Hi Ken,
It is likely that your load balancers are defined as "Trusted IPs".
This ensures that the load balancer source IPs are never blocked. If they were, then ALL sites behind the load balancer would go down.
You can check this by accessing:
Main > Policies > Action Sets > Long IP Block
Note: You'll want to check "Short IP Block" also.
On the right, expand the action and check for a value under the "Trusted IPs" section. In the screenshot below, the value is "vivek".
The value of "vivek" actually refers to an IP/Network list.
To confirm the IPs/Networks in this list, access:
Main > Setup > Global Objects
Select "IP Groups" from the Scope Selection, and look for the list name.
------------------------------
JairedAnderson
Imperva
------------------------------
Original Message:
Sent: 07-28-2022 12:45
From: Ken Chau
Subject: Source IP has violations but it is not shown in the Monitor > Blocked Sources
My WAF gateway is deployed in bridge mode between the load-balancer and web servers.
IP of load balancer: x.x.x.100/24
IP of web server1: x.x.x.1/24
IP of web server2: x.x.x.2/24
I find some traffic with violations from load-balancer (i.e. source x.x.x.100) to both web servers (i.e. destination x.x.x.1 & x.x.x.2), and the immediate action is block. However, in the Monitor > Blocked Sources, I can't find the address x.x.x.100. This is quite strange.
Does anyone have similar experience or know why? Or did I miss checking anything?
Thanks.
#On-PremisesWAF(formerlySecuresphere)
------------------------------
Ken Chau
IT Manager
Central Hong Kong
------------------------------