Imperva Cyber Community


Cloud WAF Fundamentals: Understanding Key Concepts, Architecture, and Global Security: Questions and Answers


    Posted 09-29-2025 04:45

    Hi Community,

    I wanted to share the Q&A from our recent webinar, Cloud WAF Fundamentals: Understanding Key Concepts, Architecture, and Global Security. If you have any further questions, feel free to reach out!

    1. Is it possible to send traffic directly to the origin server without SSL inspection via Imperva?

    We do accept HTTP traffic. However, for HTTPS, both the traffic from client to PoP and from PoP to origin have to be encrypted.

    2. When I ping a website onboarded to Imperva CWAF, it responds from a US IP, not the nearest PoP. How can we check that it connects to the nearest PoP?

    Some of our IP addresses are registered in the US even though we advertise them in other regions. The best way to check would be to append /_incapsula_resource?NWQ=1 to the end of the URL. For example, https://imperva.com/_incapsula_resource?NWQ=1. It will show you which PoP you are connected to.

    3. Is an IP listed under the Allowlist still monitored, or is it considered as bypassing?

    Unfortunately, IPs listed in the allowlist are not monitored, so it would be good practice to check your allowlist policy regularly. Traffic from those allowed IPs will not be inspected by CWAF.
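Since allowlisted traffic is not inspected, the periodic review the answer recommends is worth automating. The following is an added example (not Imperva's code or an export format of the product) that audits a constructed allowlist: it flags prefixes broader than a policy minimum, entries with no recorded justification, and entries not reviewed within a set number of days. The entry fields, the /24 and 90-day policy values, and the addresses are all assumptions for illustration.

```python
import ipaddress
from datetime import date

# Constructed allowlist export (not real data): CIDR, owner's justification, date last reviewed.
ALLOWLIST = [
    {"cidr": "203.0.113.0/24", "note": "office egress", "reviewed": date(2025, 8, 1)},
    {"cidr": "198.51.0.0/16", "note": "partner range", "reviewed": date(2025, 9, 1)},
    {"cidr": "192.0.2.7/32", "note": "", "reviewed": date(2024, 1, 15)},
    {"cidr": "0.0.0.0/0", "note": "temporary", "reviewed": date(2025, 9, 20)},
]

# Policy values (assumed for this example): anything broader than these prefixes is flagged,
# and an entry counts as stale once its last review is older than MAX_STALE_DAYS.
MIN_PREFIX_V4 = 24
MIN_PREFIX_V6 = 48
MAX_STALE_DAYS = 90


def audit_allowlist(entries, today, max_stale_days=MAX_STALE_DAYS,
                    min_prefix_v4=MIN_PREFIX_V4, min_prefix_v6=MIN_PREFIX_V6):
    """Return {normalized_cidr: [reasons]} for every entry that needs attention.

    Entries with no findings are omitted, so an empty dict means the list is clean
    under the policy values given.
    """
    findings = {}
    for entry in entries:
        # strict=False tolerates host bits being set (e.g. 192.0.2.7/24 -> 192.0.2.0/24)
        net = ipaddress.ip_network(entry["cidr"], strict=False)
        reasons = []

        min_prefix = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen < min_prefix:
            reasons.append(f"broad prefix (/{net.prefixlen})")

        if not entry.get("note", "").strip():
            reasons.append("no justification")

        age_days = (today - entry["reviewed"]).days
        if age_days > max_stale_days:
            reasons.append(f"stale ({age_days} days since review)")

        if reasons:
            findings[net.with_prefixlen] = reasons
    return findings


if __name__ == "__main__":
    for cidr, reasons in audit_allowlist(ALLOWLIST, date(2025, 9, 29)).items():
        print(cidr, "->", "; ".join(reasons))
```

Run it against a real export by replacing ALLOWLIST with whatever the account's allowlist looks like once parsed; the policy thresholds are the part to agree with the application owners.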

    4. Shall we allow good bots from the Cloud WAF built-in options or using the ABP module?

    We should allow them from CWAF, as the first request comes to CWAF and then to ABP; even if it's allowed in the ABP module, it may get blocked by CWAF.

    5. WAF Policy Question ---> How will the block user action work? How does Imperva know which user to block?

    We assign a cookie to each unique user to track the session. If the user is blocked, it will continue blocking the user until a new browser session is established. For cookieless sessions, the user IP address will be blocked for 10 minutes. All these events will be logged under the Security Events page.
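To make the two block behaviours in the answer concrete, here is an added example (not Imperva's implementation) that models them: a user with a session cookie stays blocked for as long as that cookie is presented, while a cookieless request is blocked by source IP with a 10-minute expiry. The in-memory block table, the event tuples, and the sample cookie and IP values are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# From the answer: cookieless sessions are blocked by IP for 10 minutes.
IP_BLOCK_DURATION = timedelta(minutes=10)


@dataclass
class BlockTable:
    """Hypothetical in-memory stand-in for the WAF's per-user block tracking."""
    blocked_sessions: set = field(default_factory=set)   # session cookie values
    blocked_ips: dict = field(default_factory=dict)      # ip -> expiry time
    events: list = field(default_factory=list)           # what a Security Events page would record

    def block(self, session_cookie: Optional[str], ip: str, now: datetime) -> str:
        """Apply the 'block user' action to a request and return the key that was blocked."""
        if session_cookie:
            # Cookie present: the block follows the session, not the address.
            self.blocked_sessions.add(session_cookie)
            self.events.append((now, "block", "session", session_cookie))
            return f"session:{session_cookie}"
        # No cookie to track: fall back to a time-limited IP block.
        self.blocked_ips[ip] = now + IP_BLOCK_DURATION
        self.events.append((now, "block", "ip", ip))
        return f"ip:{ip}"

    def is_blocked(self, session_cookie: Optional[str], ip: str, now: datetime) -> bool:
        """Decide whether a request (cookie, ip) arriving at 'now' is still blocked."""
        if session_cookie and session_cookie in self.blocked_sessions:
            return True
        expiry = self.blocked_ips.get(ip)
        if expiry is not None:
            if now < expiry:
                return True
            del self.blocked_ips[ip]   # 10 minutes elapsed: the IP block lapses
        return False


if __name__ == "__main__":
    table = BlockTable()
    t0 = datetime(2025, 9, 29, 4, 45)
    table.block("sess-A", "203.0.113.5", t0)          # constructed cookie / TEST-NET address
    print(table.is_blocked("sess-A", "203.0.113.5", t0 + timedelta(hours=5)))   # True
    print(table.is_blocked("sess-B", "203.0.113.5", t0))                        # False: new browser session
    table.block(None, "198.51.100.7", t0)
    print(table.is_blocked(None, "198.51.100.7", t0 + timedelta(minutes=11)))  # False: expired
```

The model shows why a session-cookie block and an IP block differ operationally: clearing the browser session ends the first, while the second expires on its own and also affects everyone behind the same address.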

    6. Can Adaptive DDoS be a default post-onboarding?

    We will check with our product management team on this suggestion and update this answer.

    7. Is JavaScript support for L7 DDoS mitigation settings applicable to mobile apps and API-based applications?

    It will not be applicable for mobile apps. For pure API applications, we can set a back-end configuration to turn on DDoS rules specifically for API applications.

    8. What is the advantage of an Imperva-generated certificate?

    The main benefit of using an Imperva-generated certificate over a custom certificate is that Imperva manages the lifecycle, with automated renewals, which eliminates the risk of an expired certificate. No manual upload or configuration is required. The certificate is available within a day.

    9. If we select Adaptive DDoS, it might change every week when traffic has changed, right? We don't need to change the value manually?

    Yes, Adaptive DDoS might update the current threshold automatically (on a daily basis) based on a machine learning algorithm that analyses daily traffic volumes. We can change it manually if you are planning a campaign/sale or a load test.

    10. Can I get this PPT or recording on my email id - sarojk@ metainfotech.com

    If it's allowed, we can get the CSM or Digital CSM for this account to send it to them in PDF format.

    11. How long are access logs stored in Cloud WAF?

    We do not keep access logs for customers due to PCI compliance. The customer has to have a SIEM subscription, and access logs can be pulled or pushed to their own repository.

    12. How does Imperva WAF distinguish between legitimate traffic and sophisticated bot attacks like headless browsers or API abuse?

    Imperva WAF utilizes different levels of signatures and challenges to classify bots and APIs. You can refer to this KB for information about the classification process: https://im-confluence.atlassian.net/wiki/spaces/IN/pages/20086840/Client+classification (We cannot share much information about the classification steps.)

    13. Can you please shed some light on how origin server monitoring works? What are the options available?

    There are 2 types of monitoring that Imperva uses to determine whether the origin is down or not.
    Passive monitoring -- Imperva inspects all incoming live requests and checks what proportion of the requests result in failure. If failed requests cross the threshold defined in the monitoring setting, Imperva assumes the origin server is down and initiates active monitoring.
    Active monitoring -- once Imperva suspects the origin server is down, it will initiate a probe request to the origin server to see if it is really down or not. Imperva sends a request to the path that is defined in the monitoring setting and, depending on the result, marks the server as down or up. Usually Imperva expects a non-5xx response from the origin server.
    By default, active monitoring is performed on port 443 (HTTPS)/80 (HTTP), or we can specify a non-standard port as well.
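The passive-then-active sequence described above, as an added example that is not Imperva's code: a passive stage computes the share of live requests that returned 5xx, and only when that share crosses the configured threshold is an active probe sent to the configured path; a non-5xx probe response keeps the origin marked up, while a 5xx response or a connection failure marks it down. The threshold value, the minimum sample size, the probe path and the probe callback are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Tuple


@dataclass
class MonitorSettings:
    """Stand-in for the monitoring setting referred to in the answer (values are assumed)."""
    failure_threshold: float = 0.5   # share of live requests that may fail before probing
    min_requests: int = 20           # hypothetical: do not judge on a tiny sample
    probe_path: str = "/health"      # the configured path the active probe requests
    probe_port: int = 443            # default per the answer; a non-standard port may be set


def is_failure(status: int) -> bool:
    """Only 5xx responses count as origin failures here; the answer says a non-5xx
    response is what is normally expected from a healthy origin."""
    return 500 <= status <= 599


def passive_failure_ratio(statuses: Iterable[int]) -> float:
    """Passive stage: proportion of observed live responses that failed."""
    statuses = list(statuses)
    if not statuses:
        return 0.0
    return sum(1 for s in statuses if is_failure(s)) / len(statuses)


def origin_state(live_statuses: Iterable[int], settings: MonitorSettings,
                 probe: Callable[[str, int], int]) -> Tuple[str, float, bool]:
    """Return (state, passive_ratio, probed).

    `probe(path, port)` stands in for the active request and returns an HTTP status;
    it may raise an exception when the origin cannot be reached at all.
    """
    statuses = list(live_statuses)
    ratio = passive_failure_ratio(statuses)
    if len(statuses) < settings.min_requests or ratio < settings.failure_threshold:
        return "up", ratio, False          # passive stage sees no reason to probe

    # Passive threshold crossed: confirm with an active probe before marking down.
    try:
        probe_status = probe(settings.probe_path, settings.probe_port)
    except Exception:
        return "down", ratio, True         # unreachable origin counts as down
    return ("down" if is_failure(probe_status) else "up"), ratio, True


if __name__ == "__main__":
    settings = MonitorSettings()
    # Constructed live traffic samples: mostly healthy, then a burst of 503s.
    healthy = [200] * 18 + [502] * 2
    degraded = [200] * 8 + [503] * 12
    print(origin_state(healthy, settings, lambda path, port: 200))    # ('up', 0.1, False)
    print(origin_state(degraded, settings, lambda path, port: 200))   # ('up', 0.6, True)
    print(origin_state(degraded, settings, lambda path, port: 503))   # ('down', 0.6, True)
```

The design point worth noticing is that a passive spike alone never marks the origin down: an application that returns 5xx for a subset of requests still gets a chance to answer the probe path cleanly, which is why the probe path should be one the origin can serve even under partial failure.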

    14. How does Imperva classsifies traffic good bot or bad bot based on traffic?

    Imperva classifies good bot or bad bot traffic based on the requests made by the client in a particular time frame; the classification is a multi-stage process that utilises JS challenges and cookie challenges. In addition, customers can consider the ABP product for persistent bot traffic issues.

    15. What if we don't want a customer to be routed to a certain PoP? Is there a way to configure this?

    Customers cannot choose which PoP their traffic is routed through. If there are compliance requirements, please contact Support; we have a couple of network slices that route only to specific PoPs.

    16. Can you explain about CNAME? When we onboard any URL, I believe we see two CNAMEs? How does it work?

    A CNAME is a type of DNS record. It maps one hostname to another hostname. Example: www.example.com -> 123xyz.impervadns.com. There are instances where multiple CNAMEs are chained until the name finally resolves to an IP address (Anycast).
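The chaining described above, as an added example that is not Imperva's code: a resolver that follows CNAME records hop by hop over a constructed zone table until it reaches A records, recording the chain so the "two CNAMEs" seen after onboarding can be inspected, and refusing loops and over-long chains. The second hop (edge.example-cdn.net), the TEST-NET addresses and the hop limit are assumptions; the first hop uses the hostname from the answer's own example.

```python
from typing import Dict, List, Tuple

# Constructed DNS data (not real records): owner name -> list of (type, value).
# The first CNAME hop is the answer's example; the rest is hypothetical.
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "www.example.com.": [("CNAME", "123xyz.impervadns.com.")],
    "123xyz.impervadns.com.": [("CNAME", "edge.example-cdn.net.")],
    "edge.example-cdn.net.": [("A", "192.0.2.10"), ("A", "192.0.2.11")],  # anycast targets
    "loop-a.example.com.": [("CNAME", "loop-b.example.com.")],
    "loop-b.example.com.": [("CNAME", "loop-a.example.com.")],
}

MAX_HOPS = 8   # assumed guard against runaway chains


def resolve_chain(name: str, zone=ZONE, max_hops: int = MAX_HOPS) -> Tuple[List[str], List[str]]:
    """Follow CNAMEs from `name` and return (chain_of_names, ip_addresses).

    Raises LookupError for a name with no records, ValueError for a CNAME loop
    or a chain longer than `max_hops`.
    """
    name = name if name.endswith(".") else name + "."   # normalise to FQDN form
    chain = [name]
    for _ in range(max_hops):
        records = zone.get(name)
        if records is None:
            raise LookupError(f"no records for {name}")
        cnames = [value for rtype, value in records if rtype == "CNAME"]
        if cnames:
            name = cnames[0]           # a name may carry only one CNAME
            if name in chain:
                raise ValueError("CNAME loop: " + " -> ".join(chain + [name]))
            chain.append(name)
            continue
        # No CNAME at this name: it is the terminal owner of the address records.
        return chain, [value for rtype, value in records if rtype == "A"]
    raise ValueError(f"CNAME chain exceeds {max_hops} hops: " + " -> ".join(chain))


if __name__ == "__main__":
    chain, addresses = resolve_chain("www.example.com")
    print(" -> ".join(chain))   # www.example.com. -> 123xyz.impervadns.com. -> edge.example-cdn.net.
    print(addresses)            # ['192.0.2.10', '192.0.2.11']
```

Against live DNS the same walk is what `dig +trace` or a recursive resolver performs; the point of the table version is to show that the onboarding CNAME is only the first hop, and that every hop along the chain is a name whose control matters for the site's traffic.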

    17. Do IPs added to the DDoS exception list trigger DDoS – Slow HTTP mitigation?

    IPs added to DDoS exception will still trigger DDoS - Slow HTTP mitigation.

    18. With several sites, it would be difficult to put sites into Adaptive mode manually post-onboarding.

    You are correct: manually switching each site to Adaptive mode post-onboarding can be time consuming when managing multiple sites. We recommend using the API -> https://docs-cybersec.thalesgroup.com/bundle/api-docs/page/site-management-api-definition.htm?operationId=operations-Site_Management-modifySiteSecurityConfiguration or Terraform, which allows you to programmatically update site settings across multiple domains. Refer to our documentation -> https://registry.terraform.io/providers/imperva/incapsula/latest/docs


    #CloudWAF(formerlyIncapsula)

    ------------------------------
    Seana Murray
    ------------------------------