Imperva Cyber Community


Forwarded Connections - Handling CDN Services

  • 1.  Forwarded Connections - Handling CDN Services

    Posted 06-15-2021 15:10

    We have deployed an on-premises WAF. We also have CDN services for our websites.
    We are configuring "Forwarded Connections" in order to let the WAF capture the real client IP address from the HTTP header. But we have some questions about the "Proxy IP Group" setting.

    It is understood that we should keep this "Forwarded Connections" setting to the known IP address group of the authorized CDN service provider. We have obtained a list from the service provider of their exit IPs.
    However, the list contains over 800 different IP segments and over 180,000 IP addresses. And we are told by the CDN service provider that there may be changes to the IP ranges from day to day.

    It seems to be an unsuitable approach to manually maintain this list in the "Proxy IP Group" setting every day with updates from the CDN service provider. And therefore, we have a few questions:

    1. Are there any known limitations or a maximum number of rows that can be added under a single "IP Group" object in Global Objects?

    2. Is there any concern (e.g. performance degradation) if we use an IP group with over 800 IP segments and over 180,000 IP addresses in total as the "Proxy IP Group" list of the "Forwarded Connections" configuration?

    3. What would be the general practice to handle similar cases? E.g. if a customer uses both the On-premises WAF and the Cloud WAF of Imperva, how should they configure "Forwarded Connections" under the On-premises WAF to handle the changing list of exit IP addresses of the Cloud WAF?


    Louis Tsoi
    Associate Consultant
    Cyberforce Limited

  • 2.  RE: Forwarded Connections - Handling CDN Services

    Posted 06-16-2021 05:36

    Hi Louis,

    We have a similar deployment for some of our websites. I configured the Forwarded Connections setting to use the "All IPs" list instead of a "Proxy IP Group" under the On-premises WAF.

    As far as I observe, there is no problem with this configuration and it works well, but I am not sure whether this is a best-practice configuration or not.

    Cezmi Cal
    Technical Support Engineer
    Barikat Cyber Security
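The two configurations discussed in this thread (a "Proxy IP Group" of authorized CDN ranges versus "All IPs") differ in one decision: whether X-Forwarded-For is honoured only when the TCP peer is a known proxy. The following is an added illustration, not Imperva code and not part of either post; the CIDR list is constructed from documentation address blocks, and the large, frequently changing provider list is modelled by parsing and collapsing whatever ranges are supplied.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed placeholder ranges standing in for a CDN provider's exit-IP list.
SAMPLE_CDN_RANGES = [
    "203.0.113.0/25",
    "203.0.113.128/25",   # adjacent to the first entry; merges into a single /24
    "198.51.100.0/24",
    "2001:db8:abcd::/48",
]


def load_proxy_group(cidrs: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse a provider range list and merge adjacent/overlapping entries.
    Collapsing shrinks a large list (hundreds of segments) before it is loaded."""
    nets = [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs if c.strip()]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_trusted_proxy(addr: str, proxy_group: Optional[List]) -> bool:
    """proxy_group=None models the 'All IPs' choice: every peer is trusted."""
    if proxy_group is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in proxy_group)


def real_client_ip(peer: str, xff: Optional[str], proxy_group: Optional[List]) -> str:
    """Resolve the client address the way a forwarded-connections rule would:
    honour X-Forwarded-For only if the connecting peer is an authorised proxy,
    then walk the hop chain from the right, skipping further trusted proxies."""
    if not xff or not is_trusted_proxy(peer, proxy_group):
        return peer                      # header ignored: the peer is the client
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer                  # malformed header: fall back to the peer
        if not is_trusted_proxy(hop, proxy_group):
            return hop
    return hops[0]                       # every hop was a proxy; take the leftmost
```

With `proxy_group=None` any direct peer's header value is accepted as the client address, which is the exposure the first post avoids by restricting the group to the provider's ranges.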