Professional Documents
Culture Documents
Cloud Application and Network Security 10-12-2022
Cloud Application and Network Security 10-12-2022
Cloud Application and Network Security 10-12-2022
Contents
Get Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Cloud Application Security Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Cloud Security Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Homepage Dashboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Cloud Security Trial. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Onboarding Cloud WAF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Onboarding a Site - Web Protection and CDN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Onboarding and Keeping Your Own CDN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Onboarding FAQ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
WebSocket Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Customer Setup Checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Cloud Maintenance Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Release Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
October 2, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
September 18, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
September 11, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
September 4, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
August 28, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
August 21, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
August 14, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
August 7, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
July 31, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
July 24, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
July 17, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
July 10, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
July 3, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
June 26, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
June 19, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
June 12, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
June 6, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
May 29, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
May 22, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
May 15, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
May 1, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
April 24, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
April 17, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
April 10, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
April 3, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
March 27, 2022 Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
APIv2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1668
API Version 2/3 Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1669
Cloud WAF v2 API Definition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1670
More. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1671
Imperva Data Centers (PoPs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1672
Data Storage Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1674
Dedicated Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1678
CNAME Reuse. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1679
HTTP/2 FAQ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1682
IPv6 Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1686
Basic DNS terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1689
Attack Analytics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1691
Imperva FlexProtect Pro for Application Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1692
In this topic:
• Overview
• My Imperva Services
• Account and User Management
• Help
• FAQ
Overview
The homepage dashboard provides an at-a-glance view of all of your protected assets. It opens by default when you
log in to your account. Alternatively, click Home on the top menu bar. For details, see Homepage Dashboard.
• Open the help menu for links to support, documentation, and more
The sidebar displays a drill-down view based on your selections in the top banner, such as Application services.
My Imperva Services
The services displayed in the Cloud Security Console vary based on your subscription.
• Account Settings
• Sub Accounts
• My Profile
• Client CA Certificates
• Users
• Login Protect • Setup
• Roles
• Subscription
• Single Sign-On (SSO)
• Audit Trail
• Usage Report
Help
Click the Help button on the banner to find links to the product documentation, the latest release notes, Imperva
Support, and more.
FAQ
Where are my websites?
When you enter the Application service area, the Website list is displayed by default.
Website level:
You can update your personal details, including name, email address, and password on the User preferences page.
The Cloud Security Console has an idle timeout of 15 minutes. If your connection is idle for more than 15 minutes, you
will be automatically logged out.
Homepage Dashboard
The Home page provides an at-a-glance view of all of your protected assets. Quickly understand the overall account
status and identify what requires your immediate attention or further investigation.
In this topic:
• Overview
• Account snapshot
• Security
• Performance
• Website configuration posture
• Website Traffic
• Reliability
• Sub accounts
Overview
The home page is displayed by default when you log in to your account. Alternatively, click Home on the top menu
bar.
When viewed from a parent account, the dashboard displays an aggregated view of the metrics for the parent account
and all of its sub accounts.
Note: Aggregated data for accounts and sub accounts was implemented on January 17, 2021. Therefore, when
viewing statistics for earlier dates, the view from the parent account displays metrics for the parent account only.
When viewed from a sub account, the dashboard displays metrics for the specific sub account only.
Select and switch between accounts and sub accounts using the drop-down on the top menu banner.
Data on the home page displays metrics for the selected time range and is available for any time range in the previous
90 days.
Tip: You can customize the dashboard layout. The Arrange button enables you to show/hide sections of the
dashboard, or click and drag to change the order that the sections are displayed on the page. The customized view is
saved per user, per account.
Account snapshot
This section provides a quick view of metrics on all of your protected assets, enables you to select a different time
range, or download an image of the displayed dashboard as a PDF.
Security
View a snapshot of security metrics across your account.
The View security events link opens the Security Events page, enabling you to drill down further.
The links below each metric open the associated website level dashboards, enabling you to drill down into specific
websites.
Section Description
Section Description
Section Description
• Peak traffic: The highest value detected during
the selected time period.
Section Description
Remote File Inclusion, and custom rules
violation.
Performance
View a snapshot of performance and caching metrics across your account.
The View dashboard link opens the Website Performance Dashboard, enabling you to drill down further into specific
websites.
Section Description
Total number of requests sent to sites in your
Total requests
account.
Possible values:
Requests with errors Server: Server and application errors include failed
requests due to responses that do not comply with
the HTTP RFC, server TCP timeouts, server SSL
errors, and servers closing connections.
Section Description
Each data point in the graph represents the average
of the last 10 minutes.
For websites requiring attention in order to be fully configured and secured, click the ellipsis next to each section
to view more details.
Name Description
WAF settings WAF settings for the websites listed do not match
our recommendations.
Name Description
• At least one of the WAF settings for the website
is not set to Block
and/or
SSL certificates
Custom certificates:
Imperva certificates:
Name Description
• Active: The Imperva-generated certificate is
valid.
Website Traffic
View traffic and performance metrics for your websites.
Name Description
(Sessions.) The number of times the website was
Total visits
accessed.
All bandwidth used for responses served from the
Total bandwidth
Imperva cache and from your origin server.
The average number of bits per second of incoming
Average bits/second and outgoing traffic passing between clients and
Imperva, for the selected time range.
Reliability
Get an overall picture of website availability based on the status of your origin servers and connections.
Name Description
Sub accounts
The data reflects Application Security statistics only.
Column Description
Name The name and account ID of the subaccount.
Column Description
The number of visits (sessions) to websites in the
Total Visits
subaccount.
Note: If you are an existing customer interested in a trial for a service you do not currently subscribe to, please contact
an Imperva Sales Representative.
In this topic:
As one example, to get the most out of our application delivery mechanisms, we recommend you identify a domain or
application with static resources. This will enable you to see the full performance benefit our services can offer. You
will also want to be in touch with your application delivery team so they can help you fine tune your setup and best
evaluate the improvements Imperva brings to their application.
How to start the free trial
To start your trial, visit https://www.imperva.com/free-trial/.
After filling out the form, you will receive a confirmation email. Click the link to verify your email address and choose
an account password. This logs you in to the Imperva Cloud Security Console and you can get started by onboarding
your first website.
What's included with the trial?
The trial includes a wide variety of Imperva features and services. After you begin, you can opt in to additional service
trials directly from the Cloud Security Console.
Feature/Service Description
Feature/Service Description
Detection is included. A trial with mitigation is
available as an optional add-on.
You can start an optional free trial for any of these features and services.
DDoS Protection for Individual IPs On the IP Protection page, click Start your free
trial.
On the relevant feature page, click Contact Imperva Sales to Get Started to send an email directly to the Imperva
Sales team. A representative will contact you.
Feature/Service Description
The top menu bar displays the number of remaining days in your trial.
The account Subscription page provides more information on your trial plan and status, and displays the actual date
on which the trial will end.
To open the Subscription page, navigate to Account > Account Management > Subscription.
What happens when the trial ends?
If you have not already subscribed to Imperva, you can expect the following when the trial ends:
• Your websites are reconfigured to bypass Imperva and are no longer protected by the Imperva Cloud WAF.
Important: At this point, Imperva is no longer forwarding traffic to your websites. If you have not changed your
DNS settings to point back to your origin servers, your websites will stop receiving traffic. It is important to
reconfigure your DNS settings before the trial ends to make sure that your websites are always available to
visitors.
• If you choose to subscribe to Imperva services at a later date, your configured sites and settings may still be
available for a short period of time.
Each Imperva site carries a unique CNAME record that is used both for pointing traffic to the Imperva network and also
for identifying the Imperva site in cases where multiple applications share the same Imperva site.
• 80 (HTTP)
• 443 (HTTPS)
In addition, Imperva supports a number of non-standard ports. For the list of these additional ports, see Non-standard
Open Ports.
To use other non-standard ports that are not listed, contact support before onboarding to request a change. Note that
the change can take some time to implement.
Note: If you have already added a site to your Imperva account and want to add an additional site, go to the
Cloud Security Console Websites page and click Add website.
2. In the Add a website field, enter the full domain name (including the subdomain prefix, such as www) of your
site. For example, www.mydomain.com.
Alternatively, click Advanced configuration to manually set your web server IP/CNAME and skip the automated
DNS check for the origin IP. This enables you to prepare the site but configure DNS at a later time. The options
include:
3. Click Add website. The following is displayed, showing information automatically collected by Imperva about
your site:
If your site has SSL support, then HTTP + HTTPS is displayed in this window. Click the Continue button to
configure SSL support for your site in Imperva, as described in Step 2: Configure SSL support for secure sites.
If your site is not SSL protected, then skip to Step 3: Get an Imperva DNS A Record / CNAME Record.
Step 2: Configure SSL support for secure sites
Imperva acts as an HTTPS proxy and terminates connections in front of the end users. For this reason, a second SSL
certificate (or actually multiple copies of the same certificate) needs to be installed on the Imperva proxy servers, in
addition to the one already installed on the origin servers. This certificate is the one that is visible to the end users.
When onboarding a site on Imperva proxy servers, you can have Imperva generate a certificate for it, use your own
certificate, or skip certificate creation and complete the process in the future.
To begin onboarding your site, choose from one of the following options:
• Option A: Configure SSL for an active site - This default option instructs Imperva to generate a new certificate for
the site. The Certificate Authorities that certify these certificates for Imperva are required to validate the
customer’s ownership of the domain, a process that requires two consecutive changes in the DNS.
• Option B: Configure SSL for a new site - This 1-step option quickly generates an Imperva certificate for your site
and requires only a single change in the DNS. Imperva validates your ownership of the domain, but blocks
access to the site for approximately 5 minutes until the process is completed.
• Option C: No Imperva certificate - This option lets you onboard a new site without any certificate, then configure
a custom or Imperva certificate for it in the future.
Note: At any stage during the registration procedure, you can click the Configure Later button to return to the
Websites page without generating an SSL certificate for the site. The Websites page displays the new site with a status
indicating that configuration is not complete. At a later stage, you can configure a certificate for it directly from the site
settings. In such a case, new DNS instructions will be provided and you will need to configure its DNS records
accordingly.
During configuration and preparation of your Imperva certificate, your site will remain accessible. Once the new
Imperva SSL certificate is ready, you can point the traffic to Imperva.
1. From the Configure SSL for an active site option, select a SANs configuration for your site.
Add wildcard domain SAN: *.com Adds the wildcard SAN to the Imperva SSL
certificate instead of the full domain SAN.
3. The Certificate Authority is required to validate ownership of the domain. Select one of the following methods
described below:
▪ Validate by e-mail
2. Click the Record type dropdown and select one of the following:
▪ CNAME: This option ensures automatic revalidation of the site in the future by Imperva.
▪ TXT: This secondary option is for organizations that do not allow the use of a CNAME for site
validation or do not want Imperva to automatically manage this site's revalidation in the future.
3. Log into your DNS management console and open your DNS Zone file. If you are using a DNS management
service, log into it to make the change.
4. Set the Record type to match what you selected from the dropdown.
5. Copy the Host string into the DNS Record name field:
CNAME example: _delegate_validation.<domain>
This defines your domain's delegation to Imperva.
TXT example:
CNAME example:
TXT example:
7. On the Activate SSL Support page, click I added the records button (it will match your Record type
selection). Imperva verifies that the value of the new record(s) has been added to your DNS zone file. This
may take a few minutes.
2. Select an email address from the drop-down menu where you want to receive the validation link. The
drop-down menu is populated with default emails for the domain (e.g. admin@, administrator@, etc.). To
add emails to this list, see Adding Emails for Ownership Validation.
You can test whether these email addresses are correct by clicking the Send a test email to all the
addresses link which sends test emails to all the listed addresses. This enables you to check whether you
receive these emails, thus indicating that the addresses are correct. The test emails sent in this manner do
not contain a validation link.
3. When you have selected an email address from the drop-down menu, click the Send button. Imperva
sends the validation email to the selected address.
4. Open the email you received and click on the validation link.
5. On the Activate SSL Support page, click the I clicked the link button to indicate that you have clicked
the link in the validation email.
After website ownership has been validated, Imperva starts the process of issuing a new SSL certificate for the site,
which is typically completed after a few minutes. After a message pops up indicating that the certificate was issued
successfully (you do not have to remain in this window), continue to Step 3: Get an Imperva DNS A Record / CNAME
Record.
Note:
While waiting for the certificate to be issued, your site remains available as it was previously. Traffic is not yet being
diverted through Imperva. After the certificate is ready, Imperva sends DNS instructions for onboarding.
If, for any reason, the issuing of this new SSL certificate is not completed promptly, a message is displayed and you
will receive an email notification when the certificate is issued.
Onboard a new HTTPS site that does not have traffic, or one that can go offline temporarily, and configure an Imperva
SSL certificate in one step. Since Imperva validates the domain by HTML after you update the DNS, this option
eliminates the need to validate domain ownership via email or by adding a TXT record to the DNS . During this
process, your site will not be accessible for approximately 5 minutes until Imperva generates the new SSL certificate
for the site.
From the Configure SSL for a new site option, the SANs configuration is automatically set to Add full domain.
Note: Adding a wildcard domain SAN to the certificate is not supported for this option.
1. For sites with the www prefix, you can check the Add naked domain SAN option to include it in the Imperva
SSL certificate.
2. Click Continue for instructions on how to update your DNS records, as explained in Step 3: Get an Imperva DNS
A Record / CNAME Record.
When you onboard a new HTTPS site with the No Imperva certificate option, it will not receive any SSL traffic until
you upload a custom certificate, which will then be presented only to SNI-supporting clients. For details, see Upload a
Custom Certificate for Your Website on Imperva.
Note: If your site also needs to serve non SNI-supporting clients, it requires an Imperva certificate. Select one of the
following to install an Imperva certificate:
Click Continue for instructions on how to update your DNS records, as explained in Step 3: Get an Imperva DNS A
Record / CNAME Record.
Note:
• The certificate must include the SAN for the website’s domain.
Step 3: Get an Imperva DNS A Record / CNAME Record
After you click the Continue button, the Change your DNS records screen appears with instructions on how to setup
a DNS A record(s) / CNAME record. The content of this screen varies according to your network and the type of site you
are onboarding:
• If you entered a full domain name, then two IP addresses are provided to which to configure your site’s DNS A
Records for each IP. In addition, the domain name to which to configure your site’s CNAME Record is also
provided.
• If you entered a subdomain name, then a CNAME Record is provided to which to configure your site.
2. Create or update your site's records, as instructed on the Change your DNS records screen.
1. Update the A Record for your naked domain (for example, mydomain.com) so that it points to the IPs
provided by Imperva for the A Record. Imperva provides you with two different A records for the sake of
redundancy, and you will need to configure both of them for the naked domain. These IPs point to the
Imperva PoPs closest to the location where your application is hosted.
Note: The A records of your non-HTTP/S DNS records (such as ftp.mydomain.com or mail.mydomain.com)
must remain pointing to your origin web server and not to Imperva, which means that you should simply
leave them "as is" in the DNS Zone file.
Imperva provides full support for sites using IPv6. If your DNS records contain an AAAA record, Imperva
will also provide two AAAA records to replace the existing AAAA record.
2. Create or update the CNAME Record of the full domain of your site so that it points to the domain
provided by Imperva. Remember, the full domain includes the subdomain prefix, such as
www.mydomain.com or subdomain.mydomain.com. If an end user types in the subdomain, then Imperva
uses the CNAME Record and provides service from the PoP that is closest to you.
3. On the Change your DNS records screen, click the Validate button to verify that the records were updated
correctly.
4. If you selected the Configure SSL for a new site option, then the Status Check section also appears on the
screen. After your DNS records are successfully validated, click the second Validate button to verify that
5. Click Done to view the new site's settings or View all websites to view the current configuration status for your
new site on the Websites page.
For more details on the Websites page, see Web Protection - Websites
Note:
• We strongly recommend that you change the IP address of your origin server. This will render any archived IP
records obsolete, and new searches will display only the Imperva IP address.
• You can disable Imperva web protection at any time. When web protection is disabled, traffic gets routed
directly to the origin and not through the Imperva network.
How To
Read More
• Onboarding FAQ
• Web Protection – Introduction
• Web Protection - Websites
This is achieved by pointing the website domains to Imperva and configuring the other CDN addresses as the origin
servers on Imperva.
Parallel to Your CDN
The traffic is separated by assigning different sub-domains of the different traffic types. This is usually done by adding
a static.domain.com sub-domain for all static resources and pointing that sub-domain to the other CDN, while
pointing all other domains to Imperva.
In Back of Your CDN
This is achieved by pointing the site domains to the other CDN and configuring the Imperva CNAME as the origin
servers in the other CDN.
Note: This configuration requires XFF header support on your existing CDN. For example, X-Forwarded-For, True-
Client-IP, or another header used by your CDN for identifying the originating IP address of the connecting client.
Onboarding FAQ
Answers to some common questions about getting started with Imperva Cloud Application Security.
Once you have completed the DNS instructions that were provided as part of the “Add Site” wizard, visitors to your
website will be gradually routed through the Imperva network. This process can take anywhere from 5 minutes to 24
hours according to your DNS entries' TTL (Time to Live).
Visitors routed through Imperva will receive an enhanced user experience as pages will load faster when served by our
CDN.
Imperva does not add any latency to your site. In fact, Imperva makes your site load faster and consumes less
computing and bandwidth resources.
Adding your domain to Imperva can take as little as 5 minutes. If your website supports SSL, the onboarding process
might take a bit longer, but typically not more than a few hours to complete the entire process.
Yes. Each domain needs to be added to Imperva separately and has its own dashboard and configuration.
Does Imperva support websites hosted in cloud providers such as AWS or Azure?
Yes. In some cases the origin server address will be defined on Imperva as a CNAME rather than an IP.
Yes. Here's how to add your domain to Imperva while managing your DNS on Cloudflare:
1. Log in to your Cloudflare account and navigate to the DNS management screens.
2. Disable the Cloudflare HTTP service for the domain. (Typically an orange Cloudflare logo indicates that you are
using Cloudflare’s HTTP services.)
3. Add your domain to Imperva.
4. Use the DNS instructions provided by the Imperva Add Site wizard to configure your DNS entries on Cloudflare.
I already have a CDN. Can I use Imperva just for the security service?
Yes. You can add Imperva in front of or behind another CDN. Read more about this setup here: Onboarding and
Keeping Your Own CDN.
The Imperva service includes a Layer 7 load balancer capable of supporting multiple IPs and multiple data centers.
Each A record maps a domain name to a different IP address. Having more than one A record enables redundancy,
which ensures continuity of service if one of the servers goes down.
Will I need to change my hosting provider / registrar / name server in order to use Imperva?
No. The only thing you need to change is the setting of your domain DNS record, which needs to point to Imperva.
Website: A destination on the Internet and the SSL certificate, if used, for that destination. A destination is either a
public IP address or a CNAME.
Domain: Enables multiple websites or applications to resolve to a single destination. As long as these websites have
the same destination and SSL certificate (where applicable), they can be combined and routed together through the
system using just one website license. If multiple websites resolve to the same IP address, or CNAME, but have
different SSL certificates, they must be configured on the system separately and require individual licenses in order to
avoid SSL mismatch errors.
Using a single website license and configuring multiple websites together in the Imperva system results in all sites
being combined together into a single unit. These sites are reported and managed (security and acceleration policies)
as a single unit. If you require granular reporting or separate site management for some or all sites, it is important to
configure those sites individually in the Imperva Cloud Security Console.
WebSocket requests must be in accordance with RFC 6455 (http://tools.ietf.org/html/rfc6455 ) and in the following
standard format:
Client request:
GET /chat HTTP/1.1
Host: server.example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
Origin: http://example.com
Server response:
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk=
Sec-WebSocket-Protocol: chat
Is Google AMP supported?
Yes. Imperva supports AMP pages natively, which means no injections will be made into AMP pages.
In order for an HTML page to be identified as an AMP page it must start with “<html amp” or “<html ▪”. Pages starting
with “<html anyothertext ▪” will not be identified as AMP pages.
You can download a copy of the SLA in pdf format from the Cloud Security Console's subscription page (Management
> Subscription).
WebSocket Support
This topic describes how Imperva handles WebSocket communication.
Imperva supports WebSocket communication by default. WebSocket requests must be in accordance with RFC 6455
(http://tools.ietf.org/html/rfc6455 ).
For compatibility with HTTP, the WebSocket handshake uses the HTTP Upgrade header to change the connection
from HTTP to WebSocket.
Imperva supports this functionality, using the HTTP Upgrade header mechanism, along with a few protocol-specific
headers, to switch the connection from HTTP to the WebSocket protocol.
After the protocol is successfully switched, Imperva passes WebSocket protocol traffic between the client and your
origin server as is, without inspection by the Cloud WAF.
Example
Client request:
Server response:
In order to prevent timeouts, you may want to align your application timeouts with the default Imperva timeouts.
• Provide a series of checks to make sure the customer’s environment is properly aligned with Imperva.
• Provide a series of checks that the customer should perform when setting up the Customer account using
Imperva’s management portal.
• Provide a series of checks that the customer should perform on each of the domain settings using Imperva
services. The domain checklists are divided into two parts:
• Domain settings checks to be performed on the Imperva management portal before activating the
service.
• Checks to be performed after activation of the Imperva service.
Terminology
Imperva Account – This is the entity through which a customer enables website traffic to be handled through the
Imperva solution. The Imperva account is where the customer can configure settings for his domain, review website
performance and monitor traffic statistics.
Portal – This refers to the Imperva Cloud Security Console. The customer can login to the portal, change settings and
review statistics and analytics about traffic routed through Imperva.
Top 10 - Quick Setup Checklist
The following checklist can be used for quick setup purposes. It covers the ten most important checks from the full
setup procedure and in most cases is sufficient to get you started.
However, for best results, we recommend performing the full set of checks as detailed in the subsequent sections of
this document.
The following checklist items should be verified/ performed for each new domain that is added to the account.
Control section.
If your application serves
non-browser clients (e.g.,
monitoring service,
application API, etc.),
please make sure these
clients are well defined in
(e.g., monitoring service,
your Imperva security
application API, etc.) to
policy.
the “bot access control”
It is possible to add
exception list.
exceptions based on:
URL, Visitor, IP, Country,
User Agent, or a specific
parameter. Exception
rules will override all
other “Bot Access
Control” rules.
You may edit your
security settings in the
Portal area: Settings >
case you need to restrict
5. Block Specific Resources Security > Block
access to your site from
Resources
specific countries, IPs or
certain URLs.
Portal area: Settings >
Security > Block
Resources. Traffic from
You may edit your these IPs will not be
security settings in the filtered by Imperva
case you need to allow security rules and will
6. Whitelist Specific Sources
access to your site with never be denied access to
no inspection from a your site. You can enter
specific IP. single IPs, IP ranges or
subnets (e.g. 192.168.1.1,
192.168.1.1-192.168.1.100
or 192.168.1.1/24).
Portal area: Settings >
WAF. By default, the WAF
rules are set to the Block
Make sure that the default Request option. The only
Web Application Firewall action for detecting WAF exception is the Cross Site
7.
(WAF) threats matches your Scripting rule, which is set
policy to Alert Only. You can
change the threat default
actions to one of the
block options or Ignore.
Make sure to adjust the Portal Area: Settings >
DDoS policy trigger based WAF > DDOS Click
8. DDOS settings
on the expected traffic Advanced settings (pop
rate and your web up page will display). If
Imperva actively protects the site only after the customer switches the site’s DNS settings to Imperva records.
domain protected by
Imperva. Check that the should reflect samples of
dashboard displays the the current session
request information and connected to the site
that the client receives through the Imperva PoPs
the content.
If you have uploaded your
Make sure the SSL is
own certificate to the
properly configured.
Portal, your certificate
Generate an HTTPS
will be used only for SNI
request to your site using
supporting web clients
3. SSL Test a web browser and check
(e.g., all modern web
that the correct certificate
browsers). Otherwise, the
is displayed (either
Imperva generated
Imperva or your own
certificate will be
custom certificate).
displayed.
Generate real traffic from
It’s important to verify
your API clients and other
that there are no service
non-browser services to
interruptions after
4. Non-browser clients test validate that the site’s
switching to Imperva DNS
security policy for non-
for API clients, bots,
browser clients is well
monitoring services, etc.
defined.
Portal area: Websites >
Dashboard > Security
maintenance information
and system status.
Scheduled Maintenance
Required for:
See also:
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader:
https://docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
When configuring a custom mitigation strategy for your website, you can now assign the Tarpit mitigation action in
addition to the existing Block and Captcha actions.
Tarpit mitigation delays the connection for the login request without immediate notification to the client. This leads
to confusion about the request status, causing the attacker to waste more of their time and resources.
To enable this method, you define a role in your S3 bucket policy that grants Imperva permission to upload log files to
the destination path/folder you specify.
Availability: The option is currently available via the UI for the Advanced Bot Protection (ABP) and Network Security
(DDoS Protection for Networks/IPs) services using the SIEM integration.
For details on configuring this new connection method, see Configure the SIEM Log Integration.
Time range change in Network Protection dashboards
To enhance caching and performance, the following change was made to the Network Protection dashboards.
When selecting a time range of the last 7, 30, or 90 days, the time period is now rounded to the last hour.
What changed: Previously, the time range was based on the exact time that the dashboard was loaded.
• The time range for the last 24 hours is not rounded. For example: 12 Jul 2022 07:35:00 – 13 Jul 2022 07:35:00.
• The custom range option always spans from 00:00 on the first day to 23:59 on the last day of the range.
New version of the Imperva Terraform Provider
Version 3.8.6 of the Imperva Terraform Provider is now available.
For more details on the Imperva resources, see the Terraform Registry.
Heads Up: Removal of old Performance and Traffic dashboards
As of October 23, 2022, the Performance and Traffic tabs of the old Website Dashboard page will no longer be
accessible.
The new website Performance dashboard covers both of these areas and introduces improved usability, faster
investigation time, as well as more actionable data.
For more details about the new dashboard, see Website Performance Dashboard.
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
Imperva's Near Real-Time SIEM solution sends security event logs for Imperva's cloud services to your S3 cloud
storage repository.
What changed: Once you configure the integration, your account is automatically onboarded to the new Near Real-
Time SIEM mechanism within several minutes. Previously, the onboarding was performed manually by Imperva.
Where it’s located: Configure the settings on the legacy log integration page and select the S3 method. In the Cloud
Security Console, open the SIEM Logs > WAF Log Setup page. For details on setting up the integration, see Cloud
WAF Log Integration.
For details on Imperva Near Real-Time SIEM, see Near Real-Time SIEM Log Integration.
DDoS Protection for Networks: Automated confirmation calls for on-
demand customers
When a DDoS attack is detected, a member of our Network Operations Center (NOC team) calls customers who are
working in on-demand mode and have requested confirmation before their network ranges are diverted through
Imperva.
What changed: This phone call has now been replaced by an automated call, notifying you more quickly when a
DDoS attack is detected.
During the automated call, you have the option of connection to a Support engineer, if needed.
Availability: We are gradually rolling out this change to the applicable customers over the next several weeks.
What changed:
• Bulk updates: Select multiple users and more quickly update their settings (Lock users, Delete users and Reset
password).
• Columns that were removed: Creation Date (now appears under a user's name on the Settings panel),
Two Factor Status (reduced performance), and User ID (replaced by email).
• Filters: Refine results by specifying definitions from Status, Roles and External users.
• Set as account admin: Update a user directly from the Actions menu (Settings panel).
• Roles: Search the enhanced view of an assigned role with enabled permissions, as well as associated services
and types.
Where it’s located: Account (top menu bar) > Account Management, which opens User Management (side menu
bar) > Users.
Rollout and migration: In this release, we are introducing the new Account Users page to selected, direct customers
(not resellers). We will provide updates in future release notes about the continued rollout. To request access to the
new page at an earlier date, contact Support.
New My Profile page with Identity Management
Over the next several weeks, we are starting to gradually roll out the new My Profile page, under User Management. It
provides usability enhancements that enable users to view and update their personal settings more easily.
What changed:
• Multi-factor authentication: Users can now configure additional methods for receiving a passcode: Okta Verify
app and phone call.
• API keys: Users can now create and update API keys (up to 5), which are dependent on their user-defined roles
and permissions, directly from their My Profile page.
Note: Users with limited permissions that have access to the new My Profile page will no longer be able to
access API keys from User Management > API Keys.
For more details, see User with limited permissions, under API Key Management.
• Roles: Users can now view their assigned roles with enabled permissions, as well as associated services and
types.
Where it’s located: Account (top menu bar) > My Profile, which opens User Management (side menu bar) > My
Profile.
Rollout and migration: In this release, we are introducing the new My Profile page to selected, direct customers (not
resellers). We will provide updates in future release notes about the continued rollout. To request access to the new
page at an earlier date, contact Support.
Policies API response has changed
To align with our current API standards and conventions, the response for invalid JSON errors is now returned in a
single structure that is more traceable and detailed. Previously, the API response for invalid JSON errors returned
different responses and was harder to track.
Details of the specific error type are provided within the new response structure.
For example:
"headers": {},
"body": {
"errors": [
{
"status": 400,
"id": <trace_id>,
"source": {
"pointer": "<route>"
},
"title": "unexpected value at: …."
}
]
},
"statusCodeValue": 400,
"statusCode": "BAD_REQUEST"
}
Note: This change applies only to invalid JSON errors. The response structure of other errors remains unchanged.
What changed: Previously, you could define an exception on a specific URL. Now you can configure the exception
according to any of the following options:
For more details on policies and configuring exceptions, see Create and Manage Policies.
Updates to SAN status definitions
The SAN details table (SSL Certificates page) now displays the following updated status definitions:
• SANs that had the Published status now display the Validated status.
• SANs that are set for automatic validation are now tagged Automatic and have the In Process status, instead of
Pending user action.
Where it’s located: From the Cloud Security Console > Application > SSL/TLS (side bar) > SSL Certificates >
Certificates: SAN.
For more details, see SAN details under View SSL Certificates.
Waiting room visitor page template updated
The default HTML template used as the basis for the waiting room page that is displayed to your website visitors has
been updated.
The following placeholder variables used for template validation were added:
• $WAITING_ROOM_LOADER$ - Used to validate the loading of the page. This parameter is mandatory and should
not be modified or deleted.
• $WAITING_ROOM_WRAPPER$ - Used to validate the content of the template. This parameter is mandatory and
should not be modified or deleted.
Where it’s located: On the Add/Edit Waiting Room page, under HTML Customization.
Root cause:
For enhanced data fetching performance and loading of historical data for large accounts, the fetching resolution was
changed. This resulted in a discrepancy between the usage displayed on the Account Dashboard, and the usage
displayed in the Usage Report.
Impact:
There was no impact on billing. The usage displayed on the Account Dashboard is used for informational purposes
only. To view account usage data that is used as the basis for billing your account, see the Usage Report.
The fix:
• The label and tooltip of the Usage column were updated to remove reference of the 95th percentile and clearly
state that this data is not used for billing purposes. A link to the Usage Report was also added to the tooltip.
• The 95th percentile indicator on the Website Traffic > Bits per second chart was deemed irrelevant and
confusing and was removed.
• Account Dashboard: When you log in to the Cloud Security Console, the account dashboard is displayed by
default. Alternatively, click Home on the top menu bar.
• Usage Report:
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
Previously, connections could be created in the parent account only, and were then shared by the parent and sub
accounts.
Where it’s located: Connections are defined in the Cloud Security Console on the Network > Network Protection >
Connectivity Settings page.
For details on enabling and working with this feature, see Sub Account Support.
Advanced Bot Protection: New Mobile SDK versions
New versions of the ABP mobile SDKs for iOS and Android are now available.
This release adds the collection of additional biometrics information including gyroscope and rotation data. The SDK
module sends the collected data back to ABP, improving bot analysis.
To turn on the new functionality, use the SDK’s Protection object. It is not enabled by default.
The SDK code (apart from the API signature classes) is obfuscated using DexGuard to protect intellectual property. If
you do not exclude this code from any subsequent obfuscation of your application, this can cause runtime errors. The
release includes ProGuard rules to prevent double obfuscation and a sample mobile application built with ProGuard
to illustrate this. In addition, the modules obfuscated code is now rationalized under a single well known package
path to simplify exclusion for other obfuscation tools (i.e. other than ProGuard).
You can download the new versions from ftp://ftp-us.imperva.com or ftp://ftp-eu.imperva.com. For more information,
see Downloading the ABP SDK Software.
For more information on the SDK, see Working with ABP SDK.
Refactored Security Events page
We have made significant backend improvements to the Security Events page and are starting a gradual rollout of
this change.
Availability: We are gradually rolling out this improvement over the next several months. It may not be immediately
available in your account.
What changed: There are currently no major visible changes to the page. We have implemented this change in
preparation for the development of new features in the near future. Minor noticeable changes include:
• Newer events are using the new infrastructure, while older events continue to be based on the previous
infrastructure. When you move from a time range that is using the old infrastructure to one that is using the new
infrastructure or back again, a pop up is displayed indicating that the page has been redirected by Imperva. For
example, if you view data for the last 7 days, and then select the option for the last 30 days, the page is
redirected.
Data for all time ranges will eventually be based on the new infrastructure and available on the current page, so
users will no longer be redirected.
• Current page: The URL includes events-page in the path. (No change.)
• New page: The URL includes event-page-ng in the path. (Accounts rolled out with new infrastructure
will be temporarily redirected to this new path, depending on the data range selected. After
approximately 90 days of time range data has been collected, the URL redirect will be removed.)
• When viewing an event on the new page, the Policy ID of a triggered policy is now part of the request details.
Previously, it was part of the session details. Similarly, the Edit policy option is now available at the request
level instead of at the session level.
For more details on the Security Events page, see View Security Events.
Heads Up: API Security Role-Based Access Control
As part of an effort to enhance administrative security, role-based access control will be enforced in API Security
starting October 23, 2022. Two permissions are added:
• View All API Security allows read access to API Security. Users with this ability as part of their role definition
will be limited to viewing API security configurations, inventories, and events.
• Edit All API Security Configs allows the user to edit API Security configurations.
The predefined Reader role will include the View All API Security permission by default.
Customer admin users can add these permissions to their custom defined roles if users with custom roles need access
to API Security.
Because role-based access control was not enforced on API security in the past, some users will lose access when the
enforcement takes place starting October 23, 2022. For example, users with the default Reader role will lose the
ability to edit API Security configurations. Users with only custom roles will lose all access to API Security if
permissions are not added to the custom roles.
Recommended action: You are encouraged to review all user roles that use API Security before October 23, 2022 to
ensure proper access is enabled, especially for users with custom roles.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
What changed: A link to the Support Portal will replace all existing email references throughout all system files,
product UX, email templates and documentation.
For details and to claim your Support Portal access, visit the Imperva Support & Services blog.
"Download Bandwidth History" button removed
The Download Bandwidth History button that enabled you to download bandwidth data for the current and two
previous billing cycles was removed from the Subscription page.
Instead, you can access an extended usage history for your account in the following ways:
• The Usage Report provides an enhanced view of your account’s bandwidth usage per service over time,
enabling you to easily understand usage trends and quickly detect overages in your account. You can also
download the report.
Where it’s located: In the Cloud Security Console, navigate to Account > Account Management > Usage
Report.
• The Usage Report API enables you to retrieve bandwidth usage history for your account.
What changed: When drilling down on an endpoint shown on the Inventory page, multiple data types are now
indicated for each parameter of the endpoint.
Enabled: 1-step HTTPS setup in the Website Onboarding Wizard
The Configure SSL for a new site option is once again enabled and now appears in the Site Onboarding wizard. It lets
you onboard a new site in 5 minutes and eliminates the need to complete validation of domain ownership via txt or
email. This option is suitable for a domain that does not have traffic. It was initially announced in the June 26, 2022
Release.
For more details, see Configure SSL for a new site, under Onboarding a Site – Web Protection and CDN.
For more details on APIs, see Cloud Application Security v1/v3 API Definition.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
What changed: Previously, the divert and revert actions were only performed by Imperva, either automatically or via
Support.
Now, you can divert your ranges directly from the Cloud Security Console as needed. For example, this can be useful
when:
• Imperva has attempted to contact your organization but you could not be reached. You then receive email
and/or SMS notification from Imperva that you are under attack and can immediately divert your ranges.
• You want to divert a range to test performance when your traffic is diverted to Imperva. Previously, this required
a Support Ticket.
• You want to avoid reverting traffic back to your network during peak business hours. You can now choose to
revert traffic before the end of Imperva’s “clean traffic waiting period”, or optionally extend the diversion by an
additional 72 hours during which time you will be able to schedule the revert.
Note: The on-demand divert option applies only to ranges whose diversion is controlled by Imperva. If you are
controlling your ranges, by starting/stopping BGP advertisement or adding/removing the "no-export" community,
you cannot manually divert those ranges.
• On the Network Security Dashboard. In the Cloud Security Console, navigate to Network > Network Protection
> Dashboard and click the Security tab. The On-Demand Diverted Ranges widget is displayed in the banner.
Click Configure to diver/revert your ranges. For details, see Security Dashboard: DDoS Protection for Networks
and IPs.
• Via the API. For details, see Network Range Diversion API Definition.
Availability: We are gradually rolling out this feature to our customers. It may not be immediately available in your
account.
For more details on this feature, see Control Network Range Diversions.
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
1. When you log in to the Cloud Security Console, the account dashboard is displayed by default. Alternatively,
click Home on the top menu bar.
• Homepage Dashboard
What changed: In the API Security > Inventory page, you can now see HEAD and OPTIONS methods under the APIs
Inventory section.
New Imperva Data Center in Manilla, Philippines
We are starting to roll out a new data center (PoP) in Manilla, Philippines and expect it to be fully functional within the
next few weeks.
The Manilla PoP is the newest addition to our world-wide network of 50 data centers, helping you deliver your
applications securely and optimally across the globe.
For the full list of PoPs, see Imperva Data Centers (PoPs).
Heads Up: Removal of "Download Bandwidth History" button
On August 28, 2022, the Download Bandwidth History button that enables you to download billing date for the
current billing cycle and two previous billing cycles will be removed from the Subscription page.
Instead, you can access an extended usage history for your account in the following ways:
• The Usage Report provides an enhanced view of your account’s bandwidth usage per service over time,
enabling you to easily understand usage trends and quickly detect overages in your account. You can also
download the report.
Where it’s located: In the Cloud Security Console, navigate to Account > Account Management > Usage
Report.
• The Usage Report API enables you to retrieve bandwidth usage history for your account.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
What changed:
• In the Website Traffic > Top websites section, an option was added to sort the list of websites according to
their API call count.
• In the Traffic by Geo Location section, an option was added to view the traffic distribution by API calls.
Where it’s located: When you log in to the Cloud Security Console, the account dashboard is displayed by default.
Alternatively, click Home on the top menu bar.
• Homepage Dashboard
For example:
Instead, you can access an extended usage history for your account in the following ways:
• The Usage Report provides an enhanced view of your account’s bandwidth usage per service over time,
enabling you to easily understand usage trends and quickly detect overages in your account. You can also
download the report.
Where it’s located: In the Cloud Security Console, navigate to Account > Account Management > Usage
Report.
• The Usage Report API enables you to retrieve bandwidth usage history for your account.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
What changed: A new section called Data Classification was added to the API Security Settings page. When you set
the data labels to Sensitive and Visible, they are displayed in the API Security > Dashboard and API Security >
Inventory (Discovered APIs and My APIs tabs) pages.
For more details, see: Settings, Discovered APIs Dashboard, Discovered APIs (Inventory) and My APIs (Inventory)
pages.
Account Takeover Protection: View dashboard data per login endpoint
If you have defined multiple login endpoints for a website, you can now display data for an individual endpoint.
What changed: By default, the ATO Dashboard displays data for all endpoints simultaneously. You can now select an
endpoint from the new Endpoint Selection drop-down. The dashboard is then refreshed and displays data for the
selected endpoint only.
Note: The User Anomaly section on the Dashboard is not currently refreshed by the endpoint selection and continues
to display data for all endpoints.
For more details on the Account Takeover Protection dashboard, see Explore the Data.
Time range change in dashboards
To enhance caching and performance, dashboard data is now provided as follows:
When selecting a time range of the last 7, 30, or 90 days, the time period is now rounded to the last hour.
What changed: Previously, the time range was based on the exact time that the dashboard was loaded.
• The time range for the last 24 hours is not rounded. For example: 12 Jul 2022 07:35:00 – 13 Jul 2022 07:35:00.
• The custom range option always spans from 00:00 on the first day to 23:59 on the last day of the range.
Availability:
• The change was implemented for most dashboards in the Cloud Security Console and will be rolled out to the
remaining dashboards at a later date.
• This change does not apply to the Security Events page, which will continue to reflect the exact time period
requested. For example: 06 Jul 2022 07:35:00 – 13 Jul 2022 07:35:00.
Certificate Management pages have moved
In preparation for upcoming enhancements to Imperva’s Certificate Management capabilities, the following changes
were made in the Cloud Security Console:
Instead, you can access an extended usage history for your account in the following ways:
• The Usage Report provides an enhanced view of your account’s bandwidth usage per service over time,
enabling you to easily understand usage trends and quickly detect overages in your account. You can also
download the report.
Where it’s located: In the Cloud Security Console, navigate to Account > Account Management > Usage
Report.
• The Usage Report API enables you to retrieve bandwidth usage history for your account.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
Deprecation of WAF settings API and Terraform
Following the migration of WAF settings to the new WAF Rules policy, the old WAF setting APIs and Terraform
resources are now deprecated.
The WAF Rules policy type enables you to easily manage your mitigation settings for website WAF rules in a central
policy, while still benefiting from the default out-of-the-box policies. You can define a policy once, and apply it to
multiple websites in your account.
• /api/prov/v1/sites/configure/allowlists
• /api/prov/v1/sites/configure/whitelists
• /api/v1/sites/{SiteId}/settings/rules/
SQL_INJECTION/exception
API
• /api/v1/sites/{SiteId}/settings/rules/
CROSS_SITE_SCRIPTING/exception
• /api/v1/sites/{SiteId}/settings/rules/
ILLEGAL_RESOURCE_ACCESS/exception
• /api/v1/sites/{SiteId}/Settings/rules/
REMOTE_FILE_INCLUSION/exception
• api.threats.cross_site_scripting
Terraform
• api.threats.illegal_resource_access
• api.threats.remote_file_inclusion
• api.threats.sql_injection
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
What changed: When you log in to the Cloud Security Console, this page is now displayed. After entering your email
address, the process continues on to the standard screen, enabling you to enter your password or to log in via SSO.
The Cape Town PoP is the newest addition to our world-wide network of 49 data centers, helping you deliver your
applications securely and optimally across the globe.
For the full list of PoPs, see Imperva Data Centers (PoPs).
Disabled: 1-step HTTPS setup in the Website Onboarding Wizard
Configure SSL for a new site, the 1-step SSL setup option, has been temporarily turned off. The feature will return
shortly with enhancements.
What changed: There are now two site onboarding options: Configure SSL for an active site and No Imperva
certificate.
For more details, see: Onboarding a Site – Web Protection and CDN.
For customers who were using the previous log integration, the new audit events also track migration of your account
to the new Near Real-Time SIEM mechanism.
• Connection created/updated/deleted
The Audit Trail displays a log of actions performed in your account by: account users, system processes, and Imperva
system administrators and support.
Where it’s located: In the Cloud Security Console, navigate to Account Management > Audit Trail.
• Audit Trail
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
The Rio de Janeiro PoP is the newest addition to our world-wide network of 48 data centers, helping you deliver your
applications securely and optimally across the globe.
For the full list of PoPs, see Imperva Data Centers (PoPs).
API Security: Filtering enhancements
The API Security Inventory page was enhanced with the following improvements:
My APIs tab > APIs Inventory widget: You can now filter the displayed data.
Discovered APIs tab > APIs Inventory widget. When you click an endpoint to drill down:
• You can now filter the request and response by Type and by Constraint.
• The Copy as JSON feature now takes into account the filters you have set.
Where it’s located: In the Cloud Security Console, navigate to Application > API Security > Inventory.
Website Performance Dashboard: Delivery Rules
Details of Delivery rules and statistics are now presented in the Website Performance Dashboard. This information
was not previously migrated to the new Website Performance Dashboard and had only been available on the old
Website Dashboard.
What's changed:
• Filter function was added to limit the Delivery Rules displayed (up to 5 selected websites).
• Sort functionality was added to view data by Rule Name, Action or Hits columns.
Where it’s located: On the Website Performance Dashboard, click Delivery Rules (next to Visits by country).
• Create Rules
Heads Up: Deprecation of WAF settings API and Terraform
As of August 1, 2022, following the migration of WAF settings for all customer accounts to the new WAF Rules policy,
the old WAF setting APIs and Terraform resources will be deprecated.
The WAF Rules policy type enables you to easily manage your mitigation settings for website WAF rules in a central
policy, while still benefiting from the default out-of-the-box policies. You can define a policy once, and apply it to
multiple websites in your account.
• /api/prov/v1/sites/configure/allowlists
• /api/prov/v1/sites/configure/whitelists
• /api/v1/sites/{SiteId}/settings/rules/
SQL_INJECTION/exception
API
• /api/v1/sites/{SiteId}/settings/rules/
CROSS_SITE_SCRIPTING/exception
• /api/v1/sites/{SiteId}/settings/rules/
ILLEGAL_RESOURCE_ACCESS/exception
• /api/v1/sites/{SiteId}/Settings/rules/
REMOTE_FILE_INCLUSION/exception
• api.threats.cross_site_scripting
Terraform
• api.threats.illegal_resource_access
• api.threats.remote_file_inclusion
• api.threats.sql_injection
You can now retrieve certificate details for your protected websites using the new SSL Certificates API. For details, see
SSL Certificates API Definition.
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
New rule filter parameters
The following rule filter parameters are now available:
• Response Content-Type: Checks for the value of the HTTP Content-Type header sent by the origin server in the
response. You can use this filter parameter in a Rewrite/Remove Response rule or a custom cache rule.
• Content Datacenter ID: Checks for the Imperva ID of the destination origin data center for the request.
This ID is relevant to your data centers that are defined to support only forward rules (data centers that you
have defined in Website Origin Server Settings with the Support only forward rules option enabled).
• Origin Destination IP: Checks for the IP address of the destination origin server for the request.
Where it’s located: On the Cloud Security Console Rules page (Application > Websites > <select a website> > Security
> Rules).
For more details on creating rules and configuring these parameter, see:
• Create Rules
• Cache Settings
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
What changed:
• UI: During site onboarding or certificate revalidation, a new drop-down menu for Record type offers both
CNAME and TXT options. Selecting the CNAME option generates a unique value that you copy into your DNS
records to complete domain validation of an active site. For more details, see Onboarding a Site – Web
Protection and CDN or Revalidate Your Imperva Certificate.
• API: The API has been updated to include the CNAME value, as follows: Add Site API (/api/prov/v1/sites/add) to
receive the CNAME/A records required for traffic configurations, then the Modify Site Configuration API (/api/
prov/v1/sites/configure) with the parameter domain_validation and value CNAME. In response, you will receive
the value for the CNAME record. For details, see the Site Management section of Cloud Application Security
v1/v3 API Definition.
Contingency DDoS Network Protection
We are introducing a new on-demand service that offers a limited number of network range diversions to redirect
your traffic to Imperva Network Protection when under attack.
Contingency DDoS Network Protection is intended as a backup service in the event of an outage in your primary
protection service.
In the Cloud Security Console, you can independently divert and revert your ranges as needed.
Where it’s located: When the service is enabled in your account, you can manage your ranges as follows:
1. Navigate to the Network Protection Security Dashboard (Network > Network Protection > Dashboard >
Security > Protected Networks tab).
2. The On-Demand Diverted Ranges widget displays the number of currently diverted ranges, and time
remaining until the range is automatically reverted (72 hours after divert, unless still under attack. In that case,
Imperva reverts the range once the attack ends).
3. Click Configure to select a range to divert or revert. You can also see the number of remaining diversions
available in your account.
For more details, see DDoS Protection for Networks as a Contingency Strategy.
• The API specification assessment tool - This tool scans through OpenAPI Specification files that you upload to
generate an assessment report, providing a risk assessment score about the API design against a set of security
best practices.
• The API security test tool - This tool creates a test bundle for you to download and run in your controlled
environment to discover any security vulnerabilities in your application. The test bundle contains a set of tests
simulating attack patterns against APIs in question.
Availability: This new feature is available with the Advanced license only.
By default, Imperva provides DoS mitigation for slow HTTP attacks based on a minimum request body timeout rate of
5000 bytes received every 30 seconds.
What changed: You can choose to override the default rates for any or all of the following HTTP methods: GET, POST,
PUT, RPC_IN_DATA, RPC_OUT_DATA.
1. Navigate to the website WAF Settings page (Application > Websites > Website Settings > WAF).
2. In the DDoS section, click Slow HTTP and configure the settings.
API: You can also customize the mitigation settings via the API, using the request_body_timeouts parameter, under
Site Management > Modify Site Configuration. For details, see Cloud Application Security API.
Availability: We are rolling out this feature over the next several weeks. It may not be immediately available in your
account.
You can now configure the log integration independently to export your Advanced Bot Protection dashboard data to
your SIEM without needing to contact Support. Previously, Support was required to enable the integration.
1. On the Cloud Security Console top menu bar, click Account > Account Management.
You can now start using the Near Real-Time SIEM solution with the S3 push method. Previously, the new mechanism
was available only to customers already using the old log integration with the S3 method.
1. On the Cloud Security Console top menu bar, click Account > Account Management.
Note that the integration is initially configured for the old log integration mechanism and is then migrated to the new
Near Real-Time SIEM mechanism within one week.
The integration continues to be available per request. To enable the feature for your account, contact Imperva
Support.
Waiting Rooms: Rollout Complete
Rollout of the Imperva Waiting Room service is now complete and available to all Cloud WAF (AppProtect) customers.
Availability: One waiting room is now included with your plan. Additional waiting room licenses are available as an
add-on to the Cloud WAF service.
Waiting Rooms let you control the traffic to your website when the origin server is unable to handle the load, while
providing a seamless experience to your customers.
The solution routes your website visitors to a virtual waiting room when their requests can't be handled immediately.
Visitors are placed in a virtual queue, creating a positive user experience and preventing loss of business.
Feature highlights:
• Set activation thresholds based on the incoming rate of traffic and/or total active users.
• Create custom rules to define with more granular control when to activate a waiting room.
• Customize the waiting room page that is displayed to your customers by adding your company logo, banner,
colors, images, videos, and so on. This enables you to keep your brand recognition, as well as engage visitors
with content that promotes your brand while they wait.
• The waiting room page reports the customer’s position in line, providing an indication of when their turn to
access your website will arrive. This information is regularly updated while they wait. At a later date, we will add
the estimated wait time to the page.
Events: New events were added to the Network Protection Dashboard, which displays a log of security events
detected by Imperva. For more details, see Security Dashboard: DDoS Protection for Networks and IPs.
• IP range diverted
• IP range reverted
SIEM events: New SIEM events were added to the ATTACK log type. For more details, see SIEM Log Integration: DDoS
Protection for Networks and IPs.
• IP range diverted
• IP range reverted
Notifications: New email notifications were added to the Network Security > Network Protection Notifications
category. Emails are sent when an IP range is diverted and reverted. For more details, see Notification Settings.
Website Real-Time Dashboard: Visitor samples
Details of security rules that were triggered by a request are now presented in the visitor samples, which enable to
you view a sampling of real-time requests.
This information was not previously migrated to the new Real-Time Dashboard and was still available only on the old
Website Dashboard.
In addition, you can now search the visitor samples according to client name or IP address.
Where it’s located: On the Real-Time Dashboard, click Show visitor samples.
• In a session section, click More details. If any security rules were triggered by requests in the session, they are
listed here.
• Rules
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
What changed: A new SSL certificate options page now provides three site onboarding options (Configure SSL for an
active site, Configure SSL for a new site, No Imperva certificate).
• Configure SSL for a new site option lets you onboard a new HTTPS site in 1-step and skip validation of domain
ownership via txt or email. After you change the DNS record and point traffic to Imperva, we validate the domain
by HTML since the site’s traffic is now managed by Imperva.
• No Imperva certificate option replaces the "I don't want SSL" link and lets you skip creation of the Imperva
certificate when you only want to upload a custom certificate.
• Configure SSL for an active site option includes the Wildcard SAN and Naked SAN options that previously
appeared on the scanning results page.
• The Configure later button lets you skip all SSL setup options and displays the View all websites page with the
new site already added to the table.
The API has been updated to trigger the new 1-step SSL configuration when adding a new site and configuring traffic
to reach Imperva.
• Previously, you needed to run two APIs, as follows: Add Site API (/api/prov/v1/sites/add) to receive the
CNAME/A records required for traffic configurations, then the Modify Site Configuration API (/api/prov/v1/
sites/configure) with the parameter domain_validation and value (DNS/HTML/EMAIL), add the txt record and
configure the traffic.
• Today, you run the first API, configure traffic, then run the second API to automatically add SSL support for the
new site using the HTML method validation, as follows:
parameter = domain_validation, value = html
For more details, see Configure SSL for a new site, under Onboarding a Site – Web Protection and CDN.
For more details on APIs, see Cloud Application Security v1/v3 API Definition.
• Instant blocking: Instantly block unwanted assets even while working in Monitor mode.
When enabling Instant Block on your website, you first turn it on only for a specified IP address. This enables you to
test your settings on a limited basis before enabling the feature for your entire application.
Where it’s located: On the Client-Side Protection dashboard, click Settings to enable Instant Block.
What changed: You can now turn on Enforce mode for one or more specific IP addresses and for a specific path on
your website. Services that are set to be blocked will be blocked for the specified IPs and path only.
Where it’s located: On the Client-Side Protection dashboard, click Simulate Enforce and fill in the details.
In this release:
• The ability to upload, replace, and delete custom certificates has been removed from the Modify Site Settings
permission.
• All existing users who were previously assigned the Modify Site Settings permission have been automatically
assigned the new Manage custom certificates permission as well.
For new roles created in your account, use only the new Manage custom certificates permission to manage custom
certificates.
API Security: Discovered APIs dashboard enhancement
The Discovered APIs dashboard was enhanced and now in the API Hosts, API Resources and API Endpoints widgets,
you can click on the Expand button to open a popup page. This page shows all items for that widget for your account,
not only the top ones as indicated in the widget. You can also filter the results on the page to show only the new ones
by selecting the checkbox.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
The page includes a link to the new website security dashboard, introduced in 2021.
For details on the new security dashboard, see Website Security Dashboard.
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
Defining a very low threshold can be useful for testing purposes. However, the recommended minimum value for
production purposes remains 200.
Note that when a threshold value of 1-199 is defined, the New incoming users per minute option is not available.
Resolution: The issue is fixed. Relevant custom rules now work as intended.
This change is scheduled to take place starting June 19, 2022, and will be gradually rolled out to all accounts over the
following 2 weeks.
API Schema Protection based on uploaded API specifications will continue to work. The old API Discovery and
Automatic Integration functions will be deprecated during the same rollout period. Customers interested in API
Discovery and Automatic Integration are welcome to consider the Cloud WAF API Security Add-on. Contact your
Imperva Sales Representative if you have any questions.
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
Advanced Bot Protection Updates
New Executive Report Dashboard
A new report dashboard is available that provides key data for executives including: traffic types; mitigation by site;
CAPTCHA effectiveness by site; triggered conditions; traffic listing. You can schedule storage and/or sending an
automatic email.
Where it's located: You access the dashboard from the Dashboard entry in the navigation pane. Click Reporting Data
Region and from the drop down list on the right, select Executive Report.
For more information, see Understanding the Other (non-Traffic Overview) Displays.
When you make changes in your Advanced Bot Protection configuration, these changes do not take immediate effect.
Using a special link available in most main displays you can review all the pending changes you have made before you
publish, and you publish them all with a single click.
New enhancement of user verification that leverages Biometrics Collection added to the Mobile SDK and web
JavaScript. This feature leverages the user’s movement and other attributes, as a way to verify their identity. Since
each individual has their own unique features, this method of authentication adds an additional, highly advanced
layer to Imperva’s detection model.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
Where it’s located: On the Cloud Security Console Security Events page (Application > Security Events), under
Request Details, click Add exception to policy.
You then have the option to open and edit the policy, or add the exception to the policy in 1-click.
The exception is added only for the specific website in which the rule was triggered.
Within the policy, the exception is labeled Added through the Security Events page.
This permission is granted to the Account Admin user by default. The Account Admin or any user with Manage users/
Manage user roles permissions can assign this permission to other account users as needed.
Note:
• Previously, the Modify site settings permission granted users the ability to manage custom certificates. Users
who currently have the Modify site settings permission can continue to manage custom certificates. At a later
date, Imperva will automatically migrate permissions for these users to the new Manage custom certificates
permission. Updates will follow in future release notes.
• For new roles created in your account, use only the new Manage custom certificates permission to assign this
ability.
For more details on configuring custom certificates for your websites, see:
For origin servers that are configured according to a CNAME, the new status is displayed when one or more of the
servers using this CNAME are down.
Where it's located: On the Website Performance Dashboard (Application > WAF > Dashboards > Performance) under
Status (Origin DC).
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
The Attack Report helps you discover the value of your security solution by providing an overview of attacks on your
websites and web applications, including attack distribution by type, severity, time, source country, source client, and
website. The report covers an extended list of attack types, helping you understand trends based on real attack data.
Data in the report represents activity in the websites in your account and its subaccounts that were most targeted
over the past year.
Availability: We are gradually rolling out the new report to customers over the next several months. It may not yet be
available in your account.
Subscribe: Configure notification recipients to receive a monthly email with the report attached, in PDF format. The
report is available to anyone via email.
• By default, the account admin user and any recipient listed in the Notification Settings Default Executive
Attack Report Notifications policy automatically receive the report.
• You can add additional recipients to the default policy, or configure a new notification policy in Notification
Settings: Account and Website > Executive Attack Report Notifications.
• Attack Report
• Notification Settings
New rule filter parameter: IP Reputation Risk Level
The new IP Reputation Risk Level rule filter parameter was added for configuring custom rules. This parameter
enables you to define an action for Imperva to take based on the Imperva Reputation Intelligence assessment of risk
posed by the source IP address.
The risk assessment is based on activity of an IP across the Imperva customer base over the previous 2 weeks (clean
and malicious traffic). Risk is continually evaluated so the risk level for a given IP can change on a daily basis.
Where it’s located: On the Cloud Security Console Rules page (Application > Websites > <select a website> > Security
> Rules.
For more details on creating rules and configuring this parameter, see:
• Create Rules
The response includes details for each user, including Imperva user ID, first and last name, email address, and the
roles to which the user is assigned.
What changed: The domain's Whois record is no longer used for SSL email validation. Imperva previously pulled
additional emails from the record and automatically added them to the domain's default emails used to authenticate
website ownership.
You can now retrieve certificate details for your protected websites using the new SSL Certificates API. For details, see
SSL Certificates API Definition.
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
Where it’s located: On the API Security > Settings tab, under Automatic Integration, select a checkbox next to the
website you want to enable automatic integration for.
When automatic integration is enabled, the discovered endpoints are added to the APIs Inventory table in the My APIs
tab under API Security > Inventory. This ensures that the violations are alerted immediately.
Note: If you enabled the automatic integration feature via the API Schema Protection UI, you have to enable the
feature again as this is now a feature of the Advanced API security Add-on.
Reputation Intelligence leverages reputation data from across the Imperva customer base and 3rd party providers to
help in incident response.
What changed: The source IP was previously presented as a static number only.
Where it’s located: In the Cloud Security Console Security Events page. (Application > Security Events)
The Source IP of each session links to Reputation Intelligence data on the specific IP address.
• Reputation Intelligence
Heads Up: End of support for SSLv3 and RC4 cipher
As of July 1, 2022, Imperva will no longer support the SSLv3 security protocol and the RC4 cipher.
For the list of supported TLS versions, see Web Protection - SSL/TLS.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
The solution routes your website visitors to a virtual waiting room when their requests can't be handled immediately.
Visitors are placed in a virtual queue, creating a positive user experience and preventing loss of business.
Feature highlights:
• Set activation thresholds based on the incoming rate of traffic and/or total active users.
• Create custom rules to define with more granular control when to activate a waiting room.
• Customize the waiting room page that is displayed to your customers by adding your company logo, banner,
colors, images, videos, and so on. This enables you to keep your brand recognition, as well as engage visitors
with content that promotes your brand while they wait.
• The waiting room page reports the customer’s position in line, providing an indication of when their turn to
access your website will arrive. This information is regularly updated while they wait. At a later date, we will add
the estimated wait time to the page.
Availability:
• As of this release we are starting a gradual rollout of the new add-on to our customers. In the first stage, the
service is enabled upon request.
• Waiting Rooms are available as an add-on to the Cloud WAF service. Once enabled, you can configure 1 waiting
room in your account. Licenses for additional waiting rooms are available for purchase.
Traditional solutions detect and reconcile fraud after it has taken place. Imperva’s OFP solutions can make the
difference between fixing the damage after the fact, or stopping fraud before it occurs.
Imperva OFP consist of 3 products: Advanced Bot Protection, Account Takeover Protection, and Client-Side Protection.
In this release, we introduce the following enhancements to those products to support OFP.
Note: The OFP products are available as individual add-ons or as part of the App Protect Enterprise bundle. Contact
your Imperva Sales Representative for details.
ABP now presents a list of the endpoints in your websites that have API calls in them, enabling you to configure
appropriate per-Path Policies for them.
For more information, see Configuring per-Path Policies for Endpoints with API Calls.
There are two new Conditions that are active in the allow Directive of the Default Policy:
• Financial Data Aggregators: Identifies requests that come from one of the data aggregator IP ranges attributed
to ASNs owned by financial/fintech organizations.
• Monitoring Tools: Identifies requests that come from a known monitoring tool, either: Host Tracker, New Relic,
Pingdom, or Uptime Robot.
A new report is available that enables you to better understand your Captcha mitigation, showing how many bots vs
humans are being served Captchas, and how many are solving or failing them.
Gain visibility into user credentials logging in to your website that have been used by known attackers and are likely
publicly leaked.
Imperva Research Labs analyze Account Takeover Protection data on credential stuffing attacks across our customer
base to determine which other credentials may be connected to an identified attacker, and therefore likely to also be
at risk.
View login requests that were classified as coming from known aggregators. Use the data for your own security
investigation.
Aggregators can generate many logins from the same IP address, which can be perceived as an attack. Account
Takeover Protection identifies aggregators, distinguishing them from attackers, and thereby reduces false positives.
Behaviors that deviate from what is considered standard and reasonable login activity can be an indication of fraud.
Account Takeover Protection tracks login patterns to detect anomalies, and presents you with that information.
Client-Side Protection
Terraform support
Use Terraform to onboard and configure Client-Side Protection. Programmatically configure Client-Side Protection
instead of using the Cloud Security Console.
This can be useful when creating users that only require access to the API, such as for automation processes.
What changed: The Set as API-only user option was added to User Settings. The account admin or anyone with the
Manage users permission can set this option.
Note:
• When this option is enabled for a user, the label API Only is displayed next to the user name.
• To remove the API-only limitation, click the Remove API-only restriction option under Actions.
• You cannot set this option for an external user in your account (a user that was created in a different account
and then added to your account). Example: A user is created in Account A, and then added to Account B. You can
set the user as API-only in Account A, but not in Account B.
• The API-only access is managed for the user at the parent account level. Therefore, the user cannot access any
other accounts or their subaccounts via login to the Cloud Security Console.
HTTP Strict transport security (HSTS) ensures that any attempt by visitors to use the unsecure version (http://) of a
page will be forwarded automatically to the secure version (https://). HSTS support is available only for sites that have
SSL support. For more details on HSTS support, see Web Protection - General Settings.
• GET /api/prov/v3/sites/{extSiteId}/settings/TLSConfiguration
• POST /api/prov/v3/sites/{extSiteId}/settings/TLSConfiguration
For details on using the new APIs, see Cloud Application Security API Definition under Site Management.
Bot Access Control Configuration API
Retrieve and update the bot configuration for your websites using the Imperva API. The new endpoints correspond to
the settings configured on the Web Protection - Security Settings page in the Cloud Security Console.
The Bot Access Control configuration reflects the manual changes performed by a user in your account. It includes:
• Canceled good bots: Bots that are removed from the default “Good bots list”. These bots can no longer access
your website by default and must pass additional challenges.
• Bad bots: Bots that are added to the default list of blocked bots.
For details on using the new APIs, see Cloud Application Security API Definition under Site Management.
DDoS Protection for Networks: Change of automatic revert duration for
On-Demand customers
If you are using Imperva’s Network Protection service in on–demand mode, and if your traffic diversion is controlled
by Imperva when under attack (automatically or after your confirmation), your traffic is reverted back to you
automatically after 12 hours with no malicious activity.
What changed: We are extending this period to 48 hours. This extended period enables you to coordinate the revert
time with your off hours or with another convenient time prior to the automatic 48 hour operation.
If you would like the traffic reverted back to you earlier than 48 hours, contact Imperva Support to submit your
request.
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
For details on troubleshooting in the Cloud Security Console, see Troubleshoot Website Errors.
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
It is possible that a browser requesting resources from multiple sites or apps, all of which use a common root domain
and resolve to the same Imperva IP, will automatically use the same connection during the session. Depending on the
client, if any connection is opened to a website with HTTP/2 support enabled in the Cloud Security Console delivery
settings, all additional requests sent to sub-domains or the naked domain will continue to use HTTP/2, even if their
HTTP/2 setting is disabled.
Using HTTP/2 in most cases, even when disabled for the specific site, is not problematic. If, however, your website is
experiencing any issues, please contact Imperva Support for assistance.
Example:
You have 2 sites configured in the Cloud Security Console. Both sites point to the same IP address. The Enable
HTTP/2 setting is turned on for www.example.com. The setting is turned off for api.example.com. When the browser
opens an HTTP/2 connection to www.example.com, it will use the same HTTP/2 connection that was already
established to send a request to api.example.com.
Change in existing custom rules
Over the next several weeks, custom rules that include only the IP List filter parameter configured to detect
anonymous proxy IP addresses or a Tor exit node will be converted to the Malicious IP List filter parameter. No impact
to current rule behavior is expected.
Note:
• Rules in which the IP List parameter is present but set to other values will not be changed.
• To avoid the risk of impacting current rule functionality, we will not convert a custom rule that includes other
parameters in addition to the IP List parameter.
Why the change? The IP List parameter is configurable only by Support. One of the reasons it is used is to define an
action for Imperva to take if the source IP of the request is identified as an anonymous proxy IP or Tor exit node.
After Support added the custom rule (per customer request), you could view it in the UI, but not edit it.
With the recent introduction of the Malicious IP List parameter which serves the same function, we will convert your
existing rule so that you can configure and edit it yourself.
Before After
IPList == 1;16 (for Tor IPs) MaliciousIPList == TorIPs
IPList == 1;3;14;16 (for anonymous proxy IPs) MaliciousIPList == AnonymousProxyIPs
For example:
Before:
After:
• Manage Rules
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
What’s changed: The SSL Certificates page was added, displaying certificate and status details for all websites in the
account. In addition, details of any domain requiring ownership validation are listed, including instructions for
completing the validation.
Availability: In this release, we start rolling out the new page. It may not yet be available in your account. We expect
to complete rollout to all accounts by the end of May.
Where it’s located: In the Cloud Security Console, navigate to Application > WAF > SSL Certificates.
You can also access the certificate and status details using the API. For details, see SSL Certificates API Definition.
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
Policy Management enables you to define a set of policies to apply to multiple sites instead of replicating the same
policy over and over.
The new WAF Rules policy type lets you to easily manage your mitigation settings for website WAF rules in a central
policy, while still benefiting from the default out-of-the-box policies.
No downtime is expected during migration, and no action is required on your part. Imperva runs an automated
migration process that moves all of your existing WAF settings into the new WAF Rules policies.
What’s changing: The following WAF settings are currently available on the Website WAF Settings page under each
website’s configuration. After migration, they are managed using the WAF Rules policy via the UI and API.
• SQL Injection
The Backdoor Protection rule continues to be defined at the website level on the WAF Settings page and will be
migrated at a later date.
Where it’s located: Policies are managed on the Cloud Security Console’s Policies page.
API: Once your account is migrated, you can no longer use the following APIs to configure WAF settings and
exceptions:
• /api/prov/v1/sites/configure/allowlists
• /api/prov/v1/sites/configure/whitelists
• /api/v1/sites/{SiteId}/settings/rules/SQL_INJECTION/exception
• /api/v1/sites/{SiteId}/settings/rules/CROSS_SITE_SCRIPTING/exception
• /api/v1/sites/{SiteId}/settings/rules/ILLEGAL_RESOURCE_ACCESS/exception
• /api/v1/sites/{SiteId}/Settings/rules/REMOTE_FILE_INCLUSION/exception
Instead, use the Policies API to configure WAF Rules. For details, see Policy Management API Definition.
Note: Once the migration process is complete for all customers, the old (existing) WAF settings will be removed from
the application, and the APIs listed above will be decommissioned.
If your SIEM storage repository becomes unavailable, Imperva will be unable to upload the log files.
When this happens, you will be notified by email, according to your notification settings. (Make sure that SIEM storage
notifications are configured for your account. For details, see Notification Settings.)
For more details on SIEM storage unavailability, see Configure the SIEM Log Integration.
The Near Real-Time SIEM log integration now supports connections to multiple cloud storage repositories.
What changed: Previously, when configuring the log integration to send security logs to your cloud storage
repository, you could create only a single connection. Now you can create multiple connections, enabling you to send
logs for different Imperva services to different storage locations.
Availability: The Log Configuration page is currently available to customers who are using the Near Real-Time SIEM
log integration for the DDoS Protection for Networks and IPs service, or for Advanced Bot Protection.
1. On the Cloud Security Console top menu bar, click Account > Account Management.
Where it’s located: On the Home page, displayed when you log in to the Cloud Security Console, view ACL Policies in
the Security events graph.
• Homepage Dashboard
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
Problem: The BGP Monitoring status was not previously included in the Connection added or Connection changed
audit events.
Resolution: The issue is fixed. BGP Peer Monitoring status is now included in the relevant audit events.
Heads up: Deprecation of WAF settings API
As of August 1, 2022, following the migration of WAF settings for all customer accounts to the new WAF Rules policy,
the old WAF setting APIs will be deprecated.
The WAF Rules policy type enables you to easily manage your mitigation settings for website WAF rules in a central
policy, while still benefiting from the default out-of-the-box policies. You can define a policy once, and apply it to
multiple websites in your account.
What changed: Once your account is migrated, you can no longer use the following APIs to configure WAF settings
and exceptions:
• /api/prov/v1/sites/configure/allowlists
• /api/prov/v1/sites/configure/whitelists
• /api/v1/sites/{SiteId}/settings/rules/SQL_INJECTION/exception
• /api/v1/sites/{SiteId}/settings/rules/CROSS_SITE_SCRIPTING/exception
• /api/v1/sites/{SiteId}/settings/rules/ILLEGAL_RESOURCE_ACCESS/exception
• /api/v1/sites/{SiteId}/Settings/rules/REMOTE_FILE_INCLUSION/exception
In addition, details of the WAF settings and exceptions will be removed from the following Site Management APIs:
• All other Site Management APIs that return details of the site’s WAF settings configuration
Instead, use the Policies API to configure WAF Rules. For details, see Policy Management API Definition.
For more details on the migration of WAF settings to the WAF Rules policy see the February 20, 2022 release notes.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
As of this release, rollout of self-adaptive policies for both detection and security is now complete for all DDoS
Protection for Networks customers.
These policies are automatically generated and updated based on our machine-learning algorithm that continuously
analyzes the assets’ (networks, IPs) traffic rates and patterns.
The automated policies can adapt more quickly and accurately than policies relying on manual configuration, as the
policy is continuously aligned with the current traffic behavior.
New API for uploading custom certificates
Imperva’s v2 API now supports the upload of custom certificates for your protected websites. Imperva’s v2 API better
aligns with REST API standards and best practices.
For details on the new endpoints for custom certificates, see Cloud WAF v2 API Definition.
The custom certificate endpoints support upload of RSA certificates, as well as ECC certificates, a recently added
capability. For more details, see ECC Certificate Support.
Old email notification list removal
The E-mail for notifications option on the Account Settings page is no longer displayed in accounts in which the new
Notification Settings feature is enabled. This option was previously used for defining notification recipients.
For reseller accounts, the email option is located in the Account Settings > Preferences page:
The new Notification Settings feature introduced earlier this year provides you with more granular control over
which notifications you receive, and the list of recipients who receive them. The new page is currently being rolled out
and may not yet be available in your account.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
You can upload your own ECC certificate to Imperva so it can be presented to your website visitors.
Benefits:
• ECC certificates have a smaller key size than RSA certificates, so less data is passed to the client during the TLS
handshake. This results in faster page load times, as well as offering better support for mobile devices.
• ECC certificates provide a security level comparable to or surpassing that of an RSA 2048 certificate.
By default, Imperva supports the prime256v1 (secp256r1) Elliptic Curve Digital Signature Algorithm (ECDSA) only.
1. In the Cloud Security Console, navigate to Application > Websites > <your site> > Website Settings > General.
2. Under SSL Support > ECC Custom Certificate, click Configure and follow the onscreen instructions.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
For reseller accounts, the email option is located in the Account Settings > Preferences page:
The new Notification Settings feature introduced earlier this year provides you with more granular control over
which notifications you receive, and the list of recipients who receive them. The new page is currently being rolled out
and may not yet be available in your account.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
• API Security
• Notification Settings update
• DDoS Protection for Networks/IPs: Account Asset API
• Recently mitigated CVEs
API Security
API Security is now available under the account-level on the Cloud Security Console as an add-on to the CloudWAF.
The API Security feature under the website-level has been renamed API Schema Protection and still exists as a built-
in feature of the CloudWAF. It will continue to be supported for customers who want to validate API calls using their
own well defined API Specifications. In addition, CloudWAF will continue to support automatic generation of API
endpoints as a baseline.
The API Security add-on is purpose-built to address application specific threats against custom APIs. It is not
uncommon for APIs in production to deviate from API specifications due to the lack of API documentation or frequent
changes. There are also categories of data exfiltration attacks leveraging schema conforming API calls that cannot be
detected by API Schema Protection. The key first step to protect applications against these new categories of threats is
to discover the APIs, to discover their structure in order to differentiate from API endpoint detection, and to identify
sensitive information that is being transferred using the APIs.
The initial release of the API Security add-on provides a comprehensive, data driven API Discovery, which enables you
to:
• Understand your API exposure surface with complete and up to date inventory of your APIs and their
configuration.
• Protect your APIs with a positive security model even if you don’t have an OAS file. With an ongoing learning
mechanism, API Discovery constantly learns the structure of the APIs whenever they are updated.
• Gain tighter protection of your APIs on top of the existing OAS files provided by the development teams.
• Decide on the appropriate security level for each API endpoint according to the sensitivity of the data returned
by it.
• Use analytics and display Data Classification so that you can know which API endpoint transfers PII and other
sensitive information.
Additional capabilities
• Integrates with API management platforms through designated APIs and open source tools, making security an
integral part of API lifecycle management.
• Automatically disables Captcha cookie challenges and JavaScript challenges on API traffic.
• Leverages the SaaS infrastructure and the CDN, WAF, BOT and DDoS capabilities of the Imperva Application
Security suite, and uses the same management portal.
• Next phase of migration: We are starting to rollout the new Notification Settings to partners and reseller
accounts, as well as their customer accounts. The new settings replace the former email notification options in
Account Settings. The migration of all accounts is expected to be completed within several weeks.
• Get notified about activity in your subaccounts: For accounts with subaccounts, you can now also create
policies to receive notifications about activity in your subaccounts. The new functionality is available via the UI
and the API in accounts that have been moved over to the new Notification Settings mechanism.
For reseller accounts, your existing Account E-mail Settings that determine if you receive notifications on
activity in your subaccounts will be automatically moved over to the Notification Settings page. They will be
listed as Subaccount Default Notifications.
Where it’s located: On the Notification Settings page, you can view default notification settings and create new
notification policies. In the Cloud Security Console, navigate to Account > Account Management > Notification
Settings.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Heads Up: WAF settings migration to Policy Management
Website WAF rule settings are moving to our Policy Management feature.
Policy Management enables you to define a set of policies to apply to multiple sites instead of replicating the same
policy over and over.
The new WAF Rules policy type enables you to easily manage your mitigation settings for website WAF rules in a
central policy, while still benefiting from the default out-of-the-box policies.
Migration to policies: Starting in March 2022, WAF settings for customer accounts will be migrated to the new WAF
Rules policy over the course of several months. (Migration of a WAF settings for a single account is completed in just a
few minutes.)
No downtime is expected during migration, and no action is required on your part. Imperva runs an automated
migration process that moves of all your existing WAF settings into the new WAF Rules policies.
What’s changing: The following WAF settings are currently available on the Website WAF Settings page under each
website’s configuration. After migration, they will be managed using the WAF Rules policy via the UI and API.
• SQL Injection
The Backdoor Protection rule continues to be defined at the website level on the WAF Settings page and will be
migrated at a later date.
Where it’s located: Policies are managed on the Cloud Security Console’s Policies page.
Note: Once the migration process is complete for all customers, the old (existing) WAF settings will be removed from
the application.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
SIEM log change for user agent
SIEM logs now report the value of the user agent field for each request instead of according to the session as a whole.
Previously, the user agent reported for each request on a session was based on the first request in the session.
For more details on SIEM log files for the Imperva Cloud WAF log integration, see Log File Structure.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
New Imperva Data Center in Bogota, Columbia
We are starting to roll out a new data center (PoP) in Bogota, Columbia and expect it to be fully functional within the
next few weeks.
The Bogota PoP is the newest addition to our world-wide network of 47 data centers, helping you deliver your
applications securely and optimally across the globe.
For the full list of PoPs, see Imperva Data Centers (PoPs).
Website dashboard enhancements
Real-Time Dashboard: The following sections were added:
• Imperva data centers: Real-time data according to the Imperva data centers handling the requests.
• Origin servers: Real-time data on your origin servers. Select multiple servers to view and compare
simultaneously.
• New options for expanding each graph for an enlarged view or saving the graph as an image file
• The DC status and Origin status columns were temporarily removed from the All websites table while we
reevaluate these statistics
Where it’s located: In the Cloud Security Console, navigate to Application > WAF > Dashboards.
What changed: Previously, when a subaccount user logs in to the Cloud Security Console, they can view assets in the
parent account by entering the Application, Network, or Data areas. These menu items are no longer visible until the
user enters a subaccount in which they have an assigned role.
To allow a subaccount user to access the parent account, the user must be assigned an appropriate role in the parent
account. This can be done by the account admin, or by any user who has the Manage users and Manage user roles
permissions in the parent account. For more details, see Manage Roles and Permissions.
Certificate renewal process change
There has been a minor change in the certificate renewal process.
If an Imperva-generated certificate for your website includes unverified SANS, they will be removed from the new
certificate and the old certificate will be replaced 72 hours before the actual expiry date. Previously, the change was
made 24 hours before the expiry date.
If you did not verify all SANs and they were removed from the new certificate, this time extension allows Imperva to
republish the previous certificate that has not yet expired. This provides you with a last opportunity to verify all
required SANs before the actual expiration date and maintain your SSL support.
Typically, when your site's Imperva-generated certificate needs to be renewed, the process is completed
automatically by Imperva. In some instances, you will receive an email notification from Imperva requiring you to
revalidate ownership of your domain.
It is critical to review the required action and deadline as specified in the email, and take prompt action. If your
websites are not revalidated before the deadline, SSL support will be removed and the sites will be unreachable over
SSL.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
Heads Up: SIEM log change for user agent
The following change is scheduled to roll out during the week of February 20th, 2022.
SIEM logs will now report the value of the user agent field for each request instead of according to the session as a
whole.
Previously, the user agent reported for each request on a session was based on the first request in the session.
For more details on SIEM log files for the Imperva Cloud WAF log integration, see Log File Structure.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Near Real-Time SIEM log configuration updates
A new page was added to the Cloud Security Console for configuring the new Near Real-Time SIEM log integration for
your account.
Availability: The Log Configuration page is now available to customers who are using the Near Real-Time SIEM log
integration for the DDoS Protection for Networks and IPs service, or for Advanced Bot Protection. You can now
view and modify the log configuration for your account.
DDoS Protection for Networks and IPs and Advanced Bot Protection customers: Interested in the new Near Real-
Time SIEM log integration? The integration is currently offered as an Early Availability feature. To enable the feature
for your account during this period, contact Imperva Support.
• Customers who are using the legacy SIEM log integration with the S3 push method can contact Imperva Support
to request migration to the new mechanism.
• In early 2022, we will migrate all customer accounts that are currently using the Imperva SIEM log integration
with the S3 push method to the new Near Real-Time SIEM mechanism.
• At a later stage, the new mechanism will be available to new and existing customers who start using the SIEM
log integration with the S3 push method.
This is especially useful when the existing certificate was generated using a CSR and you want to use it for multiple
websites in your account.
Note: This applies to websites directly under the same parent account, or websites in the same subaccount.
1. Navigate to Application > Websites > <your site> > Website Settings > General.
3. Follow the onscreen instructions to upload your certificate without uploading the private key.
For more details, see Upload a Custom Certificate for Your Website on Imperva.
You can also configure the certificate to be used for multiple websites in your account using the /api/prov/v1/sites/
customCertificate/csr API. The domain parameter enables you to define the common name, which can be a wildcard
domain to cover multiple domains. For more details, see Create New CSR in the Site Management section of Cloud
Application Security v1/v3 API Definition.
Audit events added for Imperva support actions
The Imperva team has the ability to assume the identity of a specific end-user in a customer account for investigation
and troubleshooting purposes.
This enables Imperva Support, for example, to view the account from the customer perspective, or to perform pre-
approved actions on the customer’s behalf.
What changed: When an Imperva employee assumes the identity of a user in your account, the following events are
logged in the Audit Trail:
These audit trail entries indicate the account user whose identity was temporarily taken on. For example: “Imperva
Support logged in as account user user@demo.com”.
In addition, all actions performed by Imperva Support while logged in as a user of your account are also recorded in
the Audit Trail. For example: “API key created. Performed by Imperva Support logged in as user@demo.com”.
Where it’s located: In the Cloud Security Console’s Audit Trail page.
For more details on Audit Trail, see the Audit Trail Documentation.
Website settings display active custom error page
Custom error pages can be defined at the website level by account users, or at the account level, by submitting a
request to Imperva Support.
If a custom error page is defined at the account level it is used for all websites in the account that have not defined
their own custom error page.
What changed: When viewing the custom error pages for a website, the UI displayed only the website level
configuration. Now, if there is a custom page defined only at the account level, it is displayed in the website settings,
so you can see the error page that is currently active for the website.
This is based on the logic of how custom error pages are applied. If a “more specific” custom error page is defined, it
overrides more general pages.
For example, if there is a custom error page defined for an Access denied error at the website level, it overrides a
custom error page defined for an Access denied error at the account level, and is presented in the event of an error of
that type. For more details, see Custom Error Pages.
Where it’s located: In the Cloud Security Console, open the Delivery Settings page under Application > Websites >
<your site> > CDN > Delivery and scroll to the Custom Error Page section.
For enhanced security, a subaccount user who is not assigned a role in the parent account will no longer be able to
view assets in the parent account.
What’s changing: Currently, when the user logs in to the Cloud Security Console, they can view assets in the parent
account by entering the Application, Edge, or Data areas. These menu items will no longer be visible until the user
enters a subaccount in which they have an assigned role.
To allow a subaccount user to access the parent account, the user must be assigned an appropriate role in the parent
account. This can be done by the account admin, or by any user who has the Manage users and Manage user roles
permissions in the parent account. For more details, see Manage Roles and Permissions.
Heads Up: Certificate renewal process change
As of February 2022, there will be a minor change in the certificate renewal process.
If an Imperva-generated certificate for your website includes unverified SANS, they will be removed from the new
certificate and the old certificate will be replaced 72 hours before the actual expiry date. Previously, the change was
made 24 hours before the expiry date.
If you did not verify all SANs and they were removed from the new certificate, this time extension allows Imperva to
republish the previous certificate that has not yet expired. This provides you with a last opportunity to verify all
required SANs before the actual expiration date and maintain your SSL support.
Typically, when your site's Imperva-generated certificate needs to be renewed, the process is completed
automatically by Imperva. In some instances, you will receive an email notification from Imperva requiring you to
revalidate ownership of your domain.
It is critical to review the required action and deadline as specified in the email, and take prompt action. If your
websites are not revalidated before the deadline, SSL support will be removed and the sites will be unreachable over
SSL.
Heads Up: End of support for SSLv3 and RC4 cipher
As of July 1, 2022 Imperva will no longer support the SSLv3 security protocol and the RC4 cipher.
For the list of supported TLS versions, see Web Protection - SSL/TLS.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
Custom error pages not displayed
Problem: Custom website error pages are not displaying in some cases.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
WAF Policies: Upload IPs in bulk from a CSV file
When configuring IP addresses, ranges, or subnets in a WAF policy, you can now add a list of IPs in bulk by uploading a
file in .csv format.
Where it’s located: Bulk upload is available everywhere in the Policies page where IPs are entered.
For enhanced security, a subaccount user who is not assigned a role in the parent account will no longer be able to
view assets in the parent account.
What’s changing: Currently, when the user logs in to the Cloud Security Console, they can view assets in the parent
account by entering the Application, Edge, or Data areas. These menu items will no longer be visible until the user
enters a subaccount in which they have an assigned role.
To allow a subaccount user to access the parent account, the user must be assigned an appropriate role in the parent
account. This can be done by the account admin, or by any user who has the Manage users and Manage user roles
permissions in the parent account. For more details, see Manage Roles and Permissions.
Heads Up: Certificate renewal process change
As of February 2022, there will be a minor change in the certificate renewal process.
If an Imperva-generated certificate for your website includes unverified SANS, they will be removed from the new
certificate and the old certificate will be replaced 72 hours before the actual expiry date. Previously, the change was
made 24 hours before the expiry date.
If you did not verify all SANs and they were removed from the new certificate, this time extension allows Imperva to
republish the previous certificate that has not yet expired. This provides you with a last opportunity to verify all
required SANs before the actual expiration date and maintain your SSL support.
Typically, when your site's Imperva-generated certificate needs to be renewed, the process is completed
automatically by Imperva. In some instances, you will receive an email notification from Imperva requiring you to
revalidate ownership of your domain.
It is critical to review the required action and deadline as specified in the email, and take prompt action. If your
websites are not revalidated before the deadline, SSL support will be removed and the sites will be unreachable over
SSL.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
Custom error pages not displayed
Problem: Custom website error pages are not displaying in some cases.
Solution: This issue is expected to be resolved shortly. An update will follow in future release notes.
For more details on custom error pages, see Custom Error Pages.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Client-Side Protection: API update
For enhanced security, the following API endpoints were updated so that sensitive information is sent only in the
POST body, instead of in the URL as query parameters.
Before After
PUT /v1/sites/{siteId}/settings/emails/{email} POST /v1/sites/{siteId}/settings/emails/add
DELETE /v1/sites/{siteId}/settings/emails/{email} POST /v1/sites/{siteId}/settings/emails/delete
These endpoints enable you to manage the list of users who receive email notifications for your protected websites.
If an Imperva-generated certificate for your website includes unverified SANS, they will be removed from the new
certificate and the old certificate will be replaced 72 hours before the actual expiry date. Previously, the change was
made 24 hours before the expiry date.
If you did not verify all SANs and they were removed from the new certificate, this time extension allows Imperva to
republish the previous certificate that has not yet expired. This provides you with a last opportunity to verify all
required SANs before the actual expiration date and maintain your SSL support.
Typically, when your site's Imperva-generated certificate needs to be renewed, the process is completed
automatically by Imperva. In some instances, you will receive an email notification from Imperva requiring you to
revalidate ownership of your domain.
It is critical to review the required action and deadline as specified in the email, and take prompt action. If your
websites are not revalidated before the deadline, SSL support will be removed and the sites will be unreachable over
SSL.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
Attack Analytics: “Exposed origin server” insight fixed
An issue with the Attack Analytics "exposed origin server" insight was detected, and the insight was temporarily
disabled during our investigation.
The issue is now fixed and the insight has been re-enabled.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
New rule filter parameter: Malicious IP List
The new Malicious IP List rule filter parameter is now available when configuring custom rules. The parameter
enables you to define an action for Imperva to take if the source IP of the request is identified as an anonymous proxy
IP or Tor exit node.
If an Imperva-generated certificate for your website includes unverified SANS, they will be removed from the new
certificate and the old certificate will be replaced 72 hours before the actual expiry date. Previously, the change was
made 24 hours before the expiry date.
If you did not verify all SANs and they were removed from the new certificate, this time extension allows Imperva to
republish the previous certificate that has not yet expired. This provides you with a last opportunity to verify all
required SANs before the actual expiration date and maintain your SSL support.
Typically, when your site's Imperva-generated certificate needs to be renewed, the process is completed
automatically by Imperva. In some instances, you will receive an email notification from Imperva requiring you to
revalidate ownership of your domain.
It is critical to review the required action and deadline as specified in the email, and take prompt action. If your
websites are not revalidated before the deadline, SSL support will be removed and the sites will be unreachable over
SSL.
Fixes
None.
Known Issues
Attack Analytics: “Exposed origin server” insight temporarily disabled
We have detected an issue with the Attack Analytics "exposed origin server" insight and have temporarily disabled
this insight while we investigate.
Actionable insights are recommended actions for you to take, based on attacks that have targeted your sites and
applications. For more information, see Actionable Insights.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
Introducing Website Troubleshooting
A new Troubleshooting page provides greater visibility into connectivity issues that occur when Imperva proxies
cannot reach your origin server.
The new page is intended to help you troubleshoot the following errors:
• Error code 20: The Imperva proxy failed to connect to your web server, due to a TCP connection timeout.
• Error code 8: The Imperva proxy failed to connect to your web server, due to a TCP connection rejection (TCP
reset).
When one of these errors occurs, Imperva automatically runs connectivity tests (Ping, MTR, and MTR over TCP) and
displays the results on the Troubleshooting page.
Benefits:
• Quickly determine if the connectivity issue is on the origin server side and proceed to resolve it.
Availability: We are starting to gradually roll out this new feature. It may not be immediately available in your
account.
Where it’s located: In the Cloud Security Console, navigate to Application > Troubleshooting. Expand a row to view
the test results.
• Troubleshoot Website Errors
• Cloud WAF Error Pages and Codes
• How to Troubleshoot error codes 20 and 8
Enhancements
Enhanced sidebar navigation
You can now easily collapse the side navigation panel in the Cloud Security Console to maximize the work area on the
screen.
When the sidebar is collapsed, menu options are displayed on hover to enable you to quickly access the page you
want.
To enable this functionality, some sidebar options in Website Management were changed and moved into a
hierarchical structure:
• The new Origin and Network category includes the General, Monitoring, and Client CA Certificates pages.
• The new Security category includes the Policies and Rules pages.
Menu options in Account Management and Data pages were also placed in collapsible sections:
If client certificate support is enabled for your site, you can upload a CRL file to verify whether certificates are valid
and trustworthy.
Management of DNS domains configured for Imperva DNS Protection and their DNS records were separated.
• DNS record details and configuration were removed from all of the /domain endpoints and instead are managed
using the /domain/{domainId}/records endpoint only.
• A PUT method was added for editing the existing DNS record configuration for a domain.
The Origin NS Records column was removed. This information applies to zones configured for Imperva Proxy DNS
and is visible when viewing or editing the specific zone’s configuration.
If an Imperva-generated certificate for your website includes unverified SANS, they will be removed from the new
certificate and the old certificate will be replaced 72 hours before the actual expiry date. Previously, the change was
made 24 hours before the expiry date.
Typically, when your site's Imperva-generated certificate needs to be renewed, the process is completed
automatically by Imperva. In some instances, you will receive an email notification from Imperva requiring you to
revalidate ownership of your domain.
It is critical to review the required action and deadline as specified in the email, and take prompt action. If your
websites are not revalidated before the deadline, SSL support will be removed and the sites will be unreachable over
SSL.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
Attack Analytics: “Exposed origin server” insight temporarily disabled
We have detected an issue with the Attack Analytics "exposed origin server" insight and have temporarily disabled
this insight while we investigate.
Actionable insights are recommended actions for you to take, based on attacks that have targeted your sites and
applications. For more information, see Actionable Insights.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Mobile App update
A new version of the Imperva Security Mobile App is now available.
Enhancements include:
• Security hardening
• The minimum Android version required is now 8
• General fixes
The new version is available via the Apple App Store and the Google Play App Store.
For more details on the mobile app, see Imperva Security Mobile App.
Client-Side Protection updates
The following enhancements were added to Client-Side Protection:
Direct IP communication
View IP addresses that are receiving data directly from your website.
If your site or application is communicating directly with specific IP addresses, it is likely to indicate malicious activity.
Therefore, communication to these IP addresses is automatically blocked when Client-Side Protection is in Enforce
mode. While in Monitor mode, this communication is allowed.
When direct IP communication is detected, you can see it listed on the Dashboard. You can then click for more details,
and view the list of IP addresses, as well as the web pages that are making the requests.
Domain categories
Services are categorized according to their purpose or industry, and listed in the Client-Side Protection dashboard
under the service name.
Management of DNS domains configured for Imperva DNS Protection and their DNS records will be separated.
• DNS record details and configuration will be removed from all of the /domain endpoints and instead be
managed using the /domain/{domainId}/records endpoint only.
• A PUT method will be added for editing the existing DNS record configuration for a domain.
For details on the current DNS Protection API, see DNS Protection API Definition.
The Origin NS Records column will be removed. This information applies to zones configured for Imperva Proxy DNS
and is visible when viewing or editing the specific zone’s configuration.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
Attack Analytics: “Exposed origin server” insight temporarily disabled
We have detected an issue with the Attack Analytics "exposed origin server" insight and have temporarily disabled
this insight while we investigate.
Actionable insights are recommended actions for you to take, based on attacks that have targeted your sites and
applications. For more information, see Actionable Insights.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Heads Up: DNS Protection minor UI and API enhancements
For enhanced simplicity, the following changes are planned for early January 2022.
Management of DNS domains configured for Imperva DNS Protection and their DNS records will be separated.
• DNS record details and configuration will be removed from all of the /domain endpoints and instead be
managed using the /domain/{domainId}/records endpoint only.
• A PUT method will be added for editing the existing DNS record configuration for a domain.
For details on the current DNS Protection API, see DNS Protection API Definition.
The Origin NS Records column will be removed. This information applies zones configured for Imperva Proxy DNS
and is visible when viewing or editing the specific zone’s configuration.
Our existing log integration enables you to receive your Imperva logs and archive or push these events into your SIEM
solution.
The new mechanism introduces a dramatic reduction in the time it takes to deliver logs to you after the security event
occurs.
Availability:
• During December 2021, customers who are currently using the SIEM log integration with the S3 push method
can contact Imperva Support to request migration to the new mechanism.
• In Q1 of 2022, we will migrate all customer accounts that are currently using the Imperva SIEM log integration
with the S3 push method.
• At a later stage, the new mechanism will be available to new and existing customers who start using the SIEM
log integration with the S3 push method.
Note:
• Additional IP addresses that are used for the new SIEM mechanism were recently added to the Imperva IP
address list.
18.197.138.101/32
52.28.122.247/32
18.196.8.244/32
34.195.164.78/32
34.227.199.200/32
35.168.228.214/32
54.178.125.129/32
13.114.18.213/32
13.115.55.10/32
54.153.205.221/32
13.239.174.189/32
13.236.96.83/32
To prepare for migration, verify that you have all Imperva IP addresses included in your allowlist. Note that the
IPs supporting the Near Real-Time SIEM integration are not returned by the API that retrieves the Imperva
ranges, as they are not required by all Cloud WAF customers. For details, see Allowlist Imperva IP addresses &
Setting IP restriction rules.
Note that during the migration process, there will be a short period in which logs will be sent from both the old
and new systems.
What to expect after your account is migrated to the Near Real-Time SIEM integration:
• Amazon S3 push method only, in which logs are pushed to your S3 bucket.
• Security event logs only, which include suspicious events detected by Imperva. Access logs will be added at a
later date.
Note: In the event that you change your connection details in the Logs Setup, it can take up to 3 hours for the
configuration changes to take effect.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
Attack Analytics: “Exposed origin server” insight temporarily disabled
We have detected an issue with the Attack Analytics "exposed origin server" insight and have temporarily disabled
this insight while we investigate.
Actionable insights are recommended actions for you to take, based on attacks that have targeted your sites and
applications. For more information, see Actionable Insights.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
DDoS Protection for Networks/IPs Updates
Cross connect support for Megaport
You can now establish a direct connection between your infrastructure located in Megaport-enabled facilities and the
Imperva service via a Layer 2 connection.
Availability: Supported in the Imperva data centers in Melbourne and Sydney Australia.
You can now get performance metrics for your DDoS Protection for Networks connections via the Imperva API.
Performance Monitoring metrics provide visibility into the performance of the connections between Imperva data
centers and your origin network. View metrics on latency, jitter, and packet loss to assess the stability of your
connections.
For details on the API, see DDoS Protection for Networks: Performance Monitoring API Definition.
For more information on Imperva Performance Monitoring, see Configure Performance Monitoring.
You can now retrieve Flow Exporter details via the API by providing the IP address of your exporter. The exporterIp is
the IP address of your network device that is sending flow data to Imperva.
What changed: Previously, details were available only by providing the Imperva exporter ID.
For more details on the API, see Flow Exporter API Definition.
For more details on Imperva’s Flow Monitoring service, see Flow Monitoring.
View real-time data for a protected network or IP on dashboards in a sub account. See top traffic patterns for DDoS
traffic on your network.
1. In the Cloud Security Console, navigate to Edge > Network Protection > Dashboard or Edge > IP Protection
> Dashboard.
2. In the Ranges or IPs table, click an IP range or a single IP to open the Analytics page.
3. Make sure the Real Time view is selected in the time range drop-down.
For more details on the Analytics Dashboard, see Analytics: DDoS Protection for Networks and IPs.
Note: The Real-Time view in the main Network Protection and IP Protection Dashboards is not yet supported in sub
accounts.
Mobile App: Attack Analytics Actionable Insights
You can now view Attack Analytics Actionable Insights on the Imperva Security Mobile App.
Actionable Insights provide recommended actions for attacks that have targeted your sites and applications. Learn
about the steps you can take to enhance your security posture.
The new version is available via the Apple App Store and the Google Play App Store.
In addition, the details popup that is displayed when you click the ellipsis has been updated.
Where it’s located: The homepage is displayed by default when you log in to your account. Alternatively, click Home
on the top menu bar.
Roles and permissions must be configured by an admin user for non-admin users to be able to perform any
configuration actions in Advanced Bot Protection.
The required permission is Can edit ABP configuration. Users without this permission can access Advanced Bot
Protection in read-only mode.
Note that the limitations for a user in read-only mode apply to the settings windows and not to the dashboards.
Users in read-only mode continue to have access to full dashboard functionality.
For details on assigning roles and permissions, see Manage Roles and Permissions.
For details on Advanced Bot Protection, see Understanding Advanced Bot Protection.
Heads Up: Migration to Near Real-Time SIEM integration
In January 2022 we will start to automatically migrate customer accounts to our new Near Real-Time SIEM
integration.
Our existing log integration enables you to receive your Imperva logs and archive or push these events into your SIEM
solution.
The new mechanism introduces a dramatic reduction in the time it takes to deliver logs to you after the security event
occurs.
Availability:
• During December 2021, customers who are currently using the SIEM log integration with the S3 push method
can contact Imperva Support to request migration to the new mechanism.
• In Q1 of 2022, we will migrate all customer accounts that are currently using the Imperva SIEM log integration
with the S3 push method.
• At a later stage, the new mechanism will be available to new and existing customers who start using the SIEM
log integration with the S3 push method.
Note:
• Additional IP addresses that are used for the new SIEM mechanism were recently added to the Imperva IP
address list.
18.197.138.101/32
52.28.122.247/32
18.196.8.244/32
34.195.164.78/32
34.227.199.200/32
35.168.228.214/32
54.178.125.129/32
13.114.18.213/32
13.115.55.10/32
54.153.205.221/32
13.239.174.189/32
13.236.96.83/32
To prepare for migration, verify that you have all Imperva IP addresses included in your allowlist. Note that the
IPs supporting the Near Real-Time SIEM integration are not returned by the API that retrieves the Imperva
ranges, as they are not required by all Cloud WAF customers. For details, see Allowlist Imperva IP addresses &
Setting IP restriction rules.
Note that during the migration process, there will be a short period in which logs will be sent from both the old
and new systems.
What to expect after your account is migrated to the Near Real-Time SIEM integration:
• Amazon S3 push method only, in which logs are pushed to your S3 bucket.
• Security event logs only, which include suspicious events detected by Imperva. Access logs will be added at a
later date.
Note: In the event that you change your connection details in the Logs Setup, it can take up to 3 hours for the
configuration changes to take effect.
For the list of supported TLS versions, see Web Protection - SSL/TLS.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
Attack Analytics: “Exposed origin server” insight temporarily disabled
We have detected an issue with the Attack Analytics "exposed origin server" insight and have temporarily disabled
this insight while we investigate.
Actionable insights are recommended actions for you to take, based on attacks that have targeted your sites and
applications. For more information, see Actionable Insights.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
DDoS Protection for Networks: View performance metrics
Gain visibility into the performance of the GRE tunnel connections between Imperva data centers and your origin
network.
View metrics on latency, jitter, and packet loss to assess the stability of your connections, when you're experiencing
network issues, or any time you want to check on the connection status in order to speed up your investigation.
Where it’s located: On the new performance dashboard. In the Cloud Security Console, navigate to Edge > Network
Protection > Dashboard > Performance.
Regulatory requirements may demand that your certificate's private key be hosted in an HSM. If you choose to use
your own certificate for your Imperva-protected website, you can upload your certificate without the private key while
maintaining the private key in a 3rd party cloud HSM service.
Fortanix Data Security Manager is the HSM service currently supported for this integration.
Enhancements
DDoS Protection for Networks and IPs: Send us your feedback
How did we do? Easily share your feedback about Imperva’s mitigation of a specific DDoS attack.
You can then opt to open a short form and provide your feedback.
The message is displayed when you open the analytics page as follows:
• You receive a DDoS event ended mail notification, and click the link to view more details.
• You click the Analyze Attack button on the Network/IP Protection Dashboard. The button is displayed in the
dashboard’s Event Log table for a DDoS event has ended event.
Website certificate selection by Imperva proxies
If you have uploaded a custom certificate for a website in addition to the Imperva-generated certificate we provide
(“Imperva-generated certificate”), the Imperva proxy server must decide which certificate to use.
What changed: To optimize the selection process, the algorithm used to select which certificate to use has been
changed.
Note: Applies to newly onboarded websites only. We will continue to use the previous method for existing sites.
2. A custom certificate from another site in your account with a SAN corresponding to the site in question.
3. A custom certificate from another site in your account with a SAN corresponding to the site in question.
To ensure that your custom certificate is used for a website, make sure that it is uploaded to that specific website's
configuration in Imperva.
Heads Up: Migration to Near Real-Time SIEM integration
Starting the week of December 5, 2021, we will start to automatically migrate customer accounts to our new Near
Real-Time SIEM integration.
Our existing log integration enables you to receive your Imperva logs and archive or push these events into your SIEM
solution.
The new mechanism introduces a dramatic reduction in the time it takes to deliver logs to you after the security event
occurs.
Availability:
• Early December 2021: Migration of approximately 50% of Enterprise 20 customer accounts that are currently
using the Imperva SIEM log integration with the S3 push method.
• In Q1 of 2022, migration of additional customer accounts who are currently using the SIEM log integration with
the S3 push method will continue. Updates will follow in future release notes.
• At a later stage, the new mechanism will be available to new and existing customers who start using the SIEM
log integration with the S3 push method.
Note:
• Additional IP addresses that are used for the new SIEM mechanism were recently added to the Imperva IP
address list.
18.197.138.101/32
52.28.122.247/32
18.196.8.244/32
34.195.164.78/32
34.227.199.200/32
35.168.228.214/32
54.178.125.129/32
13.114.18.213/32
13.115.55.10/32
54.153.205.221/32
13.239.174.189/32
13.236.96.83/32
To prepare for migration, verify that you have all Imperva IP addresses included in your allowlist. Note that the
IPs supporting the Near Real-Time SIEM integration are not returned by the API that retrieves the Imperva
ranges, as they are not required by all Cloud WAF customers. For details, see Allowlist Imperva IP addresses &
Setting IP restriction rules.
What to expect after your account is migrated to the Near Real-Time SIEM integration:
• Amazon S3 push method only, in which logs are pushed to your S3 bucket.
• Security event logs only, which include suspicious events detected by Imperva. Access logs will be added at a
later date.
Note: In the event that you change your connection details in the Logs Setup, it can take up to 3 hours for the
configuration changes to take effect.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
Attack Analytics: “Exposed origin server” insight temporarily disabled
We have detected an issue with the Attack Analytics "exposed origin server" insight and have temporarily disabled
this insight while we investigate.
Actionable insights are recommended actions for you to take, based on attacks that have targeted your sites and
applications. For more information, see Actionable Insights.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
• DDoS Protection for Networks and IPs: Enhanced sub account support
• Change in the Alternative Domain/Hosts table
• Certificate configuration options added
• Domain validation policy changes
• Security rule statistics added to Website Security Dashboard
• Heads Up: Planned maintenance on the Cloud Security Console
• Heads Up: Old Performance/Security/Traffic dashboards removal
• Recently mitigated CVEs
• Attack Analytics: “Exposed origin server” insight temporarily disabled
New Features
None.
Enhancements
DDoS Protection for Networks and IPs: Enhanced sub account support
In addition to protected networks, you can now manage protected IPs and flow exporters at the sub account level.
To facilitate the transition, you can move your existing assets from the parent account to its sub accounts using a new
Imperva API.
Where it’s located: On the General Settings page in the Cloud Security Console (Application > Websites> <select a
website> > General Settings > DNS Settings).
What changed: The Verified field was renamed Protected Status, and the possible values were changed as follows:
Your preferences are used by Imperva the first time the certificate is generated, and each time the certificate is
renewed.
What changed: Previously, you could not change these options in the UI after onboarding, and needed to use the API
or contact Imperva Support if you wanted to make a change. Now you can configure the options in the UI.
Impact: Changing the options does not impact the current certificate for your website. The new settings will take
effect the next time the certificate is renewed.
The primary goal of this industry mandate is to improve the security posture by addressing the security issues of the
existing baseline requirements to authenticate an entire domain namespace.
This policy change will apply to all new requests, renewals, and re-issues for Imperva-generated certificates issued for
your protected websites.
There is no impact to TLS/SSL certificates that have already been issued until the certificate expires. However, no
additional SANs could be added to or removed from a certificate containing a wildcard SAN validated using HTTP
Domain control validation.
To continue using this validation method, it will be required to validate each subdomain (SAN:DNSName) individually.
Therefore, Imperva will support wildcard SAN validation only via DNS or email validation.
If we have identified that your configuration needs to be updated to comply with this change in the standards, you will
receive additional communications from Imperva.
Security rule statistics added to Website Security Dashboard
You can now view statistics for triggered custom security rules for your protected websites.
Where it’s located: On the Website Security Dashboard, under Security settings (Application > WAF > Dashboards >
Security).
During the process, the Cloud Security Console (UI and API) will be unavailable.
Your assets will remain fully protected by Imperva systems for the duration of the activity.
Heads Up: Old Performance/Security/Traffic dashboards removal
The Performance, Security, and Traffic tabs of the old Website Dashboard page are planned for removal in the near
future. Updates will follow in future release notes.
If you are still using the old Website Dashboard, we encourage you to familiarize yourself now with the new, enhanced
dashboards.
The new website Performance and Security dashboards introduce improved usability, faster investigation time, and
more actionable data, and are currently available to all users.
Where the new dashboards are located: On the top menu bar, navigate to Application. On the sidebar, click WAF >
Dashboards.
The Traffic tab has moved to the Performance & traffic section of the new Website Performance dashboard.
For more details about the new Website Dashboards, see Website Dashboards.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
Attack Analytics: “Exposed origin server” insight temporarily disabled
We have detected an issue with the Attack Analytics "exposed origin server" insight and have temporarily disabled
this insight while we investigate.
Actionable insights are recommended actions for you to take, based on attacks that have targeted your sites and
applications. For more information, see Actionable Insights.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Website Performance Dashboard: Enhanced Performance
The Performance dashboard provides caching and traffic statistics for your Imperva-protected websites and
applications.
What changed: The following performance improvements are rolling out over the next several weeks:
• Resolution of 1 minute when the selected time range is less than 12 hours. The maximum resolution was
previously 10 minutes.
• Improved page loading time.
• Click the toggles to show or hide a section of the dashboard. By default, all sections are displayed.
• Click and drag to change the order of the sections displayed on the dashboard.
In addition to Imperva contacting you by automated mail, and by text/phone call according to your preferred method,
our Network Operations Center (NOC) team was also manually sending a confirmation mail.
What changed: The NOC team is no longer sending the duplicate confirmation mail. If you have any automation rules
that rely on the manual mails, we recommend you update them to rely on the automated mails.
During the process, the Cloud Security Console (UI and API) will be unavailable.
Your assets will remain fully protected by Imperva systems for the duration of the activity.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
Attack Analytics: “Exposed origin server” insight temporarily disabled
We have detected an issue with the Attack Analytics "exposed origin server" insight and have temporarily disabled
this insight while we investigate.
Actionable insights are recommended actions for you to take, based on attacks that have targeted your sites and
applications. For more information, see Actionable Insights.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Introducing Near Real-Time SIEM integration
We are starting to roll out our new near real-time SIEM integration solution. The new mechanism introduces a
dramatic reduction in the time it takes to deliver logs to you after the security event occurs.
Our existing log integration enables you to receive your Imperva logs and archive or push these events into your SIEM
solution.
• Amazon S3 push method only, in which logs are pushed to your S3 bucket.
• Security event logs only, which include suspicious events detected by Imperva. Access logs will be added at a
later date.
Availability:
Until December 1, 2021, customers who are currently using the Imperva SIEM log integration with the S3 push
method can contact Imperva Support to request migration to the new mechanism.
• Additional IP addresses that are used for the new SIEM mechanism were recently added to the Imperva IP
address list. To prepare for migration, verify that you have all Imperva IP addresses included in your allowlist.
Note that the IPs supporting the Near Real-Time SIEM integration are not returned by the API that retrieves the
Imperva ranges, as they are not required by all Cloud WAF customers. For details, see Allowlist Imperva IP
addresses & Setting IP restriction rules.
At a later stage, the new mechanism will be available to new and existing customers who start using the SIEM log
integration with the S3 push method. Updates will follow in future release notes.
What changed:
After your account is migrated to the new mechanism, the following changes to the log files will apply:
Note: In the event that you change your connection details in the Logs Setup, it can take up to 3 hours for the
configuration changes to take effect.
The new website Performance and Security dashboards introduce improved usability, faster investigation time, and
more actionable data, and are currently available to all users.
Where the new dashboards are located: On the top menu bar, navigate to Application. On the sidebar, click WAF >
Dashboards.
The Traffic tab has moved to the Performance & traffic section of the new Website Performance dashboard.
For more details about the new Website Dashboards, see Website Dashboards.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
Enhancements
Notifications of ongoing network level DDoS attacks
Popup notifications have been added to the Cloud Security Console, giving you greater visibility into ongoing Layer
3/4 volumetric DDoS attacks on your assets.
What changed: In the event of an active DDoS attack, a notification is displayed in the top-right corner of the Console
window when you log in.
The popup includes links to the attacked assets, opening a drill-down view of the attack analysis.
• Website groups: The Imperva IPs that support your Cloud WAF protected websites.
• Protected Networks and IPs: Your origin IP addresses or ranges protected by the DDoS Protection for Networks
and Single IPs services.
The information updates every 5 minutes. If you close the popup and a new attack occurs during your logged in
session, a new notification is displayed.
CDN: Enhanced option for purging specific resources
As part of the caching functionality provided by Imperva CDN, you have the option to tag resources according to a
specified response header value in the resources. This enables you to subsequently purge resources according to the
tag name.
What changed: Previously, the response was tagged according to the entire value of the specified header. Now, if
there are multiple values in the header separated by commas, the resource is tagged with multiple tags. This provides
you with greater granularity for purging specific resources.
For example:
Previous behavior:
New behavior:
Where it’s located: In the Cloud Security Console, navigate to Application > <select your website> > Cache >
Advanced Settings > Tag the Response According to the Value of this Header.
Our existing log integration enables you to retrieve or receive your Imperva logs and archive or push these events into
your SIEM solution.
• Amazon S3 push method only, in which logs are pushed to your S3 bucket.
• Security event logs only, which include suspicious events detected by Imperva. Access logs will be added at a
later date.
Availability:
• In the initial phase of rollout, customers who are currently using the Imperva SIEM log integration with the S3
push method will be migrated to the new mechanism. This phase is expected to continue through the end of the
year.
• At a later stage, the new mechanism will be made available to new and existing customers who start using the
SIEM log integration with the S3 push method. Updates will follow in future release notes.
What changed:
After your account is migrated to the new mechanism, the following changes to the log files will apply:
Note:
• Access to your S3 bucket is verified by Imperva before your account is migrated. In the event that your S3 bucket
is not accessible, our team will contact you to update your S3 allowlist.
To verify that you have all Imperva IP addresses included in your allowlist, see Allowlist Imperva IP addresses &
Setting IP restriction rules. The additional IP addresses that are used for the new SIEM mechanism were recently
added to the list. They will be in use as of start of the Near Real-Time SIEM rollout on November 1st.
• In the event that you change your connection details in the Logs Setup, it can take up to 3 hours for the
configuration changes to take effect.
For backward compatibility, we still support sending the api_id and api_key parameters in the query string.
On November 1, 2021, support for API authentication by sending the API Key/ID as query parameters will be
discontinued. At that point, API calls using the authentication query parameters will no longer work.
Where the new dashboards are located: On the top menu bar, navigate to Application. On the sidebar, click WAF >
Dashboards.
The Traffic tab has moved to the Performance & traffic section of the new Website Performance dashboard.
For more details about the new Website Dashboards, see Website Dashboards.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
DDoS Protection for Networks: SIEM integration
Send events logs for the Imperva DDoS Protection for Networks and IPs services to your preferred SIEM solution.
Imperva pushes the event logs to your Amazon S3 bucket, enabling you to import the events into your SIEM solution.
This integration is based on the new Imperva Near Real-Time SIEM solution, currently rolling out.
Availability: We are now offering the SIEM integration for DDoS Protection for Networks and IPs as an Early
Availability feature. To enable the feature for your account during this period, contact Imperva Support.
Events include:
• Connection up
• Connection down
• IP up
• IP down
For more details, see SIEM Log Integration: DDoS Protection for Networks and IPs.
Enhancements
Heads up: Near Real-Time SIEM integration
On November 1, 2021, we are starting rollout of our new near real-time SIEM solution. The new mechanism
introduces a dramatic reduction in the time it takes to deliver logs to you after the security event occurs.
Our existing log integration enables you to retrieve or receive your Imperva logs and archive or push these events into
your SIEM solution.
• Amazon S3 push method only, in which logs are pushed to your S3 bucket.
• Security event logs only, which include suspicious events detected by Imperva. Access logs will be added at a
later date.
Availability:
• In the initial phase of rollout, customers who are currently using the Imperva SIEM log integration with the S3
push method will be migrated to the new mechanism. This phase is expected to continue through the end of the
year.
• At a later stage, the new mechanism will be made available to new and existing customers who start using the
SIEM log integration with the S3 push method. Updates will follow in future release notes.
What changed:
After your account is migrated to the new mechanism, the following changes to the log files will apply:
Note:
• Access to your S3 bucket is verified by Imperva before your account is migrated. In the event that your S3 bucket
is not accessible, our team will contact you to update your S3 allowlist.
To verify that you have all Imperva IP addresses included in your allowlist, see Allowlist Imperva IP addresses &
Setting IP restriction rules. The additional IP addresses that are used for the new SIEM mechanism were recently
added to the list. They will be in use as of start of the Near Real-Time SIEM rollout on November 1st.
• In the event that you change your connection details in the Logs Setup, it can take up to 3 hours for the
configuration changes to take effect.
For backward compatibility, we still support sending the api_id and api_key parameters in the query string.
On November 1, 2021, support for API authentication by sending the API Key/ID as query parameters will be
discontinued. At that point, API calls using the authentication query parameters will no longer work.
Where the new dashboards are located: On the top menu bar, navigate to Application. On the sidebar, click WAF >
Dashboards.
The Traffic tab has moved to the Performance & traffic section of the new Website Performance dashboard.
For more details about the new Website Dashboards, see Website Dashboards.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Visibility into alternative domains defined for a website (CNAME reuse)
Alternative domains that are connected to an onboarded website via CNAME reuse are now displayed in the Cloud
Security Console.
Background: Imperva enables the use of website settings for several different domains that share the same IP
address. This is implemented by using the CNAME provided by Imperva for the onboarded (primary) website. For
more details, see CNAME Reuse.
What changed: The list of all domains pointing to the IP address of an onboarded website via CNAME reuse is now
provided via the UI and API.
Next steps:
• For enhanced protection, Imperva will add an option in the near future to block all domains that do not appear
in the table. Initially, this option will be disabled by default. You can choose to turn it on for a higher level of
protection.
• Imperva will also be introducing a new website level “Imperva-generated certificate” that will provide support
for all alternative domains associated with an onboarded website. Note: The website certificate will support SNI
communication only. The existing certificates will continue to be used for non-SNI communication.
• UI: A new table lists all the alternative domains pointing to the IP address of the onboarded website via CNAME
reuse, and therefore sharing the same site configuration.
• Domains are automatically added to the table when requests for them reach Imperva.
• You can also manually add domains to the table to prepare for the enhanced protection offered by the
next steps explained above. Add domains to the table to instruct Imperva to allow legitimate traffic to
these domains once the next steps are implemented.
To access the UI, navigate to Application > Websites > <select a website> > General Settings. For more details,
see Website General Settings.
• API: You can also manage alternative domains using the Imperva API. For details, see Website Domain
Management API Definition.
Cloud WAF: DNSSEC compliance for DNS CNAME resolution
In this release, we are re-enabling DNSSEC compliance on the impervadns.net and incapdns.net domains. These
domains support all websites onboarded to Imperva’s Cloud WAF.
This enhancement completes the end-to-end chain of trust as we now sign and validate Imperva’s CNAME records
with DNSSEC.
Details:
DNSSEC (Domain Name System Security Extensions) adds a layer of authentication to DNS CNAME resolution to
prevent requests from being “hijacked” and diverted to other addresses. This boosts protection against man-in-the-
middle attacks, such as DNS cache poisoning and forged DNS responses.
When onboarding your site to Cloud WAF, Imperva provides you with a CNAME that is used both for pointing traffic to
the Imperva network, and for identifying the site in the event that multiple domains are linked under the same
Imperva site configuration and policy. The CNAME resolves to an IP address in Imperva’s DNS zone.
After onboarding, you can see DNS settings for your site in the General Settings page. For details, see Website General
Settings.
Heads up: Near Real-Time SIEM integration
On November 1, 2021, we are starting rollout of our new near real-time SIEM solution. The new mechanism introduces
a dramatic reduction in the time it takes to deliver logs to you after the security event occurs.
Our existing log integration enables you to retrieve or receive your Imperva logs and archive or push these events into
your SIEM solution.
• Amazon S3 push method only, in which logs are pushed to your S3 bucket.
• Security event logs only, which include suspicious events detected by Imperva. Access logs will be added at a
later date.
Availability:
• In the initial phase of rollout, customers who are currently using the Imperva SIEM log integration with the S3
push method will be migrated to the new mechanism. This phase is expected to continue through the end of the
year.
• At a later stage, the new mechanism will be made available to new and existing customers who start using the
SIEM log integration with the S3 push method. Updates will follow in future release notes.
What changed:
After your account is migrated to the new mechanism, the following changes to the log files will apply:
Note:
• Access to your S3 bucket is verified by Imperva before your account is migrated. In the event that your S3 bucket
is not accessible, our team will contact you to update your S3 allowlist.
To verify that you have all Imperva IP addresses included in your allowlist, see Allowlist Imperva IP addresses &
Setting IP restriction rules. The additional IP addresses that are used for the new SIEM mechanism were recently
added to the list. They will be in use as of start of the Near Real-Time SIEM rollout on November 1st.
• In the event that you change your connection details in the Logs Setup, it can take up to 3 hours for the
configuration changes to take effect.
The allowlist enables you instruct ATO Protection to allow all login attempts from specific IP addresses.
What changed: To help you more easily identify these maintenance announcements, the sender name was added to
the email address, and will appear as follows: Imperva NOC <noc@incapsula.com>.
Where the new dashboards are located: On the top menu bar, navigate to Application. On the sidebar, click WAF >
Dashboards.
The Traffic tab has moved to the Performance & traffic section of the new Website Performance dashboard.
For more details about the new Website Dashboards, see Website Dashboards.
Heads Up: Deprecation of API authentication using query parameters
In September 2020, we introduced support for API authentication using request headers instead of sending them as
query parameters.
For backward compatibility, we still support sending the api_id and api_key parameters in the query string.
On November 1, 2021, support for API authentication by sending the API Key/ID as query parameters will be
discontinued. At that point, API calls using the authentication query parameters will no longer work.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
New Notification Policies in Notification Settings
Additional notification policies are being rolled out for the new Notification Settings feature, providing users with
more granular control over which notifications they receive, and the list of recipients who receive them.
• Subscription notifications
• Edge security (includes notifications for Network DDoS events, status and configuration updates on flow
exporters, router connections, and DNS zones)
In addition, an API for creating and managing notification settings for user accounts has been added.
Availability:
• As of this release, new accounts can take advantage of the complete Notification Settings feature, including the
newly added notification policies.
• Rollout of the Notification Settings feature to all accounts that do not yet have access is starting and will
continue through the end of the year.
Where it’s located: In the Cloud Security Console, navigate to Account Management > Notification Settings.
For more details about the Notification Settings page, see Notification Settings.
For more details about the Notification Settings API, see Notification Settings API Definition.
Classic UI removed
The Switch to Classic UI option was removed.
The new navigational structure in the Cloud Security Console rolled out last year aligns with Imperva’s offering
categories (Application, Edge, Data), addresses scalability and usability issues, and reduces time to navigate.
For more details on the new UI, see Cloud Security Console.
Heads Up: Old Performance/Real-time/Security/Traffic dashboards
removal
As of October 24, 2021, the Performance, Real-time, Security and Traffic tabs of the old Website Dashboard page will
no longer be accessible. The new website Performance, Real-time, and Security dashboards introduce improved
usability, faster investigation time, and more actionable data, and are currently available to all users.
Where the new dashboards are located: On the top menu bar, navigate to Application. On the sidebar, click WAF >
Dashboards.
The Traffic tab has moved to the Performance & traffic section of the new Website Performance dashboard.
For more details about the new Website Dashboards, see Website Dashboards.
Heads Up: Deprecation of API authentication using query parameters
In September 2020, we introduced support for API authentication using request headers instead of sending them as
query parameters.
For backward compatibility, we still support sending the api_id and api_key parameters in the query string.
On November 1, 2021, support for API authentication by sending the API Key/ID as query parameters will be
discontinued. At that point, API calls using the authentication query parameters will no longer work.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Account Takeover Protection Updates
The following enhancements were made to Account Takeover Protection:
If you have defined a password for viewing username fields in cleartext, you can now reset the password directly from
the Account Takeover Protection dashboard.
Previously, only the Imperva Support team could reset the password.
Where it’s located: On the ATO Protection Settings page, click Change password.
For enhanced usability, you can now add single IP addresses, multiple IP addresses, or IP ranges to the allowlist.
What changed: Previously, you could only add individual IP addresses to the allowlist, one at a time.
Where it’s located: On the ATO dashboard, click the settings icon to access the allowlist settings.
To add multiple IP addresses, separate the IPs with commas. To add an IP range, use the IP/mask format.
When adding a service to the allowlist, you can now add it to multiple websites at once.
2. Click Set for multiple websites and select from the list of websites in your account.
Possible values for estimated risk now include malicious, magecart, and malware.
The estimated risk value indicates the likelihood that the service is being used for malicious intent. Previously, values
included Low, Medium, High, and No data.
In the event that the service is determined by Imperva to be malicious, or to be connected specifically to malware or
Magecart attacks, the new values are used instead of the low/medium/high categorization.
What changed: If the certificate does not include the website’s domain, the upload is blocked and an error message is
displayed. Previously, upload of the certificate was not blocked, even if it did not include the website’s domain. This is
not a valid configuration and could impact the protection of the website.
Where it’s located: You can upload a custom certificate for your Imperva-protected website on the General Settings
page of the Cloud Security Console: Application > Websites > <your site> > Website Settings > General.
For details, see Upload a Custom Certificate for Your Website on Imperva.
Heads Up: Closing access to the Classic UI
On October 3, 2021, the Switch to Classic UI option will be removed.
The new navigational structure in the Cloud Security Console rolled out last year aligns with Imperva’s offering
categories (Application, Edge, Data), addresses scalability and usability issues, and reduces time to navigate.
If you are still using the Classic UI, we encourage you to familiarize yourself now with the enhanced look and feel of
the new UI and start taking advantage of new features available only in the new UI.
For more details on the new UI, see Cloud Security Console.
Heads Up: Old Performance/Real-time/Security/Traffic dashboards
removal
As of October 24, 2021, the Performance, Real-time, Security and Traffic tabs of the old Website Dashboard page will
no longer be accessible. The new website Performance, Real-time, and Security dashboards introduce improved
usability, faster investigation time, and more actionable data, and are currently available to all users.
Where the new dashboards are located: On the top menu bar, navigate to Application. On the sidebar, click WAF >
Dashboards.
The Traffic tab has moved to the Performance & traffic section of the new Website Performance dashboard.
For more details about the new Website Dashboards, see Website Dashboards.
Heads Up: Deprecation of API authentication using query parameters
In September 2020, we introduced support for API authentication using request headers instead of sending them as
query parameters.
For backward compatibility, we still support sending the api_id and api_key parameters in the query string.
On November 1, 2021, support for API authentication by sending the API Key/ID as query parameters will be
discontinued. At that point, API calls using the authentication query parameters will no longer work.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
RSA key length limit for custom certificates
As part of onboarding your website to Imperva, you have the option to upload your own certificate.
What changed: You can no longer upload a certificate that is 4096 bits or larger. This change applies to all existing
websites or newly onboarded websites.
Exception: If your website is currently using a certificate that is 4096 bits or larger, you can replace it as required for
certificate rotation.
Why the change? According to industry standards for PKI, the recommended key size is an RSA 2048 bit certificate.
This is the recommendation of the National Institute of Standards and Technology (NIST), Mozilla, and others.
In addition, Imperva supports this recommendation for the following reason: The majority of clients support PFS
ciphers. When a client supports PFS ciphers, the Imperva proxy will always use it. And when a PFS cipher is used, the
certificate key is used only for server authentication. It does not affect key exchange, and therefore has no impact on
encryption strength and security.
Where it’s located: You can upload a new custom certificate for your website on the General Settings page. For
details, see Web Protection - General Settings.
Heads Up: Custom certificates must include the website’s domain
The following change is planned for September 26, 2021.
When onboarding or configuring SSL support for a secure website in Imperva, if you choose to upload your own
custom certificate, it must include the SAN for the website’s domain.
What’s changing: If the certificate does not include the website’s domain, the upload will be blocked and an error
message will be displayed. Previously, upload of the certificate was not blocked, even if it did not include the
website’s domain. This is not a valid configuration and could impact the protection of the website.
Where it’s located: You can upload a custom certificate for your Imperva-protected website on the General Settings
page of the Cloud Security Console: Application > Websites > <your site> > Website Settings > General.
For details, see Upload a Custom Certificate for Your Website on Imperva.
Website traffic metrics displayed on the account dashboard
Website traffic metrics were added to the account-level dashboard, located on the Home page of the Cloud Security
Console.
Availability: This change is being rolled out over the next several weeks and may not yet be enabled in your account.
• Total visits: (Sessions) The number of times the website was accessed.
• Total bandwidth: All bandwidth used for responses served from the Imperva cache and from your origin server.
• Bits per second: The average number of bits per second of incoming and outgoing traffic passing between
clients and Imperva, based on calculation of the 95% percentile.
• Top websites: The websites in the account with the highest total visits, total bandwidth, or bits per second.
The new Traffic by Geo Location map shows traffic distribution by country.
What changed: Previously, the State parameter applied to states within the United States, and accepted only the 2-
character ISO codes for those states. Now, the parameter supports any 2-character alphanumeric string, enabling you
to create a filter that identifies regions or subdivisions within countries outside of the United States, according to
standard ISO codes.
For example, the Ukraine country code is UA, and the region code for Crimea is 43. To match requests coming from
Crimea, you can create the following filter: "CountryCode == UA & State == 43".
Where the new Monitoring Settings page is located: On the top menu bar, navigate to Application > Websites >
<select a website> > Monitoring Settings.
For more details about the new Website Monitoring Settings page, see Load Balancing Monitoring Settings.
Website Performance Dashboard: 95th percentile indicator removed
An indicator of the 95th percentile of bandwidth usage was previously displayed in the new Website Performance
Dashboard’s Requests over time and Bits/second graphs.
The metric was not aligned with calculation of the 95th percentage of bandwidth usage presented in the Usage
Report, used for billing clean traffic, and was therefore removed.
The new navigational structure in the Cloud Security Console rolled out last year aligns with Imperva’s offering
categories (Application, Edge, Data), addresses scalability and usability issues, and reduces time to navigate.
If you are still using the Classic UI, we encourage you to familiarize yourself now with the enhanced look and feel of
the new UI and start taking advantage of new features available only in the new UI.
For more details on the new UI, see Cloud Security Console.
Heads Up: Old Performance/Real-time/Security/Traffic dashboards
removal
As of October 24, 2021, the Performance, Real-time, Security and Traffic tabs of the old Website Dashboard page will
no longer be accessible. The new website Performance, Real-time, and Security dashboards introduce improved
usability, faster investigation time, and more actionable data, and are currently available to all users.
Where the new dashboards are located: On the top menu bar, navigate to Application. On the sidebar, click WAF >
Dashboards.
The Traffic tab has moved to the Performance & traffic section of the new Website Performance dashboard.
For more details about the new Website Dashboards, see Website Dashboards.
Heads Up: Deprecation of API authentication using query parameters
In September 2020, we introduced support for API authentication using request headers instead of sending them as
query parameters.
For backward compatibility, we still support sending the api_id and api_key parameters in the query string.
On November 1, 2021, support for API authentication by sending the API Key/ID as query parameters will be
discontinued. At that point, API calls using the authentication query parameters will no longer work.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Client-Side Protection API
You can now access your Client-Side Protection data and configuration via the API.
Client-Side Protection guards your customers’ data from theft through client-side attacks like digital skimming, supply
chain attacks, and Magecart.
Subject lines of the mail: "Domain revalidation required" or "Domain revalidation deadline"
It is critical to review the required action and deadline as specified in the email, and take prompt action. If your
websites are not revalidated before the deadline, SSL support will be removed and the sites will be unreachable over
SSL.
Note:
• Due to internal changes made to enhance our certificate revalidation process, you may be asked to revalidate
ownership of your domain long before the certificate’s expiration date. This will help us align our system, and
enable us to complete the process more automatically moving forward.
• For customers who subscribed to Imperva after June 27, 2021, notification recipients are defined on
the Notification Settings page. For details, see Notification Settings.
• For customers who subscribed to Imperva before June 27, 2021, notification recipients are defined in
Account Settings. For details, see Account Settings. Notification settings for existing customers will be
migrated to the new mechanism at a later date.
Make sure that the users who need to receive these mails are defined in the relevant location.
For more details on certificate renewal, see Revalidate Your Imperva Certificate.
Heads Up: Closing access to the Classic UI
On October 3, 2021, the Switch to Classic UI option will be removed.
The new navigational structure in the Cloud Security Console rolled out last year aligns with Imperva’s offering
categories (Application, Edge, Data), addresses scalability and usability issues, and reduces time to navigate.
If you are still using the Classic UI, we encourage you to familiarize yourself now with the enhanced look and feel of
the new UI and start taking advantage of new features available only in the new UI.
For more details on the new UI, see Cloud Security Console.
Heads Up: Old Security and Performance dashboards removal
As of October 24, 2021, the Security and Performance tabs of the old Website Dashboard page will no longer be
accessible. The new website Security and Performance dashboards introduce improved usability, faster investigation
time, and more actionable data, and are currently available to all users.
Where the new dashboards are located: On the top menu bar, navigate to Application. On the sidebar, click WAF >
Dashboards.
For more details about the new Website Dashboards, see Website Dashboards.
For backward compatibility, we still support sending the api_id and api_key parameters in the query string.
On November 1, 2021, support for API authentication by sending the API Key/ID as query parameters will be
discontinued. At that point, API calls using the authentication query parameters will no longer work.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Heads Up: GlobalSign Atlas TLS ICA certificate rotation
To promote good ecosystem security and agility, GlobalSign will be rotating their Atlas Intermediate CA certificates
(ICAs) on a regular schedule.
The first certificate replacement is scheduled for August 24, 2021. Thereafter, the ICA certificate will be replaced
quarterly.
However, if you are using certificate pinning, note that it is not supported for Imperva-generated certificates.
Websites using SSL certificate pinning with Imperva-generated certificates may experience a service disruption when
the ICA certificate is replaced.
To prevent that from happening, we advise you to remove any certificate pinning linked to Imperva-generated
certificates.
You may continue to use certificate pinning by uploading and pinning custom certificates instead. For details, see
Upload a Custom Certificate for Your Website on Imperva.
What changed: The Security Events page provides an enhanced view for exploring the security events detected and
mitigated by Imperva.
Where the Security Events page is located: In the Cloud Security Console, navigate to Application > Security
Events.
Where the new Monitoring Settings page is located: On the top menu bar, navigate to Application > Websites >
<select a website> > Monitoring Settings.
For more details about the new Website Monitoring Settings page, see Load Balancing Monitoring Settings.
Heads Up: Closing access to the Classic UI
On October 3, 2021, the Switch to Classic UI option will be removed.
The new navigational structure in the Cloud Security Console rolled out last year aligns with Imperva’s offering
categories (Application, Edge, Data), addresses scalability and usability issues, and reduces time to navigate.
If you are still using the Classic UI, we encourage you to familiarize yourself now with the enhanced look and feel of
the new UI and start taking advantage of new features available only in the new UI.
For more details on the new UI, see Cloud Security Console.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Website Monitoring Settings API
You can now manage website monitoring settings via the API.
The website monitoring settings determine when origin servers should be considered “up” or “down” (active or
inactive) by the Imperva Load Balancer. They also enable you to select which failure scenarios you want to produce
alarm messages, and how to send them.
What changed: Imperva is now advertising BGP routes to our performance monitoring servers over GRE tunnels.
You can now see the IP addresses that are advertised for each GRE tunnel connection. They are listed as PM Server 1
and PM Server 2 in the Origin Connectivity table.
Where it’s located: In the Cloud Security Console, navigate to Edge > Network Protection > Connectivity Settings.
RSA key length limit for custom certificates
As part of onboarding your website Imperva, you have the option to upload your own certificate.
What changed: To date, Imperva has not limited the size of uploaded certificates. As of this release, you cannot
upload a certificate that is 4096 bits or larger. This applies only to websites onboarded to Imperva on or after this
release.
Why the change? According to industry standards for PKI, the recommended key size is an RSA 2048 bit certificate.
This is the recommendation of the National Institute of Standards and Technology (NIST), Mozilla, and others.
In addition, Imperva supports this recommendation for the following reason: The majority of clients support PFS
ciphers. When a client supports PFS ciphers, the Imperva proxy will always use it. And when a PFS cipher is used, the
certificate key is used only for signing. It does not affect key exchange, and therefore has no impact on encryption
strength and security.
Where it’s located: You can upload a new custom certificate for your website on the General Settings page. For
details, see Web Protection - General Settings.
New Website Monitoring Settings page: Rollout complete
As part of our new, improved user experience for the Cloud Security Console, we have completed the rollout of the
new Website Monitoring Settings, which is now available to all customers. The new Website Monitoring Settings page
replaces the old Monitoring Settings page, which will no longer be available after August 29, 2021.
What changed: The UI has been streamlined for an enhanced user experience.
Where it’s located: On the top menu bar, navigate to Application > Websites > <select a website> > Monitoring
Settings.
For more details about the Website Monitoring Settings page, see Load Balancing Monitoring Settings.
Heads Up: GlobalSign Atlas TLS ICA certificate rotation
To promote good ecosystem security and agility, GlobalSign will be rotating their Atlas Intermediate CA certificates
(ICAs) on a regular schedule.
The first certificate replacement is scheduled for August 24, 2021. Thereafter, the ICA certificate will be replaced
quarterly.
However, if you are using certificate pinning, note that it is not supported for Imperva-generated certificates.
Websites using SSL certificate pinning with Imperva-generated certificates may experience a service disruption when
the ICA certificate is replaced.
To prevent that from happening, we advise you to remove any certificate pinning linked to Imperva-generated
certificates.
You may continue to use certificate pinning by uploading and pinning custom certificates instead. For details, see
Upload a Custom Certificate for Your Website on Imperva.
What changed: The Security Events page provides an enhanced view for exploring the security events detected and
mitigated by Imperva.
Where the Security Events page is located: In the Cloud Security Console, navigate to Application > Security
Events.
The new navigational structure in the Cloud Security Console rolled out last year aligns with Imperva’s offering
categories (Application, Edge, Data), addresses scalability and usability issues, and reduces time to navigate.
If you are still using the Classic UI, we encourage you to familiarize yourself now with the enhanced look and feel of
the new UI and start taking advantage of new features available only in the new UI.
For more details on the new UI, see Cloud Security Console.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Limitations to assigning Admin roles
Only an account administrator or users with the Administrator role are now able to assign the Administrator role to
other users.
What changed: All users with the ability to manage user roles were previously able to assign the Administrator role to
users.
Due to security hardening, only account administrators and users with the Administrator role are now able to:
In addition, users who aren’t account administrators and don’t have the Administrator role are no longer able to
modify administrator user assignments.
• To add/modify a user: In the Cloud Security Console, navigate to Account Management > Users & Identity
section > Users.
• To create a new role: In the Cloud Security Console, navigate to Account Management > Users & Identity
section > Roles.
For more details about managing roles, see Manage Roles and Permissions.
For more details about creating account users, see Account Users.
Heads Up: GlobalSign Atlas TLS ICA certificate rotation
To promote good ecosystem security and agility, GlobalSign will be rotating their Atlas Intermediate CA certificates
(ICAs) on a regular schedule.
The first certificate replacement is scheduled for August 24, 2021. Thereafter, the ICA certificate will be replaced
quarterly.
However, if you are using certificate pinning, note that it is not supported for Imperva-generated certificates.
Websites using SSL certificate pinning with Imperva-generated certificates may experience a service disruption when
the ICA certificate is replaced.
To prevent that from happening, we advise you to remove any certificate pinning linked to Imperva-generated
certificates.
You may continue to use certificate pinning by uploading and pinning custom certificates instead. For details, see
Upload a Custom Certificate for Your Website on Imperva.
What changed: The Security Events page provides an enhanced view for exploring the security events detected and
mitigated by Imperva.
Where the Security Events page is located: In the Cloud Security Console, navigate to Application > Security
Events.
The new navigational structure in the Cloud Security Console rolled out last year aligns with Imperva’s offering
categories (Application, Edge, Data), addresses scalability and usability issues, and reduces time to navigate.
If you are still using the Classic UI, we encourage you to familiarize yourself now with the enhanced look and feel of
the new UI and start taking advantage of new features available only in the new UI.
For more details on the new UI, see Cloud Security Console.
Heads Up: Deprecation of API authentication using query parameters
In September 2020, we introduced support for API authentication using request headers instead of sending them as
query parameters.
For backward compatibility, we still support sending the api_id and api_key parameters in the query string.
On November 1, 2021, support for API authentication by sending the API Key/ID as query parameters will be
discontinued.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
DNS Protection: Issue with hyphens in managed domain name and record
name fixed
Problem: Hyphens in a domain name or record name would prevent the domain or record from resolving. For
example, domain-with-hyphens.com or record-with-hyphens.example.com would not resolve.
Solution: The behavior is fixed. Managed domains or records will now resolve even if they contain hyphens.
For more information on managed domains, see Add/Edit a Primary Managed DNS Zone.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Account dashboard updates
The following updates were made to the account dashboard, located on the Home page of the Cloud Security
Console:
• Top attacked websites: The Security section displays the 5 websites in the account with the highest number of
security events.
You can filter the websites according to total events, blocked events, or alerted events.
The Expand button opens a popup that displays up to the 10 top websites.
• Top websites: The Performance section displays the 5 websites in the account with the highest number of
requests.
You can filter the websites according to total requests or requests with errors.
The Expand button opens a popup that displays up to the 10 top websites.
• Sub account metrics: The Sub accounts table displays application security statistics for each of the account’s
subaccounts.
Information presented in the table has been changed, and now includes:
• Total visits
• WAF events
• Mitigated bots
• Total bandwidth
• Usage (95th percentile)
The first certificate replacement is scheduled for August 24, 2021. Thereafter, the ICA certificate will be replaced
quarterly.
However, if you are using certificate pinning, note that it is not supported for Imperva-generated certificates.
Websites using SSL certificate pinning with Imperva-generated certificates may experience a service disruption when
the ICA certificate is replaced.
To prevent that from happening, we advise you to remove any certificate pinning linked to Imperva-generated
certificates.
You may continue to use certificate pinning by uploading and pinning custom certificates instead. For details, see
Upload a Custom Certificate for Your Website on Imperva.
What changed: The Security Events page provides an enhanced view for exploring the security events detected and
mitigated by Imperva.
Where the Security Events page is located: In the Cloud Security Console, navigate to Application > Security
Events.
The new navigational structure in the Cloud Security Console rolled out last year aligns with Imperva’s offering
categories (Application, Edge, Data), addresses scalability and usability issues, and reduces time to navigate.
If you are still using the Classic UI, we encourage you to familiarize yourself now with the enhanced look and feel of
the new UI and start taking advantage of new features available only in the new UI.
For more details on the new UI, see Cloud Security Console.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
DNS Protection: Hyphens in managed domain records
We’ve identified an issue with managed domain records that contain hyphens. If the DNS record name includes a
hyphen, the domain is not resolved. For example, record-with-hyphens.example.com won't resolve.
We are currently working on a resolution. A workaround solution is to remove hyphens from DNS record names using
the UI or API.
For more information on managed domains, see Add/Edit a Primary Managed DNS Zone.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Revamped Website Monitoring Settings page
The Website Monitoring Settings page has been revised in order to improve the user experience.
The website monitoring settings determine when origin servers should be considered “up” or “down” (active or
inactive) by the Imperva Load Balancer. They also enable you to select which failure scenarios you want to produce
alarm messages, and how to send them.
Availability:
• The new page is currently being rolled out and may not yet be enabled for your account.
What changed:
• An API for viewing and modifying the website monitoring settings has been added.
Where it’s located: On the top menu bar, navigate to Application > Websites > <select a website> > Monitoring
Settings.
For more details about the Website Monitoring Settings page, see Load Balancing Monitoring Settings.
For more details about the Website Monitoring Settings API, see Load Balancing Monitoring Settings API Definition.
The first certificate replacement is scheduled for August 24, 2021. Thereafter, the ICA certificate will be replaced
quarterly.
However, if you are using certificate pinning, note that it is not supported for Imperva-generated certificates.
Websites using SSL certificate pinning with Imperva-generated certificates may experience a service disruption when
the ICA certificate is replaced.
To prevent that from happening, we advise you to remove any certificate pinning linked to Imperva-generated
certificates.
You may continue to use certificate pinning by uploading and pinning custom certificates instead. For details, see
Upload a Custom Certificate for Your Website on Imperva.
The new navigational structure in the Cloud Security Console rolled out last year aligns with Imperva’s offering
categories (Application, Edge, Data), addresses scalability and usability issues, and reduces time to navigate.
If you are still using the Classic UI, we encourage you to familiarize yourself now with the enhanced look and feel of
the new UI and start taking advantage of new features available only in the new UI.
For more details on the new UI, see Cloud Security Console.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
DNS Protection: Hyphens in managed domain records
We’ve identified an issue with managed domain records that contain hyphens. If the DNS record name includes a
hyphen, the domain is not resolved. For example, record-with-hyphens.example.com won't resolve.
We are currently working on a resolution. A workaround solution is to remove hyphens from DNS record names using
the UI or API.
For more information on managed domains, see Add/Edit a Primary Managed DNS Zone.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Single sign-on (SSO) now available to resellers
Single sign-on for login to the Cloud Security Console is now available to reseller accounts.
SSO provides multiple benefits, including an improved user experience and centralized user authentication
management.
For backward compatibility, we still support sending the api_id and api_key parameters in the query string.
On November 1, 2021, support for API authentication by sending the API Key/ID as query parameters will be
discontinued.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
DNS Protection: Hyphens in managed domain records
We’ve identified an issue with managed domain records that contain hyphens. If the DNS record name includes a
hyphen, the domain is not resolved. For example, record-with-hyphens.example.com won't resolve.
We are currently working on a resolution. A workaround solution is to remove hyphens from DNS record names using
the UI or API.
For more information on managed domains, see Add/Edit a Primary Managed DNS Zone.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
DDoS Protection for Networks: Configure Flow Monitoring Settings
Imperva’s monitoring service monitors your origin network to detect and notify you about DDoS attacks, as well as
enabling an automated mitigation process.
What changed: DDoS Protection for Networks customers using the on-demand deployment mode can now configure:
• notification recipients
Where it’s located: In the Cloud Security Console, navigate to Edge > Network Protection > Flow Monitoring
Settings.
What changed: New options enable you to multi-select websites in your account, and apply the mitigation status for
the service to all of the selected websites. Previously, you could only set the status for one website at a time.
Where it’s located: On the Client-Side Protection Dashboard, in the Status column.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
DNS Protection: Hyphens in managed domain records
We’ve identified an issue with managed domain records that contain hyphens. If the DNS record name includes a
hyphen, the domain is not resolved. For example, record-with-hyphens.example.com won't resolve.
We are currently working on a resolution. A workaround solution is to remove hyphens from DNS record names using
the UI or API.
For more information on managed domains, see Add/Edit a Primary Managed DNS Zone.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
Introducing Notification Settings: Define your own policies
The new Notification Settings feature provides you with more granular control over which notifications you receive,
and the list of recipients who receive them.
Availability: As of this release, all new customers and new App Protect Professional self-service trial accounts can
take advantage of the new Notification Settings.
Where it’s located: In the Cloud Security Console, navigate to Account Management > Notification Settings.
Enhancements
DDoS Protection for Networks: Details added to attack notifications
When a volumetric DDoS attack on your network assets is detected by Imperva’s network monitoring service, email
notifications are sent to you.
What changed: The attack notifications now include a list of the top destination IPs in the 5 minutes that preceded
the notification. You can then view additional details in the Analytics dashboard, under Destination IPs.
• Monitoring
• Notifications
• Analytics
Homepage dashboard: Details added on DDoS attacks
The Home page account-level dashboard now provides more details on network level (Layer 3/4) DDoS attacks,
including:
• The specific asset targeted in the attack, such as the IP address or website.
• The peak value of malicious traffic detected during the selected time frame.
Where it’s located: The homepage is displayed by default when you log in to your account in the Cloud Security
Console. Alternatively, click Home on the top menu bar.
The new dashboard provides consolidated performance and availability monitoring for your origin servers and traffic.
Where it’s located: Navigate to Application > WAF > Dashboards > Real-Time.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
DNS Protection: Hyphens in managed domain records
We’ve identified an issue with managed domain records that contain hyphens. If the DNS record name includes a
hyphen, the domain is not resolved. For example, record-with-hyphens.example.com won't resolve.
We are currently working on a resolution. A workaround solution is to remove hyphens from DNS record names using
the UI or API.
For more information on managed domains, see Add/Edit a Primary Managed DNS Zone.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
DDoS Protection for Networks: Change in network prefix usage calculation
The usage calculation of network prefixes for licensing and billing purposes has been adjusted, providing you with
more value for your investment.
The add-on for network prefixes determines how many network ranges you can define as part of your subscription to
DDoS Protection for Networks.
What changed: Before the change, each /48 IPv6 address was counted as 1 prefix. Following the change, all /48 IPv6
addresses under the same /32 subnet are considered 1 prefix in total.
Where it’s located: This change is reflected on the Subscription page in the Cloud Security Console. Under
Infrastructure Protection > C Class Ranges, the Used column will now display the adjusted value.
New website General Settings page: Rollout complete
As part of our new, improved user experience for the Cloud Security Console, we have completed the rollout of the
new website General Settings page, now available to all existing accounts and new customers.
What changed:
• All settings from the old website General Settings page except for SSL Support settings have moved to the new
page.
• SSL Support settings are still available on the old website General Settings page. They will be moved to a new
location at a later date. For more details, see Web Protection - General Settings.
To open the new page, navigate to Application > Websites > <select a website> > General Settings. For more details,
see Website General Settings.
The new page is available only in the new UI. Learn more: Cloud Security Console.
Expanded homepage dashboard: Rollout complete
We have completed the rollout of adding Website configuration and reliability sections to the Home page account-
level dashboard. This improvement, now available to all customers, provides enhanced visibility to the status of your
websites and connections.
• Get more details on any open configuration issues and how to address them.
Website reliability:
• Cloud WAF customers: View the up/down status of your websites based on the origin server availability.
• DDoS Protection for Networks/IPs customers: View the availability of your protected networks or IPs.
Each section is clickable and opens modal screens for further drill-down into each metric.
Where it’s located: The homepage opens by default when you log in to your account. Alternatively, click Home on the
top menu bar.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
DNS Protection: Hyphens in managed domain records
We’ve identified an issue with managed domain records that contain hyphens. If the DNS record name includes a
hyphen, the domain is not resolved. For example, record-with-hyphens.example.com won't resolve.
We are currently working on a resolution. A workaround solution is to remove hyphens from DNS record names using
the UI or API.
For more information on managed domains, see Add/Edit a Primary Managed DNS Zone.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Advanced Bot Protection Billing Dashboard
The new billing dashboard in Advanced Bot Protection enables you to view the number of requests that ABP
processed for your application. You can configure the report to show data for your desired time frame and websites.
This enables you to compare your bills with the number of requests on the application.
Availability: The dashboard is currently available to US customers only. It is expected to be available to all customers
within a few weeks.
2. Select the Reporting Data Region from the bar at the top.
Custom rules that use the Rewrite Response Header action are now also applied to error pages returned by Imperva
in the event of a connection error.
• Create Rules
You can configure an Origin PoP as part of the Dynamic Content Acceleration service for improved performance. For
more details, see Dynamic Content Acceleration.
For backward compatibility, we still support sending the api_id and api_key parameters in the query string.
On November 1, 2021, support for API authentication by sending the API Key/ID as query parameters will be
discontinued.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
DNS Protection: Hyphens in managed domain records
We’ve identified an issue with managed domain records that contain hyphens. If the DNS record name includes a
hyphen, the domain is not resolved. For example, record-with-hyphens.example.com won't resolve.
We are currently working on a resolution. A workaround solution is to remove hyphens from DNS record names using
the UI or API.
For more information on managed domains, see Add/Edit a Primary Managed DNS Zone.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
Introducing Notification Settings: Define your own policies
The new Notification Settings feature provides you with more granular control over which notifications you receive,
and the list of recipients who receive them.
Availability: As of this release, all new App Protect Professional self-service trial accounts can take advantage of the
new Notification Settings.
Where it’s located: In the Cloud Security Console, navigate to Account Management > Notification Settings.
Enhancements
API Security enhancements
The following enhancements were introduced in this release:
• Protect your APIs with a positive security model even if you don’t have an OAS file. With an ongoing learning
mechanism, API Discovery constantly learns the structure of the APIs whenever they are updated.
• Gain tighter protection of your APIs on top of the existing OAS files provided by the development teams.
View Data Classification. Know which API endpoint transfers PII information and decide on the appropriate security
level for each API endpoint according to the sensitivity of the data returned.
UI enhancements. To improve the usability experience, API Security is now separated into two options on the Cloud
Security Console sidebar:
• APIs: This page now enables you to view all the APIs that are configured for the website, edit the APIs, and view
APIs that were discovered using API Discovery. In addition, you can now access the API Security Dashboard from
here.
• API Settings: This page now enables you to perform the site configuration, enable API Discovery, and enable
automatic integration.
• Get more details on any open configuration issues and how to address them.
Website reliability:
• Cloud WAF customers: View the up/down status of your websites based on the origin server availability.
• DDoS Protection for Networks/IPs customers: View the availability of your protected networks or IPs.
Each section is clickable and opens modal screens for further drill-down into each metric.
Where it’s located: The home page opens by default when you log in to your account. Alternatively, click Home on
the top menu bar.
Availability: The new dashboard sections are gradually rolling out over the next few weeks and may not be
immediately enabled for your account.
What changed:
• All settings from the old Website General Settings page except for SSL Support settings have moved to the new
page.
• SSL Support settings remain on the old Website General Settings page. They will be moved to a new location at
a later date.
• To open the new page, navigate to Application > Websites > <select a website> > General Settings. For more
details, see Website General Settings.
• To open the old page, navigate to Application > Websites > <select a website> > Website Settings > General.
For more details, see Web Protection - General Settings.
Availability:
• Rollout is expected to continue for two months and therefore may not be immediately enabled for your
account.
• The new page is available only in the new UI. Featuring a new navigational structure and a clean, streamlined
experience, the new UI is currently rolling out to customers. Learn more: Cloud Security Console.
"View security information" permission removed
The View security information permission was not in use and was removed.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
None.
Fixes
DDoS Protection for Networks: Monitoring email notifications fixed
Problem: Monitoring alert mails were not sent to the account notification list (defined in Account Settings) unless
there was also at least one recipient defined in the account escalation notification list (defined in Monitoring
Settings).
Solution: The behavior is fixed. Monitoring alert mails are now sent to the account notification list whether or not
there are recipients defined in the account escalation notification list.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Advanced Bot Protection (ABP) events added to Audit Trail
ABP events are now tracked and displayed in the Audit Trail.
The Audit Trail displays a log of actions performed in your account by account users, system processes, and Imperva
system administrators and support.
Where it’s located: In the Cloud Security Console, navigate to Account Management > Audit Trail.
Availability: This functionality is being rolled out over the next several weeks.
• Create Rules
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
OpenAPI (Swagger) definition file for Cloud API v1
All APIs for managing your Imperva account and sites are now available in a Swagger API definition file.
Swagger is a cloud based, interactive API testing and documentation tool. APIs are visually rendered as a fully
interactive document, enabling you to:
• try out the API before integrating it into your code using your API ID and key
Note: To better align with REST API standards and best practices, Imperva is gradually rolling out API V2 — a new
version of APIs, available for your use in managing your Cloud Application Security account and sites. The V2 APIs
either provide an alternative to existing APIs, or provide APIs with new functionality. (All existing version 1 APIs
continue to be supported.) For details, see API Version 2/3 Overview.
Consolidated API documentation
A consolidated reference to all Imperva customer-consumable APIs is now available in the documentation portal.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
For backward compatibility, we still support sending the api_id and api_key parameters in the query string.
On December 31, 2021, support for API authentication by sending the API Key/ID as query parameters will be
discontinued.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Mobile App: Support added for sub accounts
View data for sub accounts in the Imperva Security Mobile App.
• Users with sub account access: You can now log in to the mobile app with your Imperva user credentials and
view your account.
• Users with parent account access: When you log in to a parent account that has sub accounts, you can now
switch between the parent and sub accounts.
Tap the Account icon to view and select from the list of your account’s sub accounts.
For more details on the mobile app, see Imperva Security Mobile App.
New Imperva Data Center in Dublin, Ireland
We are starting to rollout a new PoP in Dublin, Ireland and expect it to be fully functional within the next few weeks.
The Dublin PoP is the newest addition to our world-wide network of 46 data centers, helping you deliver your
applications securely and optimally across the globe.
For the full list of PoPs, see Imperva Data Centers (PoPs).
In the Classic UI: On the API Security page, click the API Security Dashboard link to open the dashboard.
In the New UI: The dashboard is now located together with all website dashboards. (Application > WAF > Dashboards
> API Security)
• Action Configuration: For each of your APIs/endpoints, configure alert or block actions for each API Security
violation type.
The API Security menu (Application > Websites > API Security) now includes two options:
This can be useful if your website hosts several applications and you want to define a different threat response for one
or more of the applications, such as Alert instead of Block.
What changed: You can now create a custom rule to define an alternative WAF action for a subset of your domain, for
a specific threat type.
Where it’s located: On the Add Rule page, select the Override WAF Settings rule action.
What changed: A parameter is now available for your use with the API to instruct Imperva to send the cookie without
the domain. Previously, only Support was able to configure this option.
Where it’s located: The Modify Site Configuration API (/api/prov/v1/sites/configure) now includes the
set_cookies_without_domain parameter. When set to true, the naked domain is not included in the cookie.
Note: If this option was previously enabled for your site by Support, you cannot disable the setting via the API unless
the support team first removes the manual configuration. If you want to use the API to disable the option for your
sites, contact Support to request the adjustment.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Usage Report in sub accounts
The Usage Report is now available in sub accounts, displaying data for the specific sub account only.
What changed:
Availability:
• We are gradually rolling out this change for all accounts over the next several weeks.
Note:
• When viewed in a sub account, the purchased quantity and overage data are not displayed. Those values are
relevant to the overall parent account only.
• In the API, the purchasedQuantity and overages fields display -1 for a sub account.
New UI:
Classic UI:
For more details on the usage report, see View Account Usage.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Note: Unless otherwise specified, the changes described here are rolled out throughout the week and may not be
immediately available in all accounts.
In this release:
New Features
None.
Enhancements
Rollout of the new UI extended
In order to facilitate a smooth transition for our customers, gradual rollout of the Cloud Security Console’s new UI has
been extended.
• A new navigational structure aligns with Imperva’s offering categories (Application, Edge, Data), addresses
scalability and usability issues, and reduces time to navigate.
• The Home page provides an at-a-glance view of all of your protected assets from the moment you log in to your
account. Quickly understand the overall account status and identify what requires your immediate attention or
further investigation.
• The new Website Dashboards and Security Events Page provide enhanced usability, faster investigation, and
more actionable data at the website level. These dashboards are easily accessible — no need to navigate to each
individual website.
Learn more:
• Homepage Dashboard
• Website Dashboards
Don’t want to wait? If the new UI is not yet enabled for your account and you would like to opt-in now, contact your
sales representative to request the change.
• Estimated risk: View the estimated likelihood that the service is being used for malicious intent. Client-Side
Protection assigns an estimated risk level for each service: Low, Medium, or High.
• Apply bulk action to grouped services: Set the action for all services in the group with one click.
Where it’s located: In the Client-Side Protection dashboard, under Discovered Website Services.
When you select a time range option, the dashboard reflects data spanning from the current time back to the same
time at the start of the time range.
In this example, the data spans the time period starting from the current time back through the same time 7 days
earlier.
What changed: Previously, the time range spanned from the current time back to 00:00 on the start date of the range.
Note: There is no change in the custom range option, which always spans from 00:00 on the first day to 23:59 on the
last day of the range.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
CDN: Delivery rule data added to Get Statistics API
The Get Statistics API now enables you to retrieve information on your custom delivery rules for a single website or
for all websites in your account, including the option to specify a custom time frame.
Where it’s located: The following values were added to the stats parameter of the Get statistics API (/api/stats/v1):
• delivery_rules: Returns the list of delivery rules with total number of hits for each rule.
• delivery_rules_timeseries: Returns the list of delivery rules with the number of hits per rule for each time stamp
in the selected time range.
For more details on the Get Statistics API, see Traffic Statistics and Details API.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
New real-time website dashboard
As part of our new user experience for the Cloud Security Console, we are now starting to roll out the new and
improved Website Real-Time Dashboard.
The new dashboard provides consolidated performance and availability monitoring for your origin servers and traffic.
Availability:
• The new dashboard is available only in the new UI. Featuring a new navigational structure and a clean,
streamlined experience, the new UI is currently rolling out to customers. Learn more: Cloud Security Console.
• The existing real-time dashboard continues to be displayed in both the classic and new UI.
Where it’s located: Navigate to Application > WAF > Dashboards > Real-Time.
The Denver PoP is the newest addition to our world-wide network of 45 data centers, helping you deliver your
applications securely and optimally across the globe.
For the full list of PoPs, see Imperva Data Centers (PoPs).
CDN: Variables added for delivery rules
New variables are available for your use when defining custom redirect and rewrite delivery rules.
• Proxy ID
• PoP ID
• Origin PoP ID
• Session ID
• Request ID
• Site ID
• Account ID
For example, you can create a rule to rewrite request headers to provide you with information on the Imperva data
center that handles each request.
Where it's located: You can use these variables in the To field when creating a rule. For more details, see Create Rules.
New Site Reference ID field in SIEM logs
Reference ID is a free-text field defined in account and website settings that enables you to add a unique identifier to
correlate an object in our service, such as a protected website, with an object on the customer side.
The following change to Reference ID in the SIEM log integration is rolling out during the course of the week.
The new Site Reference ID field will be added, in the following formats:
• CEF: siteTag
• LEFF: siteTag
• W3C: s-sitetag
The Site Ref ID field corresponds to the Reference ID option in the Cloud Security Console Website General Settings.
• If Reference ID is already configured in website settings, the new field will appear in your logs when this change
is implemented.
• If this field is not configured in your website settings, the field will not appear in logs in CEF or LEFF formats. For
W3C format, the field will appear with an empty value.
Note: There is no change to the Account Reference ID field in the SIEM logs. This field corresponds to the account
level Reference ID option in the Cloud Security Console Account Settings.
In response to customer feedback, the certificate migration process has been extended until April 30, 2021. To
minimize any disruption to your service, we ask that you complete the required actions described below prior to that
date.
For follow-up questions or specific configuration issues, contact Imperva Support at https://www.imperva.com/login.
Background: For improved security and performance, we are now moving to the new GlobalSign Atlas Platform for
ordering and maintaining new SSL certificates. This platform is replacing the GlobalSign CloudSSL service that was
used until now.
To support this change, we are migrating all of our existing GlobalSign CloudSSL certificates to the new platform.
Impact:
While most customers can expect a seamless and transparent process, there are a few use cases where your attention
and action are required.
• Revalidation: During the migration, all SAN’s will be migrated to the new SSL certificates. In most cases,
Imperva will revalidate the SANs automatically. In the event that automatic revalidation is not possible, you will
receive a revalidation email from Imperva. We ask that you promptly complete the process to revalidate
ownership of your domain. You will receive an additional mail confirming that validation completed
successfully.
• Certificate pinning: Websites using SSL certificate pinning with Imperva-generated certificates may experience
a service disruption when the certificate is migrated.
To prevent that from happening, we advise you to remove any certificate pinning linked to any Imperva-
generated certificates.
You may continue to use certificate pinning by uploading and pinning custom certificates instead. For details,
see Upload a Custom Certificate for Your Website on Imperva.
• GlobalSign root certificate: Client applications that are using the GlobalSign root certificate in their trust store
will need to update the trust store with the Atlas root certificate after migration.
• https://www.globalsign-media.com/en/datasheet/atlas/
• https://www.globalsign.com/en/blog/atlas-blogged
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
DDoS Protection for Networks: Sub account support
DDoS Protection for Networks now supports sub accounts, enabling you to simplify the management of enterprise
accounts and manage user access.
You can share the connectivity configuration between the parent and sub accounts, while isolating the management
of network ranges to specific sub accounts.
In a sub account, the network dashboard and traffic analytics provide data on the specific sub account only, enabling
complete user access management.
For details, see DDoS Protection for Networks and IPs: Sub Account Support.
Starting February 28, 2021, we will roll out the following change to Reference ID in the SIEM log integration. The
rollout is expected to be completed during the course of the week.
The new Site Ref ID field will be added, in the following formats:
• CEF: siteTag
• LEFF: siteTag
• W3C: s-sitetag
The Site Ref ID field corresponds to the Reference ID option in the the Cloud Security Console Website General
Settings.
• If Reference ID is already configured in website settings, the new field will appear in your logs when this change
is implemented.
• If this field is not configured in your website settings, the field will not appear in logs in CEF or LEFF formats. For
W3C format, the field will appear with an empty value.
Note: There is no change to the Ref ID field in the SIEM logs. This field corresponds to the account level Reference ID
option in the Cloud Security Console Account Settings.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Introducing account and website dashboards
We are starting to roll out a new user experience, with both new and improved dashboards in a state-of-the-art
platform.
• Account dashboard: New! The Home page provides an at-a-glance view of all of your protected assets from the
moment you log in to your account. Quickly understand the overall account status and identify what requires
your immediate attention or further investigation.
• Website dashboards: Improved security and performance website dashboards provide enhanced usability,
faster investigation, and more actionable data at the website level. The website dashboards are easily
accessible - no need to navigate to the each individual website.
• Security Events page: An enhanced view for exploring the security events detected and mitigated by Imperva.
Availability:
• The new dashboards are available only in the new UI. Featuring a new navigational structure and a clean,
streamlined experience, the new UI is currently rolling out to customers.
• Don’t want to wait? If the new UI is not yet enabled for your account, you can Opt in via a popup displayed
when you log in. This option enables the new UI for your account, as well as the new dashboards. For more
details, see Cloud Security Console.
• The existing website dashboards and website events page continue to be displayed in both the classic and new
UI.
• The Home page dashboard is displayed by default when you log in to the Cloud Security Console. Learn more:
Homepage Dashboard
• Security Events: Navigate to Application > Security Events. Learn more: View Security Events
• Website dashboards: Navigate to Application > WAF > Dashboards. Learn more: Website Dashboards
• Note: The existing Network Traffic Dashboard was moved to the new website dashboard location in the new UI.
It displays incoming traffic metrics on network layer (Layer 3/4) DDoS protection for all websites in your Imperva
account. Learn more: Network Traffic Dashboard
Attack Analytics: 1-click mitigation for bad IP reputation insights
When the Attack Analytics Insights mechanism identifies malicious traffic from IP addresses with negative
reputations, you can now turn on mitigation with a single click.
The new option automatically creates a security rule that denies access to the malicious IP for 3 days.
What changed: Previously, there was a link to open the Rules page for the relevant site, enabling you to manually
create a custom security rule.
Where it’s located: On the Insights page, click the block icon to automatically create the rule.
DNSSEC (Domain Name System Security Extensions) adds a layer of authentication to DNS CNAME resolution to
prevent requests from being “hijacked” and diverted to other addresses. This boosts protection against man-in-the-
middle attacks, such as DNS cache poisoning and forged DNS responses.
What changed: When onboarding your site to Cloud WAF, Imperva provides you with a CNAME that is used both for
pointing traffic to the Imperva network, and for identifying the site in the event that multiple domains are linked
under the same Imperva site configuration and policy. The CNAME resolves to an IP address in Imperva’s DNS zone.
This enhancement completes the end-to-end chain of trust as we now sign and validate Imperva’s CNAME records
with DNSSEC.
New sites: Sites receive a CNAME from the new impervadns.net domain that supports DNSSEC.
Existing sites: Sites that were onboarded before this change are defined with the incapdns.net domain. DNSSEC is
now enabled on that domain as well.
After onboarding, you can see DNS settings for your site in the Website Settings > General page. For details, see Web
Protection - General Settings.
The X-Iinfo HTTP response header is used by Imperva to track and troubleshoot the caching of resources. You can use
it as a quick way of checking if a specific resource was cached.
Stale content can be served when the resource is not found or not fresh in the Imperva cache, and Imperva can’t
connect to the origin server. (You can define settings to determine when stale content may be served. For more
details, see Cache Settings.)
Starting February 28, 2021, we will roll out the following change to Reference ID in the SIEM log integration. The
rollout is expected to be completed during the course of the week.
The new Site Ref ID field will be added, in the following formats:
• CEF: siteTag
• LEFF: siteTag
• W3C: s-sitetag
The Site Ref ID field corresponds to the Reference ID option in the the Cloud Security Console Website General
Settings.
• If Reference ID is already configured in website settings, the new field will appear in your logs when this change
is implemented.
• If this field is not configured in your website settings, the field will not appear in logs in CEF or LEFF formats. For
W3C format, the field will appear with an empty value.
Note: There is no change to the Ref ID field in the SIEM logs. This field corresponds to the account level Reference ID
option in the Cloud Security Console Account Settings.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
None.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
Cloud security self-service trial
On Monday, February 1, 2021, we are introducing a free, self-service trial, enabling you to experience Imperva's cloud
services for yourself.
The trial includes a wide variety of Imperva features and services. with optional add-ons available to try out as well.
For more details on the trial, see Imperva Cloud Security Trial.
Note: If you are an existing customer interested in a trial for a service you do not currently subscribe to, please contact
an Imperva Sales Representative.
New and improved DNS Protection Service: Rollout complete
We have completed rollout of the new DNS Protection service, now available to all existing accounts and new
customers.
The new DNS Protection service includes both Managed DNS and Protected (Proxy) DNS, along with a new UI and
API.
What changed: Imperva DNS Protection now includes the following components:
• Protected DNS: The existing DNS Protection service provided by Imperva. Imperva serves as a DNS proxy,
where DNS queries are first processed by Imperva to filter out DDoS attacks before being forwarded to your
origin name server. With this solution, your DNS service is hosted outside of Imperva.
Existing DDoS Protection for DNS customer accounts were migrated to the new Proxy DNS component, which
includes an enhanced user interface and full API coverage. You can now also onboard your DNS zones to the
new Managed DNS service.
• Managed DNS: Our new offering of an end-to-end service as a DNS hosting provider. With this solution, your
DNS service is hosted within Imperva.
With Managed DNS, Imperva serves as the DNS records host and authoritative DNS, providing definitive
responses to DNS queries, as well as protecting you from Volumetric and DNS DDoS attack.
A new dashboard was added, providing an at-a-glance view of metrics and advanced analytics for your
protected and managed DNS zones. View the number of queries per zone, a breakdown of passed vs. blocked
queries, top source IP addresses, and more.
• Increased performance, reducing DNS queries response time via Imperva’s global anycast network of 45 PoPs
• Easy onboarding & migration via simplified UI and API
• Complete management of your DNS configuration within Imperva
• Built-in security, with L3/L4/L7 DDoS attack mitigation
More information:
• DNS Protection
• Onboard DNS Protection
Imperva Security Mobile App: Now available for Android
Cloud WAF customers can now take advantage of the Imperva Security mobile app, now also available for Android.
What changed: Previously, the app was available for iOS and Mac only.
Download: You can download the app for Android directly from the Google Play Store at https://play.google.com/
store/apps/details?id=com.app.imperva.
For more information on the app, see Imperva Security Mobile App.
Enhancements
CDN: New custom cache rule action to serve stale content
A new action was added for custom cache rules, enabling you to define a TTL for serving stale content for specific
resource types.
When Imperva can't connect to the origin server, stale content is served instead of displaying an error to end users.
Availability: This feature is currently being rolled out and is expected to be available to all customers as of February
11, 2021.
What changed: Previously, there was only an option to enable a global setting to serve stale content for all cached
resources.
Where it’s located: On the Cache Settings page, under Custom Cache Rules. For details, see Cache Settings.
Note:
• When there is at least one enabled Serve Stale Content custom rule, the global Serve Stale Content option is
automatically enabled if it was not already, but does not apply globally and cannot be modified. The custom
rules override the global setting.
• The new action is also available in the API. For details, see Cache Settings API Definition.
Attack Analytics: 1-click mitigation for misconfigured WAF settings
When the Attack Analytics Insights mechanism identifies a misconfigured WAF setting, you can now turn on
mitigation with a single click.
What changed: Previously, there was a link to open the WAF Settings for the relevant site, requiring to manually
change the setting.
Where it’s located: On the Insights page, click the block icon to change the site’s setting from Alert Only to Block
Request for the specified threat type.
For more options, such as Block IP or Block User, go to the WAF Settings page.
• View the graph as an area chart or a column chart. Easily switch between views.
• Click and drag an area of the graph to zoom in for a closer look.
>
Note: Zooming in changes the view in the graph only and does not affect other data displayed on the page.
• Click a section of a column to open the Incidents page to drill down into the associated incidents.
What changed:
• Audit Trail API v1 is now deprecated. For details on the deprecation policy for Imperva SaaS products, see API
Lifecycle & Deprecation Policy.
• Audit Trail API v2 is now available. For details, see Audit Trail API Definition.
• The API response in both versions now also includes the user_details parameter, providing information on who
performed the action.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
API Security settings are moving
The API Security settings are moving from the Website General Settings page to the API Security Site Configuration
page.
Settings for existing sites are being migrated over the next 2 weeks. When complete, the settings will be visible within
API Security.
Note: The settings that were already defined for an existing site will remain the same after the change.
Before:
After:
Previously, the time range spanned from the current time back to the same time on the start date of the time range.
For example, the data that is now displayed for this selection of the last 7 days covers the time range from 00:00 on
January 17th through the current time on January 24th.
• SIEM logs: The time range begins at 00:00 of the start date.
• Attack Analytics API: You select a custom time range according to the UNIX time stamp.
Client-Side Protection: Visibility into Google Analytics IDs
Gain visibility into Google Analytics IDs getting data from your website to ensure data is not transferred to
unauthorized Google Analytics accounts.
This new capability helps protect you from Magecart attacks that leverage Google Analytics.
Where it’s located: On the Client-Side Protection dashboard, under the service name, Analytics IDs shows the
amount of IDs identified for the service. Applies to the Google LLC service only.
When you click Details to view more information for the service, you can view the individual IDs:
In addition, the menu names and page names have been updated as follows:
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
Account Usage Report
The new usage report displays bandwidth usage history for an account. It provides you with a view of your bandwidth
usage per service over time, enabling you to easily understand usage trends and quickly detect overages in your
account.
When a row in the table is expanded, a breakdown of usage for each service is displayed.
Availability: The feature is currently rolling out through March 2021. To request access to the new report at an earlier
date, contact Support.
• New navigation (also currently rolling out): On the top menu bar, select Account > Account Management. On
the sidebar, select Usage Report.
The billing and actual usage data is also available via the API.
Enhancements
Aggregated statistics in weekly report
The statistics presented in the weekly report for an account with sub accounts (the parent account) now include all of
the sub accounts as well.
Note:
• Because weekly reports contain comparative information between last week and the previous week, it will take
two weeks until the report will present all information with accurate comparisons.
• In addition to the report for the parent account, a report can be generated separately for each sub account and
includes only the statistics for the specific sub account.
Note:
• Users can set two-factor authentication for themselves. For details, see User Preferences.
• The account admin can also enforce two-factor authentication for all account users. For details, see Account
Settings.
In addition to the Auto, Normal, and Hard difficulty levels, the Extra Hard level was added.
Availability: The GeeTest CAPTCHA is available to Advanced Bot Protection and Account Takeover Protection
customers only.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
New navigational structure in the Cloud Security Console
We are starting to gradually roll out a new navigational structure in the Cloud Security Console. The new format aligns
with Imperva’s offering categories (Application, Edge, Data), addresses scalability and usability issues, and reduces
time to navigate. Rollout is expected to continue through April 2021.
Once the new structure is enabled for your account, it is automatically displayed when you log in to the Cloud Security
Console.
To return to the old layout for the duration of your browser session, select Account > Switch to Classic UI on the
banner.
Previously, the origin lock feature could only be configured according to origin server IP / Range. Using the fingerprint
provides a solution for using Origin Lock when your site uses dynamic IP addresses.
For more details on the Origin Lock feature, see Account Settings.
Unverified users are locked out
When a user is created in an account, a verification link is sent to the email address listed for the user. The new user
must click the link in the email to verify their address and set a login password.
What changed: The following changes were made to the email verification process:
The following users will receive 3 email reminders and must click the link to verify their address within 15 days or will
be locked out. The user:
• was created since January 1, 2020 or last logged in after January 1, 2020
• was created before January 1, 2020 or last logged in before January 1, 2020
Locked users: Users who are locked out because they did not verify their email address will receive an email when
they try to log in. The mail includes a link to verify their email address and unlock their user.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
Account bandwidth overage email notifications are sent
Problem: Some customers did not receive email notification of overages in their account.
Resolution: Overage notifications are now sent at the end of the billing period when your account usage has
exceeded the amount included in your billing plan.
Note: These email notifications are not directly connected to billing. Billing statements were unaffected and
accurately reflected usage and overages.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
Introducing the Managed DNS Service
We are starting a gradual rollout of our new Managed DNS service, with an end-to-end service as a DNS hosting
provider.
Imperva serves as the DNS records host and authoritative DNS, providing definitive responses to DNS queries, as well
as protecting you from Volumetric and DNS DDoS attack.
• Increased performance, reducing DNS queries response time via Imperva’s global anycast network of 45 PoPs
What’s changing: The Imperva DDoS Protection for DNS will now transition to a Protected DNS solution and will
include two components:
• Proxy DNS: The existing DNS Protection service provided by Imperva. Imperva serves as a DNS proxy, where
DNS queries are first processed by Imperva to filter out DDoS attacks before being forwarded to your origin
name server. With this solution, your DNS service is hosted outside of Imperva.
• Managed DNS: Our new offering. With this solution, your DNS service is hosted within Imperva.
The rollout process is expected to continue through the end of January 2021.
During rollout, existing DDoS Protection for DNS customer accounts will be migrated to the new Proxy DNS
component, which will include an enhanced user interface and full API coverage. After migration, you can also
onboard your DNS zones to the new Managed DNS service.
When rollout is complete, the new service including both Managed DNS and Proxy DNS, along with the new UI and
API, will be available to all other existing accounts and new customers.
More information:
• DNS Protection
Enhancements
DDoS Protection for Networks: Configure GRE tunnel connections
DDoS Protection for Networks customers can now configure GRE tunnel connections via the Cloud Security Console UI
or API.
What changed: After onboarding to the DDoS Protection for Networks service, you may want to edit or add new
connections. For example, if you change ISP or want to create new GRE tunnels. You can now do this via the Cloud
Security Console or API, for GRE-Tunnel type only. Other connection types must be configured by the Imperva team.
This is the first step in self-service configuration for the DDoS protection for Networks service. Additional functionality
is planned for future releases.
Where it’s located: On the Cloud Security Console sidebar, click Infrastructure > Network Settings.
Imperva’s SD-SOC (Software-Defined Security Operations Center) is designed to enhance the DDoS Protection for
Networks solution for the protected assets under our service. By automating security policy profiling, the risk of false
positives/negatives is significantly reduced as the policy is continuously aligned with the current traffic behavior.
What changed: Previously, security policies were defined and implemented manually for each asset by Imperva’s
SOC. These policies are now automatically updated and periodically reviewed by Imperva’s SOC as needed.
Availability: Currently available for Always-On customers only. Support for On-Demand customers will be available at
a later date.
Migration: We are starting migration of existing DDoS Protection for Networks Always-On customer accounts. Note
that:
• You will be notified directly by Imperva before migration, and asked to confirm the migration date scheduled
for your account.
• Migration is seamless and does not require you to make any configuration changes.
For more details on DDoS security policies, see Security Policy and Mitigation.
API Security updates
The following changes were implemented for API Security:
API Configuration:
• The API Configuration page was enhanced to enable you to set different configurations for the violation types:
Invalid URL, Invalid Method, Missing Parameter and Invalid Parameter Value violations.
• The APIs table filtering capabilities were also enhanced. You can now perform a search, select the option to
show only modified specs/endpoints, and filter each violation type column.
Site Configuration: This new page enables you to set a site level configuration that acts as the default configuration
for all APIs under it. You can now view and configure the default actions for the Invalid URL, Invalid Method, Missing
Parameter and Invalid Parameter Value violations.
Once the new structure is enabled for your account, it is automatically displayed when you log in to the Cloud Security
Console.
To return to the old layout for the duration of your browser session, select Account > Switch to Classic UI on the
banner.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
Heads Up: Introducing the Managed DNS Service
We are starting a gradual rollout of our new Managed DNS service, with an end-to-end service as a DNS hosting
provider.
Imperva serves as the DNS records host and authoritative DNS, providing definitive responses to DNS queries, as well
as protecting you from Volumetric and DNS DDoS attack.
• Increased performance, reducing DNS queries response time via Imperva’s global anycast network of 45 PoPs
What’s changing: The Imperva DDoS Protection for DNS will now transition to a Protected DNS solution and will
include two components:
• Proxy DNS: The existing DNS Protection service provided by Imperva. Imperva serves as a DNS proxy, where all
DNS queries are first processed by Imperva to filter out DDoS attacks before being forwarded to your origin
name server. With this solution, your DNS service is hosted outside of Imperva.
• Managed DNS: Our new offering. With this solution, your DNS service is hosted within Imperva.
Rollout:
Existing DDoS Protection for DNS customer accounts are migrated to the new Proxy DNS component, which
will include:
• The option to transition any DNS zone to the new Managed DNS service
Managed DNS is available to all other existing accounts and new customers.
Details on onboarding the new Managed DNS service will follow in future release notes.
Enhancements
Unverified users are locked out
New users are now required to verify their email address within 15 days or the user will be locked.
• When a new user is created in an account, a verification link is sent to the email address listed for the user. The
new user must click the link in the email to verify their address and set a login password.
• If the user does not verify their email address within 15 days after the user was created, the user is locked out.
To unlock the user, contact Imperva Support.
• Notification emails are sent to the user before the user is locked, as a reminder to verify their email address. The
address verification link is included in the mail.
• When users are locked out, the account admin user receives an email notification with the list of unverified
users in the account.
Note: Applies only to users who are added to the system on or after November 13, 2020.
What changed: You can now add specific domain names to a pre-approved list, with the option to include
subdomains. If and when these domains are discovered by Client-Side Protection, they are automatically approved
and marked as Allowed. In addition, an entry is logged to the Audit Trail indicating that the domain was allowed
based on the pre-approved list.
Where it’s located: On the Client-Side Protection dashboard, click Pre-approve Services.
If your site is using a custom certificate, the Get Site Status API response returns details of the certificate’s fingerprint
and serial number. This can be useful when integrating with an external certificate management system, such as
Venafi.
Availability: Applies to custom certificates uploaded after the feature is implemented only.
Where it’s located: The fingerPrint and serialNumber parameters were added to the custom certificate section of
the response.
For more details on Get Site Status, see Site Management API.
Policy Management API Update
The following changes were made to the Policy Management API:
Note: There is no change for sites using custom error pages, as described here: Custom Error Pages.
Imperva SaaS service email change
The email sender name and address for mail notifications sent by the Cloud Security Console have changed from
Incapsula Service no_reply@incapsula.com to Imperva Service no_reply@out.imperva.com.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Cloud WAF: DNSSEC compliance for DNS CNAME resolution
We are starting a gradual rollout of DNSSEC compliance for CNAME resolution.
DNSSEC (Domain Name System Security Extensions) adds a layer of authentication to DNS CNAME resolution to
prevent requests from being “hijacked” and diverted to other addresses. This boosts protection against man-in-the-
middle attacks, such as DNS cache poisoning and forged DNS responses.
What changed: When onboarding your site to Cloud WAF, Imperva provides you with a CNAME that is used both for
pointing traffic to the Imperva network, and for identifying the site in the event that multiple domains are linked
under the same Imperva site configuration and policy. The CNAME resolves to an IP address in Imperva’s DNS zone.
The upcoming enhancement completes the end-to-end chain of trust as we will now sign and validate Imperva’s
CNAME records with DNSSEC.
Rollout:
• The feature will apply initially to newly added sites only. During onboarding, sites will receive a CNAME from the
new impervadns.net domain that supports DNSSEC.
• DNSSEC will be supported for existing sites at a later point, when DNSSEC is enabled on the incapdns.net
domain. Rollout is expected to continue through January 2021.
For details on onboarding, see Onboarding a Site – Web Protection and CDN.
After onboarding, you can see DNS settings for your site in the Website Settings > General page. For details, see Web
Protection - General Settings.
For example, you can rewrite responses or set caching rules according to the response code.
Where it’s located: In the Cloud Security Console, when adding or editing a custom response rule or a cache rule,
under Rule Filter.
The IP Score is taken from Reputation Intelligence at the time of attack, and provides an assessment of the risk level
posed by the attacking IP.
For more information on the risk score, see the Reputation Intelligence documentation.
• On the Incident Details page. For more details, see View Incident Details.
Client-Side Protection guards your customers’ data from theft through client-side attacks like digital skimming, supply
chain attacks, and Magecart.
Where it’s located: On the Cloud Security Console sidebar, click Client-Side Protection, and click the Try it for free
button.
If your site is using a custom certificate, the Get Site Status API response will return details of the certificate’s
fingerprint and serial number. This can be useful when integrating with an external certificate management system,
such as Venafi.
Availability: Applies to custom certificates uploaded after the feature is implemented only.
Where it’s located: The fingerPrint and serialNumber parameters will be added to the custom certificate section of
the response.
For more details on Get Site Status, see Site Management API.
Security Mitigation
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
New Imperva Data Center in Santiago, Chile
We are starting to rollout a new PoP in Santiago, Chile and expect it to be fully functional within the next few weeks.
The Chile PoP is the newest addition to our world-wide network of 44 data centers, helping you deliver your
applications securely and optimally across the globe.
For the full list of PoPs, see Imperva Data Centers (PoPs).
New permissions limit access to Account Takeover Protection and Client-
Side Protection configuration
The following permissions are now required for onboarding new sites, removing sites, changing mitigation options,
and modifying other settings in the associated service:
By default, the account admin user has full permissions, and other users have read-only access, without the ability to
make changes to configuration settings. The account admin can grant the appropriate permissions to additional
users, as needed.
For instructions on defining user permissions, see Manage Roles and Permissions.
Update: Migration to the new GlobalSign Atlas platform
In response to customer feedback, the certificate migration process has been extended and is now expected to be
completed in February 2021. This extension enables us to bypass the deployment of non-critical changes during the
end of year high-impact time.
Background: For improved security and performance, we are now moving to the new GlobalSign Atlas Platform for
ordering and maintaining new SSL certificates. This platform is replacing the GlobalSign CloudSSL service that was
used until now.
To support this change, we are migrating all of our existing GlobalSign CloudSSL certificates to the new platform.
Impact:
While most customers can expect a seamless and transparent process, there are a few use cases where your attention
and action are required.
• Revalidation: During the migration, all SAN’s will be migrated to the new SSL certificates. In most cases,
Imperva will revalidate the SANs automatically. In the event that automatic revalidation is not possible, you will
receive a revalidation email from Imperva. We ask that you promptly complete the process to revalidate
ownership of your domain. You will receive an additional mail confirming that validation completed
successfully.
Note that if the validation is not completed by February 2021, the pending Imperva SSL certificate will expire.
• Certificate pinning: Websites using SSL certificate pinning with Imperva-generated certificates may experience
a service disruption when the certificate is migrated.
To prevent that from happening, we advise you to remove any certificate pinning linked to any Imperva-
generated certificates.
You may continue to use certificate pinning by uploading and pinning custom certificates instead. For details,
see Upload a Custom Certificate for Your Website on Imperva.
• GlobalSign root certificate: Client applications that are using the GlobalSign root certificate in their trust store
will need to update the trust store with the Atlas root certificate after migration.
• https://www.globalsign-media.com/en/datasheet/atlas/
• https://www.globalsign.com/en/blog/atlas-blogged
For follow-up questions or specific configuration issues, contact Imperva Support at https://www.imperva.com/login.
Heads Up: Policy Management API Update
On December 13, 2020 the following changes will be implemented in the Policy Management API:
PATCH /v2/policies/{policyId}/
N/A
{assetType}/{assetId} The functionality was added.
Fixes
Change in weekly report
The report was aligned to accurately reflect the last 7 days of activity.
What changed:
• All statistics now report data for the last 7 days. Previously, the report was showing statistics from the previous 8
days for top sites.
• The report dates were adjusted to accurately reflect the last 7 days. For example, a report generated on October
30 now displays the date range of October 23-October 29, instead of October 23-October 30.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Account Takeover Protection: View top successful user logins
View the list of users that have the most successful logins, along with the risk level that ATO Protection has assigned to
them.
Users with high risk probability who are successfully logging in are a good indication of user accounts that are
compromised and being used in an attack.
Where it’s located: On the Account Takeover Protection Dashboard, in the Top Visitors table.
For more details, see Explore the Data in the ATO Protection documentation.
DDoS Protection: Export and Share Network Layer Analytics Reports
Options for exporting and sharing network layer analytics were added.
What changed: Two buttons were added to the DDoS Protection for Networks Analytics and Network Traffic
Analytics pages.
• Export to PDF: Downloads a PDF file that includes a snapshot of the current view of the dashboard.
• Copy URL: Copies the URL to the clipboard, enabling you to share a link with others. (Users must log in to the
Cloud Security Console to access the analytics pages.)
What changed: The Performance Settings API Definition (Swagger) file has been divided into separate documents
according to cache, delivery, and load balancing settings.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Define a custom error page for each error type
Define a separate custom error page for each type of error that Imperva presents to your website visitors.
What changed: Previously, you could define only a single custom error page for all error types.
Where it’s located: On the Cloud Security Console sidebar, click Websites > Delivery and scroll to the Custom Error
Page section.
Note: There is no change to existing custom error pages. If you have already defined a custom error page for your site,
it will continue to be used for all error types. No action is required.
Where it's located: On the Client-Side Protection dashboard. For more details, see Dashboard.
• GET methods were added, enabling you to retrieve details of your protected IPs.
• The methods for editing your protected IPs were changed from POST to PUT.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Attack Analytics API change
The insight type MALICIOUS_IP_IN_WHITELIST_INSIGHT was renamed MALICIOUS_IP_IN_ALLOWLIST_INSIGHT.
Details:
The GET /v1/insights API returns details of actionable insights that were detected for your account. The API response
includes the insight type, in which the value MALICIOUS_IP_IN_WHITELIST_INSIGHT was changed to
MALICIOUS_IP_IN_ALLOWLIST_INSIGHT.
For more details on the Attack Analytics API, see Attack Analytics API Definition.
Updated error page for connectivity issues
The error page displayed to website visitors when the Imperva proxy cannot connect to your origin server was
updated.
The new page provides additional guidance to you and to your visitors to help understand and troubleshoot the
problem.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Policy Migration Update
We are resuming automatic migration of existing enterprise and FlexProtect customer accounts to Policy
Management. Policies enable you to centrally configure settings and apply them to sites in your account.
Policies are migrated at the parent account level. If your account has sub accounts, you can manually restrict the
viewing and editing of policies to specific sub accounts after migration.
For details on Policy Management and migration, see Create and Manage Policies.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
CDN: Configure weighted load balancing
Assign weights to your data centers and origin servers to gain more precise control over the distribution of load
between them.
You can define a load balancing ratio to distribute load across your data centers, as well as a ratio for servers within a
data center.
What changed: Adds the option to define a predefined load balancing ratio in addition to the existing performance
and geo-targeting load balancing methods.
• In the Cloud Security Console Website Settings > Origin Servers page. For details, see Load Balancing Settings.
• Via the API. For details, see Cache Settings API Definition.
To support this change, we are migrating all of our existing GlobalSign CloudSSL certificates to the new platform
starting today, October 11, 2020. Cloud SSL will be gradually phased out and is expected to be decommissioned by
November 22, 2020.
Impact:
While most customers can expect a seamless and transparent process, there are a few use cases where your attention
and action are required.
• Revalidation: During the migration, all SAN’s will be migrated to the new SSL certificates. In most cases,
Imperva will revalidate the SANs automatically. In the event that automatic revalidation is not possible, you will
receive a revalidation email from Imperva. We ask that you promptly complete the process to revalidate
ownership of your domain. You will receive an additional mail confirming that validation completed
successfully.
Note that if the validation is not completed by November 22, 2020 , the pending Imperva SSL certificate will
expire.
• Certificate pinning: Websites using SSL certificate pinning with Imperva-generated certificates may experience
a service disruption when the certificate is migrated.
To prevent that from happening, we advise you to remove any certificate pinning linked to any Imperva-
generated certificates.
You may continue to use certificate pinning by uploading and pinning custom certificates instead. For details,
see Upload a Custom Certificate for Your Website on Imperva.
• GlobalSign root certificate: Client applications that are using the GlobalSign root certificate in their trust store
will need to update the trust store with the Atlas root certificate after migration.
• https://www.globalsign-media.com/en/datasheet/atlas/
• https://www.globalsign.com/en/blog/atlas-blogged
For follow-up questions or specific configuration issues, contact Imperva Support at https://www.imperva.com/login.
Statistics temporarily unavailable for accounts using Policy Management
In accounts that have already migrated to Policy Management, the following website statistics are not currently
available:
What changed: If you are using the new Policies feature, the values of blocked IPs, requests, and sessions are not
counted at the site level, and are therefore hidden in the UI, and removed from the API. We are currently working on
providing these statistics within the framework of Policy Management.
Where it’s located: In accounts that have migrated to Policy Management, these statistics were removed from the
following locations:
• Cloud Security Console: In the Website Dashboard > Security page, under Threats.
• Weekly Report: These statistics are also currently unavailable in the weekly report that is sent to accounts that
have subscribed to receive it using the option in Account Settings.
• API: These statistics are not provided by the Get Statistics API for a site (/api/stats/v1).
Heads Up: Attack Analytics API change
On October 25, 2020, the following change will be made in the Attack Analytics API:
Details:
The GET /v1/insights API returns details of actionable insights that were detected for your account. The API response
includes the insight type, which currently includes the value MALICIOUS_IP_IN_WHITELIST_INSIGHT as one possible
value. This value will be changed to MALICIOUS_IP_IN_ALLOWLIST_INSIGHT.
For more details on the Attack Analytics API, see Attack Analytics API Definition.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Attack Analytics: Snooze insights for later
Temporarily hide an insight to review at a later time.
Snoozed insights are listed in the Snoozed section in the left pane.
What changed: Imperva’s software-defined network range advertisement was recently enhanced to advertise
customer IP ranges from all Imperva PoPs in the region where the customer data center is located. Previously,
customer IP ranges were advertised only from the PoPs to which the customer was connected via a GRE tunnel, as
well as from our higher-capacity PoPs outside of the region.
This change is expected to result in improved performance, whether or not you are under attack. The new method
provides better DDoS handling, as more PoPs take part in traffic scrubbing.
Note:
• This change does not impact data storage regulation. User data continues to be stored only in the region that is
defined in Account Settings.
• With this method, traffic flows through a GRE connection which lowers the MTU of each packet by 24 bytes,
requiring you to adjust your TCP-MSS.
Availability: To activate routing optimization for network ranges for cross-connect, contact Imperva Support.
For more details on Imperva's software-defined network range advertisement, see Introduction: DDoS Protection for
Networks.
For more details on DDoS Protection for Networks over cross connect, see Direct Connection.
Delivery Rules: Remove multiple occurrences of a header
You can now remove all occurrences of a specified header from a request or response.
What changed: Previously, only the first occurrence of the header was removed. An additional rule was required to
remove each additional header.
Where it’s located: On the Cloud Security Console’s Rules page, when creating or editing a Remove Request Header
or Remove Response Header rule, select the option to Remove multiple header occurrences. For details, see Create
Rules.
Impact: This change will be reflected in lower reported bandwidth usage, although the portion of bandwidth usage by
the DNS Protection service is typically negligible. You can therefore expect minimal if any change in your account’s
bill. For details on how Imperva calculates your bandwidth for billing, see Account Bandwidth Calculation.
Where it’s located: Bandwidth usage is displayed in the Cloud Security Console’s Subscription page.
Policies are migrated at the parent account level, although the option to restrict the viewing and editing of a policy to
a specific sub account was recently introduced.
If your account has sub accounts and you want your policies to be separated by sub account:
• If your account was already migrated, you can manually restrict policies to specific sub accounts using the UI or
API.
• If your account has not yet been migrated and you would like Imperva to automatically migrate your account
policies to your sub accounts, contact Imperva Support to request this option before October 18th.
• In order to implement critical enhancements to the process, migration was postponed and is now scheduled to
start on October 11, 2020.
• GlobalSign Atlas is now using the following CA for issuing new certificates: GlobalSign Atlas R3 DV TLS CA 2020.
Certificates issued by the old Atlas CA (GlobalSign HV RSA DV SSL CA 2018) are scheduled to be revoked on
October 21, 2020. To prepare for this change, all Imperva certificates issued by the old Atlas CA will be reissued
using the new Atlas CA starting October 11, 2020.
For details on the impact of migration and reissuing of the certificates, see the August 16, 2020 Release Notes.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Heads Up: DNSSEC compliance for DNS CNAME resolution
On November 15, 2020, we are starting a gradual rollout of DNSSEC compliance for CNAME resolution. Rollout of this
feature was previously scheduled for September but was postponed in order to enhance the stability of the service.
DNSSEC (Domain Name System Security Extensions) adds a layer of authentication to DNS CNAME resolution to
prevent requests from being “hijacked” and diverted to other addresses. This boosts protection against man-in-the-
middle attacks, such as DNS cache poisoning and forged DNS responses.
What changed: During the existing process of onboarding your site to Cloud WAF, Imperva provides you with a CNAME
that is used both for pointing traffic to the Imperva network, and for identifying the site in the event that multiple
domains are linked under the same Imperva site configuration and policy. The CNAME resolves to an IP address in
Imperva’s DNS zone. The upcoming enhancement completes the end-to-end chain of trust as we will now sign and
validate Imperva’s CNAME records with DNSSEC.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
• Heads Up: DNS bandwidth removed from “Always On” bandwidth usage
New Features
None.
Enhancements
Heads Up: DNS bandwidth removed from “Always On” bandwidth usage
The Always On Bandwidth package includes bandwidth usage from multiple services. On October 4, 2020, DNS
Protection will be removed from the Always On Bandwidth calculation for billing purposes.
Impact: This change will be reflected in lower reported bandwidth usage, although the portion of bandwidth usage by
the DNS Protection service is typically negligible. You can therefore expect minimal if any change in your account’s
bill. For details on how Imperva calculates your bandwidth for billing, see Account Bandwidth Calculation.
Where it’s located: Bandwidth usage is displayed in the Cloud Security Console’s Subscription page.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
New API authentication method hides PII
You can now submit your API key and API ID using headers instead of sending them as query parameters.
This is a more secure method than sending the API key and ID in the query string, preventing exposure of your
personally identifiable information (PII).
For backward compatibility, you can also continue to send the authentication details as query parameters.
CDN: Disable all website caching
A new cache mode option was added to completely disable caching for a site, including any user-defined custom
cache rules.
What changed:
In the Cloud Security Console, on the Website Cache Settings page, the No caching option was added. When enabled,
caching is completely disabled, including any user-defined custom cache rules.
In the version 1 API /api/prov/v1/sites/performance/cache-mode, the values available for the cache_mode parameter
were changed:
• The disable value turns off site caching entirely, including user-defined custom cache rules.
• The custom_cache_rules_only value was added. It enables caching for custom cache rules only. All other
site caching is disabled. (The former behavior of the disable value.)
In the version 2 API /sites/{siteId}/settings/cache, the values available for the mode parameter were changed:
• The disable value turns off site caching entirely, including user-defined custom cache rules.
• The custom_cache_rules_only value was added. It enables caching for custom cache rules only. All other
site caching is disabled. (The former behavior of the disable value.)
In both the version 1 and 2 API, the disabledByCacheMode parameter was added to custom cache rules. It
indicates if a custom cache rule is inactive because cache mode is set to “no caching”. The default value is false.
Policy Management: API to manage sub account access
APIs were added for managing the list of sub accounts that can access your account’s policies.
For each policy, you can define which sub accounts can view and manage the policy.
For details, see the Policy Management account application section of the Policy Management API Definition.
DDoS Protection Dashboards: 95th percentile of bandwidth usage is
displayed
The DDoS Protection for Networks and Network Traffic dashboards now indicate the 95th percentile mark of
bandwidth usage based on your account plan’s bandwidth allotment.
This provides you with continuous visibility into your general bandwidth usage ahead of the billing period.
In the Cloud Security Console DDoS Protection dashboards, the indicator is displayed when you select the following
view settings:
To learn more about how Imperva calculates the 95th percentile of bandwidth usage, see Account Bandwidth
Calculation.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
Introducing Client-Side Protection
Client-Side Protection guards website visitor data from theft through client-side attacks like digital skimming, supply
chain attacks, and Magecart.
Client-Side Protection provides you with visibility into third-party services used in your applications. It enables you to
review requests for external resources coming from you website and take action to block them as needed.
Key capabilities:
Benefits:
Enhancements
DDoS Protection for Individual IPs: API
You can now onboard your IP addresses to the DDoS Protection for Individual IPs service and manage their
configuration using the API.
Imperva provides an API definition file (Swagger) that presents an interactive version of the Protected IP APIs that you
can use to learn about the APIs, or test them using your API ID and key.
What's changing:
• Starting September 7, 2020, new Imperva-generated certificates that are created will be issued by a new
Certificate Authority: GlobalSign Atlas R3 DV TLS CA 2020.
• Certificates issued by the old Atlas CA are scheduled to be revoked on October 21, 2020. To prepare for this
change, all Imperva certificates issued by the old Atlas CA will be reissued by the new Atlas CA before October
21, 2020. For more details on the impact of the change, see the August 16, 2020 Release Notes.
DNSSEC compliance for DNS CNAME resolution
We are starting a gradual rollout of DNSSEC compliance for CNAME resolution.
DNSSEC (Domain Name System Security Extensions) adds a layer of authentication to DNS CNAME resolution to
prevent requests from being “hijacked” and diverted to other addresses. This boosts protection against man-in-the-
middle attacks, such as DNS cache poisoning and forged DNS responses.
What changed: During the existing process of onboarding your site to Cloud WAF, Imperva provides you with a CNAME
that is used both for pointing traffic to the Imperva network, and for identifying the site in the event that multiple
domains are linked under the same Imperva site configuration and policy. The CNAME resolves to an IP address in
Imperva’s DNS zone. The upcoming enhancement completes the end-to-end chain of trust as we will now sign and
validate Imperva’s CNAME records with DNSSEC.
The following changes will be made in the values available for the cache_mode parameter (as described here in the
documentation):
• The disable value cache behavior will be updated. It will now turn off site caching entirely, including user-
defined custom cache rules.
• The custom_cache_rules_only value will be added. It will enable caching for custom cache rules only.
All other site caching will be disabled. (The current behavior of the disable value.)
The following changes will be made in the values available for the mode parameter (as described here in the
documentation):
• The disable value cache behavior will be updated. It will now turn off site caching entirely, including user-
defined custom cache rules.
• The custom_cache_rules_only value will be added. It will enable caching for custom cache rules only.
All other site caching will be disabled. (The current behavior of the disable value.)
In addition, the cache mode options available in the Cloud Security Console UI will be updated accordingly. A new
option will be added to disable caching entirely, including user-defined custom cache rules.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Heads Up: New Atlas CA for Imperva certificates
For improved security and performance, we are now moving to the new GlobalSign Atlas Platform for ordering and
maintaining new SSL certificates, as described in the August 16, 2020 Release Notes. Imperva certificates created by
GlobalSign Atlas are issued by GlobalSign HV RSA DV SSL CA 2018.
What's changing:
• Starting September 7, 2020, new Imperva-generated certificates that are created will be issued by a new
Certificate Authority: GlobalSign Atlas R3 DV TLS CA 2020.
• Certificates issued by the old Atlas CA are scheduled to be revoked on October 21, 2020. To prepare for this
change, all Imperva certificates issued by the old Atlas CA will be reissued by the new Atlas CA before October
21, 2020. For more details on the impact of the change, see the August 16, 2020 Release Notes.
Heads Up: DNSSEC compliance for DNS CNAME resolution
On September 6, 2020, we are starting a gradual rollout of DNSSEC compliance for CNAME resolution.
DNSSEC (Domain Name System Security Extensions) adds a layer of authentication to DNS CNAME resolution to
prevent requests from being “hijacked” and diverted to other addresses. This boosts protection against man-in-the-
middle attacks, such as DNS cache poisoning and forged DNS responses.
What changed: During the existing process of onboarding your site to Cloud WAF, Imperva provides you with a CNAME
that is used both for pointing traffic to the Imperva network, and for identifying the site in the event that multiple
domains are linked under the same Imperva site configuration and policy. The CNAME resolves to an IP address in
Imperva’s DNS zone. The upcoming enhancement completes the end-to-end chain of trust as we will now sign and
validate Imperva’s CNAME records with DNSSEC.
The following changes will be made in the values available for the cache_mode parameter (as described here in the
documentation):
• The disable value cache behavior will be updated. It will now turn off site caching entirely, including user-
defined custom cache rules.
• The custom_cache_rules_only value will be added. It will turn off site caching except for custom cache
rules. (The current behavior of the disable value.)
The following changes will be made in the values available for the mode parameter (as described here in the
documentation):
• The disable value cache behavior will be updated. It will now turn off site caching entirely, including user-
defined custom cache rules.
• The custom_cache_rules_only value will be added. It will turn off site caching except for custom cache
rules. (The current behavior of the disable value.)
In addition, the cache mode options available in the Cloud Security Console UI will be updated accordingly. A new
option will be added to disable caching entirely, including user-defined custom cache rules.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Create and manage policies in a sub account
Policies can now be created and managed in a sub account, and restricted to the specific sub account only.
A policy created in a sub account can be managed only by users with the appropriate permissions in the specific sub
account, and is not visible from other sub accounts.
What changed: Previously, policies could be created and managed only in the parent account, and were available
from all sub accounts.
• Create and manage policies in a sub account: On the Cloud Security Console sidebar, select Management >
Policies.
• Edit policies from the Website Policies page: On the Cloud Security Console sidebar, select Websites > Policies.
DNSSEC (Domain Name System Security Extensions) adds a layer of authentication to DNS CNAME resolution to
prevent requests from being “hijacked” and diverted to other addresses. This boosts protection against man-in-the-
middle attacks, such as DNS cache poisoning and forged DNS responses.
What changed: During the existing process of onboarding your site to Cloud WAF, Imperva provides you with a CNAME
that is used both for pointing traffic to the Imperva network, and for identifying the site in the event that multiple
domains are linked under the same Imperva site configuration and policy. The CNAME resolves to an IP address in
Imperva’s DNS zone. The upcoming enhancement completes the end-to-end chain of trust as we will now sign and
validate Imperva’s CNAME records with DNSSEC.
The following changes will be made in the values available for the cache_mode parameter (as described here in the
documentation):
• The disable value cache behavior will be updated. It will now turn off site caching entirely, including user-
defined custom cache rules.
• The custom_cache_rules_only value will be added. It will turn off site caching except for custom cache
rules. (The current behavior of the disable value.)
The following changes will be made in the values available for the mode parameter (as described here in the
documentation):
• The disable value cache behavior will be updated. It will now turn off site caching entirely, including user-
defined custom cache rules.
• The custom_cache_rules_only value will be added. It will turn off site caching except for custom cache
rules. (The current behavior of the disable value.)
In addition, the cache mode options available in the Cloud Security Console UI will be updated accordingly. A new
option will be added to disable caching entirely, including user-defined custom cache rules.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
DDoS Protection for Networks: Routing optimization for network ranges
DDoS Protection for Networks customer IP ranges will now be advertised from all Imperva PoPs in the region where
the customer data center is located.
What changed: Previously, customer IP ranges were advertised only from the PoPs to which the customer was
connected via a GRE tunnel, as well as from our higher-capacity PoPs outside of the region.
This change is expected to result in improved performance, whether or not you are under attack. The new method
provides better DDoS handling, as more PoPs take part in traffic scrubbing.
Note: This change does not impact data storage regulation. User data continues to be stored only in the region that is
defined in Account Settings.
For more details on Imperva's software-defined network range advertisement, see Introduction: DDoS Protection for
Networks.
Migration to the new GlobalSign Atlas Platform
For improved security and performance, we are now moving to the new GlobalSign Atlas Platform for ordering and
maintaining new SSL certificates.
The GlobalSign CloudSSL service that was used until now is obsolete and expected to be deactivated in the near
future.
To support this change, we are migrating all of our existing GlobalSign CloudSSL certificates to the new platform over
the next several weeks.
Impact:
Support:
• For more details on how Imperva supports secure websites, see Web Protection - SSL/TLS.
• For any additional questions, please contact Support.
https://www.globalsign-media.com/en/datasheet/atlas/
https://www.globalsign.com/en/blog/atlas-blogged
DDoS Protection: Improved notification of DDoS events
The notification mechanism for the start of L3/4 DDoS events was updated for improved sensitivity and accuracy.
What changed: The Cloud Security Console dashboards and email notifications more accurately reflect the start of
DDoS events.
Where it’s located: Event notifications are displayed in the Network Traffic Dashboard, in the DDoS for Networks/IPs
(Infrastructure) Dashboard, and sent by email. For details, see:
DNSSEC (Domain Name System Security Extensions) adds a layer of authentication to DNS CNAME resolution to
prevent requests from being “hijacked” and diverted to other addresses. This boosts protection against man-in-the-
middle attacks, such as DNS cache poisoning and forged DNS responses.
What changed: During the existing process of onboarding your site to Cloud WAF, Imperva provides you with a CNAME
that is used both for pointing traffic to the Imperva network, and for identifying the site in the event that multiple
domains are linked under the same Imperva site configuration and policy. The CNAME resolves to an IP address in
Imperva’s DNS zone. The upcoming enhancement completes the end-to-end chain of trust as we will now sign and
validate Imperva’s CNAME records with DNSSEC.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
DDoS Protection for Individual IPs: Self-service onboarding
The DDoS Protection for Individual IPs service over GRE or IPinIP tunnels now supports end-to-end self-service
onboarding.
It is deployed as an always-on service and traffic flow is symmetric, where both ingress and egress traffic flow through
the Imperva network, providing a 3 second mitigation time SLA.
Availability: This change is being rolled out over the next several weeks.
1. On the Cloud Security Console sidebar, click Infrastructure > IP Protection Settings.
2. Click Add Protected IP, and then select GRE Tunnel or IPinIP Tunnel.
This calls your attention to sites you may want to onboard to Imperva API Security to benefit from the additional
protection.
Where it’s located: In the Attack Analytics Dashboard, click the Insights button in the banner to view the
recommended actions for your account.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
API Security updates
The following changes were implemented for API Security:
OpenAPI Specification (Swagger) Version 3 support added: You can now use OASv3 to define your API structure.
New dashboard: For improved visibility and investigation capabilities, the landing page for API Security has been
replaced with a new dashboard that displays metrics at the individual site level. For details, see API Security
Dashboard.
Attack Analytics: Exposed origin server insight updated
The exposed origin server insight now identifies if your origin server IP address is visible in public DNS records,
indicating that the server is at increased risk of attack.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Account Takeover Protection API
You can now access your Account Takeover Protection data using an API.
• Leaked credentials login report: Retrieve the list of successful login events that used publicly available leaked
credentials.
• Compromised users login report: Retrieve the list of successful login events that had a non-zero probability of
being an attack.
Attack Analytics detects if the origin server IP address is directly accessible via HTTP/S request, indicating that the
server is at increased risk of attack.
Where it’s located: In the Attack Analytics Dashboard, click the Insights button in the banner to view the
recommended actions for your account. This enables you to make any necessary adjustments to ensure that all traffic
to your site will pass only through Cloud WAF.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Add DNS TXT records for your website
The option to configure DNS text records for your site was added. TXT records specified in this section are returned by
Imperva when responding to TXT queries for your site's CNAME.
As part of onboarding your site, you configure your DNS settings to use the CNAME provided by Imperva. Because DNS
protocol does not permit other record types when the CNAME record exists, you can't add TXT records directly to your
domain's DNS configuration. This section enables you to configure TXT records while also using a CNAME record for
your domain.
For example, you can define a TXT record here for SPF and/or DKIM in order to prevent email spoofing.
Where it’s located: On the Cloud Security Console sidebar: Websites > Settings > General > DNS.
What changed: Previously, exceptions could be managed at the account level only.
Required permissions: The user must have a role in the specific sub account that includes one or more of the
following: Add/Edit/Delete exception to policy
For more details on policies, see the section on adding an exception in Create and Manage Policies.
Change in regional anycast topology for Cloud WAF
To further enhance our global network routing capabilities for DDoS attack mitigation, we are rolling out the following
network topology change over the next several weeks.
What’s changing:
Our current regional anycast topology for Cloud WAF customers is going to be enhanced with an additional layer of
global anycast. This means that a region will also be advertised globally.
This unique topology allows us to maintain the best performance for your end-customers (content will be served by
the nearest PoP), while improving our DDoS mitigation capacity.
As a practical example, the Imperva IP ranges for the US region will also be advertised in additional PoPs within EU
and APJ. Attacks originating from APJ and directly targeting your US IP address will already be mitigated within APJ.
As mentioned above, this change will result in the advertising of regional IPs to other regions, which means that traffic
processing will not be isolated within the region.
If you require traffic to be terminated (decrypted) in Imperva PoPs within the region only, please contact Support. Our
team will assist in provisioning the appropriate regional routing policy for you (US, EU, CA, AU).
Fixes
None.
Known Issues
None.
The change applies to configuring the plan_id parameter in the following APIs:
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
L3/L4 DDoS attack reporting added to Imperva Security mobile app
Layer 3/4 DDoS attacks on website and network assets are now displayed in the mobile app dashboard.
In addition, you can set alerts to receive push notifications for the L3/L4 DDoS attacks.
For more details on the app, see Imperva Security Mobile App.
Heads Up: Change in regional anycast topology for Cloud WAF
To further enhance our global network routing capabilities for DDoS attack mitigation, we’re planning to make the
following network topology change.
The change is scheduled for July 12, 2020, as a gradual rollout over several weeks.
What’s changing:
Our current regional anycast topology for Cloud WAF customers is going to be enhanced with an additional layer of
global anycast. This means that a region will also be advertised globally.
This unique topology allows us to maintain the best performance for your end-customers (content will be served by
the nearest PoP), while improving our DDoS mitigation capacity.
As a practical example, the Imperva IP ranges for the US region will also be advertised in additional PoPs within EU
and APJ. Attacks originating from APJ and directly targeting your US IP address will already be mitigated within APJ.
As mentioned above, this change will result in the advertising of regional IPs to other regions, which means that traffic
processing will not be isolated within the region.
If you require traffic to be terminated (decrypted) in Imperva PoPs within the region only, please contact Support. Our
team will assist in provisioning the appropriate regional routing policy for you (US, EU, CA, AU).
Fixes
None.
Known Issues
None.
The change applies to configuring the plan_id parameter in the following APIs:
ACL details will be removed from the following Site Management APIs:
For details on the new Policy Management API and the migration process, see Create and Manage Policies.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Attack Analytics: Direct access to Volumetric DDoS Attack analytics
The link from an Attack Analytics volumetric DDoS attack incident to your account in the Cloud Security Console has
been adjusted. The link now directly opens the advanced analytics for the relevant website group, enabling you to
drill down for more information about the related DDoS attack on your websites.
What changed: Previously, the link opened the Network Traffic Dashboard at the account level.
Where it’s located: When viewing the Volumetric DDoS Attack incident in Attack Analytics, click Network traffic
dashboard.
The change is scheduled for July 12, 2020, as a gradual rollout over several weeks.
What’s changing:
Our current regional anycast topology for Cloud WAF customers is going to be enhanced with an additional layer of
global anycast. This means that a region will also be advertised globally.
This unique topology allows us to maintain the best performance for your end-customers (content will be served by
the nearest PoP), while improving our DDoS mitigation capacity.
As a practical example, the Imperva IP ranges for the US region will also be advertised in additional PoPs within EU
and APJ. Attacks originating from APJ and directly targeting your US IP address will already be mitigated within APJ.
As mentioned above, this change will result in the advertising of regional IPs to other regions, which means that traffic
processing will not be isolated within the region.
If you require traffic to be terminated (decrypted) in Imperva PoPs within the region only, please contact Support. Our
team will assist in provisioning the appropriate regional routing policy for you (US, EU, CA, AU).
Fixes
Whitelist rules now apply to smuggling attacks
Whitelist rules configured for your site now also apply to smuggling attacks, allowing them to bypass the Cloud WAF.
For example, if you add a whitelist rule on a specific IP address, and a smuggling attack is detected coming from that
IP, it will not be blocked. This can be useful for testing purposes.
What changed: Previously, the whitelist rule was ignored and the smuggling attack was blocked.
Known Issues
None.
The change applies to configuring the plan_id parameter in the following APIs:
ACL details will be removed from the following Site Management APIs:
For details on the new Policy Management API and the migration process, see Create and Manage Policies.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Attack Analytics: New log fields
The following fields were added to the Attack Analytics logs.
The change is scheduled for July 12, 2020, as a gradual rollout over several weeks.
What’s changing:
Our current regional anycast topology for Cloud WAF customers is going to be enhanced with an additional layer of
global anycast. This means that a region will also be advertised globally.
This unique topology allows us to maintain the best performance for your end-customers (content will be served by
the nearest PoP), while improving our DDoS mitigation capacity.
As a practical example, the Imperva IP ranges for the US region will also be advertised in additional PoPs within EU
and APJ. Attacks originating from APJ and directly targeting your US IP address will already be mitigated within APJ.
As mentioned above, this change will result in the advertising of regional IPs to other regions, which means that traffic
processing will not be isolated within the region.
If you require traffic to be terminated (decrypted) in Imperva PoPs within the region only, please contact Support. Our
team will assist in provisioning the appropriate regional routing policy for you (US, EU, CA, AU).
Fixes
None.
Known Issues
None.
ACL details will be removed from the following Site Management APIs:
For details on the new Policy Management API and the migration process, see Create and Manage Policies.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Heads Up: Change in regional anycast topology for Cloud WAF
To further enhance our global network routing capabilities for DDoS attack mitigation, we’re planning to make the
following network topology change.
The change is scheduled for July 12, 2020, as a gradual rollout over several weeks.
What’s changing:
Our current regional anycast topology for Cloud WAF customers is going to be enhanced with an additional layer of
global anycast. This means that a region will also be advertised globally.
This unique topology allows us to maintain the best performance for your end-customers (content will be served by
the nearest PoP), while improving our DDoS mitigation capacity.
As a practical example, the Imperva IP ranges for the US region will also be advertised in additional PoPs within EU
and APJ. Attacks originating from APJ and directly targeting your US IP address will already be mitigated within APJ.
As mentioned above, this change will result in the advertising of regional IPs to other regions, which means that traffic
processing will not be isolated within the region.
If you require traffic to be terminated (decrypted) in Imperva PoPs within the region only, please contact Support. Our
team will assist in provisioning the appropriate regional routing policy for you (US, EU, CA, AU).
Heads Up: New fields in Attack Analytics logs
On June 21, 2020, the following fields will be added to the Attack Analytics logs.
Fixes
None.
Known Issues
None.
ACL details will be removed from the following Site Management APIs:
For details on the new Policy Management API and the migration process, see Create and Manage Policies.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
Introducing Policy Management
Centrally configure and manage settings, save them as a policy, and then apply the policy to multiple sites in your
account.
What changed: Previously, each website protected by Imperva had to be configured separately. Now you can
configure and maintain ACL and whitelist settings for your account, in one location.
Benefits include:
Rollout plan:
For details on Policy Management and the migration process, see Create and Manage Policies.
Enhancements
Advanced Bot Protection: Support added for GeeTest CAPTCHA
You can now opt to use GeeTest CAPTCHA and select a difficulty level for the challenge that you want to present to
visitors.
Availability: Advanced Bot Protection customers integrating via Connectors only. (If you are instead using Advanced
Bot Protection via Imperva Cloud WAF, you can configure GeeTest CAPTCHA directly in the Cloud Security Console. For
details, see Web Protection - Security Settings.)
What changed: Previously, the GeeTest option required the user to provide credentials. That option has been
renamed Custom Geetest.
Where it’s located: On the Edit Website page, expand the advanced settings. Under Captcha settings, select Geetest.
For instructions on accessing the settings, see Editing a Website.
Heads Up: New fields in Attack Analytics logs
On June 21, 2020, the following fields will be added to the Attack Analytics logs.
Fixes
None.
Known Issues
None.
ACL details will be removed from the following Site Management APIs:
For details on the new Policy Management API and the migration process, see Create and Manage Policies.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
HTTP/2 support for connection between Imperva and origin
HTTP/2 is now supported for the connection between Imperva and your origin servers, providing enhanced
performance and security.
What changed: Previously, HTTP/2 was supported for the connection between clients and Imperva only.
Where it’s located: On the Delivery Settings page, under Network > Enable HTTP/2, select Support HTTP/2 from
client to Imperva and from Imperva to origin server.
For example, you can create a rule to rewrite responses or to set caching behavior when a specific action is taken by
ABP.
Where it’s located: In the Cloud Security Console Rules page, or the Cache Settings page (under Custom Cache
Rules). For more details, see Rule Filter Parameters
Fixes
None.
Known Issues
None.
As part of the rollout, website access control lists (ACLs) will be automatically migrated to the new policies, and the
APIs used for website ACLs will be replaced with new APIs.
ACL details will be removed from the following Site Management APIs:
What is Policy Management? Currently, each website protected by Imperva must be configured separately. Manually
configuring a large number of sites can be resource-intensive, time-consuming, and error-prone. Policy Management
introduces the ability to centrally configure and manage settings, save them as a policy, and then apply the policy to
multiple sites in your account.
For details on Policy Management and the migration process, see the Policy Management beta documentation.
• June 7, 2020: The feature will be available to all new accounts, by default.
• June 14, 2020: The feature will be available to any customer, by request. Contact Imperva Support or your sales
representative to schedule a time for migration.
• June 21, 2020: Automatic migration of existing free, pro, and business plan accounts begins.
• July 5, 2020: Automatic migration of existing enterprise and FlexProtect customer accounts begins.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
API: Changes in API responses
As part of an upgraded certificate validation process, changes were made to API responses that affect several APIs.
What changed:
• When the action performed by the APIs requires DNS verification by the user, the response includes the
domain_dns key. Previously, this key contained a single value. Now it is an object composed of key/value pairs
(domain name: array of values).
For example:
Before Now
{"res":0,"res_message":"OK","debug_info":{"id-
{"res":0,"res_message":"OK","debug_info":{"id-
info":"999999", "domain_dns”:
info":"999999","domain_dns":"_globalsign-
{“example.com”:[“_globalsign-domain-
domain-verification content\u00-####-93403"}}
verification\u00-####-93403”]}}
• For APIs that include site status details in the response structure, the array of objects under ssl > generated
certificate > validation data previously contained only one element. Now it can have up to 2 elements.
In addition, the set_data_to field previously contained only one element. Now it can have up to 4 elements.
For example:
"validation_data": [
{
"dns_record_name": "incaptest.co",
"set_type_to": "TXT",
"set_data_to": [
"_globalsign-domain-verification=sdl_####_####_w9",
"_globalsign-domain-verification=70en#######DXSrwYj"
]
},
{
"dns_record_name": "test.incaptest.co",
"set_type_to": "TXT",
"set_data_to": [
"_globalsign-domain-verification=ldsFF########50725"
]
}
]
The APIs impacted by this change are any that include site status details in the response structure.
GET /sites/{siteId}/settings/cache/rules
What changed: Previously you could retrieve details of a single rule only by specifying a specific rule ID.
For details on cache and delivery APIs, see the Cache Settings API Definition.
Fixes
Origin Lock fix
Origin Lock associates a specific IP with your account to prevent other accounts on the Imperva service from setting
up sites that forward traffic to that origin IP.
Problem: If a parent account configured origin lock but does not have any sites configured directly under it, the IPs
configured for origin lock were ignored and not locked.
Solution: The bug is fixed. All IPs configured for origin lock in an account are locked for use by the account and its sub
accounts only.
Known Issues
None.
As part of the rollout, website access control lists (ACLs) will be automatically migrated to the new policies, and the
APIs used for website ACLs will be replaced with new APIs.
ACL details will be removed from the following Site Management APIs:
What is Policy Management? Currently, each website protected by Imperva must be configured separately. Manually
configuring a large number of sites can be resource-intensive, time-consuming, and error-prone. Policy Management
introduces the ability to centrally configure and manage settings, save them as a policy, and then apply the policy to
multiple sites in your account.
For details on Policy Management and the migration process, see the Policy Management beta documentation.
• June 7, 2020: The feature will be available to all new accounts, by default.
• June 14, 2020: The feature will be available to any customer, by request. Contact Imperva Support or your sales
representative to schedule a time for migration.
• June 21, 2020: Automatic migration of existing free, pro, and business plan accounts begins.
• June 28, 2020: Automatic migration of existing enterprise and FlexProtect customer accounts begins.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Restore default cache and delivery settings APIs added
The following APIs were added:
Settings are restored to the default state as they are when a new site is created (all options are turned off).
Fixes
None.
Known Issues
None.
As part of the rollout, website access control lists (ACLs) will be automatically migrated to the new policies, and the
APIs used for website ACLs will be replaced with new APIs.
ACL details will be removed from the following Site Management APIs:
What is Policy Management? Currently, each website protected by Imperva must be configured separately. Manually
configuring a large number of sites can be resource-intensive, time-consuming, and error-prone. Policy Management
introduces the ability to centrally configure and manage settings, save them as a policy, and then apply the policy to
multiple sites in your account.
For details on Policy Management and the migration process, see the Policy Management beta documentation.
Heads Up: Change in edit cache and delivery settings APIs
On May 24, 2020, to better align with REST API best practices, the following APIs will be changed from POST to PUT
operations:
For details on cache and delivery APIs, see the Cache Settings API Definition.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
New rule filter parameter: Site Average Request Rate
The new Site Average Request Rate 1m parameter enables you to create rules that run based on the average RPS
(requests per second) rate of your website over a period of one minute.
For example, you can create a rule to divert traffic to a different server when the average request rate (i.e HTTP load)
over the past minute on this website exceeds a specified value.
Where it’s located: In the Cloud Security Console Rules page. For more details, see Rule Filter Parameters.
Data Center API Update
The following changes were made to the Data Center APIs:
• The response for the List Data Centers API now indicates if the data center is defined as the primary/active data
center (isStandBy=false) or the secondary/standby data center (isStandBy=true).
• The option to use the is_standby parameter in the Add Data Center API was removed. The is_standby
parameter was previously deprecated. If used, an error is now returned. To define a data center as Standby via
the API, use Edit Data Center.
For more details on the Data Center APIs, see Site Management API.
What changed: Previously, the connection test was available to you to run on demand, but was not run automatically
before saving the configuration.
Where it’s located: On the Cloud Security Console sidebar, click Logs > Log Setup.
Fixes
None.
Known Issues
None.
As part of the rollout, website access control lists (ACLs) will be automatically migrated to the new policies, and the
APIs used for website ACLs will be replaced with new APIs.
ACL details will be removed from the following Site Management APIs:
What is Policy Management? Currently, each website protected by Imperva must be configured separately. Manually
configuring a large number of sites can be resource-intensive, time-consuming, and error-prone. Policy Management
introduces the ability to centrally configure and manage settings, save them as a policy, and then apply the policy to
multiple sites in your account.
To assist you in preparing for the change, documentation will soon be available and will include:
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
Introducing Advanced Bot Protection
Release Date: April 27, 2020
Imperva’s best-in-class Advanced Bot Protection protects mission-critical websites, mobile apps, and APIs from
automated threats without affecting the flow of business-critical traffic.
Key capabilities
• Full visibility and control over human, good bot, and bad bot traffic
• Mitigation of all OWASP automated threats including account takeover, web scraping, and online fraud
• Superior technology identifies more bots and catches what others miss
• Real time updates leverage data from our global network
• Smart controls to easily manage your protection settings by specific threat or path
• Comprehensive, customizable, out-of-the-box reporting
Advanced Bot Protection is part of the Imperva Cloud Application Security suite.
To learn about what bad bots do, the tell-tale signs that you have a bot problem, and more, see Imperva Bad Bot
Report 2020: Bad Bots Strike Back.
Enhancements
Self-service interface for client certificate support
Independently configure client certificate support for the websites in your account directly from the Cloud Security
Console or via the new Certificate Manager API.
What changed: Previously, client certificate support required configuration by the Imperva Support team.
IP reputation data is based on calculations by Imperva Research Labs. Imperva’s Reputation Intelligence provides an
assessment of the risk level posed by an IP, based on the IP’s activity across the Imperva customer base. For more
information, see Reputation Intelligence.
Where it’s located: In the Attack Analytics Dashboard, click the Insights button in the banner to view the
recommended actions for your account.
What changed: Previously, these features opened in a separate browser window after clicking the Launch button.
Forward requests to a specific port on the origin server
The new Forward to Port action for custom rules enables you to dynamically forward requests that match your filter
criteria to a specific port.
What changed:
• The Forward to Port rule action was added to the Add/Edit Rule page.
• To maintain a streamlined user experience, the Forward to Data Center action and the new Forward to Port
action were moved under a Forward category.
• On the Cloud Security Console sidebar, navigate to Websites > Rules and click Add Rule. For details, see Create
Rules.
• The new functionality is also supported by the API. For details, see Rules API.
Cache rule API update
To better align with REST API best practices, the method for partially updating a custom cache rule was changed from
POST to PUT.
What changed:
POST /api/prov/v2/sites/{extSiteId}/settings/cache/rules/{ruleId}
PUT /api/prov/v2/sites/{extSiteId}/settings/cache/rules/{ruleId}
What changed: Previously, API Security was available at the account level only and opened in a separate browser
window after clicking the Launch button. Details of all websites in the account were displayed on one page.
Where it’s located: On the Cloud Security Console sidebar, navigate to Websites > <your website> > API Security.
The Audit Trail displays a log of actions performed in your account by account users, system processes, and Imperva
system administrators and support.
Where it’s located: On the Cloud Security Console sidebar, click Management > Audit Trail.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
DDoS for Networks: Analytics for network services
The DDoS for Networks (Infrastructure Protection) Analytics now displays top traffic patterns for services - the unique
combination of destination port, protocol, and IP address.
View advanced analytics for services running on your protected networks, monitored networks, and protected IPs:
Availability: Available for network traffic occurring after Apr 1, 13:30 UTC.
For more details on Analytics, see Analytics: DDoS Protection for Networks and IPs.
Updated Cache and Delivery Settings API
The following Version 2 APIs were added to the Performance Settings APIv2 and are currently being rolled out.
• Purge cache
• Delete cache rule
• Get XRAY access URL for debug headers
Imperva version 2 API introduces naming and formatting conventions for the HTTP requests that are consistent with
REST API standards and best practices. To learn more about Imperva v2 APIs for the Cloud Security Console, see API
Version 2/3 Overview.
DDoS mitigation threshold limit increased
Imperva enables you to set a DDoS threshold to determine when Imperva to activate DDoS mitigation rules for your
protected website.
What changed: Previously, the range of allowed values was between 10 and 5000 requests per second. The upper
limit is now 10,000.
Note: If you are activating a marketing campaign and expect a significant increase in traffic over a short period of
time, you may want to increase this value so it is not considered a DDoS attack. If you are setting a high threshold to
handle a temporary, significant increase in traffic, remember to adjust it when traffic returns to normal. Rates above
5000 RPS are considered high.
1. On the Cloud Security Console sidebar, click Websites > Settings > WAF.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
• Attack Analytics: Filter incidents based on the action taken (Alert or Block)
• New rule filter parameter: Site Request Rate
• Updated cache and delivery settings API
• Two-factor authentication is disabled when logging in with SSO
• Suspected Bots statistic renamed and clarified
• Audit Trail and Role Management open directly in the Cloud Security Console
New Features
None.
Enhancements
Attack Analytics: Filter incidents based on the action taken (Alert or Block)
You can now filter incidents based on the action taken on the events in the incident.
For example, you can filter for incidents that include alerted events, while hiding incidents that include only blocked
events. This enables you to direct your attention to areas that may require configuration adjustments, such as
changing a policy from alert to blocking mode in your account’s WAF settings.
Action:
Location Description
Dashboard
Under Action
Location Description
Incidents view
For example, you can create a rule to divert traffic to a different server when the request rate (i.e. HTTP load) on this
website exceeds a specified value.
Where it’s located: In the Cloud Security Console Rules page. For more details, see Rule Filter Parameters.
Availability: The new parameter is being rolled out and will be available to all customers within the next two weeks.
Updated cache and delivery settings API
We are starting to roll out updated APIs for managing cache and delivery settings for websites in your account.
Imperva version 2 API introduces naming and formatting conventions for the HTTP requests that are consistent with
REST API standards and best practices. To learn more about Imperva v2 APIs for the Cloud Security Console, see API
Version 2/3 Overview.
Two-factor authentication is disabled when logging in with SSO
If two-factor authentication is enabled for a user in the Cloud Security Console, it is no longer activated if the user logs
in with SSO.
When login is carried out via your organization’s SSO, the authentication flow is handled by the SSO provider.
Suspected Bots statistic renamed and clarified
For clarity and consistency, the Suspected Bots statistic was renamed and the displayed data was adjusted to more
accurately reflect the functionality.
What changed:
The count is always relevant because suspected bots can be challenged with a CAPTCHA by the default Imperva
process, even when the “Require” option, which enforces a stricter policy against unknown clients, is disabled.
• In the Cloud Security Console, on the Websites > Dashboard > Security page:
• In the Weekly Report (which is sent by email when the option is enabled in your Account Settings):
Audit Trail and Role Management open directly in the Cloud Security
Console
The Audit Trail and Role Management UI are now displayed directly in the Cloud Security Console.
What changed: Previously, these features opened in a separate browser window after clicking the Launch button.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
DDoS Protection for DNS: DNSSEC support added
The Imperva DDoS Protection for DNS service now supports DNSSEC, providing you with enhanced security for your
DNS data.
DNSSEC (Domain Name System Security Extensions) adds a layer of authentication to DNS to boost protection against
MITM attacks, such as DNS cache poisoning and forged DNS responses.
For details on configuring DNS Protection and DNSSEC support, see Add/Edit a Protected DNS Zone.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
DDoS Protection for Networks: Analytics for Monitored Networks
Analytics capabilities are now available for network traffic on monitored network ranges (via NetFlow/xFlow/IPFix
protocols).
Availability: Available for network traffic occurring after March 4, 2020 13:00 UTC.
For more details on analytics, see Analytics: DDoS Protection for Networks and IPs.
Enhancements
Attack Analytics: View the CVEs associated with your incidents
Attack Analytics now provides a list of the CVEs (Common Vulnerabilities and Exposures) that are associated with your
incidents.
CVE associations are based on ongoing investigation and monitoring by Imperva Research Labs. An incident is
associated with a CVE if one or more its events triggered a security rule determined by Imperva to be associated with
that specific CVE.
Note that an event may be blocked by general mitigation rules even though it was not found to be associated with any
specific CVEs.
What changed: You can now view associated CVEs for an incident, and filter your incidents according to all or specific
CVEs.
Location Details
Location Details
Location Details
Availability: Applies to customers subscribed to both Cloud WAF and Advanced Bot Protection. We are rolling out the
feature over the next two weeks.
1. On the Cloud Security Console sidebar, navigate to Websites > Settings > Security.
2. Under Bot Access Control > CAPTCHA Provider, select GeeTest and choose the difficulty level setting.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
DNS option added for domain ownership validation
When configuring SSL support for a site that is already onboarded to Imperva, you can now validate your domain
ownership by email or by adding a DNS record.
Where it's located: In the Cloud Security Console, navigate to Website > Settings > General > SSL Support. Click
Configure and follow the onscreen instructions.
For more details on the SSL support configuration options, see Onboarding a Site – Web Protection and CDN.
Fixes
None.
Known Issues
None.
All rule changes are now tracked and available through the Imperva Audit Trail.
What changed:
• Rule revision history was removed from the Rules interface (Websites > Rules > More > Revisions).
• The corresponding APIs were also removed:
• Revert rule
• List rule revisions
• The option to revert to previous versions of rules is no longer available.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Regional data storage for Australia
Regional data storage is now available for Australia, in addition to the existing APAC, EU, and US regions. Imperva
provides the option to isolate data per region, per site, in accordance with data privacy requirements. For more
information on Imperva data storage, see Data Storage Management.
What changed: The Melbourne and Sydney data centers are now located separately under the AU data storage region,
and are no longer part of the APAC data storage region.
Note: Your current data regions will not be automatically changed or migrated to the AU region. You can manually
view or change the data storage region options for your account or for individual sites.
• The account-level data region setting sets the default storage region for new sites created in your account, and
also determines where network layer data is stored. On the Cloud Security Console sidebar, select Management
> Account Settings > Data Management. For details, see Account Settings.
• The site-level data region setting determines the geographical region for storing your Layer 7 (application layer)
Imperva data. On the Cloud Security Console sidebar, select Websites > Settings > General > Data Storage. For
details, see Web Protection - General Settings.
Attack Analytics: Change in aggregated mode
On January 26, 2020 the aggregated analytics option was introduced into the Attack Analytics settings. In aggregated
mode, an attack that targets multiple sites in multiple sub accounts is clustered and presented as a single incident in
the parent account.
What changed:
• When aggregated mode was enabled, Attack Analytics data was available only in the parent account and not in
the sub accounts. Now, incidents are presented in both the parent account and in the sub accounts. An incident
in a sub account is based on events in the individual sub account only.
• In aggregated mode, you can access Attack Analytics from the Cloud Security Console from both the parent
account and from the sub accounts.
• When opened from the parent account, incidents from sites in the parent account and all sub accounts
are presented.
• When opened from a sub account, only incidents from the sites in the specific sub account are
presented.
What changed: When you reset your password using the “Forgot your password?” link on the Cloud Security Console
login screen, two-factor authentication is activated. Previously, a password reset email was immediately sent to your
email address. Now, you must complete the two-factor authentication before the password reset email is sent.
Availability: This applies to users who have already configured and enabled two-factor authentication via SMS or
Google Authenticator on the User Preferences page in the Cloud Security Console. For details, see User Preferences.
Role Management API update
Role details that are returned by the APIs now include the email of the user, and the account or sub account ID.
For example, when requesting the list of users assigned to a given role, the following details are now returned for
userAssignment:
"userAssignment": [
{
"userEmail": "user1@example.com",
"accountId": 1234
},
{
"userEmail": "user2@example.com",
"accountId": 5678
},
],
Fixes
Custom error page template update
A problem in the custom error page default template prevented the feature from working.
Problem: The feature was blocked due to the onload HTML event in the default template. The custom error page
template cannot contain script tags, iframe tags, or illegal HTML actions.
Solution: The onload HTML event was added to the list of illegal HTML event attributes and removed from the default
template.
ACTION REQUIRED: If you have already configured a custom error page for your website using the default template,
you need to use the updated default template and reintroduce your customizations.
For details on configuring a custom error page for your websites, see Custom Error Pages.
Known Issues
None.
This functionality is now available as part of the new Audit Trail feature, which displays a log of actions performed in
your account by account users, system processes, and Imperva system administrators and support.
For details, see Audit Trail and the Audit Trail API Definition.
Rule changes are now tracked and available through the Imperva Audit Trail.
Changes:
• Rule revision history will be removed from the Rules interface (Websites > Rules > More > Revisions).
• The corresponding APIs will also be removed:
• Revert rule
• List rule revisions
• The option to revert to previous versions of rules will no longer be available after the rule revision feature is
removed.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
Imperva Security Mobile App
View your Cloud Application Security dashboards on the go using our new iOS mobile app.
Cloud WAF customers can now take advantage of the Imperva Security mobile app, currently available for iPhone and
iPad.
Key features:
Where it’s located: The Imperva Security free mobile app is available in the Apple App Store: https://
apps.apple.com/us/app/imperva-security/id1479543020
Integration of Advanced Bot Protection security events
Advanced Bot Protection (formerly Distil Networks) security events are now supported by the Cloud Security Console
and the SIEM log integration. When the new Bad Bot (Advanced Bot Protection) security rule is triggered, the incidents
are now displayed along with all other types of security incidents targeting your websites and applications.
• Bad Bot (Advanced Bot Protection) security events are now displayed in the Website > Events page for your
protected websites.
• The Imperva SIEM log integration now indicates when the Bad Bot (Advanced Bot Protection) security rule is
triggered. For details, see Log File Structure.
Availability: Applies to customers subscribed to both Cloud WAF and Advanced Bot Protection.
Enhancements
None.
Fixes
None.
Known Issues
None.
This functionality is now available as part of the new Audit Trail feature, which displays a log of actions performed in
your account by account users, system processes, and Imperva system administrators and support.
For details, see Audit Trail and the Audit Trail API Definition.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Set on/off times for custom rules
The new Scheduler rule filter parameter enables you to configure fixed times and days for a custom rule to be active.
For example, you can use it to redirect requests to a backup site during scheduled maintenance to avoid downtime.
Where it’s located: On the Rules page, when adding a new custom rule.
For instructions on using the Scheduler parameter in a custom rule, see Scheduler.
Performance improvement in SIEM log push mechanism
This issue applies to customers using the push mode for uploading Imperva SIEM integration logs to an S3 or SFTP
repository.
In the event that a significantly slowed upload rate is detected over an extended period of time, you will be notified by
email. This notification enables you to verify your account's log integration settings, as well as check your repository's
availability and stability to resolve any issues that may be preventing proper upload.
Upload attempts will continue for the period of time specified in the email. If the issue is not resolved during that
time, another notification email is sent, informing you that log files may be partially or fully lost, without the
possibility of retrieval.
What changed: Previously, email notifications were sent and log files deleted only in the event of total upload failure.
Fixes
Dynamic Content Acceleration (Origin PoP) requirements
The Dynamic Content Acceleration service (Origin PoP) leverages the high-quality connectivity between Imperva
network PoPs to improve response time for dynamic resources.
As part of this service, Imperva utilizes connection pooling, maintaining and reusing TCP connections between the
selected Origin PoP and your origin server to optimize round-trip times. To support this, the Origin Connection Reuse
setting must be enabled.
What changed: Previously, when selecting an Origin PoP, a message was displayed indicating that the Origin
Connection Reuse setting was required, but it was not enforced in the UI or API. Rather, it was enabled in the
background to support activation of the Origin PoP service.
• To enable the Origin PoP setting, the Origin Connection Reuse option must first be enabled.
• You cannot disable the Origin Connection Reuse option if Origin PoP is enabled.
Origin PoP: On the sidebar, click Websites > Settings > Origin Servers. For details, see Dynamic Content
Acceleration.
Origin Connection Reuse: On the sidebar, click Websites > Delivery. For details, see Delivery Settings.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
Terraform Provider for onboarding and configuring sites
Manually onboarding and configuring a large number of sites can be resource-intensive, time-consuming, and error-
prone.
The Terraform Incapsula Provider enables you to carry out self-service provisioning of websites for Imperva Cloud
Application Security on a large scale, in a fraction of the time. Using Terraform configuration files, you can create and
configure sites, including managing load balancers, data centers, ACLs, and custom security and delivery rules.
What changed: Our Terraform provider, previously available as an open source plugin, is now officially approved and
tested by HashiCorp and listed on the official Terraform website: https://www.terraform.io/docs/providers/incapsula/
index.html
Where it’s located: The provider is available for download in the Terraform Provider Repository in github: https://
github.com/terraform-providers/terraform-provider-incapsula
Enhancements
None.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Attack Analytics: Self-service activation of aggregated analytics
View incidents from all sub accounts directly from the parent account
In an account with sub accounts, you can now choose to aggregate incidents from both the parent account and its sub
accounts. When this option is enabled, the incidents are clustered and presented together in the parent account.
In aggregated mode, an attack that targets multiple sites in multiple sub accounts is clustered and presented as a
single incident in the parent account. When the aggregated mode is turned off, the same scenario results in individual
incidents presented in each of the relevant sub accounts.
What changed: You can now enable this option directly in Attack Analytics. Previously, a request to the Support team
was required in order to enable the aggregated view.
Where it’s located: To enable this option, open Attack Analytics in the parent account and enable the following
setting:
1. On the Attack Analytics banner, click Settings to open the Account Configuration page:
2. Enable the Aggregate incidents from the parent account and all of its sub accounts option:
Example:
• If the Add sites permission is included in a role assigned to a user in a sub account, it enables the user to add
sites to the sub account.
(Note that If the same role is assigned to a user in the parent account, the user is not automatically granted the
Add sites permission in the sub accounts. The role must be explicitly assigned to the user in the relevant sub
accounts as well.)
• The Edit account settings permission is only relevant to a parent account. If it is included in a role assigned to a
user in a sub account, the user is still not granted this permission in the sub account.
• User management: On the Cloud Security Console sidebar, click Management > Users. Select a user and click
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Attack Analytics integrates network level L3/L4 DDoS attacks
You can now see L3/L4 DDoS attacks in Attack Analytics, in addition to the security incidents targeting your websites
and applications.
Volumetric DDoS attacks can often be used to divert attention from other simultaneous L7 WAF attacks. Attack
Analytics now provides greater visibility and insights into what is happening to your assets.
This L3/4 DDoS integration joins the API Security, Account Takeover Protection, and Reputation Intelligence
integrations with Attack Analytics to provide a single pane of glass for all types of attacks.
Availability: Changes will be displayed for DDoS attacks that occur as of this feature's release date.
• The Dashboard’s Incidents graph now also displays network level (layer 3/4) DDoS attacks that occurred during
the selected time period.
• Click the DDoS bar in the graph to view the related incidents, and additional statistics on the DDoS attack.
• View an analysis of the DDoS attack via the Network Traffic Dashboard.
Scenario: If you have a multi-data center topology configured for Imperva load balancing, and all of your active data
centers go down, traffic is rerouted to your standby data center.
When at least one active data center is back up, you can manually reroute your traffic back to the active data center.
Traffic does not revert automatically to your active data centers.
What changed: Previously, this functionality was available only in the Cloud Security Console. The Resume Traffic to
Active DCs button is displayed on the Websites > Settings > Origin Servers page in the Cloud Security Console.
What changed: This functionality enables you to define custom delivery or cache rules to be triggered for either
mobile devices or desktop clients only. For example, as part of a strategy to optimize mobile content delivery.
Where it’s located: In the Cloud Security Console, when adding or editing a custom delivery or cache rule, under Rule
Filter.
Example: This rule is triggered when a request made for URL path “welcome.html” is sent from a mobile device.
What changed: Response content sent from your origin server in Brotli format is now decompressed and scanned,
enabling us, for example, to better identify and quarantine backdoors planted on your website.
Validation added to custom error page configuration
A validation was added to ensure that a custom error page does not include any script tag, iframe tag, or illegal HTML
action, such as these HTML event attributes: onerror, onmessage, onoffline, ononline, onchange, onfocus, oninput,
onsearch, onsubmit, onselect.
What changed: When configuring a custom error page template for your site that includes any of the above, it cannot
be saved. An error message is displayed when you use the preview function or try to save your changes.
Where it’s located: On the Cloud Security Console sidebar, click Websites > Delivery and scroll to the Custom Error
Page section.
This represents the amount of time that the browser session of a logged in user can be inactive before the session
times out and closes.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Cache rule action renamed
The Force User Authentication rule action for custom cache rules was renamed to Force Resource Validation to
better reflect the functionality of the action.
When this option is enabled, Imperva validates with the origin server that the resource has not changed before
returning the cached resource to the client.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
New Features
None.
Enhancements
Attack Analytics integrates Account Takeover Protection incidents
Account Takeover (ATO) incidents are now displayed in Attack Analytics, providing you with a wider view of your
attack landscape. Only mitigated (blocked) ATO incidents are presented.
Availability: Only incidents that occur from this point forward will be displayed.
• Attack Analytics Dashboard: Account Takeover violations are displayed in the Top violations distribution
widget.
• Attack Analytics incidents view: The incident description indicates Account Takeover and the subtitle indicates
the activity that caused the accounts to be marked as compromised, such as brute force or credential stuffing.
• Attack Analytics incident details view: In the list of violations under Which violations were discovered?,
Account Takeover and the type are listed. Click the info icon for more details.
• Account takeover incidents are supported by the SIEM integration and API.
For more details on Attack Analytics and Account Takeover Protection, see:
• Invalid URL
• Invalid method
• Missing parameter
• Invalid parameter value
• Invalid parameter name
Availability: Only incidents that occur from this point forward will include this change.
What changed: Previously, incidents listed API violation without details of the specific API Security violation type.
• Attack Analytics incident view: The incident description indicates API violation and the subtitle indicates the
violation type.
• Attack Analytics incident details view: In the list of violations under Which violations were discovered?, the API
violation and type are listed. For an invalid parameter name or invalid parameter value violation, the parameter
name is also provided in the violation details.
For more details on Attack Analytics, see the Attack Analytics Documentation.
DDoS Protection for Websites: Dashboard enhancements and advanced
analytics
This release introduces new dashboard and analytics capabilities for the websites in your account, enabling advanced
analysis of legitimate and malicious (DDoS) network layer traffic.
Where it’s located: On the Cloud Security Console sidebar, click Network Traffic.
Availability: Network traffic data for the websites in your account and advanced analytics data is available for traffic
occurring after January 7, 2020. If you choose to display data for a time range that starts before January 7th, the
website group data and analytics are not displayed.
Changes include:
• The new Website Group table displays data per website group.
A website group is a group of protected websites in your account that share a set of Imperva anycast IPs. Most
accounts typically have only one website group. Some of the protected sites might be grouped separately, when
a specific configuration is required. For example, when using a dedicated network or when network traffic
isolation is needed to meet regulatory requirements.
Expand the group to view the sites included in the group. The list of sites is available only when viewing data
from a previous or custom time period. It is not available in real-time view.
Role Management reduces administrative overhead and enables you to improve your organization's security by
granting users only the specific privileges they need to carry out their responsibilities.
• A role is a set of permissions granting a certain level of access to Imperva cloud assets and services.
• Role Management includes creating and managing roles, and assigning those roles to your account users.
Details on migration:
• Customer accounts will be migrated automatically over a period of several weeks, beginning on January 5,
2020. (Migration of an individual account takes only several minutes.)
• The migration process takes the set of permissions that are currently assigned to a user and groups them into a
role. The role is then assigned to the user.
• If multiple users have the same set of permissions, they will be assigned to the same role.
• Roles that are created during the migration process are displayed with the name “Automatically created role”
and a role ID. For example, [3] Automatically created role. We recommend that you change the role name after
migration, assigning a name that is more meaningful for your organization.
Note: This change does not impact user authorization/login to the Cloud Security Console.
For full details on Role Management, see Manage Roles and Permissions.
User and Role Management API Updates
The following improvements were made in the Role Management API:
• Add and delete role assignment were combined into a single API for updating role assignments: POST /v1/
assignments
• APIs to create, get, and delete a user were added: POST/GET/DELETE /v1/users
This option enables you to remove all potentially sensitive or personal data that is stored in our systems, such as IP
addresses. (Configuration and settings in the Cloud Security Console are not deleted.) For more details on the data
that is stored for your account and the deletion process, see Data Storage Management.
What changed: The deletion process was previously available via a Support ticket only.
Where it’s located: In the Cloud Security Console, navigate to Management > Account Settings and scroll to Data
Management. The option is available to the account admin user only
Note: The deletion process is carried out at the account level. If the account has sub accounts, data from the sub
accounts is also deleted.
• For an Enterprise plan account that was previously set up as a reseller account in order to implement sub
accounts, data can be deleted at the sub account level only. If this type of account has already been migrated to
the Sub Account model as described in Manage Account Resources, data is deleted at the account level.
• For reseller accounts, data can be deleted at the sub account level only.
The Activity page has been replaced by the new Audit Trail feature, which displays a log of actions performed in your
account by account users, system processes, and Imperva system administrators and support.
Fixes
Expanded limits on restricted IPs
As of December 8, 2019, IP addresses that are restricted from logging in to the Cloud Security Console are also blocked
from sending API requests.
Where it’s located: In the Cloud Security Console: Management > Account Settings > Allow login from the
following IP addresses only.
Known Issues
None.
Tip: Open the latest release notes directly from the Cloud Security Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Gain visibility into the reputation of the IPs attacking your sites to make more informed, data-driven decisions.
Leverage reputation data from across the Imperva customer base and 3rd party providers to help in incident
response.
• Risk assessment: A score calculated by Imperva researchers to better understand the IP’s maliciousness level.
• Attack types and tools: The types of attacks originating from the IP and the tools it used to attack.
• Attacked industries, geographical targeting, and more.
• API: Consumable also via the Reputation API to support your in-house dashboards and workflows.
• From the Cloud Security Console: On the sidebar, click Reputation Intelligence > Launch Reputation
Intelligence.
• From Attack Analytics: When viewing incident details, click on the attacking IP to open Reputation Intelligence.
A new rewrite action is available for use when creating custom rules.
The Rewrite Response Error enables you to replace the default error response and error code that are returned to
the client when a request is blocked.
You can:
• Define the custom error response for all error types, or for a specific error type, such as Connection timeout or
Access denied.
• Select the response status code to return.
• Provide a custom response body in JSON or XML format.
• In the Cloud Security Console: On the sidebar, navigate to Websites > Rules and click Add Rule.
• Via the Rules API.
You can configure a custom error page to display to your website visitors in the event of an error.
What changed: In the Cloud Security Console, you can now configure a custom error page for individual websites in
your account. Previously, there was only the option of a single custom error page applied to every site in your account,
configured by Support.
How it works: You provide a custom HTML error page that will replace the default error page used by Imperva. Your
template must include $TITLE$ and $BODY$ placeholders to indicate the location of the information that is
dynamically inserted by Imperva depending on the type of error that occurs.
• In the Cloud Security Console Delivery Settings page. On the sidebar, click Websites > Delivery and scroll to
the Custom Error Page section.
• Site Management API > Modify Error Page to add or edit a custom error page for your site.
By default, the IP DDoS Protection over TCP/IP service uses ICMP for monitoring the connection to your origin server.
Options for monitoring over TCP and for disabling monitoring are now also available.
What changed: When onboarding an IP or editing the IP Protection settings, you can now choose the monitoring
method.
Where it’s located: On the Cloud Security Console sidebar, click Infrastructure > IP Protection Settings.
A new field was added to the Imperva logs, providing additional information on the violation that triggers a security
rule.
Detailed
Description CEF LEEF W3C
Description
Additional
information on the
Additional rule info cs11 cs11 cs-ruleInfo violation that
triggered the rule, in
JSON format.
This field is used for API Specification Violation events, and uses the following JSON structure:
{“api_specification_violation_type”:”<type>”,”parameter_name”:”<parameter name>”}
• INVALID_URL
• INVALID_METHOD
• MISSING_PARAM
• INVALID_PARAM_VALUE
• INVALID_PARAM_NAME
The “parameter_name” is present only if the violation occurs in the context of a parameter. Its value is the relevant
parameter name.
Starting on January 5, 2020, customer accounts will be migrated from the existing model of permission management
to the new Role Management model. Roles were recently introduced for new accounts, as described in the October 27,
2019 Release .
Role Management reduces administrative overhead and enables you to improve your organization's security by
granting users only the specific privileges they need to carry out their responsibilities.
• A role is a set of permissions granting a certain level of access to Imperva cloud assets and services.
• Role Management includes creating and managing roles, and assigning those roles to your account users.
Details on migration:
• Customer accounts will be migrated automatically over a period of several weeks, beginning on January 5,
2020. (Migration of an individual account takes only several minutes.)
• The migration process takes the set of permissions that are currently assigned to a user and groups them into a
role. The role is then assigned to the user.
• If multiple users have the same set of permissions, they will be assigned to the same role.
• Roles that are created during the migration process are displayed with the name “Automatically created role”
and a role ID. For example, [3] Automatically created role. We recommend that you change the role name after
migration, assigning a name that is more meaningful for your organization.
Note: This change does not impact user authorization/login to the Cloud Security Console.
For full details on Role Management, see Manage Roles and Permissions.
Change in Feature Availability
Heads Up: Removal of Activity page
On January 5, 2020, the Cloud Security Console Management > Activity page will be removed.
The Activity page has been replaced by the new Audit Trail feature, which displays a log of actions performed in your
account by account users, system processes, and Imperva system administrators and support.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Role Management was recently introduced for new customer accounts, as described in the October 27, 2019 Release
Notes.
The following enhancements to the feature were implemented over the past month:
• Restricted access: To grant a user permissions in a sub account without granting the user access to the parent
account, you do not assign a role to the user in the parent account. Instead, you assign a role to the user in one
or more sub accounts only. Several changes were made to support this functionality:
• The explicit Access parent account permission was removed.
• You can create a user without assigning a role to the user. Note that the user must be granted a role in
the parent account or in at least one sub account to be able to log in to the Cloud Security Console.
• Roles API: An API was added for creating and managing roles. For details, see Role Management API Definition.
• New default role added: In addition to the default Administrator role, a new Reader role was added. The
Reader role grants view-only permissions to the assigned user in the account or sub account.
• Improved audit trail: Each action performed to create and manage roles and user role assignments generates a
specific audit message. For more details, see Audit Trail.
• UI enhancements: Miscellaneous UI bugs were fixed.
For more details on Role Management, see Manage Roles and Permissions.
A new rewrite action is now available for use when you create custom delivery rules.
The Rewrite Response Code action modifies the status code in the response from the origin server before sending it
back to the client.
Where it’s located: On the Cloud Security Console sidebar, navigate to Websites > Rules and click Add Rule. For
more details, see Create Rules.
In addition to the existing time filter, multi-select filters were now added to the Audit Trail Type and Context columns,
enabling you to view audit events for a specific subset of activities.
For the API Specification Violation threat type, additional details are now displayed on the Events page.
What changed:
Where it’s located: On the Cloud Security Console sidebar, click Websites > Events. In the Event Details column, click
More to view details about the requests in the event.
On December 8, 2019, a new field will be added to the Imperva logs, providing additional information on the violation
that triggers a security rule.
Detailed
Description CEF LEEF W3C
Description
Additional
information on the
Additional rule info cs11 cs11 cs-ruleInfo violation that
triggered the rule, in
JSON format.
This field will initially be used for API Specification Violation events only. The following JSON structure will be used:
{“api_specification_violation_type”:”<type>”,”parameter_name”:”<parameter name>”}
• INVALID_URL
• INVALID_METHOD
• MISSING_PARAM
• INVALID_PARAM_VALUE
• INVALID_PARAM_NAME
If the violation occurs in the context of a parameter, the “parameter_name” will be present, and its value will be the
relevant parameter name.
For more details on the Imperva Cloud Application Security log integration, see Cloud WAF Log Integration.
Fixes
None.
Known Issues
None.
Change in Feature Availability
Heads Up: Removal of rule revision history
The November 3, 2019 release notes announced the planned removal of the option to view and revert to previous
versions of your custom rules.
In response to significant customer request, the removal of this feature has been postponed.
• Rule changes are currently tracked and available through the Imperva Audit Trail. All relevant details of rule
changes will be added to Audit Trail before the rule revision feature is removed.
• The option to revert to previous versions of rules will no longer be available after the rule revision feature is
removed.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Account Takeover Protection's capabilities to detect and mitigate account takeover attempts start with behavior
detection on login pages. To get started with ATO Protection, you need to provide details about your site's login
process.
What changed: You can now configure a login endpoint for your site directly from the Account Takeover Protection
interface. Previously, onboarding required the involvement of an Imperva sales engineer.
Where it’s located: The onboarding wizard is available from the ATO Protection Settings page.
Availability: Self-service onboarding is rolling out during the week of November 4, 2019.
When creating or resetting an API key and setting the expiration period, the Never option was added and set as the
default option. For more details, see API Key Management.
Additional information was added to the Network Ranges / IP Lists table in the Dashboard, providing you with an at-
a-glance view of DDoS attack status.
• Status column added: Provides attack status information for each range / IP covering the last 90 days.
• More column added: Click the button to view Layer 3/4 traffic analytics for the range. For a range with a
previous attack or currently under attack, a focused view of analytics data for the attack is displayed.
Where it’s located: On the Cloud Security Console sidebar, click Infrastructure > Dashboard.
For more details on the DDoS for Networks Dashboard and Analytics, see:
On December 8, 2019, the option to view and revert to previous versions of your custom rules will be removed.
Where it’s located: On the Cloud Security Console sidebar, Websites > Rules > More > Revisions.
• Revert rule
• List rule revisions
These changes are being introduced as a part of our continued effort to provide an improved, simplified, and
consistent interface.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Create and manage roles to provide the appropriate level of permissions to your account users.
A role is a set of permissions granting a certain level of access to Imperva cloud assets and services. Role
Management includes creating and managing roles, and assigning those roles to your account users.
Role Management reduces administrative overhead and enables you to improve your organization's security by
granting users only the specific privileges they need to carry out their responsibilities.
Availability:
• Currently available for customer accounts created after October 27, 2019 only. User permissions for other
accounts are managed directly in the Users page. For details, see Account Users.
• Not available for reseller accounts.
• Existing accounts will be migrated to Role Management in the next few months. To request an earlier migration
date, contact Support.
An expiration date is now set when you create a new API key or reset an existing API key.
What changed: When you add or reset an API key, an expiration date is set. Previously, API keys did not expire.
The default time period is six months. You can select the following time periods for expiration:
• 3 months
• 6 months
• 1 year
Where it's located: In the Cloud Security Console, navigate to Management > Users. Click a user row to display the
settings pane and expand API keys. For more details, see API Key Management.
Grace period:
• Expired API key: When an API key has expired, you can still use it for a grace period of two weeks.
• Reset API key: When you reset an existing API key, the previous key will still work for a period of two weeks from
its expiration date or from the time it is reset - whichever comes first.
• Additional reset during the two week grace period: Resetting the key more than once within the grace period
cancels any earlier key resets. The grace period is valid for the last reset only. The keys generated by previous
resets are no longer valid.
Extending the validity period of the API key: Email notifications will be sent to you before the API key expires. The
email will include a link enabling you to extend the validity of the API key for two weeks.
When onboarding an SSL site to the Imperva Cloud WAF, a certificate needs to be generated or uploaded and installed
on the Imperva proxy servers, in addition to the certificate already installed on your origin servers.
If there is an issue with your origin server’s certificate, Imperva now displays additional details onscreen to identify
the specific issue to assist you in resolving it quickly. For example, the connection may have timed out, or the
certificate may be expired.
Note that a site will onboard successfully if the SSL handshake is successful during the onboarding process, even if the
certificate is expired. It is recommended to resolve any certificate issues promptly for optimal security.
For more details on the onboarding process, see Onboarding a Site – Web Protection and CDN.
Smuggling attacks can enable attackers to gain unauthorized access to or otherwise compromise your site or
application. The following changes are being implemented to protect against smuggling attacks.
If an HTTP request contains one or more of the following, it will now be blocked:
Availability: The changes are being rolled out over the next week.
Whenever HTTP methods are displayed in the Cloud Security Console, for example on the Events page, all method
types are now supported and displayed.
What changed: Previously, the method type was listed as GET, POST, or OTHER. Now each method type that would
have been displayed as OTHER is listed as its proper type, such as PUT or DELETE.
Enterprise parent accounts can now retrieve logs for sub accounts
Enterprise accounts can now activate logs for the account’s sub accounts, directly from the parent account.
What changed: Previously, the log integration for sub accounts could be activated and configured only from the sub
account. To retrieve the sub accounts' logs, you had to enter each sub account and configure the log integration. Now,
logs can be activated and configured from both the parent account and the sub account.
Where it’s located: On the Cloud Security Console sidebar, select Logs.
• Accounts Log Levels: (New) Activate logs for each sub account. Once activated, logs are collected for all sites in
the sub account and retrieved according to the method configured in the Logs Setup page for the account.
• Sites Log Levels: (No change) Activate logs for sites in the parent account. Activate logs on a per site basis.
In accounts without sub accounts, or in sub accounts, the Log Levels page was renamed to Sites Log Levels. This
page enables you to activate logs for sites in your account. There is no change in existing functionality.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
You can now retrieve a list of actionable insights using the API. The insights are recommended actions to follow based
on security incidents presented in Attack Analytics. For details, see Attack Analytics API.
For more details on Attack Analytics Insights, see Get Actionable Insights.
• Audit history: Audit actions that were recorded by Imperva prior to the opening of the new Audit Trail feature
have been migrated and can now be viewed in the Audit Trail page.
• Audit events: A list of audit actions is now available in the documentation. For details, see Audit Trail Event
Types.
You can now rewrite the port number that is used to access the origin. This enables you to, for example, redirect
incoming requests to an origin port secured behind your firewall..
Where it's located: On the Cloud Security Console sidebar, navigate to Websites > Delivery. On the Delivery Settings
page, in the Network section, use the Rewrite Port option.
Two new rule actions were added to the Rules interface in the Cloud Security Console.
The Rewrite Response Header and Remove Response Header rule actions enable you to modify, add, and remove
headers from the response. When the defined rule criteria are met, Imperva receives the response from the origin
server, applies the relevant changes, and then returns the response to the client.
Where it’s located: On the Cloud Security Console sidebar, navigate to Websites > Rules and click Add Rule. For
more details, see Create Rules.
The Add Rule and Edit Rule APIs were also updated with the new rule actions.
• RULE_ACTION_RESPONSE_REWRITE_HEADER
• RULE_ACTION_RESPONSE_REMOVE_HEADER
SEO support
To support recent changes made to Googlebot, the Google web crawler used to index web content for its search
engine, the following change was implemented:
The X-Robots-Tag: noindex HTTP header is now added to resources that are part of the Imperva Cloud WAF’s
JavaScript challenge mechanism.
This header indicates that these resources should not be crawled or indexed.
To ensure maximum availability of service for our customers, a rate limit for the Get Visits API will be implemented
within the next several weeks. Details to follow.
For more details on the Get Visits API, see Traffic Statistics and Details API.
Documentation update
When website visitors are trying to access your site or application and encounter an error, Imperva displays an error
page with information to help you identify the error in your account in the Cloud Security Console. Details include:
• error code
• time stamp
• the source IP address of the request
• the IP address and internal ID of the Imperva proxy that handled the request
• the incident ID
A list of the error codes and troubleshooting suggestions is now available here: Cloud WAF Error Pages and Codes.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
You can now retrieve audit activity for your account using the API. For details, see Imperva Audit Trail API Definition.
For details on viewing the Audit Trail page from the Cloud Security Console, see Audit Trail.
Existing functionality: Google Authenticator is used for user authentication by Imperva as a part of several features:
• Login Protect: Google Authenticator is one of the methods used for authenticating visitors who are attempting
to access protected pages on your website. For more details on Google Authenticator configuration, see Web
Protection - Login Protect.
• Two-factor authentication: Google Authenticator is one of the available user authentication methods for login
to your account in the Cloud Security Console. For more details on two-factor authentication, see User
Preferences.
What changed:
• The Google Authenticator QR code that is generated and stored by Imperva is now encrypted. Once the code
has been scanned by the Google Authenticator app, it is no longer accessible. If Login Protect or two-factor
authentication needs to be reconfigured by the user, a new code is generated.
• As part of this change, Google Authenticator QR codes were reset. Visitors/users who choose to use Google
Authenticator as their authentication method will be required to reactivate it:
• Login Protect: On the next attempt to access protected pages on your website.
• Two-factor authentication: On the next login to the Cloud Security Console.
• A reset option is now available for the Google Authenticator QR code, if, for example, a user needs to enable it
using a new device.
In our continued effort to further improve and simplify the Imperva Cloud Security Console, we are rolling out the
following design changes over the next few weeks.
These changes do not affect the caching functionality or your current cache settings.
From To Description
Resources are cached according
Disable caching Custom caching to custom cache rules only. If
there are no custom cache rules
From To Description
defined for the site, no caching is
performed.
Cache according to standard
Static only Standard caching
HTTP headers.
Dynamic pages are also profiled
to identify and cache static
Static and dynamic Smart caching
content that was not marked as
static.
All site content is cached for a
All resources Cache all
specified amount of time.
Note: In addition to caching according to the selected mode, content is also cached as specified by any custom
cache rules that are defined for your site.
• The Secure Resource options are now integrated directly with cache mode settings. These options are available
for SSL sites and enable you to define caching behavior for HTTPS resources.
To improve our mitigation capabilities against HTTP request smuggling attacks, requests with duplicate Content-
Type or Content-Length HTTP headers that contain different values are now blocked. Previously, such requests were
passed on to the customer origin servers.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
The IP Protection service is now available over IP-in-IP encapsulation, providing DDoS protection at the IP level for
your cloud assets, such as websites or applications hosted on Google Cloud Platform.
IP Protection over IP-in-IP is deployed as an always-on service. Traffic flow is symmetric, where both ingress and
egress traffic flow through the Imperva network via an IP-in-IP tunnel. The service provides Layer 3/4 protection
against volumetric and protocol DDoS attacks, and is backed up by Imperva’s SLA.
Onboarding: Contact your Imperva sales representative to get started. Imperva assigns a sales engineer or solution
manager to take responsibility for the onboarding process, and to work with you to set up Imperva DDoS Protection
for individual IPs over IP-in-IP.
For details on onboarding and configuring IP Protection over IP-in-IP, see Onboarding IP Protection over GRE or IP-in-
IP.
After onboarding, you can view statistics for the Protected IP in the Security Dashboard: DDoS Protection for Networks
and IPs and in Analytics: DDoS Protection for Networks and IPs.
Enhancements
CRL support for client certificate validation
If client certificate support is enabled for your site, you can now upload a Certificate Revocation List (CRL) file via the
Imperva API to verify whether certificates are valid and trustworthy. A CRL is a list of certificate numbers that have
been revoked by the issuing CA, and should therefore be blocked.
Request Headers and Response Headers fields were added to Imperva logs.
The following examples show the new fields added to the Imperva log file in the supported formats. The new fields
are displayed in bold.
#Fields: date time cs-vid cs-clapp cs-browsertype cs-js-support cs-co-support cs-clappsig s-capsupport s-suid
cs(User-Agent) cs-sessionid s-siteid cs-countrycode s-tag cs-cicode s-computername cs-lat cs-long s-accountname sr-
pop cs-uri cs-postbody cs-version sc-action s-externalid cs(Referrer) s-ip s-port cs-method cs-uri-query sc-status s-xff
cs-bytes cs-start c-port cs-rule c-ip cs-protver cs-end cs-additionalReqHeaders cs-additionalResHeaders cs-severity
cs-attacktype cs-attackid s-ruleName
"2016-01-20" "14:19:47" "" "" "" "" "" "" "" "555" "curl/7.33.0" "" "1177375" "IL" "" "Rehovot" "AccessLevelW3C.test.co"
"mia" "" "" "w3cACCESS" "accesslevelw3c.test.co/" "" "HTTP" "" "26210617967913034" "" "" "" "GET" "" "200" ""
"956" "443" "" "12.12.12.12" "TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256" "1566300670892" "{\"Accept\":\"*/*\"},
{\"x-v\":\"1\"},{\"x-fapi-interaction-id\":\"1.1.1.1\"}]" "[{\"Content-Type\":\"text/html; charset\=UTF-8\"}]" ""
"" "" ""
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-09-08 Release
New Features
None.
Enhancements
Password reset change
When resetting the password for an account user, a password reset link is displayed. The account admin can then
send the link to the user.
Where it’s located: On the Cloud Security Console Account users page, click a user row and select Actions > Reset
password. This page is visible to account admin users and any user with the Manage users permission.
The following new filter parameters were added to the Rules interface. These parameters can be used with Delivery
Rules, for example, to create a granular GeoIP based forwarding policy.
• City
• Epoch
• Latitude
• Longitude
• Postal Code
• Src port
• State
Egress traffic for IP Protection will now be included in the calculation of account bandwidth utilization, in accordance
with the existing bandwidth calculation method.
Where it's located: You can view bandwith usage and billing details on the Cloud Security Console Subscription page
(Management > Subscription).
• For existing Infrastructure Protection customers, the IP protection bandwidth is calculated as part of Always On
Infrastructure Protection Bandwidth:
• For Cloud WAF customers without Infrastructure Protection, the IP protection bandwidth is calculated as part of
Always On Bandwidth for Cloud WAF/DDoS Protection, and listed here as Edge IP bandwidth:
Egress traffic is displayed in the Infrastructure Protection Dashboard for Protected IPs, in addition to ingress traffic.
Where it’s located: You can view egress traffic in the Infrastructure Protection Dashboard, in both the graph and
table, as follows:
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-09-01 Release
New Features
Introducing Audit Trail
Gain full visibility into the actions performed in your account by account users, system processes, and Imperva system
administrators and support.
Benefits:
• Provides full visibility at all times into which actions were performed, when they were performed, and by whom.
• Supports decision-making by providing visibility into change management.
• Speeds up troubleshooting - quickly see who did what, when, and where.
Availability: The feature is currently being rolled out and will be available to all Enterprise plan accounts within the
next several weeks. The Audit Trail will display account activity that occurs after the feature has been enabled for your
account.
Where it’s located: In the Cloud Security Console, navigate to Management > Audit Trail and click the launch button.
For full details, see Audit Trail.
Attack Analytics now provides recommended actions for mitigating attacks that have targeted your sites and
applications, and for proactively protecting against future attacks. Learn about the steps you can take to enhance your
security posture.
Benefits of Insights:
Availability: For Cloud WAF customers only. The insights are based on the analysis of attacks on your account in
conjunction with your account configuration settings, which are not currently linked to your on-premises WAF
settings. Therefore, recommended actions are currently supported for Cloud WAF only.
In the Attack Analytics Dashboard, click the Insights button in the banner to view the recommended actions for your
account.
The Attack Analytics Dashboard now opens by default when you log in, enabling you to view the distribution of top
metrics and then drill down for a more detailed look. Previously, the Incidents View was the default.
In addition to the changes in password policy announced in August 18, 2019 release notes, the following restrictions
are now implemented:
The following fields are being added to Imperva logs this week.
The Request Headers and Response Headers fields are added to support an upcoming feature. They are currently
added as placeholders only (empty) and relevant to the W3C format only.
The following examples show the new fields added to the Imperva log file in the supported formats. The new fields
are displayed in bold.
#Fields: date time cs-vid cs-clapp cs-browsertype cs-js-support cs-co-support cs-clappsig s-capsupport s-suid
cs(User-Agent) cs-sessionid s-siteid cs-countrycode s-tag cs-cicode s-computername cs-lat cs-long s-accountname sr-
pop cs-uri cs-postbody cs-version sc-action s-externalid cs(Referrer) s-ip s-port cs-method cs-uri-query sc-status s-xff
cs-bytes cs-start c-port cs-rule c-ip cs-protver cs-end cs-additionalReqHeaders cs-additionalResHeaders cs-
severity cs-attacktype cs-attackid s-ruleName
"2016-01-20" "14:19:47" "" "" "" "" "" "" "" "555" "curl/7.33.0" "" "1177375" "IL" "" "Rehovot" "AccessLevelW3C.test.co"
"mia" "" "" "w3cACCESS" "accesslevelw3c.test.co/" "" "HTTP" "" "26210617967913034" "" "" "" "GET" "" "200" ""
"956" "443" "" "12.12.12.12" "TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256" "1566300670892" "" "" "" "" "" ""
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-08-25 Release
New Features
None.
Enhancements
View Account Takeover Protection events in the Cloud Security Console
What changed: For sites configured in Imperva Account Takeover (ATO) Protection, account takeover attempts are
now displayed in the Cloud Security Console Events page.
Where it’s located: In the Cloud Security Console, navigate to Websites > Events.
The following fields will be added to Imperva logs in the coming weeks. Details to follow in subsequent release notes.
In addition to the changes in password policy announced in August 18, 2019 release notes, the following restriction is
now implemented:
6 failed attempts to log in to the Cloud Security Console now lock the user out for 30 minutes.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-08-18 Release
New Features
None.
Enhancements
Enriched IP reputation information in Attack Analytics
Attack Analytics now provides you with richer detail on the IP addresses attacking your sites.
Drawing on additional sources of threat detection based on our customer base and crowdsourcing capabilities, we
have added more information on the attacking IPs to help you take more data-driven decisions when deciding
whether an IP and an incident are malicious or not.
What changed: IP Reputation information that is displayed in Attack Analytics now includes additional reputation
categories.
Where it’s located: In the Attack Analytics Incident Details view, under Which IPs did the attacker use?, IP
Reputation indicators are displayed.
As an added security measure and to meet PCI compliance requirements, a maximum password age and stronger
policy has been implemented for users logging in to the Cloud Security Console.
Note: This change does not affect organizations that log in to the Cloud Security Console via SSO.
Your login password can now be used for 90 days, and must then be changed. If the password expires, you will not be
able to administer your account and sites before changing your password.
Password requirements:
This change is being rolled out over the next several weeks.
These changes will be communicated in subsequent release notes as they are implemented.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-08-11 Release
New Features
None.
Enhancements
Enhanced cache settings design
In our continued effort to further improve and simplify the Imperva Cloud Security Console, we are rolling out the
following design changes over the next few weeks.
These changes do not affect the caching functionality or your current cache settings.
From To
Disable caching <no change>
Static only Standard caching
Static and dynamic Smart caching
All resources Cache all
• The Secure Resource options are now integrated directly with cache mode settings.
These options are available for SSL sites and enable you to define caching behavior for HTTPS resources.
The following changes were made to the Add/Edit Rule page for Cache Rules.
• Only the rule filter parameters that are supported for cache rules are now displayed in the filter list. Other filters
were removed.
• The Cache Resource rule action cannot be used with some filters. These filters are marked with an asterisk.
• Additional validation checks were implemented to ensure that the selected filters can be used with the selected
action. Otherwise, the rule cannot be saved.
In the Infrastructure Protection Dashboard, graphs now display data for up to 5 of the top PoPs or Ranges by default.
Previously, all data was displayed by default.
You can select additional PoPs or ranges or modify the selection using the legend below the graph.
Where it’s located: In the Infrastructure Protection Dashboard, select View by Ranges or View by PoP.
Up to 5 of the top PoPs or Ranges are displayed, according to max values of the selected view. For example, this graph
displays the top 5 ranges for total traffic.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-08-04 Release
New Features
None.
Enhancements
Update of HTTP/2 options
The following changes were implemented for the HTTP/2 option. This option enables supporting browsers to take
advantage of the performance enhancements provided by HTTP/2 for your websites.
• A new http_2 parameter was added to the Advanced Caching Settings and Get Advanced Caching Settings
API. For details, see Site Management API.
• The Enable HTTP/2 site-level option was moved from the Websites > Settings > General page to the Websites
> Settings > Delivery page. For details, see Delivery Settings.
An option was added to enable Imperva to cache unavailable resources for a specified amount of time for your sites.
This can be useful to reduce load on your origin server if, for example, your site is getting too many hits on an
unavailable page.
• Cloud Security Console: Websites > Cache > Cache 404 Responses. The option is disabled by default. For
details, see Cache Settings.
• API: Site Management API > Modify Cache 404 Settings and Get Cache 404 Settings. For details, see Site
Management API
If your origin web server supports client requests using the HTTP Range header, and caching is enabled for your
Imperva protected site, the responses will now be cached by Imperva.
Note: The Range header must request the full range of data.
This change expands Imperva current caching capabilities by enabling caching of additional resources, such as small
videos.
Change in feature format
Heads up: Change in weekly report
Imperva produces a weekly report for every account that chooses to receive it. The report contains general
information on the account as well as all sites under the account.
What’s changing: The format of the weekly report email, which currently includes the contents of the report and a
link to download a PDF version of the report, will now include the link only.
Where it’s located: Cloud Security Console > Management > Account Settings.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-07-28 Release
New Features
None.
Enhancements
Network layer data storage for Website DDoS Protection customers
What changed: As part of ongoing improvements to the Network Traffic Dashboard, we are starting to collect Layer 3
(network layer) data statistics.
Stored data includes network layer 3/4 headers, which contain IP addresses .
By default, the data storage region for this collected data is US. You can update the region in accordance with your
data privacy requirements, such as GDPR.
Where it’s located: To check or modify this setting, log in to your account in the Cloud Security Console, and navigate
to Management > Account Settings > Data Management.
Note: The account-level data region setting determines where network layer data is stored, regardless of site-level
data region settings.
For more details on regional data storage, see Data Storage Management.
To further enhance visibility into Imperva caching behavior and assist you in troubleshooting, the following XRAY
debug headers were added for cache rules:
incap-cache-tags: Lists the tags added to the resource by cache rules. The list includes tags that were defined by the
Create Tag and Enrich Cache Key cache rules. It does not contain tags defined by the origin.
Known Issues
None.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-07-21 Release
New Features
None.
Enhancements
View ATO Protection username data in cleartext
To protect the privacy of your users, username fields containing personally identifiable information (PII) are encrypted
by default and displayed as an encoded string in the Account Takeover Protection console.
What changed: To access the username details for the users who attempt to log in to your protected sites, you can
now configure Account Takeover Protection settings to display username data in cleartext.
Where it’s located: ATO Protection Dashboard > Settings > Personally Identifiable Information (PII) Management.
Recent changes to the Purge Specific Resources dialog box provide you with an improved user experience, including
an autocomplete enabled drop-down list of your custom-defined tags to assist you in purging the cache according to a
specific tag.
Where it’s located: On the Cloud Security Console Cache Settings page, click Purge Specific Resources.
The following parameters were added to the Advanced Caching Settings and Get Advanced Caching Settings APIs:
If your site is using a custom certificate, you can retrieve details on the certificate’s status using the Get site status
and Upload custom certificate APIs.
What changed: You can now enable the hashing method for masking data fields in your logs and in the Events page,
instead of the default (XXX) data masking.
Use the hashing method and add a salt value to add increased protection for your sensitive information.
Where it’s located: On the Cloud Security Console sidebar, navigate to Websites > Settings > General. Under Data
Storage and Privacy, enable the Mask data by hashing option. For more details, see Web Protection - General
Settings.
You can also configure the data masking settings using the API. For details, see Masking Settings API.
We are currently starting rollout of the Luhn algorithm as the default method for data masking. The Luhn algorithm is
a formula used to validate identification numbers, such as credit card details.
What changed: Luhn replaces our in-house algorithm, improving our ability to identify identification numbers, such
as credit card details. It helps reduce false positives that we currently see when we incorrectly identify parameters as
credit card details and mask them.
Imperva produces a weekly report for every account that chooses to receive it. The report contains general
information on the account as well as all sites under the account.
What’s changing: The format of the weekly report email, which currently includes the contents of the report and a
link to download a PDF version of the report, will now include the link only.
Where it’s located: Cloud Security Console > Management > Account Settings.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-07-14 Release
New Features
None.
Enhancements
Cache Shield enabled by default
Cache Shield is now enabled by default for new sites added to FlexProtect Plus and Premier plan accounts. Previously,
you needed to manually enable each site in the Cloud Security Console.
Cache Shield adds an intermediate cache between other Imperva PoPs and your origin servers to protect your servers
from redundant requests.
The following new APIs are now available, enabling you to retrieve information on your cache and delivery settings for
a specific site.
Where it’s located: A link to the package is located in the Cloud Security Console’s Logs Setup page.
The following new fields were added to the Attack Analytics logs:
GeeTest CAPTCHA added to Login Protect for client requests from China
We are currently rolling out new functionality enabling Login Protect to work in China with GeeTest CAPTCHA.
The GeeTest CAPTCHA will be presented by Login Protect to clients from China, based on the client’s IP geolocation.
To support recent changes to caching capabilities and to allow improved tuning of application security, the following
new rule filter parameters are now available:
Parameter Description
Checks for the specified string patterns in the cookie
Cookie Value
name and value in the client request.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-07-07 Release
New Features
None.
Enhancements
Attack Analytics API Updates
The following fix is being rolled out over the next few weeks.
Problem: When you disable caching, toggles for the following options remained on, although the actual functionality
was turned off.
Solution: When you select Disable caching cache mode, the toggles listed above, as well as the other relevant
toggles which are already disabled, are all now turned off in the UI and cannot be modified.
If Disable caching was already selected for your site, the toggles will now be set to off. There is no change to actual
behavior - the functionality was already turned off.
Where it’s located: In the Cloud Security Console > Website > Cache Settings page.
Note: This behavior occurs only when there are no cache rules defined for the site. If there are cache rules, there is no
change to these toggles, and caching is carried out according to the custom rules you have defined.
Known Issues
None.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-06-23 Release
New Features
None.
Enhancements
New DDoS mitigation Service Level Agreement
A new SLA is applicable to Imperva Cloud Application Security customers who joined or renewed the service on or
after June 1st, 2019.
What changed:
Imperva previously offered a 10-second DDoS mitigation time, which is now reduced to 3 seconds for “Always On”
services.
To download the full SLA, log in to your account in the Cloud Security Console, and navigate to the Subscription page:
Management > Subscription.
This release introduces email notifications for Layer 3/4 DDoS attacks targeting your account.
What changed:
In addition to listing DDoS start and end events in the Network Traffic Dashboard, you will now also receive email
notifications for the start and end events.
Note:
To provide more granularity and control, there are new options to the Param Value rule filter that support numeric
values.
What changed:
The existing Param Value parameter can now have the following operators:
Under Website Protection > Site > Rules, when adding or editing a rule.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-06-16 Release
New Features
None.
Enhancements
Create and view simplified redirect rules in the Cloud Security Console
You can now create and view simplified redirect rules on the Cloud Security Console Rules page.
Simplified redirect rules enable you to create up to 20,000 redirect rules with restricted settings per site in your
account. This is in addition to existing functionality that enables you to create up to 500 delivery and security rules per
site.
What changed:
• In addition to creating simplified redirects rules using the API, an option was added to create and view them on
the Rules page.
• When this option is enabled for an account, rules created via the API are also displayed on the Rules page.
For guidelines on creating simplified redirect rules, see Create Simplified Redirect Rules.
Fixes
None.
Known Issues
None.
Change in Feature Availability
Change in availability of the Dynamic Content Acceleration service
During the beta period for Dynamic Content Acceleration we enabled the capability for all Imperva customers at no
additional cost.
Now, as the capability is mature and stable, we are disabling it for non-Enterprise customers who were able to take
advantage of the service at no additional cost.
What changed: The Dynamic Content Acceleration service was disabled for non-Enterprise plan customers who had
already enabled the feature. The functionality was turned off for these accounts and the Origin PoP option is now
read-only.
If you’d like to upgrade to an Enterprise plan and keep using Dynamic Content Acceleration, please contact us.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-06-02 Release
New Features
Introducing Account Takeover Protection
Account Takeover (ATO) Protection detects and mitigates account takeover attempts to protect your web applications
against volumetric and low and slow ATO attacks.
Benefits include:
Imperva Account Takeover Protection is part of the Imperva Cloud Application Security suite.
Introducing API Security
Imperva is excited to announce that its solution to further support Defense-in-Depth now includes API Security. Please
note that from this past Tuesday, May 28th, API Security became available for self-service trials within the Cloud
Security Console and will be inclusive within FlexProtect Pro, Plus, and Premier tiers.
Imperva API Security is part of the Imperva Cloud Application Security suite, allowing you to protect your APIs.
Benefits include:
• Leveraging of the SaaS infrastructure and the CDN and DDoS capabilities of Imperva Cloud Application Security
suite, and uses the same management portal.
• Positive security model that is automatically created and enforced from your Open API specification document
(i.e. Swagger).
• New security event for positive security model event – “API Specification violation”.
• API Specification violation events are part of the Attack Analytics tool.
• Automatic disabling of Captcha cookie challenge and Javascript challenge on API traffic.
• Integration with API management platforms through designated APIs and open source tools, making security an
integral part of API lifecycle management.
The new IP Protection service provides complete DDoS protection at the IP level.
IP Protection over TCP/IP is deployed as an always-on service. Traffic flow is symmetric, where both ingress and egress
traffic flow through the Imperva network via an allocated anycast Edge IP.
Benefits include:
The IP Protection for TCP/IP service supports onboarding using your origin IP address or by allowing Imperva to
dynamically resolve the domain name or CNAME.
After onboarding, you can view statistics for the Protected IP in the Security Dashboard: DDoS Protection for Networks
and IPs and in Analytics: DDoS Protection for Networks and IPs.
You can also onboard and edit IP Protection settings using the Imperva API. For details, see DDoS Protection for
Networks API.
For details on the free trial, onboarding, and configuring IP Protection over TCP/IP, see Onboarding IP Protection over
TCP/IP.
Enhancements
Change required in your Attack Analytics configuration
As of Monday, June 3, 2019, customers using the Imperva on-premises WAF must manually enable Attack Analytics so
that alerts will be sent to the cloud. This is required for the Attack Analytics service.
What changed: A new setting was added to Attack Analytics enabling you to turn on or off the sending of alerts to the
cloud.
If you are an on-premises WAF customer and are already using Attack Analytics or want to get started, you need to
enable the new setting in Attack Analytics.
What changed: Two new widgets were added to Infrastructure Protection Analytics:
• New Connections Per Second: Incoming connections from clients to the customer origin and outgoing
connections from the origin.
• Concurrent connections: The number of incoming connections over time. Available for Protected IPs only.
Where it’s located: In the Management Console, open Analytics: DDoS Protection for Networks and IPs.
Imperva Cloud Application Security is now using MaxMind GeoIP ASN database for IP to ASN mapping, used in rule
filters. MaxMind replaces an internal mechanism previously used, leading to improved accuracy.
Availability: Implementation is currently being rolled out to the Imperva global network and will be completed within
a few weeks.
What changed: A new option was added to SSO Settings, enabling you to send the Subject element in the SAML
request to identify the authenticated user.
Where it’s located: On the Management Console sidebar, navigate to Management > SSO Settings > Advanced
Configuration and select the Send Subject element in SAML request option.
The use of host name in the From field of simplified redirect rules is now supported.
For guidelines on creating simplified redirect rules, see Create Simplified Redirect Rules.
Fixes
None.
Known Issues
None.
Change in Feature Availability
Change in availability of the Dynamic Content Acceleration service
During the beta period for Dynamic Content Acceleration we enabled the capability for all Imperva customers at no
additional cost.
Now, as the capability is mature and stable, we’ll be disabling it for non-Enterprise customers who were able to take
advantage of the service at no additional cost.
Heads up: On June 16, 2019, the Dynamic Content Acceleration service will be disabled for non-Enterprise plan
customers who have already enabled the feature. The functionality will be turned off for these accounts and the
Origin PoP option will be read-only.
If you’d like to upgrade to an Enterprise plan and keep using Dynamic Content Acceleration, please contact us.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-05-26 Release
New Features
None.
Enhancements
New and Improved API
To better align with REST API standards and best practices, Imperva is gradually rolling out a new version of APIs,
available for your use in managing your Cloud Application Security sites.
The new APIs either provide an alternative to existing APIs or provide APIs with new functionality.
What changed:
• Naming and formatting conventions for the HTTP requests are consistent with REST API standards and best
practices. For example:
• The resource to operate on, such as the rule ID, is included in the core HTTP request and not as an
additional parameter.
• Parameters are sent in JSON format in the body of the request, and not as form data.
• In addition to POST, other common HTTP methods are used (GET, POST, PUT, DELETE).
• In addition to reporting error codes in the response body, proper HTTP response status codes are now also
returned.
• Rule APIs - you can now:
• Retrieve rule details for a single rule.
• Overwrite a single rule.
For details on working with the new APIs, see API Version 2/3 Overview.
Fixes
None.
Known Issues
None.
Change in Feature Availability
Change in availability of the Dynamic Content Acceleration service
During the beta period for Dynamic Content Acceleration we enabled the capability for all Imperva customers at no
additional cost.
Now, as the capability is mature and stable, we’ll be disabling it for non-Enterprise customers who were able to take
advantage of the service at no additional cost.
What changed:
• As of this release, the Origin PoP option is disabled for non-Enterprise customers (Incapsula Free, Pro, and
Business web plans) who did not previously enable the feature.
• Heads up: On June 16, 2019, the Dynamic Content Acceleration service will be disabled for non-Enterprise
plan customers who have already enabled the feature. The functionality will be turned off for these accounts.
• If you’d like to upgrade to an Enterprise plan and keep using Dynamic Content Acceleration, please contact us.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-05-19 Release
New Features
Cache Shield protects origin servers from redundant requests
Our new Cache Shield service protects your origin servers from redundant requests, further enhancing our caching
capabilities beyond the existing PoP level cache.
Cache Shield designates a specific PoP to serve as an origin shield, a CDN capability that adds an intermediate cache
between our PoPs and your origin servers.
Currently, each of our PoPs can access the origin server directly, and as a result, can overwhelm it with requests.
When the new functionality is enabled, all requests to the origin go through an intermediate PoP automatically
selected by the system. If another PoP does not have the requested content in its cache, it must query the Cache
Shield PoP to determine if the resource is already cached there.
Benefits:
• Reduces spikes on the origin during high request periods, such as after cache purge
• Increases likelihood of cache hits as all requests will go through one PoP
• Reduces outgoing traffic from your public cloud origin and decreases your monthly bill
Availability:
1. On the Management Console sidebar, select Websites > Cache to open the Cache Settings page.
2. Expand the Advanced section.
3. In the Response section, enable the Cache Shield option.
You can also enable Cache Shield using the API. For details, see Site Management API.
Enhancements
New rule filter parameters
To provide more granularity and control we introduced new rule filter parameters to distinguish between query string
and post data, available when creating custom rules.
What changed:
The existing Param Exists parameter checks for a specified string pattern in the parameter names in both the query
string and the post data. Two new parameters were added to check in either the query string or body of the request
separately:
The existing Param Value parameter checks for a specified string pattern with a specific parameter value in both the
request query string and the post body. Two new parameters were added to check in either the request query string or
post body of the request separately.
To align with recent changes in Management Console settings, the following redirect options were moved from the
General Settings page to the Delivery Settings page.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-05-05 Release
New Features
Attack Analytics API
You can now access your Attack Analytics data using an API.
• List incident: Retrieve a list of all incidents that occurred within a specified time frame.
• Get incident statistics: Retrieve full details about a specific incident.
You can now choose to cache resources separately based on geolocation of the request.
Where it’s located: In the Management Console Cache Settings page, under Cache Rules. When you add or edit a
cache rule, under Rule Action, select Differentiate Cache Key > Geolocation.
A new redirect rule action is now available, enabling you to create up to 20,000 redirect rules with restricted settings
per site in your account. This is in addition to existing functionality that enables you to create up to 500 delivery and
security rules per site.
What changed:
• You can create and manage simplified redirect rules using the standard Site API rule operations: Add Rule, Edit
Rule, Enable/Disable Rule, Delete Rule, List Rules.
• A new action, RULE_ACTION_SIMPLIFIED_REDIRECT, was added to the Add Rule and Edit Rule operations.
This action redirects the client request to a different URL, responding with a 30X response.
• The List Rules API response now returns details of the current number of rules defined for the site, and the
remaining number of rules that can be added.
As part of recent changes made to our cache settings, you can now control how HTTPS secured resources are cached
on the Imperva edge.
What changed: Previously, you could not control how HTTPS resources were cached without contacting Imperva
support. Now, you can independently select the desired cache mode for secured resources in the Management
Console or using an API.
Problem: For sites that had the All Resources cache mode selected and did not change the Secured Resources
setting after April 28, 2019, HTTPS resources that were previously cached are no longer cached, and the Do not cache
HTTPS resources option is selected. (Prior to April 28, 2019, the default option was Use default HTTPS caching. Also
cache HTML pages.)
There was no change to cache behavior for sites using No Cache, Static Only, or Static + Dynamic cache modes, or
explicit cache rules.
Solution: If you would like to cache HTTPS resources, navigate to the Cache Settings page and select the desired
setting, or add explicit cache rules.
Where it’s located: On the Management Console sidebar, select Websites > Cache > Advanced > Secure Resources.
For more details, see Cache Settings.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-04-21 Release
New Features
None.
Enhancements
Introducing Attack Analytics SIEM Log Support
Integrate Attack Analytics logs into your SIEM. Retrieve your logs from the Imperva cloud repository or push the logs
to your remote storage location.
By default, error responses that are returned to clients when a request is blocked are provided in HTML format. A new
option is available to return error responses in JSON or XML format, based on the Accept or Content-type HTTP
request headers.
1. On the Management Console sidebar, select Websites > <your site> > Settings > General.
2. Under Additional Settings, enable the Enable content based error responses option.
Two new caching options are available in the Management Console, on the Cache Settings page:
• Enrich Cache Key: Add custom text to the cache key as a suffix. Use this option to add specific logic to the cache
key calculation.
• Ignore All Parameters: If the same resource is returned regardless of request parameters, you can opt to ignore
all parameters when determining a cache key match.
API operations are now available for all caching options, including all new caching settings and custom cache rules
that were recently added to the Cache Settings page in the Management Console.
Where it’s located: On the Management Console sidebar > Rules page.
Each entry in the log file provides information about a single request.
Previously, the entry included details of the source client IPs and protocol version that were used in the session to
which the request belongs.
To provide more precise information, each log file entry now lists the client IP and protocol version used by the
specific request.
• The
description
name was
changed to
Client IP. (No
impact on log
files.)
• The field now
Main Client IP src src c-ip lists the client
IP used by the
specific
request.
• The field was
moved to a
new location
in the log
entry.
Examples:
date time cs-vid cs-clapp cs-browsertype cs-js-support cs-co-support c-ip s-caip cs-clappsig s-capsupport s-suid
cs(User-Agent) cs-sessionid s-siteid cs-countrycode s-tag cs-cicode s-computername cs-lat cs-long s-accountname sr-
pop cs-protver cs-uri cs-postbody cs-version sc-action s-externalid cs(Referrer) s-ip s-port cs-method cs-uri-query sc-
status s-xff cs-bytes cs-start c-port cs-rule cs-severity cs-attacktype cs-attackid s-ruleName
date time cs-vid cs-clapp cs-browsertype cs-js-support cs-co-support cs-clappsig s-capsupport s-suid cs(User-Agent)
cs-sessionid s-siteid cs-countrycode s-tag cs-cicode s-computername cs-lat cs-long s-accountname sr-pop cs-uri cs-
postbody cs-version sc-action s-externalid cs(Referrer) s-ip s-port cs-method cs-uri-query sc-status s-xff cs-bytes cs-
start c-port cs-rule c-ip cs-protver cs-severity cs-attacktype cs-attackid s-ruleName
For more details on logs, see Log File Structure and Example Logs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-04-14 Release
New Features
None.
Enhancements
Enhanced caching control
Create custom cache rules using any of the expansive list of built-in filter parameters. This enhancement provides you
with greater control over which specific resources are cached and under what conditions.
For example, you can create a caching rule for the following scenario:
If the client type is recognized by our client classification mechanism as a crawler, such as Google crawler, and the
request is from Google, cache the resource for 1 day.
IF ClientType == Crawler & ASN == 15169 THEN Cache resource and set TTL = '1 days'
What changed: Previously, custom rules could be created based on URL only.
Availability: We are rolling out the changes over the next several weeks, with full rollout to all customers expected by
April 28th.
Where it’s located: From the Management Console sidebar, navigate to Websites > <your site> > Cache.
Each entry in the log file provides information about a single request.
The entry currently includes details of the source client IPs and protocol version that were used in the session to
which the request belongs.
To provide more precise information, each log file entry will list the client IP and protocol version used by the specific
request.
• The
description
name will be
Main Client IP src src c-ip
changed to
Client IP. (No
impact on log
files.)
Examples:
date time cs-vid cs-clapp cs-browsertype cs-js-support cs-co-support c-ip s-caip cs-clappsig s-capsupport s-suid
cs(User-Agent) cs-sessionid s-siteid cs-countrycode s-tag cs-cicode s-computername cs-lat cs-long s-accountname sr-
pop cs-protver cs-uri cs-postbody cs-version sc-action s-externalid cs(Referrer) s-ip s-port cs-method cs-uri-query sc-
status s-xff cs-bytes cs-start c-port cs-rule cs-severity cs-attacktype cs-attackid s-ruleName
date time cs-vid cs-clapp cs-browsertype cs-js-support cs-co-support cs-clappsig s-capsupport s-suid cs(User-Agent)
cs-sessionid s-siteid cs-countrycode s-tag cs-cicode s-computername cs-lat cs-long s-accountname sr-pop cs-uri cs-
postbody cs-version sc-action s-externalid cs(Referrer) s-ip s-port cs-method cs-uri-query sc-status s-xff cs-bytes cs-
start c-port cs-rule c-ip cs-protver cs-severity cs-attacktype cs-attackid s-ruleName
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-04-07 Release
New Features
User authentication using single sign-on (SSO)
Single sign-on for login to the Management Console is now available. SSO provides multiple benefits, including an
improved user experience and centralized user authentication management.
As part of our mission to better protect the pulse of your business, we have simplified our product portfolio and
officially retired the Incapsula.com website.
Each entry in the log file provides information about a single request.
The entry currently includes details of the source client IPs and protocol version that were used in the session to
which the request belongs.
To provide more precise information, each log file entry will list the client IP and protocol version used by the specific
request.
• The
description
name will be
Main Client IP src src c-ip
changed to
Client IP. (No
impact on log
files.)
Examples:
date time cs-vid cs-clapp cs-browsertype cs-js-support cs-co-support c-ip s-caip cs-clappsig s-capsupport s-suid
cs(User-Agent) cs-sessionid s-siteid cs-countrycode s-tag cs-cicode s-computername cs-lat cs-long s-accountname sr-
pop cs-protver cs-uri cs-postbody cs-version sc-action s-externalid cs(Referrer) s-ip s-port cs-method cs-uri-query sc-
status s-xff cs-bytes cs-start c-port cs-rule cs-severity cs-attacktype cs-attackid s-ruleName
date time cs-vid cs-clapp cs-browsertype cs-js-support cs-co-support cs-clappsig s-capsupport s-suid cs(User-Agent)
cs-sessionid s-siteid cs-countrycode s-tag cs-cicode s-computername cs-lat cs-long s-accountname sr-pop cs-uri cs-
postbody cs-version sc-action s-externalid cs(Referrer) s-ip s-port cs-method cs-uri-query sc-status s-xff cs-bytes cs-
start c-port cs-rule c-ip cs-protver cs-severity cs-attacktype cs-attackid s-ruleName
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-03-31 Release
New Features
None.
Enhancements
Custom rate rules
Create custom rates to use in security and delivery rules. A rate filter triggers the rule when the rate passes a specified
threshold.
For example, you can now create a security rule for the following scenario:
If a client accesses /login.html from China more than 20 times per minute, block it.
This new functionality boosts our ability to mitigate brute force or scraping attacks, which use a high rate of activity to
gain unauthorized access to resources.
Custom rate rules are an extension of our existing mitigation capabilities in which you can create custom security or
delivery rules to meet a specific need.
What changed: A new Rate action is available in rules. A rate rule counts the number of requests received that match
your specified criteria within a specified amount of time. Rate rules are run after redirect rules.
Once the rate rule is created, you can create a new security or delivery rule, using the rate in the rule filter.
Where it’s located: Management Console sidebar > Websites > Rules.
(Note that there is an addition to the changes reported in the March 24 release notes: Protocol Version.)
Each entry in the log file provides information about a single request.
The entry currently includes details of the source client IPs and protocol version that were used in the session to
which the request belongs.
To provide more precise information, each log file entry will list the client IP and protocol version used by the specific
request.
• The
description
name will be
changed to
Client IP. (No
impact on log
files.)
• The field will
Main Client IP src src c-ip list the client
IP used by the
specific
request.
• The field will
be moved to a
new location
in the log
entry.
Examples:
date time cs-vid cs-clapp cs-browsertype cs-js-support cs-co-support c-ip s-caip cs-clappsig s-capsupport s-suid
cs(User-Agent) cs-sessionid s-siteid cs-countrycode s-tag cs-cicode s-computername cs-lat cs-long s-accountname sr-
pop cs-protver cs-uri cs-postbody cs-version sc-action s-externalid cs(Referrer) s-ip s-port cs-method cs-uri-query sc-
status s-xff cs-bytes cs-start c-port cs-rule cs-severity cs-attacktype cs-attackid s-ruleName
date time cs-vid cs-clapp cs-browsertype cs-js-support cs-co-support cs-clappsig s-capsupport s-suid cs(User-Agent)
cs-sessionid s-siteid cs-countrycode s-tag cs-cicode s-computername cs-lat cs-long s-accountname sr-pop cs-uri cs-
postbody cs-version sc-action s-externalid cs(Referrer) s-ip s-port cs-method cs-uri-query sc-status s-xff cs-bytes cs-
start c-port cs-rule c-ip cs-protver cs-severity cs-attacktype cs-attackid s-ruleName
Removed Features
Incapsula Website Seal Heads up
On April 7, 2019 the Websites > General Settings > Show Seal option will be removed and the functionality
discontinued. This option enables you to display the Incapsula Website Seal of Security on your site.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-03-24 Release
New Features
None.
Enhancements
New caching and delivery capabilities
We are starting to roll out new caching and delivery capabilities and an enhanced user interface.
What changed: New Cache and Delivery setting pages have been added to the Management Console and now
include a more comprehensive set of capabilities. They replace the settings previously located in Website
Performance Settings.
Highlights:
• Purge by tag. Identify resources based on tags in the resource headers, and then purge the specific resources
according to tag name.
• Expanded caching options for caching HTTPS resources, client-side caching, tagging responses according to
origin response header value, cache key, and more.
• New delivery options to further enhance performance.
Availability: We are rolling out the changes over the next several weeks, with full rollout to all customers expected by
April 7.
• Cache Settings
• Delivery Settings
Each entry in the log file provides information about a single request.
The entry currently includes details of the source client IPs that were used in the session to which the request
belongs.
To provide more precise information, each log file entry will list the client IP used by the specific request.
• The
description
name will be
changed to
Main Client IP src src c-ip Client IP. (No
impact on log
files.)
• The field will
list the client
IP used by the
Examples:
CEF format before the change. The highlighted fields will be removed:
CEF format after the change. The highlighted field will be added:
W3C format - file header before the change. The highlighted fields will be removed:
date time cs-vid cs-clapp cs-browsertype cs-js-support cs-co-support c-ip s-caip cs-clappsig s-capsupport s-suid
cs(User-Agent) cs-sessionid s-siteid cs-countrycode s-tag cs-cicode s-computername cs-lat cs-long s-accountname sr-
pop cs-protver cs-uri cs-postbody cs-version sc-action s-externalid cs(Referrer) s-ip s-port cs-method cs-uri-query sc-
status s-xff cs-bytes cs-start c-port cs-rule cs-severity cs-attacktype cs-attackid s-ruleName
W3C format - file header after the change. The highlighted field will be added:
date time cs-vid cs-clapp cs-browsertype cs-js-support cs-co-support cs-clappsig s-capsupport s-suid cs(User-Agent)
cs-sessionid s-siteid cs-countrycode s-tag cs-cicode s-computername cs-lat cs-long s-accountname sr-pop cs-protver
cs-uri cs-postbody cs-version sc-action s-externalid cs(Referrer) s-ip s-port cs-method cs-uri-query sc-status s-xff cs-
bytes cs-start c-port cs-rule c-ip cs-severity cs-attacktype cs-attackid s-ruleName
On April 7, 2019 the Websites > General Settings > Show Seal option will be removed and the functionality
discontinued. This option enables you to display the Incapsula Website Seal of Security on your site.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-03-17 Release
New Features
None.
Enhancements
Change of default SAN settings in Imperva generated certificates
The default setting for the SAN types that are added to the Imperva SSL certificate have changed.
What changed: The default setting for Business and Pro Plan accounts has changed from wildcard domain SAN
(*.example.com) to full domain SAN (such as www.example.com).
For Enterprise plan accounts, the wildcard SAN continues to be the default option.
• Account level settings: Account admins can change the default settings that will be used for new sites created
in the account. For details, see Account Settings.
• Site level settings: You can override the default settings when creating a new site or enabling SSL for an
existing site. For details, see Onboarding a Site – Web Protection and CDN.
These options are also available using the API. For details, see Account Management API and Site Management API.
Fixes
None.
Known Issues
None.
Removed Features
Incapsula Website Seal
On April 7, 2019 the Websites > General Settings > Show Seal option will be removed and the functionality
discontinued. This option enables you to display the Incapsula Website Seal of Security on your site.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-03-10 Release
New Features
None.
Enhancements
Compare performance with and without Dynamic Content Acceleration
If Dynamic Content Acceleration is enabled for your site, you can use the origin_pop=disabled parameter to
bypass the functionality when sending a request to the site.
For example:
On April 7, 2019 the Websites > General Settings > Show Seal option will be removed and the functionality
discontinued. This option enables you to display the Incapsula Website Seal of Security on your site.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-03-03 Release
New Features
None.
Enhancements
Improved algorithm for DNS resolution yields improved performance
Until now, when a client would try to access your site, DNS queries would resolve to the IP of the Imperva PoP closest
to the client (end user). However when the closest PoP is located in another country, better performance is seen using
the PoP in the same country, although it may be located farther away.
What changed: Moving forward, when the closest PoP to a client is located in another country, and there is a PoP in
the same country, the DNS query will give higher priority to the IP of the PoP in the same country as the client.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
2019-02-17 Release
New Features
None.
Enhancements
Control the SANs in Imperva generated certificates
What changed: You can now choose which SAN types are added to the Imperva SSL certificate. This certificate is
generated when you onboard a new SSL site, or enable SSL for an existing protected site.
For example: For www.example.com, the wildcard SAN is *.example.com and the full domain SAN is
www.example.com.
• Add naked domain SAN. For sites with the www prefix, you can choose to also add the naked domain to the
certificate.
For example: For www.example.com, the SAN example.com is added to the certificate in addition to the
wildcard or full domain SAN.
• Account level settings: Account admins will be able to change the default settings that will be used for new
sites created in the account. For details, see Account Settings.
• Site level settings: The default settings can be overridden when creating a new site or enabling SSL for an
existing site. For details, see Onboarding a Site – Web Protection and CDN.
These options are also available using the API. For details, see Account Management API and Site Management API.
Within a few weeks we will update the default settings according to account plan. An update on this change will be
announced in the Release Notes.
• Enterprise plan accounts: The wildcard SAN will continue to be the default option.
• New Business and Pro plan accounts: The full domain SAN will be the default option, instead of the wildcard
domain SAN that is used currently.
What changed: Requests that are not suspicious and do not trigger alerts will no longer be displayed on the website
Events page. The reduced volume of items enables you to more easily focus in on the suspicious events.
This change is being rolled out over the next several weeks.
1. On the Management Console sidebar, click Websites and select a website from the list.
2. Click Events.
3. In the Event Details column, click More to view details about the requests in the event.
What changed: In order to streamline the analysis process, additional details are now available in Infrastructure
Protection Analytics for Source IP addresses, including country of origin and autonomous system number (ASN).
1. To view the Analytics, open the Infrastructure Protection Dashboard and select an IP range, a time range, and
filter for blocked or passed traffic.
2. Click a source IP address to display a popup with additional details.
For more details on Infrastructure Protection Analytics, see Analytics: DDoS Protection for Networks and IPs.
Fixes
None.
Known Issues
None.
Tip: Open the latest release notes directly from the Management Console's Help menu.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2019-02-10 Release
New Features
None.
Enhancements
Infrastructure Protection: Static routing configuration displayed in the Management Console
What changed: If your Infrastructure Protection connection is configured for static routing, you can now see the
configuration setup in the Management Console.
Where it’s located: On the Infrastructure Protection Network Settings page, under Routing Options, the Type column
displays Static Route. Click the connection name to view additional routing details.
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2019-02-03 Release
New Features
None.
Enhancements
Control the SANs in Imperva generated certificates
Within the next several weeks, we will introduce new options for the Imperva SSL certificate that is generated when
you onboard a new SSL site, or enable SSL for an existing protected site.
The new options will enable you to choose which SAN types are added to the certificate:
For example: For www.example.com, the wildcard SAN is *.example.com and the full domain SAN is
www.example.com.
• Add naked domain SAN. For sites with the www prefix, you can choose to also add the naked domain to the
certificate.
For example: For www.example.com, the SAN example.com is added to the certificate in addition to the
wildcard or full domain SAN.
• Enterprise plan accounts: The wildcard SAN will continue to be the default option.
• New Business and Pro plan accounts: The full domain SAN will be the default option, instead of the wildcard
domain SAN that is used currently.
Settings
• Account level settings: Account admins will be able to change the default settings that will be used for new
sites created in the account.
• Site level settings: The default settings can be overridden when creating a new site or enabling SSL for an
existing site.
Attack Analytics
You can now filter the dashboard data according to targeted host.
Fixes
EDNS Compliance
To meet new standards for EDNS, major DNS software and service providers agreed to remove accommodations for
non-compliant DNS implementations on or around February 1. To learn more about the DNS changes, see https://
dnsflagday.net/.
In preparation for these DNS Flag Day changes, the ISC provided an EDNS Compliance Tester: https://
ednscomp.isc.org/ednscomp.
Problem: Incapsula DNS is fully EDNS compliant. However, tests run on incapdns.net and some customer domains
using our name server protection were not completing successfully.
Solution: We are rolling out a fix over the next week that enables the tests to pass.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2019-01-27 Release
New Features
Topology view for Infrastructure Protection
View a graphical representation of your Infrastructure Protection connections and BGP peering topology.
Where it’s located: In the Management Console, navigate to Infrastructure > Network Settings and click Topology
view.
You can also click the arrow to access the new Settings view for a view of the connection settings.
Support for TLS 1.3 is now being rolled out and will be completed over the next several weeks.
Enhancements
TLS update
To enhance TLS security, client-initiated TLS renegotiation is being disabled and will be completed over the next
several weeks.
The default error page, which is presented to clients when a web page cannot be displayed, will be updated on 28/1.
The text "Powered by Incapsula" is being changed to "Powered by Imperva". The link remains the same. This may be
relevant if you have a script that identifies the error page according to this text, for example.
What changed: You can now view the following details of the connections between Incapsula and your origin
network:
• Origin Connectivity: Maximum transmission unit (MTU) available for GRE connections. Click the connection
name to view the connection settings.
• Routing Options: Your account’s BGP peer configuration.
• ASN configuration: The autonomous systems that Incapsula uses for communication between Incapsula’s
network and your origin network.
Where it’s located: In the Management Console, navigate to Infrastructure > Network Settings.
We have identified an issue in the Cedexis test and have therefore temporarily removed the Imperva Dynamic CDN
platforms (under Dynamic Object Delivery) from view in the Cedexis Country Report.
We will update once the issue is resolved and the platforms are available again.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2019-01-13 Release
New Features
Troubleshooting Connectivity Report
A new report is available to help resellers troubleshoot connectivity issues for their customers. The report is available
per site and provides information such as ping, dig, trace, and cURL, to assist resellers with initial debugging.
Availability: The report is being rolled out to resellers over the next few weeks. When the feature has been enabled
for an account, a banner displays when logging in to the Management Console.
1. In the Management Console, navigate to the Websites > Dashboard > Performance tab.
2. Scroll down to view the Connectivity Report section.
3. Select a PoP from the list and click Run Report.
This release introduces many new parameters to use when creating custom rules.
What changed: In addition to the existing filter parameters for bot protection, protection against ATO, application
hardening, rate limiting, and advanced access control, here are a few highlights of what the new parameters have to
offer:
Where it’s located: On the Management Console sidebar, click Rules to access. When you add or edit a rule, filter
parameters are listed in the Rule Filter section in the If field.
For details on all the filter parameters, see Rule Filter Parameters.
The new Rules page announced last week in the 2019-01-06 Release is now implemented for all customers.
What changed: The option to add a site to your account without the automated DNS check for the origin IP is now
available in the Management Console. This enables you to prepare the site but configure its DNS records at a later
time.
• In the Management Console: On the Websites page, click Add Site to access the “add site” wizard. Select
Advanced configuration to configure the options. For more details, see Onboarding a Site – Web Protection and
CDN.
• Via the API (existing functionality): When adding a site using the Site Management API > Add site operation, use
the site_ip parameter to manually set your web server IP/CNAME and skip the automated DNS check. For more
details, see Site Management API.
The naming convention for the log files that are pushed to your repository has changed, as announced last week in
the 2019-01-06 Release .
The following CDN platforms are available through the Cedexis Country Report (no login required).:
• Total traffic view removed from Infrastructure Protection Dashboard: The redundant Total option for viewing
overall traffic for your IP Ranges has been removed from the Traffic filter. The All option continues to display
passed and blocked traffic in the graphs.
• Significant performance improvements have been made to the Infrastructure Protection Dashboard.
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2019-01-06 Release
New Features
None.
Enhancements
Improved performance with Dynamic Content Acceleration
The new Dynamic Content Acceleration service is designed to improve response time to your origin server by
leveraging Incapsula’s high-quality connectivity between Incapsula network PoPs.
When this service is activated, client requests are sent over the Incapsula network from the receiving PoP to the PoP
with the best connectivity time to your origin server, resulting in improved performance.
What changed: Enterprise plan customers can now opt-in to the Dynamic Content Acceleration Service via the
Management Console.
Where it's located: A new Origin PoP setting is available in the Management Console’s Website Settings > Origin
Servers section, under the Server IPs or Data Center settings.
To activate the service, select the Origin PoP with the lowest round-trip time. A list of recommended PoPs is available
to assist you in selecting the best PoP for a location. For full details, see Dynamic Content Acceleration.
You can also configure the option using the Set Data Center Origin PoP and Get Data Center Recommended Origin
PoP Site Management API operations. For details, see Site Management API.
What changed: IncapRules and Delivery Rules are now configured and managed on one page in the Management
Console. The new Rules page is based largely on the Delivery Rules page with some minor modifications:
• IncapRules are now named Security rules and listed under the Security section. Note that priority is not listed
for security rules (IncapRules). This is because all security rules are run, as opposed to other rule types where
the rules are run according to priority order until the first match for that rule type is found.
• Tabs were added enabling you view all rules of each type separately.
Availability: The new UI is currently being rolled out and will be available to all customers over the next few weeks.
• The page was redesigned to improve the user experience. Easily create and manage all rules in one location,
with a consistent UI. The IncapRules were brought into the more mature UI used for Delivery Rules.
• All rules are displayed in one location, providing you with a clearer view of how the rule mechanism works. For
example, redirect rules are evaluated first. If there are no matches, the security rules are then evaluated, then
rewrite rules, and finally, forward rules.
• The new tabs provide a faster way to view the information you’re looking for. For example, if you’re interested in
Forwarding rules, you don’t need to page through all of the other rules to get to them.
Where it’s located: The new Rules tab is now available on the sidebar after selecting a website.
Attack Analytics
For details on each of these enhancements, see Attack Analytics Release Notes.
Changes include:
You can download the package via the Management Console Logs Setup page, or directly from github: https://
github.com/imperva/incapsula-siem-package-graylog/
Previously, monitoring was performed over HTTP (over port 80) for all sites. This resulted in servers for HTTPS sites
being unnecessarily reported as down when communication failed. As a workaround, our Support team manually
configured sites to use HTTPS (over port 443) for monitoring when necessary.
Moving forward, HTTPS over port 443 will be the default protocol and port for monitoring HTTPS sites. The change
will be implemented for existing HTTPS sites over the next several weeks.
Note that a server that is currently reported with a “down” status may return to an “up” status when the change is
implemented. This can result in traffic being directed to such a server by our load balancing mechanism after a period
of inactivity.
This change affects the push mode of SIEM integration, in which your logs are pushed to your pre-defined SFTP or
Amazon S3 repository,
On January 13, 2019 we will implement a change in our log push process, which required a change in the naming
convention for the log files that are pushed to your repository.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-12-09 Release
New Features
None.
Enhancements
Delete stored data
You can now permanently delete the data stored for your account. This enables you to remove all potentially sensitive
or personal data that is stored in our systems, such as IP addresses.
The deletion process is carried out at the account level. If the account has sub accounts, data from the sub accounts is
also deleted.
Note:
• For an Enterprise plan account that was previously set up as a reseller account in order to implement sub
accounts, data can be deleted at the sub account level only. If this type of account has already been migrated to
the new Sub Account feature as described in Manage Account Resources, data is deleted at the account level.
• For reseller accounts, data can be deleted at the sub account level only.
You can now download Analytics data from all top traffic pattern tables at the same time.
For more details, see Analytics: DDoS Protection for Networks and IPs.
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-12-02 Release
New Features
None.
Enhancements
Improved Network Traffic Dashboard
The enhanced Network Traffic Dashboard introduces an improved user interface and improved performance,
including a breakdown by passed and blocked Layer 3/4 traffic.
Where it's located: On the Management Console sidebar, click Network Traffic.
The option to add a site to your account without configuring DNS is now available via the API. This enables you to
prepare the site but configure DNS at a later time.
Where it’s located: When adding a site using the Site Management API > Add site operation, use the site_ip
parameter to manually set your web server IP/CNAME and skip the automated DNS check.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-11-18 Release
New Features
None.
Enhancements
New Purge Cache Permission
A new permission was added for purging the cache for a protected website. This new permission introduces greater
granularity, enabling the account administrator to grant this permission only to developers that require purge
functionality without the ability to modify site security and other settings.
The Purge cache permission enables a user to purge the site’s cache, or purge specific resources in the site cache.
What changed:
The Purge cache permission, and not the Modify site settings permission, is now required for the following
functionality:
• Management Console: Website > Settings > Performance > Purge Cache and Purge Specific Resource
• Site Management APIs: Purge Site Cache and Purge Resources
Backward compatibility:
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-11-04 Release
New Features
None.
Enhancements
New API to retrieve subscription details
Use the new Get Account Subscription API operation to get subscription information for your account, including
details of your plan, usage, and subscribed services.
Note: This functionality was originally introduced on September 2, 2018 and then temporarily disabled to address an
issue that was identified. The feature has now been reopened.
Reduce the workload on your team by safely delegating the onboarding and management of applications to their dev
owners, while limiting user access to the parent account (which includes the Subscription, Users, and other sections
that might require limiting access).
What changed: The Access Parent Account user permission was added to Enterprise plan accounts. This permission
enables users with sub account access to also access the parent account. It is enabled by default.
To limit a user’s access to their assigned sub accounts only, remove this permission. When it is not selected, all other
permissions are disabled.
Where it's located: Log in to the parent account in the Management Console. On the sidebar, click Management >
Users. Click a user row to open the Settings panel.
New Attack Analytics dashboard provides an at-a-glance view of the attacks on your system
What changed: A new dashboard for Attack Analytics was added. The dashboard displays the distribution of top
metrics, enabling you to quickly identify problem areas and drill down for a closer look.
Note: A majority of the dashboard functionality is delivered in this release, while additional drill-down functionality is
scheduled to be added in the coming weeks.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-10-28 Release
New Features
None.
Enhancements
Change in alert notifications for website DDoS attacks
What changed: If your website’s DDoS mitigation mode is set to On or Off, DDoS alerts are no longer logged when an
attack is detected or has ended:
• Alerts are not listed in Websites > Dashboard > Activity Log.
• Email notifications are not sent.
Alerts continue to be logged and sent for DDoS attacks if your site is set to Automatic mode.
Where it’s located: Your website’s DDoS settings are located in the Management Console Websites > Settings > WAF
> DDoS:
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-10-21 Release
New Features
None.
Enhancements
Open source SIEM packages now hosted in GitHub
What changed: SIEM application packages for the Incapsula log integration, previously stored in Incapsula, are now
publicly available and hosted in GitHub. These packages are the responsibility of and can benefit from contributions
by the open source community.
Where it’s located: Links to these SIEM packages in GitHub, as well as links to other SIEM packages for integration
with Incapsula, are located in the Management Console Logs page.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-10-14 Release
New Features
None.
Enhancements
Self-service trial for Attack Analytics
What’s changed: Enterprise plan customers can now launch a free, 14-day trial of Attack Analytics directly from the
Management Console. Attack Analytics correlates and distills thousands of security events into a few readable security
narratives.
Where it’s located: On the Management Console sidebar, click Attack Analytics and then Start Trial.
For more details on Attack Analytics, see Imperva Attack Analytics and Attack Analytics Documentation .
When a DDoS attack has ended, Infrastructure Protection customers are notified by email. The email now includes
additional useful information:
• Attack duration.
• Maximum (peak) blocked traffic during the attack.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-10-07 Release
New Features
None.
Enhancements
Modify the Reference ID field
What changed: The existing Reference ID field is now open for editing by Resellers and Enterprise plan customers.
Reference ID is a free-text field that enables you to add a unique identifier to correlate an object in our service, such as
a protected website, with an object on the customer side.
Where it’s located: This field is available when creating or editing an Incapsula account or website.
• Account-level setting: The Reference ID field is located in Account Settings or Sub Account Settings.
• Site-level setting: The Reference ID field is located in Websites > Settings > General, under Additional
Settings.
API: The ref_id parameter was added to the Modify Account Configuration and Modify Site Configuration operations,
enabling you to set the Reference ID field for an account or site.
Where it’s located: In the Attack Analytics Incident Details, under Events Sample, double-click an event. The encode,
decode, and copy buttons are located next to relevant fields.
Example:
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-09-16 Release
New Features
None.
Enhancements
None.
Fixes
Removing quarantined URLs from the backdoor protection list
A fix was implemented for the Modify Site Security Configuration API parameter that controls quarantined URLs.
You can now use the quarantined_urls parameter to remove a URL from the backdoor protection list.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-09-02 Release
New Features
None.
Enhancements
User isolation in a sub account
Update 2018-09-09: An issue was discovered. To avoid any further inconvenience, the feature has been temporarily
disabled. When fixed, it will be reopened.
Reduce the workload on your team by safely delegating the onboarding and management of applications to their dev
owners, while limiting user access to the parent account (which includes the Subscription, Users, and other sections
that might require limiting access).
What changed: The Access Parent Account user permission was added to Enterprise plan accounts. This permission
enables users with sub account access to also access the parent account. It is enabled by default.
To limit a user’s access to their assigned sub accounts only, remove this permission. When it is not selected, all other
permissions are disabled.
Where it's located: Log in to the parent account in the Management Console. On the sidebar, click Management >
Users. Click a user row to open the Settings panel.
The list of client types and IDs in our client classification database is now published in the online help. This can be
useful when defining IncapRules or Delivery Rules. For details, see Client Classification.
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-08-19 Release
New Features
None.
Enhancements
None.
Fixes
Client application fields fixed in W3C format
As part of a recent fix to synchronize log file formats, the values of the Client App field (cs-clapp) and the Browser Type
field (cs-browsertype) in W3C format were temporarily switched between the fields. Based on customer feedback, the
fields have been reverted to their original states. This fix is being gradually rolled out to customers starting today.
Field Description
The name of the client application, such as Firefox
cs-clapp
or Chrome.
The type of client application, such as browser,
cs-browsertype
search bot, or hacking tool.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-07-30 Release
New Features
None.
Enhancements
Infrastructure Protection Analytics
See top traffic patterns for traffic flowing through the Incapsula Infrastructure Protection service.
The Infrastructure Protection service previously provided visibility at the IP range level.
The new Infrastructure Protection Analytics provides significantly enhanced visibility. Destination details identify
specific targeted servers and services, while source details shed light on the attack and attacker.
• View statistics on traffic by source or destination IP, by source or destination port, or by packet size for your
protected network.
• View blocked (DDoS) traffic or clean traffic.
• View historical attack data from the previous 90 days to analyze behavior over time and better understand
traffic patterns affecting your network.
• Easily identify false positives and review specific characteristics of an attack to pinpoint actionable details.
Note: As the Analytics service has just recently started aggregating data, only a limited amount of Analytics data will
be initially visible.
Access Infrastructure Protection Analytics via the Infrastructure Dashboard. For details, see Analytics: DDoS Protection
for Networks and IPs.
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-07-22 Release
New Features
None.
Enhancements
New Data Storage Region APIs
• Set site regions by origin geolocation: Sets the data storage region for each new site based on the geolocation
of the origin server.
• Check site regions by origin geolocation: Checks if the data storage region for each new site is based on the
geolocation of the origin server.
For full details on the new operations, see Site Management API.
Attack Analytics: Direct link added from violations to your site settings in the Incapsula Management Console
To enable you to easily adjust your security settings, a direct link was added from violations in the Attack Analytics
Console to your website settings in the Incapsula Management Console.
In the Attack Analytics Console, on the incident details page, under Which violations were discovered? click the info
icon next to a violation.
Note: The link is available only on incidents that occurred after the new functionality was added.
Click a link in the Site list to open the Incapsula Management Console.
For more details on Attack Analytics, see the Attack Analytics Documentation.
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-07-15 Release
New Features
None.
Enhancements
Change in Data Storage Region Configuration
To simplify configuration of the data storage location, the new Default data storage region setting was introduced for
selecting the data storage region for all services, including WAF (website) events, logs, DDoS attack data, and IP
addresses.
If you want the system to automatically select the WAF event storage location for each website independently, you
can opt-in by selecting the Override site event data region by origin geolocation option.
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-07-01 Release
New Features
None.
Enhancements
None.
Fixes
Account Resources (Sub Accounts)
Problem: An issue was detected for some customers using sub accounts. When moving a site from a parent account to
a sub account, or between sub accounts, security events that occurred before the move were saved but were no
longer displayed in the Management Console’s Events page. To mitigate this issue, new accounts created on or after
May 13, 2018 could not create sub accounts.
Solution: The site move issue was fixed in the 2018-06-24 release. In this release, sub account creation is re-enabled
for new accounts created on or after May 13, 2018.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-06-24 Release
New Features
None.
Enhancements
API Update - Add/Edit Data Center
• The is_standby parameter is deprecated. The functionality was incorrectly labeled. A corrected is_standby
parameter will be added at a later date.
• The is_enabled parameter was added.
Problem: An issue was detected for some customers using sub accounts. When moving a site from a parent account to
a sub account, or between sub accounts, security events that occurred before the move were saved but were no
longer displayed in the Management Console’s Events page.
Solution: This issue is fixed. For existing customers/accounts that have implemented sub accounts, you can now
move sites between accounts or sub accounts. Note that customers who already moved their sites cannot see events
that occurred before the move.
Known Issues
Account Resources (Sub Accounts)
An issue was detected for some customers using sub accounts. When moving a site from a parent account to a sub
account, or between sub accounts, security events that occurred before the move were saved but were no longer
displayed in the Management Console’s Events page.
To prevent any further inconvenience, new accounts created on or after May 13, 2018 cannot currently create sub
accounts. This functionality will be restored in the coming weeks.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-06-17 Release
New Features
None.
Enhancements
API Key Management
Create and manage API keys with granular permissions and sub account access.
API Key Management enables you to integrate Incapsula into your environment and streamline processes while
enforcing permission based access control and sub-account access, resulting in the reduced risk of human error. For
example, an API key can have permissions to make changes to a specific sub account without being able to access
other sub accounts that are outside of the user’s area of responsibility.
Overview
• API keys inherit the user's permissions and sub account access.
• The account admin or any user with the appropriate permissions (Manage users and permissions and Manage
API keys) can create and manage keys for all account users.
• Any user with the Manage API keys permission can create and manage their own API keys (up to five keys per
user account).
• Add a name and description to an API key to indicate what it is used for.
• Export the API key list. This action exports details such as user, name, description, and status in csv format. It
does not export the key itself.
Attack Analytics
For incidents that have a predominant source IP, you can now view the list of all incidents that include this IP as a
source.
In the Attack Analytics Console, select an incident and view the details in the right pane. Click the Find all incidents
icon next to the IP address to view all associated incidents.
An issue was detected for some customers using sub accounts. When moving a site from a parent account to a sub
account, or between sub accounts, security events that occurred before the move were saved but were no longer
displayed in the Management Console’s Events page.
The following changes have been implemented on a temporary basis to prevent any further inconvenience until the
problem is resolved:
• For new accounts created on or after May 13, 2018: You cannot create sub accounts.
• For existing customers/accounts: You cannot move sites between accounts or sub accounts.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-06-10 Release
New Features
None.
Enhancements
Regional Data Storage for Infrastructure Protection Data
By default, data collected by Incapsula Infrastructure Protection is stored in the US. You can now select an alternative
data storage region for Infrastructure Protection data.
Stored data includes network layer 3/4 headers, which contain IP addresses.
An issue was detected for some customers using sub accounts. When moving a site from a parent account to a sub
account, or between sub accounts, security events that occurred before the move were saved but were no longer
displayed in the Management Console’s Events page.
The following changes have been implemented on a temporary basis to prevent any further inconvenience until the
problem is resolved:
• For new accounts created on or after May 13, 2018: You cannot create sub accounts.
• For existing customers/accounts: You cannot move sites between accounts or sub accounts.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-06-03 Release
New Features
None.
Enhancements
New Network Settings page for Infrastructure Protection customers
The details of connections between Incapsula’s network and a customer's origin network were previously displayed in
the Management Console under Infrastructure > Protection Settings. The origin connection details are now
displayed on the Infrastructure > Network Settings page.
Fixes
None.
Known Issues
Account Resources (Sub Accounts)
An issue was detected for some customers using sub accounts. When moving a site from a parent account to a sub
account, or between sub accounts, security events that occurred before the move were saved but were no longer
displayed in the Management Console’s Events page.
The following changes have been implemented on a temporary basis to prevent any further inconvenience until the
problem is resolved:
• For new accounts created on or after May 13, 2018: You cannot create sub accounts.
• For existing customers/accounts: You cannot move sites between accounts or sub accounts.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-05-29 Release
Introducing Attack Analytics: Speed up the security investigation of WAF
alerts
Attack Analytics uses artificial intelligence to automatically consolidate thousands of security alerts to help you
prioritize which critical events to address.
Attack Analytics provides a comprehensive view of attacks and attackers targeting your resources.
The service aggregates and analyzes your account’s security alerts, identifies common characteristics, and groups
them into meaningful security incidents.
The sophisticated analysis can help you achieve the following objectives:
https://www.imperva.com/products/application-security/attack-analytics/
https://docs.imperva.com/management/attack_analytics
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-05-27 Release
New Features
None.
Enhancements
Change in TLS version support
As of May 27 2018, Incapsula will set TLS 1.2 as the minimum supported version, by default, for connectivity between
clients (visitors) and the Incapsula service. Enforcement will be gradually rolled out to customers during the week.
PCI-DSS v3.2 compliance requires disabling the use of TLS 1.0 as of July 1, 2018. To comply with this requirement, and
due to the known vulnerabilities in TLS 1.1, Incapsula has defined TLS 1.2 as the default minimum supported version.
This also applies to the Incapsula Management Console and the Incapsula API.
For our Enterprise and Business plan customers who require continued support of TLS 1.0 or TLS 1.1 while they
prepare their customers, applications, or tools to support TLS 1.2 only, an option to maintain current functionality has
been added to the UI and API.
An issue was detected for some customers using sub accounts. When moving a site from a parent account to a sub
account, or between sub accounts, security events that occurred before the move were saved but were no longer
displayed in the Management Console’s Events page.
The following changes have been implemented on a temporary basis to prevent any further inconvenience until the
problem is resolved:
• For new accounts created on or after May 13, 2018: You cannot create sub accounts.
• For existing customers/accounts: You cannot move sites between accounts or sub accounts.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-05-21 Release
New Features
None.
Enhancements
Change in response time calculation
To improve the accuracy of response time, a change was made to the calculation. Response time for requests sent
from Incapsula to your sites is calculated as follows:
• Previous definition of response time: From the time the Incapsula proxy finishes sending request headers to the
origin, until the origin starts sending the response to the proxy.
• Current definition of response time: From the time the Incapsula proxy has decided to send a request to the
origin (before opening a connection to the origin), until the origin finishes sending the response to the proxy.
Due to this change, the Average response time graph may display increased values.
The Average response time graph is displayed in the Incapsula Management Console for each protected site under
Websites > Dashboard > Performance. Each data point in the graph represents the average of the last 10 minutes.
(This has not changed.)
The following fields were added to Incapsula logs and are being gradually rolled out to customers starting today:
Fixes
Changes in log file format
For consistency between the different file formats, the following changes were made in the format of log fields that
are provided in each log entry:
fileType=3 filePermission=4
cs9= cs9Label=Rule name
fileType=3 filePermission=4
cs9=Test description
cs9Label=Rule name
Known Issues
Account Resources (Sub Accounts)
An issue was detected for some customers using sub accounts. When moving a site from a parent account to a sub
account, or between sub accounts, security events that occurred before the move were saved but were no longer
displayed in the Management Console’s Events page.
The following changes have been implemented on a temporary basis to prevent any further inconvenience until the
problem is resolved:
• For new accounts created on or after May 13, 2018: You cannot create sub accounts.
• For existing customers/accounts: You cannot move sites between accounts or sub accounts.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-05-13 Release
New Features
None.
Enhancements
New CAPTCHA approved for China
When Incapsula security rules require it, visitors to an Incapsula protected website are presented with a CAPTCHA
challenge. However, Google’s reCAPTCHA technology used by Incapsula is blocked in China.
In this release, we introduce an additional CAPTCHA mechanism, which is licensed and approved for China. This new
CAPTCHA will be presented to visitors from China, when required.
The new functionality will be rolled out to customer sites during the coming weeks.
Note: For customers using a custom challenge page, there is no change in functionality.
Fixes
None.
Known Issues
Account Resources (Sub Accounts)
An issue was detected for some customers using sub accounts. When moving a site from a parent account to a sub
account, or between sub accounts, security events that occurred before the move were saved but were no longer
displayed in the Management Console’s Events page.
The following changes have been implemented on a temporary basis to prevent any further inconvenience until the
problem is resolved:
• For new accounts created on or after May 13, 2018: You cannot create sub accounts.
• For existing customers/accounts: You cannot move sites between accounts or sub accounts.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-04-29 Release
New Features
None.
Enhancements
Updated Log Values
To further clarify definitions of blocked events in Incapsula logs, we have replaced the generic Normal value with
more descriptive names that reflect the reason for the block or the outcome of the event.
Values of the Rule Name field have been changed in the following instances:
1. For requests that were suspended in order to present a bot challenge to the client:
2. For requests that were not necessarily suspicious or malicious but were part of a blocked session or visitor:
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-03-25 Release
New Features
Regional Data Storage APIs
New operations were added to view and manage data storage regions for accounts and sites.
The account level operations enable you to view and set the default region for new sites created in the account:
The site level operations enable you to view and set the data storage region for a site:
When creating a new account, resellers can now choose to delay sending the activation email. This enables you to
customize and configure a new account before sending the email to your end-user customer.
A Send Automatic Activation Email option was added to the Add New Account dialog box, and is selected by
default. To send the mail at a later time, clear this option.
When you are ready to send the activation mail, use the Resend now link under Misc in Account Settings.
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-03-18 Release
New Features
Regional Data Storage
Regional data storage is now available, providing regional data isolation and control at the site level. Data can be
isolated per region, per site, in accordance with data privacy requirements. The available regions are APAC, EU, and
US.
Data that is collected for a site is assigned to its designated regional PoPs (data centers). By default, Incapsula assigns
a region to a site based on geolocation of the origin server registered for the site.
You can view the region to which a site is currently assigned, and the account administrator can override the default
region. In the Management Console, navigate to Websites > <your site> > Settings > General > Data Storage.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-03-11 Release
New Features
None.
Enhancements
Change in TLS version support
As of April 29, 2018, Incapsula will set TLS 1.2 as the minimum supported version, by default, for connectivity between
clients (visitors) and the Incapsula service.
PCI-DSS compliance requires disabling the use of TLS 1.0 as of July 1, 2018. To comply with this requirement, and due
to the known vulnerabilities in TLS 1.1, Incapsula has defined TLS 1.2 as the default minimum supported version. This
also applies to the Incapsula Management Console and the Incapsula API.
For our Enterprise and Business plan customers who require continued support of TLS 1.0 or TLS 1.1 while they
prepare their customers, applications, or tools to support TLS 1.2 only, an option to maintain current functionality has
been added to the UI and API.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-03-04 Release
New Features
None.
Enhancements
Change in reseller email notification options for customers exceeding bandwidth
Notifications of excess bandwidth usage for an account can now be sent to customers, to resellers, or to both.
Previously, resellers could receive notifications only if the customer option was enabled.
The setting is available to resellers in the Management Console under Management > Account Settings > Email
Settings:
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-02-18 Release
New Features
None.
Enhancements
Email threat alert notifications
The content of threat alert notifications sent via the Incapsula Management Console has been modified.
As announced in the 2017-08-06 Release Notes, a single mail is sent for all alerts occurring within a 5-minute interval.
This release introduces richer sample data in the mail and a more efficient design.
• Up to three session samples, including details on the session ID, client, user agent, entry page, and number of
requests.
• For each session, up to three request samples including details on threat type, action, URL, query string, and
attack pattern, depending on the threat type.
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-02-11 Release
New Features
Manage Account Resources (RBAC)
Group your resources to simplify the management of enterprise accounts and manage user access.
The new sub accounts feature enables you to group and manage sites together based on department, function, or
other business criteria, and assign users to only those resources they are responsible for managing or require access
to.
This feature is available for Enterprise plan accounts only. There is no change to Reseller accounts.
To support sub accounts, the following new operations were added to the Incapsula API:
To enable you to move a site to a sub account or between sub accounts, the new Move site API operation was added.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-02-04 Release
New Features
None.
Enhancements
CAA Compliance
As of September 2017, the CA/Browser Forum Baseline Requirements require all Certificate Authorities (CAs) to check
for Certificate Authority Authorization (CAA) records before issuing or renewing certificates. A CAA record enables
domain owners to specify on their DNS which CAs are authorized to issue certificates for their domain.
To ensure the successful issuing of certificates, Incapsula now checks for and requires CAA compliance when
onboarding a new SSL site or enabling SSL support for an existing site. This applies to Incapsula generated certificates
(including multi-domain SAN certificates) only.
If your DNS zone file currently contains CAA records, but does not contain a record for the CA you are requesting
a certificate from, that CA cannot issue or renew a certificate for your domain.
CAA API
• The Check CAA compliance operation was added to enable you to check your site's associated SANs for CAA
compliance.
• A new value for the validation_status parameter was added to the Get Site Status operation:
pending_caa_records_change.
To remove the security overhead of managing and sending private keys over the web, you can now upload a custom
certificate for your site to Incapsula, without providing a private key.
A new API enables you to generate a CSR to submit to the CA, while Incapsula manages the private key.
A link to the SIEM integration package for Sumo Logic is now available from the Logs Setup page in the Management
Console. For details on configuring the Incapsula App for Sumo Logic, see Installing a SIEM Package.
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-01-28 Release
New Features
None.
Enhancements
Reduced number of monitoring requests to origin
Previously, load balancing monitoring was conducted by each proxy. To reduce the monitoring load on your origin
servers, Incapsula now conducts monitoring per PoP, significantly reducing the number of monitoring requests sent to
your system.
Dedicated IP renamed
The Dedicated IP service was renamed to Dedicated Network. This change is reflected in the Management Console
Subscription page.
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-01-21 Release
New Features
None.
Enhancements
Digitally signed emails
All email sent by the Incapsula management system is now digitally signed. You can take advantage of this
enhancement and boost your email authentication process by verifying DKIM signatures.
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-01-14 Release
New Features
None.
Enhancements
Infrastructure Protection Statistics and Events APIs
Two new Infrastructure Protection APIs enable you to get information for an account, IP, or IP range on:
• statistics such as traffic type, showing a breakdown of traffic by packet type, or the global distribution of all
incoming traffic across Incapsula PoPs
• events such as origin connection or IP protection status
For more details, see the Get Infrastructure Protection Statistics and Get Infrastructure Protection Events
operations in the Traffic Statistics and Details API.
A SIEM integration package for Sumo Logic is now available. For details on configuring the Incapsula App for Sumo
Logic, see Installing a SIEM Package.
On January 21, 2018 we will implement DKIM digital signing on all email sent by the Incapsula management system.
You can take advantage of this enhancement and boost your email authentication process by verifying DKIM
signatures.
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2018-01-07 Release
New Features
None.
Enhancements
Infrastructure Protection Test Alert APIs
The new Infrastructure Protection Test Alert APIs enable you to send dummy notifications for DDOS attack status,
Infrastructure Protection connection status, IP Protection status, and Infrastructure Monitoring status. For details, see
Infrastructure Protection Test Alerts API.
Examples of IncapRules for some common use cases were added to the documentation, including screenshots and
code snippets illustrating how to implement each of the scenarios. For examples of how to manage scrapers and
comment spammers, block account takeover attempts, implement rate limiting and more, see Security Rule Use Case
Examples.
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2017-12-03 Release
New Features
None.
Enhancements
API updates
• List Rules: Pagination parameters were added to the List Rules operation (/api/prov/v1/sites/incapRules/list),
enabling you to configure pagination options for the response. This change impacts the response output of the
API call. The default response contains 50 items per page.
Previously, all items were returned. After the change, only the first 50 are returned. To return the complete list,
you need to iterate using the page_size and page_num parameters.
• List Account Rules: The List Account Rules operation (/api/prov/v1/sites/incapRules/account/list) was
deprecated. The functionality is still available using the List Rules operation.
• Add/Edit Rule: New debugging information was added for IncapRules API Add Rule and Edit Rule operations.
The debug_info field, which is included in the API responses, now contains a list of validation errors for the filter
parameter. The validation_errors field indicates when there is an error in the syntax of the filter, and can provide
you with information as to why a call has failed.
The heuristics algorithm that handles dynamic resource caching was changed to prevent the risk of inadvertently
returning HTML resources that may contain personal information, such as PII, ePHI, and PAN data.
To support this change, the Apply acceleration setting also to HTTPS option, located in the Management Console
under Websites > Settings > Performance > Advanced Settings, was removed. Customers who use the Static +
Dynamic caching mode and had previously enabled the Apply acceleration setting also to HTTPS option may see a
change in caching heuristics for certain resources. Specifically, some dynamic resources, such as HTML in https, which
may previously have been cached, will no longer be cached. For more details on the default behavior for caching
HTTPS traffic or to configure explicit caching rules, see Cache Settings.
The corresponding API parameter was also removed from the Advanced Cache Settings API operation: Site
Management API > Advanced Caching Settings > accelerate_https. There is no API breakage but using the
parameter will have no effect.
The Account Users page has been redesigned and relocated. To view and manage the list of users who have access to
your account, log in to the Management Console and navigate to Management > Users. For more details, see Account
Users.
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2017-11-05 Release
New Features
None.
Enhancements
New Infrastructure Protection Dashboard
A revamped Infrastructure Protection Dashboard with major improvements is now available in the Management
Console.
Feature highlights
For full details or to view the quick start slideshow, see Security Dashboard: DDoS Protection for Networks and IPs.
API updates
• Pagination parameters will be added to the List Rules operation (/api/prov/v1/sites/incapRules/list), enabling
you to configure pagination options for the response. This change will impact the response output of the API
call. The default response will contain 50 items per page.
Currently, all items are returned. After the change, only the first 50 will be returned. To return the complete list,
you will need to iterate using the page_size and page_num parameters.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2017-10-29 Release
New Features
None.
Enhancements
New DDoS mitigation Service Level Agreement
A new SLA is applicable to customers who joined or renewed the Incapsula service on or after October 5, 2017.
Incapsula previously offered a 5-minute DDoS mitigation SLA. This is now updated to 10 seconds. See the SLA for
more details.
To download the full SLA, log in to your account in the Management Console, and navigate to the Subscription page:
Management > Subscription.
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2017-10-22 Release
New Features
None.
Enhancements
Changes to the Dynamic Resource Caching Algorithm
Within the next few weeks, we are planning to remove the Apply acceleration setting also to HTTPS option, located
in the Management Console under Advanced Settings on the Performance Settings page.
Customers who use the Static + Dynamic caching mode and activated the Apply acceleration setting also to HTTPS
option may see a change in caching heuristics for certain resources. Specifically, some dynamic resources, such as
HTML in https, which may previously have been cached will no longer be cached.
To control explicit cache behavior, configure caching rules on the Performance Settings page. For details, see Cache
Settings.
Fixes
Change in CEF log file format
The values of the Attack Severity field in the CEF log file format were changed to align with the W3C format.
The values represent the different attack types. Incapsula uses the field as it is part of the default CEF and W3C format,
but the values do not represent higher or lower severity.
In two weeks, on November 5th, the response output of the Get Site Status API will be updated as follows:
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2017-10-01 Release
New Features
None.
Enhancements
New Infrastructure Protection Dashboard – Early Availability
Try it out!
On the Management Console’s Infrastructure page, click the Sneak Peek link.
Feature highlights
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2017-09-24 Release
New Features
None.
Enhancements
New variable added for Delivery Rules
The $asn variable was added to the available variables for use in Delivery Rules. It represents the Autonomous System
Number, and can be used to send the client's ASN to the origin in a header. For more details, see Create Rules.
All customer accounts that were still using the classic Incapsula Management Console interface have now been
switched over to the redesigned interface.
The Incapsula Documentation is fully updated to reflect the redesigned Management Console.
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2017-09-03 Release
New Features
None.
Enhancements
Redesigned user interface - update
On September 17, 2017, all customer accounts that are still using the classic Incapsula Management Console interface
will be switched over to the redesigned interface.
The Incapsula Documentation is fully updated to reflect the redesigned Management Console.
Client certificates are now supported for SNI sites only. We do not support client certificates for non-SNI sites.
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2017-08-20 Release
New Features
None.
Enhancements
New general API response code
1. When an API call times out, the server now returns a JSON response instead of an HTML response.
2. The JSON response has error code 4.
For example:
{
"res": 4,
"res_message": "Operation timed-out or server unavailable",
"debug_info": {}
}
Fixes
None.
Known Issues
None.
To subscribe to updates about weekly releases, add the following link to your RSS feed reader: https://
docs.incapsula.com/Content/release-notes.rss
2017-08-13 Release
New Features
None.
Enhancements
New general API response code
In the next few weeks we are planning to make two changes in our general API error response:
1. When an API call times out, the server will return a JSON response instead of an HTML response.
2. The JSON response will have error code 4.
For example:
{
"res": 4,
"res_message": "Operation timed-out or server unavailable",
"debug_info": {}
}
$epoch was added to the variables available for use in Delivery Rules. $epoch represents the Unix timestamp - an
integer value representing the number of microseconds that have elapsed since the beginning of the Unix epoch
(January 1, 1970).
Fixes
None.
Known Issues
None.
2017-08-06 Release
New Features
Client certificate support
Client certificate support is now available. For details, see Client Certificate Support.
Enhancements
Email threat alert notifications
The method and content of threat alert notifications sent via the Incapsula Management Console have been modified.
Previously, a mail was sent for each threat alert. After the change, a single mail is sent for all alerts occurring within a
5-minute interval. The mail will include a sample of up to three of the generated alerts, and details of the total number
of alerts and visits. Detailed information on the threats can be found in the Management Console's Events page for
each site.
In addition, the site's activity log will reflect this change (Website > Dashboard > Activity Log). The number of Visits
and Threats for the specified time interval are now displayed, instead of information on individual threats. You can
then drill-down to the more detailed information displayed in the Events page.
The feedback button used to submit feedback and defects on the redesigned Management Console was removed.
Fixes
Delivery Rules "Allow caching" option was removed
The Delivery Rules Allow caching option has been removed (Websites > Delivery Rules > Add Rule/Edit Rule). The
Allow caching option was originally implemented to handle an uncommon rewrite and caching use case. Because we
have modified the process and now perform cache key calculation after the rewrite action, this option is no longer
required.
Known Issues
None.
2017-07-30 Release
New Features
None.
Enhancements
Update to bandwidth consumption displayed in the Sub Accounts table
For managed accounts/resellers: The bandwidth usage displayed in the Sub Accounts table (Management Console
sidebar > Sub Accounts) was split and now displays Always-on BW and On-demand BW consumption of the last 30
days separately.
The information is the same as presented for each account in Management > Subscription.
The $src_port variable was added to the available variables for use in Delivery Rules. $src_port represents the
client's outgoing port number. It can be used, for example, to distinguish users behind NAT.
Fixes
None.
Known Issues
None.
2017-07-23 Release
New Features
None.
Enhancements
Connecting to an SNI site that does not have a valid certificate
To align with internet standards, a change will be implemented within the next few weeks for users browsing to an
Incapsula-protected site that is using SNI but does not have a valid certificate.
Instead of indicating in the browser that there is no valid certificate while enabling the session to continue, the
connection will be blocked, and an error will be displayed. For example:
Fixes
None.
Known Issues
None.
2017-07-16 Release
New Features
Debug headers – XRAY
Gain visibility into Incapsula CDN and caching behavior. XRAY provides a look into Incapsula edge behavior using
predefined response headers, such as the Incapsula POP that handles the request, the cache hit or miss reason, and
the cache key.
The feature is activated by copying an access token from the Management Console to a browser. Once activated, the
XRAY debug headers are available for 10 minutes or until you close the current browser session.
The XRAY access token is available in the Management Console under Websites > <your site> Settings >
Performance.
When a new site is added to Incapsula, notifications will now be sent by default for DDoS and Backdoor Protect
security events only. Notifications will not be sent for other event types. This change does not affect existing sites.
To change notification settings, in the Management Console, navigate to Websites > <your site> > Settings
> Notifications > Real-time Notifications:
Going forwards, all new and existing Pro sites which utilize an Incapsula SSL certificate will be served by Server Name
Indication (SNI) SSL mode.
If you need to support non-SNI compliant browsers for HTTPS content, we recommend upgrading to a Business or
Enterprise plan.
Fixes
None.
Known Issues
None.
2017-07-09 Release
New Features
Direct Protection
We are gradually rolling out changes in the Management Console to support Direct Protection.
Incapsula Direct Protection is a premium Infrastructure Protection feature that allows organizations to connect
directly to Incapsula over a private, high-quality medium. The Direct Protection offering adds 2 new connectivity
options between protected networks and our scrubbing centers:
• Direct Protection - Cross-Connect: A dedicated physical connection to the Incapsula scrubbing center.
• Direct Protection - ECX (Equinix Cloud Exchange): A dedicated virtual connection over a shared fabric using
Equinix Cloud Exchange.
Within the next several weeks, we will be modifying the method and content of threat alert notifications sent via the
Incapsula Management Console.
Currently, a mail is sent for each threat alert. After the change, a single mail will be sent for all alerts occurring within a
5-minute interval. The mail will include a sample of up to three of the generated alerts, and details of the total number
of alerts and visits. Detailed information on the threats can be found in the Management Console's Events page for
each site.
API documentation
The Incapsula API documentation is now available on the documentation site: Cloud Application Security API
Reference. The documentation is publicly available and does not require a login.
Fixes
None.
Known Issues
None.
2017-06-25 Release
New Features
None.
Enhancements
Change in activation process for new accounts
For managed accounts/resellers: When adding a new account in the Management Console, the account activation URL
is no longer displayed on screen. Instead, an activation link, valid for one month, will be sent to the account’s email.
The recipient then clicks the activation link in the email and follows the online instructions as usual. The Send
Automatic Activation Email option was removed from the Add New Account dialog box.
Changes made to cache settings no longer trigger a purge of the cache. To manually purge the cache from the
Incapsula Management Console, navigate to the Website Settings Performance page.
For managed accounts/resellers: The bandwidth usage displayed in the Sub Accounts table (Management Console
sidebar > Sub Accounts) will now show the always-on total bandwidth consumption of the last 30 days. The
Bandwidth column shows the rate of data transferred, in bits per second, between visitors and Incapsula, according
to the 95th percentile, and includes clean traffic only. Previously, both clean and blocked bandwidth were displayed.
Note: The correct data will be displayed starting Monday June 26, 2017.
Check DNS functionality was added, enabling you to verify your DNS configuration.
In the Management Console > Websites page, click the status icon of a site that is not configured or only partially
configured. The Instructions link provides more details on making changes to your DNS configuration. After making
the required changes, you can click Check DNS to verify that the changes were successfully applied.
Fixes
None.
Known Issues
None.
2017-06-18 Release
New Features
None.
Enhancements
Redesigned User Interface - Updates
Fixes
None.
Known Issues
None.
2017-06-11 Release
New Features
None.
Enhancements
IncapRules: Rule Name and Revision Comments Cannot Contain Special Characters
Due to an enhanced security policy for IncapRules, the Rule Name and revision comments can no longer contain
special characters. Only alphanumeric, space, period (“.”), and underscore (“_”) characters are allowed. The change
affects existing rules only when they are modified.
On the Subscription page in your account, we have added the option to view the account bandwidth consumption for
the current and two previous billing cycles. (Management > Subscription > Download Bandwidth History).
On the Websites page, Creation Date information is again available, replacing Cached Bandwidth. (Cached bandwidth
data is still available in the website's Dashboard page.)
Fixes
None.
Known Issues
None.
2017-06-04 Release
New Features
Push SIEM logs via Amazon S3 or SFTP
Incapsula Log Integration enables you to receive your Incapsula access and event logs from the Incapsula cloud
repository and to archive or push these events into your SIEM solution.
New functionality was added to support automatic log integration via SFTP or AWS S3 buckets.
When logs are created, they are pushed to your pre-defined repository - an AWS S3 bucket or an SFTP folder.
The Incapsula Management Console was redesigned to improve the user experience through easier navigation. The
new interface is now implemented for all customers.
The Incapsula Documentation is fully updated to reflect the redesigned Management Console.
You will see a small feedback label on the right side of the new interface. Click to submit your feedback or to report
any issues you encounter.
Enhancements
None.
Fixes
None.
Known Issues
None.
2017-05-14 Release
New Features
Redesigned User Interface.
The Incapsula management console was redesigned to improve the user experience through easier navigation. We
plan to enable the new interface gradually, reaching all of our customers over the next few weeks.
Try it out!
1. In the Incapsula Management Console, click Account at the top of the page.
2. On the Details page, under Personal Details, select the Use new UI (beta) option.
3. Click Save.
4. Log out of your account. When you log in again, the new interface will be displayed.
1. In the Incapsula Management Console, click the user icon and select My Profile.
3. Click Save.
4. Log out of your account. When you log in again, the old interface will be displayed.
You will see a small feedback label on the right side of the new interface. Click to submit your feedback or to report
any issues you encounter.
Enhancements
Change of Default Operator for Rate Filter in Delivery Rules or IncapRules
The default operator for rate filters was changed from “==” to “ >= “.
Fixes
None.
Known Issues
None.
2017-05-07 Release
New Features
None.
Enhancements
reCAPTCHA v2
We are currently making the transition to reCAPTCHA V2, “No CAPTCHA reCAPTCHA”, used in our challenge and Login
Protect pages when other user authentication methods fail. V2 introduces improved usability - just click the checkbox.
When accessing the Incapsula site during the transition, you may encounter either reCAPTCHA V1 or V2. The transition
to reCAPTCHA V2 is expected to be completed within the next few weeks.
The IBM Security Qradar DSM for Incapsula has been released. The RPMs are available for download through Auto
Updates or through IBM Fix Central:
2017-04-02 Release
New Features
None.
Enhancements
Visualization Change in Infrastructure Protection and Network Traffic Graphs
The Infrastructure Protection and Network traffic graphs have been enhanced.
To get up-to-date texts of keys and IDs that are returned in API responses, please use the "Get Texts API" call
(documented in the Integration section).
Fixes
None
Known Issues
None.
2017-03-26 Release
New Features
None.
Enhancements
New IP Address Ranges
The Incapsula service has added new IP address ranges to its network. In case your firewall has restricted access and
is configured to receive traffic only from Incapsula IP ranges, please add the following IP ranges to your firewall
settings.
• 45.60.0.0/16
• 45.223.0.0/16
2017-03-12 Release
New Features
None.
Enhancements
Incapsula Service Level Agreement (SLA)
The Incapsula SLA is now available for download (PDF file) for Enterprise level accounts. The SLA can be accessed
from the account plan view page (Account => Plan).
Fixes
Delivery Rules - Can’t add Header Value Filter
While creating or editing Application Delivery rules, it is not possible to add a Header value filter (Rule Filter => If =
Header value).
2017-03-05 Release
New Features
None.
Enhancements
IncapRules and Delivery Rules Header Value Filter is Non Case-sensitive
Filter header values used within Incap rules or Delivery rules are now non case-sensitive.
While creating or editing Application Delivery rules it is not possible to add a Header value filter (Rule Filter => If =
Header value).
2017-02-26 Release
New Features
None.
Enhancements
Weblogs - Changes in LEEF Format
The following changes related to the LEEF format for web logs were implemented:
1. The “Server IP” field name was changed from “src” to “dst”
2. The “Server Port” field name was changed from “srcPort” to “dstPort”
Customers already using this format received a separate communication two weeks ago.
Fixes
None.
Known Issues
None.
2017-02-19 Release
New Features
API Support for IncapRules
Enterprise customers can now use a new set of APIs to manage their Rules.
The following new APIs can be found under the Site Management API section: https://my.incapsula.com/api/docs/v1/
sites
2017-02-12 Release
New Features
None.
Enhancements
Dashboard Time Frame Changes
The "Today" time frame selection option was changed to “Last 24 hours” to more accurately describe the displayed
time period.
Incapsula proxies now serve SSL certificates with OCSP stapling, which eliminates the need for clients to contact the
CA in order to check the revocation status of the certificate.
This can improve performance for SSL sites using the Incapsula Web Protection service.
Fixes
None.
Known Issues
SIEM Logs - W3C Format
In cases where there is no value defined in the "cs-rule" field, the returned structure does not include this field, rather
than returning an empty string as expected.
2017-01-29 Release
New Features
None.
Enhancements
Time frame for data presented in Site Dashboard and Events page
Under Site=> Dashboard: Traffic , Security, Performance and under Site => Events the data presented for the
predefined time frames - "Today", "last 7 days", "last 30 days", "last 90 days" - are now aligned between the different
views.
In all cases the time frame begins at the current time and collects data for the relevant period.
For example, if a request is made at 9:30 AM, the "Today" time frame will present data for the last 24 hours (e.g., from
9:30 AM on the previous today until the current time) and "last 7 days" time frame will present data from the last 168
(7x24) hours.
Under Account => Infrastructure Protection => Infra. Protect Settings the classification of the IP Range type is
presented in the IP Ranges table under “Bandwidth Type” with possible values of “On demand” or “Always on”.
Fixes
None.
Known Issues
None.
2017-01-22 Release
New Features
New APIs
Enterprise plan customers can now use a new set of APIs to manage origin servers, data centers and delivery rules.
The new APIs can be found under the Site Management API section - https://my.incapsula.com/api/docs/v1/sites
• Add server
• Edit server
• Delete server
Enhancements
W3C File Format Changes for SIEM and Weblogs
The header remains the same, i.e., nothing has been removed or added. The fields marked in red are the ones
influenced by this change.
W3C Header:
#Fields: date time cs-vid cs-clapp cs-browsertype cs-js-support cs-co-support c-ip s-caip cs-clappsig s-capsupport s-
suid cs(User-Agent) cs-sessionid s-siteid cs-countrycode s-tag cs-cicode s-computername cs-lat cs-long s-
accountname cs-uri cs-postbody cs-version sc-action s-externalid cs(Referrer) s-ip s-port cs-method cs-uri-query sc-
status s-xff cs-bytes cs-severity cs-attacktype cs-attackid s-ruleName
Previous format:
When a request triggers an ACL rule, the current value of the cs-severity field was the ACL rule name.
New format:
When a request triggers an ACL rule, the value of the cs-severity field is set to -1
Previous format:
When a normal request is logged, the cs-severity field contains an empty string represented by four double
quotes.
New format:
When a normal request is logged, the cs-severity field will contain an empty string, represented by two double
quotes.
Following the discovery of CVE-2016-2183 (Sweet32), it has been advised that DES/3DES ciphers are no longer secure
and it is recommended not to use them.
To ensure our customers' security, we have decided to remove support for these ciphers from our solution as of
February 5, 2017. No action is required from the customer side and
the change is transparent to most modern clients. If following the change customers receive reports that clients
cannot establish an SSL connection to your site, it will be possible to re-enable the ciphers by contacting the
Incapsula support team.
Fixes
None.
Known Issues
None.
2017-01-15 Release
New Features
Encryption of Mail Sent by Incapsula
Mail sent to users by the Incapsula management system will be encrypted by default (encryption in transit TLS).
In cases where the customer's server does not support this encryption method, system mail will continue to be sent
as before (i.e., not encrypted).
2017-01-08 Release
New Features
Detailed Plan View
Users can now see their plan details with add-on usage and bandwidth consumption by going to: Account -> Plan
Detailed explanation on the calculation of the account's bandwidth can be found in here.
Enhancements
None.
Fixes
“Pass to Origin” Value in “Traffic” Dashboard
The “Pass to Origin” value in the site traffic dashboard located at: Site -> Dashboard => Traffic presents the amount
of traffic passed from Incapsula to the origin server. Until now, for historical reasons, this value was calculated based
on the amounts of cached traffic, blocked traffic and other relevant factors. For purposes of simplicity, we are
replacing this calculation with a measurement of the actual traffic passed to the origin server.
Please note that in extreme cases this change may result in minor differences to past values that were displayed prior
to this change.
Known Issues
None.
2017-01-01 Release
New Features
Weblogs Now Include Delivery Rules data
For each request with delivery rules information, the following details will be provided:
Detailed
Description CEF LEEF W3C
Description
JSON describing all
actions that were
Delivery Rule Details cs10 cs10 cs-rule
applied to a specific
request
2016-11-20 Release
New Features
Application Delivery Rules
Application Delivery Rules enable customers to improve site performance and control by manipulating requests
arriving to their origin servers through Incapsula.
Application Delivery Rules are available for Enterprise customers as part of the Load Balancer add-on. Rules are
defined per site under Site=>Settings=>Delivery Rules.
Useful Links:
• Create Rules
• Delivery Rule Use Case Examples
• Blog: Incapsula vs. NGINX Load Balancer: Top 10 Differences https://www.imperva.com/blog/incapsula-
application-delivery-rules/
Enhancements
Infra Protect Monitoring - Notification for NetFlow/Sflow Start
Notification will be sent to the account admin in case a valid NetFlow/Sflow traffic is being monitored by Infra protect
monitoring service.
This is enabled by default for monitored accounts in addition to the existing stop / incorrect traffic notifications.
Notifications would be sent based on the current account configuration by: system message, email, SMS, or phone.
Fixes
None.
Known Issues
None.
2016-11-06 Release
New Features
Native Support for AMP
Google Accelerated Mobile Pages (AMP) have been gaining substantial traction especially among publishing and news
sites. The promise of AMP includes better page load times and higher SEO ranking. In addition, Google labels AMP
pages with a special promotional icon on Google’s mobile search:
One of AMP’s requirements is the lack of 3rd party JavaScript, therefore Incapsula client classification JavaScript
injection is breaking AMP pages which pushes customers to turn-off Inapsula’s JavaScript injection completely.
Incapsula now supports AMP pages natively, which means no injections will be made into AMP pages, for all sites on
all plans by default.
In order for a specific html page to be identified as an AMP page it should starts with “<html amp” or “<html ▪”. Pages
starting with “<html blabla ▪” will not be identified as AMP pages.
Enhancements
Infrastructure Protection Dashboard Enhancements
Enhanced Infrastructure Protection (Infra Protect, Infra Monitoring and IP Protection) dashboard located under
Account => Settings => Infrastructure Protection.
The previous dashboard will remain available for the next few weeks. (link is available in the page below)
Fixes
None.
Known Issues
None.
2016-10-09 Release
New Features
None.
Enhancements
Infrastructure Protection Dashboard Enhancements
Enhanced Infrastructure Protection (Infra Protect, Infra Monitoring and IP Protection) dashboard located under
Account => Settings => Infrastructure Protection.
The new dashboard can be accessed by clicking on the link in the blue ribbon at the top of the dashboard screen.
The previous dashboard will remain available for the next few weeks.
Fixes
None.
Known Issues
None.
2016-10-02 Release
New Features
None.
Enhancements
Incapsula->Origin default connection protocol is now TLS v1.2
Incapsula connections to origin servers now use the higher and more secure version of TLS v1.2 by default.
In case your origin server doesn’t support TLS v1.2, there will be an automatic fallback to TLS v1.1 and TLS v1.0,
respectively.
This change takes effect immediately, and gradually all new connections will use the higher protocol version.
Connections to origin servers that don’t support protocol fallback will not be affected and will continue to use TLS
v1.0.
If for any reason you'd prefer that your origin server will not use TLS v1.2 by default when connecting to Incapsula –
please contact Incapsula support.
Fixes
None.
Known Issues
None.
2016-09-04 Release
New Features
None.
Enhancements
Origin Server Maintenance Mode
In order to support origin server maintenance windows, a new Disabled/Enabled option was added in Site => Settings
=> Origin Servers => Server IPs.
Once a server is disabled, no new connections will be opened to this server. Existing connections will be maintained
until the server becomes unresponsive or a connection idle timeout occurs.
Fixes
None.
Known Issues
None.
2016-08-21 Release
New Features
None.
Enhancements
Trial for Add-ons
Enables Incapsula admin or reseller to add a trial feature on a specific service for an enterprise customer
Supported services:
• IP Protection (1 IP)
• SIEM Logs (Unlimited)
• Site (10 sites)
• Load Balancer (2 DC)
• Monitoring for BGP (A single router)
• Login protect users (5 users)
• Zones (1 Zone)
Activated from Account => Settings => Plan => Start Trial: (Sites for example)
Once Start Trial for a specific service is selected, the user is prompted with a duration message:
If there are unused items from that service, the user will be prompted with the following error message:
Once the trial is set, its end date is indicated on the screen:
The trial duration is set for 2 weeks by default and can be extended if needed by pressing on the date.
An email notification will be sent to the customer with the details of the trial, similar to the email sent in trial account
creation.
Once the customer purchases the SKU, its plan will be updated.
In the event that the trial expires without the customer purchasing the SKUs, the resources allocated for the trial will
be automatically removed.
Fixes
None.
Known Issues
None.
2016-07-03 Release
New Features
None.
Enhancements
Reseller Accounts – New Permissions Settings
Ability to allow \ disallow view permissions for infrastructure protection settings and dashboard for newly created sub
accounts and their users. (Account –> Settings -> New Account Settings)
This applies to accounts which purchased IP Protection \ Infrastructure Protection \ Infrastructure Monitoring services
or trail accounts.
Only users \ accounts with view permissions will able to grant view permissions to their sub-accounts.
In case view permissions are not allowed, the infrastructure protection link will not be visible.
Fixes
None.
Known Issues
None.
2016-06-26 Release
New Features
None.
Enhancements
SIEM Integration - Changes to CEF Format
Customers who use the CEF format and the Splunk package, do not required to replace their Splunk package.
Customer who use other logs processing scripts, need to adjust their scripts accordingly.
The documentation site makes it easier to get updates about weekly releases by providing RSS feed subscriptions.
To subscribe to updates about weekly releases add the following feed link to your RSS Feed reader:
https://docs.incapsula.com/Content/release-notes.rss
Updates will be sent via RSS on every new release when the page for this model is updated.
Fixes
None.
Known Issues
None.
2016-06-05 Release
New Features
None.
Enhancements
Modification in Reseller Accounts Plan Editing Permissions
Ability to remove web-plans (not enterprise) sub-accounts at any time, as long as monthly (not yearly) payment
method is used in that specific account.
The above applies both to actions perform using the UI or via API.
Fixes
None.
Known Issues
None.
2016-05-22 Release
New Features
None.
Enhancements
Logs - New Format - “LEEF”
Added the ability to receive the Web-Logs in LEEF format. (Account => Settings => Logs => Logs Setup=>
Configurations => Log File Format)
Added a new SIEM package - QRadar. This package requires the use the “LEEF” format. (Account => Settings => Logs
=> Logs Setup => Configurations => SIEM Packages)
Logs - Enhanced UI
Enhanced UI is now available for Logs. Functionality remains the same. (Account => Settings => Logs => Logs Setup)
Removed the view of the settings page, while all other functionality remains the same.
2016-05-08 Release
New Features
None.
Enhancements
Enabled Resellers to Access their Sub-Account's Infrastructure Protection Dashboards
Enabled the option for resellers to enter to their sub accounts Infrastructure Protection, IP Protection, and
Infrastructure Monitoring dashboards and settings ( Account =>Sub Account=> Settings => Infrastructure
Protection => New Infrastructure Protection Configuration).
Fixes
None.
Known Issues
None.
2016-05-01 Release
New Features
Enhanced Request Headers
When enabling the Enhanced Request Headers feature, Incapsula will add new headers to every request reaching your
website.
You can use this data to classify user sessions based on the new properties.
You can enable one or more request headers for each of your sites (Account => Site => Settings => General
=>Incapsula Headers)
1. TLS Version
2. Request ID
Added the ability to completely disable and delete all logs for all sites of an account (and for all accounts of a reseller)
under the Logs Setup page (Account => Settings => Logs => Logs Setup)
The API Key/ID which is used for the logs will not be presented under the list of API Keys for the account (Account =>
Settings => API). Viewing or replacing this API can only be done from the Logs Setup page.
Fixes
None.
Known Issues
None.
2016-04-24 Release
New Features
None.
Enhancements
API improvements for supporting custom certificates management:
1. Get Site Status and Upload Custom Certificate APIs now also provide custom certificate information and
errors
2. Get Site Status API now provides DNS instructions in case a custom certificate is present or a certificate
generation process has been started
3. Remove Custom Certificate API has been added
Fixes
None.
Known Issues
None.
2016-04-17 Release
New Features
Web Logs - General Availability
The SIEM integration capability was enhanced to support the collection of all web logs.
The initial setup and configuration is done in the page used for Security Logs (Account => Security Logs => Logs
Configuration).
For resellers, a new configuration page (Account => Settings => Security Logs => Log Configuration) is available
that allows resellers to configure the accounts for which the logs will be collected (the collection is done for all logs
including Security logs). For each account, it is mandatory to set the sites for which logs will be collected and to
choose whether to collect all logs or Security logs only.
https://my.incapsula.com/api/docs/v1/sites#addSite
https://my.incapsula.com/api/docs/v1/sites#modifySiteLogLevel
https://my.incapsula.com/api/docs/v1/accounts#addAccount
https://my.incapsula.com/api/docs/v1/accounts#modifyAccountLogLevel
The SIEM packages now include also “Graylog” support (in addition to Splunk, ArcSight and MacAfee)
One of the Incapsula SIEM solution components is the SIEM Connector, which is provided as a standalone installation
package for different operating systems. Incapsula has decided to decouple the SIEM connector from environment-
specific restrictions and adopt a more flexible and supportable approach.
Incapsula introduces a new “logs-downloader" script that can be found at GitHub. The script is written in Python and
is licensed under an open source license.
Incapsula recommends migrating old SIEM Connector implementations to one of the following alternatives:
The old SIEM connector will be supported through the end of the subscription term and no later than February 10,
2017, provided that the customer continues to use the same environment and technical setup. If a change to the
environment or to a specific technical setup requires migration to one of the new alternatives during the current
subscription term, Incapsula's support team will assist with migration to the new script.
In addition, please note that the SIEM configuration page (Account => Settings => Security Logs => Logs
Configuration) now reflects the above changes with some additional user experience improvements.
The Login Protect setup (Site => Settings => Login Protect), now includes the option to exclude resources defined in
the “Protected Pages” section from being protected by "two-factor authentication". The configuration for these pages
is done in the “Excluded Pages” section.
Example:
In this case, all resources under images will require "two-factor authentication" except from ping.png.
Fixes
None.
Known Issues
None.
2016-04-03 Release
New Features
None
Enhancements
SIEM Integration - New “Splunk” Package and Changes in CEF Format
A new Splunk package is available under the SIEM configuration page (Account => Settings => Security Logs => Logs
Configuration). The package supports the following changes in CEF format in order to align with the CEF RFC
standard:
The publishing of logs in this format will start next week on April 10th.
Customers that use the CEF format and Splunk package are kindly requested to replace their existing Splunk package
with the new version. The new package supports both the new and old CEF format.
Customers that use other log processing scripts need to adjust their scripts accordingly.
When a new user is added to an account, their default permission settings are disabled (Account => Settings => Users
=> Add User).
Fixes
None.
Known Issues
None.
2016-03-06 Release
New Features
None
Enhancements
Reseller accounts - removal of sub accounts
2016-02-21 Release
New Features
HSTS - Strict transport security
Strict transport security (HSTS) ensures that any attempt by visitors to use the unsecure version (http://) of a page will
be forwarded automatically to the secure version (https://).
There are three levels of restrictions for HSTS. Implementing all three restriction levels might not be appropriate for
all sites.
Configuration is done via Site Settings -> General -> Strict Transport Security section.
Resellers (managed accounts) can determine whether or not created sites will have the HSTS option enabled by
default.
Configuration is done via Settings => New Account Settings => “Enable HSTS for newly created SSL sites” field.
Enhancements
None.
Fixes
None.
Known Issues
None.
2016-02-14 Release
New Features
API Key/ID
For accounts which support API calls (Enterprise plans and managed accounts), the account administrator (or user
who has equivalent permissions) can now manage the account API Key and ID.
This includes:
Enhancements have been made to the "Add Site" flow in the SSL support step.
In cases where the site failed the SSL support test, additional information is presented, which indicates the reason for
failure and provides instructions on how to solve the problem.
In addition, the user has the option to select a different port and rerun the test.
Fixes
None.
Known Issues
None.
2016-01-03 Release
New Features
None.
Enhancements
Login Page
The user interface of the Incapsula Login page has been modified. Its functionality remains the same.
https://my.incapsula.com/admin/login
From December 31, 2015 and onwards, the Get Events API is no longer supported (deprecated).
We recommend using the Security Logs API calls from now on, which provide the same functionality as the Get
Events API and more.
2015-12-06 Release
New Features
Upload Custom Certificate API: This new operation uploads a custom certificate for your site. The following SSL
certificate file formats are supported: PFX, PEM and CER.
For a full description of SSL certificates in Incapsula, go to: Web Protection - SSL
2015-11-22 Release
New Features
• Origin Lock: This feature associates a certain IP to a specific account and prevents other accounts on the
Incapsula service from setting up sites that forward traffic to that origin.
Enhancements
Additional fields were added to the Get Visits API command, as follows:
• httpVersion: Specifies the HTTP version number. The value can be 1.0, 1.1 or 2.0.
• httpStatus: Is the HTTP response status code that was received from the origin server. This field is optional.
• securityRuleAction: Indicates the action taken to mitigate the threat.
The CVSS score (Common Vulnerability Scoring System) represents the severity of the vulnerability, with a low of 0
and a high of 10.
A CVE without an official CVE ID is a vulnerability that was identified and mitigated by Imperva that does not yet have
a CVE allocated to it
October 2, 2022
September 4, 2022
August 7, 2022
July 3, 2022
May 1, 2022
April 3, 2022
March 6, 2022
February 6, 2022
January 9, 2022
January 2, 2022
December 5, 2021
November 7, 2021
October 3, 2021
September 5, 2021
August 1, 2021
July 4, 2021
June 6, 2021
May 9, 2021
May 2, 2021
April 4, 2021
March 7, 2021
February 7, 2021
January 3, 2021
December 6, 2020
Account Settings
The account settings let you define different attributes of the account, such as two-factor authentication, account
notification emails, and weekly report settings. You can also define Origin Lock settings.
In this topic:
Note:
Include wildcard SAN in Imperva's certificate for Using a wildcard SAN enables you to add
newly created SSL sites subdomains, such as sub.example.com, without the
need for a certificate change and revalidation.
Data Management
You can view or change the region for any site. For
detail, see Website General Settings.
Delete sites’ security and access event data After you click Delete and then confirm the deletion,
the process begins. Data is permanently deleted
within 48 hours.
Origin Lock
Origin Lock associates a specific IP or certificate fingerprint with your account to prevent other accounts on the
Imperva service from setting up sites that forward traffic to your origin server.
The Imperva cloud service is positioned between the end users (visitors) and your origin server. In this topology, the
origin server IP might be inadvertently accessed by other tenants hosted on the same service.
If tenants on the service configure a site to point to an origin server belonging to another account, they become the
first hop for traffic that arrives from the visitor on its way to the original IP (incoming traffic). This could allow other
application traffic to reach the origin server.
Imperva Origin Lock adds an extra layer of security by associating IP addresses with one specific account. This feature
"locks" the IPs of a given account and prevents them from being used by others.
If your IP or certificate is only used by your account, it is highly recommended that you enable Origin Lock.
Note: If you are using a cloud service provider that issues ephemeral or temporary public IP addresses for your virtual
compute workloads and want to use this feature, you must have your own registered PA or PI IP space allocation.
Contact our support team at https://support.imperva.com. The support team will let you know once the restriction is
set.
When setup is complete, the list of locked IPs/fingerprints is displayed in the Origin Lock table.
Note: Fingerprints are listed without spaces. To search the table for a specific fingerprint, first remove all spaces.
DDoS Protection for Networks and Individual IPs - Sub Accounts
These options are available in accounts subscribed to at least one of the Network Security DDoS Protection services.
Tip: Click in any section of the Account Settings page to download a list in .csv format.
In this topic:
• Overview
• Sample flow
• Manage sub accounts
• Manage sub account users and permissions
Overview
Organizations often have multiple departments or teams that require access to the Imperva account. An organization
may be subdivided based on functional activities, product lines, processes, or geographical location. Each
department may be required to perform a different set of actions, and require different levels of access rights.
Sub accounts enable you to group and manage resources together based on department, function, or other business
criteria, and assign users to only those resources they are responsible for managing or require access to. For example,
a security officer in a large enterprise company can group sites together based on business department, to be
accessed only by the respective team members responsible for those sites.
You can manage resources in a sub account as a group, and set the following at the sub account level:
• Account Settings
• Account Users
• Account Notifications
• Logs
• DNS Protection
Sub accounts are intended to be used to manage resources belonging to the same organizational entity as the parent
account.
Pricing plan and billing data are presented in the parent account only. The parent account's Subscription page
reflects usage of resources from the parent account and all sub accounts.
Sample flow
Create sub accounts. (Account Admin) Create a sub account for each department or group that needs to access the
Imperva account.
Add users to sub accounts. In each sub account, add users as needed and configure the appropriate permissions for
each user.
Add or move sites. Add new sites or move existing resources to each sub account as required.
The Account Admin or any user with the appropriate permissions can add users and resources to a sub account.
View and manage sub accounts 2. On the sidebar, click Sub Accounts.
Delete button.
Note:
Add users to a sub account To add users to a sub account: In the sub account,
open the Account Users page. Click Add User and
select a user from the list.
See also:
Note: For more details on grouping your resources into sub accounts to simplify management of and manage user
access, see Manage Account Resources.
To open the Sub Accounts page, log in to your account in the Imperva Cloud Security Console
• The Sub Accounts page is displayed by default for accounts that have sub accounts.
• Alternatively, on the top menu bar, click Account > Account Management. On the sidebar, click Account
Management > Sub Accounts.
Field Description
The name of the sub account. Click the name to drill
Name down into the sub account details, view dashboards,
and configure settings.
Field Description
See also:
Notifications
This topic provides an overview of email notifications sent to you by Imperva, including real-time threat alerts, and
DDoS Protection for Networks status notifications. Learn how you can sign up for additional alerts, reports, and
updates.
Note: We are currently rolling out the new Notification Settings page. If the new page is enabled in your account,
email addresses for notifications are managed there and not on the Account Settings page, as described below. For
more information, see Notification Settings.
In this topic:
• Overview
• Notification list
• Imperva Status Page Notifications
• Subscribe to release notes
Overview
Imperva sends email notifications about activity in your account and sites. Make sure to set up your account's email
addresses to receive notifications and reports.
Account notification list: The email addresses that are defined in the Cloud Security Console under Account >
Account Management > Account Settings > Account Details > E-mails for Notifications.
Note: The E-mails for Notifications field is grayed-out for users whose notifications are now managed in the
Notification Settings page.
Account escalation notification list: The email addresses and phone numbers that are displayed in Edge > Network
Protection > Flow Monitoring Settings > Attack Notifications. If you are using the DDoS Protection for Networks
service in on-demand mode, you can configure the escalation notification list. For details, see Flow Monitoring
Settings.
Email sent to users by the Imperva management system is TLS encrypted and digitally signed.
Notification list
The following notifications are sent by the Imperva management system:
(Optional) Receive a
Weekly reports Account notification list Per account
weekly report with
general information on
(Optional) Receive
notifications about
threats that were
detected on your site,
such as Layer 7
(application layer) DDoS
and backdoor threats.
Website protection: Real-
Events are aggregated Account notification list Per site
time threat alerts
and a notification email is
sent at 5-minute
intervals.
(Optional) Sign up to
receive a weekly,
monthly, or quarterly
report about changes to
your security rule
Website protection: PCI-
configuration and Account notification list Per site
compliance reports
compliance with PCI 6.6
requirements.
• Account escalation
notification list
(Automatic) Alerts are • Account
Network monitoring:
sent based on receipt and notification list
NetFlow start/stop/bad Per account
viability of NetFlow
data alerts
packets. SMS: Text message sent
to phone numbers in the
account escalation
notification list.
Emails:
(Automatic) Alerts are
sent when a DDoS attack • Account escalation
has started, based on the notification list
detection policy • Account
Network monitoring:
configured for your notification list Per account
DDoS attack detected
network.
SMS: Text message sent
A DDoS start event is to phone numbers in the
generated when Imperva account escalation
has started mitigation notification list.
Activity Notifications
Incident • Investigating
• Identified
• Update
• Monitoring (in some cases)
• Resolved
Activity Notifications
To subscribe to updates about weekly releases, add the following link to your RSS Feed reader:
https://docs.imperva.com/bundle/cloud-application-security/page/release-notes.rss
Notification Settings
The new Notification Settings feature provides you with more granular control over which notifications can be
received, and the list of recipients who receive them.
This topic discusses how you can edit default notification policies and create new notification policies for account and
website activity, application security events, and network security updates.
Note: The Notification Settings page is currently being rolled out and may not yet be enabled for your account.
If you do not see this page in your account, notifications are sent according to email addresses defined on the Account
Settings page. For details about the classic Notification Settings feature and additional notification reports, see
Notifications.
In this topic:
• Overview
• Default notification policies
• Notification types
• Open Notification Settings
• Manage notification policies
• Notification policy settings
• Notification Settings API
Overview
You can manage which notifications to receive and who should receive them. Customizing the notification settings for
your organization helps ensure better awareness of issues to enable the relevant team to take pro-active steps to
mitigate potential security threats.
For accounts with subaccounts, you can also create policies to receive notifications about activity in your
subaccounts.
For more details, see the Accounts section in Notification policy settings below.
Permissions
By default, the account admin user can create and manage notification policies. In addition, the account admin or a
user with the required permissions can assign the Manage notification settings permission to other account users as
required.
Default notification policies
There are default notification policies created in each account. All policies are on by default. For each of the default
notification policies, you can toggle it on/off, edit trigger settings, and modify notification recipients.
Each default notification policy is named Default <subtype>. For example, Default Account Notifications.
Notification types
The following notification types are available.
From the row of the appropriate notification policy, select the desired option:
Option Description
Click (Edit).
Edit a notification policy
Note: Trigger settings in the Account and Website
section cannot be edited once a policy is created.
Option Description
Note:
Delete a notification policy • The deletion of a notification policy cannot be
undone, and recipients will no longer receive
notification.
Note: Notification types and subtypes cannot be modified after the notification policy is created. The other fields can
be modified.
Notification Settings API
You can also manage notification settings using the API.
For instructions on using the Notification Settings API, see Notification Settings API Definition.
The definition file presents a full, formatted, and interactive version of the APIs that you can use to learn about the
APIs, or test them using your API ID and key. You can also download the definition file.
Subscription Status
The Cloud Security Console's Subscription page enables you to:
Note: For more details on usage and billing, see Account Bandwidth Calculation.
Overview
Imperva uses a burstable billing model for calculation of account traffic. This model is based on calculating the 95th
percentile of bandwidth usage for billing clean traffic. This enables peaks in usage that exceed the limits of your
subscription for brief periods of time. This model is quite common with transit providers and with some CDNs,
although many CDNs use an alternative cumulative model, described later in this topic.
Billing for the entire account's monthly traffic is based on the 95th percentile of bandwidth usage, which is calculated
as follows:
• Each bucket collects all the traffic that passes through the Imperva network during those 5 minutes:
• Both incoming traffic (client requests sent to Imperva) and outgoing traffic (responses sent to clients
from Imperva) are taken into account.
• Traffic between Imperva and your origin servers is not taken into account. This includes:
• The traffic sent back from the origin server to be cached in Imperva.
• Both cached bits and non-cached bits are taken into account.
• Blocked traffic is not taken into account. Blocked traffic includes blacklisted traffic, L3/4 DDoS traffic,
L7 DDoS traffic, bad bots, security rules, and others.
• Traffic is aggregated across all services (IP Protection, Website Protection, and Infrastructure
Protection).
• For sites that are protected by Website Protection as well as IP Protection or Infrastructure Protection,
the traffic for those sites is only counted once in the overall calculation of aggregated traffic.
• Total traffic in each bucket is then divided by 300 to convert it to bits per second (bps) format.
• At the end of the month, starting on the billing date, the 5% of buckets with the most bps are dropped, and the
highest bps rate of the remaining buckets represents the 95th percentile value for the account.
• The calculation is performed separately for always-on services and on-demand services.
• The calculation for on-demand services takes into account only those time periods during which traffic was
diverted to Imperva.
For example, if traffic was diverted to Imperva for one week out of the entire month, the calculation drops the
top 5% of the traffic during that week.
Calculation of non-web traffic is performed in exactly the same way as web traffic. Usage is calculated across all IPs
and/or IP ranges into 5-minute buckets which are aggregated with all other services.
The calculation is performed separately for always-on services and on-demand services (separate buckets and
aggregation).
In the Imperva Cloud Security Console, on the sidebar, click Management > Subscription.
Note: Bandwidth calculation displayed on the Subscription page includes both incoming (visitors > Imperva) and
outgoing (Imperva > visitors) traffic.
Alternatively, bandwidth usage displayed in the Cloud Security Console's Network and Infrastructure Dashboards
reflects ingress traffic only (visitors > Imperva). The dashboards display peak values for the selected time period.
The Subscription page displays statistics for the last 30 days. It does not correspond directly to your billing cycle. For
example, if your billing cycle begins on the first of the month and you are looking at the Subscription page on the
15th, the statistics displayed for the last 30 days include both part of the previous billing cycle and part of the current
billing cycle.
The Usage Report provides a view of your account’s bandwidth usage per service over time, enabling you to easily
understand usage trends and quickly detect overages in your account. You can also download the report or access it
via the API. For details, see View Account Usage.
At the beginning of each billing cycle, the system checks whether or not the account exceeded its plan in the last
billing cycle. In the event of an overage, a notification will be sent to the account's owner.
What happens if a site under Web Protection is also protected by IP Protection or BGP-based Infrastructure
Protection? Will Imperva charge for the site's traffic twice?
No. In such a case Imperva will subtract that specific site’s traffic from the total accumulation in the calculation of the
95th percentile.
Many CDNs use the cumulative model for clean traffic billing. Some offer both cumulative and burstable alternatives.
The cumulative model is calculated according to the total bytes that are “consumed” during a given month. It is
usually presented in either GB or TB.
Audit Trail
The Audit Trail displays a log of actions performed in your account by account users, system processes, and Imperva
system administrators and support.
In this topic:
• Overview
• View the audit trail
• Imperva Support activity
• Audit Trail API
Overview
Benefits
• Provides full visibility at all times into which actions were performed, when they were performed, and by whom.
• When viewing the audit trail for an account with sub accounts, activity is displayed for the account and for all
sub accounts, provided that the user has permissions to the sub accounts and to the audit trail.
• When viewing the audit trail for a sub account, only the activity for the sub account is displayed.
Field Description
You can filter for a specific range of dates to view a
Time subset of the activities.
The action that was performed in the account, such
Type as logging in, adding a user, or changing site
settings.
Field Description
• User Action
Context • API (API ID is displayed. For more details on
API IDs, see API Key Management.)
• System
• Internal API
Tips:
• Use the free text filter at the top of the page to filter the displayed data by keyword or ID, such as account ID or
API ID.
• Click Export to CSV to download the audit trail .csv file format. If a filter is currently applied, the download
includes the filtered data only.
Imperva Support activity
The Imperva team has the ability to assume the identity of a specific end-user in a customer account for investigation
and troubleshooting purposes.
This enables Imperva Support, for example, to view the account from the customer perspective, or to perform pre-
approved actions on the customer’s behalf.
When an Imperva employee assumes the identity of a user in your account, the following events are logged in the
Audit Trail:
These audit trail entries indicate the account user whose identity was temporarily taken on. For example: “Imperva
Support logged in as account user user@demo.com”.
In addition, all actions performed by Imperva Support while logged in as a user of your account are also recorded in
the Audit Trail. For example: “API key created. Performed by Imperva Support logged in as user@demo.com”.
Audit Trail API
Get audit events for your account using the Audit Trail API.
For instructions on using the Audit Trail API, see Audit Trail API Definition.
The definition file presents a full, formatted, and interactive version of the Audit Trail APIs that you can use to learn
about the APIs, or test them using your API ID and key. You can also download the definition file.
See also
Types
A-records changed
ABP Account created
ABP Account updated
ABP Website Group priorities updated
ABP Account credentials created
ABP Account credentials deleted
ABP Website Group created
ABP Website Group updated
ABP Website Group deleted
ABP Website created
ABP Website updated
ABP Website priorities updated
ABP Website deleted
ABP Website encryption key created
ABP Website encryption key deleted
ABP Condition created
ABP Condition updated
ABP Condition deleted
ABP Policy created
ABP Policy udpated
ABP Policy deleted
ABP Configuration published
Account 1-day cancellation notification sent
Account activated
Account admin changed
Account bandwidth exceeded
Account data cleanup completed successfully
Account deleted
Account edit event
Account locked
Account moved
Account notifications email changed
Account removed
Account removed due to trial expiration
Account roles deleted
Account signup
Account signup
Types
Account SSO error
Account support of all TLS versions changed
Account unlocked
Add-on trial ended
Add-on trial started
API key created
API key deleted
API key disabled
API key edited
API key enabled
API key reset
ASN added
ASN deleted
Assets added to policy
Assets removed from policy
Available account added to policy
Available account removed from policy
Backdoor added
Backdoor removed
BGP added
BGP changed
Black list item added
Black list item removed
Cache mode changed
Cache purged
Cache rule added
Cache rule disabled
Cache rule edited
Cache rule enabled
Cache rule removed
Cache Shield settings changed
Client CA certificate uploaded
Client CA certificate deleted
Client CA certificate updated
Client CA certificate assigned to website
Client CA certificate removed from website
Client CA certificate site configuration changed
Compress logs settings changed
Configuration changed
Configuration changed to multi data centre
Connection added/created
Types
Connection changed/updated
Connection deleted
Custom SSL added
Custom SSL removed
Data storage region changed
Details changed
Detection policy updated
Domain added
Domain deleted
Domain state changed
Email change verification mail sent
Email changed
Email verified
Encryption disabled
Exception changed
Exception deleted
Failed to change cache mode
Failed to change email
Flow exporter added
Flow exporter changed
Flow exporter deleted
HSTS configuration changed
HTTP/2 configuration changed
IP changed
IP range diverted
IP range reverted
Log configuration created
Log configuration deleted
Log configuration updated
Logged in as customer account user
Logged out of customer account user
Login
Login attempt by unauthorized IP address
Login Protect activated
Login Protect disabled
Login Protect Google Authenticator verification failed
Login Protect Google Authenticator verified
Login Protect invitation
Login Protect phone verified
Login Protect phone verified failed
Login Protect user edited
Types
Login Protect user removed
Login Protect user revoked
Log collector API key changed
Log collector config deleted
Log collector config status changed
Log collector item deleted
Log format settings changed
Manual certificate deleted
Manual certificate uploaded
Max log size settings changed
New CSR generated
New logs collector API key created
New log collector config created
New log collector item created
Password changed
Password forgotten
Password reset by admin user
Policy added
Policy cloned
Policy deleted
Policy modified
Policy status modified
Policy modified, exception added
Policy modified, exception saved
Policy of IP range updated
Protected IP over Layer 2 added
Protected IP over Layer 2 changed
Protected IP over Layer 2 deleted
Remove SSL complete
Remove SSL start
Request for account data cleanup
Role assigned
Role assignment deleted
Role created
Role deleted
Role updated
Rollover time settings changed
Route option deleted
Rule added
Rule disabled
Rule enabled
Types
Rule edited
Rule priority changed
Rule priority fixed
Rule removed
Rule reverted
SAN CAA records fixed
SAN expiration notice sent
SAN undeleted
SAN validation method changed
Seal location changed
Secure Resources settings changed
Security policy updated
Sent unavailable storage email notification
Server added to datacenter
SIEM configuration resources purged
SIEM log integration migrated
SIEM log integration rolled back
SIEM notification email pushed
Single IP added
Single IP changed
Single IP deleted
Site advanced security rule configuration changed
Site cache settings changed
Site configured
Site created
Site delivery settings changed
Site enabled
Site in extended SSL validation
Site is disabled
Site log level changed
Site moved
Site moved account
Site moving process started
Site notifications settings changed
Site origin servers settings changed
Site reached the maximum number of allowed backdoor URLs
Site removed
Site security configuration changed
Site server disabled
Site state changed
Site support of all TLS versions changed
Types
Site's POPs blacklist changed
Site's POPs whitelist changed
Specific resources purged
SSL added
SSL process started
SSL selected
SSO account configuration created
SSO account configuration updated
SSO protocol configuration created
SSO protocol configuration updated
Static route added
Static route changed
Subdomain added
Subdomain deleted
System message set
Two factor authentication by email
Two factor authentication by Google Authenticator failed
Two factor authentication by Google Authenticator verified
Two factor authentication by phone failed
Two factor authentication by phone verified
Two factor authentication by SMS
Two factor authentication disabled
Two factor authentication enabled
Two factor authentication failed
Two factor authentication passed
User added to account
User login via SSO failed
User permissions changed
User removed from account
User roles deleted
User successfully logged in via SSO
Waiting room added
Waiting room deleted
Waiting room updated
Weekly account report read
Weekly account report sent
In this topic:
• Overview
• Open the usage report
• View report details
• Usage Report API
Overview
Usage displayed in the report is per billing plan.
• Monthly usage data is based on the 95th percentile of bandwidth usage for billing clean traffic. To learn more
about how the 95th percentile for billing is calculated, see Account Bandwidth Calculation.
• The report provides a clear indication of overages - where monthly usage has exceeded the bandwidth included
with your plan.
• You can also access the report via the API, or download it in CSV format.
• For accounts with sub accounts, note that the report is available only in the parent account. Usage data for the
account includes all of the sub accounts and their sites.
Monthly usage data is available as of September 2020, when the feature was implemented.
Permissions:
By default, the account admin user and users who are assigned one of the default roles (Administration, Reader) have
full access to the usage report.
The following permissions can be added to roles and assigned to other account users as required:
• View usage report: The user can view the Usage Report in the Cloud Security Console.
• Use usage report API: The user can access the usage report via the API
Open the usage report
Log in to your account in the Imperva Cloud Security Console.
Note: The billing plans listed in the report may also depend on when the plan was purchased. For example, if you have
purchased Always On Infrastructure Protection, it may be listed under the Always On Bandwidth billing plan (for
older subscriptions), or in its own Infrastructure Always On Bandwidth billing plan (newer subscriptions).
This section displays a quick snapshot of your account usage for each billing plan over the past 12 months.
Monthly usage
The lower table drills-down into usage data per billing period for each billing plan that you have purchased. It will
include the entire usage history for the account moving forward.
Column Description
Drill-down by service
Click a row in the Monthly usage table to view a breakdown of usage for each service.
Distribution by service: The monthly usage per service in your account's plan, based on the 95th percentile
calculation.
Bandwidth over time (bits per second): Raw data based on actual usage in each 5-minute bucket.
Note:
• The Used column in the table can display a value of zero (0), while the raw data in the graph for the same billing
period can display a small amount of traffic. This is due to the 95th percentile calculation method that is
reflected in the Used column, which includes rounding of the values.
• There may be a 0.01 discrepancy between the value displayed in the table's Used column and the Total Usage
value displayed under Distribution by service. This is due to the rounding of the values of the individual
services.
Usage Report API
Access usage data via the API:
Billing summary: Retrieve usage details for each billing period in a specified time range (purchased/used/overage).
Actual bandwidth usage: Retrieve actual usage data for each 5-minute bucket in a specified time range.
For instructions on using the Usage Report API, see Usage Report API Definition.
The definition file presents a full, formatted, and interactive version of the Usage Report APIs that you can use to learn
about the APIs, or test them using your API ID and key. You can also download the definition file.
See also:
• Subscription Status
Attack Report
Gain insights into attack trends on your assets over the past year and easily share them across your organization.
The Attack Report provides an overview of attacks on your websites and web applications, including attack
distribution by type, severity, time, source country, source client, and website.
In this topic:
• Overview
• Subscribe to the Attack Report
• Report content
• Attack types
Overview
When you subscribe to the Attack Report, Imperva sends you a monthly email with the report attached, in PDF format.
Data in the report represents activity for websites in your account and its subaccounts that were most targeted over
the past year.
The following descriptions can be useful for understanding the report data:
Item Description
Event A request that triggers a security rule.
A cluster of multiple, related events. An incident is
created when Imperva identifies events of a similar
Incident
attack type from the same source (IP, device) within
a short period of time.
The type of attack, as identified and categorized by
Attack types Imperva Research Labs. For more details, see Attack
types below.
The client application that sent the request, based
Client on Imperva's client classification technology and
database. For more details, see Client Classification.
The size of an attack is based on the number of
Attack size
malicious requests.
Subscribe to the Attack Report
By default, the account admin user automatically receives the report.
To add others to the recipient list, the account admin or any user with the Manage notification settings permission
can configure the notification settings:
Note: With the introduction of this new feature on May 22, 2022, anyone already configured to the receive the Account
and Website: Default Account Notifications will automatically receive the monthly Attack Report.
Report content
The report provides statistics on the following areas over the past year.
Note: The Attack Report covers an extended list of attack types, beyond those presented in the Cloud Security
Console. As a result, the number of reported incidents may differ. Future plans include adding all of the additional
attack types to the Cloud Security Console. At that time, the incident numbers displayed will be identical.
Attack types
Some or all of the following attack types can appear in your report, based on your subscribed services. The list
includes all attack types, as identified and categorized by Imperva Research Labs.
Type Description
API Violation
Unauthorized use of an application’s API.
Type Description
Indicates attacks blocked by Imperva's API Security.
For more details, see Imperva API Security.
Type Description
Cross Site Scripting attempts to run malicious code
XSS
on your website visitor’s browser.
Imperva pushes the event logs to your Amazon S3 bucket, enabling you to import the events into your SIEM solution.
Note: This document introduces Imperva's new Near Real-Time SIEM log integration. For documentation on the
legacy Cloud WAF log integration, see Cloud WAF Log Integration.
In this topic:
When using the Near Real-Time SIEM log integration, you can expect the following:
Attribute Description
Sending rate Files sent every 10-70 seconds
Data freshness File arrives within 3-5 minutes of the event
Security events
File contents
Access events will be added at a later date
Note that the IPs supporting the Near Real-Time SIEM integration are not returned by the API that retrieves the
Imperva ranges, as they are not required by all Cloud WAF customers.
See also:
Note:
• Imperva recently introduced this new Near Real-Time SIEM solution. To learn more before you begin, see Near
Real-Time SIEM Log Integration.
• For details on the legacy log integration for Cloud WAF, see Cloud WAF Log Integration.
This Log Configuration page is currently available for configuring the Near Real-Time SIEM log integration for the
following services:
• DDoS Protection for Networks/IPs (The integration is available per request only. To enable the feature for your
account, contact Imperva Support.)
For Cloud WAF customers who would like to use the Near Real-Time SIEM log integration, you must setup the
integration with the S3 method on the SIEM Logs > WAF Log Integration page. For details, see Cloud WAF Log
Integration.
In this topic:
• Overview
• Open the Log Configuration page
• Create or edit a connection
• Add or edit a configuration
• View your log configuration
• Troubleshoot SIEM storage unavailability
Overview
Send security event logs for Imperva's cloud services to your cloud storage repository.
Imperva pushes the event logs to your Amazon S3 bucket, enabling you to import the events into your SIEM solution.
• A configuration: Select the logs that you want to receive from Imperva based on your subscribed services.
Permissions
The account admin user or any user who is assigned the Administrator role can configure the log integration.
Make sure you have Imperva IP addresses included in your allowlist. IP addresses used by the Near Real-Time SIEM log
integration are listed under Other services on this page: Allowlist Imperva IP addresses & Setting IP restriction rules.
Note that the IPs supporting the Near Real-Time SIEM integration are not returned by the API that retrieves the
Imperva ranges, as they are not required by all Cloud WAF customers.
Open the Log Configuration page
Log in to your my.imperva.com account.
Provide the path to your repository and the access credentials Imperva needs to push the logs.
In the Connections table, click Add new to create a connection, or to edit or delete a connection.
Note: If you choose to update any details of a connection after it is fully defined and saved, you must re-enter the
secret key in order to save your changes.
Field Description
Field Description
Enter the path in the following format: <Amazon S3
bucket name>/<log folder>.
Amazon S3 ARN
For enhanced security, you can define a connection to your S3 bucket using the AWS Amazon Resource Name (ARN)
authentication with an Identity and Access Management (IAM) role.
Create a policy for your S3 bucket and define a role that grants Imperva permission to upload log files.
Required: To enable Imperva to upload log files, define the following in your S3 bucket policy:
Parameter Definition
"AWS": "arn:aws:iam::446351906296:role/prd-
Role
imperva-logs"
"arn:aws:s3:::<CUSTOMER_S3_BUCKET>/
Resource <CUSTOMER_S3_FOLDER>/*"
Parameter Definition
Make sure to replace the bolded text with your
bucket and folder details.
Optional: When you create or update a connection to your S3 bucket, Imperva runs a test by attempting to connect to
your bucket and uploading a test file.
You can define the following permissions to allow Imperva to delete the test file that is uploaded when the connection
to your S3 bucket is tested.
Parameter Definition
"AWS": "arn:aws:iam::446351906296:role/prd-
Role
imperva-logs"
"arn:aws:s3:::<CUSTOMER_S3_BUCKET>/
<CUSTOMER_S3_FOLDER>/
imperva_siem_test_file_*.text"
Resource
Make sure to replace the bolded text with your
bucket and folder details.
The services and log types available to you are based on your subscribed services.
The Add New button is disabled if there is no connection defined for your account, or when all available log types
have already been added to a configuration.
Edit a configuration: In the Configuration table, click the ellipsis next to a configuration and click Edit.
General
Field Description
Add a descriptive name for this configuration. Each
Configuration name
configuration name must be unique.
Select a service for which you want to configure the
Select service
log integration.
Field Description
Connection
Connections table
Connections define the path to your log storage repository and the access credentials for Imperva to use.
Field Description
Name The name assigned to this connection.
Connection type Currently supports connection to Amazon S3 only.
Field Description
• User/Password: Authentication using your
access key ID and secret access key.
Configurations table
Field Description
Name The name assigned to the configuration.
Service The Imperva service specified for this configuration.
Log type The log types specified for this configuration.
Connection name The connection used by this configuration.
When this happens, you will be notified by mail, according to your notification settings. (Make sure that SIEM storage
notifications are configured for your account. For details, see Notification Settings.)
• Are the required Imperva IP addresses allowed access to your bucket? For details, see here.
Imperva continues to attempt to send the logs for 48 hours, after which time there are no further attempts to upload
the logs.
Note that for Cloud WAF customers, past events are also available on the Cloud Security Console’s Security Events
page, or via the API, for a period of 90 days.
DDoS Protection for Networks/IPs customers can view past events on the Network/IP Protection dashboards.
Imperva continues testing the connection. When it is restored and Imperva is able to access your S3 bucket, another
notification is sent to you.
See also:
Imperva pushes the event logs to your Amazon S3 bucket, enabling you to import the events into your SIEM solution.
This integration is based on the new Imperva Near Real-Time SIEM solution, currently rolling out. For details, see Near
Real-Time SIEM Log Integration.
Note: The integration is available per request only. To enable the feature for your account, contact Imperva Support.
In this topic:
• Log files
• Log types
• Events
• Event fields
• Sample events
Log files
Each event is provided in a separate file.
For example:
123456.CONNECTION.7f108651-1258-4177-a3dd-c9f6bb4dccfa.log
Log types
You can choose to enable the integration for any or all of the following log types, based on your subscribed services.
For more details on each event, see Events below.
• IP range reverted
• IP is up
Change in status of your protected
IP (IP Connectivity)
public IP.
• IP is down
Events
Log entries are generated for the following events.
All entries also include the time of the event and the Imperva data center (PoP) from which the event was originally
reported.
• Connection ID
Connection up • Connection name
• Connection type
• Connection ID
Connection down • Connection name
• Connection type
• Exporter customer IP
Flow traffic has stopped
• Exporter description
• Exporter customer IP
Flow traffic has started
• Exporter description
• Exporter customer IP
Incompatible flow traffic
• Exporter description
• IP range
• Imperva data center
DDoS event has ended • Attack duration
• Peak total traffic (bps)
• Peak total traffic (pps)
• IP range
• Traffic volume
• Traffic type
DDoS attack detected
• Main targeted assets (Iist of IP addresses)
• Is automatic divert enabled?
• Range type (Always-on or On-demand)
IP is up • Customer public IP
Event fields
Log entries are presented in the standard JSON key/value pair format of "fieldname":"fieldvalue". For example,
“timestamp”:“1630832131096”.
• ECX
• CROSS_CONNECT
connection-down-event
ddos-start-event
ddos-end-event
incompatible-flow-event
ip-is-up-event
ip-is-down-event
Sample events
Log type Event name Sample event
{"event":{"action":"connection-
down-event"},
"@timestamp":1630832131096,
CONNECTION (Network
Connection down "observer":{"geo":
Connectivity)
{"name":"cdg"}}, "connection":
{"id":1711,"name":"Demo
connection","type":"BGP"}}
{"event":{"action":"flow-start-
event"},
"@timestamp":1630832131095,
NETFLOW (Network Monitoring) Flow traffic has started
"observer":{"geo":
{"name":"mia"}},"server":
{"ip":"1.2.3.4"}}
{"event":{"action":"ddos-start-
event"},
ATTACK (Network and "@timestamp":1630832131095,
DDoS event has started
IP Protection) "observer":{"geo":
{"name":"bom"}},"ip_range":
{"ip_range":"1.2.3.4"}}
{"event":{"action":"ip-is-down-
event"},
"@timestamp":1630832131097,
IP (IP Connectivity) IP is down
"observer":{"geo":
{"name":"dub"}},"server":
{"ip":"1.2.3.4"}}
See also:
Account Users
As an account administrator or other user with the appropriate permissions, you can create additional account users
for your team members, to enable collaboration and co-management of the Imperva service.
You can grant different levels of permissions and sub account access to users, based on the level of visibility and
control that is required.
Note: The Cloud Security Console's new Account Users page is currently being introduced to a limited number of
direct customers (not resellers). We will provide updates in future release notes about the continued rollout.
For more details on the new page, see Manage Account Users
In this topic:
• Overview
• View the account user list
• Add a user
• View and edit user settings
Overview
The Account Users page lists all account users.
Note: If you need to change the account administrator user, contact Support to request the change.
View the account user list
To access the Account Users page:
When a new user is created in an account, a verification mail is sent to the email address listed for the user.
The new user clicks the link in the email to verify their address and set a login password.
Note: If the user does not verify their email address within 15 days after the user was created, the user is locked out.
When the user tries to log in, the user receives an email notification that includes a link to verify and unlock the user.
Notification emails are sent to the user before the user is locked, as a reminder to verify their email address. The
address verification link is included in the mail.
When users are locked out, the account admin user receives an email notification with the list of unverified users in
the account.
View and edit user settings
Click a user row to open the Settings panel.
Note:
See also:
Note: The Cloud Security Console's new Account Users page is currently being introduced to a limited number of
direct customers (not resellers). We will provide updates in future release notes about the continued rollout. To
request access to the new page at an earlier date, contact Support.
This topic replaces the Account Users topic that describes the previous version of the Cloud Security Console's
Account Users page. The new version provides an improved user experience and enhanced management
functionality.
In this topic:
The Account Users page lists the details of all users in the account: Name, Email, Status, Roles and Last login date. You
can sort, search, filter and download the users that are displayed.
Add a user
Click Add User to create a new user for the account and assign it up to 10 roles.
Note: Only the account administrator or an administrator user with the appropriate permissions can add new users.
When a new user is created in an account, a verification message is sent to the email address listed for the user. The
new user then clicks the link in the email to verify the address and set a login password.
Note:
• The user has 15 days after the user account is created to verify the email address on record before it is locked.
• When users are locked out, the account admin user receives an email notification with the list of unverified
users in the account.
• If a user that is locked out tries to log in, Imperva sends an email notification that includes a link to verify and
unlock the user account.
View and edit user settings
Click a user row to open the Settings panel. It displays the name of the user account and the date it was created.
Role management
API keys
Manage API Keys
Create and manage up to 5 API keys per user. For
details, see API Key Management.
Manage approved log-in IP addresses Limit log-in access by providing a specific list of
approved IP addresses from which the user is
permitted to log in.
Unlock user
Actions > Unlock user
Note:
Resend activation email For a user with the status of Pending, Recovery or
Password Expired, send the user an email with a
link to activate the user account.
See also:
Password Policy
The following PCI-compliant policy applies to users logging in to the Cloud Security Console.
Note: This policy does not affect organizations that log in to the Cloud Security Console via their organization's SSO.
Requirement Description
See also:
• User Preferences
• Account Users
User Preferences
The User Preferences page enables you to update your personal details, including name, email address, and
password.
You can also choose to enable two-factor authentication for your user account. When enabled, you are required to
enter a one-time passcode during login, in addition to your username and password.
Note: The Cloud Security Console's new My Profile page is replacing the User Preferences page and is currently
being introduced to a limited number of direct customers (not resellers). We will provide updates in future release
notes about the continued rollout.
In this topic:
Password requirements:
• e-mail
• text messaging
• the Google Authenticator app
Note:
• The account admin can prohibit obtaining the passcode via e-mail.
• The account admin can also force all account users to use two-factor authentication. If that option is enabled,
users that have not yet configured it will be required to do so on their next login attempt.
• If you are an account admin and want to enforce two-factor authentication for all account users, see Account
Settings.
• Two factor authentication is not activated if the user logs in with SSO.
My Profile
The My Profile page displays your personal settings and enables you to update them.
Note: The Cloud Security Console's new My Profile page is currently being introduced to a limited number of direct
customers (not resellers). We will provide updates in future release notes about the continued rollout. To request
access to the new page at an earlier date, contact Support.
This topic replaces the User Preferences topic that describes the User Management > My Profile > User Preferences
page.
The new My Profile page offers an improved user experience and new security measures. It provides users the ability
to enable multi-factor authentication and configure additional delivery methods (i.e., Okta and phone call), view their
roles, as well as both view and add new API keys.
In this topic:
• First name
• Last name
• Phone number
Password requirements:
Click Configure on any of the following factor options to display instructions on how to receive a verification code,
then enter the code and click Verify to complete its setup:
• Email (pre-configured)
• Okta Verify app
• Google Authenticator app
• Phone Call
• SMS text messaging
Note:
• The account admin can prohibit obtaining the passcode via email.
• If you are an account admin and want to enforce MFA for all account users, see Account Settings.
• If the MFA option is enabled, users that have not yet configured it will be required to do so on their next login
attempt.
• MFA is not activated if the user logs in with SSO.
View your roles and associated permissions
For any assigned role, click View role to display its enabled permissions, associated services and types.
Configure up to 5 API keys, which are dependent on their defined roles and permissions:
• Click the ellipsis to edit a key's name and description, delete it, or click Regenerate to update its
expiration period.
API Key Management
Create and manage API keys with granular permissions and sub account access, enabling you to integrate Imperva
into your environment and streamline processes. For example, you can automate security responses, integrate
dashboards and reports, or onboard new sites.
In this topic:
• Overview
• Create and manage API keys
• Examples
• API key expiration
Overview
The account administrator or a user with equivalent permissions can manage API Keys.
• API keys inherit the user's permissions and sub account access.
• Any user with the Manage API keys permission can create and manage their own API keys (up to 5 keys per user
account).
• The account admin or any user with the appropriate permissions (Manage users and permissions and Manage
API keys) can create and manage keys for all account users.
• Add a name and description to an API key to indicate what it is used for.
• Export key details. This action exports details such as user, name, description, and status in csv format. It does
not export the key itself.
Log integration: The API Key/ID which is used for logs is available on the Log Setup page only. It is not listed here.
Create and manage API keys
Add, edit, enable, disable, reset, and delete API keys.
Note: When you reset an API key, the API ID remains the same and a new key is generated that overrides the previous
one.
1. In the Cloud Security Console, open the Account Users page. For details, see Account Users.
4. Copy the details from the popup window. Once the pop up window with the generated ID & key is closed, you
will no longer be able to retrieve the key.
Note: Users with access to the Cloud Security Console's new My Profile page can now manage their API keys on that
page. They are no longer able to access the API Keys page.
1. In the Cloud Security Console top menu bar, click Account > Account Management.
4. Copy the details from the popup window. Once the pop up window with the generated ID & key is closed, you
will no longer be able to retrieve the key
5. Select an option under the More column to edit, enable/disable, reset, or delete a key.
Examples
User Scenario
Reporting. This user does not require special
Marketing administrator permissions and can use an API key to get statistics
and event data for internal reporting purposes.
Site configuration. This user has permissions to
Devops engineer modify site settings and can use an API key for
automating site configuration.
Defining rules. This user has permissions to modify
site settings and can use an API key for configuring
Security engineer
rules to implement their own security, delivery, and
access control rules .
• 3 months
• 6 months
• 1 year
• Never
Grace period
• Expired API key: When an API key has expired, you can still use it for a grace period of two weeks.
• Reset API key: When you reset an existing API key, the previous key will still work for a period of two weeks from
its expiration date or from the time it is reset - whichever comes first.
• Additional reset during the two week grace period: Resetting the key more than once within the grace period
cancels any earlier key resets. The grace period is valid for the last reset only. The keys generated by previous
resets are no longer valid.
Email notifications will be sent to you before the API key expires. The email will include a link enabling you to extend
the validity of the API key for two weeks.
Read More
• Account Users
In this topic:
• Overview
• Create and manage roles
• Assign roles to users
• Default roles
• Migration
• Role Management API
Overview
A role is a set of permissions granting a certain level of access to Imperva cloud assets and services. Role
Management includes creating and managing roles, and assigning those roles to your account users.
Role Management reduces administrative overhead and enables you to improve your organization's security by
granting users only the specific privileges they need to carry out their responsibilities.
For example, an application owner may need permissions to edit settings and view security events for the application,
and a member of the marketing team may need permissions to manage cache settings and purge the cache.
In addition, you can assign multiple roles to a single user. A user may require different levels of access to different
resources. For example, you may want to grant view-only permissions to a user on one sub account, and grant
administrator permissions to that user on another sub account.
Create and manage roles
Open the Roles page to create and manage roles. The Roles page is available to the account administrator or any user
with the Manage user roles permission.
Note:
• The icon next to a permission indicates that the permission can apply to roles used in both parent accounts and
sub accounts.
• Permissions without the icon are relevant to parent accounts only. If it is included in a role assigned to a user in
a sub account, the user is still not granted this permission in the sub account.
• When you assign a role to a user at the parent account level, this grants permissions to sites and settings in the
parent account only. To grant permissions to a sub account, assign the role to the user in the sub account.
• If you do not want to grant permissions for the parent account to a user, do not assign a role to the user in the
parent account. Instead, assign a role to the user in the relevant sub account(s) only.
5. Click a user row. In the right pane, expand the Role Management section. View the role or roles already
assigned to the user, or assign a role.
Role Description
Roles that were created during the migration process are displayed with the name “Automatically created role” and a
role ID. For example, [3] Automatically created role. We recommend that you change the role name after migration,
assigning a name that is more meaningful for your organization.
Role Management API
Create and manage roles using the API.
For instructions on using the Audit Trail API, see Role Management API Definition.
The definition file presents a full, formatted, and interactive version of the Role Management APIs that you can use to
learn about the APIs, or test them using your API ID and key. You can also download the definition file.
See also
Note:
• Imperva’s SSO environment does not automatically provision users based on your IdP environment. All users
that need to log in to the Cloud Security Console using SSO must first be added as users to your Imperva
account. For details on adding users, see Account Users.
In this topic:
Only the account admin user can configure the SSO settings for your account.
• the account admin continues to sign in directly to the Cloud Security Console using the Imperva user and
password, bypassing SSO.
• all other account users log in via SSO.
Enable SSO and configure the settings. Click Save to activate SSO.
SAML 2.0 configuration
Configure the settings and then provide your identity provider (IdP) with the relevant URLs for the Imperva Cloud
Security Console (the service provider or SP).
Give the URLs listed in the Cloud Security Console to your identity provider.
Field Description
The service provider’s (Imperva Cloud Security
Assertion Consumer Service URL Console) SAML 2.0 URL responsible for receiving and
parsing the SAML assertion.
The service provider’s (Imperva Cloud Security
Audience URL (Entity ID)
Console) SAML 2.0 Entity ID.
XML metadata of the service provider (Imperva
Cloud Security Console), including details for IdP
Service Provider Metadata integration, such as entity ID, endpoints, public
X.509 certificate, information on the company, and
contact details.
Advanced Configuration
Field Description
Optional Fields
Field Description
The SAML 2.0 response attribute key name for user's
Assertion Group Attribute Name
group membership. For example, memberOf.
Allow user login only if the SAML 2.0 response states
User's Expected Group Membership that the user is a member of the desired group,
according to the specified Assertion Group Attribute.
Field Description
For example, my_security_group. You may enter one
group name only.
Two factor authentication
Enabling SSO does not impact two factor authentication functionality for the Cloud Security Console login. If two
factor authentication is enabled for your account, the mechanism remains active when SSO is enabled.
• you want to enforce two factor authentication via your SSO Identity provider only, and
• you don't want to disable two factor authentication for the account admin (who bypasses SSO and continues to
log in with Imperva credentials)
then each user must disable two factor authentication in the Cloud Security Console, as follows:
In the Imperva Cloud Security Console, click the user icon and select My Profile.
Disable SSO
You can disable SSO on the Single Sign-On page:
When SSO is disabled, account users can resume logging in to the Cloud Security Console using their Imperva
credentials.
This can be useful, for example, if you are having an issue that you need to troubleshoot before re-enabling SSO.
At the core of Imperva’s Web Protection are our security reverse proxy and Web Application Firewall (WAF) in the
cloud, which are deployed across our globally distributed CDN network. Organizations using Web Protection route
their website traffic through the Imperva network by performing a simple DNS change. This enables Imperva to
inspect each and every request sent to the website and filter out any kind of malicious activity.
Benefits
• PCI certified Web Application Firewall
• Service is backed by Imperva’s security team for updating and tuning security rules
• Easy and quick implementation - usually no rule tuning is required
• Bot mitigation using Imperva’s advanced client classification technology
• Backdoor Protection to identify and quarantine backdoors planted on your website
• Custom security logic using security rules
• Granular access controls based on IPs, URLs, location and client type
• Seamless implementation of two-factor authentication
• Real-time dashboard for traffic monitoring and event analysis
• REST API and SIEM integration of access and security logs
How Does Web Protection Work?
Imperva’s Web Protection is based on a network of secure reverse proxies deployed on our globally distributed
CDN. Web traffic that is routed through the Imperva network is terminated by those proxies, allowing Imperva to
inspect each and every request to the website and identify and block any malicious activity.
Organizations using Web Protection update their domain DNS to point to a unique hostname (CNAME) provided by
Imperva (e.g., mysite.incapdns.net). This hostname is dynamically resolved for every website visitor, making sure
each visitor is served by the closest Imperva data center.
Imperva’s secure proxy and Web Application Firewall (WAF) inspect every request at three levels: the connection level,
the request format and structure level, and the content level. The WAF matches the HTTP/S requests against a set of
security engines, known attack patterns, heuristic rules, anomaly detection and known "good" patterns. Each visitor
is also profiled and matched against a large set of known client signatures. These components allow Imperva to
automatically filter out bad actors and enable organizations to define their access policy for bots.
Imperva's reverse proxies include over 50 patterns used to recognize personal data such as credit card numbers, email
addresses, or phone numbers.
Imperva reverse proxies analyze incoming requests and search for data that matches these patterns. When a match is
found, we immediately perform irreversible masking in memory (RAM), in real-time. Logs generated in the proxy use
the masked data.
These patterns are fully configurable and can be enhanced per customer, per website. Our customers can expand the
list of patterns as needed to cover additional information that they consider to be sensitive.
The current definition and the ability to add new patterns is configured by Support.
DDoS Mitigation
Websites using Imperva DDoS Protection are protected from any type of DDoS attack, including both network (Layer 3
and 4) and application (Layer 7) attacks. Imperva’s secure HTTP proxy terminates TCP connections, acting as a buffer
between the Internet and the origin server and filtering out any kind of DDoS attack, such as SYN floods and UDP
floods. Only legitimate TCP sessions are forwarded to the origin server.
Layer 7 DDoS attacks are mitigated by a dedicated engine that can distinguish between legitimate visitors and DDoS
bots. This engine leverages Imperva’s client classification technology, as well as unique capabilities to challenge
suspected visitors and verify their authenticity, without impacting the website's normal user experience.
Imperva Web Protection is backed up by a team of security experts who are responsible for keeping the Web
Application Firewall and other security engines up to date and accurate. The research team monitors external sources
such as new vulnerability disclosures and analyzes all traffic going through Imperva. Any new attack identified on the
network is automatically analyzed, and new mitigation rules are propagated to all Web Protection customers. All rules
go through a vetting phase in which they are deployed across the network but only generate alerts. Those alerts are
analyzed by the security team and, if required, adjustments are made to make sure that new rules do not create false
positives.
Deployment
Websites that support SSL are required to provision an SSL certificate on Imperva. Imperva maintains two types of
certificates. The first is an Imperva-generated certificate that can be automatically created and integrated using the
new site wizard. Organizations using Web Protection can also upload their own certificate, which will be presented to
SNI-supporting clients instead of the Imperva-generated certificate. See Web Protection - SSL/TLS for more
information.
Web Protection can be deployed as an always-on solution (the most common scenario) or as an on-demand solution
for DDoS mitigation.
Traffic Flow
Understand the behind-the-scenes flow of an end user visit to a website protected by Imperva’s Web Protection.
1. A visitor opens a web browser and types in your website’s URL (for example, http://www.yourdomain.com).
2. The web browser queries its DNS server for the IP address associated with www.yourdomain.com and receives
your origin server IP address.
3. The web browser sends requests to the origin server IP address, which are routed through the Internet to your
ISP or hosting provider.
1. A visitor opens a web browser and types in your website’s URL (for example, http://www.yourdomain.com)
2. The web browser queries its DNS server for the IP address associated with www.yourdomain.com and receives
the Imperva CNAME you configured in your DNS (for example, yourdomain.incapdns.net).
3. The web browser queries its DNS server for the IP address associated with yourdomain.incapdns.net and
receives the IP address of the nearest Imperva data center.
4. The web browser sends requests for http://www.yourdomain.com to the IP address of the nearest Imperva data
center.
5. The request is accepted by the Imperva secure proxy and inspected for any security risk.
6. If the request does not pose any threat, it is either responded to directly from Imperva’s cache or forwarded to
the origin server (if the resource is dynamic and cannot be cached).
7. Responses from the origin server are accepted by the Imperva secure proxy and then forwarded back to the
visitor’s web browser.
How To
Read More
To open the Websites page, log in to your account in the Imperva Cloud Security Console .
To add a new site, click the Add website button and follow the onscreen instructions. For more details, see
Onboarding a Site – Web Protection and CDN.
The following details are displayed for each website. The statistics are generated daily and cover the last 7 days,
except for bandwidth, which covers the last 30 days.
Field Description
Name of the website. Click to drill down into the
specific website's dashboard to view incoming
Name
traffic, security events, and server activity in real-
time. Configure site settings to meet your needs.
The total amount of traffic served from your website,
Bandwidth both from the Imperva cache and from your origin
server.
Number of visits to your website by legitimate
Human Visits
human visitors, typically via a web browser.
Bot Visits Total visits by all good and bad bots.
WAF Sessions Threats to your website detected by Imperva.
Creation Date The date the site was created.
Fully configured:
Partially configured:
Field Description
Not configured:
Disabled:
Note:
Field Description
• Move Site. If your account has sub accounts,
you can move a site from the parent account
to a sub account (or vice versa), or from one
sub account to another. For more details, see
Manage Account Resources.
Tip: Click Export to CSV to download the list of websites in .csv file format.
Read More
Note:
• The General Settings page has been revised in order to improve the customer experience. It is available to all
users who access the new UI.
• The SSL- and HSTS-support options remain on the previous General Settings page and will be moved to a new
location at a later date. For details on the previous General Settings page, see Web Protection - General Settings.
In this topic:
This option enables you to set support for TLS versions earlier than 1.2.
Changing this option requires domain validation by the CA. Follow the instructions in the Websites page Status
column to complete the process. When CA approval is received, the change in supported TLS versions will take effect.
After the TLS change takes place, update the domain's DNS records according to the information in the DNS section of
the Websites General Settings page.
This option is available only if the account-level setting to support all TLS versions is enabled.
For more details and supported TLS versions, see Web Protection - SSL/TLS.
Data Storage
By default, Imperva assigns a region to a site based on geolocation of the origin server registered for the site. If the
account administrator changed the default region for new sites created in your Imperva account, the data storage
region for your site may be different. For details, see Account Settings.
Option Description
Note: Event data is stored for 90 days. To view events from the previous region during that time period, click the pop-
up banner on the Events page.
If you change the data storage region twice within a 90-day period, you will no longer be able to view event data from
the first region.
Example: You changed from region A to region B and then to region C within a 90-day period. When you change to
region C, you will not be able to access event data from region A.
Option Description
DNS settings
This section displays reference information showing your original DNS settings, and the DNS records that were
provided by Imperva for onboarding your site. The instructions for changing your DNS records were provided by
Imperva.
Option Description
The DNS settings detected by Imperva during the
Original DNS Settings
initial onboarding process of the website.
Option Description
TXT records directly to your domain's
DNS configuration. This section enables you to
configure TXT records while simultaneously using a
CNAME record for your domain.
This section lists all domains that are connected to an onboarded website via CNAME reuse.
Imperva detects and adds all domains that are using the Imperva-provided CNAME assigned to the onboarded
(primary) website.
Once ownership of a domain is verified, the domain is protected by Imperva and shares the website settings and
configuration of the onboarded website. Legitimate traffic for all verified domains is allowed.
• To add multiple domains, you can upload a file in csv format, with one domain per line. Click the arrow and click
Upload bulk CSV.
Column Description
The name of the domain. For example,
Name
www.example.com.
Column Description
Possible values:
Wildcard domains
Once a wildcard domain is in Protected status, all domains that match the wildcard domain are added to the list of
allowed domains when traffic to them is detected.
You can choose to "promote" the matching domains to become full domains. On the wildcard domain row, click
and select Detach Wildcard. Each of the matching domains is then listed as a full domain and the wildcard is removed
from the table.
To manage alternative domains using the Imperva API, see Website Domain Management API Definition.
Additional Settings
Miscellaneous
Option Description
Enable content based error responses This option enables you to return an error response
in JSON or XML format, based on the Accept or
Content-Type HTTP request headers. For details,
see Error Responses.
Read More
Note: If you are subscribed via an Imperva partner, your default settings are defined by the partner and may vary from
the descriptions in this documentation.
Read More
Note: We have rolled out a new Website General Settings page that is available to all users who access the new UI. All
Website General settings except SSL- and HSTS-support options have moved to the new page.
For details about the new General Settings page, see Website General Settings.
In this topic:
Option Description
Option Description
other error, then the status displays Active + <the
error>.
You can configure the following options for Imperva to use each time the certificate is renewed.
Option Description
Add wildcard domain SAN Adds the wildcard SAN to the Imperva SSL certificate
instead of the full domain SAN.
Option Description
Example: For www.example.com, the wildcard SAN
is *.example.com and the full domain SAN is
www.example.com.
HSTS support
HTTP Strict transport security (HSTS) ensures that any attempt by visitors to use the unsecure version (http://) of a
page will be forwarded automatically to the secure version (https://). HSTS support is available only for sites that have
SSL support.
There are three levels of restrictions for HSTS. Implementing all three restriction levels might not be appropriate for
all sites. Restrictions are cumulative. Each level includes enforcement of the previous level.
Option Description
(TTL) The amount of time to apply HSTS in the
Max-Age browser before attempting to load the page using
http://.
Enforce HSTS on sub-domains. For example, a page
Include sub-domains listed on xxx.ddd.com uses resources from
images.ddd.com. If HSTS for sub-domains is
Option Description
enabled, the images are also covered. Make sure
that the site and all sub-domains support HTTPS so
that HSTS does not break an internal resource when
rendering the page.
The most secure way to enforce HSTS. Ensures the
first request goes out in a secure tunnel, since the
Pre-load browser already has that URL in the pre-load list.
The domain needs to be listed at https://
hstspreload.appspot.com/.
• For a specific SSL site: In the SSL Support section, under Strict-Transport-Security (HSTS), click Enable.
• For all new SSL sites added to your account: See Account Settings.
Read More
Note:
An application or site should have no more than 10 defined Login Protect users. Exceeding 500 Login Protect users per
account will result in performance issues.
In this topic:
• Overview
• Login Protect for Administrators
• Login Protect Users List
• Login Protect for the Authenticating User
Overview
On top of existing usernames and passwords, Login Protect adds two factor authentication based on a one-time
passcode sent to the authenticating user, without making any changes to your applications or installing any software.
The following methods are available for users to obtain one-time passcodes:
• Email
• Text message (SMS)
• Google Authenticator mobile application
Login Protect for Administrators
To open the Login Protect Settings, log in to your my.imperva.com account.
Protected Pages
Protected Pages refer to sensitive pages on your website, such as an admin login page, for which you want to add an
extra layer of security.
Click on the Add Page button and select either a specific URL to protect or a URL pattern (for example, any page
whose URL ends with /admin). Any number of URLs or URL patterns may be entered, as long as they are all within the
same top-level domain (for example, all start with www.mydomain.com).
Excluded Pages
The option to exclude resources defined in the Protected Pages section from being protected by two-factor
authentication.
Example:
In this case, all resources under wp-admin will require "two-factor authentication" except from admin-ajax.php.
This section lets you define the authentication mechanisms by which users can receive a one-time passcode.
Authorized Users
This section lets you define which users are allowed to access Protected Pages after authentication. Login Protect
enables two methods for selecting the group of Login Protect users that will be authorized to access Protected Pages:
• Authorize all Login Protect users in this account: this option will automatically authorize all existing and
future Login Protect users, even if they are added as users on other sites.
• Select authorized users from list: this option can be used for selecting a subset of Login Protect users from the
Login Protect users list
Login Protect Users List
The Login Protect users list is an account level setting of all the Login Protect users defined for all your Imperva-
protected sites. Users can be invited via email or added as a group by uploading a CSV file.
When adding users you will be prompted to review the invitation email that will be sent out and customize it if
required. You may enter multiple email addresses separated by commas or semicolons.
Any user that has been invited to use Login Protect will receive an email (the same one you have reviewed and
customized as the administrator).
After users have clicked the activation link at the bottom of the invitation email they will be asked to configure the
methods for receiving one-time passcodes. The available methods will be determined by the Login Protect settings for
that site under Methods and Notifications.
Logging In
A user accessing a URL that is protected with Login Protect will be prompted to enter a one-time passcode using the
following screen:
Based on the Login Protect configuration for this website, users can obtain the passcode by either opening their
Google Authenticator mobile application, entering their email address to receive the passcode by email, or by clicking
the Text Me button to receive the passcode in a text message.
After entering a valid passcode, users will be able to proceed to the website. Users remain authenticated for the
remainder of their session, or for 14 days if they select the Trust this computer for 14 days option.
Users who did not complete their Login Protect user activation may do so by clicking the Didn't Activate Login
Protect? link.
Note: Starting June 7, 2020 we are rolling out the new Policy Management feature. If your account was created after
June 7, 2020, or your existing account has been migrated, the Block Specific Sources and Whitelist Specific Sources
settings are now configured using policies. For details, see Create and Manage Policies.
In this topic:
Imperva’s unique classification technology can tell whether your website visitors are humans or bots. Our client
database holds an extensive list of bot classifications and can identify the specific type of bot visiting your website.
Each bot is marked either as a Good Bot or a Bad Bot. Bad Bots are those bots that pose a threat to your website
security. For example, a vulnerability scanner or a DDoS attack bot. Googlebot (and all other search engine bots) is
marked as a good bot and not blocked by the Bad Bots rule.
For the list of the clients and client type categories that Imperva addresses, see Client Classification.
For more details on Imperva's mitigation capabilities for automated threats, see Bot Mitigation.
Option Description
Click the Good Bots link to edit the Good Bots List.
The Good Bots List displays a list of the bots that do
not pose a threat to your website. By default, each of
these bots is marked with a checkmark, which
means that they are not blocked by default.
Option Description
Click the Also block link to add to the Bad Bots List.
Option Description
unwanted crawlers and services, and ensure that
only legitimate visitors can access your website.
Availability: For Advanced Bot Protection and Account Takeover Protection customers only.
By default, the GeeTest CAPTCHA is displayed in Chinese. To display the CAPTCHA in English, contact Imperva Support
to request the change.
For GeeTest, select the difficulty level for the challenge that you want to present to visitors.
1. Click Add exception, or Exceptions if there are already existing exceptions defined.
2. In the Add exception rule on field, select the type of item to be added to the whitelist, such as URL, Client app
ID, IP, or Country.
For IP exceptions, single IPs, IP ranges, and subnets are supported. For example, 2.2.2.2, 3.3.3.3-3.3.3.5, or
10.10.10.10/24.
3. In the field to the right, fill in the value to exclude from the rule.
4. Click Add.
5. You can repeat the steps above to add additional rules.
6. Click Confirm.
Note: An exception rule will match only if all match criteria are satisfied. If you want to add an exception for multiple
and non-related scenarios, you can add multiple exception rules.
Whitelist specific IP sources
This option enables you to create a list of trusted IPs that are not inspected by Imperva's WAF and Security settings
entirely. If you would like to whitelist an IP for a specific rule, it is recommended that you do that from the rule
whitelist settings (see above) rather than adding a global whitelist rule.
Read More
• We are currently rolling out the new WAF Rules policy feature. When it is enabled for your account, the related
settings are no longer available on this page. For more details, see Create and Manage Policies.
• Monitor your Cloud WAF security posture on the go. For details, see Imperva Security Mobile App.
In this topic:
Option Description
A notification is sent to your Imperva account's
administrator/user (according to the Notification
Alert Only
settings) and an alert appears in the Security Events
page. The malicious traffic is not blocked.
Malicious requests are blocked. In addition, an alert
Block Request (Default)
and an event are generated.
Any user that has attacked your website will be
Block User
blocked from sending subsequent requests for 10
Option Description
minutes. In addition, an alert and an event are
generated.
Any IP that has attacked your website will be
blocked from sending subsequent requests for 10
Block IP
minutes. In addition, an alert and an event are
generated.
The event is not listed in the Security Events page
Ignore
and no action (such as blocking) is taken.
Threat types
Threat types include:
• Backdoor Protection
• Remote File Inclusion
• SQL Injection
• Cross Site Scripting
• Illegal Resource Access
Backdoor Protection
Backdoors are widely used by hackers trying to find a way into your site for malicious purposes, such as sending
spam and participating in DDoS attacks on other websites.
Usually the first thing a hacker does after gaining access to a compromised website is to plant a backdoor that can
later be used to obtain full access to the compromised server and to its root capabilities.
Option Description
Any detected backdoor is automatically
Auto-Quarantine (default)
quarantined.
Option Description
A notification is sent to your Imperva account's
Alert Only administrator/user (according to the WAF Settings)
and an alert appears in the Security Events page.
The event is not listed in the Security Events page
Ignore
and no action (such as blocking) is taken.
Remote File Inclusion (RFI) is an attack that targets the web servers that run websites and their applications. It
represents an attempt to manipulate an application into downloading or executing a file from a remote location.
RFI exploits are most often attributed to the PHP programming language, however these exploits can also manifest
themselves in other environments. RFI works by exploiting applications that dynamically reference external scripts
indicated by user input without proper sanitation.
SQL Injection
SQL injection is used to take advantage of non-validated input vulnerabilities to pass SQL commands through a
web application for execution by a backend database. Attackers take advantage of the fact that programmers often
chain together SQL commands with user-provided parameters and can therefore embed SQL commands inside these
parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend
database server through the web application.
Cross Site Scripting (XSS or CSS) is an attack that attempts to run malicious code on your website visitor’s browser.
A Cross Site scripting attack takes advantage of a website vulnerability in which the site displays content that includes
unsanitized user-provided data. For example, an attacker could place a hyperlink with an embedded malicious script
into an online discussion forum. The purpose of the malicious script is to attack other forum users who happen to
click on the hyperlink. Such a script could, for example, copy user cookies and then send those cookies to the
attacker.
An Illegal Resource Access attack attempts to access otherwise private or restricted pages, or tries to view or execute
system files. This is commonly done using URL Fuzzing, Directory Traversal or Command Injection techniques.
Note:
• The whitelist defined for one type of WAF protection does not affect the other types of protection. For example,
whitelisted items in the SQL Injection section do not affect how Illegal Resource Access behaves.
• A whitelist rule will match only if all match criteria are satisfied. If you want to whitelist multiple and non-related
scenarios, you can add multiple whitelist rules.
1. Click the Add whitelist option under the relevant type of WAF protection. For example under the Remote File
Inclusion option. The following displays:
2. In the Add whitelist rule on field, select the type of item to be added to the whitelist, such as URL, Client app
ID, IP, Country, User Agent or HTTP parameter.
3. In the field to the right, fill in the value to be whitelisted.
4. Click the Add button.
5. Multiple rules can be added to this window by following the steps above.
6. Click the Confirm button.
Tip: You can also add an item to the WAF whitelist directly from the Security Events page if you have identified a false
positive event.
Read More
Note: Monitor your Cloud WAF security posture on the go. For details, see Imperva Security Mobile App.
In this topic:
Select the desired WAF DDoS behavior from the drop-down menu:
Option Description
Off All DDoS mitigation rules are disabled.
On All DDoS mitigation rules are enabled.
Advanced settings
Click Advanced Settings to access additional DDoS settings:
Option Description
Option Description
Allowed values: 10-10000 requests per second.
Request rate cannot be empty.
An allowlist rule will match only if all match criteria are satisfied. If you want to allowlist multiple and non-related
scenarios, you can add multiple allowlist rules.
2. In the Add exception rule on field, select the type of item to be added to the allowlist, such as URL, Client app
ID, IP, or Country.
3. In the field to the right, fill in the value to be allowlisted.
4. Click Add.
5. Add additional rules as needed by following the steps above.
6. Click Confirm.
Tip: Alternatively, you can add an item to the WAF allowlist directly from the Events page if you have identified a false
positive event.
Customize Slow HTTP mitigation
Override default mitigation settings for slow HTTP attacks.
Slow HTTP attacks are a type of denial-of-service (DoS) attack in which requests are sent in small chunks, one at a
time. This is problematic because if the HTTP request is incomplete, or if the transfer rate is very slow, server
resources are kept busy waiting for the rest of the information, and legitimate connections cannot be made.
To prevent slow HTTP attacks, we configure a request body timeout which determines the minimal number of bytes
we accept during a specified time period.
Imperva provides DoS mitigation for HTTP methods according to the default rate of a minimum of 5000 bytes received
every 30 seconds.
You can choose to override the default rates for any or all of the following methods: GET, POST, PUT, RPC_IN_DATA,
RPC_OUT_DATA.
Note: Slow HTTP attacks are not currently displayed on the Security Events page.
3. Select the methods for which you want to set different values, and configure the values.
The custom rate will be used only for the methods that you select. Other methods continue to use the default
rate.
Read More
In this topic:
Imperva will notify you by email. A single mail is sent for all alerts occurring within a 5-minute interval. The mail will
include a sample of up to three of the generated alerts, and details of the total number of alerts and visits.
You can view the full list of threat alerts in the Website Security Dashboard > WAF violations section, and then drill
down to more detailed information displayed in the Security Events page.
You can define what actions to take when a threat is identified (per site) in Websites > <your site> > Settings > WAF.
For more details, see Web Protection - WAF Settings.
Request PCI compliance reports
Stay informed about changes to your security rule configuration and compliance with PCI 6.6 requirements.
In accounts where the new WAF Rules policy is available, the report is slightly different. The information provided
reflects the status of the website’s security rule configuration at the time the report is generated.
Permissions
Grant access to a user from another account to view or edit the site.
The user can then see the site listed in the Cloud Security Console Websites page.
The user you add must be an existing user in another account which is on the same or higher level subscription plan.
Note: The Permissions page applies only to users from other accounts. To manage permissions for users in the current
account and its sub accounts, see Account Users.
Access the Permissions settings
To open the Permissions Settings, log in to your my.imperva.com account.
Error Responses
This topic explains how error responses are returned to clients.
In this topic:
• Overview
• Response format
• Response examples
Overview
Error responses are returned to website visitors in each of the following scenarios when a request is blocked:
To return error responses in JSON or XML format, based on the Accept or Content-Type HTTP request headers:
4. Under Additional Settings, enable the Enable content based error responses option.
Accept header: contains json, does not contain html Default JSON error response
{
“incidentId” : “3411854340000000422-34793753560490",
“hostName” : “test.example.com”,
“errorCode” : “20",
“description” : “The proxy failed to connect to the web server, due to TCP connection tim
“timeUtc” : “2019-03-12 12:37:19 UTC”,
“clientIp” : “1.2.3.4",
“proxyId” : “1111",
“proxyIp” : “5.6.7.8"
}
XML error response
<proxyIp>5.6.7.8</proxyIp>
</incident>
Read More
Website Dashboard
Note: The old Website Dashboard is being deprecated. The new Website Dashboards provide an enhanced view for
exploring traffic, security, and performance. For documentation on the new Website Dashboards available in the new
UI, see Website Dashboards.
Dashboard Description
• In the Timeline drop-down, select a time range option or choose custom dates.
Traffic
View overall statistics on traffic flow for the site during the selected time frame.
Section Description
Visits by client/country
The distribution of visits by client or country.
Section Description
For details on Imperva's client classification
database, see Client Classification.
Performance
View statistics related to caching for the site during the selected time frame.
Section Description
The amount of bandwidth saved every time content
Accumulated saved bandwidth was returned from the Imperva cache, instead of
from your origin server.
The rate of change of accumulated bandwidth,
Cached bandwidth
measured in Mb or Gb.
Section Description
Static only: Resources cached according to
standard caching. For more details, see the Cache
Mode section of Cache Settings.
Real-Time
Monitor activity and statistics for your site in real time.
Note: There may be discrepancies between the data displayed on the Real-Time dashboard and the other
dashboards. Full data may not always reach and be presented on the Real-Time dashboard and may therefore be less
accurate than the offline dashboards that reflect complete information.
Section Description
Section Description
Per Data Center: The distribution of requests
according to Imperva PoPs that handled them.
Activity Log
View significant events on the site during the selected time frame, such as:
Activity Description
Events are displayed here according to your Threat
Alert settings on the Websites > Settings
Threat alerts
> Notifications page. For details, see Website
Notification Settings.
Website Dashboards
Website Security Dashboard: See an overview of all the threats that have targeted your protected websites and
applications.
Website Performance Dashboard: View caching and traffic statistics for your Imperva-protected websites and
applications.
Website Real-Time Dashboard: View overall statistics on traffic flow for your websites.
Network Traffic Dashboard: Explore incoming traffic metrics for all websites in your Imperva account. The dashboard
presents data on both legitimate and malicious (DDoS) Layer 3/4 traffic.
In this topic:
Section Description
Distribution
Section Description
All requests Total number of requests for the website.
Requests blocked The number of requests that were blocked.
Security settings
WAF rules:
Section Description
Section Description
DDoS violations and Backdoor Protect: These
violations are always blocked.
Security rules:
Section Description
Section Description
All websites
View statistics for all websites in your account.
The data in the websites table reflects the previous 7 days, from 00:00 on the first day to 00:00 on the 7th day,
regardless of the time range you select at the top of the dashboard.
To view data for multiple websites, select them and click Apply Selection. You can select up to 5 websites, including
those currently selected in the Websites drop-down above.
When multiple websites are selected, the dashboard displays an aggregated view of data for all the selected websites.
Column Description
Website Name of the website.
The total amount of traffic served from your website,
Bandwidth both from the Imperva cache and from your origin
server.
Number of visits to your website by legitimate
Human visits
human visitors, typically via a web browser.
Bot visits Total visits by all good and bad bots.
The number of times that a security rule was
WAF sessions
triggered.
The percentage of requests that triggered a security
Rule hits
rule, out of all requests.
The number of requests that were presented with a
CAPTCHA challenges
CAPTCHA challenge.
Website configuration status. For more details, see
DNS Status
Web Protection - Websites.
Creation date The date the website was configured in Imperva.
View caching and traffic statistics for your Imperva-protected websites and applications.
In this topic:
When multiple websites are selected, the dashboard displays an aggregated view of data for all the selected websites.
Zoom: Click and drag an area of a graph to zoom in. Zooming into any graph updates the data displayed on the entire
dashboard.
Section Description
Section Description
Audit events
Expand graphs
Open an enlarged view of any of the dashboard
graphs.
Requests over time Hover over the graph to display more details. Each
data point represents the average value during the
time range specified in the popup.
Section Description
Caching and traffic flow statistics for the websites in
Performance and Traffic your account. For more details, see Performance
and traffic below.
Status information on your origin data centers and
Data Centers on Imperva data centers. For more details, see Data
centers below.
Lists the rule names, actions and hits for all the
delivery rules defined for the selected sites.
Hover over a graph to display more details. Each data point represents the time range specified in the popup.
Trend data: Shows the change between the current period and the previous period.
Section Description
Section Description
Hover over the event in the graph to see details of the action that was performed, such as changing website settings.
For more details on audit events, see Audit Trail and Audit Trail Event Types.
Data centers
View status information on your origin data centers and servers and response time data for the Imperva data centers.
The status of your origin data centers and servers configured for the selected websites.
Column Description
Column Description
Server status:
• Up
• Down
View the response times, in milliseconds, of the Imperva data centers that handled requests for your websites by
region. Click a location to display the distribution by data center.
Waiting rooms
View statistics on actual usage of your waiting rooms during the specified time range.
Note:
• All statistics include only those users/sessions that match all conditions set for the waiting room.
• This section is displayed only for accounts that have Waiting Rooms configured. The Waiting Room feature is
currently being rolled out and may not yet be enabled for your account.
Column Description
Total user visits The total number of users who visited the website.
All websites
View statistics for all websites in your account.
The data in the websites table reflects the previous 7 days, from 00:00 on the first day to 00:00 on the 7th day,
regardless of the time range you select at the top of the dashboard.
To view data for multiple websites, select them and click Apply Selection. You can select up to 5 websites, including
those currently selected in the Websites drop-down above.
When multiple websites are selected, the dashboard displays an aggregated view of data for all the selected websites.
Column Description
Column Description
The DNS configuration status of the website. For
Configuration
details, see Web Protection - Websites.
In this topic:
Hover over a graph to view more details about any data point.
To filter the data displayed in the graphs, click items in the legends.
Section Description
Section Description
Traffic
View a snapshot of current traffic metrics for your websites. Drill down into more details in the graphs.
Section Description
The total number of requests from humans and
Requests
bots.
The number of requests from humans and the
Human requests
percentage out of total requests.
Section Description
The number of requests that were blocked by
Requests blocked
Imperva.
Visitor samples
To view a sampling of real time requests, click Show visitor samples at the top of the dashboard.
Tags display the challenges presented to visitors at the time of the request (cookie, JavaScript, or CAPTCHA), and well
as the HTTP version used by the visitor.
Click a server row to view more details in the Details pane on the right. You can select multiple servers to view
simultaneously.
Note: The displayed data reflects incoming traffic only (from visitors to Imperva). For CDN usage and billing statistics,
see the Subscription page for your account: Management > Subscription.
In this topic:
Select options for viewing bandwidth and packet rate data. Your selections are reflected in the data displayed in the
bandwidth graph (bits per second) and packet rate graph (packets per second), and in the tables below the graph.
View by
Traffic
In the bandwidth (bits per second) graph, you can compare your data to the blue 95% percentile indicator. The
indicator is displayed when you select the following view settings:
For more details on calculation of the 95th percentile, see Account Bandwidth Calculation.
At the bottom of the graphs, select options to examine the data according to actual values or distribution:
Real-time data
By default, the Network Traffic Dashboard displays real-time data.
Hover over the graph to focus in on a specific point in time. In this example, you can see that 16.87% of the total traffic
was coming in from London.
Historical data
You can view data for the previous 90-days.
At the top of the dashboard, select an option, or choose a custom time period.
The dashboard displays the maximum values reached during the selected time period.
In the graphs, you can zoom in to a maximum data resolution of 15 seconds to analyze short attacks.
Hover over a point in the graph for more details. In this example, the graph is now showing a resolution of 15 minutes
per point.
Grab another area of the graph to zoom in again for a closer look. Here, the maximum resolution of 15 seconds is
displayed.
Website groups
A website group is group of protected websites in your account that share a set of Imperva anycast IPs and other
network resources. (Web traffic is routed to these IPs in the Imperva network instead of to your origin server, enabling
Imperva to inspect each request and detect any malicious activity.)
Most accounts typically have only one website group. Under some circumstances, a different configuration is required
and some of your protected sites are grouped separately. For example, when using a dedicated network or when
network traffic isolation is needed to meet regulatory requirements.
• Expand the website group to view the sites included in the group. The list of sites is available only when viewing
data from a previous or custom time period. It is not available in real-time view.
• Click a Site ID to open a site’s Website Dashboard. For more details, see Website Dashboard.
Advanced analytics
See top traffic patterns for DDoS traffic on your sites that was blocked by Imperva or clean traffic that was routed
through Imperva and passed on to your origin servers.
View a breakdown of traffic by source or destination IP, by source or destination port, or by packet size for a website
group.
2. On the analytics page that opens, select a previous time period or a custom time period. (Analytics are not
displayed in real-time view.)
3. Filter to display blocked or passed traffic.
For more details on the Analytics page, see Analytics: DDoS Protection for Networks and IPs.
Events
View the log of security events detected by Imperva. Each row represents a single session that contains one or more
suspicious requests.
Column Description
Events are created when a security rule is triggered. Rules include built-in security rules, as well as custom security
rules that you have defined for your protected sites.
The Security Events page enables you to view events per session, and then drill down into specific requests.
Note:
• You can also get a list of events using the API. For details, see Get visits in Traffic Statistics and Details API.
• Monitor your Cloud WAF security posture on the go. For details, see Imperva Security Mobile App.
• We are currently rolling out new security event infrastructure. This enhancement may not be immediately
available in your account. Once the new infrastructure is enabled for your account, you may notice the following
changes:
• Newer events are using the new infrastructure, while older events continue to be based on the previous
infrastructure. When you move from a time range that is using the old infrastructure to one that is using
the new infrastructure or back again, a pop up is displayed indicating that the page has been redirected
by Imperva. For example, if you view data for the last 7 days, and then select the option for the last 30
days, the page is redirected.
Data for all time ranges will eventually be based on the new infrastructure and available on the new
page. The page will no longer be redirected.
• Current page: The URL includes events-page in the path. (No change.)
• New page: The URL includes event-page-ng in the path. (Accounts rolled out with new
infrastructure will be temporarily redirected to this new path, depending on the data range
selected. After approximately 90 days of time range data has been collected, the URL redirect
will be removed.)
• When viewing an event on the new page, the Policy ID of a triggered policy is now part of the request
details. Previously, it was part of the session details. Similarly, the Edit policy option is now available at
the request level instead of at the session level.
In this topic:
The banner at the top of the page enables you to select the data you want to view. When you change the selections,
the data on the page is immediately updated.
The statistics here reflect the last 7 days, regardless of the time period selected in the top filter.
View events
Each row under Sessions represents a single, cookie-based session that contains one or more suspicious requests.
Session details:
Field Description
Field Description
If the ID is listed as deleted, this indicates that the
policy was deleted after the event occurred. For
example: Policy ID: 1234 (deleted)
Threat-type indicators Note: The Bad Bots tag does not necessarily mean
that the request came from a bad bot. It indicates
that the client was initially suspected or unknown
and was challenged, in order to verify its
authenticity.
Field Description
challenge it may be classified as legitimate later on
in the process.
Therefore, you may see the bad bot tag that was
generated earlier on in the process, while the Client
Details column lists it as a legitimate client, such as
Chrome. The client listed in the Client Details
column is the final, authoritative classification.
Learn more:
View requests
Requests per event: In the event, click More details to view requests. Each row represents a suspicious request in the
session. Requests in the session that are not suspicious and do not trigger alerts are not displayed.
Request table:
Column Description
Request details:
Field Description
For example:
Field Description
Request actions:
You can perform the following actions for an individual request. Actions affect only the website that received the
specific request.
Action Description
• DDoS
Add exception to rule
• Backdoor protection
• Bad bots
Add exception to policy This action is displayed for requests that violated
the WAF Rules policy. For details, see Create and
Manage Policies.
View rule
View the triggered rule.
Action Description
This action is displayed for requests that triggered
custom (user-defined) rules. For details, see Manage
Rules.
Option Description
Add an exception
To add an exception to a rule, expand a request and click Add exception.
You can add an exception for a specific item in the request, such as its URL, Parameter, IP, or Country. The item then
bypasses the specific rule, such as an Illegal Resource Access violation. This rule will no longer be applied to requests
that meet your defined criteria.
Adding an exception is useful when you want to tweak a rule in order to avoid false positives. Be as specific as possible
with the criteria you define in order to limit exposure.
The three-strike rule
Imperva intelligently analyzes traffic in order to detect suspicious behavior. When a client sends repetitive, clearly
malicious requests, Imperva may block this session to prevent zero-day attacks. The 3-strike rule occurs automatically
when 3 requests in the same session trigger specific WAF rules that we have classified as extremely high-risk.
In this topic:
• SSL certificates
• The SSL process
• TLS version support
• Supported cipher suites
SSL certificates
To support secure websites (HTTPS), Imperva must host a valid SSL certificate for the website domain. Imperva
supports two types of certificates for this purpose:
Imperva-generated certificate
As part of the activation process, Imperva requires that a secure website add its domain to an existing Imperva
certificate. This certificate will be presented to any visitor trying to access your website, indicating that the connection
is secure.
The Imperva certificate is used by default for both SNI and non-SNI supporting clients. Server Name Indication (SNI) is
a TLS extension that enables a client to indicate the hostname it wants to connect to at the start of the handshake
process. Many older browsers do not support SNI. If you choose to provide us with your existing domain certificate in
addition to the Imperva certificate, your certificate is used for SNI-supporting clients, and the Imperva certificate
continues to be used for non-SNI supporting clients.
The process for adding your domain to an Imperva certificate is triggered automatically from the Add Site wizard
when you first onboard your website to Imperva, or using the Add site API. This process requires that you prove that
you are the owner of the domain you are adding to Imperva using one of three available methods:
• Email validation: A validation email will be sent to one of the email addresses associated with your domain. A
list of email addresses is displayed during the process. If the addresses are no longer in use or you wish to use a
different one, contact Support to request the change. The requested email address must be listed in your
domain’s Whois record.
• DNS validation: You will be provided with a unique DNS entry to add to your domain DNS zone.
• Meta tag validation: You will be provided with a unique HTML string to be added to one of the URLs on your
website.
If you did not complete SSL validation during the onboarding process and your site is already onboard with Imperva,
you can validate domain ownership using the email or DNS methods.
Once you have chosen a validation method and completed the validation steps, Imperva automatically adds your
domain to the Imperva certificate and provides DNS instructions. This is the final step in setting up your domain on
Imperva.
Note: If your site uses certificate pinning, it is not recommended to use an Imperva-generated certificate due to
occasional changes that are required on the Imperva side, such as certificate renewals, updates, and migrations. If
you choose to use certificate pinning, upload a custom certificate instead.
You may choose to add your existing domain certificate to Imperva in addition to the Imperva-generated certificate.
This can be done by uploading the certificate and private keys to Imperva via the Cloud Security Console. For details,
see Upload a Custom Certificate for Your Website on Imperva.
It is important to note that these uploaded certificates are presented only to SNI-supporting clients. A list of SNI-
supporting clients can be found here: https://en.wikipedia.org/wiki/Server_Name_Indication.
The Imperva proxy first checks to see if a custom certificate was uploaded to the specific site. If one is not found, the
proxy looks at other sites in your account.
If the proxy identifies a certificate uploaded to another site in your account that has a SAN corresponding to the site in
question, then that custom certificate is used.
For example, suppose a custom certificate was not uploaded for your site support.example.com, but a certificate for
the wildcard domain *.example.com has been uploaded for another site in your account. The custom certificate for
*.example.com is used.
If you do not want the certificate for *.example.com used for your site, you need to upload a separate custom
certificate for the specific site.
If no matching certificate is located in any site in your account, the Imperva-generated certificate is used.
For websites onboarded to Imperva after October 20, 2021, the certificate selection method has changed. To optimize
the selection mechanism, the Imperva proxy now selects a certificate in this order:
3. A custom certificate from another website in your account with a SAN corresponding to the website in question.
The SSL process
HTTPS traffic arrives at Imperva, where Imperva terminates the SSL connection. It decrypts the traffic, analyzes it, and
filters out malicious visitors and requests. The next step for legitimate requests is for Imperva to return a response to
the visitor from the cache, or forward the request on to the origin server if necessary. Imperva encrypts the traffic at
this point before sending it on.
All communication between visitors <--> Imperva (Connection A) is handled by the certificates stored in Imperva.
Communication between Imperva <--> your site (Connection B) is handled by the original domain certificate located
on your web server.
We employ the following advanced techniques, designed to speed up the process and minimize latency:
When traffic arrives at Imperva, can Imperva decrypt it and send me clear traffic?
No. To provide data security and meet PCI requirements, encryption is required during all legs of the journey.
Can our origin server send clear traffic to Imperva and have Imperva encrypt it before sending it back to
visitors?
Do Imperva and your origin servers need to use the same TLS versions and cipher suites?
No. The connection between visitors <--> Imperva, and the connection between Imperva <--> your origin server are
two separate connections. Each segment can use a different TLS version and cipher suite.
TLS version support
TLS 1.3, 1.2, 1.1, 1.0, and SSLv3 are supported for connectivity between clients (visitors) and the Imperva service. TLS
1.2 is the minimum supported version, by default.
Note: As of July 1, 2022 Imperva will no longer support the SSLv3 security protocol and the RC4 cipher.
PCI-DSS compliance requires disabling the use of TLS 1.0 as of July 1, 2018. To comply with this requirement, and due
to the known vulnerabilities in TLS 1.1, Imperva has defined TLS 1.2 as the default minimum supported version. This
also applies to the Imperva Cloud Security Console and the Imperva API.
Connectivity between a website’s origin server and the Imperva service is the responsibility of the Imperva customer.
Opting out
A client with an unsupported TLS version will not be able to establish a connection to Imperva. The client (a browser,
for example) may show the following SSL error message: ERR_SSL_VERSION_OR_CIPHER_MISMATCH, and will not be
able to access the site.
If you need to keep supporting TLS v1.0 and TLS v1.1, you can opt out and choose to enable support for all TLS
versions, on a per site basis. Opting out means that clients will be able to establish connections to your site using TLS
v1.0, v1.1, and v1.2. This is not recommended. To remain PCI compliant, do not enable this option.
Choosing to enable the option to support all TLS versions may require migration of your sites to the new Imperva
service network, which offers additional security options, customization, and visibility. As a result, you may be
required to update the following:
• Update of the A-record for your domain to point to the new IPs provided by Imperva.
• Revalidation of your Imperva-generated certificate/SAN for your opted-out sites: When possible, SSL certificates
currently in use will be moved automatically to the new platform. For certificates that cannot be moved
automatically, you will be required to revalidate ownership of your domain in order to issue new SSL
certificates. This typically requires that you add the relevant authorization string in a DNS TXT record to be
viewed by the CA. You will receive instructions on how to complete the revalidation.
Note: If you want to set TLS 1.1 as the minimum supported version for your site, contact Support.
1. Enable the Support All TLS Versions option for the account. For details, see Account Settings.
2. Enable the Support All TLS Versions option for each site that you want to support versions of TLS earlier than
1.2. For details, see Web Protection - General Settings.
Read More
In this topic:
• Overview
• Open the SSL Certificates page
• Domains pending ownership validation
• Certificates
• SSL Certificates API
Overview
After onboarding a website to Imperva and configuring SSL support, you can view certificate status details here. This
page provides status information for the certificates configured for all websites in your account.
For more details on Imperva's SSL support for your websites, see Web Protection - SSL/TLS.
To view settings or configure SSL support after your site is onboarded, see Web Protection - General Settings.
Permissions
By default, the account admin can view the SSL Certificates page. In addition, any user who is assigned a role that
includes the View SSL Certificates permission can also view the page.
Open the SSL Certificates page
1. Log in to your account in the Imperva Cloud Security Console.
2. On the top menu bar, click Application.
3. On the sidebar, click SSL/TLS > SSL Certificates.
Domains pending ownership validation
This section lists all the domains in your account with SANs that require validation of domain ownership.
SANs (Subject Alternative Names) are used in Imperva-generated certificates, which cover multiple domains. Each
SAN identifies a domain that is covered by the certificate. SANs that require user action are listed here.
You must complete the validation process in order for Imperva to approve your domain and include it in the Imperva-
generated SSL certificate.
Your domains are listed according to the validation method you chose when you started the process to configure SSL
support for the domain — either during website onboarding or after, through website settings.
Column Description
Domain name
The domain requiring validation of ownership.
Column Description
Expand the domain name column to view the SANs
covered by the domain.
Validate by email
Column Description
Column Description
The validity period of the SAN is typically 1 year,
SANs expire after which you are required to revalidate domain
ownership.
Certificates
The list of certificates configured for all websites in your account.
Column Description
Imperva-generated certificate:
Custom certificate:
Column Description
SSL support. This status is activated 60 days
before the expiration date.
SAN details
Expand a certificate row to view details on the SANs covered by the certificate.
Column Description
SAN The Subject Alternative Name (SAN).
Column Description
• Approved pending publication: The SAN is
ready for publication.
SAN added The date that the SAN was added to the certificate.
The date that revalidation of your domain
Revalidation required ownership will be required in order for Imperva to
renew the certificate.
SSL Certificates API
Get certificate details and status for your account using the Imperva API.
For instructions on using the SSL Certificates API, see SSL Certificates API Definition.
The definition file presents a full, formatted, and interactive version of the APIs that you can use to learn about the
APIs, or test them using your API ID and key. You can also download the definition file.
This certificate is presented to SNI-supporting clients only. Adding your domain to an Imperva SAN certificate is
required to handle non-SNI supporting clients, even if you are uploading your existing certificate. A list of SNI-
supporting clients can be found here: https://en.wikipedia.org/wiki/Server_Name_Indication.
The certificate must contain the full chain – root CA , intermediate CA, and the origin server certificates. For details,
see Extracting the Full Chain Certificate Using Qualys SSL Labs.
Note:
• The certificate must include the SAN for the website’s domain.
• Each time you upload a custom certificate to Imperva for your website, the Enable HTTP/2 setting on the
Website Delivery Settings page is reset according to account-level HTTP/2 default settings, located in Account >
Account Management > Account Settings. For details, see Delivery Settings and Account Settings.
Option Description
Permissions
The Manage custom certificates permission is required to upload, replace, and delete custom certificates for your
websites.
This permission is granted to the Account Admin user by default. The Account Admin or any user with Manage users/
Manage user roles permissions can assign this permission to other account users as needed.
Upload a custom certificate to Imperva
In the Imperva Cloud Security Console, open the Website General Settings page:
2. On the sidebar, select Websites > <your site> > Website Settings > General.
4. On the Configure Custom Certificate page, select one of the following options:
Guidelines:
Read More
In this topic:
• Overview
• Upload an ECC certificate
Overview
You can upload your own ECC certificate to Imperva so it can be presented to your website visitors.
ECC certificates have a smaller key size than RSA certificates, so less data is passed to the client during the
TLS handshake. This results in faster page load times, as well as offering better support for mobile devices.
ECC certificates provide a security level comparable to or surpassing that of an RSA 2048 certificate.
Guidelines:
• Connecting clients must support ECC or the TLS handshake cannot be completed with an ECC certificate. If you
want to also support non-ECC supporting clients, upload an RSA certificate as well.
• By default, Imperva supports the prime256v1 (secp256r1) Elliptic Curve Digital Signature Algorithm (ECDSA)
only.
• Imperva presents your ECC certificate to SNI-supporting clients only. Adding your domain to an Imperva SAN
certificate is required to handle non-SNI supporting clients.
Upload an ECC certificate
Upload your certificate and private key to Imperva.
On the Web Protection - General Settings page, under SSL Support > ECC custom certificate, click Configure and
follow the onscreen instructions.
Remove the security overhead of managing and sending private keys over the web. Imperva manages the private key
for you, according to our security standards.
Step Description
In this topic:
• Overview
• Configure the HSM
• HSM details required by Imperva
• Upload your certificate and HSM details
• View certificate status
Overview
When you onboard a secure website to Imperva, there are two alternatives for installing SSL certificates on the
Imperva proxy servers. You can opt to have Imperva generate a new certificate for your site, or you can upload your
own custom certificate.
If you choose to use your own certificate, but regulatory requirements demand that your certificate's private key be
hosted in an HSM, you can upload own certificate without the private key while maintaining the private key in a 3rd
party cloud HSM service.
This topic describes how to upload your custom certificate to Imperva without the private key, and store your key in a
cloud HSM service instead.
Fortanix Data Security Manager (DSM) SaaS is the HSM service currently supported for this integration.
Configure the HSM
Before uploading your certificate to Imperva, you need to have a Fortanix account.
Perform the following steps to set up the Fortanix side of the integration. Refer to the Fortanix documentation for
more details: Fortanix Data Security Manager with Imperva Cloud WAF.
Note: In the event of a Fortanix outage, reliance on a single region can leave the protected site without SSL support. In
addition, if you have end-users around the world, it is recommended to enable the service across multiple regions to
optimize performance. Therefore, at least 2 regions are recommended for reliability of service.
2. Create a group for purposes of this Imperva integration. The group will contain a collection of security objects,
such as your certificate and key, and enable you to assign access policies to these objects.
3. Create an application for Imperva Cloud WAF. The application will be used to authenticate Imperva to Fortanix
Data Security manager using an API key.
4. Create a security object and import your cryptographic key, using Base64 format.
• The URI. This is the location of your assets in the HSM service. In this case, it's the URI (host name) of the
Fortanix region as it appears in the security object. For example, api.amer.smartkey.io.
• The key ID. This is the UUID of the Fortanix security object.
• The API key. This is the REST API authentication key from the Fortanix application you created.
Upload your certificate and HSM details
To configure the integration, upload your certificate and the details of your Fortanix account using the Imperva API.
There are three API operations available for managing your certificate.
• Upload certificate: Upload your certificate and HSM credentials to Imperva. The certificate must use Base64
encoding.
• Test connectivity: When you upload your certificate and HSM credentials, Imperva automatically checks the
connection. If you later make changes in your Fortanix configuration, it is recommended to run this API call to
check that Imperva can still successfully connect to your Fortanix account.
For full details on the API for HSM Support, see Cloud WAF v2 API Definition.
As with all Imperva APIs, you also need to provide your Imperva API key and ID as headers in the request. For more
details, see Authentication.
View certificate status
After you upload your certificate to Imperva, you can see the status in the Cloud Security Console. It is listed on the
Website Settings > General Settings page, under SSL Support custom certificate status.
In the event that you want to remove the certificate from Imperva, you can also delete it on the General Settings
page.
See also:
• API Key Management
• Authentication
For more info on the Imperva-generated certificate, see Web Protection - SSL/TLS.
In this topic:
• Overview
• Validate ownership of your website
• Validation methods
Overview
Typically, when your site's Imperva-generated certificate needs to be renewed, the process is completed
automatically by Imperva. In some instances, you will receive an email notification from Imperva requiring you to
revalidate ownership of your domain.
Subject lines of the mail: "Domain revalidation required" or "Domain revalidation deadline"
It is critical to review the required action and deadline as specified in the email and take prompt action. If your
websites are not revalidated before the deadline, SSL support will be removed and the sites will be unreachable over
SSL.
Validate ownership of your website
1. Log in to your account in the Imperva Cloud Security Console.
After website ownership has been validated, Imperva starts the process of revalidating the SSL certificate for the site
via the CA. An email is sent to you from Imperva when the process is complete.
Note:
• The Revalidate SSL button is displayed until Imperva receives confirmation from the CA that the revalidation
process has completed successfully.
• If you have multiple sites that are handled by one certificate using a wildcard, the Revalidate SSL button is
displayed for each site. For example, you may have two sites named one.example.com and two.example.com,
and your certificate is configured for *.example.com. You do not need to repeat the revalidation process for the
additional sites. When the process is complete, the status for all relevant sites is updated in the Cloud Security
Console.
Validation methods
Validate your website ownership by adding a DNS record
2. Click the Record type dropdown and select one of the following:
▪ CNAME: This option ensures automatic revalidation of the site in the future by Imperva.
▪ TXT: This secondary option is for organizations that do not allow the use of a CNAME for site validation or
do not want Imperva to automatically manage this site's revalidation in the future.
3. Log into your DNS management console and open your DNS Zone file. If you are using a DNS management
service, log into it to make the change.
4. Set the Record type to match what you selected from the dropdown.
5. Copy the Host string into the DNS Record name field:
CNAME example: _delegate_validation.<domain>
This defines your domain's delegation to Imperva.
TXT example:
CNAME example:
TXT example:
7. On the Activate SSL Support page, click I added the records button (it will match your Record type selection).
Imperva verifies that the value of the new record(s) has been added to your DNS zone file. This may take a few
minutes.
2. Select an email address from the drop-down menu where you want to receive the validation link. The drop-
down menu is populated with default emails for the domain (e.g. admin@, administrator@, etc.). To add emails
to this list, see Adding Emails for Ownership Validation.
You can test whether these email addresses are correct by clicking the Send a test email to all the addresses
link which sends test emails to all the listed addresses. This enables you to check whether you receive these
emails, thus indicating that the addresses are correct. The test emails sent in this manner do not contain a
validation link.
3. When you have selected an email address from the drop-down menu, click the Send button. Imperva sends the
validation email to the selected address.
4. Open the email you received and click on the validation link.
5. On the Activate SSL Support page, click the I clicked the link button to indicate that you have clicked the link
in the validation email.
• Configure each email as a DNS TXT record and place it on the "_validation-contactemail" subdomain of the
domain being validated. This subdomain is only used to store additional email addresses that will appear on
this drop-down menu.
• The entire value of this TXT record must be a valid email address, without any additional padding or structure,
as follows:
_validation-contactemail.domain.com 400 IN TXT additionalemail@domain.com.
• You can delete any added email by removing its TXT record.
CAA Compliance
As of September 2017, the CA/Browser Forum Baseline Requirements require all Certificate Authorities (CAs) to check
for Certificate Authority Authorization (CAA) records before issuing or renewing certificates.
A CAA record enables domain owners to specify on their DNS which CAs are authorized to issue certificates for their
domain.
CAA records are not mandatory, but they are recommended. CAA use helps you limit the CAs that can issue certificates
for your domain, and can prevent unauthorized issuance of certificates.
• no CAA records
• a CAA record that names the specific CA
If your DNS zone file currently contains CAA records, but does not contain a record for the CA you are requesting
a certificate from, that CA cannot issue or renew a certificate for your domain.
CAA Checking
When you onboard a new SSL site or enable SSL for an existing site, Imperva checks for CAA compliance to ensure the
successful issuing of certificates. This applies to Imperva-generated certificates (including multi-domain SAN
certificates) only.
What do I need to do?
If your domain is using CAA, make sure you have the
Before onboarding an SSL site:
CAA records required by Imperva.
1. Log in to your DNS management console and access your DNS zone file.
Note:
• Imperva has defined TLS 1.2 as the default minimum supported version. If you need to support earlier versions,
you must enable the Support All TLS Versions option. For details, see the TLS version support section in Web
Protection - SSL/TLS.
• As of July 1, 2022Imperva will no longer support the SSLv3 security protocol and the RC4 cipher.
For the list of supported TLS versions, see Web Protection - SSL/TLS.
In this topic:
TLS 1.2
If the origin server chooses an earlier TLS version, the proxy will accept it.
When TLS version 1.2 or earlier is chosen by the origin server, it can use ciphers from the TLS 1.2 list below that are
available in the TLS version chosen.
TLS 1.3
TLS 1.2
See also:
Note:
• Client certificates are supported for websites configured in Imperva for SSL and using a custom certificate.
• Client certificates are supported for SNI clients only. We do not support client certificates for non-SNI clients.
• Client certificates are supported per domain, not per URL.
In this topic:
• Overview
• Configure client certificate support
• Client certificate validation using a CRL
• Certificate Manager API
Overview
The growing distribution of mobile apps, smart cards, and electronic IDs means you may need to implement a higher
level of protection, such as two-factor authentication.
In addition, IoT services may rely on embedded client certificates on end devices to validate device authenticity.
See also:
Note: To learn more about Imperva client certificate support, see Client Certificate Support.
In this topic:
• Overview
• Open the Client CA Certificates configuration pages
• Upload a CA certificate to your account
• Assign a certificate to a website after upload
• Configure client certificate support settings
• View certificate details
• Send client certificate details to origin server
Overview
To configure client certificate support for a website:
Note: When you first assign a certificate to a website, the client certificate is not required by default, and traffic
is still permitted to access the site without presenting the client certificate. To require the client certificate for
the TLS handshake, see Configure client certificate support settings .
Guidelines:
• The certificate must be in PEM format. Supported file extensions include .pem, .crt, and .cer.
• The “Basic Constraints” section of the certificate must indicate that this is a CA certificate, as shown in this
example.
• If more than one certificate is used for signing, they should be concatenated.
• If the certificate is signed by a recognized CA, it must include the chain up to but not including the root
certificate.
• If the certificate is self-signed by the site owner's CA, the full chain must be provided including the root
certificate. If the certificate is signed by the root itself, no chain is required.
• We recommend that the file you upload contains only one certificate.
• You can add up to 1000 CA certificates to your account.
• You can assign up to 120 certificates per site.
Permissions:
By default, the account admin user can manage client CA certificates for the account and websites in the account.
Other users can be granted the following permissions as required:
The Client CA Certificates pages are displayed only to users with the appropriate permissions.
Open the Client CA Certificates configuration pages
The Client CA Certificates pages enable you to manage the certificates for your account and websites.
Account-level. The account-level Client CA Certificates page enables you to upload your client CA certificates and
then assign them to websites in your account.
2. Click More > Edit for a certificate and modify the list of assigned websites.
Website-level. The Client CA Certificates page located within settings for a specific website enables you to view the
certificates assigned to the website, or assign a certificate from the account to the website.
For accounts with sub accounts: You can upload a client CA certificates to the parent account only. You can then
assign the certificate to any website in the account or in any of the account's sub accounts.
To upload a certificate, open the account-level Client CA Certificates page and click Upload New.
Option Description
Uploaded file The file name of the uploaded certificate file.
Name Give a descriptive name to the certificate.
Assign to websites
Assign this certificate to the selected websites.
Option Description
The drop-down includes all websites in the account
that are configured for SSL and using a custom
certificate.
• On the account-level Client CA Certificates page, click More > Edit for a certificate and modify the list of
assigned websites.
• On the website-level Client CA Certificates page, click Assign and select a certificate from the drop-down.
Configure client certificate support settings
Configure client certificate support settings for a website on the website-level Client CA Certificates page, under
Configuration Settings.
Option Description
Option Description
• Fingerprint: The CA certificate's fingerprint in
SHA1.
• Common name: The CA certificate's common
name (CN).
• Serial number: The CA certificate's serial
number.
Restrict client certificate fingerprints If left blank, all fingerprints are accepted.
• The account-level Client CA Certificates page displays all client CA certificates uploaded to your account.
• The website-level Client CA Certificates page displays all client CA certificates assigned to the website.
Column Description
Column Description
The name of the Certificate Authority (CA) that
Issuer
issued the certificate.
Valid From The first day of the certificate's validity period.
Valid To The last day of the certificate's validity period.
If client authentication by the website is also required, Imperva can send the authentication information to your
origin server in a request header. For details, see Configure client certificate support settings above.
If you need to pass additional client parameters to the origin server, and your service plan includes Delivery Rules, you
can create delivery rules and use the following variables. If not, the Support team can implement it for you.
For more details on using these variables in delivery rules, see Create Rules.
After you receive the client certificate information, you can convert it into a certificate object.
See also:
Upload a CRL
If client certificate support is enabled for your site, you can upload a Certificate Revocation List (CRL) file to verify
whether certificates are valid and trustworthy.
Note: To learn more about client certificate support, see Client Certificate Support.
In this topic:
• Guidelines
• Upload a CRL file
Guidelines
• The CRL file must be in PEM format, using Base64 encoding.
• The CRL file cannot be larger than 1MB.
• You can upload multiple CRLs per site.
• You cannot upload multiple CRL files to a site that include the same issuer.
• To replace an existing CRL, delete the CRL file and upload a new one.
Upload a CRL file
For instructions on uploading a CRL file, see the Certificate Manager API.
The Certificate Manager API definition file provides a full, formatted, and interactive version of the Certificate Manager
API that you can use to learn about the API, or test the APIs using with your API ID and key. You can also download the
definition file.
In this topic:
The definition file presents a full, formatted, and interactive version of the Certificate Manager APIs that you can use
to learn about the APIs, or test them using your API ID and key. You can also download the definition file.
See also:
Note:
• We are currently rolling out the new WAF Rules policy type. It may not yet be available in your account.
• Starting in March 2022, website WAF settings in existing customer accounts will be migrated to the new
WAF Rules policy over a period of several months. (Migration of an individual account takes only several
minutes.)
• The migration process takes the WAF settings (located on the Application > Websites > Website
Settings > WAF page) that were configured for your websites and automatically converts them to
policies.
• If multiple websites contain identical settings, a single policy is created and assigned to the relevant
websites.
For more details on the migration process, see FAQ: WAF Settings Migration.
For more details on the WAF Rules policy, see WAF Rules policy below.
In this topic:
• Overview
• Create a policy
• Policy types
• Upload IP addresses in bulk
• Add an exception
• Apply a policy to websites
• Set a policy as default
• View and manage policies
• Policy Management API
Overview
Manually configuring a large number of sites can be resource-intensive, time-consuming, and error-prone. Policy
Management introduces the ability to centrally configure and manage settings, save them as a policy, and then apply
the policy to multiple sites in your account.
Policy types
Imperva offers several types of policies. Each type covers a specific area of Imperva functionality, such as access
control lists (ACLs) or Allowlists, and has its own set of specific fields available to configure. For details, see Policy
types.
Permissions
By default, the account admin user can manage policies for the account and for websites in the account. The following
permissions can be added to roles and assigned to other users in the account or in its sub accounts as required.
• View policy
• Add/Duplicate policy
• Edit policy
• Delete policy
• Add exception to policy
• Edit exception in policy
• Delete exception from policy
• Apply policy to assets
The Policies pages are displayed only to users with the appropriate permissions.
Create a policy
In the Cloud Security Console:
General tab
Select the type of policy you want to create and fill in the details.
Field Description
Policy Name A descriptive name for the policy.
Description Optional.
Field Description
Policy Type Select a policy type. For details, see Policy types.
Configuration tab
The fields available for configuration in the policy vary based on the policy type that you select. For details on the
available policy types and their fields, see Policy types below.
Applied on tab
Field Description
Field Description
Policy types
Each policy type covers a specific area of Imperva functionality. When you create a policy, the fields available for
configuration vary based on the policy type.
• Simultaneously applied policies: (ACL and Allowlist policies): Multiple policies of these types applied to a
single website. For example, two ACL policies can be assigned simultaneously to the same website.
• Individually applied policies: (WAF Rules policy). Only one policy of this type can be applied to a single
website. If another individually applied policy is applied to the same website, it replaces the policy currently
applied to the website.
ACL policy
Block specific countries, URLs, or IPs from accessing your sites. In each of the sections, you can click
to add an exception to the policy. For more details, see Add an exception below.
Field Description
Note:
Field Description
• Contiguous transcontinental countries, such
as Russia and Turkey, span more than one
continent. At Imperva, Russian Federation and
Turkey appear in the drop-down for Europe,
and not Asia. Nevertheless, selecting the
country will block the country's traffic across
all of its continents. For example, although
Turkey appears under the Europe drop-down
selection, selecting Turkey also blocks Asian
Turkey.
Allowlist policy
Add a list of trusted IPs that are not inspected by Imperva's WAF and Security settings.
If you would like to add an IP to an allowlist for a specific rule, it is recommended that you add an exception to a
specific rule (see below) rather than adding a global Allowlist rule.
Field Description
Allowlist IPs Enter IP addresses, IP ranges, or subnets.
Define how Imperva's Web Application Firewall (WAF) responds to malicious visitors or requests.
Each WAF rule in the WAF Rules policy addresses a different type of threat to your web applications. For each WAF
rule, you can define a mitigation level (such as alert or block), or keep the default settings. By default, the WAF rules
are set to the Block Request option. The only exception is the Cross Site Scripting rule, which is set to Alert Only.
For each rule, you can also click to add an exception to the policy. For more details, see Add an
exception below.
Each Imperva account and sub account includes a default WAF Rules policy.
The default account policy is automatically applied to new websites created in the account or sub account.
A WAF Rules policy is always created in the enabled state, and cannot be disabled.
A website must have exactly one WAF Rules policy applied to it.
• If you apply a WAF Rules policy to a website, it replaces the policy that is currently applied to the website.
• If you remove a WAF Rules policy from a website, the account’s default policy is automatically applied to the
website.
WAF rules
Note: The following WAF rules are defined at the website level on the Website WAF Settings page:
• Backdoor Protect. For more information, see Web Protection - WAF Settings.
• DDoS settings. For more information, see Web Protection - DDoS Settings.
Mitigation level
For each WAF rule, you can define how the Imperva Cloud WAF responds.
Option Description
The event is not listed in the Security Events page
Ignore
and no action (such as blocking) is taken.
A notification is sent to your Imperva account's
administrator/user (according to the Notification
Alert Only
Settings) and an alert appears in the Security Events
page. The malicious traffic is not blocked.
Malicious requests are blocked. In addition, an alert
Block Request
and an event are generated.
Option Description
Any user that has attacked your website will be
blocked from sending subsequent requests for 10
Block User
minutes. In addition, an alert and an event are
generated.
Any IP that has attacked your website will be
blocked from sending subsequent requests for 10
Block IP
minutes. In addition, an alert and an event are
generated.
Upload IP addresses in bulk
You can add a list of IP addresses in .csv format. This is supported everywhere on the Policies pages where IP
addresses are entered.
Guidelines:
• The file can include individual IP addresses, subnets, or ranges. For example:
1.1.1.1/25
2.2.2.2
2001:db8:3333:4444:5555:6666:7777:8888
3.3.3.3-3.3.3.5
• The entries must be listed in a single column - one entry per line.
When you create or edit a policy, you can add an exception and apply it as follows:
Option Description
The exception is applied to all assets listed under
Apply to all assets with this policy Apply to assets in the policy (all websites in the
account).
Apply to specific assets The exception is applied to the selected assets only.
When editing a policy that is applied to your site (Policies page > More > Edit), you can add, edit, or delete an
exception.
Wildcards:
• You can use a wildcard character (*) in an exception on a URL only at the end of the URL path.
• Wildcards are not supported in an exception on a WAF Rules policy HTTP parameter. If used, the asterisk (*) is
considered part of the parameter value. For example, example* will match only example*, but not example.
An exception rule will match only if all match criteria are satisfied. If you want to add an exception for multiple and
non-related scenarios, you can add multiple exception rules. Each exception rule is evaluated independently.
For example, suppose you created a Block Countries rule and need to add a few exceptions.
You want to add an exception for IP 1.2.3.4 on a specific URL, and for IP 5.6.7.8 under any circumstance.
This will bypass the block rule for either of the IPs on URL /index.php only.
Instead, you need to create two separate exception rules for this scenario:
Exception on IP 5.6.7.8
Apply a policy to websites
There are several ways to apply a policy to websites in your account:
When creating or editing a policy, you can apply the policy to selected websites in the account, as described above in
Create a policy.
• If the account has sub accounts, you can apply the policy to sites in the account and to sites in any of the
account's sub accounts.
• When you create a policy in a sub account, you can apply the policy to sites in the specific sub account only.
You can also apply the policy by default for new sites created in your account. For details, see Apply a policy to
websites below.
Website-level:
On the Websites > Security > Policies page, click Apply to select existing policies to apply to the website.
Set a policy as default
You can apply a policy by default to all new websites created in an account. This setting does not affect existing sites
in the account.
In the policy, click Enable as default policy, and select the parent account and/or any sub accounts under the
account.
• When you select the parent account, the setting applies only to new sites created directly under the parent
account. It does not apply to new sites created under the sub accounts.
• If you move a site between a parent account and a sub account, or between sub accounts, any policies set as
default in the destination account are automatically applied to the site. In addition, policies that were already
applied to the site in the source account are still applied.
View and manage policies
On the Policies page in your account or website, you can view and manage your policies:
• Account-level: Application > WAF > WAF Policies. The Policies page displays all policies created in your
account.
• Sub account-level: Application > WAF > WAF Policies. The Policies page displays all policies created in your
sub account or applied to your sub account by the parent account.
• Website-level: Application > Websites > Security > Policies. The Policies page displays all policies applied to
your website.
Field Description
Policy Name (ID) You can define the policy name. The ID is
automatically assigned by the system.
Field Description
The policy type, which covers a specific area of
Type
Imperva functionality.
Description Available from: Account or sub account page only.
The policy will be automatically assigned to new
Marked as default websites created in the accounts or sub accounts
specified in the policy.
The number of websites to which the policy is
Applied to
currently applied.
Field Description
Note: You cannot delete a policy from the account
when the policy is applied to websites.
Tips:
• Use the free-text Search bar at the top of the page to locate policies according to details in the table, such as
type or policy name.
• Use the Filters drop-down to view policies by either Enabled or Disabled policy status.
• Click Download CSV to download the list of policies in .csv file format.
Policy Management API
Create and manage policies for your account using the API.
For instructions on using the Policies API, see Policy Management API Definition.
The definition file presents a full, formatted, and interactive version of the Policies APIs that you can use to learn
about the APIs, or test them using your API ID and key. You can also download the definition file.
See also:
Overview
WAF settings were previously defined separately for each protected website. With Imperva Policy Management, you
can define a policy and apply it to multiple websites.
For existing customers, we need to migrate your existing settings to the new WAF Rules policy.
The WAF Rules policy type enables you to easily manage your mitigation settings for website WAF rules in a central
policy.
The new WAF Rules policy enables you to manage WAF settings for your websites exactly as you do today, but in a
centralized location for your entire account or subaccount.
How do I move from the existing to the new WAF settings policies?
Imperva runs a migration process that moves of all your existing WAF settings into the new WAF Rules policies.
The zero-downtime migration process imports your website-level WAF settings into WAF Rules policies for the account
or subaccount in which the website is defined.
If there are settings that are common to more than one website, a single policy is created. All the relevant websites are
listed in the policy.
• Generated WAF Rules Policy <number>: A policy created from a website's configuration.
• Generated Default WAF Rules Policy for <account id>: The default policy created for the account or sub account.
(Each account and subaccount has its own default policy.)
When will the migration process take place? Will I be notified before the migration?
Migrating is a fully reversible process. Moreover, if the migration process fails, your website-level settings remain
unchanged and accessible.
Unfortunately no.
Once the migration process is complete for all customers, the old (existing) WAF settings will be removed from the
application.
The WAF policy configuration is available in the account or subaccount. After logging in to the Cloud Security Console,
navigate to Application > WAF > WAF Policies.
Can I manage the WAF Settings both at the account and subaccount level?
Yes, you can. You can define and manage central policies for all websites in the account or subaccount in which the
websites are defined.
Yes.
Once the migration process is complete for all customers, the old (existing) website-level WAF settings will be
removed from the application.
In the new WAF Policy feature, you can define a new policy and easily assign it to any of the websites that reside under
your account or subaccount. For details, see Create and Manage Policies.
Is there any change in the APIs I use for managing my WAF settings?
Yes. Once your account is migrated, you can no longer use the following APIs to configure WAF settings and
exceptions:
• /api/prov/v1/sites/configure/allowlists
• /api/prov/v1/sites/configure/whitelists
• /api/v1/sites/{SiteId}/settings/rules/SQL_INJECTION/exception
• /api/v1/sites/{SiteId}/settings/rules/CROSS_SITE_SCRIPTING/exception
• /api/v1/sites/{SiteId}/settings/rules/ILLEGAL_RESOURCE_ACCESS/exception
• /api/v1/sites/{SiteId}/Settings/rules/REMOTE_FILE_INCLUSION/exception
In addition, details of the WAF settings and exceptions will be removed from the following Site Management APIs:
• All other Site Management APIs that return details of the site’s WAF settings configuration
Instead, use the Policies API to configure WAF Rules. For details, see Policy Management API Definition.
Yes. Once your account is migrated, you can no longer use the incapsula_waf_security_rule and
incapsula_security_rule_exception Terraform resources with the following rule_id values to configure WAF settings
and exceptions:
• api.threats.cross_site_scripting
• api.threats.illegal_resource_access
• api.threats.remote_file_inclusion
• api.threats.sql_injection
Note: As of August 1, 2022, following the migration of WAF settings for all customer accounts to the new WAF Rules
policy, the old WAF setting APIs and old Terraform resources mentioned above will be decommissioned.
See also
Bot Mitigation
This topic discusses Imperva's mitigation capabilities for automated threats.
Overview
Automated threats are characterized by unwanted, automated actions that have a detrimental effect on a web
application, often through the misuse of legitimate functionality, rather than by attempting to exploit unmitigated
vulnerabilities. These threats are further discussed here: https://www.owasp.org/index.php/
OWASP_Automated_Threats_to_Web_Applications .
Automated threats are often carried out by the malicious use of bots. A bot is generally defined as an application that
performs an automated task, typically a simple, repetitive task performed at a much higher rate than people
performing these tasks manually could achieve.
• Good bots are used for productive purposes, such as for gathering data for search engines (googlebot), for
commercial purposes (finding you the best deal), or for chatbots (customer service).
• Bad bots are used for malicious purposes, such as to automate attacks such as denial-of-service attacks, to buy
up seats for shows or concerts, or to sabotage gaming sites.
Who are you?
To mitigate automated threats, we first ask the question, "Who are you?". Imperva's bot protection solution is based
on identifying the threat according to our system of client classification.
Imperva’s unique classification technology can tell whether your website visitors are humans or bots. Our client
database holds an extensive list of bot classifications and can identify the specific type of bot visiting your website.
Based on the classification, we can categorize the bot as good, bad, or unidentified. Unidentified bots are ones for
which we don't have a classification and are not listed in our client database. By default, we treat an unidentified bot
as suspicious because it is an unknown, but it may be harmless. For the list of the clients and client type categories
that Imperva addresses, see Client Classification.
Once we have categorized the bot, we are ready to decide whether to challenge suspicious visitors and verify their
authenticity, alert you of suspicious activity, or block requests that pose a threat to your website.
As a customer, you can easily configure bot mitigation options in the Cloud Security Console:
To mitigate these threats, we ask the question, "What are you trying to do?".
For example, requests from a browser can be legitimate or malicious. Consider a brute force attack, in which a large
number of consecutive "guesses" are generated in order to obtain some desired data, such as login credentials. So
even if we determine that the client/source of the request is seemingly legitimate, the goal of the action is not. To
protect against such an account takeover attack, in which there is an attempt to gain unauthorized access to and
control of an account, you can create customized security rules for your web applications.
Examples
Threat What does it do? Imperva mitigation
Malicious, questionable,
undesirable, or unsolicited
Spamming information added to public or Default functionality
private content, databases, or user
messages.
For example:
Read More
Client Classification
Mitigation of malicious bot activity and Layer 7 DDoS attacks starts with identifying the source of the attack. This
mitigation uses Imperva’s advanced client classification technology.
In this topic:
• Overview
• Client types
• Client IDs
Overview
Imperva’s unique classification technology can tell whether your website visitors are humans or bots. Our client
database holds an extensive list of bot classifications and can identify the specific type of bot visiting your website.
Mitigation of Layer 7 DDoS attacks also leverages Imperva’s client classification technology.
Based on this classification system, Imperva determines whether to challenge suspected visitors and verify their
authenticity, alert you of suspicious activity, or block requests that pose a threat to your website.
Note: In addition to Imperva's existing security and application delivery logic, you can create and apply your own
customized security and access control rules for specific client types or applications. For details, see Create Rules and
Rule Filter Parameters.
Client types
The client application type, such as Browser or SpamBot. Note that some bots can be used for multiple purposes and
can fall into more than one category. For example, a Java library can be used for scraping purposes or attack
purposes.
Note: You can also retrieve a list of all the client applications using the API. For details, see Get client application info
in Integration API.
Rules
Use the Imperva rules proprietary scripting language to implement your own security, delivery, and access control
rules on top of Imperva's existing security and application delivery logic.
In this topic:
• Overview
• Filters, triggers, and actions
• Rule management and revisions
• Monitor rule activity
Overview
Custom rules can be manually coded or generated using a dedicated GUI that helps you get acquainted with the rule
generation process.
Web application owners and security engineers can use the rules to improve the security and performance of their
websites and applications. For example, rules can be created to:
In this case, the trigger is a combination of two filters - one to mark the restricted URL and another to prevent access
from all external IPs. Overall, the rules enable you to create policies based on:
The resulting actions may also vary, with options ranging from “Silent Alert”, to initiation of additional challenges
(e.g., CAPTCHA, JS, etc), to absolute blocking of a visitor or even null-routing of all traffic from a specific IP address.
• Alert
• Block Request
• Block Session
Security and access control rules • Block IP
• Require Cookie Support
• Require Javascript Support
• Require CAPTCHA Support
• Redirect URL
Application delivery rules • Rewrite (URL, Header, Cookie)
• Forward
All in all, with its vast number of possible combinations, the rules allow for limitless possibilities, giving you the
flexibility you need to deal with any possible security scenario.
Rule management and revisions
Rules are managed at the site level for every protected web domain. In addition to creating, editing, and deleting
rules, the rules management interface enables revision management. Imperva maintains a list of revisions for every
rule, enabling administrators to review an audit trail of all rule changes and easily revert to a previous rule revision, as
needed.
Monitor rule activity
Similar to other Imperva security features, you can also monitor rule activity in a website's Dashboard and Events
pages.
Read More
• Create Rules
• Manage Rules
Create Rules
Create application delivery rules, or implement your own security and access control rules on top of Imperva's
existing security logic.
In this topic:
• Create a rule
• Define a rule filter
• Delivery actions
• Security actions
Create a rule
To open the Rules page to create a new rule, log in to your my.imperva.com account.
Field/Option Description
Rule Action Define the action you want Imperva to take for every
request that matches the rule.
Field/Option Description
For details, see:
• Delivery actions
• Security actions
• Create Rate Rules
• Create Simplified Redirect Rules
Note:
Send an email notification whenever this rule is Note: Accounts with access to Notification Settings
triggered must also configure Real-Time WAF Alert
Notifications in Notification Settings. For more
details, see Notification Settings.
Field/Option Description
or modified rule in test mode prior to activating
in production.
Example:
Operator
Note: When a server is identified as 'down' by the Imperva Load Balancer, our proxies start to send active monitoring
requests to the origin server that is defined for the site, using the site’s Host header. (Origin servers are defined for the
site in the Cloud Security Console in Websites > Settings > Origin Servers.)
If there are custom delivery rules defined for the site, such as forward or rewrite rules, they are not run.
Therefore, the default origin server itself must be able to receive requests from the proxy so that we can confirm
server availability.
For more details on active monitoring, see Load Balancing Monitoring Settings.
In this section:
• Redirect URL
• Rewrite request
• Rewrite response
• Forward
• Replacement logic and wildcards
• Variables
Redirect URL
Redirect a URL. When a request matches a condition of a redirect rule, Imperva responds with a 30X response code
which redirects the client to a different URL.
The redirected URL can be fixed for all requests matching the rule condition or, alternatively, can be customized based
on the specific request line of each request.
The supported redirect codes are: 301, 302, 303, 307 and 308 (Redirect codes W3C specification ).
Redirect rules are the first type of rules to be evaluated. This means that if a redirect action has been triggered,
Imperva will stop inspecting the request for other rules.
Note: Redirect to FQDN and redirect to HTTPS in Website > Settings > General have a higher priority than rules in the
Rules table. To maximize ease-of-use, it’s recommended to define all redirect rules in the Rules table.
Rewrite request
The rewrite/remove actions can be used to modify, add, and remove different request attributes such as URL,
headers, and cookies. Imperva receives the request from the client, applies the relevant changes, and then forwards
the request to the origin server. Responses to Rewrite actions are cached by default.
Use the Add new if missing option to add a header or cookie that is absent from the original request. Note: You
cannot use this option when the To field contains wildcard variables $1, $2, ..., as Imperva cannot determine the value
of the header.
Action Description
Action Description
Notes:
Action Description
origin server, a Forward rule should be
configured to direct the request to the
appropriate origin server (data center)
Notes:
Action Description
Action Description
Notes:
Remove Request Cookie Removes a specific cookie set on the client, which
means that it won’t be sent to the origin server.
Action Description
Rewrite response
The rewrite/remove actions can be used to do the following, before the response is returned to the client.
Imperva receives the response from the origin server, applies the relevant changes, and then returns the response to
the client.
Use the Add new if missing option to add a header that is absent from the original response.
Note: You cannot use the Add new if missing option when the To field contains wildcard variables $1, $2, ..., as
Imperva cannot determine the value of the header.
Action Description
Action Description
Content-Length, Transfer-Encoding and Content-
Encoding.
Forward
Forward to Data Center GSLB between Data Centers used for Forwarding is
not supported.
When defining delivery actions, such as rewrite or redirect, string replacements can be a useful tool for keeping the
number of rules under control and easy to manage.
Variables
The following variables can be used in the To field, for both redirect and rewrite actions:
Examples:
Use variables to redirect requests to a new path (/football), maintaining the original scheme, domain, and
arguments.
Identify the Imperva data centers that are most frequently used for your visitors. In this example, every
request that reaches your origin server will include the Imperva-PoP header with the value of the Imperva
data center that handled the request.
Security actions
Define the action you want Imperva to take for every request that matches the rule filters:
Read More
For example, you can create a security rule for the following scenario:
If a client accesses /login.html from China more than 20 times per minute, block it.
This new functionality boosts your ability to mitigate brute force or scraping attacks, which use a high rate of activity
to gain unauthorized access to resources. It also helps detect uncommon or irregular user behavior. Custom rate rules
are an extension of our existing mitigation capabilities in which you can create custom security or delivery rules to
meet a specific need.
Note: Due to the asynchronous nature of the system, rate rules may be triggered only after the rate count passes the
threshold by several requests. Therefore, rate rules are recommended for use cases that are tolerant to such events.
For example, you might want to use it to make sure that a specific API is not called more than 500 times in a minute.
In this topic:
A new Count (Rate) action is available in rules. A rate rule counts the number of requests received that match your
specified criteria within a specified amount of time. For example, how many requests for your site's login page are
received per minute.
Once the rate rule is created, you can create a new security or delivery rule, using the rate in the rule filter. For
example, if the login rate you defined above is greater than 12, send an alert.
Note: A custom rate rule that is used by another rule cannot be disabled or deleted.
How to create custom rate rules
To create a rate rule:
For more details, see Create Rules and Rule Filter Parameters.
A rate rule name may not contain special characters, including the underscore ("_") character or periods (".").
Only alphanumeric characters, hyphens ("-"), and spaces are allowed.
In this example, you select a rate you created called Login Rate that measures requests for your site's login
page:
Tip: You can include multiple filters and rates in a single rule.
4. Fill in the remainder of the fields, selecting the Security or Delivery rule action you want, such as Alert.
Using a rate rule in the API
A rate rule name may not contain special characters, including the underscore ("_") character or periods ("."). Only
alphanumeric characters, hyphens ("-"), and spaces are allowed.
When using a rate rule in the API, make sure to follow the accepted syntax for rule filters, as follows.
If the name of your custom rate rule includes spaces, replace the spaces with hyphens ("-") to use the rate rule as a
filter in another rule.
For example, on the Rules page, if a custom rate rule named Login Rate rule is used in another rule, it would look like
this:
Read more
• Create Rules
• Rule Filter Parameters
In this topic:
On the top menu bar, select Account > Account Management to open Account Settings.
Rule Fields
Field Requirements
Field Requirements
https://www.example.com/abc or $scheme://
$host/abc.
• Path may be empty. For example, https://
www.example.com.
• May not include $numeric. For example, $1, $2
that are used in regular redirect rules to
correspond to wildcards in the From field are
not allowed.)
For more details on configuring the From and To fields in redirect rules, see Create Rules.
URL format
The URL in the From field can use any of the following formats
The incoming request is evaluated to see if there is an exact match to one of the simplified redirect rules. If a request
matches more than one rule, the priority goes according to the order above.
For example, a request for www.example.com/stores?blue=1 will be redirected according to rule #3 above, and not #4,
because it is matched to rule #3 first.
Note: To match any request to a given host, the URL must not include a /. For example www.exampe.com/ will only
match requests for /, while www.example.com will match a request for any path.
Create simplified redirect rules using the API
Create and manage simplified redirect rules using the standard API rule operations.
Read More
• Create Rules
• Site Management API
A custom error response rule enables you to replace the default error response and error code that are returned to the
client.
In this topic:
Rule Filter
Rule Action
Field Requirements
Action Select Rewrite Response > Error.
Field Requirements
Accepted formats are JSON or XML. Use the sample
template that is provided or edit as desired.
Error types
Select the error type that you want to trigger the custom error response rule.
See also:
• Rules
• Error Responses
Override WAF Settings
Create a custom rule to override WAF settings for a subset of your protected website, enabling you to apply a more
granular mitigation strategy.
In this topic:
• Overview
• How to override a WAF setting
• Example
Overview
You can create a custom rule to override the global WAF setting defined on the Web Protection - WAF Settings page.
This enables you to define an alternative WAF action for a subset of your domain for a specific threat type.
It can be useful if your domain hosts multiple applications and you want to define a different threat response for one
or more of the applications, such as Alert instead of Block.
How to override a WAF setting
Create a new rule, configured as follows.
Field Description
WAF Setting to Override Select the threat type setting you want to override.
Note: If there is at least one active override rule for a WAF setting, a warning is displayed on the WAF Settings page:
Example
Suppose your domain hosts three versions of your application, used for different geographical areas:
• example.com/NL
• example.com/HK
• example.com/SG
If you want to receive alerts for the relevant requests for the SG application instead of blocking them, you can create a
custom rule as follows:
Syntax Guide
Rule filters are composed by combining predicates using AND/OR operators (&,|). Each predicate is comprised of:
• Parameter / matched object: The part of the request or the sessions to which the filter is applied. For example,
Client IP or Country.
• Operator: Defines how the parameter value is matched. For example, "greater than" or "equals". Each matched
object can have its own unique set of operators based on its characteristics.
• Value: The value to be matched.
Operators
The following operators are available. Most filter parameters support only a subset of the list of operators. For the full
list supported operators for each filter parameter, see Rule Filter Parameters.
Reserved Characters
Syntax Description Example
“ Used to enclose textual values URL == "/admin"
Read More
• Create Rules
• Rule Filter Parameters
Note: You define rule filters in the Add Rule page. For details, see Create Rules.
To define the rule filter, you can select filter options available in the UI, or add filters directly using the native syntax.
For details on the correct syntax, see the Syntax Guide.
For examples of rules you can use to address some common use cases, see Security Rule Use Case Examples and
Delivery Rule Use Case Examples.
Client Parameters
ASN
Example: ASN == 71
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
City
The name of the city where the client sending the request is located.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Client Certificate CN
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
not-contains Does not contain
Client ID
When adding or editing a rule in the Cloud Security Console, start entering text in the value field to display a list of
available values.
Example: ClientId == 15
Note: When used in a cache rule, this parameter may be used with the Enrich Cache Key rule action only.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Client IP
Example:
ClientIP == 120.0.0.1
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Client Type
The client application type, such as Browser or SpamBot. Select from the list of available values.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Continent Code
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Country Code
Example: CountryCode == GB
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Declared Client Id
The ID of the client application, according to the declaration in the UserAgent HTTP header.
When adding or editing a rule in the Cloud Security Console, start entering text in the value field to display a list of
available values.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Client type based on the client declaration in the UserAgent HTTP header.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Epoch
The UNIX timestamp of the request - the number of microseconds since midnight January 1, 1970.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is greater than or equal to
<= Value is equal to or smaller than
The risk level posed by this IP, based on the assessment of the Imperva Reputation Intelligence service. For more
details, see Reputation Intelligence.
The risk assessment is based on activity of this IP across the Imperva customer base over the previous 2 weeks (clean
and malicious traffic). Risk is continually evaluated so the risk level for a given IP can change on a daily basis.
The calculation takes into account the number of attacks, the number of Imperva customer accounts that were
attacked, and the severity of attacks by this IP.
• Low: 0-24
• Medium: 25-74
• High: 75+
This will filter for requests from source IP addresses whose risk score is medium or high.
Supported Operators
UI Predicates Description
== Is equal to
>= Value is greater than or equal to
Is Mobile
Distinguishes between requests coming from mobile devices and requests coming from desktop clients based on the
user-agent used in the request.
Example:
This rule is triggered when a request made for URL path “welcome.html” is sent from a mobile device.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Latitude
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is greater than or equal to
<= Value is equal to or smaller than
Longitude
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is greater than or equal to
<= Value is equal to or smaller than
Malicious IP List
The client (source) IP address of the request is identified as an anonymous proxy IP or a Tor exit node.
Possible values
• AnonymousProxyIPs
• TorIPs
Supported Operators
UI Predicates Description
== Is equal to
Postal Code
The postal/zip code of the client sending the request. May be available for requests from specific countries.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Source Port
The client's outgoing port number. It can be used, for example, to distinguish users behind NAT.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is greater than or equal to
<= Value is equal to or smaller than
State
The state, province, or region where the client sending the request is located.
The State parameter must be used together with the CountryCode parameter to identify requests from a specific
state, province, or region of a country.
Examples:
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
User Agent
Checks for the specified string pattern in the User-Agent header in the client request.
Note: This parameter cannot be used with the Cache Resource rule action.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
UI Predicates Description
not-contains Does not contain
starts with Starts with
ends with Ends with
does not start with Does not start with
does not end with Does not end with
Counter Parameters
API Rate
Measures the rate of API requests in a client session during a one minute period.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
API Rate IP
Measures the rate of API requests from a single IP during a one minute period.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Measures the rate of AJAX requests (x-requested-with) per session over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Measures the rate of GET AJAX requests (x-requested-with) per session over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Measures the rate of POST AJAX requests (x-requested-with) per session over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Attack
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Attack Count
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Attack IP
Measures the rate of malicious (blocked) requests per IP over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Custom Rate
Use a custom, user-defined rate to filter the traffic and trigger your rule when the rate passes a specified threshold.
For example:
Supported Operators
UI Predicates Description
>= Value is equal to or larger than
Measures the rate of requests per IP to known resource-intensive pages over a period of one minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is greater than or equal to
<= Value is less than or equal to
Measures the rate of GET requests per IP address over a period of one minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
UI Predicates Description
<= Value is equal to or smaller than
Measures the rate of requests to the homepage (/) per session over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Measures the rate of requests to the homepage (/) per IP address over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Measures the rate of requests to a SugarCRM login page per IP over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
UI Predicates Description
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Measures the rate of requests to a Zen Cart login page per IP over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Login BF Concrete 5
Measures the rate of requests to a concrete5 login page per IP over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Login BF Drupal
Measures the rate of requests to a Drupal login page per IP over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Login BF Joomla
Measures the rate of requests to a Joomla login page per IP over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Login BF osCommerce
Measures the rate of requests to a osCommerce login page per IP over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Measures the rate of requests to a PHPMyAdmin login page per IP over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Login BF Wp
Measures the rate of requests to a WordPress login page per IP over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Login IP
Measures the rate of requests to a login page per IP over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Measures the rate of requests done with common administrator credentials per IP over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Measures the rate of requests to a login page with a list of common passwords per IP over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is greater than or equal to
UI Predicates Description
<= Value is less than or equal to
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is greater than or equal to
<= Value is less than or equal to
Page Rate
Measures the rate of HTML requests per session over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Measures the rate of HTML requests per IP address over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
UI Predicates Description
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Page Rate IP 5s
Measures the rate of HTML requests per IP address over a period of 5 seconds.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Post IP
Measures the rate of POST requests per IP address over a period of one minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is greater than or equal to
<= Value is less than or equal to
Post IP 5s
Measures the rate of POST requests per IP address over a period of 5 seconds.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Post Rate
Measures the rate of POST requests per session over a period of one minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is greater than or equal to
<= Value is equal to or smaller than
Request Rate IP
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Measures the rate of requests per session over a period of one minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is smaller than
< Value is larger than
>= Value is greater than or equal to
<= Value is less than or equal to
Request Rate Wl IP
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Sessions with more than 5 requests from a specific IP during a 5 minute period.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Measures the RPS (requests per second) for the website over a period of 5 seconds.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Measures the average RPS (requests per second) for the website over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
UI Predicates Description
<= Value is equal to or smaller than
Static Rate IP 5s
Measures the rate of non-HTML requests per IP address over a period of 5 seconds.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Measures the rate of WordPress XML RPC requests (To xmlrpx.php) per IP over a period of 1 minute.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Request Parameters
Accept
Checks for the specified string pattern in the Accept HTTP header value.
Example:Accept == "text/html"
Supported Operators
UI Predicates Description
== Is equal to
UI Predicates Description
!= Is not
contains Value contains
not-contains Does not contain
starts with Starts with
ends with Ends with
does not start with Does not start with
does not end with Does not end with
Accept Charset
Checks for the specified string pattern in the Accept-Charset HTTP header value.
Example:Accept-Charset == "utf-8"
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
not-contains Does not contain
starts with Starts with
ends with Ends with
does not start with Does not start with
does not end with Does not end with
Accept Encoding
Checks for the specified string pattern in the Accept-Encoding HTTP header value.
Example:Accept-Encoding == "gzip"
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
not-contains Does not contain
starts with Starts with
ends with Ends with
does not start with Does not start with
does not end with Does not end with
Accept Language
Checks for the specified string pattern in the Accept-Language HTTP header value.
Example:Accept-Language == "en-us"
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
not-contains Does not contain
starts with Starts with
ends with Ends with
does not start with Does not start with
does not end with Does not end with
Checks for the specified string pattern in the values of all HTTP headers.
Example:AnyHeaderValue == "debug"
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
not-contains Does not contain
starts with Starts with
ends with Ends with
does not start with Does not start with
does not end with Does not end with
Checks for the specified string pattern in the values of all parameters in the query string and post body of the client
request.
Example:AnyParamValue == "debug"
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
not-contains Does not contain
starts with Starts with
ends with Ends with
does not start with Does not start with
does not end with Does not end with
Checks for the specified string pattern in the parameter names in the post data in the client request.
Example:BodyParamExists != "test"
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
not-contains Does not contain
Checks for specified string patterns with a specific parameter value in the post body. In the example, the filter looks
for an exact match of PVAL in the value of the parameter PNAME.
Example:BodyParamValue == {"PNAME";"PVAL"}
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
not-contains Does not contain
starts with Starts with
ends with Ends with
does not start with Does not start with
does not end with Does not end with
Connection
Checks for the specified string pattern in the Connection HTTP header value.
Example:Connection == "keep-alive"
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
not-contains Does not contain
starts with Starts with
ends with Ends with
does not start with Does not start with
does not end with Does not end with
Content Datacenter ID
Checks for the Imperva ID of the destination origin data center for the request.
This ID is relevant to your data centers that are defined to support only forward rules (data centers that you have
defined in Website Origin Server Settings with the Support only forward rules option enabled).
Tip: To retrieve the Imperva ID of the data center, run the /api/prov/v2/sites/{extSiteId}/settings/origin/datacenters
API. For details, see Load Balancing Settings API Definition.
Example: ContentDcId == 43
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Content Type
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Cookie Exists
Checks for the specified string pattern in the cookie names in the client request.
Example:CookieExists == "SessionID"
Note: This parameter cannot be used with the Cache Resource rule action.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Cookie Value
Checks for the specified string patterns in the cookie name and value in the client request.
Example:CookieValue == {"cookie_name";"cookie_value"}
Note: This parameter cannot be used with the Cache Resource rule action.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
not-contains Does not contain
starts with Starts with
ends with Ends with
does not start with Does not start with
UI Predicates Description
does not end with Does not end with
Full-URL
Checks for the specified string pattern in the full path in the client request, including the query string. The protocol
(http/s) and host name are ignored.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
not-contains Does not contain
starts with Starts with
ends with Ends with
does not start with Does not start with
does not end with Does not end with
Note: This filter is applicable when adding a request header in a delivery rule (Rewrite Header rule).
In this example, the filter looks for the cache tag cache-tag-example.
Example:HasCacheTag == "cache-tag-example"
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Header Exists
Example:HeaderExists == "Content-Length"
Note:
• This parameter cannot be used with the Cache Resource rule action.
• This parameter considers the first value only. If additional values are entered, the filter does not work.
For example:
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Header Value
Checks for string patterns with a specific field value in the request headers. In the example, the filter looks for an exact
match of HeaderValue in the value of the header HeaderName.
Example:HeaderValue == {"HeaderName";"HeaderValue"}
Note:
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
not-contains Does not contain
starts with Starts with
ends with Ends with
does not start with Does not start with
does not end with Does not end with
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
HTTP Version
Example:Ver == "1.1"
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
IP Version
Example:IpVersion == 4
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
is HTTPS
Example:is-HTTPS == No
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Is Naked Domain
Example:IsNakedDomain == Yes
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Example:MaxHeaderSize >= 50
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Method
Example:Method == POST
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Num On Session
Example:NumOnSession > 7
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Origin Destination IP
Checks for the IP address of the destination origin server for the request.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Param Exists
Checks for the specified string pattern in the parameter names in the query string and post data in the client request.
Example:ParamExists != "test"
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
not-contains Does not contain
To check for the parameter in only the query string or in the post body, see Query String Param Exists and Body Param
Exists.
Param Value
Checks for specified string patterns with a specific parameter value in the request query string or post body. In the
example, the filter looks for an exact match of PVAL in the value of the parameter PNAME.
Example:ParamValue == {"PNAME";"PVAL"}
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
not-contains Does not contain
starts with Starts with
ends with Ends with
does not start with Does not start with
does not end with Does not end with
< Value is smaller than
> Value is larger than
>= Value is equal to or larger than
<= Value is equal to or smaller than
To check for the parameter value in only the query string or in the post body, see Query String Param Value and Body
Param Value.
Post Data
Checks for the specified string pattern in the raw post data in the client request.
Supported Operators
UI Predicates Description
contains Value contains
not-contains Does not contain
Example:PostDataExists == Yes
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Post Size
The length of POST body in bytes. If the Content-Length header is present, its value is used.
If the data is chunked, the currently accumulated post size that was read is used.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
< Value is smaller than
>= Value is greater than or equal to
<= Value is equal to or smaller than
Query String
Checks for the specified string pattern in the query string in the client request.
Example:QueryString == "type=gif"
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Checks for the specified string pattern in the parameter names in the query string in the client request.
Example:QueryStringParamExists != "test"
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
not-contains Does not contain
Checks for specified string patterns with a specific parameter value in the request query string. In the example, the
filter looks for an exact match of PVAL in the value of the parameter PNAME.
Example:QueryStringParamValue == {"PNAME";"PVAL"}
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
not-contains Does not contain
starts with Starts with
ends with Ends with
does not start with Does not start with
does not end with Does not end with
Referer
Checks for the specified string pattern in the Referer header in the client request.
Supported Operators
UI Predicates Description
== Is equal to
!= Does not contain
contains Value contains
not-contains Does not contain
starts with Starts with
ends with Ends with
does not start with Does not start with
does not end with Does not end with
Request Size
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
> Value is larger than
UI Predicates Description
< Value is smaller than
>= Value is equal to or larger than
<= Value is equal to or smaller than
Resource Type
Example:ResourceType == non-html
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Scheduler
The times and days for a custom rule to be active. The rule is triggered when requests arrive during the specified times
and match all other conditions of the rule filter.
Format: {minutes;hours;days_in_month;months;days_in_week}
Example:Scheduler == {30-59;12;*;*;1,4}
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
SSL Cipher
For a full list of possible values, download and install OpenSSL and run the following command: openssl ciphers
-v ALL
Example:SslCipher == "ECDHE-RSA-AES128-GCM-SHA256";"can-add-another-type-here"
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
SSL Version
The SSL(TLS) Version.
Example:SslVersion == tls1_2
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
URL
Checks for the specified string pattern in the path in the client request (without the query string).
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
not-contains Does not contain
starts with Starts with
ends with Ends with
does not start with Does not start with
does not end with Does not end with
Response Parameters
ABP Action
Enables you to define an action to take based on the action taken by ABP.
For example, you can create a rule to rewrite responses or to set caching behavior when a specific action is taken by
ABP.
The ABP Action filter parameter is supported for the following rule actions:
Note: The ABP Action filter parameter cannot be used in WAF security rules.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
contains Value contains
not-contains Does not contain
Response Code
Enables you to define an action to take based on the response that Imperva receives from the origin server.
For example:
• Rule: For response code 201, rewrite the response code to 200.
Action: If the response sent by the origin server is 201, this rule rewrites the response to 200 before sending to
the end user.
Action: If the response is a 2xx code (200-299), this rule rewrites the response header that you specify.
Allowed values: An individual response code in the range of 200-599, or a set of response codes by using "xx", such as
2xx.
Allowed rule actions: You can use this filter parameter in a Rewrite/Remove Response rule or a custom cache rule.
Supported Operators
UI Predicates Description
== Is equal to
!= Is not
Response Content-Type
Checks for the value of the HTTP Content-Type header sent by the origin server in the response.
Allowed rule actions: You can use this filter parameter in a Rewrite/Remove Response rule or a custom cache rule.
Supported Operators
UI Predicates Description
contains Contains
Read More
• Create Rules
• Syntax Guide
Scheduler
Use the Scheduler parameter in a rule filter to determine when the rule is active.
For example, you can use it to redirect requests to a backup site during scheduled maintenance to avoid downtime.
The rule is triggered when requests arrive during the specified times and match all other conditions of the rule filter.
Note: All times and dates are according to Coordinated Universal Time (UTC).
Syntax
Format: {minutes;hours;days_in_month;months;days_in_week}
The rule in this example will be active on Mondays and Thursdays, between 12:30 and 12:59.
Supported operators: = or !=
See also:
• Create Rules
Manage Rules
The Rules page displays all of the custom rules defined for a specific site. View, add, and edit rules, or set rule priority.
In this topic:
Main UI Elements Description
Rule tabs View rules by type.
Filter by Keyword or ID Search for rules by keyword or ID.
Export to CSV Download the rules in .csv format.
Add Rule Create a new rule. For full details, see Create Rules.
The rules in the table are grouped by action type: Redirect, Security, Rewrite, Forward.
Each row in the table represents a single rule and provides the following information and options:
Note: Priority is not listed for Security rules. All security rules are run for each request, as opposed to other rule types
where the rules are run according to priority order until the first match for that rule type is found.
Read More
• Create Rules
• Delivery Rule Use Case Examples
• Security Rule Use Case Examples
Delivery Rules
Delivery rule statistics are available in the Websites > Dashboard > Traffic page, in the Delivery Rules table.
Security Rules
View incidents where the rules were triggered in the Websites > Dashboard > Security page, in the Security Rules
table.
See details of security events in the Application > Security Events page. For details, see View Security Events.
Read More
• Rules
• Manage Rules
In this topic:
The first step is to create a dedicated data center for Image server(s). On the sidebar, click Settings > Origin Servers.
Make sure to check the Support only forward rule option.
The second step is to configure a Forward rule. On the sidebar, click Settings > Delivery Rules.
A request from an end user to access /products/shoes.html will fetch the /online/AAA/items-and-categories/
shoes.html resource from the origin.
Read More
• Create Rules
• Security Rule Use Case Examples
In this topic:
• Bot protection
• Account takeover
• Application hardening
• Rate limiting
• Advanced Access Control (ACL)
Bot protection
• Block malicious clients
• Anti-scraper engine - CAPTCHA for bots
• Facebot crawler
Similar to the default Block Bad Bots security setting but more aggressive.
ClientType == VulnerabilityScanner;DDoSBot;ClickBot;CommentSpamBot;HackingTool;SpamBot;Worm
Facebot crawler
In this example, the rule is triggered when the client is Facebook (Crawler), and logon parameters are identified in the
request.
Account takeover
ClientId == 164 & (ParamExists == "Password";"userId";"CardNumber")
This rule is triggered when there are 5 or more POST requests to any URL for a single IP over a one minute time frame
and a request is sent for the /login page.
Some recent attacks involve bot clients attempting credential stuffing at a very slow rate. An alternative to blocking
such an attack is to challenge any non-human visitor to the /login page to avoid degrading the user experience of
legitimate users.
For more details on credential stuffing attacks and additional examples, see Blocking Credential Stuffing Attacks .
Require a CAPTCHA challenge for login requests originating from a specific geographical location, except for search
engines.
Tip: Add the NumOnSession parameter to prevent a misclassification in the first few requests. In this example,
NumOnSession >=3 means that the rule is triggered only after the third HTTP request, to ensure that the Imperva bot
classification process is completed and removing the risk of false positives.
Application hardening
CountryCode != GB & URL contains "LogonForm" & ClientType != Browser;SearchBot;FeedFetcher;
• Restrict HTTP methods
• Prevent a known CSRF in your site
• Malformed ID
Restrict HTTP methods
Block specific HTTP methods. You can also apply the rule to specific IPs or URLs.
Method != PUT;HEAD;OPTIONS;TRACE;POST
Prevent unauthorized connections that are not coming from the site itself, such as email links. This rule would in
effect prevent Cross-Site Request Forgery attempts.
Malformed ID
Block illegal connections to malformed IDs. The rule below gives an example of a URL where the query starts with %
or a space (url decoder). This type of rule can introduce another layer of security for GET methods, but are specific to
each website.
Rate limiting"CategoryDisplay"
URL contains & Full-URL contains "categoryId=%"
In this example, the rule is triggered when the rate of requests per session is 500 or more per minute for a single client
session (between client and Imperva), and the client is not Googlebot (SearchBot). You can also replace the Client ID
with Client Type (SearchBot).
In this example, the rule is triggered when the rate of requests per IP is 20 or more per minute, and the client is not
Googlebot (SearchBot).
It can be used to generate an alert for tracking purposes. Alternatively, you can add a header to the specified clients
using a Delivery Rules rewrite header.
By default, Imperva blocks specific requests, and not the entire user session or IP. The AttacksCount parameter
enables you to add another level of security by deciding to block or create an alert for a single session generating
more than <x> malicious requests.
AttacksCountAccess
Advanced >= 250Control (ACL)
Using the security settings options in the Cloud Security Console (Websites > Settings > Security) you can block
requests from a specific country. This example shows a rule that is configured to alert, and provides a higher level of
granularity by filtering for specific client types.
Set an alert action if someone from outside your office requests your admin panel.
Read More
• Create Rules
• Delivery Rule Use Case Examples
Note:
• The availability of this feature depends on your subscription. For more information or to upgrade your plan,
contact an Imperva Sales Representative.
• Logs will include events that occur after the log integration is activated.
• Near Real-Time SIEM log integration:
• Imperva recently introduced the new Near Real-Time SIEM solution. To learn more, see Near Real-Time
SIEM Log Integration.
• For Cloud WAF customers who would like to use the Near Real-Time SIEM log integration, you must first
setup the integration with the S3 push method according to the instructions below: Set up log
integration.
• The log integration is initially configured on the legacy mechanism described here and is then migrated
to the new Near Real-Time SIEM mechanism within one week.
In this topic:
• Overview
• The log integration process
• Set up log integration
• Enable log encryption
• Download the logs
• Switch integration modes
Overview
Imperva creates the following comprehensive and detailed logs:
• Security logs provide a detailed alert for each suspicious event detected by the Imperva proxy while protecting
your network throughout its globally distributed network. All logs include the account ID and site ID references,
which enables drill down into each individual customer/site.
• Access logs specify every request and response sent between your customers and the Imperva proxy. This is all
the traffic that would have been sent between end users and your origin server, including traffic that Imperva
served from its cache.
Imperva supports CEF, LEEF, and W3C log formats and provides event reporting of in-depth event information, such as
attacker geo-location and client application signature.
Logs are typically synchronized within 10 minutes, although it may take up to 30 minutes depending on system load.
• Retrieve (Pull mode): Log integration API. Your logs are saved in a dedicated Imperva cloud in a repository
created for you. Imperva enables you to upload a public key to encrypt your log files, activate Imperva log
collection, change the logging level, and download log files from the Imperva storage repository to your
network.
Log storage: Logs are aggregated at the Imperva log repository and are kept up to 48 hours or until the stored
logs reach 500MB. (Logs may be retained for up to 5 additional days for internal troubleshooting purposes
before they are permanently deleted.) When one of these limits is reached, the system uses a cyclic override
process in which the first written file is the first to be deleted in order to leave space for a new log file. Logs are
stored per account.
Log index file: Imperva provides a Log Index file that specifies the log files generated for you. This Index file lists
which log files are available to download. The index file is not modified based on which log files have already
been downloaded. It always contains the full list of available log files at any given moment.
• Receive (Push mode): Automatic log integration via SFTP or Amazon S3. Your logs are pushed upon creation
to your pre-defined repository - an AWS S3 bucket or an SFTP folder. Logs are automatically transferred from the
Imperva cloud repository to your repository. No log data is stored in Imperva at any time.
Encryption
You can choose to implement log encryption for Imperva logs. Logs are encrypted by a private-public key pair that
you generate, to help safeguard the privacy of your data when stored in the Imperva cloud repository. The encryption
is done automatically at the Imperva cloud repository. You need to decrypt the log files after download.
If you are using the receive (push) option for log integration, the best practice recommendation discourages using
encryption. As the logs are not written to the Imperva cloud repository, the risk of log exposure is minimal.
Predefined SIEM application packages which automate the loading of events from the Imperva cloud into your SIEM
are available. These predefined packages come ready-made to manipulate and display each Imperva log event in your
SIEM dashboard in order to facilitate reporting automation, prioritized mitigation, and general event handling.
Note: These packages are developed and maintained independently of Imperva, and are therefore not supported by
Imperva.
The functionality differs per package. Any requests for additional functions or bug fixes should be submitted through
GitHub.
• IBM QRadar
• AlienVault USM Anywhere
Connector
If you choose the retrieve mode to access the logs, a sample Python script and configuration file are available for
download to assist you with the process. Imperva does not maintain this script. It is hosted in GitHub and managed by
the open source community.
The log integration process
This section provides an overview of the log integration process. To configure Imperva log integration, do the
following:
Task Instructions
Prerequisites: If you are implementing log integration using the push mode (automatic log integration via SFTP or
Amazon S3), make sure that Imperva IP addresses can access your site. For details, see Imperva IP addresses .
For accounts with sub accounts: Logs for sub accounts can be activated from both the parent account and the sub
accounts, as follows:
configured in the Logs Setup page in the sub
account.
1. Log into your my.imperva.com account and navigate to the Logs Setup page:
On the top menu bar, click Account > Account Management. On the sidebar, click SIEM Logs > WAF Log Setup.
Mode Instructions
Mode Instructions
be removed by Imperva when the transfer is
complete.
Option Instructions
Compress logs Note: If you are using the pull mode to download
your logs using the API Connector (Python script),
compressed files must be used. Uncompressed
files will result in an error (-3).
6. Select a log level for each site to enable logging, or leave disabled. There are two levels of logs:
▪ All Logs comprises a comprehensive log of every request and response (access logs), as well as the
security events log.
7. Verify that the relevant Imperva SIEM package (Splunk, HP ArcSight, McAfee, GrayLog or QRadar) is receiving
events.
Enable log encryption
Imperva uses two layers for encrypting the log events:
1. The private key is created with a .pem extension. Change it to the .key extension.
2. On the machine on which your SIEM application is installed, save the private key with the .key extension
under the config/keys/1 library.
3. Upload the public key to Imperva using one of the following options:
▪ Cloud Security Console: In Log Setup, use the Upload Key button. For details, see Set up log integration.
▪ API: Use the Upload Public Key API, as described in Traffic Statistics and Details API.
Note:
▪ Each time you upload a public key, it is numbered, starting from the single-digit 1. The next time you
upload a public key, it will be number two and so on. This number later appears in the Imperva log file
header, which indicates which key to use to decrypt the file. Always keep a copy of your old key versions,
in case you want to decrypt historical log files.
▪ Each time you upload a public key, store the new private key in the new library at the origin server, as
follows:
• config/keys/1
• config/keys/2
• config/keys/3
• etc.
4. Activate the log encryption feature using one of the following options:
▪ Cloud Security Console: In Log Setup, under Encryption, upload a public key (2048-bits long). For
details, see Set up log integration.
▪ API: Use the Change Log Collector Configuration Status API, as described in Traffic Statistics and
Details API.
This section provides an overview of the process you need to follow to download Imperva logs.
1. In the Imperva Cloud Security Console, in the Logs > Log Setup page, under Connection, locate the Log
Server URL.
2. To access the index file, append logs.index to the end of the Log Server URL, in the format
<Log_Server_URL>/<Specific_Log_File>.
For example:
https://logs1.incapsula.com/1234_5678/logs.index
The index file lists the log entries that are currently available in the Imperva log repository.
Authentication for access to the logs is performed using the API ID and API Key.
2. Send an HTTPS call for each file listed in the index file that you want to download. As new log files are
generated, they are numbered sequentially, but may occasionally skip integers.
1. Decrypt the key value with the appropriate private key, according to the publicKeyId value. For details,
see Log File Structure.
This example shows how to decompress a log file using Linux bash commands:
Read More
The configuration file can be opened using any standard text editor, and includes the following parameters:
Configuration File Parameters
[SETTINGS]
APIID=41986
APIKEY=25a21c10-ebf4-4c4c-8c1e-d588c4050d5d
PROCESS_DIR = /tmp/processed/
BASEURL=https://255.255.255.255/1234_5678/
USEPROXY=NO
PROXYSERVER=
SAVE_LOCALLY=YES
SYSLOG_ENABLE=NO
SYSLOG_ADDRESS=
SYSLOG_PORT=
USE_CUSTOM_CA_FILE=NO
CUSTOM_CA_FILE=
Read More
In this topic:
You can download a predefined package for one of the following SIEM applications. These packages include
predefined rules, custom dashboards, and reports for viewing the incoming data. For download instructions, see
Cloud WAF Log Integration.
• IBM QRadar: IBM provides a Security Qradar DSM for Imperva. The RPMs and configuration instructions are
available in the IBM documentation: IBM Security QRadar DSM for Imperva Incapsula .
• AlienVault USM Anywhere: You can configure Imperva to send log data to USM Anywhere. For configuration
instructions, search for Incapsula in the AlienVault USM Anywhere documentation .
Install the ArcSight Package
Note: Imperva supports ArcSight ESM version 5 or higher and ArcSight Express version 3 or higher.
3. Select Import
4. Browse to the Incapsula.arb file and click Open. This is the file you downloaded from Imperva.
5. After the package is imported, click Install.
6. When the installation completes, click OK. The ArcSight package is now installed and its content is visible as
various resources under the Navigator area: filters, rules, active channels and so on.
Install the Splunk Package
Note: Imperva supports Splunk version 6 or higher.
You can install the Splunk application package using one of the following methods:
1. Save the Incapsula.spl file in a folder accessible by Splunk. Incapsula.spl is located in the package that you
downloaded via the Imperva Cloud Security Console.
5. Click the Choose File button and browse to select the Incapsula.spl file.
The Splunk application now contains the Incapsula Splunk connector. Login to it. For example, as shown below:
• Parser
• Dashboards
• Rules
To install the predefined McAfee package, save the package that you downloaded locally in a folder that is accessible
to McAfee. Then, follow the instructions below.
1. In McAfee Enterprise Security Manager, open the Add Data Source window to add a new data source.
2. In the left pane, select Custom Types and then add the following types:
▪ Incap_Captcha_Support:
• Data Type: Random String
• Event Field: Custom Field 1
▪ Incap_UID:
• Data Type: Random String
• Event Field: Custom Field 2
▪ Incap_JS_Support:
• Data Type: Random String
• Event Field: Custom Field 3
1. In McAfee Enterprise Security Manager, click the button to open the Receiver Policy Editor and then click the
receiver you created.
3. Select File > Import > Policy to import the Parser that you downloaded from Imperva.
1. Download the Graylog package from the Cloud Security Console Log Setup page. For details, see Cloud WAF Log
Integration.
3. Choose Import content pack > Choose file, and navigate to the content pack file that you downloaded to your
computer.
4. Click Upload.
5. In the content packs page, click the Incapsula content pack you have just added, and then click on Apply
content.
6. The Graylog server now contains the Incapsula Graylog Extractor and Dashboard, and it is ready for use.
Install the Imperva App for Sumo Logic
You can install the Imperva App for Sumo logic to use the preconfigured searches and dashboards.
Process overview:
1. Configure logging for your account in the Imperva Cloud Security Console.
2. Configure Sumo Logic:
1. Add a Sumo Logic Hosted Collector.
2. Configure an AWS S3 Source.
3. Install the Imperva App for Sumo Logic.
Instructions for set up are located in the Sumo Logic documentation: Imperva-Incapsula Web Application Firewall .
Consuming Logs
This section describes how to consume logs using one of the following packages: ArcSight, Splunk, McAfee.
Note: The instructions presented in this section should only be used as a guideline, as there may be minor differences
should the ArcSight application change or when using a different operating system.
Logs can be pushed through Syslog using a script, such as the sample Python script for Imperva log integration. For
details, see the Connector section in Cloud WAF Log Integration.
In order to consume the logs via Syslog, the IP of a Syslog server and its port must be defined. This is done in the
configuration file downloaded together with the Python script.
• SYSLOG_ENABLE
• SYSLOG_ADDRESS
• SYSLOG_PORT
3. Select the folder in which to install the reader and click Next. For example, c:\arcsight\incapsula. The following
window displays:
4. Select the Typical radio button and click Next. The following window displays:
5. Select the Don’t create icons radio button and click Next.
7. In the following window, select the Add a connector radio button and click Next.
8. In the Type field, select ArcSight FlexConnector Multiple Folder File and click Next. The following window
displays:
10. Register the connector to the manager by selecting the ArcSight Manager (encrypted) radio button and click
Next.
12. Enter any name for the connector. For example, Incapsula Folder Follower and click Next. The following
window displays:
13. Select the Import the certificate to connector from destination radio button and click Next. The following
window displays:
14. In the following window select the Install as a service radio button and click Next.
18. Select the Exit radio button and then click Next.
19. Start the Service:
▪ For Linux: Run the command - /etc/init.d/arcsight_servicename start.
Logs can be pushed through Syslog using a script, such as the sample Python script for Imperva log integration. For
details, see the Connector section in Cloud WAF Log Integration.
In order to consume the logs via Syslog, the IP and Port of the Syslog server must be defined.
Set Splunk to listen on the port defined in the Python script configuration file. By default, this port should be 443.
2. Double-click the downloaded Splunk Forwarder file. The following window displays:
5. If you have your own CA, change the fields in the window according to your Splunk certificate and click Next.
The following window displays:
6. Select the Local System radio button and click Next. The following window displays:
7. In the Path to monitor field, specify the path where Imperva downloads the log files.
11. In the Hostname or IP field, specify the address of your deployment server and click Next. The following
window displays:
12. In the Hostname or IP field, specify the address of your Receiving Indexer and click Next. The following window
displays:
Consume Logs from Files When the Connector Is Installed on the Splunk Management Machine
Follow the instructions below to consume the security log files using a Splunk Forwarder that points to the folder in
which the processed log files reside.
8. Select an existing index or create a new index by following the instructions below:
1. In the index, click the Create a new index link. This opens a new browser tab.
2. Provide an index name. For example, Imperva.
3. Click Save.
4. Return to the Add Data browser tab and click the refresh link (located below the Create a new index link).
5. Select the index created earlier.
9. Click Review.
10. Review the settings and click Submit.
Consuming the Imperva Logs in McAfee – Importing the Dashboard and Rules
1. In McAfee Enterprise Security Manager, click the Manage Views button and then click the Import
button, as shown below:
1. In McAfee Enterprise Security Manager, click the Policy Editor button to open the Policy Editor.
2. Select File > Import > Rules and then select the file you downloaded from Imperva, as shown below:
The McAfee application displays the Incapsula Package and its content.
Log File Rotation and Maintenance
By default, the Incapsula SIEM connector does not maintain or purge any files exported by the API. All files exported
from the API should be maintained and purged by the applicable platform (Splunk, ArcSight, Graylog or Intel McAfee
ESM).
Read More
In this topic:
• Overview
• Log file name
• Log file structure
• Log fields
Overview
Imperva log files aggregate the access events and security alerts detected by Imperva while protecting your network.
A new aggregated log file is saved in the Imperva Cloud Log Repository.
Any changes made are communicated in the Cloud Application Security Release Notes.
Log file name
The format of each log file name is X_Y, where:
A string of equal signs |==| appears at the bottom of the log file header, which separates it from the log events
described below.
Log Events
Each log file contains multiple log events detected by Imperva while protecting your network throughout the world.
Each event is a paragraph.
The log content is compressed and encrypted with a symmetric key, using an AES algorithm and then encrypted with
the public key that you provide using an RSA algorithm.
Log fields
The following table describes the fields that are provided in each log entry for each access and security event. Each
entry in the log file provides information about a single request. Security events contain all the fields provided for
access events and more. The table indicates the name of the field in the CEF, LEEF, and W3C format.
Detailed
Description CEF LEEF W3C
Description
The numeric
identifier of the
Account ID suid suid s-suid
account of the site
owner.
The account name
Account Name Customer Customer s-accountname
of the site owner.
Account level
reference ID.
Corresponds to the
Reference ID option
Account Reference
tag tag s-tag in the Cloud
ID
Security Console
Account Settings.
For details, see
Account Settings.
The city code of the
City cicode cicode cs-cicode
site visitor.
Detailed
Description CEF LEEF W3C
Description
The client IP that
Client IP src src c-ip
made the request.
Content Length in in cs-bytes The content length.
The country code of
Country Code ccode calCountryOrRegion cs-countrycode
the site visitor.
The HTTP response
HTTP Status Code cn1 cn1 sc-status code returned to the
client.
The unique
ID fileId fileId cs-sessionid
identification.
The request
Method requestMethod requestMethod cs-method
method.
The Imperva PoP
PoP name deviceFacility popName sr-pop that handled the
request.
Protocol app proto cs-version The request protocol
The TLS version and
encryption
Protocol version ver protoVer cs-protver
algorithms used in
the request.
The URL of the
Referrer ref ref cs(Referrer) previous page that
the client visited
Request headers in
JSON format, with
cs-
Request Headers additionalReqHeaders
additionalReqHeaders each field
additionalReqHeaders
represented as a
name-value pair.
A unique identifier
of the request that
can be used to
correlate with
Request ID deviceExternalId deviceExternalId s-externalid
reports and data
from the Imperva
Cloud Security
Console
The method in
which Imperva
processed the
Request Result act cat sc-action request:
• REQ_PASSED:
If the request
was routed to
Detailed
Description CEF LEEF W3C
Description
the site's web
server
•
REQ_CACHED_X:
If a response
was returned
from the data
center's cache
• REQ_BAD_X: If
a protocol or
network error
occurred
•
REQ_CHALLENGED_X:
If a challenge
was returned
to the client
•
REQ_BLOCKED_X:
If the request
was blocked
Response headers in
JSON format, with
each field
cs- represented as a
Response Headers additionalResHeadersadditionalResHeaders
additionalResHeadersname-value pair.
Note: Use of these
fields for CEF and
LEEF formats
Detailed
Description CEF LEEF W3C
Description
require enablement
by Imperva Support.
The numeric
Site ID siteid siteid s-siteid
identifier of the site.
The name of the
Site Name sourceServiceName sourceServiceName s-computername
site.
Site level reference
ID. Corresponds to
the Reference ID
option in the Cloud
Site Reference ID siteTag siteTag s-sitetag Security Console
Website Settings.
For details, see
Website General
Settings.
The client port used
Source Port cpt srcPort c-port to communicate the
request.
The URL of the
URL request url cs-uri
request.
The UserAgent
User Agent requestClientApplication
requestClientApplication
cs(User-Agent)
header value.
The X-Forwarded-
For request header.
For each request that has attack information the following is provided:
Detailed
Description CEF LEEF W3C
Description
Additional
Additional Rule Info cs11 cs11 cs-ruleInfo
information on the
violation that
Detailed
Description CEF LEEF W3C
Description
triggered the rule, in
JSON format.
JSON structure:
{“api_specification_violation_type”:”<typ
name>”}
• INVALID_URL
•
INVALID_METHOD
•
MISSING_PARAM
•
INVALID_PARAM_VALUE
•
INVALID_PARAM_NAME
The
“parameter_name”
is present only if the
violation occurs in
the context of a
parameter. Its value
is the relevant
parameter name.
Detailed
Description CEF LEEF W3C
Description
• Cross Site
Scripting: 1
• Illegal
Resource
Access: 3
• Bot Access
Control: 4
• DDoS: 8
• Backdoor
Protect: 9
• Remote File
Inclusion: 10
• Manual rule
(IncapRule):
11
• API
Specification
Violation: 12
• Account
Takeover
Protection: 13
• Bad Bot
(Advanced Bot
Protection): 14
Detailed
Description CEF LEEF W3C
Description
The post body data
Post Body postbody postbody cs-postbody
of the request.
The query string of
Query String qstr qstr cs-uri-query
the request.
The threat rule
name that this
request triggered.
Rule Name cs9 cs9 s-ruleName
For example, SQL
Injection or Blocked
IP (ACL).
The IP address of
Server IP sip dst s-ip
the server.
The port of the
Server Port spt dstPort s-port
server.
Visitor ID cs4 cs4 cs-vid The ID of the visitor.
For each request that has delivery rules information the following is provided:
Detailed
Description CEF LEEF W3C
Description
JSON describing all
actions that were
applied to a specific
Delivery Rule Details cs10 cs10 cs-rule
request (detailed
JSON structure
below)
Read More
Example Logs
View some examples of Imperva log files.
• CEF Example
• LEEF Example
• W3C Example
CEF Example
The following is an example of an Imperva log file in CEF format.
#Fields: date time cs-vid cs-clapp cs-browsertype cs-js-support cs-co-support cs-clappsig s-capsupport s-suid
cs(User-Agent) cs-sessionid s-siteid cs-countrycode s-tag cs-cicode s-computername cs-lat cs-long s-accountname sr-
pop s-sitetag cs-uri cs-postbody cs-version sc-action s-externalid cs(Referrer) s-ip s-port cs-method cs-uri-query sc-
status s-xff cs-bytes cs-start c-port cs-rule c-ip cs-protver cs-end cs-additionalReqHeaders cs-additionalResHeaders
cs-severity cs-attacktype cs-attackid s-ruleName cs-ruleInfo
"2016-01-20" "14:19:47" "" "" "" "" "" "" "" "555" "curl/7.33.0" "" "1177375" "IL" "" "Rehovot" "AccessLevelW3C.test.co"
"mia" "my-site-tag" "" "" "w3cACCESS" "accesslevelw3c.test.co/" "" "HTTP" "" "26210617967913034" "" "" "" "GET" ""
"200" "" "956" "443" "" "12.12.12.12" "TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256" "1566300670892" "{\"Accept\":\"*/
*\"},{\"x-v\":\"1\"},{\"x-fapi-interaction-id\":\"10.10.10.10\"}]" "[{\"Content-Type\":\"text/html; charset\=UTF-8\"}]" ""
"" "" ""
Read More
• error code
• time stamp
• the source IP address of the request
• the IP address and internal ID of the Imperva proxy that handled the request
• the incident ID
For example:
You can use these details, such as the Incident ID, to filter for and investigate the incident on the Security Events page
in the Cloud Security Console. For details, see View Security Events.
Note: The page displayed for errors connecting to your origin server provides additional guidance to you and to your
visitors to help understand and troubleshoot the problem. It is displayed for error codes 8, 20, 30, and 32.
Error codes
SIEM log entry:
REQ_BAD_PARSE_ERROR
SIEM log entry:
REQ_BAD_TIMEOUT
SIEM log entry:
REQ_BAD_CONNECTION_TO_SERVER
SIEM log entry:
REQ_BAD_CLIENT_CLOSED_CONNECTION
SIEM log entry:
REQ_BLOCKED_SESSION
SIEM log entry:
REQ_BLOCKED_SECURITY
SIEM log entry:
REQ_BLOCKED_ACL
This request was blocked by the What can I do? Investigate the
17
security rules incident on the Security Events
page in the Cloud Security
Console. You can filter the events
for one of the details in the error
message, such as Incident ID or IP.
For details, see View Security
Events.
SIEM log entry:
REQ_BLOCKED_VISITOR
The proxy failed to connect to the Imperva could not connect to your
20 web server, due to TCP connection origin server.
timeout
What can I do?
SIEM log entry:
REQ_BAD_TIMEOUT_CONNECTION_TO_SERVER
SIEM log entry:
REQ_UNRESOLVED_SITE_UNKNOWN
SIEM log entry:
REQ_UNRESOLVED_SITE_INVALID_CNAME
SIEM log entry:
REQ_BAD_CONNECTION_TO_SERVER_SSL_FAILURE
SIEM log entry:
REQ_SSL_NOT_SUPPORTED
The proxy failed to connect to the What can I do? Configure your
30 web server, no web server IP is origin server settings on the Origin
defined Servers page. For details, see Load
Balancing Settings.
SIEM log entry:
REQ_NO_IP_FOUND
SIEM log entry:
REQ_ALL_IPS_DOWN
SIEM log entry:
REQ_POST_TIMEOUT
SIEM log entry:
REQ_BAD_SERVER_CERTIFICATE
The site is using an origin server What can I do? Make sure that the
37 which is reserved for another correct origin server is configured
account. in the Cloud Security Console.
SIEM log entry:
REQ_LOCKED_IP_VIOLATION
SIEM log entry:
REQ_ILLEGAL_IP_VIOLATION
SIEM log entry:
REQ_TOO_MANY_CONNECTIONS_TO_ORIGIN
Troubleshoot Website Errors
Gain more visibility into connectivity issues that occur when Imperva data centers cannot reach your origin web
servers.
In this topic:
• Overview
• Open the Troubleshooting page
• Filter the displayed data
• View the test results
• Troubleshooting API
Overview
When website visitors are trying to access your site or application and encounter an error, Imperva displays an error
page with information to help you identify the error in your account in the Cloud Security Console.
The Troubleshooting page provides additional details to help you troubleshoot the following errors:
• Error code 20: The Imperva proxy was unable to connect to the origin web server, due to a TCP connection
timeout.
• Error code 8: The Imperva proxy was unable to connect to the origin web server, due to a TCP connection
rejection (TCP reset).
For more details on these errors, see Cloud WAF Error Pages and Codes.
When one of these errors occurs, Imperva automatically runs standard network connectivity tests and displays the
results on the Troubleshooting page.
Ping: A basic test that indicates if a device or IP address is available and reachable.
MTR: MTR tests can assist with detecting network problems, such as routing issues or packet loss. MTR provides the
functionality of Ping and Traceroute tests. Traceroute provides the path between the sender and the receiver of the
test.
• MTR: Sends ICMP echo request packets from the sender to the receiver and if the receiver is available, it replies
with ICMP echo reply packets.
• MTR over TCP: Uses TCP instead of ICMP, bypassing restrictions on ICMP echo packets.
Aggregation
In the event of an ongoing connection error, Imperva displays one set of connectivity tests per origin server per
Imperva data center during each 10-minute interval, instead of providing repeated tests with the same results. (For
example, if there were multiple errors trying to access a specific origin server in a 10 minute interval, and all requests
were routed through the same Imperva data center.)
This prevents the display of redundant data on the Troubleshooting page, reducing noise and enabling you to access
the information you need about an error more quickly.
Open the Troubleshooting page
1. Log in to your account in the Imperva Cloud Security Console.
2. On the top menu bar, click Application.
3. On the sidebar, click Troubleshooting.
Filter the displayed data
The page displays errors for the website and time range you select. You can also apply filters to further limit the errors
that are displayed.
Option Description
Column Description
Column Description
The definition file presents a full, formatted, and interactive version of the APIs that you can use to learn about the
APIs, or test them using your API ID and key. You can also download the definition file.
Custom error pages give your site a more professional look, and can provide useful information to your visitors.
Note: The custom error page template you provide is restricted to 600K characters.
In this topic:
• Overview
• Configure a custom error page for a website
• Error page guidelines
• Configure a custom error page for all websites in your account
• Conflicts between account settings and website settings
• Website error page API
Overview
You can provide custom HTML error pages for your website to replace the default error pages used by Imperva.
Imperva then displays your custom error pages to website visitors, populating placeholders with the appropriate text
for each type of error page.
You can define a single custom error page for Imperva to display for each of the following error types, or define
separate error pages for any or all of the error types.
Option Description
Option Description
Conflicts between account settings and website
settings.
• <script> tag
• illegal HTML actions, such as these HTML event attributes: onload, onerror, onmessage, onoffline,
ononline, onchange, onfocus, oninput, onsearch, onsubmit, onselect
Configure a custom error page for all websites in your account
If you want to define custom error pages to use for all of the websites in your account, Imperva Support can configure
this for you. You can define a separate page for each error type.
1. Use the template available on the Website Delivery Settings page and follow the guidelines above to create
custom error pages.
2. When the pages are ready, send them to Support for deployment.
Conflicts between account settings and website settings
Which error pages are used when there are custom pages defined in both the website settings and account settings?
If a “more specific” custom error page is defined, it overrides more general pages. For example, if there is a custom
error page defined for an Access denied error at the website level, it overrides a custom error page defined for an
Access denied error at the account level, and is presented in the event of an error of that type.
Custom error pages are displayed according to the following priority order:
Custom default Custom default Custom error page Custom error page RESULT - Which
error page error page for a specific error for a specific error custom error page
(Account) (Website) type (Account) type (Website) is used?
Website custom
Exists Exists Exists Exists error page for a
specific error type
Custom default Custom default Custom error page Custom error page RESULT - Which
error page error page for a specific error for a specific error custom error page
(Account) (Website) type (Account) type (Website) is used?
Account custom
Exists Exists Exists error page for a
specific error type
Website custom
Exists Exists
default error page
Account custom
Exists
default error page
Website error page API
You can also manage custom error pages for your sites using the delivery settings APIs.
See also
For a list of common errors and tips for troubleshooting, see Cloud WAF Error Pages and Codes.
The main premise of a CDN is caching content close to your visitors in order to minimize the time it takes to download
the content to the visitor's browser. Imperva maintains a geographically distributed network of data centers to
minimize content delivery time for any visitor regardless of geographical origin.
The Imperva CDN is uniquely able to identify and cache content that is considered dynamic by other CDNs, but is in
fact static. This is done by profiling the application and detecting resources that are generated by the application as
dynamic content, but in fact have only presentation content (without application content). Such resources can be
cached for short periods of time, optimizing performance, while always displaying fresh content.
Each resource that is served by Imperva is optimized for minimal delivery time. This is done using a variety of
methods (such as image compression and JavaScript minification), as well as session optimization techniques (such
as TCP connection pools and session reuse).
Imperva provides a comprehensive set of tools to customize and control its caching logic. Site administrators can
easily define caching attributes for specific resources, such as whether or not to cache them and their Time to Live
(TTL).
Load Balancing
For organizations with more than a single web server or multiple data centers, Imperva provides a fully customizable
Layer 7 load balancer. Unlike DNS-based load balancers, Imperva’s load balancer is capable of making routing
decisions for every request. This ensures optimal traffic distribution while making sure that every request is served by
the most responsive server.
HTTP/2 Support
Imperva supports HTTP/2, which enables supporting browsers to take advantage of the performance enhancements
provided by HTTP/2. Non-supporting browsers can connect via HTTP/1.0 or HTTP/1.1.
IPv6 Support
Imperva provides complete IPv6 support of both client-side (between your end users and Imperva’s PoP) and server-
side (between Imperva’s PoP and your origin servers) IPv6 traffic. In this way, Imperva acts as your IPv6 gateway, so
that you can retain your IPv4 setups and support clients who send both IPv4 and IPv6.
How To
Cache Settings
Define content caching policies and caching rules for your website.
Note: After making changes to cache settings, you may want to manually clear the cache. For details, see Purge the
cache below.
In this topic:
Note: Imperva Audit Trail tracks and displays the Cache purged and Specific resources purged audit events. For
more details, see Audit Trail.
Debug caching
The XRAY Access URL, located under Operations, enables you to view specialized response headers for a single
browser session.
Gain visibility into Imperva CDN and caching behavior for your sites using Imperva XRAY debug headers. Troubleshoot
inconsistencies in displayed site content.
Note: We remove some non-essential HTTP response headers from your resources before storing them in our cache. If
there are specific response headers that you want sent to clients, you can specify that they should be cached along
with the resource using the Cache Response Headers option. For details, see Response.
Custom caching If there are no custom cache rules defined for the
site, no caching is performed and all requested
content is retrieved from your origin web server.
Note:
• In addition to caching according to the selected mode, content is also cached as specified by any custom cache
rules that are defined for your site. For details, see Create custom cache rules.
• Resources that include explicit caching directives against caching, as defined in the resources themselves using
the Cache-Control or Expires HTTP headers, are not cached.
Create custom cache rules
Custom cache rules let you define specific exceptions to the caching rules that are set by the overall Cache Mode rules
described above. You can define conditions for when and if specific resources should be cached.
Field/Option Description
Rule Filter The filter defines the conditions that trigger the rule
action. If left empty, the rule is always run. For
details, see Define the rule filter.
The following rule filter parameters are available for cache rules:
• Client ID
• Cookie Exists
• Cookie Value
• Header Exists
• Header Value
• Param Exists
• Param Value
• URL
• User-Agent
Select an action
Define the action you want to take for every request that matches the rule.
Action Description
Action Description
To add multiple geolocations to a country
code group, enter a comma separated list,
such as CN,CO,US.
Action Description
and cannot be modified. The custom rules override
the global setting.
Because there may possibly be conflicts between the Cache Rules you define and the logic dictated by the Caching
Mode, the following order of precedence is applied to the various types of rules:
Note: If there is a conflict between the caching durations defined in the Caching Mode and in the Advanced Caching
Rules, the longer period of the two is applied. The same goes for a conflict between the caching rule of a certain
resource and one of its sub-resources.
Set advanced cache settings
The following options let you control HTTP features that may interfere with Imperva's caching behavior, thereby
reducing performance. These are triggered by HTTP request and response headers that instruct the web server or
client not to cache certain content, or by the browser’s behavior.
These caching options are often enabled on web servers or browsers due to misconfiguration, so the default behavior
is to ignore them. You can change this behavior using the settings below, located under Advanced Settings.
Cache key
Response
• Access-Control-Allow-Origin
• Access-Control-Allow-Methods
• Access-Control-Allow-Headers
• Access-Control-Request-Method
• Access-Control-Request-Headers
TTL
Client-side caching
For instructions on using the Cache Settings API, see Cache Settings API Definition.
The definition file presents a full, formatted, and interactive version of the APIs that you can use to learn about the
APIs, or test them using your API ID and key. You can also download the definition file.
Caching Duration
This topic explains how Imperva determines which resources are cached, and for how long.
In this topic:
• Overview
• Caching directives
• Caching duration for static resources
• Caching additional resources
• Caching duration for additional resources
• Client-side caching
• Summary
• Troubleshoot caching
Overview
There are three mechanisms that Imperva uses to determine caching behavior:
For more details, and to define content caching mode and caching rules, see Cache Settings.
Caching directives
The HTTP Cache-Control header enables web servers to return cache directives per resource that control if, and for
how long, browsers and other intermediate caches can cache an individual resource.
Example:
You can choose to enable asynchronous validation to display the current cached version (unfresh) of the resource
without delaying the response, while the cache is refreshed asynchronously. For details, see the Serve Stale Content
option in the Cache Settings.
Example:
Caching [Tue,
max-age= additional
08 2017resources
04:00:00] - [Tue, 08 Aug 2017 03:00:00] = 3600 seconds
When using the Smart caching caching mode, static resources are identified and cached as described above, under
Caching duration for static resources.
In addition, Imperva dynamically profiles website traffic in order to identify additional static resources that can be
cached. This increases cache ratio without the need to add cache directives at the origin.
Some resources are cached although they don't have headers that consider them as cacheable. A resource is
cacheable if:
The decision to cache addition resources is made independently by each Imperva proxy.
Resources configured as dynamic according to their HTTP headers are not analyzed by Imperva's algorithms. See the
example above, under Caching directives.
Caching duration for additional resources
After identifying additional static resources that can be cached, Imperva calculates max-age to determine the length
of time that the resources can be cached.
Imperva uses the Last-Modified response header in the resource to calculate max-age.
• The max-age value is set to one hour for each day since the Last Modified date, with a maximum of up to 24
hours.
• If the resource was modified within the last 24 hours, max-age is determined by the setting defined in the Cloud
Security Console Performance Settings page under Caching Mode.
Client-side caching
Imperva automatically optimizes client-side caching to store as much content as possible on the client browser or
application.
max-age=[max-age in caching directive] - [time since the resource was added to the Imperva cache]
Example:
At 12:00:00, a resource with a max-age of 100 seconds is requested, and is served from the origin server.
At 12:00:10, the same resource is requested and can be returned from Imperva.
100 (max-age) - 10 (length of time the resource was cached on Imperva) = 90 (max-age for caching on the client-side)
Note: You can disable client-side caching on the Performance Settings page.
Summary
Cache-Control header Dynamic Profiling Cache Rule
Imperva cache max-age = X
If [time since last
modified] < 24 hours,
max-age = caching mode
setting on the
Performance Settings
page.
max-age = X - [time since
max-age = TTL*
Client cache the resource was added If [time since last
to the Imperva cache] modified] > 24 hours,
max-age = one hour for
each day since Last
Modified date, up to a
maximum of 24 hours
Troubleshoot caching
The following information in the X-Iinfo HTTP response header is used by Imperva to track and troubleshoot caching
of resources. You can use it as a quick way of checking if a specific resource was cached.
For example:
X-Iinfo: 3-430176-0 NNNN RT(1484836152368 39) q(0 -1 -1 -1) r(0 -1) B13 U2
The first character indicates the status of the connection between Imperva and the origin server. Values include:
• N = New
• E = Existing
• F = From pool - fresh
• P/S = From pool - used
• 0 = No connection
• 2 = From PoP level cache
• X = Unknown
• s/p = (lower case) Through origin PoP
The second character indicates whether the resource was served from the cache. Values include:
• C = Cache hit without validation: The resource is fresh and was returned from the cache without validation by
the origin server.
• c = Stale content served from cache: TTL has expired. Stale content is served from the cache without waiting for
validation from the origin server, while validation is performed in the background. (Indicates that the Serve
Stale Content option or custom cache rule with the Serve Stale Content action is defined in Cache Settings.)
• V = Cache hit after validation: TTL has expired. The resource was returned from the cache after it was validated
with the origin server.
• N = Cache miss: The resource was not returned from the cache.
The third character indicates whether or not the resource (JavaScript, CSS, or HTML) is compressed on the proxy.
Values include:
• Y = Compressed
• N = Not compressed. Indicates that the Dynamically Compress JavaScript, CSS, and HTML Files option on the
Cloud Security Console Delivery page is disabled. For details, see Delivery Settings.
The fourth character indicates whether the connection was taken from pre-pooled TCP connections. Values include:
• Y = A pre-pooled connection was used. Indicates that the Pre-Pool TCP Connections option on the Cloud
Security Console Delivery page is enabled. For details, see Delivery Settings.
• N = A pre-pooled connection was not used.
Read More
• Cache Settings
Cache Shield
Cache Shield adds an intermediate cache between other Imperva PoPs and your origin servers to protect your servers
from redundant requests.
• Reduces spikes on the origin during high request periods, such as after a cache purge
• Increases likelihood of cache hits as all requests go through one PoP
• Reduces outgoing traffic from your public cloud origin and decreases your monthly bill
Note: To enable enhanced performance for dynamic content (resources that are not cached in the Imperva PoPs), see
Dynamic Content Acceleration.
In this topic:
• How it works
• Enable Cache Shield
• FAQ
How it works
Imperva's CDN dynamically profiles website resources in order to identify all cacheable content (dynamic and static).
When a client request is made for a cacheable resource, and that resource is not cached in our system, the request
must be sent on to your origin server.
By default, each of our PoPs can access the origin server directly, and as a result, can overwhelm it with requests. A
client request goes to one of our PoPs, and that PoP requests the resource from the origin. When requests are received
from different locations, they are each handled by a different PoP, and then each PoP passes the request on to origin.
Cache Shield designates a specific PoP to serve as an intermediate cache between our other PoPs and your origin
servers. When enabled, all requests to the origin go through the Cache Shield PoP. If another PoP does not have the
requested content in its cache, it must query the Cache Shield PoP to determine if the resource is already cached
there. This significantly reduces requests to the origin, and increases your cache hit ratio.
When you enable Cache Shield for your site, Imperva selects 3 PoPs to serve as Cache Shield PoPs, and then chooses
one based on best connectivity and availability at the time it is needed. Our performance algorithm chooses the PoP
for optimal performance and memory usage.
Yes. When Cache Shield is enabled, all traffic reaches the origin from a single PoP. If you have implemented a rate
limiting policy per IP on your origin server, the traffic reaching the origin may exceed the threshold and result in
dropped traffic.
Run XRAY Debug Headers and check for the incap-cache-level header. L3 indicates that the Cache Shield PoP was
used.
XRAY Debug Headers
Gain visibility into Imperva CDN and caching behavior for your sites using Imperva XRAY debug headers. Troubleshoot
inconsistencies in displayed site content.
In this topic:
• Overview
• Enable debug headers
• Available headers
• Debug headers API
Overview
When you enable XRAY for a browser session, Imperva adds predefined HTTP response headers to your requests. The
headers provide you with additional information such as cache hits and misses, TTL values, and PoP details.
The debug headers can help you troubleshoot many common issues.
For example:
• How long did it take to fetch the resource from the origin to Imperva?
• How much time was spent on the network?
• What is the server "think time"?
Enable debug headers
Copy the access token into your browser to enable debug headers. Once activated, the XRAY debug headers are
available for 10 minutes.
Note: To ensure that the debug headers work properly, it is recommended to enable cookies in your browser.
1. On the Cache Settings page, under Operations > XRAY Access URL, copy the URL.
2. Paste the URL into any browser. This activates the debug header functionality.
3. Navigate to any page on the site.
4. Open developer tools (for example, using F12 in Chrome or IE on Windows) and refresh the page.
5. Click a resource to view the response headers.
The access token expires after 10 minutes. To generate a new access token, click the refresh button .
Available headers
The following predefined response headers are provided:
Hit reasons:
• Cached according to
response headers: The
origin server's response
headers.
• Cached by rule <111>:
Indicates the ID of the
The reason why there was a cache
advanced caching rule
hit (content returned from the
defined in the site's
cache) or miss (content returned
Performance Settings.
incap-cache-reason from the origin server).
• Cached heuristically: The
content was cached based
For more details on caching, see
on Imperva's caching
Caching Duration.
mechanism.
Miss reasons:
Read More
• Cache Settings
• Delivery Settings
• Caching Duration
Delivery Settings
Delivery options help you optimize your content delivery and improve performance by providing faster loading of
your web pages.
In this topic:
• Compression
• Image Compression
• Network
• Redirection
• Custom Error Page
• Delivery Settings API
Compression
Compress files to shrink file size and reduce load time.
Image Compression
Image compression can be applied only to cached JPEG and PNG images. As such, this option is disabled when
caching is disabled.
Network
Maintain a set of idle TCP connections to the origin
server to eliminate the latency associated with
Pre-Pool TCP Connections
opening new connections for new requests
(TCP handshake).
Options:
Note:
Redirection
Configure default redirection rules in order to improve the site’s performance and security level. Relevant HTTP
requests are then sent a 301 HTTP response code, which redirects them to the relevant URLs.
Option Description
Redirect from site's naked domain to site's full In most cases, we recommend enabling this option
domain in order to redirect all visitors to your site’s full
domain (which includes www).
Option Description
This option is displayed only for a naked domain.
For instructions on using the Delivery Settings API, see Delivery Settings API Definition.
The definition file presents a full, formatted, and interactive version of the APIs that you can use to learn about the
APIs, or test them using your API ID and key. You can also download the definition file.
Read More
• Cache Settings
• XRAY Debug Headers
In this topic:
• How it works
• Configure Acceleration Settings
• No recommended Origin PoP
• Bypass the Origin PoP
• FAQ
How it works
When a client request is made for dynamic resources (resources that are not cached on the Imperva proxy), the
request must be sent on to your origin server. The Dynamic Content Acceleration service routes this traffic across our
network, between Imperva PoPs, resulting in improved performance.
Example:
Your site www.example.com is located in a data center in New York. Standard routing looks like this:
After you have enabled the Dynamic Content Acceleration Service, routing looks like this:
1. A request to www.example.com reaches the Imperva PoP located in Sydney ("Client PoP"). The proxy
determines that the content is dynamic and cannot be served from the cache. (A2 in the image)
2. The proxy routes the traffic to the Imperva PoP with best connectivity to the origin server for www.example.com
("Origin PoP"), located in New York. (B2)
3. The Origin PoP sends the request on to your origin server in New York (C2)
4. When your origin server sends a response, the Origin PoP receives it and sends it back to the Client PoP, which
then responds to the end user.
• TCP optimization: Open PoP to PoP connections on our network are maintained and reused. This eliminates
TCP slow start, in which data transmission is increased gradually until the network's maximum capacity is
determined.
• Reduced latency: The latency resulting from the TLS handshake is reduced. By connecting to your origin server
from the PoP with the lowest RTT, time is saved on each of the four trips required to establish the connection.
Configure Acceleration Settings
To configure Dynamic Content Acceleration, configure the Origin PoP setting for each data center in each of your
protected websites. Select the PoP with the lowest RTT for your origin data center. The selected PoP is used by all
servers in the data center.
Note: Sites that don't use persistent connections (for example, using APIs or sending a Connection:close header) and
sites with connection pooling disabled cannot use the Origin PoP feature.
1. Prerequisite: The Origin Connection Reuse setting on the Delivery Settings page must be enabled to support
Dynamic Content Acceleration. For details, see Delivery Settings.
2. On the Cloud Security Console sidebar, select Websites and navigate to Website Settings > Origin Servers.
3. For each data center, click Help me choose to view the recommended PoPs.
For more details on origin server settings, see Load Balancing Settings.
No recommended Origin PoP
In some cases, the system does not provide a list of recommended PoPs. There are several possible reasons:
• There is no PoP that produces a round-trip time of less than 10 ms between the PoP and your origin server. In
this case, the Dynamic Content Acceleration service will not optimize your dynamic content.
• There are more than 4 PoPs with a round-trip time of less than 10 ms between the PoP and your origin server. In
this case, we suspect that your server is using anycast routing or is located behind another CDN. Selecting an
Origin PoP would not improve response time for your dynamic content.
• Your origin server cannot be reached. Check the configuration of your origin server and try again.
For example:
Performance improvements vary based on the geographic traffic distribution of a site, and on your origin server's
proximity to an Imperva PoP. Our tests have shown an average improvement of 30% in RTT latency.
Yes. If the origin data center isn’t near an Imperva PoP (within <10ms RTT), activating the service may have a negative
impact on site performance.
Yes. When Dynamic Content Acceleration is enabled, all traffic reaches the origin from a single PoP. If you have
implemented a rate limiting policy per IP on your origin server, the traffic reaching the origin may exceed the
threshold and result in dropped traffic.
Can I whitelist just the Origin PoP IPs instead of the Imperva ranges?
No. In the event of a connectivity issue between the origin PoP and your origin data center, Imperva automatically
reverts to the standard traffic flow and sends the traffic from the PoP closest to the client directly to your origin server.
The origin must be able to accept connections from any Imperva PoP, regardless of the Origin PoP setting.
No. Cacheable resources are returned from the PoP closest to the client. Only requests reaching the Origin PoP are
forwarded to the origin.
• The availability of this feature depends on your subscription. For more information or to upgrade your plan,
contact an Imperva sales representative.
• If your site already has one or more load balancers installed, the load balancers’ IP addresses should be entered
as server IPs in the Imperva Load Balancing configuration. Imperva will treat each load balancer as if it were a
single server.
Benefits
• Server load balancing using layer 7 distribution algorithms
• Layer 7 (not DNS) based global server load balancing
• Site failover and disaster recovery scenarios
• Health monitoring and server failover
How Does Load Balancing Work?
Imperva’s Load Balancing is based on a network of secure reverse proxies deployed on our globally distributed CDN.
Web traffic that is routed through the Imperva network is terminated by those proxies. This allows Imperva to act as a
load balancer at the HTTP level by making sure requests are always routed to the origin server with the smallest load,
as well as executing geography-based routing decisions at the request level.
Imperva uses Layer 7 based algorithms to make load balancing decisions at the HTTP request level. The Least Pending
HTTP Requests distribution method measures the number of pending HTTP requests for each origin server and sends
requests to the origin with the lowest number of pending requests. This method offers a very accurate assessment of
the origin servers’ loads and keeps the load evenly distributed among the origin servers.
Imperva is quite unique in its use of Layer 7 based algorithms to make GSLB decisions at the HTTP request level (as
opposed to DNS-based GSLB). Layer 7 GSLB allows for quick (non TTL-reliant) responses to server and data center
malfunctions.
The Imperva Load Balancer can also play a major role in DR planning, acting as an automated solution for site failover
.
By using the health monitoring feature, Imperva immediately detects that the primary site is down and automatically
fails over to the standby site.
Imperva supports advanced health monitoring, constantly checking the origin servers to detect malfunctions and
allow immediate server/site failover.
Customers have complete control over the monitoring system. They can calibrate its sensitivity, configure specific
URLs to be monitored and define the exact responses that are expected to be received.
How To
Read More
Imperva Load Balancer distributes user requests among origin data centers and/or servers to achieve optimal
performance and response time. In addition, it helps to ensure high availability in the case of a malfunctioning server
or data center by routing traffic to a healthy server.
In this topic:
From the drop-down, select the option that reflects your site’s topology:
Note:
• You can only choose a topology that is supported by your current plan. You may want to upgrade your plan in
order to support a different topology or add more data centers/servers.
• You can configure servers to use external CNAMEs (such as Amazon Alias Names) instead of explicit IP addresses,
by entering the CNAME in any IP Address/CNAME field in the server settings.
• You can only enter one CNAME per data center.
Add a server:
Imperva automatically detects your origin server’s IP address and populates the IP Address / CNAME field.
To change the origin server's IP address or CNAME, type the address, CNAME, or alias in the IP address / CNAME field.
Load Balancing and Failover features are not available when the site has only one server.
Multiple Origin Servers (Single Data Center)
To configure load balancing for this topology, add servers and set the load balancing attributes.
There are two modes you can use to determine how Imperva will access your origin servers.
Mode Description
In this section:
Option Description
IP Address / CNAME Enter the IP address, CNAME, or alias.
Select the server role for load balancing - Active
Server or Standby Server. Requests are routed to the
Mode Standby (secondary) server if routing to the Active
(primary) server fails or if the Active (primary) server
is down.
After the server is created, you can click Edit to edit the server's options.
Option Description
The single IP address through which the site will be
IP Address
accessed.
Standby IP Address (Optional) The IP address of an additional server.
Number of Active Servers The number of origin servers in the data center.
The port ranges assigned by Imperva to your origin
servers for HTTP or HTTPS traffic. Each origin server
HTTP or HTTPS Port Ranges
is assigned one of these ports. You must route these
port allocations to your origin servers in your router/
Option Description
firewall by configuring the IP tables. For details, see
Port Forwarding Configuration.
• Mode
• Persistence
Mode: Select a load balancing algorithm to determine the origin server to which the next request will be routed.
Customers that have not purchased the Load Balancing add-on and use the Single Data Center with Multiple Origin
Servers; All Active topology can use the Least Pending Requests load balancing algorithm only.
Option Description
(Default/Recommended option) The next request is
routed to the origin server with the smallest number
of pending HTTP requests. This algorithm is the
most accurate in terms of balancing the load
between the different destination IPs. The impact of
Least Pending Requests pending requests on load is much more direct than
that of open connections, hence it usually serves as
a better criterion for load balancing. This algorithm,
similarly to the previous two, does not support
“Session Stickiness” and therefore may refer clients
to different servers on each request.
The next request is routed to the origin server with
the smallest number of open TCP connections. This
algorithm is better in terms of balancing the load
between the different destination IPs. As opposed to
the previous two algorithms, this algorithm takes
Least Open Connections
into account the actual load (in terms of open
connections) of the different destination IPs when
performing routing decisions. On the downside,
clients may be referred to a different server on each
request.
This rudimentary, simple and effective method is
based on a hashing function that maps the IP
address of the request’s source to one of the origin
servers. Packets that arrive from a specific source IP
are sent to a specific origin server. Since many
Source IP Hash
servers implement session state independently,
clients will always be connected to the same server.
On large sites, load is distributed fairly well using
this method. Destination IP availability is, of course,
evaluated prior to packet allocation.
The next request is routed randomly to one of the
Random
origin servers. This is the most basic algorithm and
Option Description
the one most often used. On large sites load will be
distributed fairly well, though on smaller sites load
may not be balanced well. As opposed to Source IP
Hash, clients may be referred to a different server on
each request.
Load is distributed according to a user-defined ratio.
Weighted
For details, see Weighted Load Balancing.
Persistence: Each user session will be served by a single origin server. Use this option if the session must maintain
stateful information. The load balancing algorithm will only be applied to the first request of each user session and
Imperva will maintain user session continuity by setting a dedicated session cookie in the user’s browser.
Multiple Data Centers
Select this topology setting if you have multiple origin servers in multiple data centers.
Global Server Load Balancing Mode: This option determines how user requests are routed to data centers.
Global Server Load Balancing settings are relevant only if 2 or more active data centers are configured.
Option Description
The average connection times between each
Imperva PoP and each of the site’s data centers are
sampled and updated periodically. When this mode
Best Connection Time
is selected, the PoP will route requests to the data
center that currently provides the shortest
connection time.
Option Description
Note:
If one of the Geo-Targeting options is selected, you must map each region to a single data center. Each continent is a
region, and the United States is divided into U.S. East and U.S. West.
1. Click Add Geography. A new row is added for the new region.
2. In the Geographic Region drop-down, select the region.
3. In the Data Center drop-down, select the data center to which the region’s requests will be routed.
4. Repeat steps (1) to (3) for each region you want to specify. Note that each region can only be mapped to a single
data center, and once a region is mapped, it will not be available when adding another mapping.
5. If not all regions were mapped, select the data center that will handle the requests for the Rest of the World.
Persistence: Each user session will be served by a single origin server. Use this option if the session must maintain
stateful information. The load balancing algorithm will only be applied to the first request of each user session and
Imperva will maintain user session continuity by setting a dedicated session cookie in the user’s browser
These attributes determine when a data center will be considered down, which standby data center to activate in such
a case, and optionally a URL to access in order to activate the standby data center.
Option Description
Option Description
the Standby DC Name will be changed back to None
when the settings are saved.
Add data centers and configure the load balancing mode for each.
2. Select Multiple Public IPs mode or Single Public IP mode for accessing servers in the new data center. For
details on these options, see Multiple Origin Servers (Single Data Center).
When working in Multiple Public IPs mode, click to add additional servers to the data center. For more
details on configuring the server, see Multiple Origin Servers (Single Data Center).
Resume traffic to active data centers
If you have a multi-data center topology configured for Imperva load balancing, and all of your active data centers go
down, traffic is rerouted to your standby data center.
When at least one active data center is back up, the Resume Traffic to Active DCs button is displayed, enabling you to
reroute your traffic back to the active data center. Traffic does not revert automatically to your active data centers.
For instructions on using the Load Balancing Settings API, see Load Balancing Settings API Definition.
The definition file presents a full, formatted, and interactive version of the APIs that you can use to learn about the
APIs, or test them using your API ID and key. You can also download the definition file.
Read More
In this topic:
• Overview
• Guidelines
• How to configure weighted load balancing
• Example
• API
Overview
The weights you assign determine the ratio of traffic distribution.
If a data center or server goes down or is taken offline, the traffic is redistributed according to the initial ratio.
For example, suppose you have 3 data centers configured for a website: DC1, DC2, and DC3, and you define a
distribution of 50:30:20 for them, respectively. If DC1 is down, DC2 gets 60% of the load, and DC3 gets 40%.
The same principle applies to the ratio set for servers within a data center.
Guidelines
You can define a weight distribution for all the data centers configured for your site, and also for the servers within a
data center.
• Weighting is supported only for sites configured with the Weighted global server load balancing mode.
• Define weights for active, enabled data centers only. Weights of enabled data centers must sum up to 100.
• Weighting is not supported on a standby data center
• Weighting is not supported on a data center that supports only forward rules.
• Weighting is supported only for data centers configured with the Weighted mode.
API
You can also configure weighted load balancing for a website via the API.
The default weight when you add a new data center or server is 0.
To configure weighting, use the POST methods for editing data centers or servers.
• The monitoring for ‘down’ status is passive, using real user monitoring. It is based on actual requests from
clients to the server and not on active health check requests by the Imperva proxies.
• The monitoring for ‘up’ status is active. When a server is identified as 'down', our proxies start to actively send
requests to the server to verify its availability. When the server becomes available, the server status is
considered 'up'.
Note: The proxy always sends active monitoring requests to the origin server that is defined for the site, using
the site’s Host header. (Origin servers are defined for the site in the Cloud Security Console in Application >
Websites > <select a website> > Website Settings > Origin Servers.)
If there are custom delivery rules defined for the site, such as forward or rewrite rules, they are not run.
Therefore, the default origin server itself must be able to receive requests sent by our active monitoring
mechanism so that we can confirm server availability.
To define load balancing settings for your origin servers, see Load Balancing Settings.
In this topic:
Parameters Description
If the percentage of failed requests is above this
Percentage of failed requests to mark server “Down” threshold for the defined period of time and for the
minimum defined number of sampled requests, the
Parameters Description
origin server is considered “down”. The types of
errors that are considered failed requests are
defined in the Failed Request Criteria section. For
more details, see Set failed request criteria.
Parameters Description
If a request times out within this configurable
HTTP request timeout
period, it is considered a failed request.
Specific HTTP response error codes or patterns that
are to be counted as request failures. The codes can
be specific errors such as “401”, or patterns with
wildcards such as “4xx”. The codes and patterns
HTTP response error codes to be treated as down
should be separated by commas, or dashes to define
ranges. For example: “401, 404, 407, 5xx” or
“501-599” (to define all values between 501 and
599).
Note:
• TCP timeouts cause the server to be considered "down". They are not counted as regular failed requests.
• All other TCP connection errors are considered failed requests by default.
Verify “Down” / ”Up” status
This section contains parameters for verifying that an origin server is down after failed user requests are identified,
and for determining when an origin server is back up after a failure.
Parameters Description
By default, only the regular site traffic (generated by
users) is monitored for failed requests. If this
parameter is enabled (the default setting) and
Imperva determines that an origin server is down
Use verification checks to mark server as “Down”
according to failed request criteria, it will initiate
another request and test its response to verify that
the origin server is down. The request is defined by
the “URL for Monitoring” parameter, and its
Parameters Description
expected response is defined by the "Expected
receive string" parameter.
Parameters Description
Parameters Description
• DC Down: (selected by default) An alarm is
sent when a data center is determined to be
down and fails over to another active data
center.
• Server Down: An alarm is sent when an origin
server is determined to be down.
For instructions on using the Load Balancing Monitoring Settings API, see Load Balancing Monitoring Settings API
Definition.
The definition file presents a full, formatted, and interactive version of the APIs that you can use to learn about the
APIs, or test them using your API ID and key. You can also download the definition file.
Read More
Description: The Single Origin Server topology is the default configuration, and the simplest to configure. When you
add your site as an Imperva user, your server’s IP address is added automatically to the Server Settings. If necessary,
you can edit the server’s IP address or CNAME at any time.
Obviously, a single server topology cannot support load balancing or failover features.
Use Case 2: Single Data Center with Multiple Origin Servers – All Active
Description: If you have a single data center with multiple servers, select the Multiple Origin Servers (Single Data
Center) topology setting. If all servers should be active at all times, select the Active Server setting for each server that
you add.
You can configure each server to have a separate public IP address, or you can configure only one server with a public
IP address, and route traffic to the other servers using port forwarding.
If one or more servers are identified as down, traffic is routed to the remaining active servers
Multiple Active Servers: Some Servers Down - Load Balancing among Functioning Servers
Availability: Purchase of the Load Balancing add-on is required for setups of three or more servers.
Use Case 3: Single Data Center with Multiple Origin Servers – Two ISPs
Description: The Active and Standby server modes can be used when you have two Internet Service Providers (ISPs) -
one used for normal operations and the other (often a more expensive one) only used as a standby provider.
In this use case, if all servers have public IP addresses, add each server twice: once as Active Server (primary) with an
IP address from the primary ISP, and the second time as Standby Server (secondary) with an IP address from the
“standby” ISP.
If you are using port forwarding, enter the IP address from the primary ISP in the IP Address field, and enter the IP
address from the “standby” ISP in the Standby IP Address field.
Dual ISPs: Active Identities are Used when Primary ISP is Active
Use Case 4: Single Data Center with Multiple Origin Servers – Active & Standby
Description: You may have a single data center with multiple servers, and want some of the servers to act as standby
servers, only receiving traffic when active servers are down or non-responsive.
To support this use case, select the Multiple Origin Servers (Single Data Center) topology setting, and define some
servers as Active Server (primary) and some as Standby Server (secondary). Normally, traffic is load balanced only
among the primary servers. If routing to all primary servers fails, traffic is load balanced among the secondary servers.
Requests may be routed to the secondary server even when monitoring identifies that the primary server is up, but a
TCP connection cannot be established.
If all servers have public IP addresses, there are no constraints on the number of active and standby servers. In the
case of port forwarding, active/standby mode can only be supported if there are equal numbers of active and standby
servers.
Active (Primary) and Standby (Secondary) Servers: Standby Servers Not Used Unless Routing to All Active Servers Fails
Active (Primary) and Standby (Secondary) Servers: Standby Servers Used when Routing to All Active Servers Fails
Description: You may maintain one or more active data centers and one standby data center, which should only serve
site traffic if all active data centers are down.
To support this use case, select the Multiple Data Centers topology setting. Define each data center in the Imperva
configuration, and enter the standby data center’s name in the Standby DC Name parameter of the Failover Attributes
section.
Standby Data Center: Standby Data Center Not Used Unless All Active Data Centers are Down
Standby Data Center: Standby Data Center Used When All Active Data Centers are Down
Description: There can be different reasons for maintaining multiple data centers to serve a single website. One
reason is to provide better performance by serving users from data centers that are geographically close to their
location.
To support this use case, select the Multiple Data Centers topology setting, and select the Best Connection Time mode
(the default). This will cause the load balancing mechanism to serve each user from the data center that provides the
shortest response time to the specific user
Performance: Users are Served from Data Center Providing Best Connection Time
Performance: If Data Center Down, Users Served from Active Data Center with Best Connection Time
Description: Some websites provide localized content, depending on the location from which the site is accessed. For
instance, users from the West Coast of the US might see different articles or advertisements than users from the East
Coast.
To support this use case, select the Multiple Data Centers topology setting, and select the Geo-Targeting Preferred
mode. This means that the load balancing mechanism will serve users from the data center that is geographically
closest to them, as long as that data center is active. However, if the closest data center is down, user requests will be
served from other active data centers, according to the Best Connection Time mode.
To work in Geo-Targeting Preferred mode, you must assign each geographical area to a specific data center. The last
area assigned to a data center will always be Rest of the World. This "catch all" data center will handle requests from
all areas not explicitly assigned to another data center
Geo-Targeting Preferred: If Data Center Down, Users Served from Active Data Center with Best Connection Time
Description: Some websites maintain multiple data centers to comply with local laws and regulations that stipulate
that users from certain areas must only be served locally.
To support this use case, select the Multiple Data Centers topology setting, and select the Geo-Targeting Required
mode. This means that the load balancing mechanism will serve users from the data center that is assigned to them. If
that data center is down, they will not receive service since a standby data center in another geographical region is not
a legal option. To work in Geo-Targeting Required mode, you must assign each geographical area to a specific data
center. The last area assigned to a data center will always be Rest of the World. This "catch all" data center will handle
requests from all areas not explicitly assigned to another data center.
Read More
In order to work in Single Public IP with Port Offsets mode, you will need to configure your firewall to work with port
forwarding, and add the appropriate access and mapping rules to route requests coming through Imperva to the
correct server within your site. This appendix describes how to do this for several commonly used firewalls.
In this topic:
2. In the Firewall Objects tab, select Virtual IP under the Virtual IP group.
3. Click Create New. A window opens in which you can enter details for a virtual IP address for an internal site
server.
Note: If you have not already done so, add an Address object for each internal server in the FortiGate Firewall
Objects\Address page.
1. Open the FortiGate Policy page and click Create New. A window opens in which you can enter details for the new
policy rule.
Following are examples of how to configure port forwarding for the Cisco ASA firewall.
Note: Replace the IP addresses and subnets in the examples with values that are appropriate for your network.
To configure port forwarding for the Cisco ASA Firewall using the CLI:
LAB-ASA5505-01# conf t
LAB-ASA5505-01# exit
LAB-ASA5505-01# exit
4. Configure Network Address Translation (NAT) so your Inside users can browse the web.
5. Create a static NAT entry for your web server to your (single) public IP address and configure static NAT with port
forwarding.
6. Configure an access list to allow Outside traffic to visit port 80 (HTTP) as your Outside interface.
8. 1 (Inside) to (Outside) source static WWW-SERVER interface service tcp www www
translate_hits = 0, untranslate_hits = 2
translate_hits = 6, untranslate_hits = 0
10. Examine the hit count in the access list and verify that it is increasing.
LAB-ASA5505-01# sh access-list
alert-interval 300
access-list Outside_access_in line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x24ee277f
access-list Outside_access_in line 2 extended permit tcp any object WWW-SERVER eq www (hitcnt=4)
0xb7fcf341
access-list Outside_access_in line 2 extended permit tcp any host 172.20.10.100 eq www (hitcnt=4) 0xb7fcf341
To configure port forwarding for the Cisco ASA Firewall Using the ASDM UI application:
2. Click New object to create a new NAT object and click on the NAT drop-down.
3. Enable Add Automatic Address Translation Rules and select Static as the type. In theTranslated Addr drop-
down, select Outside.
7. Enter the Real Port and Mapped Port values (for example, set both values to www, http or 80).
8. Click OK.
3. Define each server and port. (These settings relate to the real IP and port configured on the server.)
4. Configure the NAT policy (specify the NAT pool to which traffic should be translated). This defines both the
destination IP and destination port address.
5. Configure the port forwarding rule for the first origin server.
set security nat destination rule-set dst-nat rule rule1 match destination-address 172.16.1.2/32
set security nat destination rule-set dst-nat rule rule1 match destination-port 2222
set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-192_168_1_5m32
6. Configure the port forwarding rule for the second origin server.
set security nat destination rule-set dst-nat rule rule2 match destination-address 172.16.1.2/32
set security nat destination rule-set dst-nat rule rule2 match destination-port 3389
set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-192_168_1_6m32
7. Configure the security policy. Note that the internal (real) IP address and port of the server are defined within
the policy.
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match destination-address server1
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match application SSH
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 match destination-address server2
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 match application RDP
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 then permit
Read More
Waiting Rooms
Control the traffic to your website during peak periods when the origin server is unable to handle the load. while
providing a seamless experience to your customers.
Route your website visitors to a virtual waiting room when their requests can't be handled immediately.
In this topic:
• Overview
• Open the waiting room page
• Add/edit a waiting room
• Set activation thresholds
• Customize the waiting room visitor page
• View your waiting rooms
• Track performance statistics
• Waiting Room API
Overview
During peak traffic times, or when there are unexpected spikes in traffic to your website, requests can exceed your
website's capacity and can overload your servers. To prevent loss of business due to server crashes, poor
performance, or the inability to handle the volume, you can configure a waiting room.
A waiting room places your customers in a virtual queue and create a positive user experience. Instead of being
greeted with a "server unavailable" message, customers can see their position in line, and when their turn arrives,
they are redirected to the requested page. While waiting in line, the customer's request are not transferred to the
origin server, preventing overload.
Note:
• All traffic is inspected by the Imperva security mechanism before being routed to the waiting room.
• One waiting room is included with your plan. Additional waiting room licenses are available as an add-on to the
Cloud WAF service. For details, contact your Imperva Sales Representative.
• When browsing from a mobile device, users must keep the waiting room page open to remain in line.
Audit Trail
The following events are logged in the audit trail for your account:
Option Description
Option Description
to the entire website, such as: URL contains "^/
ShoppingCart".
Available options:
Option Description
• Bypass: Bots bypass the waiting room. Use
this option if you are confident that legitimate
bot activity will not affect your origin server
performance.
• Block: Bots are blocked from your website.
Use this option if you want to prioritize human
visitors over bots during peak time.
When a threshold is passed, all new incoming users are placed in a queue. Visitors in the queue are then allowed entry
to the website on a FIFO basis, at the rate defined by the threshold values.
New users/sessions
A new incoming user is defined as a user/session that is trying to access the website for the first time (within the
scope of any conditions set for the waiting room) , before it is assigned a place in the waiting room queue. There are
two types of sessions:
• Cookie-based (human visitor): When the requesting client supports cookies, all requests with the same session
cookie are considered a single user.
• Cookieless: When the requesting client does not support cookies, we identify a user according to IP address.
You must configure at least one of the options, or you can configure both.
When both thresholds are configured, visitors are routed to the waiting room as soon as either one of the thresholds is
passed.
Visitors are then sent on to their requested page according to the defined thresholds - at a rate of x new users/minute
if that option is defined, and/or up to the maximum number of active users, if that option is defined.
Note: If there are conditions defined for the waiting room, only user sessions that match all conditions are counted as
new or active users. For details, see Conditions above, under Add/edit a waiting room.
Option Description
Option Description
threshold has been passed), no new user can
access the site until another user leaves and
frees up space.
Examples
Suppose you set New incoming users per minute to 1000 per minute, and incoming traffic reaches a rate of 1010 new
users per minute.
Result: All new users are sent to the queue. Based on the threshold value you defined, 1000 users are then allowed
entry to the website each minute (redirected to their requested page). Any users above this threshold are routed to
the waiting room.
Suppose you select both options and define the values as follow:
Suppose there are currently 2800 active users, and the rate of incoming traffic is now 200 users per minute. The New
incoming users per minute threshold of 120 has been passed, so new incoming users are routed to the waiting room.
In the first minute, only 120 users will be able to enter the site. So active users at the end of the first minute totals
2920.
In the next minute, let's assume that traffic is still 200 incoming users per minute. Because the total number of active
users is now 2920, only 80 additional users can enter the site.
At this point, the Maximum number of active users (3000) has been reached, so no new users are allowed in to the
site before other users leave.
Customize the waiting room visitor page
You can customize the waiting room page that is displayed to your website visitors when they are placed in the queue.
Option Description
Option Description
user, and reloads the page when the user is
allowed to enter the website from the waiting
room. This parameter is mandatory and
should not be modified or deleted.
• $WAITING_ROOM_WRAPPER$ - Used to
validate the content of the template. This
parameter is mandatory and should not be
modified or deleted.
• $WAITING_ROOM_POSITION_IN_LINE$ - Used
to display the user's position in the waiting
room queue.
• $WAITING_ROOM_LAST_STATUS_UPDATE$ -
Used to display the time of the last status
update.
Click Preview to view the page as your website visitors will see it.
• <iframe> tag
• <script> tag
• <form> tag
• illegal HTML actions, such as these HTML event attributes: onload, onerror, onmessage, onoffline,
ononline, onchange, onfocus, oninput, onsearch, onsubmit, onselect
Note: If there are multiple waiting rooms defined with the same conditions, the first one listed in the table is used and
the others are ignored.
The Waiting Rooms page displays the following fields for each waiting room. For more details on these fields, see
Add/edit a waiting room.
Column Description
Click the name to view or edit the waiting room
Name
settings.
Description The user-defined description of the waiting room.
The maximum number of new users per minute that
Rate threshold/min are allowed access to the website before Imperva
starts routing visitors to the waiting room.
More options
Click the ellipsis to view options to edit or delete
the waiting room.
The definition file presents a full, formatted, and interactive version of the APIs that you can use to learn about the
APIs, or test them using your API ID and key. You can also download the definition file.
Learn more:
DDoS Protection for Networks can be used to protect any online asset such as websites, DNS servers, SMTP servers
and any other IP based application. This service leverages Imperva’s multi-terabit network capacity and packet
processing capabilities to absorb and mitigate the largest and most sophisticated DDoS attacks.
DDoS Protection for Networks can be deployed as an always-on, on-demand or contingency solution, and can be
combined with all Imperva Cloud Application Security services for extending protection and monitoring capabilities.
• Always-on: Your ingress traffic is constantly tunneled through the Imperva network.
• On-demand: Your ingress traffic is tunneled through the Imperva network only during attack time.
• Contingency: Similar to on-demand, but with a limited number of network range diversions to redirect your
traffic through the Imperva network. The Contingency solution is intended as a backup service in the event of
an outage in your primary protection service.
Benefits
• Layer 3 and 4 DDoS protection for IP ranges and subnets hosting any IP based application
• Terabit DDoS scrubbing capabilities
• Attack monitoring and mitigation backed up by 24x7 NOC and SOC teams
• SLA for DDoS mitigation performance
• Real-time dashboard for traffic monitoring and event analysis
How Does DDoS Protection for Networks Work?
Imperva DDoS Protection for Networks allows organizations to tunnel all ingress traffic (traffic from the Internet to the
origin network) through the Imperva network. The organization's edge routers use the Border Gateway Protocol (BGP)
to announce subnets and IP ranges to be advertised by Imperva, forcing all Internet routes pointing at their data
center to point at Imperva instead. DDoS Protection for Networks uses Generic Routing Encapsulation (GRE) tunneling
to forward traffic to the origin network after the traffic has been scrubbed from any DDoS attack.
The Behemoth
At the core of Imperva’s DDoS Protection for Networks service is its proprietary DDoS scrubbing appliance named
Behemoth. The Behemoth performs all Layer 3 and Layer 4 DDoS scrubbing and then tunnels clean traffic over a GRE
tunnel to the origin network. Each of Imperva’s data centers is equipped with one or more Behemoth appliances. In
addition to scrubbing any DDoS attack, Behemoth provides packet level visibility and packet flow control to our 24x7
Operations Center teams.
Traffic Flow
The Border Gateway Protocol (BGP) is used to control the traffic flow and route traffic through the Imperva network.
In order to route traffic sent to the origin network through Imperva, organizations configure their routers to announce
that their IP ranges are to be advertised by the Imperva routers. This is done by establishing BGP peering between the
Imperva router and the organization’s routers.
Once Imperva starts advertising the customer’s IP ranges, all Internet routes for the origin network point at the
Imperva network. Ingress traffic sent to the protected IP ranges is automatically routed to Imperva where DDoS
scrubbing takes place. After the traffic has been scrubbed, Imperva forwards clean traffic to the origin network over a
pre-established GRE tunnel.
DDoS Protection for Networks uses an asymmetric channel in which ingress traffic is routed through Imperva, while
egress traffic (traffic from the origin network to the Internet) is routed through the organization’s ISP.
Imperva’s software-defined network range advertisement announces customer IP ranges from the following
locations:
• When a DDoS attack traverses transatlantic cables, ISPs may null route the attacked IP in order to avoid
congestion of those cables. By advertising the IP ranges from PoPs in each region, Imperva mitigates the DDoS
attack in the continent in which it started.
• More PoPs participate in the mitigation, enabling Imperva to handle larger DDoS attacks without human
intervention.
• Imperva PoPs are connected through high-quality internet connections, resulting in better user-experience.
During an Attack
DDoS Protection for Networks can be deployed as an always-on or an on-demand solution. Organizations choosing to
deploy DDoS Protection for Networks as an always-on solution route their traffic through Imperva at all times.
Organizations choosing to deploy DDoS Protection for Networks as an on-demand solution route their traffic through
Imperva only when they are under a DDoS attack.
DDoS Protection for Networks reacts to DDoS attacks at a micro-second scale by utilizing multiple mechanisms, such
as detecting anomalies in traffic patterns and identifying known attack patterns. Attack mitigation engines are
dynamically adjusted according to the attack severity as well as the state of the origin network. After traffic has been
scrubbed, clean traffic is forwarded to the origin network over a GRE tunnel.
DDoS Protection for Networks is backed up by 24x7 NOC and SOC teams that monitor attacks, adjust detection and
mitigation configuration, and respond to customer requests and enquiries.
Why Does Imperva Use a GRE Tunnel?
Imperva uses a GRE tunnel to route clean traffic to the origin (and also to establish BGP peering for on-demand DDoS
Protection for Networks deployments).
When Imperva advertises the customer’s IPs or IP ranges, all packets targeted to these IPs/ranges are directed to the
Imperva network. The Imperva Behemoth appliances scrub the traffic, filtering incoming packets and dropping any
DDoS attack packets. The remaining “legitimate” packets are passed on to the customer according to their destination
IP through the GRE tunnel.
The GRE tunnel is the only way that the packets can reach the customer at this point, because Imperva is the only
entity advertising the customer’s IPs/ranges. This means that even if Imperva were to send the packets back to the
Internet, they would return to Imperva again.
How To
Read More
On-Demand Flow
This topic describes the flow of events when mitigating a DDoS attack for Infrastructure Protection customers in
on-demand mode.
Before an attack
The following describes the flow of events before an attack occurs:
1. Imperva establishes a Generic Routing Encapsulation (GRE) tunnel between the Imperva Data Center and your
AS edge router.
2. Imperva establishes a BGP peer relationship between your AS edge router and the Imperva edge router via the
GRE tunnel. Imperva does not advertise your IPs to the Internet at this stage. This will only be done during an
attack, as described below.
3. You notify your Internet ISP that Imperva now has permission to advertise your IP range. The Internet ISP then
adds your IP range to Imperva’s ASN, meaning that Imperva now has permission to start advertising this IP
range at any time.
During an attack
The following describes the flow of events when your network is being targeted by a DDoS attack:
1. After Imperva has established a Generic Routing Encapsulation (GRE) tunnel and a BGP peer relationship
between the Imperva Data Center and your AS edge router (as described above), the Imperva Data Center and
your AS edge router keep the GRE tunnel open and continually transmit keep-alive messages between them.
2. The Imperva Behemoth stands vigilant at the edge of this GRE tunnel, waiting for a BGP announcement (call for
help) from your edge router, indicating that your network is under attack.
3. Once an attack on your network is detected (either by your team or by using Imperva’s Infrastructure Monitoring
service), your edge router starts sending BGP announcements to Imperva over the GRE tunnel.
4. Immediately after receiving the BGP announcement, Imperva’s routers start advertising your prefixes and
Internet routes to your network are updated globally.
5. Traffic starts flowing through Imperva instead of directly to your edge router, and typically all traffic is rerouted
within two or three minutes.
6. In parallel, you stop sending BGP announcements to your ISP and stop advertising your prefixes.
7. Traffic reaching the Imperva network is filtered. DDoS traffic is dropped and clean traffic is forwarded to the
origin network via the GRE tunnel.
8. Imperva will continue to advertise your IP range until your router sends a new BGP announcement to stop
advertising its IP range.
Any attack that targets the origin network will be identified by Imperva and customers will be immediately informed
via their preferred channel.
Benefits
• 24x7 network monitoring for detecting DDoS attacks
• DDoS notifications via email, text messaging and phone
• SLA for DDoS detection performance
• Real-time dashboard for traffic monitoring and event analysis
• Multi-terabit DDoS scrubbing capabilities
• Backed up by 24x7 NOC and SOC teams
How Does Flow Monitoring Work?
The Flow Monitoring service requires organizations to send NetFlow, sFlow, or jFlow feeds from their edge networking
devices. These feeds contain information, such as packet types, rates and size, which is used by Imperva to detect
DDoS attacks.
• NetFlow: a network protocol developed by Cisco. NetFlow versions: 5, 9 and 10 (IPFix) are supported.
• sFlow: a protocol similar to NetFlow. It is generally supported on Layer 2 networking equipment, such as
switches and firewalls.
• jFlow: a data flow sampling technology employed by Juniper switches and routers for network monitoring.
Traffic Profiling
When the Flow Monitoring service is enabled, Imperva creates a traffic profile for the origin network that is used as a
baseline for detecting DDoS attacks. From that point on, Imperva compares real-time traffic information with the
established baseline to detect attacks, as well as updating the baseline based on new traffic profiles that are
identified.
Detecting Attacks
Any suspicious traffic will trigger an alert to Imperva's 24x7 NOC, which will immediately analyze the traffic pattern
and determine whether it constitutes a DDoS attack. In the case of a real attack, the NOC will notify the protected
organization according to a pre-defined escalation path and using the preferred method of communication. The
whole process usually takes less than a minute and is backed up by Imperva’s Service Level Agreement (SLA).
Read More
In this topic:
• Overview
• Prerequisites for onboarding
• How to onboard Infrastructure Protection
Overview
The Imperva Infrastructure Protection service can be deployed as either always-on or on-demand and is asymmetric
(ingress traffic flows through the Imperva network; egress traffic goes directly to the Internet). In order to protect the
entire network infrastructure against L3/4 DDoS attacks, Imperva needs to be able to advertise all of the publicly
available IP ranges connected to the protected AS. In addition, a GRE tunnel has to be established between the origin
network and Imperva. On-demand setups also require the establishment of BGP peering between the edge devices on
both ends. The BGP peering is established via the GRE tunnel and is used for announcing ranges to Imperva during an
attack.
Imperva Infrastructure Protection onboarding is not a fully self-service process. It usually takes some time until the
setup is ready and requires effort on both the Imperva and customer sides to see it through (process duration and
Imperva commitments during the process are covered under the Imperva SLA).
Imperva assigns a solution manager to take responsibility for the onboarding process. The solution manager works
with the customer’s networking/operations team to set up Imperva DDoS Protection for the entire network
infrastructure.
Prerequisites for onboarding
• Ownership of at least one /24 network prefix or larger
• Route object configuration for each of the IP ranges in at least one of the IRR databases (for example, RADB)
• TCP MSS adjustment capabilities (if using GRE)
• Experience with utilizing BGP on the network edge (preferred)
How to onboard Infrastructure Protection
The Imperva solution manager will guide you through the following process phases to onboard your network
infrastructure:
1. Feasibility: The Imperva solution manager sends you a Scoping document to be filled in with your basic
network information. This Scoping document enables Imperva to prepare a quotation and verify the feasibility
of providing protection for your infrastructure.
2. Provisioning: Imperva assigns an onboarding team to assist you during the onboarding process.
1. Imperva’s onboarding team provides you with a Provisioning form detailing how you should configure
your network equipment.
2. Configure your network equipment precisely as specified, while filling out the fields of this form.
3. Submit this form to Imperva so that the Imperva team can configure its equipment and define an initial
security profile for you accordingly.
4. The Imperva onboarding team then completes the setup on the Imperva side according to the
information provided by you in the Provisioning form.
3. Provisioning Call: Imperva's onboarding team will initiate a conference call with you and your engineers in
order to verify that the setup is properly configured, both on your equipment and on the Imperva network.
The Imperva team then prepares and sends you a DDoS Playbook, specifying the exact steps you should take
during a DDoS attack. The playbook is specific to your setup. This playbook will also be used to test the setup.
4. Testing: During this phase, the Imperva onboarding team tests the setup with you according to the steps
detailed in the DDoS Playbook. This test simulates a DDoS scenario in which you switch over incoming traffic to
Imperva. Prior to the testing, if not already completed, route objects should be configured for all IP prefixes on
one of the IRR databases. These configuration changes must happen at least 24 hours before testing to allow for
full worldwide propagation. Prefixes configured without route objects may not work properly.
Note: After onboarding to the DDoS Protection for Networks service, you may want to edit or add new connections.
For example, if you change ISP or want to create new GRE tunnels. You can do this via the Cloud Security Console or
API, for GRE-Tunnel type only. Other connection types must be configured by the Imperva team.
Read More
This topology is recommended for both always-on and on-demand DDoS Protection for Networks customers.
In this topic:
• Service Availability
• Service Performance
• Service Functionality
Service Availability
Imperva has a global network of data centers to which you can connect (For the full list, see Imperva Data Centers
(PoPs)).
Each of your data centers should be connected to at least 2 Imperva data centers (also referred to as Imperva PoPs) to
make sure service is available during failure or planned PoP maintenance. At least one of these connections should be
to a high capacity PoP (listed in the onboarding instructions here: Add a GRE tunnel connection).
To ensure 100% availability, each customer data center should be connected to 3 Imperva PoPs.
If you have multiple data centers, you can connect to the same or different Imperva PoPs.
Connecting to multiple Imperva PoPs ensures service availability by Imperva. Failures which would impact service
availability can also occur at the customer end or even at the customer’s ISP. Therefore, it is recommended that you
use redundant endpoint routers and redundant ISP connections when connecting your data centers to Imperva PoPs.
Service Performance
For best performance, consider the following when setting up connections between your data centers and the
Imperva PoPs:
• Choose Imperva PoPs that minimize latency, as well as other performance KPIs such as packet loss and jitter. In
most cases, this is achieved by connecting to Imperva PoPs that are geographically closest to your data centers.
Note: It is also worthwhile considering the ISP, as in some cases, a connection through one ISP has lower latency
than through another, due to peering agreements between transit providers.
• Link performance to different Imperva PoPs can vary between connections. If there are significant performance
differences between the connections, it is recommended to configure more than one connection to the highest-
performing PoPs.
For details on Imperva's link performance monitoring capability, see Configure Performance Monitoring: DDoS
Protection for Networks.
Service Functionality
In most cases minimal connectivity is sufficient to gain the functionality benefits offered by Imperva’s DDoS
Protection for Networks service. However there might be some scenarios where the optimal configuration — multiple
connections between your data centers and Imperva as described above — can have functional impact.
Imperva's link performance monitoring collects performance KPIs of the connections between your data center and
Imperva. This is achieved by continuous polling of your endpoints (using ICMP echo messages) from the Imperva PoP.
Proper performance collection mandates that the ICMP echo replies travel the same path as the ICMP echo requests.
(The Performance Monitoring documentation includes equipment configuration guidelines on how this can be
achieved using static routes or BGP). If multiple connections between the same endpoint in your data center and the
same Imperva PoP are used, proper link performance monitoring cannot be guaranteed. This can lead to inaccurate
KPIs displayed in the performance dashboard. Such topology should be avoided if possible by using multiple
endpoints in your data center.
In this topic:
Imperva defines the security policy based on your traffic rates and patterns. When you first onboard your range to the
DDoS for Networks service, we define an initial security policy according to our internal logic and the network
information you provide in the scoping document. This information enables us to create an initial policy that allows
a reasonable rate of traffic while blocking suspicious rates of traffic, until we have enough information to develop a
more customized profile.
After 7 days of traffic flow, the Imperva SD-SOC analyzes the data and automatically adjusts the security policy based
on your network range's actual traffic patterns. Our Security Operations Center (SOC) reviews the policies as needed.
Mitigation process
The mitigation process built in to the Behemoth technology applies deep packet inspection combined with the
application of advanced security rules and security challenges in order to identify malicious sources and/or content.
Multiple mitigation steps are defined and evaluated independently for each traffic type, such as TCP, UDP, SYN, DNS,
NTP, and so on.
Each step is combined with thresholds in Kpps, Mbps, or both, in order to appropriately flag the traffic as malicious or
legitimate. When the specified threshold is reached, the relevant mitigation step is activated. Mitigation steps are
activated one at a time, as needed. Only the first and last steps are described here:
• Mitigation start: The lowest threshold is designed to let the Behemoth know it should start inspection. This
does not necessarily indicate that traffic will be blocked, rather that we have started taking a closer look.
• Rate limiting: As a final step, and only after all other thresholds are passed, we activate this mitigation level.
Rate limiting involves packet drop, designed to prevent network circuits from becoming too congested and
crashing completely. The rate limiting threshold is generally set up based on your capacity. Our Behemoth
reaches this step extremely rarely, if ever, as traffic is usually blocked at an earlier stage.
Recommendations
Keep us informed
Imperva defines security policies based on the data displayed in the DDoS for Networks (Infrastructure) Dashboard.
This can be based on either actual traffic or on the NetFlow/sflow/jflow feed we receive from you.
In addition, keeping us informed of your preferences, significant changes in traffic volume or patterns, or your
network and connectivity capacity can help us adjust your security policy accordingly and give you the best results.
For example:
• If the traffic flowing through Imperva is lower than the maximum rates you expect or can handle, we would like
to adjust the mitigation start threshold to a higher rate.
• We set rate limiting thresholds based on both your actual traffic, and the onboarding scoping document. If the
traffic pipe size or capacity has changed, or if you would prefer that a higher threshold is set before rate limiting
is triggered, we can adjust these thresholds accordingly.
DDoS attacks typically target specific hosts. Therefore, applying mitigation to a broad range is not the best practice. To
enable us to apply mitigation to the smallest possible portion of your network, it is best to define /24 ranges when
onboarding DDoS Protection for Networks so that we define a separate, custom security profile for each prefix.
Example
DNS response rates were adjusted according to peacetime traffic.
During peacetime:
We see total traffic at 4:02 and see that DNS Response traffic is 2.38 Mbps.
At 4:06, while total DNS Response traffic was 7.29 Gbps, we see here that DNS Response traffic that was passed on to
the origin was about 3 Mbps. This demonstrates that the volume of legitimate traffic that is forwarded to your origin
during the attack is comparable to the volume during peacetime.
Read More
Direct Connection
Imperva supports direct connections for the DDoS Protection for Networks service. Connect directly to the Imperva
network over a private, high-quality connection.
In this topic:
• Equinix Cloud Exchange (ECX): Connect your infrastructure that is located in Equinix facilities and using the ECX
Fabric platform. For details, see Equinix Cloud Exchange (ECX) Direct Connect.
To check which Imperva data centers support these connections, see Imperva Data Centers (PoPs).
In this topic:
As a cloud service provider, Imperva offers the option for you to connect your infrastructure located in an Equinix
facilities and utilizing ECX Fabric to the Imperva DDoS Protection for Networks service by forming a Layer 2
connection using the ECX platform.
Prerequisites
Your infrastructure must be located in Equinix IBX, which offers connectivity over ECX Fabric.
Unlike traditional cross-connect, your infrastructure does not have to be co-located with Imperva in the same Equinix
IBX in order to form a connection. Because ECX can be used to connect two data centers located in different Equinix
facilities, you can connect between your infrastructure located in Equinix in one location and an Imperva PoP (data
center) located in Equinix in a different location.
Imperva PoPs in Equinix facilities
For the list of Imperva PoPs located in Equinix IBX facilities, see Imperva Data Centers (PoPs).
The Process
1. Setting up the Imperva-side endpoint (Z-side).
1. The Imperva team starts by setting up the service in the relevant Equinix IBX.
2. Once ready, the Imperva onboarding team configures the connection for your account.
2. Setting up the customer-side endpoint (A-side).
1. When Imperva informs you that the Imperva-side of the ECX connection is ready, you need to order a
virtual connection from Equinix to Imperva. You submit the connection request using the ECX Fabric
portal. For instructions on creating a connection, see the Equinix ECX Fabric documentation.
2. The Imperva team will then receive, review, and approve the connection request.
3. When the connection is established, the Imperva onboarding team contacts you to continue the
onboarding process.
For more details on the onboarding process, see Onboarding: DDoS Protection for Networks.
When onboarding is complete, you can view your connection in the Cloud Security Console. Navigate to Network >
Network Protection > Connectivity Settings. The connection will be listed under Origin Connectivity.
In this topic:
• Overview
• Supported BGP Communities
Overview
The common use case of BGP communities is the Prepend community. Prepend enables on-demand customers to
minimize exposure time when onboarding Imperva during a DDoS attack. This is done by maintaining a low priority
second route via Imperva at all times. The Imperva route to your network is stored in each edge router in the world,
just as all other routes to your network are stored. Once an attack starts and routes via your ISP are no longer active,
traffic will be routed through Imperva.
Example
The following is an example of the above use case. The BGP Prepend community is used to add the same ASN number
multiple times.
If your ASN is 1, then your ISP will likely advertise the following prefix:
1.2.3.0/24 ASN:1
In order to be considered a secondary route, Imperva will advertise the same address with multiple repetitions. For
example, Imperva might advertise the following to the world using the Prepend option (two ASN hop repetitions are
shown):
This route (advertised by Imperva) appears to have multiple hops between two Autonomous Systems (even though
both of them have the same ASN). This will trigger edge routers to prefer the route announced by your ISP.
When an attack commences, your ISP will stop announcing a route to your network and traffic is then immediately
routed through the Imperva network.
Supported BGP Communities
You can mark routes with the following communities when advertising IP ranges through Imperva:
Use the following communities to inform Imperva that it should prepend your AS:
Community Description
19551:511 Prepend customer’s AS 1x
19551:512 Prepend customer’s AS 2x
Community Description
19551:513 Prepend customer’s AS 3x
No Advertise Communities
Use the following communities to inform Imperva that it should not advertise your IP range:
Community Description
no-export Imperva will not advertise the IP range
19551:XXXX Your customer-specific community
Use the following communities to inform Imperva that it should use local preference with your AS:
Community Description
19551:170 Set local preference to 170
19551:120 Set local preference to 120
19551:110 Set local preference to 110
Note: This process is currently available for the GRE-Tunnel connection type only. Other connection types must be
configured by the Imperva team.
For an overview of the DDoS Protection for Networks onboarding process, see Onboarding: DDoS Protection for
Networks.
In this topic:
• Overview
• Open the Connectivity Settings
• Add your ASN
• Define origin connectivity
• Configure routing options
• Network Settings API
Overview
After you are onboarded to the DDoS Protection for Networks service, you may want to edit or add new connections.
For example, if you change ISP or want to create new GRE tunnels.
Note: If your ASN is already registered in Imperva, you can skip this step and continue to Define origin connectivity.
A unique autonomous system number (ASN) is allocated to each autonomous system by the Internet Assigned
Numbers Authority (IANA), for use in BGP routing.
We register the AS-SET object, which enables us to group AS numbers in a single object. It indicates to our upstream
providers that we are now eligible to announce the ASNs that are listed within the AS-SET object.
When you start the onboarding process, your ASN is added to our AS-SET object, and our system registers your ASN
on each registrar.
Leased IP ranges: If you are leasing an IP range from a 3rd party vendor such as an ISP, you will need to provide a
letter of agreement (LOA) from the owner of the IP range. The range will be announced to Imperva using a private ASN,
and Imperva will announce the route with its own ASN.
Under ASNs, click Add, enter your ASN number, and save.
Note: It can take up to 48 hours for the ASN to be fully registered in our system.
In the ASN table, you can expand the ASN row and view the registries and their registration status. The following
indicators reflect the registration status of the ASN in the specified registry:
Registered
Pending registration
Not registered
Example:
For status details, click the check box next to a registry row and click Check Status.
Define origin connectivity
Configure the tunnel connection between Imperva's network and your origin network. This connection is used for
clean traffic and BGP announcements.
Prerequisite: Make sure that your network range has already been defined by the Imperva team and is listed on the
Protection Settings page.
Guidelines:
• For redundancy purposes, configure a minimum of two connections for each GRE tunnel (each tunnel public IP).
For example:
Add a connection:
Under Origin Connectivity, click Add, and fill in the following fields:
Field Description
Field Description
• APAC: HKG, SIN, TKO
Configure one policy for each connection you defined in the Origin Connectivity section.
Under Routing Options, click Add, and fill in the following fields:
Field Description
Select one of the connections that you defined
Connection Name
under Origin Connectivity.
Select the ASN associated with the connection you
ASN
selected.
Field Description
For instructions on using the Network Settings API, see Connectivity Settings API Definition.
The definition file presents a full, formatted, and interactive version of the Network Settings APIs that you can use to
learn about the APIs, or test them using your API ID and key.
See also:
• To view or edit your settings after onboarding: Connectivity Settings: DDoS Protection for Networks.
View metrics on latency, jitter, and packet loss to assess the stability of your connections, when you're experiencing
network issues, or any time you want to check on the connection status in order to speed up your investigation.
Visible spikes, or high values seen over time may indicate an area that requires further examination.
In this topic:
• How it works
• Enable and configure performance monitoring
How it works
Each Imperva data center (PoP) includes a pair of Performance Monitoring (PM) servers. When performance
monitoring is enabled for a specific GRE tunnel connection, the PM servers located in the PoP on one side of the
connection constantly send ICMP echo request packets (ping) to the remote GRE tunnel endpoint. The PM servers
then collect the echo reply messages, analyze them, and expose their KPIs.
To make sure that the KPIs represent the real traffic traversing through the GRE tunnel, it is imperative that the echo
requests and their replies are also sent via the GRE tunnel.
For the request, this is achieved by using your GRE tunnel endpoint as the destination. This is the private IP address of
your network device. It is listed as Customer Peer for each GRE tunnel connection on the Connectivity Settings page
> Origin Connectivity table.
For the reply, custom routing is required. Configuration instructions are provided below.
Enable and configure performance monitoring
Performance monitoring is disabled by default. You can configure it per GRE tunnel connection by following these
steps:
You can enable monitoring for any GRE tunnel connection defined for your account on the Network Protection >
Connectivity Settings page, under Origin Connectivity.
To enable additional users to configure performance monitoring, the account admin can grant users the Edit Single
IP permission.
The Performance Monitoring setting is available when you add or edit a GRE tunnel connection.
To enable Imperva Performance Monitoring for a GRE tunnel connection, configure your GRE tunnel endpoint router
to accept ICMP echo requests and to route ICMP replies through the GRE tunnel.
By default, DDoS Protection for Networks is asymmetric, in which incoming traffic to the origin network passes
through the Imperva network, and outgoing traffic is sent from the origin directly to the ISP. For the connectivity
performance monitoring to work properly, the PM servers need to receive the ICMP echo reply through the GRE
tunnel. In most cases, this requires custom configuration on your remote endpoint/router.
• Accept ICMP requests from the PM servers in the Imperva data center to which it is connected. Make sure that
the ICMP echo requests are not blocked from reaching your GRE tunnel endpoint by an access control list (ACL).
Note: The PM server IP addresses are listed for each GRE tunnel connection on the Connectivity Settings page,
in the Origin Connectivity table. They are listed in the Details column as PM Server 1 and PM Server 2.
• Route the ICMP echo replies through the GRE interface that the echo request is coming from. You can do this
using static routes or by accepting BGP advertisements sent from Imperva.
For static routes: Configure your device to route traffic to the PM servers through the GRE interface.
For BGP: Imperva sends route advertisements of the PM servers, sending the ICMP echo messages through the
respective GRE tunnel (both /32 and /29 routes are sent).
By accepting these advertisements, an appropriate route to your router’s routing table would be added.
Note: If there are multiple GRE connections between your Autonomous System (AS) and the same Imperva data
center, the routes may be learned from multiple connections.
Make sure to accept only the routes from the interfaces that are directly connected and block inner AS route
propagation.
Multiple connections from the same router to the same Imperva data center may lead to incorrect metrics
displayed in the Performance Dashboard.
See also:
These settings apply to customer using the DDoS Protection for Networks service in on-demand mode. Using flows
that you provide, Imperva monitors your origin network to detect and notify you about DDoS attacks.
Note: Imperva supports NetFlow, sFlow, jFlow, and IPFIX feeds for monitoring. To learn more about Imperva
monitoring, see Flow Monitoring: DDoS Protection for Networks.
In this topic:
• Overview
• Open the Flow Monitoring Settings
• Define exporter details
• Configure attack notifications
• Flow Exporter API
Overview
To configure Imperva flow monitoring, define the details of your exporters. Flow exporters are network devices that
send flow data to Imperva monitoring collectors.
You can also define the list of recipients to receive notifications when a DDoS attack is detected or the status of an
exporter changes.
Section Description
Permissions
To edit the Flow Monitoring Settings, you need the Edit Single IP permission. It is granted to the account admin user
by default. The account admin user can then assign this permission to other account users as needed.
On the Add/Edit Flow Exporters page, enter or edit the following details:
Field Description
Flow status notifications Define when you want attack notification recipients
to be notified about a change in the flow’s status.
Field Description
Leave the default values or enter a value between 4
minutes and 7 days. The value entered must be an
integer.
These recipients will be notified in addition to email notification as defined in Notification Settings (Network Security
> Network Monitoring Notifications). For details, see Notification Settings.
Field Description
First/Last Name The name of the notification recipient.
Field Description
Enter a meaningful description to help you identify
Description
this recipient.
For instructions on using the Flow Exporter API, see Flow Exporter API Definition.
The definition file presents a full, formatted, and interactive version of the APIs that you can use to learn about the
APIs, or test them using your API ID and key. You can also download the definition file.
For instructions on adding a GRE tunnel connection, see Add a GRE tunnel connection.
In this topic:
Column Description
• GRE-Tunnel
• Cross Connect
• Virtual Cross Connect (ECX or Megaport)
Connection Type
Note: You can configure the GRE-Tunnel connection
type via the Cloud Security Console or API. Other
connection types must be configured by the Imperva
team.
PoP Name The Imperva data center used for this connection.
Details The IP addresses configured for this connection.
Status Connection status (up/down).
View/Edit connection
The following additional fields are displayed in the View/Edit Connection page when you click the name of an
existing connection:
Field Description
The public IP address of your network device
(router/firewall).
Tunnel Public IP
Applies to: GRE-Tunnel connection type only.
Routing Options
The routing policy configured for the connections between Imperva's network and your origin network.
Column Description
Column Description
The following additional fields are displayed in the View/Edit Routing Policy page when you click the name of an
existing connection:
Field Description
ASNs
The autonomous systems that Imperva uses for communication between Imperva’s network and the customer’s
origin network.
For each ASN, you can see the registry in which it is registered, registration status, and the last status update.
Registration status:
Registered
Pending registration
Not registered
Click the expand arrow to see more registration details for each registry. For more details, click the check box next to a
registry row and click Check Status.
For instructions on using the Network Settings API, see Connectivity Settings API Definition.
The definition file presents a full, formatted, and interactive version of the Network Settings APIs that you can use to
learn about the APIs, or test them using your API ID and key.
During maintenance, no impact to the service is expected, provided all BGP announcements are configured correctly.
To verify this, perform the following steps before maintenance begins:
1. Make sure that all of your tunnels and BGP sessions are up and running. Verify the status of each tunnel in the
Imperva Cloud Security Console (my.imperva.com) on the Network > Network Protection > Connectivity
Settings page.
To check that you are advertising your prefix/es to a specific connection, you can use the following commands:
For example:
3. Prior to the maintenance, we will change the priority for your prefixes and traffic will be rerouted to the
redundant peer (PoP). If you prefer to reroute the traffic yourself, perform one of the following:
For the list of supported BGP communities, see BGP Community Support Option.
4. If you require further assistance, open a ticket with Imperva Support: https://support.imperva.com.
Status notifications
To receive automated notifications about upcoming maintenance, subscribe via our status page: Imperva status page
.
In this topic:
• How it works
• Divert or revert a range
• Control range diversions with the API
How it works
In the Cloud Security Console, you can independently divert and revert your ranges as needed.
Note:
• This feature is available for accounts working in on-demand or contingency modes only. For more details, see
Introduction: DDoS Protection for Networks or contact your Imperva Sales Representative.
• Only ranges whose diversion is controlled by Imperva are available for manual divert/revert.
Once the service is enabled in your account, you can divert and revert your ranges as needed.
• If you manually diverted a range, it automatically reverts after 72 hours, provided there was no malicious
activity in the last 48 hours.
• If there have not been 48 "clean" hours at the end of the 72-hour period, the range remains diverted. After the
48-hour waiting period ends, the range is automatically reverted.
Note: You can manually revert the range before the end of the waiting period.
Contingency mode: If your account has a limited number of diversions, all ranges diverted within a 72-hour
period are counted as a single diversion. In this case, the ranges all revert automatically 72 hours after the first
range was diverted (or longer, if there has not been a 48-hour waiting period without malicious activity, as
described above).
Contingency mode: If your account has a limited number of diversions, the extension is counted as an
additional diversion.
If you revert a range during an attack, we mark the attack as a false positive.
In order to avoid diverting this range again during the current attack, we change your switchover setting for this range
from Automatic diversion mode to Require confirmation mode until our Security Operations Center (SOC)
evaluates your current policy.
In the event of a DDoS attack during the investigation, you are notified via the notification channels configured for
your account and can then choose to manually divert the range if needed.
After investigation is complete, SOC will change the setting back to Automatic diversion.
When you divert or revert a range, an event is logged and displayed in the Event Log table in the Security Dashboard.
In addition, email notifications are sent to users subscribed to Network Security > Network Protection
Notifications. For more details, see Notification Settings.
Subscription status
You can view the number of diversions remaining in your account plan on the Security Dashboard as described
below, and on the Subscription page under DDoS Diversions.
Divert or revert a range
To manage your ranges:
1. Navigate to the Network Protection Security Dashboard (Network > Network Protection > Dashboard >
Security > Protected Networks tab).
2. The On-Demand Diverted Ranges widget displays the number of currently diverted ranges, and time
remaining until the range is automatically reverted. (This value does not include any post-attack waiting
period.)
Note:
▪ If a range has been diverted for longer than 72 hours, Upcoming revert pending is displayed.
▪ For accounts working in on-demand mode with unlimited diversions: If you have multiple ranges
diverted, the revert time of the first range due to be reverted is displayed. You can view revert times for all
diverted ranges inside the configuration screen.
3. Click Configure to select a range to divert or revert. You can also see the number of remaining diversions
available in your account.
Monitored tab: Your onboarded ranges that you can choose to divert.
Diverted tab: View the ranges that are currently diverted and routed through Imperva, or revert a range back to
your network.
For instructions on using the API, see Network Range Diversion API Definition.
The definition file (Swagger) presents a full, formatted, and interactive version of the APIs that you can use to learn
about the APIs, or test them using your API ID and key. You can also download the definition file.
See also:
IP Protection can be used to protect any online asset such as websites, DNS servers, SMTP servers and any other IP
based application. This service leverages Imperva’s multi-Terabit network capacity and packet processing capabilities
to absorb and mitigate the largest and most sophisticated DDoS attacks .
Imperva IP Protection is an always-on solution and can be combined with all Imperva services for extending
protection and monitoring capabilities.
In this topic:
The Behemoth
At the core of Imperva’s IP Protection service is its proprietary DDoS scrubbing appliance named Behemoth. The
Behemoth performs all Layer 3 and Layer 4 DDoS scrubbing and then tunnels clean traffic to the origin server. Each of
Imperva’s data centers is equipped with one or more Behemoth appliances. In addition to scrubbing any DDoS attack,
Behemoth provides packet level visibility and packet flow control for our 24x7 NOC team.
Traffic Flow
In order to route traffic sent to the origin server through Imperva, organizations update their clients and DNS with a
new IP provided by Imperva. Once all clients are updated with the new IP, all traffic to the protected server will be
routed through Imperva where DDoS scrubbing takes place. After the traffic has been scrubbed, Imperva forwards
clean traffic to the origin network.
IP Protection is deployed with a symmetric channel, in which both ingress and egress traffic are routed through
Imperva.
IP Protection over TCP/IP
To provide IP level protection, Imperva “leases" a global anycast edge IP address out of its own range to you and acts
as your internet-facing IP.
IP Protection over TCP/IP provides easy, self-service onboarding with minimal configuration.
• During Imperva's weekly deployment and periodic maintenance operations, the TCP connections are
reestablished.
IP Protection over GRE/IP-in-IP provides seamless integration without terminating sessions (not a proxy).
Preventing Direct-to-Origin Attacks on Origins Serving Websites along with other non-
HTTP Services
IP Protection over GRE/IP-in-IP can be combined with Website DDoS Protection for preventing direct-to-origin
attacks targeting servers that serve HTTP/S websites along with non-HTTP traffic, such as SMTP or FTP. Organizations
that would like to make their IPs accessible only through Imperva can use Website Protection to protect the website
(HTTP) traffic, together with IP Protection to protect the non-HTTP traffic. The unique and secure IP that is provided
by IP Protection is configured for the non-HTTP service as the origin IP. Doing so ensures that no external entity can
access the origin without being inspected first by Imperva.
Read More
Read More
The IP Protection over TCP/IP service provides complete DDoS protection at the IP level.
Use our self-service onboarding process to start your free trial or contact Imperva Sales to get started with the IP
Protection over TCP/IP service.
In this topic:
• Overview
• Start the free trial
• Open the IP Protection Settings
• Onboard IP Protection over TCP/IP
• API
Overview
IP Protection over TCP/IP is deployed as an always-on service. Traffic flow is symmetric, where both ingress and egress
traffic flow through the Imperva network. To provide IP level protection, Imperva “leases" a global anycast edge IP
address out of its own range to you and acts as your internet-facing IP. IP Protection over TCP/IP supports onboarding
using your origin IP address or by allowing Imperva to dynamically resolve the domain name or CNAME.
Permissions
When IP Protection over TCP/IP has been enabled for your account, the account admin can onboard IPs to the service.
To enable additional users to onboard IPs, the account admin can grant users the Edit Single IP permission.
Start the free trial
The free 14-day trial of IP Protection over TCP/IP includes up to two Protected IPs.
1. On the Settings page, click Add Protected IP, and then select TCP Proxy (the default option).
Your new Imperva Edge anycast IP is generated and displayed on screen. This is the IP that you should now use for any
internet-facing access to your service.
If you onboarded using an IP address, you need to update your site's A record. The IP and instructions are also sent to
you by email.
To avoid direct access to your origin IP, we recommend whitelisting the Imperva IP Ranges in your firewall and
restricting access from any other source IP. The list of ranges is available here.
API
You can also onboard IP Protection over TCP/IP using the Imperva API. For details, see DDoS Protection for Networks
API.
Read More
In this topic:
• Overview
• Open the IP Protection Settings
• Onboard IP Protection over GRE or IP-in-IP
• Configure the tunnel
Overview
IP Protection over GRE or IP-in-IP is deployed as an always-on service and traffic flow is symmetric, where both ingress
and egress traffic flow through the Imperva network. To provide IP level protection, Imperva “leases” an IP address
out of its own range to the customer and acts as the customer's ISP (although the customer is still required to get
additional IP addresses from an ISP to which clean traffic is routed). In addition, a GRE or IP-in-IP tunnel has to be
established between the origin network and Imperva. The tunnel can be connected to different types of equipment on
the customer’s side, depending on the specific topology of the customer’s network. Such devices may include routers,
firewalls, load balancers and Linux servers (physical, virtual, and cloud instances).
In order to process packets received through the tunnel connected to Imperva (and not drop the packets), the
operating system must recognize the destination IP of the packets as an IP address that is associated with one of the
interfaces. For that to happen, this address must be configured on the element in the system on which the tunnel is
established. A loopback can be defined on a physical or logical interface.
Note: Defining a loopback is common practice for networking equipment. It is typically used when a networking asset
must handle IP addresses that are not configured on any of its interfaces.
Open the IP Protection Settings
Log into your my.imperva.com account.
1. On the Settings page, click Add Protected IP, and then select GRE Tunnel or IPinIP Tunnel.
Settings Description
Settings Description
the addresses defined in your account settings.
For details, see Account Settings.
3. Click Save.
Your new Imperva Edge anycast IP is generated and displayed on screen. This is the IP that you should now use for any
internet-facing access to your service.
To avoid direct access to your origin IP, we recommend whitelisting the Imperva IP Ranges in your firewall and
restricting access from any other source IP. The list of ranges is available here.
Configure the tunnel
At the end of the onboarding process, configuration details are displayed, and also emailed to you. Use the details
provided to configure the tunnel between Imperva and your origin.
See the following topics for assistance with configuring these commonly used routers:
Read More
In this topic:
• Prerequisite
• Step 1: Establish the GRE tunnel interfaces on the router
• Step 2: Deploy IP Protection
• Step 3: Configure policy-based routing
Prerequisite
Onboard your IP to Imperva in the Cloud Security Console according to the instructions here: Onboarding IP
Protection over GRE or IP-in-IP.
After you onboard your IP in the Imperva Cloud Security Console, Imperva provides you with three IP addresses,
labeled as follows:
• Imperva Public IP
• Imperva Private IP
• Origin Private IP
These IPs will be used together with your Origin Public IP to configure the GRE tunnel.
In addition, the Imperva Anycast IP is the new protected IP from Imperva that is allocated to your origin server and
used to send and receive filtered traffic.
Note: During configuration, make sure to replace the bold text shown in the examples with the actual IP values.
Step 1: Establish the GRE tunnel interfaces on the router
The first step is to configure your firewall device with the appropriate tunnel interfaces.
1. Make sure that no ACL is blocking GRE protocol (47) from the Imperva Public IP to the Origin Public IP.
2. Use the Cisco IOS command line interface (CLI) to access your router’s global configuration command mode.
3. At your router’s (config) prompt, define a new tunnel interface, as shown in this example. Make sure to
replace the values in bold,
Command syntax:
Note:
▪ Tunnel 1: You can specify any number, but Tunnel is a required component of the interface name. For
example, you can specify Tunnel 98.
▪ description: Enter any free text to make sure you can easily identify the interface.
▪ Origin Private IP, Origin Public IP, and Imperva Public IP: Replace these with the IP addresses.
▪ ip tcp adjust-mss 1436: Include this command to enable TCP maximum segment size adjustments. The
Imperva IP Protection service requires that the operating system of all of your network devices support
TCP MSS adjustments. Do not omit this command.
For more information, see MTU and MSS: What You Need to Know.
After configuring the router, the GRE tunnel should be up. You can verify it by pinging the Imperva Private IP.
Step 2: Deploy IP Protection
The next step is to configure the new, protected IP provided by Imperva on your server, or use network address
translation (NAT). Choose one of the methods below:
Configure the Imperva Anycast IP on your server itself and ensure that traffic is directed toward it.
Static routing sends traffic from the Imperva Anycast IP to a fixed address for your server.
1. Configure the Imperva Anycast IP on your server, using the IP address provided by Imperva.
2. Configure a static route on your router device. This will direct traffic toward the Imperva Anycast IP.
The route’s next hop needs to point to an IP configured on your server. This IP is the one that belongs to your
local area network.
Command syntax:
next-hop-IP is the address used to reach the server, which is usually among the IPs configured on your server NIC
interface.
Configure NAT
Use network address translation (NAT) to translate the Imperva Anycast IP to the current IP address of your server.
With this method, you don’t need to configure the Imperva Anycast IP on the server itself.
There are two ways to configure NAT translation: Full network address translation of the entire address, and port
address translation (PAT) of specific ports. Choose one of the methods below:
NAT configuration:
1. On your router, configure network address translation from the Imperva Anycast IP to your current server IP.
myRouter(config)# ip nat inside source static current server IP Imperva Anycast IP exten
2. Then, make sure to specify which interfaces on the router are “internal” and which are “external”.
Command syntax:
PAT configuration:
1. At your router’s (config-if)# prompt, configure port address translation that translates specific ports from the
Incapsula Protected IP to your current server IP.
myRouter(config)# ip nat inside source static tcp current server IP port_number _ Incapsula Protected IP
port_number extendable
2. Then, make sure to specify which interfaces on the router are internal and which are external.
Command syntax:
If you want to use symmetric routing, you must, as a final step, configure policy-based routing to ensure a symmetric
flow. With symmetric routing, traffic directed to your network through the GRE interface must return through the
same interface.
Enter the following commands on your Cisco router to establish policy-based routing. Make sure to replace bold text
with actual values.
1. Enter the following commands to create an access list that will match traffic from the Imperva Anycast IP to
any destination:
Note: If you configured NAT, use the current server IP address in the above configuration, instead of the
Imperva Anycast IP.
3. Enter the following commands to apply the policy route to the LAN interface, where the server is connected.
Note:
• ACL name: The name of an access list to use for matching traffic sourced by the server and forwarded via the
tunnel. It must be the same in all instances.
• route-map name: The name of the route-map. It can be any value, but must be the same in all instances.
After completing this configuration, you can ping the server to start seeing traffic routed through Imperva.
In this topic:
• Prerequisite
• Step 1: Establish the GRE tunnel interfaces on the router
• Step 2: Deploy IP Protection
• Step 3 (Optional): Configure policy-based routing
Prerequisite
Onboard your IP to Imperva in the Cloud Security Console according to the instructions here: Onboarding IP
Protection over GRE or IP-in-IP.
After you onboard your IP in the Imperva Cloud Security Console, Imperva provides you with three IP addresses,
labeled as follows:
• Imperva Public IP
• Imperva Private IP
• Origin Private IP
These IPs will be used together with your Origin Public IP to configure the GRE tunnel.
In addition, the Imperva Anycast IP is the new protected IP from Imperva that is allocated to your origin server and
used to send and receive filtered traffic.
Note: During configuration, make sure to replace the bold text shown in the examples with the actual IP values.
Step 1: Establish the GRE tunnel interfaces on the router
The first step is to configure your firewall device with the appropriate tunnel interfaces.
1. Make sure that no ACL is blocking GRE protocol (47) from the Imperva Public IP to the Origin Public IP.
2. Use the Juniper Junos command line interface (CLI) to access your router’s global configuration command
mode.
Note: To configure a GRE tunnel on a Juniper network router, the router must be equipped with layer 2 service
capabilities. These capabilities are native in MX, SRX, and J-series routers, and are available through a physical
interface card (PIC) in M-series routers. When the required services are available on the router, you can create a
pseudo-interface called gr-.
In this command, fpc x pic x points to the interface module (line card) whose resources we want to share
for the purpose of tunneling.
4. At your router’s (configuration) prompt, define a new tunnel interface. Make sure to replace the values in
bold, as instructed below the example:
Command syntax:
Note:
▪ In each instance of gr-0/0/0 unit0, you can specify the unit number of the logical interface if other than 0.
▪ description: Enter any free text to make sure you can easily identify the interface.
You can configure NAT on a Juniper device, although that is a more complicated method. For more information,
consult the Juniper documentation. Alternatively, you can configure NAT on some other device along the route.
1. Configure the Imperva Anycast IP on your server, using the IP address provided by Imperva.
2. Configure a static route on your router device. This will direct traffic toward the Imperva Anycast IP. The route’s
next hop needs to point to an IP configured on your server. This IP is the one that belongs to your local area
network.
Command syntax:
next-hop-IP is the address used to reach the server, which is usually among the IPs configured on your server
NIC interface.
Enter the following commands on your router to establish policy-based routing. Make sure to replace the bold text
with actual values.
root@mx# set firewall family inet filter TO_GRE term 1 from source-address Imperva Anyca
root@mx# set firewall family inet filter TO_GRE term 1 then next-ip Imperva Private IP
root@mx# set firewall family inet filter TO_GRE term 2 then accept
▪ The purpose of term 1 is to match traffic from the new IP and direct it to the GRE tunnel.
▪ The purpose of term 2 is to match all other traffic and route it normally by using the global routing table.
root@mx# set interfaces ge-fpc/pic/port unit 0 family inet filter input TO_GRE
ge-fpc/pic/port is the Junos syntax for configuring a ge (gigabit Ethernet) device with a Flexible PIC Controller
(fpc) address, a Juniper Physical Interface Card (pic) address, and a port number (port). For example, ge-0/0/0.
After completing this configuration, you can ping the server to start seeing traffic routed through Imperva.
In this topic:
• Prerequisite
• Step 1: Establish the GRE tunnel
• Step 2: Deploy IP Protection
• Step 3: Configure policy-based routing
• Step 4: Final set up
Prerequisite
Onboard your IP to Imperva in the Cloud Security Console according to the instructions here: Onboarding IP
Protection over GRE or IP-in-IP.
After you onboard your IP in the Imperva Cloud Security Console, Imperva provides you with three IP addresses,
labeled as follows:
• Imperva Public IP
• Imperva Private IP
• Origin Private IP
These IPs will be used together with your Origin Public IP to configure the GRE tunnel.
In addition, the Imperva Anycast IP is the new protected IP from Imperva that is allocated to your origin server and
used to send and receive filtered traffic.
Note: During configuration, make sure to replace the bold text shown in the examples with the actual IP values.
Step 1: Establish the GRE tunnel
The first step is to configure and activate a GRE tunnel on your AWS Ubuntu instance:
1. Use the Amazon EC2 console to determine the EC2 Public IP Address or the EC2 Elastic IP Address assigned to
your Ubuntu server instance.
2. In the AWS security policy, open port 1723 to the Imperva Public IP, and add it to a new Source entry in the
AWS Management Console, setting the TCP port to 1723.
5. Add the following parameters to configure a GRE tunnel. Make sure to replace the bold text with actual values.
auto tun1
iface tun1 inet static
address Origin Private IP
netmask 255.255.255.252
pre-up iptunnel add tun1 mode gre local AWS Internal IP remote Imperva Public IP ttl 255
up ifconfig tun1 multicast
pointopoint Imperva Private IP
post-down iptunnel del tun1
6. After finishing the configuration, press esc :w! to save the file.
8. Verify that the tunnel is operational by pinging the Imperva Private IP.
Step 2: Deploy IP Protection
1. Configure the new Imperva Anycast IP on the loopback interface of your Ubuntu instance. This step is
mandatory.
2. Confirm that you’ve successfully started the service and correctly configured all interfaces by issuing the
following command:
ip addr
Check the output against the following example, paying particular attention to the items highlighted in yellow.
In the example, 107.154.50.1/32 represents the Imperva Anycast IP.
In this step, you configure the Ubuntu instance so that only traffic arriving on the tun1 interface is routed back to
Imperva. All other traffic is routed via your instance’s local link — the default route.
Run the following commands on the Ubuntu machine. Make sure to replace the bold text with actual values.
Add the following commands to the /etc/rc.local script on your Ubuntu instance so that it runs each time you
start the instance. These commands will bring up the tunnel, configure the new Imperva Anycast IP, and configure
policy-based routing.
After completing this configuration, you can ping the server to start seeing traffic routed through Imperva.
In this topic:
Field Description
• Fully configured: The domain is fully
configured and resolves to the new IP.
• Pending: You have not yet updated your A
record.
Possible values:
• UP
• DOWN
• MONITORING DISABLED (Protected IP over
TCP/IP only)
Note:
1. In the IP Protection section, click the Description name for the protected IP you want to configure.
2. Under Advanced Settings, select Enable Proxy Protocol.
API
You can also onboard and edit IP Protection settings for Protected IP over TCP/IP using the Imperva API. For details,
see DDoS Protection for Networks API.
Read More
• Security Dashboard: DDoS Protection for Networks and IPs: Explore metrics, examine emerging attacks in real-
time, or analyze past attacks.
• Analytics: DDoS Protection for Networks and IPs: View analytics data for traffic flowing to your IP or blocked by
Imperva.
Protected IP API
Onboard your IP addresses to the Imperva DDoS Protection for Individual IPs service and manage their configuration
using the API.
Authentication
In order to use the API, the client must be authenticated by Imperva. To authenticate, send your API ID and API key
using the x-API-Key and x-API-Id headers.
You can create and manage API keys with granular permissions and sub account access. For details, see API Key
Management.
Protected IP API Definition
For instructions on using the Protected IP API, see Protected IP API.
The definition file presents a full, formatted, and interactive version of the Protected IP APIs that you can use to learn
about the APIs, or test them using your API ID and key. You can also download the definition file.
See also:
Protected IP API Definition
The displayed data reflects all ingress traffic — from clients to your origin network.
In this topic:
Zoom in
Select a view
Select options for viewing bandwidth and packet rate data. Your selections are reflected in the data displayed in the
bandwidth graph (bits per second) and packet rate graph (packets per second), and in the tables below the graph.
Main view
View data for your protected IPs, protected IP ranges, or monitored ranges.
IP Protection Dashboard:
• In the parent account, the Dashboard presents the data of the parent account and all of its sub accounts.
• In a sub account, the Dashboard presents the data of the specific sub account only.
View by
Traffic
In the bandwidth (bits per second) graph, you can compare your data to the blue 95% percentile indicator. The
indicator is displayed when you select the following view settings:
For more details on calculation of the 95th percentile, see Account Bandwidth Calculation.
Note: The Real-Time view on the Network Protection and IP Protection Dashboards is not yet supported in sub
accounts. You can see real-time data when you drill down into a specific range or IP. For more details on the Analytics
Dashboard, see Analytics: DDoS Protection for Networks and IPs.
You can zoom in to a maximum data resolution of 15 seconds to analyze short attacks.
Click and drag an area of the graph to zoom in. Grab another area to zoom in further.
When zoomed out in the historical graphs, each data point represents the peak values for the time range it covers,
such as for the 15 minutes shown in this example.
Infrastructure Protection:
IP Protection:
Details
In this example, 16 of a total of 20 connections are up, and monitoring is not disabled for any of the connections.
Here, there are two connections. Monitoring for both connections is disabled.
Show values/distribution
Click an IP range to drill down and display data on the dashboard for that range only.
Note: When viewing historical data and filtering for either passed or blocked traffic, you can select up to a total of 5
IP ranges to view and compare. In the Ranges table, select the ranges you want and then click Apply Selection. The
data is updated in the graphs.
Status: Displays attack status information for the last 90 days regardless of the time period selected at the top of the
dashboard.
More: Click to zoom in on analytics for the range. For a range with a previous attack or currently under attack, a
focused view of analytics data for the attack is displayed. For more details, see Analytics: DDoS Protection for
Networks and IPs.
Account: If the range is defined in one of the account's sub account, a link to the sub account is provided.
Divert/revert an IP range on demand
If your account is working in on-demand or contingency mode, you can divert and revert your ranges as needed.
Note:
• This feature is available for accounts working in on-demand or contingency modes only.
• Only ranges whose diversion is controlled by Imperva are displayed. If you are controlling your ranges, by
starting/stopping BGP advertisement or adding/removing the "no-export" community, those ranges are not
displayed.
The On-Demand Diverted Ranges widget displays the number of currently diverted ranges, and time remaining until
the range is automatically reverted.
• If a range has been diverted for longer than 72 hours, Upcoming revert pending is displayed.
• For accounts working in on-demand mode with unlimited diversions: If you have multiple ranges diverted, the
revert time of the first range due to be reverted is displayed. You can view revert times for all diverted ranges
inside the configuration screen.
Click Configure to divert or revert a range. If you are working in contingency mode, you can also see the number of
remaining diversions available in your account.
• Monitored tab: Your onboarded ranges that you can choose to divert.
• Diverted tab: View the ranges that are currently diverted and routed through Imperva, or revert a range back to
your network.
When you divert or revert a range, an event is logged and displayed in the Event Log table in the dashboard.
For more details on on-demand range diversions, see Control Network Range Diversions.
View the Event Log
View the log of security events detected by Imperva.
Tip: Filter to see blocked traffic only. Attacks can be multi-vector; filter out the traffic type with the highest value to
discover other activity.
Example:
4. Check the graph or IP ranges table to identify the range most impacted by the attack.
5. Click the specific range in the IP Ranges table to drill down for a closer look.
Read More
• Monitor your security posture on the go. For details, see Imperva Security Mobile App.
View metrics on latency, jitter, and packet loss to assess the stability of your connections, when you're experiencing
network issues, or any time you want to check on the connection status in order to speed up your investigation.
Visible spikes, or high values seen over time may indicate an area that requires further examination.
In this topic:
The data in the graphs reflects the time range selected at the top of the dashboard. You can select a predefined time
range or define a custom range of dates.
Each data point represents the maximum value seen during the time range specified for the data point. Hover over the
graph to view more details for each data point.
Note:
• For time periods where Performance Monitoring was not enabled, or the Performance Monitoring (PM) servers
did not send ICMP echo requests due to a server failure, no data points are displayed in the graphs.
• If the PM servers sent ICMP echo requests but did not receive replies for the entire data point period, data points
in the Packet Loss graph display the value 100% and the Latency and Jitter graphs do not display any data
points.
Filter:
• Click connection names in the legend below the graphs to filter the data displayed in the graphs.
• In the Origin Connectivity table, select or clear connections. The data displayed in the graphs is updated.
Zoom: Click and drag an area of a graph to zoom in, to a maximum resolution of one minute. Zooming in on any graph
updates the data displayed in the graphs and in the Origin Connectivity table. To reset the view, select an option from
the time range filter.
Metric Description
All Displays all graphs.
To display data for one or more specific connections, select the connections and click Apply Selection. You can select
up to 3 connections. The dashboard graphs above are then refreshed to show data for the selected connections only.
Note:
• Connections that appear greyed out do not have performance monitoring enabled and cannot be selected.
• Empty data points, where ICMP echo messages were not sent, are excluded from the calculation of the Latency,
Jitter, and Packet Loss average values.
Column Description
The connection name, as defined on the
Name
Connectivity Settings page.
Imperva Data Center The Imperva data center defined for the connection.
The average latency value for the selected time
Latency (Average)
range.
Jitter (Average) The average jitter value for the selected time range.
The average percentage of packet loss for the
Packet Loss (Average)
selected time range.
Monitoring State
Indicates if performance monitoring is enabled.
Column Description
If monitoring is disabled, statistics are not collected
for the connection.
For instructions on using the API, see DDoS Protection for Networks: Performance Monitoring API Definition.
The definition file presents a full, formatted, and interactive version of the Network Settings APIs that you can use to
learn about the APIs, or test them using your API ID and key.
See also:
View a breakdown of traffic by source or destination IP, by source or destination port, or by packet size for a specific
IP range.
In this topic:
Infrastructure Protection Analytics show the highest peak values and highest average values for the selected IP or
range during the selected time period.
For a closer look, zoom in on an area on the Bits Per Second or Packets Per Second graphs at the top of the page. You
can zoom in to a maximum resolution of 15 seconds.
By default, analytics are displayed for the region that is currently configured for your account. The drop-down
displays all regions that were configured for your account at some time during the previous 90 days.
Layout
Widget view
Peak/Average
Graph view
Example
Among the top peaks in traffic that occurred during the last 24 hours, we see that there was 244.86M blocked from IP
172.23.131.3, which represents 29% of the blocked traffic at that specific point in time.
In this example, one of the highest peaks was one in which 100% of the traffic was directed at and blocked from IP
172.23.131.3.
The data is downloaded into a single file, according to the value type selected in the tables - peak or average.
Read More
Note: For general information on sub accounts and role-based access, see Manage Account Resources.
In this topic:
Note:
• These options are displayed only in accounts subscribed to at least one of the Network Security DDoS
Protection services.
• You cannot disable these options when there are DDoS Protection assets defined in the sub accounts.
Option Description
Enable protection and monitoring settings for sub • create assets in sub accounts (note that some
accounts DDoS Protection for Networks assets are
created by the Imperva team at your request
during onboarding, such as Protected
Networks.)
Option Description
• move existing assets between the parent
account and its sub accounts, and between
the sub accounts
Permissions
To view and manage DDoS Protection assets in your account's sub accounts, you need the following permissions:
• Edit single IP
Notifications
Notifications of events related to a sub account's assets are sent according to the specific sub account's notification
settings.
• Notifications
• Notification Settings
SIEM log events
SIEM events for a sub account are sent to the S3 bucket defined for the sub account.
For more details on the SIEM log integration, see SIEM Log Integration: DDoS Protection for Networks and IPs.
Connectivity settings
You configure connections on the Connectivity Settings page. For details, see Connectivity Settings: DDoS Protection
for Networks.
There are 2 modes of configuring connections between Imperva and your origin network. You must choose only one
of these for your account:
Mode Description
Protection settings
Protected Networks (ranges) can be configured in a parent account or in its sub accounts. They are configured by
Imperva during your onboarding process.
A range can be defined by the onboarding team for a specific sub account. Once configured, you can view the details
on the Protection Settings page in the sub account (Network > Network Protection > Protection Settings).
Flow monitoring settings
You can view and configure exporters for flow-based monitoring on the Flow Monitoring Settings page in your
account and sub accounts (Network > Network Protection > Flow Monitoring Settings).
In a sub account, the dashboards present the data of the specific sub account only.
Note:
• Limitation: The Real-Time view on the Network Protection and IP Protection Dashboards is not yet supported in
sub accounts. You can see real-time data when you drill down into a specific range or IP. For more details on the
Analytics Dashboard, see Analytics: DDoS Protection for Networks and IPs.
• Events for a given asset are displayed in the Event Log table of the dashboard in the relevant sub account only.
• If an asset was moved from the parent account or another sub account, events that occurred before the move
remain in the previous account.
Move assets between accounts
You can move your DDoS Protection assets between the parent account and its sub accounts, or between the
account's sub accounts.
• Protected IPs
• Protected networks
• Connections between Imperva's network and your origin network, along with their associated resources
(routing options, ASNs).
• Flow exporters
This functionality is available via the API. For instructions, see Asset Migration API Definition. The definition file
presents a full, formatted, and interactive version of the APIs that you can use to learn about the APIs, or test them
using your API ID and key. You can also download the definition file.
Limitation: You cannot move a protected network or IP that is sharing a security or detection policy with another
protected network or IP. These are internal policies configured by Imperva. If you receive an error message about this
issue when running the API, contact Imperva Support for assistance.
See also:
DNS Protection
Imperva's DNS solutions protect you from attack, while providing DNS acceleration and load reduction benefits.
An end-to-end service as DNS hosting provider, offering you complete management of your DNS configuration within
Imperva.
Imperva serves as the DNS records host and authoritative DNS, providing definitive responses to DNS queries, as well
as protecting you from Volumetric and DNS DDoS attack. With this solution, your DNS service is hosted within
Imperva.
Protected DNS
Imperva protects your DNS servers from attack and improves performance through DNS caching.
Imperva serves as a DNS proxy, where DNS queries are first processed by Imperva to filter out DDoS attacks before
being forwarded to your origin name server. With this solution, your DNS service is hosted outside of Imperva.
Benefits
• Increased performance, reducing DNS queries response time via Imperva’s global anycast network
See also:
In this topic:
Open the DNS Zones page
Log into your my.imperva.com account.
Column Description
Pending NS validation You are required to update
the name servers in your domain registrar. Once the
change is completed, DNS queries are routed to
Imperva DNS servers. It may take up to 48 hours for
the change to propagate world-wide.
Fully configured
Configuration status
After adding your DNS zone to Imperva, the configuration status of the zone is displayed in the table.
For more details and instructions on how to complete the required configuration changes, click the DNS Zone name to
view the settings for the DNS zone.
Under DNS zone details, the status and instructions are displayed. Imperva regularly checks the configuration status.
You can click Verify now to trigger an immediate check.
Export the DNS Zones table
Click the Download CSV button at the top of the page to download the table in CSV format.
DNS Protection API
You can also configure and manage DNS zones using the API.
For instructions on using the Protected DNS Zones API, see DNS Protection API Definition.
The definition file presents a full, formatted, and interactive version of the Protected DNS Zones APIs that you can use
to learn about the APIs, or test them using your API ID and key.
Note: Onboarding a domain that is DNSSEC enabled is not currently supported by the Imperva Managed DNS service.
Managed DNS is an end-to-end service as DNS hosting provider, offering you complete management of your DNS
configuration within Imperva.
Imperva serves as the DNS records host and authoritative DNS, providing definitive responses to DNS queries, as well
as protecting you from Volumetric and DNS DDoS attack. With this solution, your DNS service is hosted within
Imperva.
In this topic:
▪ Import your zone file: Upload a zone file in BIND format. Intended for websites with a large number of
records.
DNSSEC
Domain Name System Security Extensions (DNSSEC) adds a layer of security by authenticating DNS responses to
prevent requests from being “hijacked” and diverted to other addresses. This boosts protection against man-in-the-
middle attacks, such as DNS cache poisoning and forged DNS responses.
Once your managed DNS zone is fully configured in Imperva, you can go ahead and configure DNSSEC.
When you enable DNSSEC, Imperva digitally signs your zone, publishes your public signing keys, and generates your
DS record. In addition, Imperva regularly rotates your zone signing key (ZSK) to ensure your zone security.
Note:
• The DNSSEC configuration options are not displayed until the zone is fully configured.
• If DNSSEC is already enabled for this DNS zone in your registrar, you need to first disable it at the registrar before
enabling it in Imperva.
1. On the Add/Edit Managed Primary DNS Zone page, under DNSSEC, click the toggle to enable DNSSEC.
2. Add the DS record details provided by Imperva (under DS Record Information) at your registrar to complete the
configuration. Your website may be inaccessible if the DS record is incorrectly configured at your registrar.
Additional options:
• Verify now: Imperva regularly checks the DNSSEC configuration status with the registrar. You can click Verify
now to trigger an immediate check.
• Cancel DNSSEC: If you want to disable DNSSEC in Imperva, first remove the DS Record from the registrar.
Disabling DNSSEC before removing the DS record from the registrar will result in an unspecified period of
outage and unavailability. Therefore, Imperva will not disable DNSSEC until we verify that the DS record was
removed from the registrar.
DNS Records
Add DNS records for your DNS zones.
To add a new DNS record, click Add new record and fill in the requested details.
To edit, duplicate, or delete a DNS record, click more options in the DNS Records table.
Field Description
Select a TTL value from the list for the specified DNS
record type.
Security Settings
Rate Limiting
Rate limiting is activated when the incoming DNS query rate passes a certain threshold, indicating that you are likely
under attack.
Option Description
Block DNS Zone Caution: This option blocks all DNS traffic for the
zone and may cause your web service to become
unavailable.
Set TTL values for how long the DNS resolver can store responses.
Option Description
• Validate ownership of your domain by adding a TXT record to your DNS settings with the value provided.
• Update the name servers in your domain registrar using the values provided.
You can choose to make the changes and then click Check configuration, or decide to make the changes later.
On the DNS Zones page, click the DNS zone name to view your zone settings. Under General Information, click Check
Status. The status and instructions are displayed.
See also:
Protected DNS protects your DNS servers from attack and improves performance through DNS caching.
Imperva serves as a DNS proxy, where DNS queries are first processed by Imperva to filter out DDoS attacks before
being forwarded to your origin name server. With this solution, your DNS service is hosted outside of Imperva.
In this topic:
To add a new zone: Click Add DNS Zone and select Protected DNS zone (proxy). Fill in the required details.
Field Description
Status is also automatically verified by Imperva at
regular intervals.
Advanced settings
Expand the Advanced Settings section to change default options or configure the additional settings described
below.
DNS Settings > DNS Mode
Select a DNS mode to determine how DNS queries for this zone are handled by Imperva.
Option Description
Default Legitimate queries for this DNS zone are answered.
Block Queries for this DNS zone are not answered.
Queries for this DNS zone bypass Imperva and are
Bypass
served directly by your origin.
The rate limiting settings determine how Imperva handles DNS queries for the DNS zone when the incoming DNS
query rate passes a certain threshold, indicating that you are likely under attack.
• The rate limits on outgoing queries are only used after the Maximum incoming query rate is passed.
• Queries are forwarded to your origin DNS server only when they are not located in the Imperva cache.
Option Description
Option Description
For rates below the lower threshold, all queries that
do not have cached responses are forwarded to your
origin DNS server.
Example:
Requests for addresses with these prefixes are answered until the request rate passes the upper rate limiting
threshold defined above.
To add another prefix, click Add new record and enter a name.
When you onboard a domain to DNS Protection, Imperva automatically detects your DNS servers. You can opt instead
to provide the details of your DNS servers in this section, and then the automatic detection is not carried out.
To add an NS record, click Add new record and enter a record name.
Complete DNS zone configuration
When you onboard a new DNS zone and save your settings, you are presented with instructions for completing two
additional steps:
• Validate ownership of your domain by adding a TXT record to your DNS settings with the value provided.
• Update the name servers in your domain registrar using the values provided.
You can choose to make the changes and then click Check configuration, or decide to make the changes later.
On the DNS Zones page, click the DNS zone name to view your zone settings. Under General Information, click Check
Status. The status and instructions are displayed.
Purge the cache
If you have made changes to your system and prefer not to wait for the caching period to expire, you can purge the
entire DNS cache, or purge only a subset of the zone's cached records.
Note: The purge settings are available only when editing an existing DNS zone.
Option Description
Purge cache Purge the entire cache.
DNSSEC compliance
If your origin name server is configured for DNSSEC, you need to update SOA and NS records and resign the zone to
gain the benefit of Imperva DNSSEC support.
1. Prerequisite: Make sure you have the list of NS records that were provided above. To view the NS settings in the
Cloud Security Console:
1. From the sidebar, select DNS > DNS Zones.
2. Click the relevant domain in the Name column.
2. Update the SOA record in your zone file. Enter the first name server listed in the NS Settings as the primary
master name server for this zone.
3. Update the NS records in your zone file with the list of name servers provided by Imperva.
4. Re-sign the zone with DNSSEC to add the required DNSSEC-related resources.
See also:
• To view or edit your settings after adding DNS zones, see Onboard DNS Protection.
• To manage your Protected DNS Zones via the API, see DNS Protection API Definition.
DNS Protection Dashboard
Explore metrics and advanced analytics for queries flowing through Imperva for your DNS zones.
Under attack? In the event of a current attack on any of your DNS zones, a banner is displayed at the top of the
screen. Click the link to refresh the dashboard with data on the zone under attack.
In this topic:
Widget Description
Total queries (average): The average value of all
passed and blocked queries per second in the
selected time range.
To view the attack: On the DNS Protection Dashboard, in the Attacked DNS zones table, click Analyze Attack.
In addition to the metrics listed above, you can also view the Top Source IPs - details on the IP addresses that
generated the largest number of queries per second during the attack.
Note:
• To better align with REST API standards and best practices, Imperva is gradually rolling out a new version of
APIs, available for your use in managing your Cloud Application Security sites. For details, see API Version 2/3
Overview.
• An API definition file (Swagger) is available for these Cloud Application Security v1 APIs. To view or download
the file, see Cloud Application Security v1/v3 API Definition.
• For more details about Imperva APIs, see Imperva API Documentation.
In this topic:
• Overview
• General request structure
• Pagination
• Time range specification
• General response structure
Overview
The API has the following characteristics:
• Parameters are specified in the request body in HTML form style. For example:
param1=value1&param2=value2
• All requests are in SSL.
• Response content is provided as a JSON document.
• UTF-8 encoding is always used.
General request structure
Authentication
In order to use the API, the client must be authenticated by Imperva. To authenticate, send your API ID and API key
using the x-API-Id and x-API-Key headers. For example:
x-API-Id: 12345
x-API-Key: 123**************789
You can create and manage API keys with granular permissions and sub account access. For details, see API Key
Management.
Most API operations operate on a specific account or site. Use the following parameters to specify the account or site
to operate on:
Name Description
account_id Numeric identifier of the account to operate on.
site_id Numeric identifier of the site to operate on.
Pagination
Some API operations may return a list of objects. Use the following parameters to enable paging:
Maximum: 100
Default: 0
Name Description
Retrieve data from midnight today until the current
today
time.
Retrieve data from midnight of 7 days ago until
last_7_days
midnight today.
Retrieve data from midnight of 30 days ago until
last_30_days
midnight today.
Retrieve data from midnight of 90 days ago until
last_90_days
midnight today.
Retrieve data from midnight of the first day of the
month_to_date
month until midnight today.
Name Description
For example:
custom
• A time range of 14:00 - 20:00 yesterday gives
results for all of yesterday (midnight to
midnight) - a full day.
• A time range of 14:00 last Tuesday to 14:00 last
Wednesday gives results for all of Tuesday and
Wednesday - two full days.
• A time range of 14:00 yesterday to 14:00 today
gives results for all of yesterday starting from
midnight until the current time today.
Note:
Name Description
The numeric result code for the operation. A result
res
code of 0 indicates success.
The textual representation of the result code (for
res_message
example: "OK" - for success).
General information which is not strictly required for
debug_info
using the API, but is helpful to have.
For example:
{
"res": 0,
"res_message": "OK",
"debug_info": {}
}
In this topic:
Use this operation to add a new account that should be managed by the account of the API client (the parent
account). The new account will be configured according to the preferences set for the parent account by Imperva.
Depending on these preferences, an activation e-mail will be sent to the specified e-mail address. The user responds
to the activation e-mail, selects a password, and can then log directly into the Imperva console. The same e-mail
address can also be used to send system notifications to the account. The new account is identified by a numeric
value as provided by Imperva in the response in the field account_id.
/api/prov/v1/accounts/add
Parameters:
Response structure:
{
"account":{
"email":"demo_account@incapsula.com",
"plan_id":ent100,
"account_id":4722,
"user_name":"John Doe",
"account_name":"Demo Account",
"logins": {
"login_id":1243,
"email":"demo_account@incapsula.com",
"email_verified":true
}
},
"res":0,
"res_message":"OK"
}
Use this operation to get the list of accounts that are managed by account of the API client (the parent account).
/api/prov/v1/accounts/list
Parameters:
Maximum: 100
Response structure:
{
"accounts":[
{
"email":"demo_account@incapsula.com",
"plan_id":ent100,
"account_id":4722,
"user_name":"John Doe",
"account_name":"Demo Account",
"logins": {
"login_id":1243,
"email":"demo_account@incapsula.com",
"email_verified":true
}
},
...],
"res":0,
"res_message":"OK"
Add
} a new sub account
Use this operation to add a new sub account to be managed by the account of the API client (the parent account).
/api/prov/v1/subaccounts/add
Parameters:
Response structure:
{
"sub_account":{
"sub_account_id":123456,
"sub_account_name":"My Sub Account",
"is_for_special_ssl_configuration":false,
"support_level":"Standard"
},
"res":0,
"res_message":"OK",
"debug_info":{
"id-info":"999999"
}
}
/api/prov/v1/accounts/listSubAccounts
Parameters:
Maximum: 100
Response structure:
{
"resultList":[
{
"sub_account_id":123456,
"sub_account_name":"My Sub Account",
"is_for_special_ssl_configuration":false,
"support_level":"Standard"
},
{
"sub_account_id":123457,
"sub_account_name":"My Other Sub Account",
"is_for_special_ssl_configuration":true,
"support_level":"Standard"
},
...],
"res":0,
"res_message":"OK",
"debug_info":{
"id-info":"999999"
}
Get account
} status
Use this operation to get information about the account of the API client or one of its managed accounts.
/api/prov/v1/account
Parameters:
Response structure:
{
"account":{
"email":"demo_account@incapsula.com",
"plan_id":ent100,
"plan_name":"Enterprise",
"trial_end_date":"May 28, 2014",
"account_id":4722,
"ref_id":"123456",
"user_name":"John Doe",
"account_name":"Demo Account",
"logins": {
"login_id":1243,
"email":"demo_account@incapsula.com",
"email_verified":true
}
"support_level": "Managed",
"support_all_tls_versions": "false"
},
"res":0,
"res_message":"OK"
Modify
} account configuration
Use this operation to change the configuration of the account of the API client or one of its managed accounts.
/api/prov/v1/accounts/configure
Parameters:
For error_page_template - a
value Base64 encoded template for an
error page.
For
naked_domain_san_for_new_www_sites
- Use this option to determine if
the naked domain SAN will be
added to the SSL certificate for
new www sites. Default value: true
For wildcard_san_for_new_sites -
Use this option to determine if the
wildcard SAN or the full domain
SAN is added to the Imperva SSL
certificate for new sites. Possible
values: true, false, default
(determined by plan) Default
value: default
Response structure:
{
"res": 0,
"res_message": "OK",
"debug_info": {
"email": "admin@example.com"
}
}
/api/prov/v1/accounts/setlog
Parameters:
Response structure:
{
"res": 0,
"res_message": "OK",
"debug_info": {
"log_level": "full"
}
}
/api/prov/v1/accounts/testS3Connection
Parameters:
Response structure:
{
"res": 0,
"res_message": "OK",
"debug_info": {
"message": "Test connection succeeded"
}
Test connection
} with SFTP server
Use this operation to check that a connection can be created with your SFTP storage.
/api/prov/v1/accounts/testSftpConnection
Parameters:
Response structure:
{
"res": 0,
"res_message": "OK",
"debug_info": {
"message": "Test connection succeeded"
}
Set S3 configuration
} for log storage
Use this operation to configure your Amazon cloud storage. Once configured, Imperva logs will be uploaded to the
selected location.
/api/prov/v1/accounts/setAmazonSiemStorage
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
account_id Numeric identifier of the account to operate on.
bucket_name S3 bucket name.
access_key S3 access key.
secret_key S3 secret key.
Response structure:
{
"res": 0,
"res_message": "OK",
"debug_info": {
"message": "Configuration was successfully updated"
}
Set SFTP
} server configuration for log storage
Use this operation to configure your SFTP server storage. Once configured, Incapsula logs will be uploaded to the
selected location.
/api/prov/v1/accounts/setSftpSiemStorage
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
account_id Numeric identifier of the account to operate on.
host The IP address of your SFTP server.
A user name that will be used to log in to the
user_name
SFTP server.
A corresponding password for the user account used
password
to log in to the SFTP server.
destination_folder The path to the directory on the SFTP server.
Response structure:
{
"res": 0,
"res_message": "OK",
"debug_info": {
"message": "Configuration was successfully updated"
}
Set Imperva
} servers for log storage
Use this operation to have your logs saved on Incapsula servers. Once configured, the logs can be retrieved by API
calls.
/api/prov/v1/accounts/setDefaultSiemStorage
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
account_id Numeric identifier of the account to operate on.
Response structure:
{
"res": 0,
"res_message": "OK",
"debug_info": {
"message": "Configuration was successfully updated"
}
}
Use this operation to generate a token for an account. The token is valid for 15 minutes.
/api/prov/v1/accounts/gettoken
In order to use the token, the user must use the following link:
https://my.imperva.com/?token={generated_token}
Parameters:
Response structure:
{
"res": 0,
"res_message": "OK",
"generated_token": "344ebcaf34dff34"
Delete
} managed account
Available for Reseller accounts only
/api/prov/v1/accounts/delete
Parameters:
Response structure:
{
"res": 0,
"res_message": "OK"
Delete
} sub account
Use this operation to delete a sub account.
/api/prov/v1/subaccounts/delete
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
sub_account_id Numeric identifier of the sub account to operate on.
Response structure:
{
"res": 0,
"res_message": "OK"
Get account
} subscription details
Use this operation to get subscription details for an account.
/api/prov/v1/accounts/subscription
Parameters:
Response structure:
{
"planStatus": {
"accountId": 12345,
"accountName": "demo_account@incapsula.com",
"websiteProtection": {
"name": "Website Protection",
"planSectionRows": [
{
"name": "Additional Sites",
"purchased": "100",
"used": "2"
},
{
"name": "Load Balancing (old)",
"purchased": "0",
"used": "0"
},
{
"name": "Additional Login Protect Users",
"purchased": "5",
"used": "0"
}
]
},
"infrastructureProtection": {
"name": "Infrastructure Protection",
"planSectionRows": [
{
"name": "On Demand Bandwidth (Clean traffic)",
"purchased": "0",
"used": ""
},
{
"name": "GRE Tunnel Pairs",
"purchased": "0 ",
"used": "0"
}
]
},
"dnsProtection": {
"name": "DNS Protection",
"planSectionRows": [
{
"name": "Additional DNS Zones",
"purchased": "0",
"used": "0"
}
]
},
"additionalServices": {
"name": "Additional Services",
"planSectionRows": [
{
"name": "Always On Bandwidth (Clean traffic)",
"purchased": "10Mbps",
"used": "N/A"
},
{
"name": "DDoS Protection",
"purchased": "None",
"used": ""
},
{
"name": "Support Level",
"purchased": "Standard",
"used": "Standard"
},
{
"name": "SIEM Integration",
"purchased": "10",
"used": "0"
},
{
"name": "Web Attack Analytics",
"purchased": "0",
"used": ""
}
]
}
},
"bandwidthHistory": [
{
"billingCycle": "Current billing cycle",
"onDemandBandwidth": "0bps",
"alwaysOnBandwidth": "3.5kbps"
},
{
"billingCycle": "Previous billing cycle",
"onDemandBandwidth": "0bps",
"alwaysOnBandwidth": "15kbps"
},
{
"billingCycle": "Earlier billing cycle",
"onDemandBandwidth": "0bps",
"alwaysOnBandwidth": "7.7kbps"
}
],
"res": 0,
"res_message": "OK"
}
Set default data storage region
Available for Reseller accounts only
Use this operation to set the default data region of the account for newly created sites.
/api/prov/v1/accounts/data-privacy/set-region-default
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
account_id Numeric identifier of the account to operate on.
data_storage_region The data region to use.
Name Description
APAC Asia Pacific
EU Europe
US United States
Use system default region, based on geolocation of
AU
the origin server registered for a site.
Response structure:
{
"res": 0,
"res_message": "OK"
Get
} default data storage region
Available for Reseller accounts only
Use this operation to get the default data region of the account.
/api/prov/v1/accounts/data-privacy/show
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
account_id Numeric identifier of the account to operate on.
Response structure:
{
region: EU
"res":0,
"res_message":"OK"
In this topic:
Name Description
A site with SSL support was added. Domain approval
pending-select-approver email needs to be selected or a new domain
validation method should be selected.
The site owner needs to approve the SSL certificate
generation by completing a domain validation
pending-certificate action (following a link in the approval email, DNS
change, adding an HTML meta tag, adding a new file,
etc.)
The site is ready for the user to perform the required
pending-dns-changes DNS changes in order to be fully configured on the
service.
fully-configured Site is active on the Imperva network.
1. Call the Add site operation. A successful response will contain the required DNS changes. The site is in pending-
dns-changes state.
2. Perform the DNS changes. The system will detect the DNS changes in a few minutes and will set the site to the
fully-configured state.
3. Call the Get site status operation periodically until the site is in the fully-configured state.
Prerequisite: Imperva must verify that HTTPS is supported by your site, in order to support SSL for your site.
1. Call the Modify site configuration operation and set the SSL domain validation method to email.
2. Call the Get domain approver email addresses operation and select an email address from the list.
3. Call the Modify site configuration operation again and set the selected email address. The system will
send the certificate generation approval email and set the site to the pending-certificate state.
1. Call the Modify site configuration operation and set the SSL domain validation method to html. The
operation will return the required HTML snippet to place in the homepage of the site and set the site to
the pending-certificate state.
2. The site owner needs to place the HTML snippet in the homepage of the site.
3. Call the Get site status operation and use the tests parameter to verify that domain validation was
performed successfully.
1. Call the Modify site configuration operation and set the SSL domain validation method to dns. The
operation will return the required DNS records to set on the site's domain and set the site to the pending-
certificate state.
2. The site owner needs to set the DNS records on the site's domain.
3. Call the Get site status operation and use the tests parameter to verify that domain validation was
performed successfully.
5. Call the Get site status operation periodically until the site is in the pending-dns state. The required DNS
changes will be provided in the response.
6. Perform the DNS changes. The system will detect the DNS changes in a few minutes and will set the site to the
fully-configured state.
7. Call the Get site status operation periodically until the site is in the fully-configured state.
1. Verify that Imperva has detected that HTTPS is supported by your site:
1. Call the Get site status operation and look for the detected field under origin_server.
2. If the detected value is false, add the services test parameters and call the Get site status operation
again.
3. Keep calling the Get site status operation until the detected value changes to true.
2. Call the Modify site configuration operation and set the SSL domain validation method. Then, continue
according to the flow above.
Add site
Add a new site to an account. If the site already exists, its status is returned.
/api/prov/v1/sites/add
Parameters:
The dns section of the responses contains the list of required DNS changes. Each entry contains the following
parameters:
Name Description
dns_record_name Name of a DNS record which needs to be set.
This section contains non-critical configuration warnings. While these warnings are present your site will still be under
Imperva service.
Name Description
Your ftp records are pointing directly to your server
FTP records
instead of to Imperva.
Your mail records are pointing directly to your server
set_type_to
instead of to Imperva.
Response structure:
/api/prov/v1/sites/status
Parameters:
Name Description
Runs the domain validation test on the specified
site. This test will check for HTML meta tag or DNS
domain_validation
records, according to the selected domain validation
method.
Runs the services test on the specified site. This test
services will check the availability of HTTP and HTTPS
connections on the site.
Runs the DNS test on the specified site. This test will
dns check whether the site owner performed the DNS
changes required in order to protect the site.
Response structure:
{
"res": 0,
"res_message": "OK",
"status": "pending_dns_changes",
"ips": [ "34.33.22.1" ],
"dns":
[
{ "dns_record_name": "www.example.com",
"set_type_to": "CNAME",
"set_data_to": "x343.incapdns.net"
},
{ "dns_record_name": "example.com",
"set_type_to": "A",
"set_data_to": "10.200.0.0"
],
"original_dns":[
{
"dns_record_name":"example.com",
"set_type_to":"A",
"set_data_to":[
"66.45.177.11"
]
},
{
"dns_record_name":"www.example.com",
"set_type_to":"A",
"set_data_to":[
"66.45.177.50"
]
}
],
"warnings":
[
{
"type":"FTP",
"dns_record_name": "ftp.example.com",
"set_type_to": "A",
"set_data_to": "10.200.0.0"
},
{
"type":"MAIL",
"mail_record_name": "mail.example.com",
"set_type_to": "A",
"set_data_to": "10.200.0.0"
}
],
"security": {
"waf": {
"rules" : [
{
"id":"api.threats.bot_access_control",
"name":"Bot Access Control",
"block_bad_bots":true,
"challenge_suspected_bots":true
},
{
"id":"api.threats.sql_injection",
"name":"SQL Injection",
"action":"api.threats.action.block_request",
"action_text":"Block Request",
},
{
"id":"api.threats.cross_site_scripting",
"name":"Cross Site Scripting (XSS)",
"exceptions":[
{
"values":[
{
"urls":[
{
"value":"/gsddg",
"pattern":"EQUALS"
}
],
"id":"api.rule_exception_type.url",
"name":"URL"
}
],
"id":244711494
},
...
],
"action":"api.threats.action.alert",
"action_text":"Alert Only",
},
{
"id":"api.threats.illegal_resource_access",
"name":"Illegal Resource Access",
"action":"api.threats.action.block_user",
"action_text":"Block User",
},
{
"id":"api.threats.ddos",
"name":"DDoS",
"activation_mode":"api.threats.ddos.activation_mode.
"activation_mode_text":"Off",
"ddos_traffic_threshold":"api.threats.ddos.ddos_tras
"ddos_traffic_threshold_text":"750",
},
{
"id":"api.threats.backdoor",
"name":"Backdoor Protect",
"action":"api.threats.action.quarantine_url",
"action_text":"Auto-Quarantine",
},
{
"action":"api.threats.action.block_ip",
"action_text":"Block IP",
"id":"api.threats.remote_file_inclusion",
"name":"Remote File Inclusion"
}
]
},
"acls":{
"rules":[
{
"ips":[
"2.3.4.5"
],
"exceptions":[
{
"values":[
{
"urls":[
{
"value":"/home",
"pattern":"EQUALS"
}
],
"id":"api.rule_exception_type.url",
"name":"URL"
},
...
],
"id":493271006
},
...
],
"id":"api.acl.blacklisted_ips",
"name":"Visitors from blacklisted IPs"
},
...
]
}
},
"active": "active",
"acceleration_level": "advanced",
"site_creation_date": 1372573842000
"sealLocation":{
"id":"api.seal_location.bottom_right",
"name":"Bottom right"
},
"ssl" : {
// Example for case HTTPS support was detected on the site
"origin_server":{
"detected":true,
"detectionStatus":"ok"
},
// Example for case HTTPS support was not detected on the site
"origin_server":{
"detected":false,
"detectionStatus":"hostname_mismatch"
},
"custom_certificate" : {
"active":true,
"expirationDate":1460100446000,
"revocationError":false,
"validityError":false,
"chainError":false,
"hostnameMismatchError":true,
"fingerPrint":"SHA1 Fingerprint=A7:89:E5:05:A8:17:A1:22:EA:90:5F:A6:EA:A3:D4:8B:
"serialNumber":"FE:BA:E1:4A:F1:34:ED:60"
}
},
"login_protect":{
"enabled":true,
"specific_users_list":[
{
"email":"john@example.com",
"name":"John Doe",
"status":"INVITATION_SENT"
},
{
"email":"jane@example.com",
"name":"Jane Doe",
"status":"ACTIVATED"
}
],
"send_lp_notifications":true,
"allow_all_users":false,
"authentication_methods":[
"sms",
"ga"
],
"urls":[
"/wp-admin"
],
"url_patterns":[
"PREFIX"
]
},
"performance_configuration":{
"advanced_caching_rules":{
"never_cache_resources":[
{
"pattern":"SUFFIX",
"url":"/test.html"
}
],
"always_cache_resources":[
{
"pattern":"NOT_EQUALS",
"url":"/index.html",
"ttl":5,
"ttlUnits":"SECONDS"
},
{
"pattern":"EQUALS",
"url":"/home.html",
"ttl":6,
"ttlUnits":"DAYS"
}
]
},
"acceleration_level":"advanced",
"async_validation":true,
"minify_javascript":true,
"minify_css":true,
"minify_static_html":true,
"compress_jpeg":true,
"progressive_image_rendering":true,
"aggressive_compression":true,
"compress_png":true,
"on_the_fly_compression":true,
"tcp_pre_pooling":true,
"comply_no_cache":true,
"comply_vary":true,
"use_shortest_caching":true,
"support_all_tls_versions":true,
"prefer_last_modified":true,
"disable_client_side_caching":true,
"cache_headers":[
{
"headerName":"Content-type: application/pdf"
}
]
},
"res":0,
"res_message":"OK"
}
Name Description
status The current status of the site.
ips IP addresses or hostname of the site's servers.
The required DNS changes. Sent when the site is in
dns
pending_dns_changes or fully_configured status.
A list of warnings regarding the configuration of the
warning
site.
security The security settings of the site.
A text string indicating whether the site is active or
active has been moved into bypass mode, one of: active |
bypass.
A text string indicating the acceleration level of the
acceleration_level
site, one of: off | standard | advanced.
The creation date of the site in milliseconds since
site_creation_date
1970.
The current location of the seal. One of:
api.seal_location.bottom_left |
api.seal_location.none |
seal_location api.seal_location.right_bottom |
api.seal_location.right | api.seal_location.left |
api.seal_location.bottom_right |
api.seal_location.bottom
Information regarding the SSL configuration of the
ssl site and the SSL configuration detected on the site's
origin server. For more details see the table below.
login_protect The Login Protect configuration of the site.
performance_configuration The performance configuration of the site.
Name Description
detected Imperva detected HTTPS support on the site.
detectionStatus HTTPS detection status/failure reason for site.
Name Description
ok SSL detected.
ssl_connection_not_established For example: no server certificate found.
hostname_mismatch Hostname in certificate did not match.
Name Description
invalid_server_response Received an invalid response from server.
host_unreachable Could not reach host.
unclassified_error Received an unclassified error.
ssl_network_detection_not_run SSL network detection test did not run.
Name Description
The certificate authority Imperva is using to
ca
generate the certificate for the site.
The domain names that will be added to the
san certificate as part of the Subject Alternative Names
section (SAN).
The SSL domain validation method. One of: email |
validation_method
html | dns.
For e-mail validation the selected approver email
validation_data address, for HTML validation the HTML snippet to
use, for DNS validation the DNS records to set.
validation_data.set_type_to The type of DNS record to set. One of: CNAME | TXT
Name Description
Custom certificate was successfully uploaded for the
active
site.
The expiration date of the custom certificate, in
expirationDate milliseconds, since 1970. For a detailed description,
see Cloud Application Security API Reference.
Name Description
The custom certificate was revoked by the CA (is
revocationError
under the CRL - certificate revocation list).
The custom certificate is either expired or not valid
validityError
yet.
The custom certificate chain is broken / contains
chainError
untrusted intermediate certificate.
The site is not covered by the subject or Subject
hostnameMismatchError
Alternative Names on the custom certificate.
Get domain approver email addresses
Use this operation to get the list of email addresses that can be used when adding an SSL site.
/api/prov/v1/domain/emails
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
The domain name of the site. For example:
domain www.example.com, hello.example.com,
example.com
Response structure:
{
"res": 0,
"res_message": "OK",
"domain_emails": [
"admin@example.com",
"webmaster@example.com"
]
}
/api/prov/v1/sites/configure
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Name of configuration parameter to set. See table
param
below.
value According to the param value. See table below.
Parameter values:
Name Description
Whether the site is active or bypassed by the
active
Imperva network. One of: active | bypass.
Comma separated list of IPs. For example:
site_ip
8.8.8.8,1.2.2.2
Name Description
If the issue does not resolve after a few minutes,
contact Support.
Response structure:
{
"res": 0,
"res_message": "OK",
"debug_info": {
"domain_email": "admin@example.com"
}
}
/api/prov/v1/sites/setlog
Parameters:
Response structure:
{
"res": 0,
"res_message": "OK",
"debug_info": {
"log_level": "full"
}
Set support
} for all TLS versions
Use this operation to support all TLS versions for the site for connectivity between clients (visitors) and the Imperva
service. To remain PCI-compliant, do not enable this option.
/api/prov/v1/sites/tls
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
support_all_tls_versions Support all TLS versions. Default value: false
Response structure:
{
"res": 0,
"res_message": "OK",
"debug_info": {
"support_all_tls_versions": "true"
"new_A_record": "1.2.3.4"
}
Modify }site security configuration
Use this operation to change the security configuration of a site. To modify the configuration for a specific rule,
additional parameters may be required, as documented below.
/api/prov/v1/sites/configure/security
Parameters:
The syntax is as
follows:<rule_id>.activation_mode.<value>
• quarantined_urls:
<URL full path>
• rule_id:
api.threats.backdoor
•
security_rule_action: api.threats.action.quarantine_url
api_id=123
api_key=abcdefg
rule_id=api.threats.bot_access_control
block_bad_bots=true
challenge_suspected_bots=true
api_id=123
api_key=abcdefg
rule_id=api.threats.sql_injection
security_rule_action=api.threats.action.block_request
Name
api.threats.bot_access_control
api.threats.sql_injection
api.threats.cross_site_scripting
api.threats.illegal_resource_access
api.threats.backdoor
api.threats.ddos
api.threats.remote_file_inclusion
Name Description
api.threats.action.disabled Threat is not blocked, site owner is not notified.
api.threats.action.alert Threat is not blocked, site owner is notified.
Threat blocked by stopping the request, site owner
api.threats.action.block_request
is notified.
Threat blocked by stopping the request. Additional
requests by the client application will be
api.threats.action.block_user
automatically blocked for a duration of several
minutes. Site owner is notified.
Threat blocked by stopping the request. Additional
requests from the same IP addresses will be
api.threats.action.block_ip
automatically blocked for a duration of several
minutes. Site owner is notified.
Relevant only for Backdoor Protect. When detecting
api.threats.action.quarantine_url
a backdoor, additional requests to the URL of the
Name Description
backdoor will be automatically blocked. Site owner
is notified.
api_id=123
api_key=abcdefg
rule_id=api.threats.ddos
activation_mode=api.threats.ddos.activation_mode.auto
ddos_traffic_threshold=750
Response structure:
To modify the configuration for a specific ACL rule, its values are required, as documented below.
To delete an entire ACL list, send an empty string as the list values.
/api/prov/v1/sites/configure/acl
Parameters:
Name Description
Visitors from blacklisted countries and/or
api.acl.blacklisted_countries
continents.
api.acl.blacklisted_urls Visitors from blacklisted URLs.
api.acl.blacklisted_ips Visitors from blacklisted IPs.
api.acl.whitelisted_ips Visitors from whitelisted IPs.
api_id=123
api_key=abcdefg
rule_id=api.acl.blacklisted_urls
urls=%2Fadmin%2Fdashboard%2Fstats%3Fx%3D1%26y%3D2%23z%3D3,%2Fadmin
url_patterns=contains,equals
api_id=123
api_key=abcdefg
rule_id=api.acl.blacklisted_countries
countries=CA,US
continents=SA
api_id=123
api_key=abcdefg
rule_id=api.acl.blacklisted_ips
ips=1.2.3.4,192.168.1.1-192.168.1.100,192.168.1.1/24
api_id=123
api_key=abcdefg
rule_id=api.acl.whitelisted_ips
ips=1.2.3.4
api_id=123
api_key=abcdefg
rule_id=api.acl.blacklisted_ips
ips=
Response structure:
/api/prov/v1/sites/configure/whitelists
Parameters:
The following API call adds a whitelist to the SQL injection security rule. SQL injections will not be handled for requests that are either
the specified URLs, IPs, or countries:
api_id=123
api_key=abcdefg
rule_id=api.threats.sql_injection
urls=%2Fadmin%2Fdashboard%2Fstats%3Fx%3D1%26y%3D2%23z%3D3,%2Fadmin
ips=1.2.3.4,192.168.1.1-192.168.1.100,192.168.1.1/24
countries=GT,VN
The following API call updates a whitelist to the countries acl. SQL injections will not be handled for requests that are from the
specified countries:
api_id=123
api_key=abcdefg
rule_id=api.acl.blacklisted_countries
whitelist_id=1234567
countries=CA,US
continents=SA
api_id=123
api_key=abcdefg
rule_id=api.acl.blacklisted_urls
whitelist_id=123456
delete_whitelist=true
Response structure:
/api/prov/v1/sites/delete
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Response structure:
{
"res": 0,
"res_message": "OK"
List
} sites
List sites for an account. If the specified account has sub accounts, the operation returns results of the sites in the
account and in all of its sub accounts.
/api/prov/v1/sites/list
Parameters:
Maximum: 100
Response structure:
{
"res": 0,
"res_message": "OK",
"sites":
[
{Same as Get Site Status},
{Same as Get Site Status},
...
],
"debug_info": {}
}
The time_range parameter is ignored for accounts with the WAF Rules policy feature. For such accounts, the report
returns the current status.
/api/prov/v1/sites/report
Parameters:
Response structure:
{
"res": 0,
"res_message": "OK",
"format" : "pdf",
"report" : "JVBERi0xLjUNCiXvv73vv73vv73vv70NCjEgMCBvYmoNCjw8L1R5cGUvQ2F0YWxvZy9QYWdlcyAy
}
Our Proxy servers keep cached content of your sites in order to accelerate page load times for your users. When you
want this cached content to be refreshed (for example, after making adjustments in your site) you can use this API call.
To purge the entire cached content for this site, use the API call with no parameters.
/api/prov/v1/sites/cache/purge
Parameters:
• Resource_name - Resources
that contain Resource_name
purge_pattern Yes
will be purged
• ^Resource_name-
Resources that start with
Resource_name will be
purged
• Resource_name$ -
Resources that end with
Response structure:
{
"res": 0,
"res_message": "OK"
}
/api/prov/v1/sites/htmlinjections
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Response structure:
{
"html_injections":[
{
"url":"/",
"url_pattern":"prefix",
"location":"head",
"content":"Some content"
},
...
],
"res":0,
"res_message":"OK"
}
/api/prov/v1/sites/configure/htmlInjections
Parameters:
Response structure:
Example: The following API call adds the HTML content "Hello World!" to any URL containing "/index.php", in the
beginning of the HEAD section. If content was already injected for the specified configuration, the existing content will
be replaced by "Hello World!". Note that the text itself is Base64 encoded.
api_id=123
api_key=abcdefg
url=/index.php
url_pattern=contains
location=head
Remove an HTML injection
content=SGVsbG8gV29ybGQh rule
Use this operation to removes an existing HTML injection rule. To confirm the removal, set the parameter
delete_content to true.
/api/prov/v1/sites/configure/htmlInjections
Parameters:
Response structure:
Example: The following API call removes (if exists) the HTML content from any URL ending with ".php", found in the
BODY section. The content itself does not have to be supplied, any content previously injected in the specified URL,
URL pattern, and Location will be removed.
api_id=123
api_key=abcdefg
url=.php
url_pattern=ends_with
location=body_end
Modify caching mode
delete_content=true
/api/prov/v1/sites/performance/cache-mode
Parameters:
Possible values:
• disable
• custom_cache_rules_only
cache_mode • static_only
• static_and_dynamic
• aggressive
Default: 5_min
Default: 1_hr
Response structure:
{
"res": 0,
"res_message": "OK"
}
/api/prov/v1/sites/performance/cache-mode/get
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Response structure:
{
"cache_mode":"static_and_dynamic",
"res":0,
"res_message":"OK",
"debug_info":{
"id-info":"999999"
}
}
/api/prov/v1/sites/performance/secure-resources
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Response structure:
{
"res": 0,
"res_message": "OK"
}
/api/prov/v1/sites/performance/stale-content
Parameters:
Response structure:
{
"res": 0,
"res_message": "OK"
}
/api/prov/v1/sites/performance/stale-content/get
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Response structure:
{
"enabled":true,
"mode":"ADAPTIVE",
"time":11,
"unit":"SECONDS",
"res":0,
"res_message":"OK",
"debug_info":{
"id-info":"999999"
}
}
/api/prov/v1/sites/performance/cache404/modify
Parameters:
/api/prov/v1/sites/performance/cache404
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Response structure:
{
"enabled": true,
"time": 10,
"time_unit": "HOURS",
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
/api/prov/v1/sites/performance/purge
Parameters:
Possible values:
Response structure:
/api/prov/v1/sites/performance/caching-rules
Parameters:
Response structure:
/api/prov/v1/sites/performance/advanced
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Name of configuration parameter to set. See table
param
below.
value According to the param value. See table below.
Name Description
Sets Async validation. Pass "true" or "false" in the
async_validation
value parameter.
Sets the Minify JS. Pass "true" or "false" in the value
minify_javascript
parameter.
Sets the Minify CSS. Pass "true" or "false" in the
minify_css
value parameter
Sets Minify static HTML. Pass "true" or "false" in the
minify_static_html
value parameter
Sets the Compress JPEG. Pass "true" or "false" in the
compress_jpeg
value parameter.
Sets the Progressive Image rendering flag. Pass
progressive_image_rendering
"true" or "false" in the value parameter.
Sets the Aggressive compression rendering flag.
aggressive_compression
Pass "true" or "false" in the value parameter.
Sets the Compress PNG flag. Pass "true" or "false" in
compress_png
the value parameter.
Name Description
"On the fly" Compression. Pass "true" or "false" in
on_the_fly_compression
the value parameter.
TCP Pre-Pooling. Pass "true" or "false" in the value
tcp_pre_pooling
parameter.
Comply with no-cache and max-age directives in
comply_no_cache client requests. Pass "true" or "false" in the value
parameter.
Comply with the Vary header. Pass "true" or "false"
comply_vary
in the value parameter.
Use shortest caching duration in case of conflicts.
use_shortest_caching
Pass "true" or "false" in the value parameter.
Prefer 'last modified' over eTag. Pass "true" or
prefer_last_modified
"false" in the value parameter.
Disable client side caching. Pass "true" or "false" in
disable_client_side_caching
the value parameter.
Cache 300X responses. Pass "true" or "false" in the
cache_300x
value parameter.
Use the same cache for full and naked domains. For
unite_naked_full_cache example, use the same cached resource for
www.example.com/a and example.com/a.
cache_empty_responses Cache responses that don’t have a message body.
Cache HTTP 1.0 type responses that don’t include
cache_http_10_responses the Content-Length header or chunking. Pass "true"
or "false" in the value parameter.
Send Cache-Control: max-age and Age headers.
send_age_header
Pass "true" or "false" in the value parameter.
By default, non-SNI clients are supported. Disable
support_non_sni_clients this option to block non-SNI clients. Pass "true" or
"false" in the value parameter.
By default, TCP connections that are opened for a
client request remain open for a short time to
origin_connection_reuse handle additional requests that may arrive. This
option disables that behavior.. Pass "true" or "false"
in the value parameter.
Redirect HTTP requests to HTTPS requests by
redirect_http_to_https
sending an HTTP 301 response.
Redirect requests from your website's naked domain
redirect_naked_domain_to_full to its full domain by sending and HTTP 301
response.
Name Description
requires that SSL is configured for your website.
Pass "true" or "false" in the value parameter
Response structure:
/api/prov/v1/sites/performance/advanced/get
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Name of configuration parameter to set. See table
param
below.
Name Description
Sets Async validation. Pass "true" or "false" in the
async_validation
value parameter.
Sets the Minify JS. Pass "true" or "false" in the value
minify_javascript
parameter.
Sets the Minify CSS. Pass "true" or "false" in the
minify_css
value parameter
Sets Minify static HTML. Pass "true" or "false" in the
minify_static_html
value parameter
Sets the Compress JPEG. Pass "true" or "false" in the
compress_jpeg
value parameter.
Sets the Progressive Image rendering flag. Pass
progressive_image_rendering
"true" or "false" in the value parameter.
Name Description
Sets the Aggressive compression rendering flag.
aggressive_compression
Pass "true" or "false" in the value parameter.
Sets the Compress PNG flag. Pass "true" or "false" in
compress_png
the value parameter.
"On the fly" Compression. Pass "true" or "false" in
on_the_fly_compression
the value parameter.
TCP Pre-Pooling. Pass "true" or "false" in the value
tcp_pre_pooling
parameter.
Comply with no-cache and max-age directives in
comply_no_cache client requests. Pass "true" or "false" in the value
parameter.
Comply with the Vary header. Pass "true" or "false"
comply_vary
in the value parameter.
Use shortest caching duration in case of conflicts.
use_shortest_caching
Pass "true" or "false" in the value parameter.
Prefer 'last modified' over eTag. Pass "true" or
prefer_last_modified
"false" in the value parameter.
Disable client side caching. Pass "true" or "false" in
disable_client_side_caching
the value parameter.
Cache 300X responses. Pass "true" or "false" in the
cache_300x
value parameter.
Use the same cache for full and naked domains. For
unite_naked_full_cache example, use the same cached resource for
www.example.com/a and example.com/a.
cache_empty_responses Cache responses that don’t have a message body.
Cache HTTP 1.0 type responses that don’t include
cache_http_10_responses the Content-Length header or chunking. Pass "true"
or "false" in the value parameter.
Send Cache-Control: max-age and Age headers.
send_age_header
Pass "true" or "false" in the value parameter.
By default, non-SNI clients are supported. Disable
support_non_sni_clients this option to block non-SNI clients. Pass "true" or
"false" in the value parameter.
By default, TCP connections that are opened for a
client request remain open for a short time to
origin_connection_reuse handle additional requests that may arrive. This
option disables that behavior.. Pass "true" or "false"
in the value parameter.
Redirect HTTP requests to HTTPS requests by
redirect_http_to_https
sending an HTTP 301 response.
Redirect requests from your website's naked domain
redirect_naked_domain_to_full to its full domain by sending and HTTP 301
response.
Enables supporting browsers to take advantage of
http_2
the performance enhancements provided by HTTP/2
Name Description
for your website. Non-supporting browsers can
connect via HTTP/1.0 or HTTP/1.1. HTTP/2 support
requires that SSL is configured for your website.
Pass "true" or "false" in the value parameter
Response structure:
{
"value":true,
"res":0,
"res_message":"OK",
"debug_info":{
"id-info":"999999"
}
}
/api/prov/v1/sites/performance/response-headers
Parameters:
Response structure:
/api/prov/v1/sites/performance/response-headers/get
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Response structure:
{
"enabled":true,
"mode":"CUSTOM",
"custom_headers":[
"header1",
"header2",
"header3"
],
"res":0,
"res_message":"OK",
"debug_info":{
"id-info":"999999"
}
}
/api/prov/v1/sites/performance/tag-response
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Specify which origin response header contains the
header
cache tags in your resources. default: "".
Response structure:
/api/prov/v1/sites/performance/tag-response/get
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Response structure:
{
"header":"some_header",
"res":0,
"res_message":"OK",
"debug_info":{
"id-info":"999999"
}
}
This API is for customers who use the same CNAME provided by Imperva for multiple hostnames and would like to
change the CNAME for a particular hostname. Purging the hostname is required for the CNAME change to take effect.
/api/prov/v1/sites/hostname/purge
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
host_name The hostname to purge from the cache.
Response structure:
{
"res": 0,
"res_message": "OK"
}
/api/prov/v1/sites/xray/get-link
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Example request:
Add cache
curl rule
-d api_id=12345 -d api_key=48d69342-eaec-44cf-8a5c-56c4ff1cd5e8 -d site_id=14081980 htt
/api/prov/v1/sites/performance/caching-rules/add
Parameters:
Default: false.
all_params Yes
Relevant for
HTTP_CACHE_IGNORE_PARAMS
action
Name Description
HTTP_CACHE_MAKE_STATIC Cache Resource
HTTP_CACHE_CLIENT_CACHE_CTL Cache Resource on Client
HTTP_CACHE_FORCE_UNCACHEABLE Don't Cache Resource
HTTP_CACHE_DIFFERENTIATE_SSL Differentiate Cache Key by HTTP/HTTPS Scheme
HTTP_CACHE_DIFFERENTIATE_BY_HEADER Differentiate Cache Key by Header
HTTP_CACHE_DIFFERENTIATE_BY_COOKIE Differentiate Cache Key by Cookie
HTTP_CACHE_IGNORE_PARAMS Ignore Paramteres in Cache Key
HTTP_CACHE_IGNORE_AUTH_HEADER CacheRuleAction.HTTP_CACHE_IGNORE_AUTH_HEADER
HTTP_CACHE_FORCE_VALIDATION Force User Authentication
HTTP_CACHE_ADD_TAG Create Tag
HTTP_CACHE_ENRICH_CACHE_KEY Enrich Cache Key
Edit cache rule
Use this operation to edit a cache rule.
/api/prov/v1/sites/performance/caching-rules/edit
Parameters:
Default: false.
Name Description
HTTP_CACHE_MAKE_STATIC Cache Resource
HTTP_CACHE_CLIENT_CACHE_CTL Cache Resource on Client
HTTP_CACHE_FORCE_UNCACHEABLE Don't Cache Resource
HTTP_CACHE_DIFFERENTIATE_SSL Differentiate Cache Key by HTTP/HTTPS Scheme
HTTP_CACHE_DIFFERENTIATE_BY_HEADER Differentiate Cache Key by Header
HTTP_CACHE_DIFFERENTIATE_BY_COOKIE Differentiate Cache Key by Cookie
HTTP_CACHE_IGNORE_PARAMS Ignore Paramteres in Cache Key
HTTP_CACHE_IGNORE_AUTH_HEADER CacheRuleAction.HTTP_CACHE_IGNORE_AUTH_HEADER
HTTP_CACHE_FORCE_VALIDATION Force User Authentication
HTTP_CACHE_ADD_TAG Create Tag
HTTP_CACHE_ENRICH_CACHE_KEY Enrich Cache Key
Delete cache rule
Use this operation to delete a cache rule.
/api/prov/v1/sites/performance/caching-rules/delete
Parameters:
/api/prov/v1/sites/performance/caching-rules/enable
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
rule_id ID of the rule to change.
When true, the rule will be enabled. Set to false to
enable
disable.
/api/prov/v1/sites/performance/caching-rules/list
Parameters:
Maximum: 100
Response structure:
{
"HTTP_CACHE_FORCE_UNCACHEABLE": [
{
"id": "3746",
"name": "rule1",
"action": "HTTP_CACHE_FORCE_UNCACHEABLE",
"filter": "URL == \"/admin\"",
"disabled": "false",
"disabledByCacheMode": "false"
}
],
"HTTP_CACHE_DIFFERENTIATE_BY_COOKIE": [
{
"id": "3749",
"name": "rule3",
"action": "HTTP_CACHE_DIFFERENTIATE_BY_COOKIE",
"filter": "CookieExists == \"xGroup\"",
"differentiatedByValue": "xGroup"
"disabled": "false",
"disabledByCacheMode": "false"
}
],
"HTTP_CACHE_CREATE_TAG": [
{
"id": "3745",
"name": "rule4",
"action": "HTTP_CACHE_CREATE_TAG",
"filter": User-Agent contains \"Iphone\" | User-Agent contains \"Android\"",
"tag": "mobile",
"disabled": "false",
"disabledByCacheMode": "false"
}
],
"HTTP_CACHE_IGNORE_PARAMS": [
{
"id": "3751",
"name": "rule7",
"action": "HTTP_CACHE_IGNORE_PARAMS",
"params": "oid",
"filter": "ParamExists == \"oid\"",
"disabled": "false",
"disabledByCacheMode": "false"
},
{
"id": "3752",
"name": "rule8",
"action": "HTTP_CACHE_IGNORE_PARAMS",
"params": "xid",
"filter": "ParamExists == \"xid\"",
"disabled": "false",
"disabledByCacheMode": "false"
}
],
"HTTP_CACHE_MAKE_STATIC": [
{
"id": "3744",
"name": "rule9",
"action": "HTTP_CACHE_MAKE_STATIC",
"ttl": "1",
"ttlUnit": "MINUTES",
"filter": "URL == \"/admin\"",
"disabled": "false",
"disabledByCacheMode": "false"
}
]
Create
} new CSR
Use this operation to create a certificate signing request (CSR) for your site. For details on how to provide Imperva
with a custom certificate without a private key, see Upload a Certificate without a Private Key.
/api/prov/v1/sites/customCertificate/csr
Parameters:
Response structure:
{
"csr_content":"-----BEGIN CERTIFICATE REQUEST-----\nMIICyTCCAbECAQAwgYMxCzAJBgNVBAYT
"res": 0,
"res_message": "OK",
}
The following SSL certificate file formats are supported: PFX, PEM, CER.
/api/prov/v1/sites/customCertificate/upload
Parameters:
Example request:
#!/bin/sh
CERT_B64=`base64 -i a.crt`
KEY_B64=`base64 -i a.key`
Response structure:
{
"res": 0,
"res_message": "OK",
"debug_info":{
"details":{
"active":true,
"expirationDate":1460100446000,
"revocationError":false,
"validityError":false,
"chainError":false,
"coverageError":true
},
"id-info":"999999"
}
}
Custom certificate information is provided under 'debug_info'. See the Get site status response structure,
ssl.custom_certificate section.
/api/prov/v1/sites/customCertificate/remove
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Response structure:
{
"res": 0,
"res_message": "OK"
}
/api/prov/v1/sites/incapRules/add
Parameters:
For RULE_ACTION_REWRITE_URL -
The URL to rewrite.
For
RULE_ACTION_REWRITE_HEADER
- The header value to rewrite.
from Yes
For
RULE_ACTION_REWRITE_COOKIE -
The cookie value to rewrite.
For
RULE_ACTION_SIMPLIFIED_REDIRECT
- Follow guidelines in Create
Simplified Redirect Rules.
to Yes
The pattern to change to.
For
RULE_ACTION_REWRITE_HEADER
- The header value to change to.
For
RULE_ACTION_REWRITE_COOKIE -
The cookie value to change to.
For
RULE_ACTION_SIMPLIFIED_REDIRECT
- Follow guidelines in Create
Simplified Redirect Rules.
Name Description
Redirect the client to a different URL, responding
RULE_ACTION_REDIRECT
with a 30X response.
Redirect the client to a different URL, responding
RULE_ACTION_SIMPLIFIED_REDIRECT with a 30X response. For more details, see Create
Simplified Redirect Rules.
Modify the path to which a specific request is
RULE_ACTION_REWRITE_URL
targeted.
Modify or add a request header before passing traffic
RULE_ACTION_REWRITE_HEADER
to the origin server.
Modify or add cookies that are sent by the client to
RULE_ACTION_REWRITE_COOKIE the origin server. The cookie name and value should
be indicated.
Remove a specific request header, which means that
RULE_ACTION_DELETE_HEADER
it won’t be sent to the origin server.
Remove a specific cookie set on the client, which
RULE_ACTION_DELETE_COOKIE
means that it won’t be sent to the origin server.
Define the data center to which a specific request
RULE_ACTION_FORWARD_TO_DC
will be sent.
Define the port to which a specific request will be
RULE_ACTION_FORWARD_TO_PORT
sent.
Modify or add a header to the response received
RULE_ACTION_RESPONSE_REWRITE_HEADER
from the origin server.
Remove a specific response header, which means
RULE_ACTION_RESPONSE_DELETE_HEADER
that it won't be returned to the client.
Modify the response code received from the origin
RULE_ACTION_RESPONSE_REWRITE_RESPONSE_CODE
server
Name Description
RULE_ACTION_ALERT Generate a non blocking alert for this event.
Block the current request and generate an alert for
RULE_ACTION_BLOCK
this event.
Block the current session and generate an alert for
RULE_ACTION_BLOCK_USER this event. Any subsequent request from the same
Session will be blocked.
Name Description
Block the current IP and generate an alert for this
RULE_ACTION_BLOCK_IP event. Any subsequent request from the same IP will
be blocked for a period of 10 minutes.
Require any client matching the rule filters to
RULE_ACTION_RETRY
support cookies in order to complete the request.
Require any client matching the rule filters to
support javascript in order to complete the request.
RULE_ACTION_INTRUSIVE_HTML Since the Javascript test is embedded in an HTML
page, this action should only be enabled for HTML
resources.
Require any client matching the rule filters to pass a
CAPTCHA test in order to complete the request.
RULE_ACTION_CAPTCHA Since the CAPTCHA test is embedded in an HTML
page, this action should only be enabled for HTML
resources.
Name Description
Count the number of requests received that match
RULE_ACTION_RATE
the rule filter.
Example request:
#!/bin/sh
Edit rule
curl -X POST -d api_id=12345 -d api_key="48d69342-eaec-44cf-8a5c-56c4ff1cd5e8" -d site_id=14
/api/prov/v1/sites/incapRules/edit
Parameters:
For RULE_ACTION_REWRITE_URL -
The URL to rewrite.
For
RULE_ACTION_REWRITE_HEADER
- The header value to rewrite.
from Yes
For
RULE_ACTION_REWRITE_COOKIE -
The cookie value to rewrite.
For
RULE_ACTION_SIMPLIFIED_REDIRECT
- Follow guidelines in Create
Simplified Redirect Rules.
For RULE_ACTION_REWRITE_URL -
The URL to change to.
For
RULE_ACTION_REWRITE_HEADER
- The header value to change to.
to Yes
For
RULE_ACTION_REWRITE_COOKIE -
The cookie value to change to.
For
RULE_ACTION_SIMPLIFIED_REDIRECT
- Follow guidelines in Create
Simplified Redirect Rules.
Name Description
Redirect the client to a different URL, responding
RULE_ACTION_REDIRECT
with a 30X response.
Redirect the client to a different URL, responding
RULE_ACTION_SIMPLIFIED_REDIRECT with a 30X response. For more details, see Create
Simplified Redirect Rules.
Modify the path to which a specific request is
RULE_ACTION_REWRITE_URL
targeted.
Modify or add a request header before passing traffic
RULE_ACTION_REWRITE_HEADER
to the origin server.
Allows the modification and addition of cookies that
RULE_ACTION_REWRITE_COOKIE are sent by the client to the origin server. The cookie
name and value should be indicated.
Remove a specific request header, which means that
RULE_ACTION_DELETE_HEADER
it won’t be sent to the origin server.
Name Description
Remove a specific cookie set on the client, which
RULE_ACTION_DELETE_COOKIE
means that it won’t be sent to the origin server.
Define the data center to which a specific request
RULE_ACTION_FORWARD_TO_DC
will be sent.
Define the port to which a specific request will be
RULE_ACTION_FORWARD_TO_PORT
sent.
Modify or add a header to the response received
RULE_ACTION_RESPONSE_REWRITE_HEADER
from the origin server.
Remove a specific response header, which means
RULE_ACTION_RESPONSE_DELETE_HEADER
that it won't be returned to the client.
Modify the response code received from the origin
RULE_ACTION_RESPONSE_REWRITE_RESPONSE_CODE
server
Name Description
RULE_ACTION_ALERT Generate a non blocking alert for this event.
Block the current request and generate an alert for
RULE_ACTION_BLOCK
this event.
Block the current session and generate an alert for
RULE_ACTION_BLOCK_USER this event. Any subsequent request from the same
Session will be blocked.
Block the current IP and generate an alert for this
RULE_ACTION_BLOCK_IP event. Any subsequent request from the same IP will
be blocked for a period of 10 minutes.
Require any client matching the rule filters to
RULE_ACTION_RETRY
support cookies in order to complete the request.
Require any client matching the rule filters to
support javascript in order to complete the request.
RULE_ACTION_INTRUSIVE_HTML Since the Javascript test is embedded in an HTML
page, this action should only be enabled for HTML
resources.
Require any client matching the rule filters to pass a
CAPTCHA test in order to complete the request.
RULE_ACTION_CAPTCHA Since the CAPTCHA test is embedded in an HTML
page, this action should only be enabled for HTML
resources.
Name Description
Count the number of requests received that match
RULE_ACTION_RATE
the rule filter.
Example request:
#!/bin/sh
Enable or disable
curl -X POST a rule
-d api_id=12345 -d api_key="48d69342-eaec-44cf-8a5c-56c4ff1cd5e8" -d rule_id=62
Note: You cannot disable a rate rule that is used by another rule.
/api/prov/v1/sites/incapRules/enableDisable
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
rule_id Rule ID.
When true, the rule will be enabled. Set to false to
enable
disable.
Example request:
#!/bin/sh
curl -X rule
Delete POST -d api_id=12593 -d api_key="64cc622a-9da5-4911-b389-c98a4997b4a0" -d rule_id=10
Note: You cannot delete a rate rule that is used by another rule.
/api/prov/v1/sites/incapRules/delete
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
rule_id Rule ID.
List rules
Use this operation to list security, delivery, and rate rules for a given site.
/api/prov/v1/sites/incapRules/list
Parameters:
Maximum: 100
Example request:
#!/bin/sh
Response structure:
{
"incap_rules_data": {
"All": [
{
"id": "3660",
"last_7_days_requests_count": "0",
"name": "Ortal",
"action": "RULE_ACTION_ALERT",
"filter": ""
}
]
},
"ad_rules_data": {
"Redirect": [
{
"to": "/home.php",
"id": "3648",
"priority": "1",
"last_7_days_requests_count": "0",
"name": "Test new",
"action": "RULE_ACTION_REWRITE_URL",
"from": "*/home.html",
"filter": "ASN == 1"
}
],
"Forward": [
{
"id": "3628",
"priority": "2",
"last_7_days_requests_count": "0",
"name": "move to rewrite",
"dc_id": "54313",
"action": "RULE_ACTION_FORWARD_TO_DC",
"filter": ""
}
]
},
"rate_rules":{
"Rates":[
{
"id":"4723",
"enabled":"true",
"interval":"120",
"name":"Test Rate IP",
"context":"IP",
"action":"RULE_ACTION_RATE",
"internal_name":"test-rate-ip",
"filter":" ASN == 2"
}
]
}
Set
} rule priority
Use this operation to change a Delivery Rule's priority.
/api/prov/v1/sites/incapRules/priority/set
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
rule_id Rule ID.
priority New priority for the selected rule.
Example request:
#!/bin/sh
/api/prov/v1/sites/dataCenters/add
Parameters:
LB_LEAST_PENDING_REQUESTS -
Server with least pending requests
LB_LEAST_OPEN_CONNECTIONS -
Server with least open
lb_algorithm Yes
connections
LB_SOURCE_IP_HASH - Server by
IP hash
Example request:
#!/bin/sh
Response structure:
{
"status": "ok",
"datacenter_id": "484377"
Edit
} data center
Use this operation to edit a site's data center.
/api/prov/v1/sites/dataCenters/edit
Parameters:
Example request:
#!/bin/sh
Delete
curl -X data center
POST "https://my.imperva.com/api/prov/v1/sites/dataCenters/edit?api_key=48d69342-eae
/api/prov/v1/sites/dataCenters/delete
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
dc_id The data center's ID.
/api/prov/v1/sites/dataCenters/list
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Example request:
#!/bin/sh
Response structure:
[
{
"isActive": true,
"id": "54313",
"enabled": "false",
"isStandBy": "false",
"servers": [
{
"id": "1034487",
"enabled": "true",
"address": "69.61.27.182"
}
],
"contentOnly": "true"
}
Add
] server
Use this operation to add a server to a data center.
/api/prov/v1/sites/dataCenters/servers/add
/api/prov/v1/sites/dataCenters/servers/edit
Parameters:
/api/prov/v1/sites/dataCenters/servers/delete
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
server_id Server ID.
Check CAA compliance
Check site’s associated SANs for CAA compliance. If a given SAN is compliant, its SSL domain validation status is
updated accordingly.
This operation returns an updated list of the site’s associated SANs that are not compliant. An empty list indicates that
all SANs are compliant.
/api/prov/v1/caa/check-compliance
Parameters:
Name Description
api_id API authentication identifier.
Name Description
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Example request:
Response structure:
{
"non_compliant_sans": [
"*.caa.incaptest.co"
],
"res": 0,
"res_message": "OK",
Move
} site
Use this operation to move a site from one account to another. You can move a site from a master account to one of its
sub accounts, or from one sub account to another.
/api/prov/v1/sites/moveSite
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to move.
The numeric identifier of the account which the site
destination_account_id
will be moved to.
Response structure:
{
"dnsInstructions":[
{
"aRecords":[
],
"aaaaRecords":[
],
"dnsComment":""
}
],
"status":"",
"sslInstructions":[
{
"recordName":"",
"recordType":"",
"recordValue":"",
"sslComment":""
}
],
"res":0,
"res_message":"OK",
"debug_info":{
"id-info":""
}
}
Name Description
dnsInstructions.aRecords The new A records for the site.
dnsInstructions.aaaaRecords The new AAAA records for the site.
For sites pending CA approval, indicates whether
dnsInstructions.dnsComment
DNS changes will be required once the site is moved.
/api/prov/v1/sites/data-privacy/region-change
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
data_storage_region The data region to use.
Name Description
APAC Asia Pacific
EU Europe
US United States
Response structure:
{
"res": 0,
"res_message": "OK"
Get
} site data storage region
Use this operation to get the site's data storage region.
/api/prov/v1/sites/data-privacy/show
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Response structure:
{
region: EU
"res":0,
"res_message":"OK"
}
Set site regions by origin geolocation
Use this operation to set the data storage region for each new site based on the geolocation of the origin server.
/api/prov/v1/sites/data-privacy/override-by-geo
Parameters:
Response structure:
{
"res":0,
"res_message":"OK"
Get site}regions by origin geolocation
Use this operation to check if the data storage region for each new site is based on the geolocation of the origin server.
/api/prov/v1/sites/data-privacy/show-override-by-geo
Parameters:
Response structure:
{
"override_site_regions_by_geo": true,
"res":0,
"res_message":"OK"
Set data} center Origin PoP
Set an origin PoP for a given data center.
/api/prov/v1/sites/datacenter/origin-pop/modify
Parameters:
/api/prov/v1/sites/datacenter/origin-pop/recommend
Parameters:
Response structure:
{
"pops":[
{
"id":"ord",
"name":"Chicago, IL",
"region":"US Central",
"rtt":1
},
{
"id":"nyc",
"name":"New York, NY",
"region":"US East",
"rtt":8
}
],
"reason":"N/A",
"res": 0,
"res_message": "OK",
"debug_info": {
}
Enable }Cache Shield
Enable Cache Shield for a given site.
/api/prov/v1/sites/performance/cache-shield/enable
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Use true to enable cache shield on the specified site,
enable
and false to disable it.
Is Cache Shield enabled
Use this operation to get the enablement state of the Cache Shield feature for a given site.
/api/prov/v1/sites/performance/cache-shield
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Modify Error Page
Use this operation to set a custom error page for a given site.
/api/prov/v1/sites/performance/error-page/modify
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
The error page HTML template. $TITLE% and
error_page_template
$BODY$ placeholders are required.
Example requests:
Adding a custom error page: When posting the full HTML file, use single quotation marks around the page code, as
follows:
To remove a custom error page, leave the error_page_template parameter empty, as follows:
/api/prov/v1/sites/performance/error-page
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
site_id Numeric identifier of the site to operate on.
Example request:
When at least one active data center is back up, you can manually reroute your traffic back to the active data center.
Traffic does not revert automatically to your active data centers.
/api/prov/v1/sites/dataCenters/resume
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
Name Description
site_id Numeric identifier of the site to operate on.
In this topic:
/api/prov/v1/ddos-protection/edge-ip/add/ip
Parameters:
Response structure:
{
"origin_ip": "1.2.3.4",
"edge_ip": "172.17.14.1",
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
/api/prov/v1/ddos-protection/edge-ip/add/cname
Parameters:
Response structure:
{
"cname": "imperva.test.com",
"edge_ip": "172.17.14.1",
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
If DNS check is enabled, the response will include the list of resolved IPs for the provided domain name, and the
operation will only succeed if the provided origin IP will be included in that list.
/api/prov/v1/ddos-protection/edge-ip/add/dns-with-ip
Parameters:
Response structure:
{
"resolved_ips": [
"157.166.226.25",
"157.166.248.11",
"157.166.249.10"
],
"origin_ip": "157.166.249.10",
"edge_ip": "172.17.14.1",
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
If DNS check is enabled, the response will include the list of resolved CNAME records for the provided domain name,
and the operation will only succeed if the provided CNAME will be included in that list.
/api/prov/v1/ddos-protection/edge-ip/add/dns-with-cname
Parameters:
Response structure:
{
"resolved_cnames": [
"imperva.test.com"
],
"cname": "imperva.test.com",
"edge_ip": "172.17.14.1",
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
This operation is also able to change the type of the entity protected by the provided Edge IP (Any existing
combination of Origin IP/CNAME and DNS name will be overwritten).
WARNING: Any entity already protected by this Edge IP prior to the change will no longer be protected once
modification is successful, unless duplicate protection is used.
/api/prov/v1/ddos-protection/edge-ip/edit/ip
Parameters:
Response structure:
{
"origin_ip": "5.6.7.8",
"edge_ip": "172.17.14.1",
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
This operation is also able to change the type of the entity protected by the provided Edge IP (Any existing
combination of Origin IP/CNAME and DNS will be overwritten).
WARNING: Any entity already protected by this Edge IP prior to the change will no longer be protected once
modification is successful, unless duplicate protection is used.
/api/prov/v1/ddos-protection/edge-ip/edit/cname
Parameters:
Response structure:
{
"cname": "imperva.test.com",
"edge_ip": "172.17.14.1",
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
This operation is also able to change the type of the entity protected by the provided Edge IP (Any existing
combination of Origin IP/CNAME and DNS name will be overwritten).
If DNS check is enabled, the response will include the list of resolved IPs for the provided domain name, and the
operation will only succeed if the provided origin IP is included in that list.
WARNING: Any entity already protected by this Edge IP prior to the change will no longer be protected once
modification is successful, unless duplicate protection is used.
/api/prov/v1/ddos-protection/edge-ip/edit/dns-with-ip
Parameters:
Response structure:
{
"resolved_ips": [
"157.166.226.25",
"157.166.248.11",
"157.166.249.10"
],
"origin_ip": "157.166.249.10",
"edge_ip": "172.17.14.1",
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
This operation is also able to change the type of the entity protected by the provided Edge IP (Any existing
combination of Origin IP/CNAME and DNS name will be overwritten).
If DNS check is enabled, the response will include the list of resolved CNAME records for the provided domain name,
and the operation will only succeed if the provided CNAME is included in that list.
WARNING: Any entity already protected by this Edge IP prior to the change will no longer be protected once
modification is successful, unless duplicate protection is used.
/api/prov/v1/ddos-protection/edge-ip/edit/dns-with-cname
Parameters:
Response structure:
{
"resolved_cnames": [
"imperva.test.com"
],
"cname": "imperva.test.com",
"edge_ip": "172.17.14.1",
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
By default, this setting is disabled during onboarding unless explicitly set to 'true'.
WARNING: Do not modify this setting unless you are familiar with the proxy protocol and understand the implications
of enabling or disabling it for your account.
/api/prov/v1/ddos-protection/edge-ip/edit/ha-protocol
Parameters:
Response structure:
{
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
WARNING: Any entity already protected by this Edge IP will no longer be protected once the operation is successful,
unless duplicate protection was enabled and used.
/api/prov/v1/ddos-protection/edge-ip/remove
Parameters:
Response structure:
{
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
In this topic:
To fetch data for specific sites, specify their IDs in a comma separated list in the site_id parameter.
To fetch data for all sites of the current account, do not specify the account_id or site_id parameters.
Get statistics
Use this operation to get site statistics for one or more sites. This operation may return multiple statistics, as specified
in the stats parameter.
/api/stats/v1
Parameters:
Name Description
visits_timeseries Number of visits by type (Humans/Bots) over time.
Number of hits by type (Humans/Bots/Blocked) over
hits_timeseries
time and per second.
Amount of bytes (bandwidth) and bits per second
(throughput) transferred via the Imperva network
bandwidth_timeseries
from clients to proxy servers and vice-versa over
time.
Total number of requests routed via the Imperva
requests_geo_dist_summary
network by data center location.
Total number of visits per client application and
visits_dist_summary
country.
Total number of requests and bytes that were
caching
cached by the Imperva network.
Number of requests and bytes that were cached by
the Imperva network, with one day resolution, with
caching_timeseries
info regarding the caching mode (standard or
advanced).
Total number of threats by type with additional
threats information regarding the security rules
configuration.
List of security rules with total number of reported
incap_rules
incidents for each rule.
List of security rules with a series of reported
incap_rules_timeseries
incidents for each rule with the specified granularity.
List of delivery rules with total number of hits for
delivery_rules
each rule.
List of delivery rules with total number of hits for
delivery_rules_timeseries
each rule with the specified granularity.
For all of the time series parameters, the data parameter gives results as follows:
This example shows results for two buckets, with the time stamp and number of human visits for each, with
granularity set to 10 minutes.
"visits_timeseries" : [
{
"id":"api.stats.visits_timeseries.human",
"name":"Human visits",
"data":[
[1344247200000,50],
[1344247800000,40],
...
]
},
The threats statistics provide the number of security incidents per threat type and additional information regarding
the configuration of the site with respect to each threat type. When fetching data for multiple sites or for an account
only, the name and incidents parameters will be returned.
Name Description
name Name of threat.
Total number of security incidents of this threat
incidents type. A negative value represents N/A, indicating
that data is not available.
Name Description
Possible values: View Incidents, Upgrade
Response structure:
{
"res": 0,
"res_message": "OK",
"visits_timeseries" : [
{
"id":"api.stats.visits_timeseries.human",
"name":"Human visits",
"data":[
[1344247200000,50],
[1344247500000,40],
...
]
},
{
"id":"api.stats.visits_timeseries.bot",
"name":"Bot visits",
"data":[
[1344247200000,10],
[1344247500000,20],
...
]
}
],
"requests_geo_dist_summary" : {
"id":"api.stats.requests_geo_dist_summary.datacenter",
"name":"Requests by data-center location",
"data":[
['Tokyo, JA',24365435],
['Los Angeles, CA',98762738],
...
]
},
"caching" : {
"saved_requests":23984923,
"total_requests":48723648,
"saved_bytes":762394786,
"total_bytes":1098349834
},
"caching_timeseries":[
{
"id":"api.stats.caching_timeseries.hits.standard",
"name":"Standard Requests Caching",
"data":[
[
1349647200000,
5
],
...
]
},
{
"id":"api.stats.caching_timeseries.bytes.standard",
"name":"Standard Bandwidth Caching",
"data":[
[
1349647200000,
3440
],
...
]
},
{
"id":"api.stats.caching_timeseries.hits.advanced",
"name":"Advanced Requests Caching",
"data":[
[
1349647200000,
0
],
...
]
},
{
"id":"api.stats.caching_timeseries.bytes.advanced",
"name":"Advanced Bandwidth Caching",
"data":[
[
1349647200000,
0
],
...
]
},
{
"id":"api.stats.caching_timeseries.hits.total",
"name":"Total Requests",
"data":[
[
1349647200000,
5000
],
...
]
},
{
"id":"api.stats.caching_timeseries.bytes.total",
"name":"Total Bandwidth",
"data":[
[
1349647200000,
10000
],
...
]
},
],
"hits_timeseries":[
{
"id":"api.stats.hits_timeseries.human",
"name":"Human requests",
"data":[
[
1360108800000,
131837
],
...
]
},
{
"id":"api.stats.hits_timeseries.bot",
"name":"Bot requests",
"data":[
[
1360108800000,
81804
],
...
]
},
{
"id":"api.stats.hits_timeseries.blocked",
"name":"Blocked requests",
"data":[
[
1360108800000,
629
],
...
]
},
{
"id":"api.stats.hits_timeseries.human_ps",
"name":"Human requests per second",
"data":[
[
1360108800000,
427
],
...
]
},
{
"id":"api.stats.hits_timeseries.bot_ps",
"name":"Bot requests per second",
"data":[
[
1360108800000,
261
],
...
]
},
{
"id":"api.stats.hits_timeseries.blocked_ps",
"name":"Blocked requests per second",
"data":[
[
1360108800000,
0
],
...
]
}
],
"threats" : [
{
"id":"api.threats.bot_access_control"
"name: "Badbot Visits",
"incidents": 12,
"status": "ok",
"status_text_id": "api.threats.action.block_request",
"status_text": "Block Request",
"followup":"api.threats.followup.view",
"followup_text": "View Incidents",
"followup_url": "https://my.incapsula.com/sites/siteVisits?token=1123_103_132344
},
{
"id":"api.threats.sql_injection"
"name": "SQL Injection",
"incidents": 3,
"status": "error",
"status_text_id": "api.threats.rule_support.not_supported",
"status_text": "Not Supported",
"followup":"api.threats.followup.upgrade",
"followup_text": "Upgrade",
"followup_url": "https://my.incapsula.com/billing/selectplan?token=1123_103_1323
},
...
],
"visits_dist_summary":[
{
"data":[
[
"np",
11
],
[
"no",
778
],
...
],
"id":"api.stats.visits_dist_summary.country",
"name":"Visits by country"
},
{
"data":[
[
"lwp-request",
122
],
[
"elkMonitor",
11550
],
...
],
"id":"api.stats.visits_dist_summary.client_app",
"name":"Visits by client application"
}
],
{
"bandwidth_timeseries":[
{
"data":[
[
1361318400000,
13078801085
],
...
],
"id":"api.stats.bandwidth_timeseries.bandwidth",
"name":"Bandwidth"
},
{
"data":[
[
1361318400000,
2520535
],
...
],
"id":"api.stats.bandwidth_timeseries.bps",
"name":"Bits per second"
}
],
"res":0,
"res_message":"OK"
}
"res":0,
"res_message":"OK"
}
"debug_info": {
"timerange": "last_7_days",
"site_id": 123
}
}
/api/visits/v1
The visits are fetched in reverse chronological order, starting with the most recent visit.
Not all visits are recorded - only visits with abnormal activity are recorded, such as a violation of security rules, visits
from black-listed IPs/Countries, etc.
A visit may still be updated even after it was retrieved. Visits are aggregated into a session, and Imperva may use a
suppression mechanism to trim repetitive events. This session is set by the Imperva reverse proxy and does not
correlate with the application session set between the end user browser and the origin server. To retrieve only visits
that will no longer be updated, use the list_live_visits parameter.
Parameters:
Default: true
Visit fields:
Action fields:
Threat fields:
Response structure:
{
"visits":[
{
"id":"133077760038625792",
"siteId":7,
"startTime":1361468485000,
"clientIPs":[
"12.13.14.15"
],
"country":[
"Sweden"
],
"countryCode":[
"SE"
],
"clientType":"Unclassified",
"clientApplication":"Bot",
"clientApplicationVersion":"0",
"httpVersion":"2.0",
"userAgent":"Mozilla/4.0 (compatible; MSIE 5.0; Windows 95; DigExt)",
"os":"Windows",
"osVersion":"Windows",
"supportsCookies":true,
"supportsJavaScript":false,
"hits":1,
"pageViews":1,
"entryReferer":"http://lp.usafis.org/_Incapsula_Resource?CWUDNSAI=9_E1521557&inc
"entryPage":"www.incapsula.com/ddos/ddos-mitigation-services",
"servedVia":[
"Los Angeles,
CA"
],
"securitySummary":{ // The following lists detected threats
"api.threats.sql_injection" : 2,
"api.threats.cross_site_scripting" : 1,
"api.threats.illegal_resource_access" : 3,
"api.threats.remote_file_inclusion" : 2,
"api.threats.customRule" : 3,
"api.threats.ddos=DDoS" : 4,
"api.threats.backdoor" : 2,
Overview
Organizations that purchased the Security Logs Integration SKU can download security events created for their
account and archive or push those events into their SIEM solution.
In both cases, it is highly recommended to encrypt the events using a private-public key pair generated by the
customer.
The Upload Public Key API is used to upload the public key created by the customer.
Once the API is successfully invoked, the new public key is used to encrypt the symmetric key (used for encrypting the
log files). Since the process of replacing/updating the public key may take several seconds, the customer decrypting
the log files should prepare to use the correct private key.
To let the customer know what public key was used for the encryption (and accordingly what private key to use for the
decryption), the Upload Public Key API returns an ID uniquely identifying the key pair. This ID is also added to the log
file’s metadata.
Customers should maintain the mapping between the ID and the key pair.
/api/logscollector/upload/publickey
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
config_id The Logs Collector configuration identifier.
The public key file (2048bit) in base64 format
public_key
(without password protection).
Response structure:
{
"publicKeyId":1,
"res":0,
"res_message":"OK"
}
Use this operation to change the status of the Logs Collector configuration.
/api/logscollector/change/status
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
config_id The Logs Collector configuration identifier.
Response structure:
{
"res":0,
"res_message":"OK"
}
/api/v1/infra/stats
Parameters:
Response structure:
{
"stats":[
{
"objectId":607074,
"payload":[
{
"interval":15000,
"startTime":1509936300000,
"data":[
0,
15,
...
],
"metric":"pps",
"pop":"tko",
"ipPrefix":"192.168.205.0/24",
"ipPrefixType":"bgp",
"traffic":"passed"
},
{
"interval":15000,
"startTime":1509936300000,
"data":[
7968575,
8484564,
...
],
"metric":"bw",
"pop":"tko",
"ipPrefix":"192.168.205.0/24",
"ipPrefixType":"bgp",
"traffic":"passed"
},
...
]
},
...
],
"res": 0,
"res_message": "OK",
"debug_info": {
}
Get
} Infrastructure Protection Events
Use this operation to get Infrastructure Protection event information for an account.
/api/v1/infra/events
Parameters:
Maximum: 100
Response structure:
{
"events":[
{
"eventTime":"2017-12-08 10:54:59 UTC",
"eventType":"DDOS_STOP_IP_RANGE",
"bwTotal":9000,
"ppsTotal":90,
"bwPassed":200,
"ppsPassed":87,
"bwBlocked":8800,
"ppsBlocked":3,
"eventTarget":"103.28.250.93/32",
"itemType":"IP_RANGE",
"reportedByPop":"zrh",
},
...
],
"res": 0,
"res_message": "OK",
"debug_info": {
}
Get
} Infrastructure Protection Top Items (Table View)
Use this operation to view the highest peak values and highest average values for a protected IP range during a
selected time period.
/api/v1/infra/top-table
Parameters:
Name Description
EU Europe
US United States of America
APAC Asia Pacific
Response structure
{
"stats":[
{
"object":"100.13.0.1",
"value":334229.33,
"total":1111616
},
{
"object":"100.13.0.3",
"value":334160,
"total":1109938
},
...
],
"res":0,
"res_message":"OK",
"debug_info":{
}
Get
} Infrastructure Protection Top Items (Graph View)
Use this operation to view the highest peak values and highest average values for a protected IP range during a
selected time period.
/api/v1/infra/top-graph
Parameters:
Name Description
EU Europe
US United States of America
APAC Asia Pacific
Response structure
{
"stats":[
{
"objectId":200,
"time":1522761000000,
"payload":[
{
"interval":15000,
"startTime":1522761000000,
"data":[
4627,
4067,
4245,
...
],
"metric":"pps",
"dataType":"ip",
"item":"100.13.0.1",
"traffic":"blocked"
},
{
"interval":15000,
"startTime":1522761000000,
"data":[
331656,
333291,
333387,
...
],
"metric":"pps",
"dataType":"ip",
"item":"100.13.0.3",
"traffic":"blocked"
},
...
]
}
],
"res":0,
"res_message":"OK",
"debug_info":{
}
Get
} Infrastructure Protection Histogram
Use this operation to view the highest packet size values for a protected IP range during a selected time period.
/api/v1/infra/histogram
Parameters:
Name Description
EU Europe
US United States of America
APAC Asia Pacific
Response structure
{
"stats":{
"PL_100":366450640,
"PL_200":305475960,
"PL_300":0,
"PL_400":0,
"PL_500":0,
"PL_600":0,
"PL_700":0,
"PL_800":6053680,
"PL_900":0,
"PL_1000":0,
"PL_1100":0,
"PL_1200":0,
"PL_1300":0,
"PL_1400":0,
"PL_1500":0
},
"res":0,
"res_message":"OK",
"debug_info":{
}
}
In this topic:
• Overview
• Add Login Protect User
• Edit Login Protect User
• Get Login Protect User
• Remove Login Protect User
• Send SMS to User
• Modify Site Login Protect Configuration
• Configure Login Protect on Admin Areas
Overview
What is Login Protect?
Imperva’s Login Protect feature lets online businesses implement strong two-factor authentication on any website or
application without integration, coding, or software changes.
Single-click activation lets you protect administrative access to any page or URL, secure remote access to corporate
web applications, and restrict access to a particular webpage.
Login Protect manages and controls multiple logins across several websites in a centralized manner. Two-factor
authentication is supported using either email, SMS, or Google Authenticator.
User Provisioning
Login Protect users are the users that will be allowed to access the protected pages. They are added to the account’s
Login Protect users list. Access permissions for specific sites can be decided during configuration of the site's
protected pages. Login Protect users can be provisioned using the Add Login Protect User API call.
If user details are available they can be associated with each user using the name, email and phone parameters.
If the details are not available the should_send_activation_email parameter should be set to True, in which case
users will get an activation email in which they will be able to enter their details.
(The “Send SMS” API call can be used in order to validate a user’s phone number, in case the
should_send_activation_email option is not used. In that case, it is advised to generate a random code, and send it
to the user’s phone using the Send SMS to User API call ).
Protected pages are added using the Modify Site Login Protect Configuration API call. The URLs of the protected pages
can be entered, in comma separated format, using the “urls” parameter. In order to define URL patterns (e.g. “URL
starts with” or “URL contains”) use the “url_patterns” parameters in accordance with the entered URLs.
It is also possible to allow access to specific users out of the account’s Login Protect users list using the
“specific_users_list” parameter. In order to get notifications on successful user logins to the protected pages use the
“send_lp_notifications“. Allowed authentication methods for the site can be decided using the
“authentication_methods” parameter.
Add Login Protect User
Use this operation to add a Login Protect user for a site.
/api/prov/v1/sites/lp/add-user
Parameters:
Response structure:
{
"res": 0,
"res_message": "OK",
"debug_info": {
"user E-Mail": "admin@example.com"
}
}
/api/prov/v1/sites/lp/edit-user
Parameters:
api_id=123
api_key=your key
account_id=1234
email=user@example.com
phone=1-8662507659
is_phone_verified=true
Response structure:
{
"res": 0,
"res_message": "OK",
"debug_info": {
"user E-Mail": "admin@example.com"
}
}
/api/prov/v1/sites/lp/users
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
account_id Numeric identifier of the account to operate on.
Response structure:
{
"res":0,
"users":[
{
"phone":"617-9876543",
"creation_date":"Jun 17, 2014 10:20:04 AM",
"email":"John@example.com",
"name":"John Doe",
"status":"INVITATION_SENT"
},
{
"phone":"972-38887778",
"creation_date":"May 15, 2012 08:01:11 PM",
"email":"Jame@example.com",
"name":"Jane Doe",
"status":"REVOKED"
}
]
"res_message":"OK"
}
/api/prov/v1/sites/lp/remove
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
account_id Numeric identifier of the account to operate on.
email Email address. For example: "joe@example.com"
/api/prov/v1/sites/lp/send-sms
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
account_id Numeric identifier of the account to operate on.
email Email address. For example: "joe@example.com"
sms_text Text that will be sent in SMS.
/api/prov/v1/sites/lp/configure
Parameters:
Default: false
Default: true
api_id=123
api_key=your key
site_id=1234
specific_users_list=user1@example.com,user2@example.com,user3@example.com
allow_all_users=false
api_id=123
api_key=your key
site_id=1234
urls=/admin,index.php
url_patterns=equals,contains
Response structure:
{
"res": 0,
"res_message": "OK"
}
/api/prov/v1/sites/lp/configure-app
Parameters:
api_id=123
api_key=your key
site_id=1234
protected_app=wordpress
Integration API
The following operations may be used to implement various integration scenarios with the Imperva service.
In this topic:
/api/integration/v1/ips
Parameters:
Response format.
Default: json
Response structure:
// JSON format
{
"ipRanges":[
"199.83.128.0/21",
"198.143.32.0/19",
...
],
"ipv6Ranges":[
"2a02:e980::/29"
],
"res":0,
"res_message":"OK"
}
// Nginx format
allow 199.83.128.0/21;
allow 198.143.32.0/19;
...
// iptables format
iptables allow host
tcp:in:d=80:s:199.83.128.0/21
tcp:in:d=80:s:198.143.32.0/19
...
// text format
199.83.128.0/21
198.143.32.0/19
/api/integration/v1/texts
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
Response structure:
{
"texts" : {
"api.stats.visits_timeseries.human":"Human visits",
"api.stats.visits_timeseries.bot":"Bot visits",
...
"api.threats.followup.view":"View Incidents"
},
"res": 0,
"res_message": "OK",
}
/api/integration/v1/geo
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
Response structure:
{
"countriesCodes":{
"BD":"Bangladesh",
"BE":"Belgium",
...
},
"continentsCodes":{
"AF":"Africa",
...
},
"res": 0,
"res_message": "OK",
Get
} client application info
Use this operation to retrieve a list of all the client applications.
/api/integration/v1/clapps
Parameters:
Name Description
api_id API authentication identifier.
api_key API authentication identifier.
Response structure:
{
"clientApps":{
"1":"Firefox",
...
},
"clientAppTypes":{
"1":"Browser",
...
},
"res": 0,
"res_message": "OK",
}
Note: Make sure your account settings are set up to send notifications to the correct recipients. For details, see
Notifications.
In this topic:
Infrastructure Protection
Infrastructure Protection IP Protection
Monitoring
DDoS Start
Use this operation to send a test notification informing you that an Infrastructure Protection DDoS attack has started.
You can optionally provide additional parameters to determine the magnitude of the attack.
/api/v1/infra-protect/test-alerts/ddos/start
Parameters:
Response structure:
{
"ip_prefix": "100.1.2.0/24",
"status": "DDoS start notification sent successfully",
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
/api/v1/infra-protect/test-alerts/ddos/stop
Parameters:
Response structure:
{
"ip_prefix": "100.1.2.0/24",
"status": "DDoS stop notification sent successfully",
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
/api/v1/infra-protect/test-alerts/connection/up
Parameters:
Response structure:
{
"connection_name": "CONNECTION_NAME",
"status": "Connection up notification sent successfully",
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
/api/v1/infra-protect/test-alerts/connection/down
Parameters:
Response structure:
{
"connection_name": "CONNECTION_NAME",
"status": "Connection down notification sent successfully",
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
/api/v1/infra-protect/test-alerts/ip-protection-status/up
Parameters:
Response structure:
{
"ip": "100.1.2.1",
"status": "IP Protection - status up notification sent successfully",
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
/api/v1/infra-protect/test-alerts/ip-protection-status/down
Parameters:
Response structure:
{
"ip": "100.1.2.1",
"status": "IP Protection - status down notification sent successfully",
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
/api/v1/infra-protect/test-alerts/monitoring/start
Parameters:
Response structure:
{
"exporter_ip": "100.1.2.1",
"status": "Monitoring start notification sent successfully",
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
/api/v1/infra-protect/test-alerts/monitoring/stop
Parameters:
Response structure:
{
"exporter_ip": "100.1.2.1",
/api/v1/infra-protect/test-alerts/monitoring/bad-data
Parameters:
Response structure:
{
"exporter_ip": "100.1.2.1",
"status": "Monitoring - bad data notification sent successfully",
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
/api/v1/infra-protect/test-alerts/monitoring/attack-start
Parameters:
Response structure:
{
"ip_prefix": "100.1.2.1",
"status": "Monitoring attack start notification sent successfully",
"res": 0,
"res_message": "OK",
"debug_info": {
"id-info": "999999"
}
}
All existing version 1 APIs, as documented in the Cloud Application Security API Reference, continue to be supported.
The APIs documented in this section either provide an alternative to existing APIs, or provide APIs with new
functionality.
In this topic:
See also:
For more details about Imperva APIs, see Imperva API Documentation.
In this topic:
• Events, as displayed on the Events page in the Cloud Security Console, and the associated threat alerts based
on the events.
Threat alerts are generated by the Imperva Cloud Security Console and are also stored temporarily in the
selected region. For more details on threat alerts, see Web Protection - WAF Settings, Website Notification
Settings, and Notifications.
Note: If log integration is enabled for a site, and you do not want data stored in the US, you must use the push
method (SFTP or Amazon S3). When using the pull method (Imperva Cloud Application Security API), Imperva
logs are temporarily stored in the Imperva cloud repository located in the US. For more details on log
integration, see Cloud WAF Log Integration.
The account administrator or a user with the appropriate permissions can set the default data storage region for new
sites created in the account, and also change the region for individual sites.
Account-level settings
The account-level data region setting sets the default storage region for new sites created in your account, and also
determines where network layer data is stored.
By default, network layer data collected for your account by Imperva is stored in the US. You can select an alternative
data storage region.
In the Cloud Security Console, open the Account Settings page and scroll to the Data Management section.
Setting Description
Site-level setting
The site-level data region setting determines the geographical region for storing your Layer 7 (application layer)
Imperva data.
By default, data that is collected for a site (events, logs) is assigned to its designated regional PoPs (data centers).
Imperva assigns a region to a site based on geolocation of the origin server registered for the site. You can override the
default storage region defined for your account.
On the Website General Settings page, scroll to the Data Storage section.
Setting Description
Data storage regions
APAC EU US AU
APAC EU US AU
• Miami, FL, United
States (MIA)
• Mumbai, India • Newark, NJ, United
(BOM) • Paris, France (CDG) States (NYC)
• New Delhi, India • Stockholm, Sweden • San Jose, CA,
(NDL) (STO) United States (SJC)
• Osaka, Japan (OSK) • Vienna, Austria (VIE) • São Paulo, Brazil
• Singapore (SIN) • Warsaw, Poland (GRU)
• Taipei, Taiwan (TPE) (WAR) • Seattle, WA, United
• Tel Aviv, Israel • Zürich, Switzerland States (SEA)
(MED) (ZRH) • Toronto, ON,
• Tokyo, Japan (TKO) Canada (TOR)
• Vancouver, BC,
Canada (VAN)
Data masking
You can choose to enable the hashing method for masking fields in your sites' logs and in the Events page, instead of
default (XXX) data masking. For details, see Website General Settings.
Delete stored data
You can permanently delete the data stored for your account. This enables you to remove all potentially sensitive or
personal data that is stored in our systems, such as IP addresses.
Feature Description
SIEM logs If you are using the pull mode for log integration, the
logs created before the deletion are no longer
Feature Description
available for download from the Imperva cloud
repository.
On the Cloud Security Console sidebar, select Management and navigate to Account Settings > Data Management >
Delete sites’ security and access event data and click Delete.
After you click to confirm the deletion, the process begins and an email confirmation is sent to you.
Note: Email notifications are sent to the email addresses listed under E-mail for notifications in your account
settings. For details, see Account Settings.
During the deletion process, a notification banner is displayed when you log in to your Imperva account, indicating
that the deletion is underway. Data is permanently deleted within 48 hours.
• Non-HTTP traffic needs to be passed to the origin server with no WAF inspection (e.g., proprietary protocols).
• HTTP/S traffic needs to bypass WAF inspection and tunnel directly to a specific origin server (impacting all
domains sharing the IP).
• Non-SNI clients, such as APIs, need to be served with a custom SAN certificate for multiple customer domains.
• Non-SNI clients need to be served with a custom cipher-list or TLS versions.
• Only your domains are allowed to appear on the Imperva-generated SAN certificate list, such that no other
brands or competitors will share the same certificate.
Set up of a dedicated network is configured by the Imperva support team. Note that some dedicated network settings
require a Professional Services engagement.
CNAME Reuse
This topic describes how to link multiple domains under the same Imperva site configuration and policy.
Note: The availability of this feature depends on your subscription. For more information or to upgrade your plan,
contact an Imperva sales representative.
In this topic:
• Overview
• The Imperva CNAME reuse flow
• CNAME reuse and third-party CDNs
• CNAME reuse examples
Overview
Imperva enables the use of site settings for several different domains that share the same IP address. This is
implemented by using a CNAME.
Using a CNAME is the most common way to “symlink” one DNS record to another. Queries asking for a specific
destination are referred by domain name to the target destination, which may be located somewhere else on the
internet.
This setup is called CNAME reuse. When you reuse a CNAME, Imperva proxies make a public DNS query in order to find
the host and resolve it to the original site.
To reuse a CNAME, use the CNAME provided by Imperva for all relevant domains that you want to link under the same
site configuration and policy used by the target record.
• Any domain can use the CNAME of any other domain that is configured as a Website in the Imperva Cloud
Security Console (Cloud WAF).
• The domains sharing the CNAME will also share the Imperva console configuration (dashboards, statistics,
settings, WAF, etc), of the website configured in Imperva.
• CNAME reuse can be used only for domains hosted by the same origin server (same IP address).
• SSL support:
• Imperva-generated certificate (valid for SNI and non-SNI clients): CNAME reuse requires the
multiple domains to be under the same wildcard SAN (e.g. *.somedomain.com) configured on the
Imperva-generated certificate for the website that is configured in Imperva. Otherwise, each domain
should be registered as a separate website.
• Custom certificate (valid for SNI Clients only): CNAME reuse requires the multiple domains to be
listed in the custom certificate uploaded for the website that is configured in Imperva.
example.com.
3600 IN A 8.8.8.8
www.example.com.
3600 IN CNAME incap.abc123.com.
blog.example.com.
3600 IN CNAME incap.abc123.com.
e-
3600 IN CNAME incap.abc123.com.
store.example.com.
In this example:
Note: There can be a situation in which a site is already configured on Imperva and in addition, also points to a
CNAME value of a different site on Imperva. In this case, the Imperva proxy sends the request to the Host which is
explicitly configured on Imperva, and not to the derived site that the CNAME value belongs to.
CNAME reuse examples
Use Case 1 - SUPPORTED: Non-SSL sites, different domains, all served by the same origin IP
In this example, an Imperva customer onboards one site only, such as www.somedomain.com, gets an Imperva
CNAME such as xyz.x.incapdns.net, and points all of their domains to the same CNAME.
Use Case 2 - SUPPORTED: SSL sites, all subdomains covered by same wildcard, served by the same origin IP
Wildcard: *.somedomain.com
Sites:
In this example, an Imperva customer onboards one site only, such as www.somedomain.com, performs wildcard
domain validation for SSL, gets an Imperva CNAME such as xyz.x.incapdns.net, and points all their sites to the same
CNAME.
HTTP/2 FAQ
Answers to some common questions about HTTP/2 and Imperva.
What is HTTP/2?
Hypertext transport protocol (HTTP) is how browsers communicate with web servers and how pages are rendered in
them since the 90s.
HTTP/2 is the latest update to HTTP. It provides multiple new features that enhanced website performance by
resolving HTTP’s inherent limitations.
• Multiple Requests Served by a Single Server Connection: When HTTP is used to surf a website, the initial
request retrieves the page. Additional items attached to the page, such as JavaScript or images, must each be
retrieved by a separate additional request.
HTTP/2 provides browser multiplexing so that multiple requests can be passed through a single server
connection. This enables the server to push several resources at once, which causes the pages to load more
efficiently and reduces network load.
• Transmission in Binary Code: Older HTTP versions send data via text, which is then translated by the host
through parsing. HTTP/2 transfers information in binary code, which speeds up the connections by offloading
the data transformation efforts.
Increasing Security
Current browsers only support HTTP/2 through an encrypted connection, making it safer than alternative protocols.
Imperva acts as a reverse proxy between end-user browsers and the website origin servers.
Imperva serves HTTP/2 to browsers that support it without changing anything between the Imperva proxy and the
origin server.
Imperva HTTP/2 support is not required on the customer web server. Browsers that support HTTP/2 all enforce
encrypted connections and therefore SSL must be enabled.
Dashboard
5. On the Dashboard page, click the Perfomance tab and scroll down to the HTTP versions graph:
On the Dashboard page, click the Real-Time tab, then click the Show visitor samples button to display the details of
specific visitors.
Events Log
3. On the sidebar, click Security Events. The names of the traffic protocols are displayed.
• Account Settings
• Delivery Settings
IPv6 Support
Imperva provides IPv6 support for websites on Imperva’s service.
In this topic:
• What is IPv6?
• The transition from IPv4 to IPv6
• Imperva as your IPv6 gateway
• Providing the end user’s IP address
• IPv4/IPv6 load balancing
• Compressing IPv6 zeros
What is IPv6?
IPv6 (Internet Protocol Version 6) is the successor to Internet Protocol Version 4 (IPv4). IPv6 is being deployed to fulfill
the need for more Internet addresses. The growth of the Internet will soon use up the IPv4 addresses.
IPv6 uses 128-bit addresses that enable up to 2128 addresses (three hundred and forty trillion, trillion trillion unique
IP addresses), which is a lot more than IPv4.
2005:db5:5555:5:555:5555:5555:5555
IPv6 is designed to allow the Internet to grow significantly, both in terms of the number of connected hosts and the
total amount of data traffic transmitted.
The transition from IPv4 to IPv6
Currently, IPv4 is still the prevalent Internet Protocol used for addresses. Only a small percentage of traffic is currently
transmitted via IPv6 (maybe less than 5% of total Internet traffic). A variety of Internet leaders, governments and
regulation entities throughout the world are leading the migration to IPv6.
The new IPv6 will coexist with the older IPv4 for some time, possibly for many years. The two protocols are not
designed to be interoperable, thus complicating the transition to IPv6. However, several IPv6 transition mechanisms
have been devised to permit communication between IPv4 and IPv6 hosts.
Imperva as your IPv6 gateway
Imperva provides IPv6 support of both client-side and server-side IPv6 traffic. This means that IPv6 is supported both
for traffic between your end users and Imperva’s PoP and also for traffic between Imperva’s PoP and your origin
servers.
In this way, Imperva can act as an IPv6 gateway for you, so that you can retain your IPv4 setups and Imperva will
service your clients who send IPv4 and IPv6, as needed. This saves you the significant investment of updating your
origin servers’ set up to support IPv6 and allows you to service your clients without having to upgrade your servers.
When a client connects via IPv6, we attempt to connect to the IPv6 origin address. If it is not available or does not
exist, we connect to the origin’s IPv4 address. For example, if your origin server only services IPv4 and an end user
sends an IPv6 message, then Imperva acts as an IPv6 gateway. Imperva receives the IPv6 message and forwards the
message to your origin server according to the server’s unique IPv4 address.
For this purpose Imperva adds an RFC HTTP X-Forwarded-For header to each end user request before forwarding it to
your origin server. This is done in a similar manner to how each HTTP proxy adds another X-Forwarded-For header
before forwarding. An X-Forwarded-For (XFF) HTTP header is an existing standard (not originating from IPv6) for
identifying the originating IP address of a client connecting to a web server through an HTTP proxy.
Note: A Request for Comments (RFC) is a formal document from the Internet Engineering Task Force (IETF) that is the
result of committee drafting and subsequent review by interested parties.
Imperva uses the X-Forwarded-For header to append the actual IP address of your end user.
Imperva can append X-Forwarded-For headers that contain the end user’s IPv6 addresses. Appending this X-
Forwarded-For header enables your origin server to see the actual IP address of the end users. Otherwise, the origin
server does not see end users’ IP addresses, but only sees Imperva’s IP address.
Imperva does not activate this functionality by default because, some parsers on the origin side (mostly the ones used
by logging and statistics applications), may not be able to parse IPv6 addresses and will not function properly.
Therefore, in order to get this functionality, you must open a ticket and request it.
In general, an end user’s IP address is not required by applications on your origin server. This is because these
applications can communicate with end users using Imperva’s proxy IP (that was sent in the request). However, if
these applications require an end user’s IP address, then it can be extracted from the X-Forwarded-For header. For
example, an application might require an end user’ s IP address for statistical purposes, marketing purposes or other
purposes that detect the geolocation of the end user.
IPv4/IPv6 load balancing
The following describes how Imperva handles the situation where you have multiple origin servers. In this case some
of your origin servers are IPv4 only, some are IPv6 only and some are dual stack (IPv4 and IPv6).
The dual stack server is treated as if it is two different servers even if they are running on the same physical device.
Imperva also enables you to configure load balancing so that IPv6 traffic is only sent to IPv6 servers and IPv4 traffic is
only sent IPv4 servers. Alternatively, you can configure that Imperva sends traffic to any origin server, regardless of
whether it is IPv4 or IPv6.
Note: Each IP address, regardless of whether it is IPv4 or IPv6 appears separately in the Imperva dashboard. Traffic is
not separated by server in any way. For example, in the scenario described above, each request from a different user
(meaning each IP address) to any server appears separately in the Imperva dashboard. The dual stack server appears
in the Imperva dashboard as if it is two different servers even if they are running on the same physical device.
Compressing IPv6 zeros
Imperva supports both compressed-zeroes format and non-compressed zeros format for entering IPv6 addresses
Many IPv6 addresses contain long sequences of zeros. Imperva simplifies the representation of such IPv6 addresses,
by removing contiguous sequences of zeros according to RFC conventions and using the standard library to do these
conversions.
A Domain Name System (DNS) server contains a registry that maps each human-readable domain name (e.g.
www.yourdomain.com) to its IP address (e.g. 123.123.123.123), thus enabling visitors to access the relevant site from
anywhere in the world.
DNS Resolution
DNS is a distributed and hierarchical network of servers distributed all over the world. Each end user’s DNS server
does not hold a registry mapping for every domain in the world.
However, each DNS server does know how to navigate through the hierarchy of DNS servers in the world in order to
find that single Authoritative Name Server that contains the mapping of the requested domain to its IP address.
An Authoritative Name Server is the single DNS server responsible for resolving the DNS requests of a specific domain.
In most cases, the Authoritative Name Server of your site is located at your web hosting provider, although some
domains maintain their own Authoritative Name Server.
DNS Caching
Web servers and CDNs maintain a cache of DNS records. Thus, most DNS replies are retrieved from cache and do not
need to refer to the original DNS server. Requests that cannot be resolved using this cached information are passed on
to the original DNS server.
The IP address of each DNS domain request is cached in each DNS server as it is routed through the global hierarchy
of DNS servers in order to find the IP of its single Authoritative Name Server. The visitor’s browser also caches the DNS
in order to improve site performance for repeat visits.
Each such DNS record comes with a Time to Live (TTL) setting that specifies the amount of time that this DNS record
will be cached by each server. After the TTL expires, that DNS record is discarded and a new DNS query is sent to
retrieve the updated address.
DNS Zone
A DNS Zone represents the domain name space that is managed by a single Authoritative Name Server. A DNS Zone
resides on its Authoritative Name Server and contains multiple DNS entries for each sub-domain.
'A' record
An A (address) record is a DNS Zone record that maps a domain name to an IP address.
CNAME record
A CNAME (Canonical Name) record specifies that a domain name is an alias for another domain name.
Naked Domain
A naked domain is simply a domain name without the subdomain prefix. For example, without the www, docs, or help
prefix. At most DNS service providers, only A records are allowed for naked domains.
Attack Analytics
Attack Analytics is a tool to help speed up the security investigation of WAF alerts. It provides a comprehensive view of
attacks and attackers targeting your resources. The Attack Analytics service aggregates and analyzes your account’s
security alerts, identifies common characteristics, and groups them into meaningful security incidents.
For more information, see Attack Analytics and Attack Analytics Documentation .
• Cloud WAF protection for up to 10 sites. An always-on service that mitigates attacks targeting your websites
and web applications.
• Content Delivery Network (CDN). Improve your website performance while lowering bandwidth costs.
• SIEM integration. Integrate Imperva logs with your SIEM solution.
• Attack Analytics. Simplify your application security event investigations to quickly mitigate and respond to real
threats.
Subscribe
The Imperva FlexProtect Pro service is available through the AWS Marketplace.
Imperva Cloud Security Console
Once you subscribe to the Imperva FlexProtect Pro service, you can log in to your Imperva account.
• gain visibility into attacks on your websites and web applications, with live views of incoming traffic, security
events, and server activity.
• manage your account and WAF settings. Define general site attributes and options related to security, web
scraping protection, performance, and availability of your website.
• create up to 4 additional account users for your team members, to enable collaboration and co-management of
the Imperva service.
Billing and usage
You can view your billing and usage details in the AWS Management Console.
Billing is based on pure volume of usage in a calendar month, rounded up to the nearest gigabyte.
At the end of each month, billing is calculated and the usage count is reset to 0.
For example:
For total usage in a month of 94.3 GB, usage is rounded up to the nearest GB (95) and calculated as follows:
1 GB at Rate A
9 GB at Rate B
85 GB at Rate C
Total = (1 X A) + (9 X B) + (85 X C)
Additional examples
No. Billing is done only via AWS. No features can be added at this point, but this may change moving forward.
There is no way to do that using this plan. You need to unsubscribe via AWS and contact Imperva sales to purchase a
new plan.
I subscribed in AWS, but never completed the Imperva registration process. Will I be charged?
If you did not complete the process of creating your account and configuring your sites to work with Imperva, you will
not be charged. Billing is calculated based on bandwidth usage for traffic to your sites.
We will terminate your account and send the final data usage to AWS within one hour.
Can I resubscribe?
Yes. If you decide to resubscribe within 30 days of the time you unsubscribed, we will enable your old account and you
will be able to login as usual. All the settings of your account will be saved.
If you resubscribe after 30 days, your old account will have already been removed, and you will need to go through the
full process of setting up your account.