Is there a way to discover Imperva WAF (Web Application Firewall)?

RobertoE
Tera Contributor

I am currently running a discovery; however, after reviewing the documentation, it appears that discovery for the Imperva WAF (Web Application Firewall) can only be performed in a generic way. The documentation states that it can only be done via REST API. Does anyone know of any other way to do this?


tiagomacul
Giga Sage

In theory, yes....

 

Discovery should handle the inventory.

 

But when we talk about specialized appliances like Imperva via SSH, the 'standard' inventory often hits a wall.

Here is why:

 

  1. Restricted Shells: Many security appliances don't give you a full Bash/Linux shell. You might be dropped into a 'Clish' or a restricted menu where standard commands like uname or df -h don't work. This is why the generic discovery fails—it can't find the 'fingerprints' it expects.

  2. Parsing Complexity: Even if you get access, the data you need (like WAF rules, policies, or virtual heartbeats) isn't in a standard file. You’ll likely need to build a custom Pattern to 'scrape' the CLI output of specific Imperva commands and map them to the CMDB.
  3. The 'Blind Spot' Trap: If you just do a generic SSH discovery, you’ll end up with a 'Linux Server' CI instead of a 'WAF' CI. From an Enterprise Architecture perspective, this is a data quality nightmare.

 

My take: Don't settle for the generic inventory. If the REST API is available, go with a Serverless Pattern. It’s much more reliable than trying to parse unpredictable CLI text via SSH.

 

Remember: A CMDB is only as good as the context it provides. If the inventory doesn't show which Business Services the WAF is shielding

 

 

To go beyond the generic discovery, here are the most effective ways to approach this:

 

1. Integration Service (Service Graph Connector): Check if there is a Service Graph Connector or a specialized spoke in the ServiceNow Store. Often, for SaaS security solutions, the 'Discovery' happens via a scheduled integration that pulls the inventory from the Imperva Management Console API directly into the CMDB.

 

2. Custom Patterns (The 'Non-Generic' Way): If you are discovering an on-premise Imperva appliance, you can create a Custom Discovery Pattern. Instead of relying on the generic classifier:

  • Identify a unique OID (for SNMP) or a specific CLI command (via SSH) that identifies Imperva.

  • Build a Pattern that parses the API responses or CLI output to populate specific attributes in the cmdb_ci_waf_network table.

 

3. API-Based Discovery via MID Server: Since the documentation points to REST API, the best practice is to use a Serverless Discovery Pattern. You can configure your MID Server to execute REST calls to the Imperva API, parse the JSON payload, and update the CMDB. This is much cleaner and more 'ServiceNow-native' than external scripts.
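
The parse-and-map step from option 3, sketched as plain JavaScript rather than as a Discovery Pattern; this is an added example, not part of the reply above and not ServiceNow or Imperva code. The response field names (`appliances`, `hostname`, `serial`, `mgmt_ip`) are hypothetical and the sample data is constructed; the output uses the `items` / `className` / `values` shape of a ServiceNow identification payload, with the CI class the reply names so the record does not land as a generic 'Linux Server'.

```javascript
// Constructed sample response. Field names are hypothetical, NOT Imperva's real API schema.
const SAMPLE_RESPONSE = JSON.stringify({
  appliances: [
    { hostname: "waf-edge-01", serial: "SN-CONSTRUCTED-001", mgmt_ip: "192.0.2.10" },
    { hostname: "waf-edge-01", serial: "SN-CONSTRUCTED-001", mgmt_ip: "192.0.2.10" }, // duplicate
    { hostname: "waf-edge-02", serial: "", mgmt_ip: "192.0.2.11" },                   // no serial
  ],
});

// CI class named in the reply; using it explicitly avoids the generic server classification.
const WAF_CLASS = "cmdb_ci_waf_network";

// Turn the raw JSON text into { items, rejected }.
// items    -> entries ready to hand to the CMDB identification step
// rejected -> records that cannot be identified reliably, kept for review
function buildWafPayload(rawJson) {
  let parsed;
  try {
    parsed = JSON.parse(rawJson);
  } catch (err) {
    return { items: [], rejected: [{ record: null, reason: "invalid JSON" }] };
  }
  const records = parsed && Array.isArray(parsed.appliances) ? parsed.appliances : [];
  const seen = new Set();
  const items = [];
  const rejected = [];
  for (const rec of records) {
    const r = rec || {};
    const name = String(r.hostname || "").trim();
    const serial = String(r.serial || "").trim();
    // Without a name and serial the CI cannot be matched on later runs,
    // so report the record instead of creating a half-identified CI.
    if (!name || !serial) {
      rejected.push({ record: rec, reason: "missing hostname or serial" });
      continue;
    }
    if (seen.has(serial)) continue; // same appliance listed twice in one response
    seen.add(serial);
    items.push({
      className: WAF_CLASS,
      values: { name, serial_number: serial, ip_address: String(r.mgmt_ip || "").trim() },
    });
  }
  return { items, rejected };
}
```

Records that end up in `rejected` are the ones that would otherwise create duplicate or unidentifiable CIs on the next run.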