Imperva Cyber Community

  • 1.  Source IP has violations but it is not shown in the Monitor > Blocked Sources

    Posted 07-28-2022 12:45
    My WAF gateway is deployed in bridge mode between the load-balancer and web servers.

    IP of load balancer: x.x.x.100/24
    IP of web server1: x.x.x.1/24
    IP of web server2: x.x.x.2/24

    I find some traffic with violations from the load-balancer (i.e. source x.x.x.100) to both web servers (i.e. destination x.x.x.1 & x.x.x.2), and the immediate action is block. However, in the Monitor > Blocked Sources, I can't find the address x.x.x.100. This is quite strange.

    Does anyone have similar experience or know why? Or, did I miss checking anything?

    Thanks.
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Ken Chau
    IT Manager
    Central Hong Kong
    ------------------------------


  • 2.  RE: Source IP has violations but it is not shown in the Monitor > Blocked Sources
    Best Answer

    Posted 07-28-2022 13:39
    Edited by Ken Chau 08-08-2022 05:58

    Hi Ken,

    It is likely that your load balancers are defined as "Trusted IPs". 

    This ensures that the load balancer source IPs are never blocked. If they were, then ALL sites behind the load balancer would go down.

    You can check this by accessing:

         Main > Policies > Action Sets > Long IP Block

    Note: You'll want to check "Short IP Block" also.



    On the right, expand the action and check for a value under the "Trusted IPs" section. In the screenshot below, the value is "vivek".

    The value of "vivek" actually refers to an IP/Network list. 

    To confirm the IPs/Networks in this list, access

         Main > Setup > Global Objects

     


    Select "IP Groups" from the Scope Selection, and look for the list name. 



    ------------------------------
    JairedAnderson
    Imperva
    ------------------------------



  • 3.  RE: Source IP has violations but it is not shown in the Monitor > Blocked Sources

    Posted 07-31-2022 23:28
    Hi Anderson,

    Thanks. But I checked that my "Trusted IPs" setting is empty.

    ------------------------------
    Ken Chau
    IT Manager
    Central Hong Kong
    ------------------------------



  • 4.  RE: Source IP has violations but it is not shown in the Monitor > Blocked Sources

    Posted 08-08-2022 05:58
    Hi Anderson,

    Finally, I found that the Trusted IP was configured in the Followed Action Set instead of the default Long IP Block/Short IP Block. So, I think this is effectively working in the same way.

    Thank you!

    ------------------------------
    Ken Chau
    IT Manager
    Central Hong Kong
    ------------------------------



  • 5.  RE: Source IP has violations but it is not shown in the Monitor > Blocked Sources

    Posted 08-10-2022 12:01
    Hi Ken,

    Thanks for the update! That would make sense. Since only a single followed action can be defined, it's common to create a custom followed action that includes both sending the result to a SIEM as well as a long/short IP block.

    I'm glad you were able to confirm.

    ------------------------------
    JairedAnderson
    Imperva
    ------------------------------