Imperva Cyber Community


Which is processed first a blacklisted IP, or a rule that was created to block an IP?

  • 1.  Which is processed first a blacklisted IP, or a rule that was created to block an IP?

    Community Manager
    Posted 08-09-2020 11:35
    Is one method more efficient than another?

    In a recent webinar, Five Real-World Cloud WAF Rules - Community Webinar, customers asked several questions. I will have Imperva's very own @Abhishek Gupta answer it.


    #ImpervaInsights
    #CloudWAF(formerlyIncapsula)

    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------


  • 2.  RE: Which is processed first a blacklisted IP, or a rule that was created to block an IP?

    Imperva Employee
    Posted 08-09-2020 15:49
    BlockIP solution options
    Blacklist IP - Site ACL policy has block IP config
    Old UI view - https://docs.imperva.com/bundle/cloud-application-security/page/settings/security-settings.htm
    New UI view - https://docs.imperva.com/bundle/cloud-application-security/page/policies.htm
    default allow unless added to Block
    However can be added as block all mode as default action but allow only for exception matches
    Allow max 64k bytes limit for all Security ACL per site
    Allow multiple policy ACL per site in Policy ACL framework

    Incaprule to block IP - A clientip filter to block IP from access
    https://docs.imperva.com/bundle/cloud-application-security/page/rules/rules.htm
    default allow unless action has block/challenge for clientip=filter
    max 63 values per filter or 2048 character limit per rule filter

    Action
    Blacklist IP has default http code 403 response and error code 16, SIEM act=REQ_BLOCKED_ACL, Block IP tag in dashboard.
    Incaprule for IP based filter has default http code 403 response and error code 15 for block request action, SIEM act=REQ_BLOCKED_SECURITY
    Incaprule for IP based filter has default http code 403 response and error code 14 for block session or Block IP action, SIEM act=REQ_BLOCKED_SESSION
    Incaprule for IP based filter with alert action can help with testing, for reviewing events matching the filter when troubleshooting.

    Dashboard and Reporting
    Security dashboard provides Visitors from blacklisted IPs count under Threats table
    Security dashboard provides Visitors from rule based incidents under Rule table.
    SIEM sends all security incidents with All Logs and Security logs level per site

    Now that we know what these features are and how to report and review them, let's talk about use cases.
    Security based BlockIP is helpful to allow only specific, say B2B or QA, users to sites, with a path-specific exception if required, like block/allow except VPN IP.
    The Rule can be configured to block all IP and add an exception for IP that can access the site (combined with and/or rules that can be added in Site ACL).

    Incaprule has the benefit of being tested before the action is aggressive, for blocking or challenge action.
    Incaprule blocking for IP can combine IP or session based rate limiting.
    ADR rule can redirect to origin error/home page rather than ending at a custom or default block page for blockIP action, to not disclose protected paths.
    Incaprule can be combined with many other filters with client IP to improve a simple block, like Firewall style rule match for block use cases.

    If you have any more questions please share the specific use case.

    ------------------------------
    Abhishek Gupta
    Customer Success team
    Imperva
    ------------------------------
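A small review script, added here as an example and not code from the thread or from Imperva, that applies the answer's mapping of SIEM act values and error codes to classify which block-IP mechanism fired, and checks an Incaprule ClientIP filter against the 63-value / 2048-character limits quoted above. The key=value event layout, the src field name, comma-separated IPv4 filter values and the sample events are all assumptions constructed for the example.

```python
import re
from collections import Counter

# Mapping taken from the answer above: SIEM act value -> (blocking feature, documented error code).
BLOCK_ACTIONS = {
    "REQ_BLOCKED_ACL": ("Site ACL blacklist IP", 16),
    "REQ_BLOCKED_SECURITY": ("Incaprule block request", 15),
    "REQ_BLOCKED_SESSION": ("Incaprule block session / block IP", 14),
}
MAX_FILTER_VALUES = 63      # per ClientIP filter, as quoted in the answer
MAX_FILTER_CHARS = 2048     # per rule filter, as quoted in the answer

KV_RE = re.compile(r"(\w+)=(\S+)")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b")

def parse_event(line):
    """Parse a space-separated key=value event line (assumed layout, no quoted values)."""
    return dict(KV_RE.findall(line))

def classify(event):
    """Return (feature, error_code) for a blocked request, or ('not a block', None) otherwise."""
    return BLOCK_ACTIONS.get(event.get("act", ""), ("not a block", None))

def summarize(lines):
    """Count blocks per feature and per (source IP, feature) so an operator sees which mechanism fired."""
    by_feature, by_src = Counter(), Counter()
    for line in lines:
        ev = parse_event(line)
        feature, _ = classify(ev)
        if feature == "not a block":
            continue
        by_feature[feature] += 1
        by_src[(ev.get("src", "?"), feature)] += 1   # 'src' is an assumed field name
    return by_feature, by_src

def filter_limit_issues(filter_text):
    """Flag an Incaprule ClientIP filter that exceeds the value or character limits (IPv4 only)."""
    issues = []
    n_values = len(IPV4_RE.findall(filter_text))
    if n_values > MAX_FILTER_VALUES:
        issues.append(f"{n_values} values exceed the {MAX_FILTER_VALUES}-value limit; split the rule")
    if len(filter_text) > MAX_FILTER_CHARS:
        issues.append(f"{len(filter_text)} chars exceed the {MAX_FILTER_CHARS}-char limit")
    return issues

# Constructed sample events (not real Imperva log output).
SAMPLE = [
    "act=REQ_BLOCKED_ACL src=203.0.113.10 request=/login",
    "act=REQ_BLOCKED_SECURITY src=203.0.113.10 request=/admin",
    "act=REQ_BLOCKED_SESSION src=198.51.100.7 request=/api",
    "act=REQ_PASSED src=192.0.2.5 request=/",
    "act=REQ_BLOCKED_ACL src=203.0.113.10 request=/",
]

if __name__ == "__main__":
    features, sources = summarize(SAMPLE)
    for feature, count in features.items():
        print(f"{count} blocked by {feature}")
    print(filter_limit_issues("ClientIP == " + ",".join(f"10.0.0.{i}" for i in range(64))))
```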