Integrating Imperva Cloud WAF/DDoS Services for Internet-Facing RPF Traffic

This article discusses how to integrate the Imperva WAF/DDoS protection service with an Internet-facing public resource located behind a Cato site.


Cato's Remote Port Forwarding (RPF) is primarily designed to expose corporate resources to known corporate users with the Allow List approach. This means that you can restrict the corporate resource to the specific IP addresses that are allowed to connect, otherwise, the traffic is blocked.

Sometimes it's necessary to provide access to unknown users and expose an internal server that is behind a site via RPF publicly over the Internet. This creates a potential security risk because you are allowing public access to internal resources. This article explains how to configure the Imperva Cloud service to provide WAF and DDoS protection in front of the site to secure the RPF traffic.

Diagram of Incapsula Cloud WAF/DDoS with RPF


Integrating the Imperva DDoS Solution to Secure RPF Traffic

This section explains how to configure the RPF resource to only allow the Imperva Cloud WAF/DDoS to access it. This adds a significant layer of security to the resource that you are making available over the public Internet.

Defining the RPF Rule in the CMA

Use the Cato Management Application (CMA) to define an allow list RPF rule to forward the traffic to the Imperva Cloud WAF. The Traffic Sources for the rule are based on the public Imperva IP ranges.

Create a separate rule for each data center and host that are protected by the Imperva Cloud.

The security stack in the Cato Cloud doesn't perform TLS inspection on inbound RPF traffic


To define an allow list RPF rule that forwards traffic to the Imperva Cloud:

  1. From the navigation menu, click Network > Remote Port Forwarding.

  2. Create a new RPF rule with these settings:

    • External IP and External Port Range for Cato public IPs (use separate rules for each public IP)

    • Internal IP and Internal Port Range for the internal host or resource

    • Traffic Type is Allow List

    • Traffic Sources are a range of the public Imperva IP addresses

  3. Click Save.

Defining the Imperva Cloud WAF to Protect the RPF Resource

In the Imperva management console, you can use one of these options to automate creating the site records:

To integrate a third-party security service for RPF traffic:

  1. Create a site record in the Imperva Cloud WAF management console using the FQDN ( of the site you are looking to protect.

  2. Configure SSL for your site leveraging an Imperva provisioned GlobalSign SSL certificate form, or upload a custom SSL certificate.

  3. Get the Imperva provisioned CNAME for your site record.

  4. Add the Cato-allocated public IP addresses used in the RPF rules above as the origin server entries in Imperva Cloud WAF, and select a load balancing option.

  5. In the DNS provider, configure the domain to forward traffic to the Incapsula CNAME in step 3.

Was this article helpful?

0 out of 0 found this helpful


Add your comment