Imperva Cyber Community


Application move into Active mode and Alert Analysis.

  • 1.  Application move into Active mode and Alert Analysis.

    Posted 04-05-2020 07:03
    Hello All,

    Currently I have implemented the Imperva WAF (SecureSphere) in Bridge In-Line mode and integrated some applications. Need your suggestion on below queries.

    1. After how much time do we have to move the application from Simulation mode into Active mode?

    2. What alert analysis do I have to perform before the application is moved into Active mode, so that legitimate traffic is not blocked by the WAF?

    3. By default, not all policies are applied to the application; they need to be applied manually. So what analysis and observations do we have to perform before applying any policy?

    4. In System Events I can see the throughput of the gateway on an hourly basis. Is it the average over that particular 1 hour duration, or what?

    #Attack Analytics
    #Bot Management
    #On-PremisesWAF(formerlySecuresphere)
    #All Imperva

    ------------------------------
    Tushar Sawant
    Security Analyst
    IBM Security
    Pune, India.
    ------------------------------


  • 2.  RE: Application move into Active mode and Alert Analysis.

    Imperva Employee
    Posted 04-05-2020 09:53
    Hi Tushar,

    1. The recommended period of time in Simulation mode is two weeks, but this is not an exact number. It is important to monitor the application for false positives and check the profile that was learned by Imperva WAF, and according to the situation decide when it is safe to move to Active mode.
    2. The alerts need to be analyzed for false positives, and in case some of the alerts apply to a part of the application that doesn't need to be checked (under restriction to specific IP addresses), create an exception. In addition to the alerts, the profile needs to be monitored so it can be optimized (not to grow too much) and to make sure the parameters are learned correctly.
    3. Many basic policies are applied by default. You can see the applied policies under Setup --> Sites. On each level (Server Group/Service/Application) there is an Applied Policies tab.
    4. You see these alerts in System Events because your GW has high CPU utilization during that hour. You can check the configuration at Admin --> System Definitions --> System Event Notifications.

    Let me know if you need more information about the process of moving your applications to Active mode, I will be happy to help.

    Ira

    ------------------------------
    Ira Miga
    Imperva
    Knowledge Engineer
    ------------------------------
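    The alert review described in point 2 can be scripted over an export of the simulation-period alerts. The following is an added example, not Imperva code or part of this thread: it assumes alerts exported as simple records (policy, URL, parameter, source IP, hit count); the field names, policy names, IP ranges and sample records are all constructed for illustration.

    ```python
"""Triage WAF simulation-mode alerts before switching an application to Active mode.

Added example (not Imperva code). Assumes alerts were exported as dicts with the
constructed fields policy, url, parameter, source_ip and count.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample export of alerts collected during the simulation period.
SAMPLE_ALERTS = [
    {"policy": "Parameter Type Violation", "url": "/api/report", "parameter": "range",
     "source_ip": "10.20.0.15", "count": 420},
    {"policy": "Parameter Type Violation", "url": "/api/report", "parameter": "range",
     "source_ip": "10.20.0.16", "count": 380},
    {"policy": "SQL Injection", "url": "/login", "parameter": "user",
     "source_ip": "203.0.113.7", "count": 3},
    {"policy": "Unknown Parameter", "url": "/checkout", "parameter": "utm_source",
     "source_ip": "198.51.100.4", "count": 95},
    {"policy": "Unknown Parameter", "url": "/checkout", "parameter": "utm_source",
     "source_ip": "192.0.2.9", "count": 88},
]

# Constructed: subnet from which an internal-only part of the application is used.
RESTRICTED_RANGES = [ip_network("10.20.0.0/24")]


def summarize(alerts):
    """Group alerts by (policy, url, parameter), totalling hits and collecting source IPs."""
    groups = defaultdict(lambda: {"hits": 0, "sources": set()})
    for a in alerts:
        key = (a["policy"], a["url"], a["parameter"])
        groups[key]["hits"] += a["count"]
        groups[key]["sources"].add(a["source_ip"])
    return groups


def triage(alerts, restricted=RESTRICTED_RANGES, fp_threshold=100):
    """Classify each alert group: exception candidate, profile review, or leave as is."""
    verdicts = {}
    for key, g in summarize(alerts).items():
        # Every source sits inside the restricted ranges: candidate for an IP-scoped exception.
        if all(any(ip_address(s) in n for n in restricted) for s in g["sources"]):
            verdicts[key] = "exception-candidate (restricted IPs)"
        # High volume from several unrelated sources: the learned profile is probably incomplete.
        elif g["hits"] >= fp_threshold and len(g["sources"]) > 1:
            verdicts[key] = "review-profile (likely false positive)"
        else:
            verdicts[key] = "keep (low volume, no pattern)"
    return verdicts
    ```

    Groups flagged "review-profile" are the ones to compare against the learned profile (for instance a parameter that was never learned) before enabling blocking, while "exception-candidate" groups map to the IP-restricted exceptions Ira mentions.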



  • 3.  RE: Application move into Active mode and Alert Analysis.

    Posted 04-06-2020 07:40
    Hello Ira,

    Thank you for the response.

    I also want to know how many concurrent connections the appliance handles.

    Device model: 10k


    ------------------------------
    Tushar Sawant
    Security Analyst
    IBM Security
    Pune, India.
    ------------------------------



  • 4.  RE: Application move into Active mode and Alert Analysis.

    Imperva Employee
    Posted 04-06-2020 11:02
    Hi Tushar,

    For the X10K it's 11000 connections/sec.
    Best,

    ------------------------------
    Ira Miga
    Imperva
    Knowledge Engineer
    ------------------------------