Imperva Cyber Community

 View Only
Expand all | Collapse all

Flexing with IncapRules

  • 1.  Flexing with IncapRules

    Posted 06-21-2022 10:51
    Edited by Jaired Anderson 06-21-2023 10:56

    Are you ready to flex 💪 your brain? This thread will contain a list of IncapRules and be updated periodically. 

    Use Case: 
    Retrieve content from a 3rd party or location while masking the Origin. When a client accesses the content will be retrieved from 

    Your Site:
    3rd Party:

    You must have the load balancing module to define data centers.

    This can be accomplished using forward and rewrite rules.

    Define as a Data Center and check the box to Support only forward rules.

    Create a new Forward rule with the following filter criteria:

         URL == "/PathHere"

    Adjust the match criteria as desired. For example, the statement above is a strict match ( == ) on "/PathHere" and will not match "/PathHere/".

    For the Rule Action, select Forward to Data Center and select the Data Center.

    Give the rule a name and click Save.

    Imperva Cloud will now Forward all requests for (client facing) to (backend) and retrieve the content. The clients address bar will display

    Please note however that a Rewrite rule is also typically required in conjunction with a Forward rule. This is because the Origin Data Center usually won't respond because the original Host header is sent. Additionally, the SSL handshake can fail with the Origin server if the Host names do not match.

    Create a Rewrite matching the same path as the Forward rule.

         URL == "/PathHere"

    For the Rule Action, select Rewrite Header.

    For the Header Name, enter Host

    Leave the From empty and in the To enter

    Enter a name for the rule and click Save.

    Reply to this thread to share your IncapRules with the community! 👍

    Helpful Links

    IncapRule Syntax Guide

    IncapRule Parameter List 

    Simplified Redirect Rules

    Scheduler Syntax

    Variable$ Galore! 

    Custom Rate Rules


    ⚠ WARNING: Please follow your organization's change control procedures, and always test rules before adding to production

    📼 Cloud WAF Masterclass - Flexing with InCap Rules *Webinar Recording*

  • 2.  RE: Flexing with IncapRules

    Posted 06-22-2022 11:54
    Is there a location to see logs of rules that were matched, including Time, client IP, browser, etc?

    John Schoenstein
    IT Security Analyst
    Glendale AZ

  • 3.  RE: Flexing with IncapRules

    Posted 06-22-2022 12:25
    Hi John,

    There are 2 locations to review this information.

    Within the UI under Security Events. The label will "Security Rules". Also, on the right, you can filter for specific Security Rules if desired.

    Additionally, if you are gathering SIEM logs, it should be under the Request Result section for the security rule that is triggered.  

  • 4.  RE: Flexing with IncapRules

    Posted 06-22-2022 11:56
    When Log4j Hit last year, I utilized IncapRules to implement quick restrictions.  Example:

    If: Full-URL contains "jndi" & Full-URL not-contains "bWFzdGVyfGltYWdlc3wxMzc5NHxpbWFnZS9wbmd8aW1hZ2VzL2gyOS9oYjMvODc5NzY3NTE1OTU4Mi5wbmd8MGUxYTJiNjUzNTE2ZjNkM2I4ZjY4M2QxZDAxMjAzNmY3OGFkYTQ1MDM0ZmRhZDNmMGMwNjA3OWJjNDIyNjg2Mw"
    Then: Block Request

    This assisted to block attempts, before we implemented the full fix.

    David Gorman
    eCommerce Service Manager
    Collegeville NJ

  • 5.  RE: Flexing with IncapRules

    Posted 06-23-2022 10:13

    Use Case: Provide additional protection to a path. (eg: Login page)

    Click Add Rule

    The filter criteria will be:

         MaliciousIPList == TorIPs & MaliciousIPList == AnonymousProxyIPs & URL contains "^/login"

    For rule action, select Require Javascript Support.

    Summary: This rule requires any client originating from a TOR node or Anonymous Proxy to process a JS challenge if they are accessing the login page. 

    This accomplishes two things:

    1.) Keeps low level BOTs off your login page. Good BOTs (like search engine crawlers) will not be using TOR nodes or Anonymous Proxies.
    2.) If there is a an advanced BOT or automation technique accessing your login page, we now have a fingerprint (via the JS challenge) that can be used to block it. 

    Options: Taylor this rule to your liking. Perhaps you adopt an aggressive measure and require CAPTCHA support or block.

    A variation of this rule would be:

         IPReputationRiskLevel >= High & URL contains "^/login"

    Rule action: Require JavaScript Support or CAPTCHA

  • 6.  RE: Flexing with IncapRules

    Posted 06-23-2022 15:05
    I just implemented a rule that blocks access to a certain URL if you are not coming from our internal IP ranges. Is this the best way to create this rule?

    URL contains "^/<path>/" & ClientIP != x.x.x.0/24 & ClientIP != y.y.y.0/24 & ClientIP != z.z.z.0/24 & ClientIP != a.a.a.0/24

    Also, could I get a link to the page that talks about using incap rules to facilitate a certification pass through? I have some sites that use this that I cannot onboard to the WAF and would love a possible workaround.

    Caleb Larson
    Information Security Engineer
    Appleton MN

  • 7.  RE: Flexing with IncapRules

    Posted 06-23-2022 15:19
    Edited by Jaired Anderson 06-23-2022 15:22
    Hi Caleb,

    That technically works, however, a more efficient method would be to leverage a ; as a separator for the IP/Network list. Also, please be aware that the Cloud WAF cannot "see" your internal IP addresses. Are you referring to your corporate network ranges? (NAT)

         URL contains "^/<path>/" & ClientIP != x.x.x.0/24;y.y.y.0/24;z.z.z.0/24;a.a.a.0/24

    For information on configuring client-certificate support, please see:

    • ("Delivery Rules" referenced in this document are IncapRules)


  • 8.  RE: Flexing with IncapRules

    Posted 06-23-2022 16:00
    Yes, I am referring to our corporate network ranges.

    As for the client cert support in CWAF, I think the issue we ran into is that we need to use certain certs for certain paths, not just the entire site which is what the CWAF allows for if I am remembering correctly. I was wondering if there was a way that rules could help pass along certificate information to the origin. Is that what this section is talking about? Imperva Documentation Portal

    Caleb Larson
    Information Security Engineer
    Appleton MN

  • 9.  RE: Flexing with IncapRules

    Posted 06-23-2022 17:35
    Ah, yes; you are correct. As it stands today, client certificate support is per domain and cannot be configured per URL.

    I recommend submitting this as a feature request at


  • 10.  RE: Flexing with IncapRules

    Posted 06-28-2022 12:28
    Use Case: Redirect clients to specific path based on clients preferred language

    Yes - we can do this - however, It's difficult to provide a copy/paste example for this scenario as there are many variables that may or may not apply to your environment.

    Some common Imperva Parameters that are used to accomplish this are:

      - CountryCode
      - Accept-Language

    Additionally, we can look for cookies or cookie values as well as header and header values. 

    Summary: If clients connection originates from Mexico, then redirect to Spanish URL path.

    Filter example: CountryCode == MX

    Rule Action: Redirect

    Response Code: 302

    From: /*

    To: /es/$1

    The * creates a back reference that allows us to reorder the URL before redirecting.

    Example request:

    will be redirected to

  • 11.  RE: Flexing with IncapRules

    Posted 06-29-2022 04:57

    Hi InCap Rulers!

    Just to let you know that @Jaired Anderson's session has been posted in the blog section. If you missed it you can check it out here:

    Cloud WAF Masterclass - Flexing with InCap Rules *Webinar Recording*

    We'd love to hear your feedback and questions so feel free to comment on the blog itself or on this thread.


    Sarah Lamont(csp)
    Digital Community Manager

  • 12.  RE: Flexing with IncapRules

    Posted 07-21-2022 10:17
    Use case: Restrict HTTP methods

    Filter example: Method != HEAD;GET;POST

    Rule Action: Block Request

    This will block any HTTP method that does not equal HEAD, GET, or POST.


  • 13.  RE: Flexing with IncapRules

    Posted 08-05-2022 12:22
    Edited by Jaired Anderson 08-05-2022 12:23
    Use Case: Enrich headers with Geolocation data.

    Rule Filter: Leave this blank

    Rule Action: Rewrite Request Header

    Header Name: X-Loc     
    Note: You can enter your own name for the header. X-Loc is an example. This will be the name of the custom header appended that contains the location data.

    Add new if missing: Check this box

    From: Leave this field blank

    To: $latitude$longitude

    Rule Name: Give the rule a name. Ex: Add lat long

    Click Save.

    The CWAF will now pass along the latitude and longitude of the client in a custom header. These coordinates can also be logged by your web servers.


  • 14.  RE: Flexing with IncapRules

    Posted 02-16-2023 12:05

    Did you know 🤔 IncapRules can be scheduled? 🕑

    For example, the scheduler can be used to redirect requests to a backup site during a scheduled maintenance window to avoid downtime.

    The rule is triggered when requests arrive during the specified times and match all other conditions of the rule filter.

    For syntax, please see: 

    Jaired Anderson

  • 15.  RE: Flexing with IncapRules

    Posted 06-21-2023 13:14

    Use Case: Prevent your site from being loaded in an i-frame

    Rule Filter: Leave this blank

    Rule Action: Rewrite Response Header

    Header Name: X-Frame-Options    

    Add new if missing: Check this box
    Note: This will override an existing header if one is already set from the server/code

    From: Leave this field blank

    Alternatively, you may DENY. For all valid options, please see:

    Rule Name: Give the rule a name. Ex: Block i-frames

    Click Save.

    Jaired Anderson