Imperva Cyber Community

  • 1.  Migrate Imperva WAF from old to new Imperva WAF

    Posted 12-08-2021 03:24
    Hello All,

    I have some questions regarding the Imperva WAF migration POA. Can anyone help me with a proper POA for the same?

    I already have an Imperva WAF running in production, which is going to expire soon.
    We have purchased a new Imperva WAF for the same. What steps or procedures should we perform to migrate the old Imperva WAF to the new Imperva WAF? Below is the scenario.

    1- Copy MX MGMT config to new MX MGMT and replace new Imperva WAF with old Imperva WAF.
    2- Fresh and manually configure new Imperva WAF with help of old Imperva WAF configuration.

    If any other way is available, kindly suggest.
    #CloudWAF(formerlyIncapsula)

    ------------------------------
    Prashant Alhat
    Technical Consultant
    Mumbai
    ------------------------------


  • 2.  RE: Migrate Imperva WAF from old to new Imperva WAF

    Posted 12-09-2021 15:07
    Hi,

    You have two ways.
    First - you can do everything from scratch. But if you want to keep the current configuration, you should migrate the WAF, and that is the second option.
    So if you bought the new MX and you want to keep the existing configuration, you have to have the same IMPERVA version on both MXs.
    Next, on the old one, you have to do "a full export system" ( https://docs.imperva.com/howto/75769035 https://docs.imperva.com/howto/d86af6cc ) and recover it on the new one.
    When the MX is working well, you can connect the new gateways to the new MX. Please remember that the IMPERVA version has to be the same on all gateways - new and old ones.
    Next, you have to use the replacement mode in the gateway wizard. You HAVE TO USE the same name, IP, and rest of the settings from old to new. https://docs.imperva.com/bundle/v14.3-administration-guide/page/7234.htm

    What should you choose?
    It depends on you. If your web profiles are big, old, and cluttered, you can do everything from scratch.
    But if you have the perfect existing configuration, then migrate the WAF.

    Good luck!
    KAROL

    ------------------------------
    Karol Gruszczynski
    IT SECURITY EXPERT
    Trafford IT
    Warsaw
    ------------------------------



  • 3.  RE: Migrate Imperva WAF from old to new Imperva WAF
    Best Answer

    Posted 08-18-2022 06:07

    Hi Prashant,

    To answer your question,

    1) First make sure the firmware version is the same on both devices (old and new device).
    2) Once you are done with the FTL on the new device, you can go ahead and import the MX config.
    3) While importing the MX export on the new device, make sure the old device is not connected to the internet, or else you may have a duplicate IP address issue.
    Sharing the steps for exporting the MX config, in case you don't have login access to docs.imperva.com:

    1. SSH to the MX.
    2. Run the following commands:

      cd /opt/SecureSphere/server/bin
      ./full_expimp.sh

      The following screen appears:

      Select operation:
      1. Export
      2. Import
      3. List schemas in an existing export file
      operation:

    3. Type 1 and hit Enter. The following screen appears:

      Please enter system password:

    4. Type the SSH password of this MX and hit Enter. The following screen appears.

      Please select export type:
      1. Full export
      2. Exclude alert data
      export type [1]:

    5. Type 1 and hit Enter. The following screen appears:

      Would you like to export failed archives data? [y/n] (default is n)

    6. Type n and hit Enter. The following screen appears:

      Please enter password for dump file encryption (leave blank to use system's password):

    7. Type any desired password and hit Enter. Make a note of the password. It is required for the import stage. The following screen appears:

      Please enter password for verification:

    8. Retype the password and hit Enter. The following screen appears:

      Enter a file name for operation:
      file name [/var/tmp/SecureSphere_2021xxxx_xxxx]:

    9. Type the name of the file and hit Enter. The following screen appears.

      You are about to perform the following:
      Export all schemas (SECURE, SECURE_DA and all ODM)
      The dump file will be encrypted
      Are you sure? [Y/N]

    10. Type Y and hit Enter. The following screen appears:

      full_expimp (version 13.1.0) started on Wed Feb 3 15:58:17 IST 2021
      This may take a while, log file is written to /var/tmp/SecureSphere_2021xxxx_xxxxxx.log
      Creating TAR file
      Encrypting TAR file (if no password was specified, encryption will use system's password)
      full_expimp completed successfully on Wed Feb 3 15:59:45 IST 2021



    ------------------------------
    Syed Noor Fazal
    Product Support Engineer
    ------------------------------
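
An added check for the export procedure above (not part of the original posts and not Imperva code): confirm the run ended with the completion line from step 10, fingerprint the encrypted export on the old MX, and compare that fingerprint on the new MX before importing. It assumes the operator saved the console output to a file and that sha256sum exists on both machines; all file names are placeholders.

```shell
#!/bin/sh
# Added example, not Imperva code. Paths and file names are placeholders.

# export_fingerprint TRANSCRIPT DUMP
# Prints the dump's SHA-256 only if the saved console output (assumed to be
# captured by the operator) contains the completion line shown in step 10
# and the export file is non-empty.
export_fingerprint() {
    transcript=$1
    dump=$2
    if ! grep -Eq '^[[:space:]]*full_expimp completed successfully on ' "$transcript"; then
        echo "no completion line in $transcript; do not import this export" >&2
        return 1
    fi
    if [ ! -s "$dump" ]; then
        echo "export file $dump is missing or empty" >&2
        return 2
    fi
    sha256sum "$dump" | awk '{print $1}'
}

# verify_transfer EXPECTED_SHA256 DUMP
# Run on the new MX after copying the file; succeeds only on an exact match.
verify_transfer() {
    actual=$(sha256sum "$2" | awk '{print $1}')
    if [ "$actual" != "$1" ]; then
        echo "hash mismatch for $2: copy it again before importing" >&2
        return 1
    fi
}

# Constructed demo: a fake transcript and a stand-in dump in a temp directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'Creating TAR file\nfull_expimp completed successfully on Wed Feb 3 15:59:45 IST 2021\n' > "$d/out.txt"
    printf 'constructed stand-in for the encrypted export\n' > "$d/export.bin"
    cp "$d/export.bin" "$d/copied.bin"
    h=$(export_fingerprint "$d/out.txt" "$d/export.bin") && verify_transfer "$h" "$d/copied.bin"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Record the fingerprint alongside the dump-file encryption password noted in step 7, since both are needed at the import stage.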



  • 4.  RE: Migrate Imperva WAF from old to new Imperva WAF

    Posted 10-10-2022 04:42
    Hi Syed

    Hope you are doing well.

    I want to know, from step 3 of your post:
    - Could I set up the new MX (virtual) with a different IP from the old MX?
    - After the config is imported successfully and the ImpGW is manually re-registered to the new MX (virtual) => is there any service interruption when the GW re-registers to the new VM?

    Note for my situation:
    - We have a hardware MX working well.
    - But for some reason, we want to build the new MX (VM150) to back up with the hardware MX, or maybe switch all GWs to the new MX for management.

    So I just want to verify again some confusing information above.

    Hope you can help

    Thanks

    ------------------------------
    Khoa Anh Le
    Security Engineer
    M.Tech Holdings Pte Ltd
    Ho Chi Minh
    ------------------------------



  • 5.  RE: Migrate Imperva WAF from old to new Imperva WAF

    Posted 10-10-2022 13:23
    Edited by Syed Noor Fazal 10-10-2022 13:24
    Hello Khoa Anh Le,

    I am good, thank you; I hope you are doing well too.

    Regarding the IP address, step 3 mentioned above is for the MX export, and the export file does not contain the interface IP address; hence you can export it on a new machine (which will have a new IP address), but it should be with the same firmware version (the new virtual machine's firmware and that of the machine from which the MX export has been taken should be the same).

    Regarding the service interruption, when you move the gateway from one MX to another MX, technically there should not be one, because the GW is responsible for handling the traffic whereas the MX is for configuration, but to be on the safer side I would suggest making any major changes in a maintenance window.

    Hope this answers your query.


    ------------------------------
    Syed Noor Fazal
    Product Support Engineer
    ------------------------------



  • 6.  RE: Migrate Imperva WAF from old to new Imperva WAF

    Posted 10-25-2022 11:49
    Hi Syed

    Thank you for your valuable answer :).

    Khoa

    ------------------------------
    Khoa Anh Le
    Security Engineer
    M.Tech Holdings Pte Ltd
    Ho Chi Minh
    ------------------------------