Imperva Cyber Community


New to Imperva WAF looking for X-Forwarding feature at WAF level

  • 1.  New to Imperva WAF looking for X-Forwarding feature at WAF level

    Posted 08-22-2020 17:31
    We recently deployed a WAF for our environment. We have a client that has a security feature which blocks traffic unless it comes from a specific whitelisted IP. We used the X-Forward feature on our load balancer to allow for this. However, with the WAF as a proxy, the true client IP never gets to the application. I don't see this option anywhere on the dashboard. A search provides a 10-year-old document suggesting the application be coded to handle this. That is not an option. Does anyone have an alternate solution or recommendation?
    Thanks,
    Chris
    #CloudWAF(formerlyIncapsula)

    ------------------------------
    Christopher Olson
    WI
    ------------------------------


  • 2.  RE: New to Imperva WAF looking for X-Forwarding feature at WAF level

    Posted 08-23-2020 03:07

    Hi Christopher,

    To achieve what you describe, you need to check the "Report forwarded client IP in HTTP header" box
    under Setup -> Sites -> the relevant service -> "Reverse Proxy" tab.
    This will cause the gateway to WRITE an X-Forwarded-For header (or any header name you choose) in the outgoing traffic.

    Also note that if you wish to READ an existing XFF header sent to the gateway by a load balancer or other equipment, you need to go to:
    Setup -> Sites -> the relevant service -> Operation -> Forwarded Connections ->
    Check the "Identify real client IP..." box and hit the + sign to set the relevant header name, like "X-Forwarded-For".

    This will cause SecureSphere to use the XFF IP address in alerting and blocking (if an XFF header exists in the incoming traffic),
    rather than the load balancer's client IP.



    ------------------------------
    Roee Sharon
    RSECURE
    ------------------------------



  • 3.  RE: New to Imperva WAF looking for X-Forwarding feature at WAF level

    Posted 08-23-2020 11:24
    Thank you for that information. However, we are using the cloud-based WAF. There is no tab or setting that I can find for that feature. I am new to this, so perhaps I am missing it. Any other suggestions?

    ------------------------------
    Christopher Olson
    WI
    ------------------------------



  • 4.  RE: New to Imperva WAF looking for X-Forwarding feature at WAF level

    Imperva Employee
    Posted 08-24-2020 08:40
    Hi Christopher,

    By default, Imperva Cloud WAF forwards client IPs using 2 HTTP headers:
    1. X-Forwarded-For
    2. incap-client-ip

    You can read more about it using the following link - https://docs.imperva.com/bundle/cloud-application-security/page/onboarding/setup-checklist.htm
    Please refer to item 6 under site checklist after the onboarding section.

    You can also change the second header to a different HTTP header name carrying the client IP value. You can do it under site -> Delivery -> Advance Setting.




    ------------------------------
    Danny Milshtein
    ------------------------------
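
Added example, not part of the thread and not Imperva code: one way an origin-side component (load balancer hook, middleware, or log processor) can pick the client IP from the two headers named above without letting a request that bypasses the WAF spoof an allow-listed address. The network ranges are constructed placeholders from documentation address space, and the function names are hypothetical.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation space) standing in for the
# WAF's egress ranges and an internal load balancer; replace with real values.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/24", "198.51.100.10/32")]


def _parse(value):
    """Return an ip_address for a header value, or None if it is not a bare IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_ip, headers):
    """Pick the address to use for allow-listing and logging."""
    peer = ipaddress.ip_address(peer_ip)
    # Connection did not come from a trusted proxy: the sender controls every
    # header, so ignore them and use the TCP peer address.
    if not _trusted(peer):
        return str(peer)
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Assumption: the WAF writes exactly one address into incap-client-ip.
    ip = _parse(hdrs.get("incap-client-ip", ""))
    if ip is not None:
        return str(ip)
    # Fall back to X-Forwarded-For: walk right to left, skipping hops we trust.
    # Entries further left may have been supplied by the client itself.
    for hop in reversed(hdrs.get("x-forwarded-for", "").split(",")):
        ip = _parse(hop)
        if ip is None:
            break  # malformed entry: stop rather than trust anything left of it
        if not _trusted(ip):
            return str(ip)
    return str(peer)
```

The origin should also accept inbound connections only from the WAF's ranges, so the untrusted-peer branch is a fallback rather than the main control.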