Create and Manage Policies
Create policies to centrally configure settings and apply them to sites in your account.
Note: Starting on June 21, 2020, existing customer accounts will be migrated to Policy Management over a period of several weeks. For more details, see Migration below.
In this topic:
- Create a policy
- Policy types
- Add an exception
- Apply a policy to websites
- Set a policy as default
- View and manage policies
- Policy Management API
Manually configuring a large number of sites can be resource-intensive, time-consuming, and error-prone. Policy Management introduces the ability to centrally configure and manage settings, save them as a policy, and then apply the policy to multiple sites in your account.
At the account (or sub account) level:
- Create and edit policies
- Apply policies to websites in the account
- Set a policy as default to apply it automatically to all new websites created in the specified account
At the website level:
- View and edit policies applied to the website
- Apply policies to the website
- Remove policies from the website
Imperva offers several types of policies. Each type covers a specific area of Imperva functionality, such as access control lists (ACLs) or whitelists, and has its own set of specific fields available to configure. For details, see Policy types.
By default, the account admin user can manage policies for the account and for websites in the account. The following permissions can be added to roles and assigned to other users in the account or in its sub accounts as required.
- View policy
- Add/Duplicate policy
- Edit policy
- Delete policy
- Add exception to policy
- Edit exception in policy
- Delete exception from policy
- Apply policy to assets
The Policies pages are displayed only to users with the appropriate permissions.
Create a policy
On the Cloud Security Console sidebar, click Management > Policies > Create Policy.
Note: The fields available for configuration in the policy vary based on the policy type that you select. For details on the available policy types and their fields, see Policy types.
|Policy Name||A descriptive name for the policy.|
Activates or deactivates the policy for all specified assets (websites).
Select a policy type. For details, see Policy types.
|Available for sub accounts||This option is available in the account-level page only. By default, the policy is available to all sub accounts. You can opt to make it available only to specific sub accounts in your account. Note: If you select specific sub accounts, or change the list of selected sub accounts, the assets available under the Apply to assets and Enable default policy sections are updated accordingly. For example, if the policy was applied to sites under "sub account A" and you remove "sub account A", the policy is removed from the websites in "sub account A" to which it was applied.|
|Apply to assets||Applies the policy to the selected assets (websites). When creating a policy in an account that has sub accounts, the list of available assets includes sites in the account and sites in all of the account's sub accounts. When creating a policy in a sub account, only sites in the specific sub account are displayed.|
|Enable default policy||Automatically applies the policy to all new websites created in the account and/or in the account's sub accounts. For more details, see Set a policy as default.|
Policy types
Each policy type covers a specific area of Imperva functionality. When you create a policy, the fields available for configuration vary based on the policy type.
Block specific countries, URLs, or IPs from accessing your sites.
|Block Countries||Restricts traffic based on the geo-location of the visitor. Click inside the Search field and select countries from the list.|
|Block URLs||Restricts traffic to specific resources / URLs.|
Restricts traffic based on the source IP of the visitor.
Single IPs, IP ranges, and subnets are supported. For example, 18.104.22.168, 22.214.171.124-126.96.36.199, or 10.10.10.10/24.
Create a list of trusted IPs that are not inspected by Imperva's WAF and Security settings.
If you would like to whitelist an IP for a specific rule, it is recommended that you add an exception to a specific rule (see below) rather than adding a global whitelist rule.
|Whitelist IPs||Enter IP addresses, IP ranges, or subnets.|
Add an exception
You can add exceptions to any of the rules in a policy.
In the account or sub account level page:
When you create or edit a policy, you can add an exception and apply it as follows:
|Apply to all assets with this policy||The exception is applied to all assets listed under Apply to assets in the policy (all websites in the account).|
|Apply to specific assets||The exception is applied to the selected assets only.|
In the website-level page:
When editing a policy that is applied to your site (Policies page > More > Edit), you can add, edit, or delete an exception.
When viewing the exception settings for a site in a sub account:
- Only exceptions applied to the specific site are displayed.
- Editing or deleting an existing exception affects all assets to which the exception is applied, not only the specific site.
- When adding an exception, you can apply it only to the specific site.
Note: An exception rule will match only if all match criteria are satisfied. If you want to add an exception for multiple and non-related scenarios, you can add multiple exception rules. Each exception rule is evaluated independently.
For example, suppose you created a Block Countries rule and need to add a few exceptions.
You want to add an exception for IP 188.8.131.52 on a specific URL, and for IP 184.108.40.206 under any circumstance.
If you created one exception rule, it would look like this:
Exception on URL /index.php and IP 220.127.116.11 or 18.104.22.168
This will bypass the block rule for either of the IPs on URL /index.php only.
Instead, you need to create two separate exception rules for this scenario:
Exception on URL /index.php and IP 22.214.171.124
Exception on IP 126.96.36.199
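The evaluation model described in the note above, as an added example (not Imperva code): criteria inside one exception rule are ANDed, and separate exception rules are ORed. The function names, the placeholder country code "XX", the exact-match URL comparison, and the documentation-range IP addresses are assumptions constructed for illustration.

```python
import ipaddress

def ip_matches(entry, ip):
    """True if ip is covered by entry: a single IP, a 'start-end' range, or a subnet."""
    addr = ipaddress.ip_address(ip)
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return start.version == addr.version == end.version and start <= addr <= end
    # strict=False accepts subnets written with host bits set, such as 10.10.10.10/24
    return addr in ipaddress.ip_network(entry, strict=False)

def exception_matches(exc, request):
    """One exception rule: every criterion it defines must match (AND)."""
    if "urls" in exc and request["url"] not in exc["urls"]:
        return False  # assumption: URLs are compared by exact match
    if "ips" in exc and not any(ip_matches(e, request["ip"]) for e in exc["ips"]):
        return False
    return True

def is_blocked(blocked_countries, exceptions, request):
    """Block Countries rule; any single matching exception bypasses it (OR)."""
    if request["country"] not in blocked_countries:
        return False
    return not any(exception_matches(e, request) for e in exceptions)

# Constructed sample data: placeholder country code and documentation-range IPs.
BLOCKED = {"XX"}
IP_A, IP_B = "192.0.2.10", "198.51.100.20"
# One combined rule: URL /index.php AND (IP_A OR IP_B)
COMBINED = [{"urls": ["/index.php"], "ips": [IP_A, IP_B]}]
# Two independent rules: (URL /index.php AND IP_A), (IP_B anywhere)
SEPARATE = [{"urls": ["/index.php"], "ips": [IP_A]}, {"ips": [IP_B]}]

def request_from(ip, url):
    return {"country": "XX", "ip": ip, "url": url}

if __name__ == "__main__":
    for name, rules in (("combined", COMBINED), ("separate", SEPARATE)):
        for ip in (IP_A, IP_B):
            for url in ("/index.php", "/login"):
                verdict = "blocked" if is_blocked(BLOCKED, rules, request_from(ip, url)) else "allowed"
                print(f"{name:9} {ip:15} {url:11} {verdict}")
```

With the combined rule, the second IP is still blocked on every URL except /index.php; with the two separate rules, it is allowed everywhere while the first IP is exempt on /index.php only.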
Apply a policy to websites
There are several ways to apply a policy to websites in your account:
Account or sub account level:
When creating or editing a policy, you can apply the policy to selected websites in the account, as described above in Create a policy.
- If the account has sub accounts, you can apply the policy to sites in the account and to sites in any of the account's sub accounts.
- When you create a policy in a sub account, you can apply the policy to sites in the specific sub account only.
You can also apply the policy by default for new sites created in your account. For details, see Apply a policy to websites below.
On the Websites > Policies page, click Apply to select existing policies to apply to the website.
Set a policy as default
You can apply a policy by default on all new sites created in an account. This setting does not affect existing sites in the account.
In the policy, click Enable default policy, and select the parent account and/or any sub accounts under the account.
- When you select the parent account, the setting applies only to new sites created directly under the parent account. It does not apply to new sites created under the sub accounts.
- If you move a site between a parent account and a sub account, or between sub accounts, any policies set as default in the destination account are automatically applied to the site. In addition, policies that were already applied to the site in the source account are still applied.
View and manage policies
View and manage your policies on the Policies page in your account or website:
- Account-level: The Management > Policies page displays all policies created in your account.
- Sub account-level: The Management > Policies page displays all policies created in your sub account or applied to your sub account by the parent account.
- Website-level: The Websites > Policies page displays all policies applied to your website.
|Type||The policy type, which covers a specific area of Imperva functionality.|
|Policy name (ID)||The name and unique identifier assigned to the policy when it was created. You can define the policy name. The ID is automatically assigned by the system. Click the policy name to view or edit the policy.|
|Description||Available from: Account or sub account page only.|
|Marked as default||The policy will be automatically assigned to new websites created in the accounts or sub accounts specified in the policy.|
|Applied to||The number of websites to which the policy is currently applied.|
|Last Modified||The date the policy was created or last edited, and the user who performed the action. (For policies that were automatically created from existing site security settings during migration to Policy Management, the name of an Imperva admin user may be listed.)|
|Status||Enabled or disabled.|
|Edit (under More)||Opens the policy and enables you to modify settings. When you update a policy and click Save, changes are immediately applied.|
|Duplicate (under More)||Creates a copy of the selected policy. Available from: Account or sub account page only.|
|Enable/Disable (under More)||Enables/disables the policy for all sites in the account to which it is applied. When a policy is disabled, it is not active and has no impact on your account. The advantage of disabling a policy as opposed to deleting it from the account or removing it from sites is that you can easily turn it back on. Available from: Account or sub account page only.|
|Delete (under More)||Deletes the policy from your account. Note: You cannot delete a policy from the account when the policy is applied to websites. Available from: Account or sub account page only.|
|Remove (under More)||Removes an applied policy from the website. (The policy is not deleted from the account.) Available from: Website-level page only.|
Tip: Use the free-text search to locate policies according to details in the table, such as type or policy name.
Policy Management API
Create and manage policies using the Policies API. For details, see Policy Management API.
Migration
Starting on June 21, 2020, customer accounts created before June 7, 2020 will be migrated to Policy Management over a period of several weeks. (Migration of an individual account takes only several minutes.)
- Previously, the following security settings were configured separately for each protected website in your account, on the Security Settings page:
  - ACL: Under Block Specific Sources
  - Whitelist: Under Whitelist Specific Sources
- If your websites do not contain any ACLs or whitelisted items, no policies are automatically created during migration.
- If multiple websites contain identical settings of the same policy type, a single policy is created and assigned to the relevant websites. For example, if you had configured identical ACL settings under Block Specific Sources for several websites, one ACL policy is created and applied to those websites.
- After your account is migrated, the ACL and whitelist settings are no longer displayed on the Security Settings page.
Note: For policies that were automatically created from existing site security settings during migration, the Last Modified field on the Policies page may display the name of an Imperva admin user.