Imperva Cyber Community

 View Only
Expand all | Collapse all

Required IPs for Inbound clients to whitelist for inbound to sites hosted on Imperva WAF

  • 1.  Required IPs for Inbound clients to whitelist for inbound to sites hosted on Imperva WAF

    Posted 08-15-2022 13:06
    Need some additional confirmation on this please.  What IP do external clients need to whitelist for reaching WAF-hosted websites?

    Scenario: A public client, who whitelists all of their allowed outbound traffic, is trying to reach a website hosted on a sub account on an Imperva WAF frontend.  The published IP for all sites under that sub account is always the same and is an IP on Imperva's subnet = 45.60.0.0/16.

    Question: Which of the following should we instruct the client to whitelist:
    1.  just the IP that the website resolves to (since it is never changing and static)
    2. the entire subnet that this IP belongs to (to be prepared if it should ever change in the future? although the IP has been static for several years.)
    3. All of the Incapsula subnets listed at https://docs.imperva.com/howto/c85245b7  (which appears to only be for WAF-2-backend application WL needs?
    4. other



    #CloudWAF(formerlyIncapsula)

    ------------------------------
    donna
    ------------------------------


  • 2.  RE: Required IPs for Inbound clients to whitelist for inbound to sites hosted on Imperva WAF

    Posted 08-15-2022 13:22
    Hi Donna,

    Number 3 is the preferred solution to ensure continued access.

    We use Anycast for the front end, (Ref: https://www.imperva.com/blog/how-anycast-works/ ) which is why the IPs appear to be static. However, it's possible (though not likely) that these IPs can change at some point. 


    Thanks.

    ------------------------------
    JairedAnderson
    Imperva
    ------------------------------