Imperva Cyber Community

  • 1.  Enough disk space to move apps in to active mode?

    Posted 01-08-2020 06:38
    We currently have SecureSphere WAF running in AWS using the on-demand licence.
    All services and applications are currently running in server groups with 'Simulation' mode set, so nothing is being blocked.
    We are looking at starting to move applications into 'Active' mode.
    From my understanding, in order to do this we will need to create new services within server groups that are set to 'Active' mode.
    Then, for each application, export the profile and import it into the new service.
    I am attempting to calculate if we will have enough disk space on the MX (and Gateways) to achieve this, given that we will end up with two copies of each application's
    profile, one in 'Simulation' and one in 'Active'.

    We currently have 2 server groups, one for NonProd and one for PreProd.
    Between these 2 server groups we have 14 services and 270 applications.

    The MX is created from an AWS ami and comes with an 80GB disk.
    I'm no Linux expert so, using the information below, can anybody help me to figure this out?


    Below is the info from the lsblk command.

    [root@***** ~]# lsblk
    NAME                        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
    xvda                        202:0    0   80G  0 disk
    ├─xvda1                     202:1    0  251M  0 part /boot
    └─xvda2                     202:2    0   79G  0 part
      ├─sysvg-root.vol (dm-0)   253:0    0   28G  0 lvm  /
      ├─sysvg-swap.vol (dm-1)   253:1    0    5G  0 lvm  [SWAP]
      └─sysvg-var.vol (dm-2)    253:2    0 45.8G  0 lvm  /var
    sda                         8:0      0   80G  0 disk
    ├─sda1                      8:1      0  251M  0 part
    └─sda2                      8:2      0   79G  0 part

    [root@i-***** ~]# lsblk -f
    NAME                        FSTYPE      LABEL  MOUNTPOINT
    xvda
    ├─xvda1                     ext2        bootfs /boot
    └─xvda2                     LVM2_member
      ├─sysvg-root.vol (dm-0)   ext4               /
      ├─sysvg-swap.vol (dm-1)   swap        swap   [SWAP]
      └─sysvg-var.vol (dm-2)    ext4               /var
    sda
    ├─sda1                      ext2        bootfs
    └─sda2                      LVM2_member


    Below is the info from the df command.

    [root@i-***** ~]# df
    Filesystem 1K-blocks Used Available Use% Mounted on
    /dev/mapper/sysvg-root.vol
    28899452 11400728 16030720 42% /
    tmpfs 3771152 512 3770640 1% /dev/shm
    /dev/xvda1 248895 32488 203557 14% /boot
    /dev/mapper/sysvg-var.vol
    47219648 23142404 21678628 52% /var
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Richard Bowden
    Aviva
    ------------------------------


  • 2.  RE: Enough disk space to move apps in to active mode?

    Posted 01-08-2020 09:50
    Hi Richard,

    You can simply change each Server Group from Simulation to Active in the Setup > Sites tab of the MX without duplicating the config into a second identical server group. It is possible to switch between Active and Simulation mode at will.

    This is what we'd recommend you do; currently your /var directory is only 52% full, so this should not present any problems.

    ------------------------------
    Stefan Pynappels
    Escalation Engineer
    Imperva
    ------------------------------
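
The headroom figure quoted in the reply above can be read out of the posted `df` output as follows. This is an added example, not part of the original posts; the function names, the growth amounts and the 80% ceiling used with them are assumptions, since the thread gives no profile sizes.

```shell
#!/bin/sh
# Constructed sample: the df output from the first post, including the
# wrapped lines df prints when a device name is too long for its column.
DF_SAMPLE='Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/sysvg-root.vol
28899452 11400728 16030720 42% /
tmpfs 3771152 512 3770640 1% /dev/shm
/dev/xvda1 248895 32488 203557 14% /boot
/dev/mapper/sysvg-var.vol
47219648 23142404 21678628 52% /var'

# df_field MOUNT FIELD: print total|used|avail (in KiB) for a mount point.
# Reads df output on stdin; a line holding only a device name is joined
# to the line after it before the columns are counted.
# (On a live host, `df -P` avoids the wrapping in the first place.)
df_field() {
    awk -v mnt="$1" -v want="$2" '
        NR == 1 { next }                       # header row
        NF == 1 { dev = $1; next }             # wrapped: device name alone
        {
            if (dev != "") { $0 = dev " " $0; dev = "" }
            if ($NF == mnt) {
                if (want == "total") print $2
                else if (want == "used") print $3
                else if (want == "avail") print $4
            }
        }'
}

# fits_after_growth MOUNT EXTRA_KIB CEILING_PCT: succeed if the mount would
# stay at or below CEILING_PCT of capacity after EXTRA_KIB more is written.
# Uses total - avail as the consumed figure so reserved blocks are counted,
# which is also why df shows 52% rather than used/total (49%).
fits_after_growth() {
    out=$(cat)
    total=$(printf '%s\n' "$out" | df_field "$1" total)
    avail=$(printf '%s\n' "$out" | df_field "$1" avail)
    [ -n "$total" ] || return 2                # mount point not found
    consumed=$(( total - avail + $2 ))
    [ $(( consumed * 100 )) -le $(( total * $3 )) ]
}
```

Fed the sample, `fits_after_growth /var 5000000 80` succeeds (about 5 GB of hypothetical growth stays under the ceiling), while 15000000 KiB would not.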



  • 3.  RE: Enough disk space to move apps in to active mode?

    Posted 01-09-2020 09:28
    Thanks for your reply. I was aware that we could switch a server group mode to 'Active', the only issue with that is that we then switch every application to 'Active' in one hit and I can be sure that the business will not wear that.

    ------------------------------
    Richard Bowden
    Aviva
    ------------------------------



  • 4.  RE: Enough disk space to move apps in to active mode?

    Posted 01-08-2020 10:02
    Given: 2 server groups with a total of 14 services and 270 apps
              Non-Prod
              PreProd
    The goal is to move to active mode.

    Question? Where is Prod? Is the AWS set up for testing? How are you using the Non-Prod and PreProd?

    By design, there is no need to duplicate the site tree to move into active mode. Switch the server group into active mode and it will enforce your security policies for that server group. 

    There is a use case where the testing environment (server group) and the production environment (server group) will be identical in traffic and apps. During the testing, the profiles are built and then copied to the production (server group). In production, the server group is set to active mode to enforce blocking. The testing server group stays in simulation mode.
    The profiles should not be very large.

    Operational mode:
    https://docs.imperva.com/bundle/v12.5-waf-on-amazon-aws-byol-installation-guide/page/10488.htm




    ------------------------------
    Scott Morgan
    Imperva
    ------------------------------



  • 5.  RE: Enough disk space to move apps in to active mode?

    Posted 01-09-2020 09:31

    Thanks for your reply. I was aware that we could switch a server group mode to 'Active', the only issue with that is that we then switch every application to 'Active' in one hit and I can be sure that the business will not wear that.

    Our NonProd and PreProd environments are on one single MX and two separate Gateway groups.

    Our Prod environment is on a separate MX and Gateway group. So the Prod MX has fewer applications as there are no dev/uat variants etc.



    ------------------------------
    Richard Bowden
    Aviva
    ------------------------------



  • 6.  RE: Enough disk space to move apps in to active mode?

    Posted 01-09-2020 11:04
    Have you considered Imperva Cloud WAF? In Imperva Cloud WAF you can set individual sites to block.

    Having an active server group that you move validated profiles in would require much effort. An Imperva best practice is to have all sites under the server group ready to enforce policies.

    Thank you.

    ------------------------------
    Scott Morgan
    Imperva
    ------------------------------