Imperva Cyber Community

Hi Mitesh,

You need to define back-route for DB Server network that you installed the agent under "impcfg->gateway->agent listener" menu on Gateways' CLI.

Could you try this and let us know the results please?

------------------------------
Cezmi Cal
technical support engineer
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara
------------------------------

Hi Cezmi Cal,

Thanks for the answer.

But in your response I have 3 mentioned doubts:
1. In this agent route can i define 5-6 DB Zone network?
2. How this method works in Imperva. Earlier, at this point, I tried to verify connectivity from the Imperva Gateway to the DB server. At this point, the IP address of the listener interface (eth1) uses the interface's default gateway IP (eth0) for outbound data from the gateway. 
3. Can this backroute method be used on the LAN agent interface (eth1)?because we have not define another interface.

To clarify, this is a VM environment and we have defined two network interfaces. The interface (eth0) is used as the management interface and the interface (eth1) is the LAN interface on which we defined the agent listener.

------------------------------
Regards,
𝐌𝐢𝐭𝐞𝐬𝐡 𝐌𝐞𝐡𝐭𝐚
Senior Security Consultant
Mumbai
------------------------------


Original Message:
Sent: 05-10-2023 09:44
From: Cezmi Cal
Subject: DAM Agent Interface not Reachable

Hi Mitesh,

You need to define back-route for DB Server network that you installed the agent under "impcfg->gateway->agent listener" menu on Gateways' CLI.

Could you try this and let us know the results please?

------------------------------
Cezmi Cal
technical support engineer
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Hi Mitesh,

1. The first question's answer is yes. You can define as many as you want.
2. When you initiate the connection from GW, your traffic is routed from your eth0 interface because of default gateway configuration. On the other side, when the traffic is initiated from DB server (agent) to agent listener IP address, the first SYN packet reaches to eth1 (agent listener IP) then your SYN-ACK packet returns over eth0 (when you did not define any static route for this network as described previous post). This situation causes asymmetric traffic and connection cannot be established. You need to route the return traffic over eth1. You should use this menu -> https://docs.imperva.com/bundle/v14.9-dam-administration-guide/page/7284.htm
3. You should use because as I understand from this guide, it is not different from other interface types. https://docs.imperva.com/bundle/v14.9-dam-administration-guide/page/7290.htm

------------------------------
Cezmi Cal
technical support engineer
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara
------------------------------


Original Message:
Sent: 05-11-2023 03:26
From: Mitesh Mehta
Subject: DAM Agent Interface not Reachable

Hi Cezmi Cal,

Thanks for the answer.

But in your response I have 3 mentioned doubts:
1. In this agent route can i define 5-6 DB Zone network?
2. How this method works in Imperva. Earlier, at this point, I tried to verify connectivity from the Imperva Gateway to the DB server. At this point, the IP address of the listener interface (eth1) uses the interface's default gateway IP (eth0) for outbound data from the gateway. 
3. Can this backroute method be used on the LAN agent interface (eth1)?because we have not define another interface.

To clarify, this is a VM environment and we have defined two network interfaces. The interface (eth0) is used as the management interface and the interface (eth1) is the LAN interface on which we defined the agent listener.

------------------------------
Regards,
𝐌𝐢𝐭𝐞𝐬𝐡 𝐌𝐞𝐡𝐭𝐚
Senior Security Consultant
Mumbai


Original Message:
Sent: 05-10-2023 09:44
From: Cezmi Cal
Subject: DAM Agent Interface not Reachable

Hi Mitesh,

You need to define back-route for DB Server network that you installed the agent under "impcfg->gateway->agent listener" menu on Gateways' CLI.

Could you try this and let us know the results please?

------------------------------
Cezmi Cal
technical support engineer
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Hi Cezmi Cal,

Thank you for your detailed and valuable reply.

Just today I received confirmation from the one DB team that the communication issue was resolved after adding agent related routes to each GW.

Hi Mitesh,

1. The first question's answer is yes. You can define as many as you want.
2. When you initiate the connection from GW, your traffic is routed from your eth0 interface because of default gateway configuration. On the other side, when the traffic is initiated from DB server (agent) to agent listener IP address, the first SYN packet reaches to eth1 (agent listener IP) then your SYN-ACK packet returns over eth0 (when you did not define any static route for this network as described previous post). This situation causes asymmetric traffic and connection cannot be established. You need to route the return traffic over eth1. You should use this menu -> https://docs.imperva.com/bundle/v14.9-dam-administration-guide/page/7284.htm
3. You should use because as I understand from this guide, it is not different from other interface types. https://docs.imperva.com/bundle/v14.9-dam-administration-guide/page/7290.htm

------------------------------
Cezmi Cal
technical support engineer
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara


Original Message:
Sent: 05-11-2023 03:26
From: Mitesh Mehta
Subject: DAM Agent Interface not Reachable

Hi Cezmi Cal,

Thanks for the answer.

But in your response I have 3 mentioned doubts:
1. In this agent route can i define 5-6 DB Zone network?
2. How this method works in Imperva. Earlier, at this point, I tried to verify connectivity from the Imperva Gateway to the DB server. At this point, the IP address of the listener interface (eth1) uses the interface's default gateway IP (eth0) for outbound data from the gateway. 
3. Can this backroute method be used on the LAN agent interface (eth1)?because we have not define another interface.

To clarify, this is a VM environment and we have defined two network interfaces. The interface (eth0) is used as the management interface and the interface (eth1) is the LAN interface on which we defined the agent listener.

------------------------------
Regards,
𝐌𝐢𝐭𝐞𝐬𝐡 𝐌𝐞𝐡𝐭𝐚
Senior Security Consultant
Mumbai


Original Message:
Sent: 05-10-2023 09:44
From: Cezmi Cal
Subject: DAM Agent Interface not Reachable

Hi Mitesh,

You need to define back-route for DB Server network that you installed the agent under "impcfg->gateway->agent listener" menu on Gateways' CLI.

Could you try this and let us know the results please?

------------------------------
Cezmi Cal
technical support engineer
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Hi Mitesh,

I am happy to hear that the suggestion solved your case.

You may mark the Reply as Best Answer so others can easily find related post.

Hi Cezmi Cal,

Thank you for your detailed and valuable reply.

Just today I received confirmation from the one DB team that the communication issue was resolved after adding agent related routes to each GW.

Hi Mitesh,

1. The first question's answer is yes. You can define as many as you want.
2. When you initiate the connection from GW, your traffic is routed from your eth0 interface because of default gateway configuration. On the other side, when the traffic is initiated from DB server (agent) to agent listener IP address, the first SYN packet reaches to eth1 (agent listener IP) then your SYN-ACK packet returns over eth0 (when you did not define any static route for this network as described previous post). This situation causes asymmetric traffic and connection cannot be established. You need to route the return traffic over eth1. You should use this menu -> https://docs.imperva.com/bundle/v14.9-dam-administration-guide/page/7284.htm
3. You should use because as I understand from this guide, it is not different from other interface types. https://docs.imperva.com/bundle/v14.9-dam-administration-guide/page/7290.htm

------------------------------
Cezmi Cal
technical support engineer
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara


Original Message:
Sent: 05-11-2023 03:26
From: Mitesh Mehta
Subject: DAM Agent Interface not Reachable

Hi Cezmi Cal,

Thanks for the answer.

But in your response I have 3 mentioned doubts:
1. In this agent route can i define 5-6 DB Zone network?
2. How this method works in Imperva. Earlier, at this point, I tried to verify connectivity from the Imperva Gateway to the DB server. At this point, the IP address of the listener interface (eth1) uses the interface's default gateway IP (eth0) for outbound data from the gateway. 
3. Can this backroute method be used on the LAN agent interface (eth1)?because we have not define another interface.

To clarify, this is a VM environment and we have defined two network interfaces. The interface (eth0) is used as the management interface and the interface (eth1) is the LAN interface on which we defined the agent listener.

------------------------------
Regards,
𝐌𝐢𝐭𝐞𝐬𝐡 𝐌𝐞𝐡𝐭𝐚
Senior Security Consultant
Mumbai


Original Message:
Sent: 05-10-2023 09:44
From: Cezmi Cal
Subject: DAM Agent Interface not Reachable

Hi Mitesh,

You need to define back-route for DB Server network that you installed the agent under "impcfg->gateway->agent listener" menu on Gateways' CLI.

Could you try this and let us know the results please?

------------------------------
Cezmi Cal
technical support engineer
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara