Imperva SecureSphere v13.0 WAF On AWS Deployment Kit BYOL Configuration Guide
March 2018
Copyright Notice
© 2002 - 2018 Imperva, Inc. All Rights Reserved.
Follow this link to see the SecureSphere copyright notices and certain open source license terms:
https://www.imperva.com/sign_in.asp?retURL=/articles/Reference/SecureSphere-License-and-Copyright-Information
This document is for informational purposes only. Imperva, Inc. makes no warranties, expressed or implied.
No part of this document may be used, disclosed, reproduced, transmitted, transcribed, stored in a retrieval
system, or translated into any language in any form or by any means without the written permission of Imperva,
Inc. To obtain this permission, write to the attention of the Imperva Legal Department at: 3400 Bridge Parkway,
Suite 200, Redwood Shores, CA 94065.
Information in this document is subject to change without notice and does not represent a commitment on the
part of Imperva, Inc. The software described in this document is furnished under a license agreement. The software
may be used only in accordance with the terms of this agreement.
This document contains proprietary and confidential information of Imperva, Inc. This document is solely for the
use of authorized Imperva customers. The information furnished in this document is believed to be accurate and
reliable. However, no responsibility is assumed by Imperva, Inc. for the use of this material.
TRADEMARK ATTRIBUTIONS
Imperva and SecureSphere are trademarks of Imperva, Inc.
All other brand and product names are trademarks or registered trademarks of their respective owners.
PATENT INFORMATION
The software described by this document is covered by one or more of the following patents:
US Patent Nos. 7,640,235, 7,743,420, 7,752,662, 8,024,804, 8,051,484, 8,056,141, 8,135,948, 8,181,246, 8,392,963,
8,448,233, 8,453,255, 8,713,682, 8,752,208, 8,869,279 and 8,904,558, 8,973,142, 8,984,630, 8,997,232, 9,009,832,
9,027,136, 9,027,137, 9,128,941, 9,148,440, 9,148,446 and 9,401,927.
Imperva Inc.
3400 Bridge Parkway
Redwood Shores, CA 94065
United States
Tel: +1 (650) 345-9000
Fax: +1 (650) 345-9004
Website: http://www.imperva.com
Name           Description
KeyPairName    The AWS key pair for connecting to the NAT instances and SecureSphere servers.
MXPassword     The password used to log in as an admin user to the Management Server UI.
ProtectedSite  The address of a site that the user would like SecureSphere to protect.
Note: If you encounter an error that states "Your requested instance type (<instance>) is not
supported in your requested Availability Zone (<zone_x>). Please retry your request by not specifying
an Availability Zone or choosing <zone_y>, <zone_z>", perform the following:
a. Open the JSON file.
b. Find the section RegionToZoneMap.
c. In the row that begins with the region specified by availability zone <zone_x>, replace the
   problematic availability zone <zone_x> with either <zone_y> or <zone_z>.
d. Save the file.
e. Redeploy SecureSphere WAF with the AWS Development Kit.
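Steps b to d can be scripted so that only the affected region's row is touched. The following is an added example, not part of the Imperva guide or the deployment kit; it assumes the JSON file is a CloudFormation template with RegionToZoneMap under Mappings and rows keyed by region name, and the sample template and zone names are constructed.

```python
import json

# Constructed sample. Assumed layout (not shown in the guide): a CloudFormation
# template whose Mappings section has a RegionToZoneMap keyed by region name.
SAMPLE_TEMPLATE = """{
  "Mappings": {
    "RegionToZoneMap": {
      "us-east-1": {"Zone1": "us-east-1a", "Zone2": "us-east-1b"},
      "eu-west-1": {"Zone1": "eu-west-1a", "Zone2": "eu-west-1b"}
    }
  }
}"""


def swap_zone(value, bad, good):
    """Return (new_value, hits) with every string equal to `bad` replaced."""
    if isinstance(value, str):
        return (good, 1) if value == bad else (value, 0)
    if isinstance(value, list):
        pairs = [swap_zone(v, bad, good) for v in value]
        return [p[0] for p in pairs], sum(p[1] for p in pairs)
    if isinstance(value, dict):
        pairs = {k: swap_zone(v, bad, good) for k, v in value.items()}
        return ({k: p[0] for k, p in pairs.items()},
                sum(p[1] for p in pairs.values()))
    return value, 0


def replace_zone(template_text, bad_zone, good_zone):
    """Steps b-d: edit only the row of the region that owns bad_zone."""
    template = json.loads(template_text)
    zone_map = template.get("Mappings", {}).get("RegionToZoneMap")
    if zone_map is None:
        raise KeyError("RegionToZoneMap section not found")
    region = bad_zone[:-1]  # assumes zone name = region name + one letter
    if good_zone[:-1] != region:
        raise ValueError("replacement zone belongs to a different region")
    if region not in zone_map:
        raise KeyError("no row for region " + region)
    zone_map[region], hits = swap_zone(zone_map[region], bad_zone, good_zone)
    if hits == 0:
        raise ValueError(bad_zone + " does not appear in the row")
    return json.dumps(template, indent=2), hits
```

Write the returned text back to the file, then redeploy as in step e.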
Note: If you are using an S3 bucket to host the license file, verify that the permissions are as follows:
Grantee: Everyone
Open/Download: checked
View Permissions: not checked
Edit Permissions: not checked
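The permissions above can be verified from the object's ACL instead of the console. The following is an added example, not part of the Imperva guide; it reads JSON in the shape printed by `aws s3api get-object-acl`, the sample ACL is constructed, and the mapping of the three console checkboxes to ACL permission names is an assumption stated in the code.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # S3 "Everyone"
# Assumed mapping from the console checkboxes in the note to ACL permissions.
CHECKBOX = {"READ": "Open/Download", "READ_ACP": "View Permissions",
            "WRITE_ACP": "Edit Permissions"}

# Constructed sample in the shape printed by `aws s3api get-object-acl`.
SAMPLE_ACL = """{
  "Owner": {"ID": "constructed-owner-id"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "%s"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "%s"}, "Permission": "WRITE_ACP"}
  ]
}""" % (ALL_USERS, ALL_USERS)


def everyone_permissions(acl_text):
    """Collect the permissions granted to the Everyone (AllUsers) group."""
    perms = set()
    for grant in json.loads(acl_text).get("Grants", []):
        if grant.get("Grantee", {}).get("URI") == ALL_USERS:
            perm = grant.get("Permission")
            # FULL_CONTROL on an object implies every object-level permission.
            perms |= set(CHECKBOX) if perm == "FULL_CONTROL" else {perm}
    return perms


def audit_license_acl(acl_text):
    """Return a list of deviations from the permissions the note requires."""
    perms = everyone_permissions(acl_text)
    findings = []
    if "READ" not in perms:
        findings.append("Open/Download is not granted to Everyone")
    for perm in sorted(perms - {"READ"}):
        findings.append("Everyone also has %s (%s); the note requires it "
                        "unchecked" % (perm, CHECKBOX.get(perm, "not in note")))
    return findings
```

An empty list means the ACL matches the note; the constructed sample yields one finding because Edit Permissions is granted to Everyone.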
ManagementURL: The link to the Management Server UI, which enables you to manage your SecureSphere
system.
ProtectedSite: The link to the protected site.
Notes:
- The AWS development kit creates a forwarding rule in the NAT instance to allow external access to
  the Management Server port. For production environments, remove this and ensure that the
  Management Server is accessible by internal connections (e.g. jump server) only.
- The NAT instance's DNS name may change after reboot. This new DNS name will not appear in the
  value of the ManagementURL. You can find the new name in the EC2 console.
Moving to Production
If you want to turn your deployment kit setup into a production setup, consider carrying out the
following tasks:
- Remove external access to the Management Server: The AWS development kit creates a forwarding rule in
  the NAT instance to allow external access to the Management Server port. For production environments,
  remove this and ensure that the Management Server is accessible by internal connections (e.g. jump server)
  only.
- Protect internal servers: You need to configure your web application servers so that they receive traffic via the
  WAF only. The WAF should then be connected to the web servers' VPC. This can be achieved by VPC peering.
  For more information, see VPC Peering.
- Move to protection: For more information, see Configuring Operation Mode.
- Configure XFF: For more information, see XFF.