Web Protection - Security Settings
Define granular access control policies for your website.
Note: Starting June 7, 2020 we are rolling out the new Policy Management feature. If your account was created after June 7, 2020, or your existing account has been migrated, the Block Specific Sources and Whitelist Specific Sources settings are now configured using policies. For details, see Create and Manage Policies.
In this topic:
- Access the Security settings
- Set bot access control policy
- Select CAPTCHA provider
- Block specific sources (access control / ACL)
- Define exceptions
- Whitelist specific IP sources
Access the Security settings
- Log in to your my.imperva.com account.
- On the sidebar, click Websites (default).
- Click a site name to access the site's dashboard.
- On the sidebar, click Settings.
- Click Security.
Bot Access Control lets you define an access control policy for each client that accesses your website.
Imperva client classification
Imperva’s unique classification technology can tell whether your website visitors are humans or bots. Our client database holds an extensive list of bot classifications and can identify the specific type of bot visiting your website.
Each bot is marked either as a Good Bot or a Bad Bot. Bad Bots are bots that pose a threat to your website security, for example a vulnerability scanner or a DDoS attack bot. Googlebot (and all other search engine bots) is marked as a good bot and is not blocked by the Bad Bots rule.
For the list of the clients and client type categories that Imperva addresses, see Client Classification.
For more details on Imperva's mitigation capabilities for automated threats, see Bot Mitigation.
Set the bot access control options
Option: All Good Bots (like Google and Pingdom) will be allowed to access your site
All good bots are allowed to access your website by default. You can customize the list of good bots from the Bot Access Control settings.
Note: Requests from good bots are also filtered by the WAF. This is because some legitimate services might be manipulated to send malicious requests to your website.
Click the Good Bots link to edit the Good Bots List. The Good Bots List displays a list of the bots that do not pose a threat to your website. By default, each of these bots is marked with a checkmark, which means that they are not blocked by default.
Note: To add additional good bots to the list, such as your own API client or mobile app, contact Imperva support.
Option: Block Bad Bots (like comment spammers and scanners)
All bad bots are denied access to your website by default. You can customize the list of bad bots from the Bot Access Control settings. For example, you may want to whitelist a specific vulnerability scanner your organization subscribes to.
Click the Also block link to add to the Bad Bots List.
To add a bot to the list, start typing its name. A drop-down menu is displayed, enabling you to select from Imperva’s predefined list of bad bots.
Only bad bots that are in Imperva’s database can be added. If you would like to add an additional bot to this list, contact Imperva support.
Option: Require all other suspected bots to pass additional challenges
If a bot cannot be classified by Imperva, it is considered a Suspected Bot. In many cases these bots are operated by legitimate service providers, and in some cases these are malicious bots.
You can configure Imperva to filter out any suspected bot by requiring the client to complete a CAPTCHA test or additional challenges. This will filter out bad bots, reduce unnecessary load from unwanted crawlers and services, and ensure that only legitimate visitors can access your website.
Option: Exceptions. See Define exceptions.
Select CAPTCHA provider
You can choose to use GeeTest CAPTCHA instead of the default reCAPTCHA.
Availability: For Advanced Bot Protection and Account Takeover Protection customers only.
By default, the GeeTest CAPTCHA is displayed in Chinese. To display the CAPTCHA in English, contact Imperva Support to request the change.
For GeeTest, select the difficulty level for the challenge that you want to present to visitors.
| Difficulty | Description |
| --- | --- |
| Auto | GeeTest AI technology determines the appropriate difficulty level for the visitor. |
| Normal | A challenge with a standard level of difficulty is presented to the visitor. |
| Hard | A more difficult challenge is presented to the visitor. |
| Extra Hard | The most difficult challenge is presented to the visitor. |
Block specific sources (access control / ACL)

| Option | Description |
| --- | --- |
| Block Countries | Enables you to restrict traffic based on the geo-location of the visitor. |
| Block URLs | Enables you to restrict traffic to specific resources / URLs. |
| Block IPs | Enables you to restrict traffic based on the source IP of the visitor. |
Define exceptions
To add an item to the Exceptions list for any of the security rules:
- Click Add exception, or Exceptions if there are already existing exceptions defined.
- In the Add exception rule on field, select the type of item to be added to the whitelist, such as URL, Client app ID, IP, or Country. For IP exceptions, single IPs, IP ranges, and subnets are supported. For example, 184.108.40.206, 220.127.116.11-18.104.22.168, or 10.10.10.10/24.
- In the field to the right, fill in the value to exclude from the rule.
- Click Add.
- You can repeat the steps above to add additional rules.
- Click Confirm.
Note: An exception rule will match only if all match criteria are satisfied. If you want to add an exception for multiple and non-related scenarios, you can add multiple exception rules.
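The matching semantics described above (all criteria within one exception rule must hold, while separate rules cover unrelated scenarios), modelled as an added example. This is illustrative code written for this page, not Imperva's own implementation; the request model, the rule dictionary layout and the URL prefix comparison are assumptions, and the sample rules and requests are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional


@dataclass
class Request:
    # Hypothetical request model for this example; not an Imperva data structure.
    ip: str
    url: str
    country: str
    client_app_id: Optional[int] = None


def ip_matches(spec: str, ip: str) -> bool:
    """Match the three IP forms the page lists: single IP, dash range, or CIDR subnet."""
    addr = ipaddress.ip_address(ip)
    if "/" in spec:
        # strict=False tolerates host bits in the spec, e.g. 10.10.10.10/24 as on the page.
        return addr in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr == ipaddress.ip_address(spec)


# Matcher per exception type; URL matching by prefix is an assumption for this example.
MATCHERS: Dict[str, Callable[[str, Any], bool]] = {
    "IP": ip_matches,
    "URL": lambda spec, value: value.startswith(spec),
    "Country": lambda spec, value: spec.upper() == value.upper(),
    "Client app ID": lambda spec, value: value is not None and int(spec) == value,
}


def rule_matches(rule: Dict[str, str], req: Request) -> bool:
    """One exception rule matches only if every criterion it carries is satisfied (AND)."""
    fields = {"IP": req.ip, "URL": req.url, "Country": req.country,
              "Client app ID": req.client_app_id}
    return all(MATCHERS[kind](spec, fields[kind]) for kind, spec in rule.items())


def is_excepted(rules: List[Dict[str, str]], req: Request) -> bool:
    """Unrelated scenarios need separate rules: any matching rule exempts the request (OR)."""
    return any(rule_matches(rule, req) for rule in rules)


# Constructed sample: a scanner subnet is exempt only on /api/, and one mobile app is exempt everywhere.
SAMPLE_RULES = [
    {"IP": "10.10.10.10/24", "URL": "/api/"},
    {"Client app ID": "1234"},
]
```

A request from 10.10.10.77 to /login is not exempt because the first rule's URL criterion fails, which is why a second rule is needed for each independent case.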
Whitelist specific IP sources
This option enables you to create a list of trusted IPs whose traffic is not inspected at all by Imperva's WAF and Security settings. If you would like to whitelist an IP for a specific rule only, it is recommended that you do so from that rule's exception settings (see Define exceptions above) rather than adding a global whitelist rule.