that will help you come up to speed using our APIs. This may help to streamline the process for you as well.

    https://github.com/imperva/imperva-web-api-composer

    https://docs.imperva.com/bundle/v13.6-web-application-firewall-user-guide/page/522.htm


    ------------------------------
    Brian Anderson
    ------------------------------



  • 4.  RE: KRP Questions

    Posted 09-10-2020 23:38
    Edited by Clydie Oliamot 09-22-2020 22:41


    Thank you for answering my questions.

    I got an issue in which my services will not work whenever I add another service or server group in a site tree. I tried removing or deleting the newly added service, and then it works again. By the way, we are deploying KRP in one arm device model X2500.
    Could this be because the gateway can't handle too much traffic, or the gateway takes time to establish the handshake with the origin server (because I notice that this issue only occurs in HTTPS), or the MX server needs time to process the changes?

    I am actually lost. Thank you in advance.



    ------------------------------
    Clydie Oliamot
    ------------------------------



  • 5.  RE: KRP Questions

    Posted 09-11-2020 11:14
    Edited by Jason Park 09-11-2020 11:17
    @Clydie Oliamot

    You are not adding the same service to the same server group multiple times, are you? I am not sure if this is the issue, but you know you cannot have two services with the same ports under one server group (at least not the last time I tried it)?

    Make sure you have one server group and one service containing each port number (e.g. that HTTPS on TCP 443 is not in two different services in the same server group). One service can handle multiple certificates and multiple ports. If you need to separate the services in order to contain multiple instances of the same port number, then it is probably best to separate the server groups, keeping in mind the limitation on server groups in the documentation @Rich Blais and @Brian Anderson provided.

    If that is not the issue you are running into please ignore this post :)

    ------------------------------
    Jason Park
    County of Los Angeles
    CA
    ------------------------------
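
The port rule described in posts 2 and 5 (within one server group, a port number may belong to only one service), as an added example that is not part of any post and does not use Imperva's API: a pre-flight check over a planned site tree before it is created. The plan layout and all names and ports are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample plan: server group -> service -> gateway ports.
# Every name and port here is invented for illustration.
PLAN = {
    "sg-public": {
        "svc-shop": [443, 8443],
        "svc-blog": [9443],
        "svc-api": [8443],   # collides with svc-shop in the same server group
    },
    "sg-internal": {
        "svc-hr": [443],     # allowed: 443 is reused, but in another server group
        "svc-wiki": [8080],
    },
}


def port_conflicts(plan):
    """Return {(server_group, port): [services]} for every port that more
    than one service claims inside the same server group."""
    conflicts = {}
    for sg, services in plan.items():
        owners = defaultdict(set)  # port -> services in this group using it
        for svc, ports in services.items():
            for port in ports:
                if not isinstance(port, int) or not 1 <= port <= 65535:
                    raise ValueError(f"{sg}/{svc}: invalid port {port!r}")
                owners[port].add(svc)
        for port, svcs in owners.items():
            # A port listed twice by the same service is not a conflict.
            if len(svcs) > 1:
                conflicts[(sg, port)] = sorted(svcs)
    return conflicts


if __name__ == "__main__":
    found = port_conflicts(PLAN)
    for (sg, port), svcs in sorted(found.items()):
        print(f"{sg}: port {port} is claimed by {', '.join(svcs)}")
    if not found:
        print("no port conflicts in plan")
```

A conflict reported here can be resolved the way post 5 suggests: merge the colliding ports into one service, or move one of the services to a separate server group.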



  • 6.  RE: KRP Questions

    Posted 09-14-2020 00:43
    Edited by Clydie Oliamot 09-22-2020 22:40

    @Jason Park

    Each of our origin servers has different certificates, so I separate them in services, so each service in our server group has a different certificate and gateway port.



    ------------------------------
    Clydie Oliamot
    ------------------------------



  • 7.  RE: KRP Questions

    Posted 09-22-2020 03:30
    Edited by Clydie Oliamot 09-22-2020 04:13

    Hi guys,

    If the license is already expired, will we still be able to add or create a new service in a site tree?

    Thank you.



    ------------------------------
    Clydie Oliamot

    ------------------------------



  • 8.  RE: KRP Questions

    Posted 09-22-2020 10:49
    Hi Clydie,

    If you have a perpetual (on-prem) license, then yes, you can continue to log in to the GUI and make any changes you need. However, your maintenance license expiring will keep you from pulling updates (security policies, ThreatRadar, etc.) from Imperva, applying patches and doing upgrades. So, you'll want to get your maintenance renewed as soon as possible so your critical policies don't become stale, and critical product updates can be applied as needed. Keeping your security products at the cutting edge is how you stay ahead of the bad guys. :-)

    ------------------------------
    Rich Blais
    ------------------------------



  • 9.  RE: KRP Questions

    Posted 09-22-2020 21:10
    Edited by Clydie Oliamot 09-22-2020 21:11


    Thank you

    So it's OK if I change my deployment mode to KRP even if my license expired, right?
    And I can still make any changes after changing the deployment mode?

    I had a perpetual license.

    ------------------------------
    Clydie Oliamot
    ------------------------------



  • 10.  RE: KRP Questions

    Posted 09-22-2020 21:52
    Yes, you can. But please keep in mind, if you run into a problem or it doesn't work as expected, you won't have support to lean on and help resolve the issue. So please be careful about the changes you're making if this is a production appliance.

    Kindest Regards,
    Rich Blais | Sr. Sales Engineer
    Rich.Blais@imperva.com | m: +1 469-348-8950





  • 11.  RE: KRP Questions

    Posted 09-22-2020 22:00
    Edited by Clydie Oliamot 09-22-2020 22:40

    Thank you so much @Rich Blais

    I guess my current issue is not related to the expired license.


    ------------------------------
    Clydie Oliamot
    ------------------------------