How To Setup Imperva Incapsula With Sucuri WAF

by Sunny Hoi
Why Setup And Use Imperva Incapsula CDN And WAF With Another Cloud-Based WAF Like Sucuri CloudProxy Firewall?

Imperva Incapsula’s Web Application Firewall employs proprietary technology.

Since Incapsula’s WAF is a proprietary solution, Incapsula is equipped with the advantage of being far more sturdy against malicious threat actors’ counter-intelligence. Moreover, Incapsula’s WAF tends to generate less false positives which make it an ideal pairing with a CDN or WAF.

Since Incapsula’s WAF is a proprietary solution, Incapsula is equipped with the advantage of being far more sturdy against malicious threat actors’ counter-intelligence.

Since many cloud-based WAFs are based on a variation of the popular open source Web Application Firewall ModSecurity (also occasionally referred to as Modsec), they tend to be more vulnerable to potential advanced adversaries. Akamai making use of ModSecurity CoreRule Set goes to 2011. Notably, in the middle of 2013, Akamai has since adopted their own proprietary Kona Rule Set to enhance their WAF.

Numerous security vendors like Sucuri, CloudFlare, and Akamai have devised many revisions and implemented them due to the number of bypasses demonstrated by the community. As a result, these vendors tend to yield higher false positives since they possess strict signatures/rule-sets.

When the source code of anything can be viewed by the public online, there are substantial opportunities for interested parties to scrutinize it. One action tends to lead to another.

Using Imperva Incapsula’s CDN and WAF creates an additional security layer when used in conjunction with Sucuri CloudProxy Firewall.

Incapsula’s CDN is fast, and the WAF is excellent. Sucuri Firewall is also fantastic, of course. Having two distinct WAFs inspect your HTTP/HTTPS web traffic before it goes to your origin server is nice. Of course, a tradeoff is that there will be a trivial reduction in page speed since traffic is inspected twice. If an attack is missed by one of the WAFs, the other one can potentially detect and block it since the products are distinctively different.

Did the hacker manage to bypass Imperva Incapsula’s WAF? No problem. Now also bypass Sucuri CloudProxy Firewall.

When you implemented two of these WAFs, the adversary has to bypass both of them. If he successfully bypasses, Imperva Incapsula’s WAF then he has to also deal with signatures of Sucuri CloudProxy Firewall. This gives the system admin or webmaster the opportunity to conduct forensic analysis of the web server logs and utilize any defensive measures available to defend against future attacks.

Incapsula & Sucuri Can Be Cost-Effective

Can’t afford to buy Incapsula’s monthly Business Plan and receive DDoS protection? No problem. Just buy Incapsula’s Pro Plan and Sucuri CloudProxy Firewall Plan. If your website gets DDoSed, Incapsula can simply route the malicious traffic to your origin server IP which is Sucuri’s server and not your origin website server IP address. Sucuri will soak up all of the traffic and mitigate the DDoS effectively. FYI, Sucuri has no limit in DDoS, unlike Incapsula and Cloudflare. Cloudflare claims a flat-rate price, but if the DDoS is seriously affecting everyone else, they can legally shut their services on you. They reserve the rights to do so. Really, read the legal details.

As a bonus, Incapsula will save you server bandwidth. Incapsula has a fantastic ability to block malicious bots that Sucuri misses and can challenge suspicious bots accordingly via captcha.

I sound like a professional salesman from FutureShop now.

How To Deploy Incapsula And Sucuri Together
Put Incapsula In Front of Sucuri CloudProxy Firewall

Incapsula has the capability of acting as a first tier in front of Sucuri, handling all of the initial web traffic flowing in. This setup is recommended for sites that need full security coverage. This is achieved by pointing the domains to Imperva Incapsula and setting Sucuri’s Server IP address as the origin server in Incapsula’s dashboard.

When you place Incapsula In Front of Sucuri Firewall, the web visitor is referred to Incapsula first then to Sucuri for further inspection prior visiting the web page.

Thus, Web Visitor > Incapsula > Sucuri > Site. (If I’m not a malicious bot, a script kiddie, or relatively low-level adversary, then I can visit your site now.)

Anyone can sign up for a free trial of Incapsula’s Business or Pro Plan here (7 days for Business and 14 days for Pro).

Also, you can take a look at Sucuri CloudProxy plans here (I strongly suggest you consider any of these plans as they provide extreme value for the price.)

After you have signed up, entered your domain into Incapsula, Incapsula will scan the records, and provide you with 2 Incapsula IP addresses for your A records and one DNS for your CNAME.

You need to add/edit two A records and one CNAME in your provider’s DNS panel.

To illustrate this, I provide a setup I’ve used with Namecheap:

Set Single Origin Server To Sucuri’s IP Address.

  1. Login to Imperva Incapsula’s Dashboard
  2. Click on Your Website’s Domain Name in the Websites Selection.
  3. Click on ‘Settings‘ section.
  4. In ‘Origin Servers‘ section, type in Sucuri’s Server IP Address and click Save.

Set Sucuri Behind External CDN (Imperva Incapsula):

  1. Login to Sucuri’s Firewall Dashboard.
  2. Click on ‘General‘ section.
  3. Click on ‘CDN Support‘ section.
  4. Choose Other from the box. Then click Proceed.

Prevent Firewall Bypass Imperva Incapsula’s WAF and Sucuri CloudProxy WAF.

It is extremely important to prevent Incapsula’s Firewall and Sucuri’s Firewall from being bypassed if the threat actor manages to find your web server’s origin IP address.

If the hacker manages to connect directly to the server’s origin IP and you haven’t implemented any restrictions on blocking all IPv4 and IPv6 addresses except for a selected few, then there is likely to be a significant detrimental impact on the site’s web application security.

For how to accomplish preventing firewall bypass, please refer to one of the tutorials I’ve written here.

How To Know If Imperva Incapsula And Sucuri Are Working Correctly?

If your website has a search bar, you can go into it and type in the search box: <script>Hello</script>.

Hence, something like:<script>Hello</script>.

The Cross-Site Scripting Attack (XSS) should be immediately blocked by Incapsula. You will be shown a blocked page like this:

If you haven’t changed the default XSS block setting to Block Request in Incapsula’s Dashboard, you should do so prior to testing this.


Furthermore, the XSS attempt will be recorded for future reference in Incapsula’s dashboard for you to look at if you want to. An incident ID is generated.

To test if Sucuri’s WAF protection is still working, type in your address bar:

You will be presented with a blocked page like this:

Remember that if an attack or malicious bot gets blocked by Imperva Incapsula’s WAF, then Sucuri’s Real Time Server Logs won’t record, show these actions, and indicate their presence.

Ping your website’s domain and it should start returning one of Imperva Incapsula’s IP addresses you have changed in your records rather than one of Sucuri’s IP addresses.

Also to check whether Incapsula is indeed fully configured, type in your address bar:

A blank page stating “No Parameters” should appear.

You will also soon start seeing the user agent Incapsula Connection Learning in your Sucuri’s Real Time Server Logs In Sucuri’s Dashboard.


Also be sure to check out my Sucuri CloudProxy Firewall review here.

Related Posts