BlockIP solution options
Blacklist IP - Site ACL policy has block IP config
Old UI view -
https://docs.imperva.com/bundle/cloud-application-security/page/settings/security-settings.htm
New UI view -
https://docs.imperva.com/bundle/cloud-application-security/page/policies.htm
default allow unless added to Block
However can be added as block all mode as default action but allow only for exception matches
Allow max 64k bytes limit for all Security ACL per site
Allow multiple policy ACL per site in Policy ACL framework
Incaprule to block IP - A clientip filter to block IP from access
https://docs.imperva.com/bundle/cloud-application-security/page/rules/rules.htm
default allow unless action has block/challenge for clientip=filter
max 63 values per filter or 2048 character limit per rule filter
Action
Blacklist IP has default HTTP code 403 response and error code 16, SIEM act=REQ_BLOCKED_ACL, Block IP tag in dashboard.
Incaprule for IP based filter has default HTTP code 403 response and error code 15 for block request action, SIEM act=REQ_BLOCKED_SECURITY
Incaprule for IP based filter has default HTTP code 403 response and error code 14 for block session or Block IP action, SIEM act=REQ_BLOCKED_SESSION
Incaprule for IP based filter with alert action can help with some testing, for reviewing events matching the filter for troubleshooting.
Dashboard and Reporting
Security dashboard provides Visitors from blacklisted IPs count under Threats table
Security dashboard provides Visitors from rule based incidents under Rule table.
SIEM sends all security incidents with All Logs and Security logs level per site
Now that we know what these features are and how to report and review them, let's talk about use cases.
Security based BlockIP is helpful to allow only specific, say B2B or QA, users to sites, with a path-specific exception if required, like block/allow except VPN IP.
The Rule can be configured to block all IP and add exception for IP that can access site (combined with and/or rules that can be added in Site ACL)
Incaprule has benefit for being tested before action is aggressive for blocking or challenge action
Incaprule blocking for IP can combine IP or session based rate limiting
ADR rule can redirect to origin error/home page than ending as custom or default block page for blockIP action to not disclose protected paths.
Incaprule can be combined with many other filters with client IP to improve simple block, like Firewall style rule match for block use cases.
If you have any more questions please share the specific use case.
------------------------------
Abhishek Gupta
Customer Success team
Imperva
------------------------------
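To show how the SIEM act values and error codes listed in the reply above separate the three blocking mechanisms when reviewing logs, here is an added Python example that is not part of the reply or of Imperva's own tooling. It parses constructed sample events in a simplified key=value layout (an assumption, not the exact Imperva CEF format) and counts blocks per client IP and mechanism; the non-block act values in the sample are constructed filler.

```python
import re
from collections import Counter

# SIEM "act" values named in the reply, mapped to the feature that produced them.
ACT_TO_MECHANISM = {
    "REQ_BLOCKED_ACL": "Site ACL blacklist IP (HTTP 403, error code 16)",
    "REQ_BLOCKED_SECURITY": "IncapRule block request (HTTP 403, error code 15)",
    "REQ_BLOCKED_SESSION": "IncapRule block session / block IP (HTTP 403, error code 14)",
}

# Constructed sample events in a simplified key=value layout (an assumption; not the
# exact Imperva CEF format). "src" is the client IP, "act" is the SIEM action field.
# The two non-block act values at the end are constructed filler.
SAMPLE_EVENTS = """\
ts=2020-08-10T09:00:01Z src=203.0.113.10 act=REQ_BLOCKED_ACL request=/login
ts=2020-08-10T09:00:02Z src=203.0.113.10 act=REQ_BLOCKED_ACL request=/admin
ts=2020-08-10T09:00:03Z src=198.51.100.7 act=REQ_BLOCKED_SECURITY request=/api/v1/users
ts=2020-08-10T09:00:04Z src=198.51.100.7 act=REQ_BLOCKED_SESSION request=/api/v1/users
ts=2020-08-10T09:00:05Z src=192.0.2.44 act=REQ_PASSED request=/
ts=2020-08-10T09:00:06Z src=192.0.2.44 act=REQ_OTHER_FILLER request=/
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Split one key=value line into a dict; None for blank or unparseable lines."""
    fields = dict(KV_RE.findall(line))
    return fields if "act" in fields and "src" in fields else None

def classify(event):
    """Name the blocking mechanism for an event, or None if it was not a block."""
    return ACT_TO_MECHANISM.get(event["act"])

def summarize(text):
    """Count blocked requests per (client IP, mechanism) over many log lines.
    Non-block events are skipped, so an IP blocked by both the ACL and an
    IncapRule appears under two separate keys."""
    counts = Counter()
    for line in text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        mechanism = classify(event)
        if mechanism is not None:
            counts[(event["src"], mechanism)] += 1
    return counts

if __name__ == "__main__":
    for (src, mechanism), n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{src:15} {n:3}  {mechanism}")
```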
Original Message:
Sent: 08-09-2020 11:35
From: Christopher Detzel
Subject: Which is processed first a blacklisted IP, or a rule that was created to block an IP?
Is one method more efficient than another?
In a recent webinar, Five Real-World Cloud WAF Rules - Community Webinar, customers asked several questions. I will have Imperva's very own @Abhishek Gupta answer it.
#ImpervaInsights
#CloudWAF(formerlyIncapsula)
------------------------------
Christopher Detzel
Community Manager
Imperva
------------------------------