Imperva Cyber Community

  • 1.  URL WAF enrolled

    Posted 12-30-2020 08:07

    The URL is enrolled in the WAF, and the firewall policy is configured to allow access to the URL only through the WAF IP ranges.

    Still, we are able to access the URL with its global IP address. Should it be accessible by IP or not? If you don't want it to be accessible through the IP address, what can I do?


    #CloudWAF(formerlyIncapsula)

    ------------------------------
    Gajendra Lowanshi
    Pune
    ------------------------------


  • 2.  RE: URL WAF enrolled
    Best Answer

    Posted 12-30-2020 23:06
    Hi @Gajendra Lowanshi,

    Your description is not quite clear. So you mean to say, you enrolled an application URL in Incapsula and in your firewall you added our Incapsula IP ranges so that the application URL can be accessed only via our Incapsula and others will be blocked? That is the right way of doing it. Source should be our Incapsula IP ranges and destination should be the application webserver public IP and allow port 443.

    Then you are saying that you are still able to access the application URL via IP address? If that is the case, then it should be configured correctly from your side. Maybe your network team? You need to ask: if I have a domain URL for the application, why am I still able to access it via IP? Your network team or any other relevant team who helped you create a domain can help you with that.

    Please correct me if I am wrong anywhere in understanding your query.

    ------------------------------
    Nikhil Chodankar
    Prudential Services Asia
    ------------------------------



  • 3.  RE: URL WAF enrolled

    Posted 12-31-2020 00:49
    Then you are saying that you are still able to access the application URL via IP address? If that is the case, then it should be configured correctly from your side. Maybe your network team? You need to ask: if I have a domain URL for the application, why am I still able to access it via IP? Your network team or any other relevant team who helped you create a domain can help you with that.


    Yes, you are correct in your understanding. I am the one handling both the firewall and the WAF.

    What could I check on the firewall side? I only allowed the WAF IP range on the firewall to the URL. What else can be checked?

    The DNS mapping has been done by another team; do I need to check with them?
    Is this not something that can be done on the WAF?

    ------------------------------
    Gajendra Lowanshi
    Pune
    ------------------------------



  • 4.  RE: URL WAF enrolled

    Posted 12-31-2020 01:03
    Hi @Gajendra Lowanshi

    Usually the flow is like this:

    1. Once we have the public domain (the external-facing URL for the application, for example www.test.com), we enroll this URL in Incapsula.
    2. On the firewall side, we restrict the traffic flow to only the Incapsula Cloud WAF IPs. So, like I mentioned above, in the firewall rule, the source should be the Incapsula IPs and the destination should be the public IP of the application web server and port 443.
    3. Once you enroll the site in Incapsula, you will get the CNAME. That CNAME is added by the network team who usually manages the DNS (you are correct that the DNS change is handled by a different team of yours).
    4. If you want to access the URL from the internal network also, then you need to update the Incapsula CNAME in your internal DNS as well. Otherwise, the internal users (who do not go via the Internet) won't be able to access the site.

    In your case, you are trying to access the site via the global IP, which shouldn't be the case actually. You need to contact your team who gave you the domain URL for the application. They need to configure it in such a way that the application is accessible only via the domain and not the IP. They are the best people to advise you. I never faced this issue and, to the best of my knowledge, I don't think we can do anything at the Incapsula level.

    ------------------------------
    Nikhil Chodankar
    Prudential Services Asia
    ------------------------------
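
The firewall restriction in step 2 can be checked offline against an exported rule base. The sketch below is an added example, not part of the original thread and not Imperva tooling: it lists every allow rule that reaches the origin from a source wider than the WAF ranges, on any port. The rule format, the first-match evaluation order and all addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```python
import ipaddress as ip

# Constructed placeholders (RFC 5737 documentation ranges), NOT real Imperva ranges.
WAF_RANGES = ["198.51.100.0/24", "203.0.113.0/25"]
ORIGIN_IP = "192.0.2.10"

# Constructed rule base; assumed to be evaluated top-down, first match wins.
RULES = [
    {"name": "allow-waf-a", "action": "allow", "src": "198.51.100.0/24", "dst": "192.0.2.10/32", "port": 443},
    {"name": "allow-waf-b", "action": "allow", "src": "203.0.113.0/24", "dst": "192.0.2.10/32", "port": 443},
    {"name": "legacy-web", "action": "allow", "src": "0.0.0.0/0", "dst": "192.0.2.0/24", "port": 80},
    {"name": "deny-all", "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None},
]

def _matches(rule, src, dst, port):
    # A port of None in a rule means "any port".
    return (ip.ip_address(src) in ip.ip_network(rule["src"])
            and ip.ip_address(dst) in ip.ip_network(rule["dst"])
            and rule["port"] in (None, port))

def decide(rules, src, dst, port):
    """Return (action, rule name) for one connection; implicit deny if nothing matches."""
    for rule in rules:
        if _matches(rule, src, dst, port):
            return rule["action"], rule["name"]
    return "deny", "implicit"

def audit(rules, waf_ranges, origin):
    """List allow rules that reach the origin from sources outside the WAF ranges.

    Conservative: a rule is reported even if an earlier deny would shadow it.
    """
    waf = list(ip.collapse_addresses([ip.ip_network(r) for r in waf_ranges]))
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        if ip.ip_address(origin) not in ip.ip_network(rule["dst"]):
            continue
        src = ip.ip_network(rule["src"])
        if not any(src.subnet_of(w) for w in waf):
            findings.append((rule["name"], rule["src"], rule["port"]))
    return findings

if __name__ == "__main__":
    for name, src, port in audit(RULES, WAF_RANGES, ORIGIN_IP):
        print(f"{name}: source {src} on port {port} is wider than the WAF ranges")
    print(decide(RULES, "203.0.113.200", ORIGIN_IP, 443))
```

Any finding means the origin's public IP is still reachable without passing through the WAF, which matches the symptom described in the first post.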



  • 5.  RE: URL WAF enrolled

    Posted 12-31-2020 01:18
    Thanks for the answer. I will also check with the application team to confirm at their end.

    ------------------------------
    Gajendra Lowanshi
    Pune
    ------------------------------