Shay_Levin
Admin

Guide for Switching from Imperva Incapsula to CloudGuard WAF as a Service

In this article, we will explain how to easily switch from Imperva Incapsula to CloudGuard WAF as a Service without compromising security during the transition process.

Understanding the Transition Challenge

Suppose you have a web application that is currently protected by Imperva Incapsula. You want to migrate to using CloudGuard WAF as a Service for your web application firewall protection. However, CloudGuard WAF requires an initial Learning Mode period to understand your application's typical traffic patterns before it can reliably block malicious activity in Prevent Mode.

The challenge is clear: how can you transition to CloudGuard WAF without exposing your application to potential threats during the learning phase?

The answer lies in keeping Imperva Incapsula as the active protection layer while CloudGuard WAF operates in the background in Learning Mode. Once the learning phase is complete, you can safely switch CloudGuard WAF to Prevent Mode and phase out Imperva Incapsula.

Step-by-Step Migration Plan

1. Configure CloudGuard WAF in Learning Mode

Start by configuring a new asset in CloudGuard WAF to protect your web application in Learning Mode.

If you are not familiar with setting up CloudGuard WAF as a Service for protecting your web application, follow this guide: WAF as a Service Tutorial | Complete Walkthrough & Deployment.


Create an exception rule that drops any traffic to CloudGuard WAF that does not come from the Imperva Incapsula IP ranges. For the most up-to-date list, check this page.


2. Maintain Imperva Incapsula as a Security Layer

While CloudGuard WAF is in Learning Mode, continue using Imperva Incapsula to protect your application. Do not remove or modify the existing Imperva Incapsula DNS CNAME record at this stage.

 

3. Configure DNS Routing via CNAME

To maintain full protection during the transition:

  • Keep Imperva Incapsula as your primary entry point for your application.

  • Update the Origin Server configuration in Imperva Incapsula to point to the CNAME record of the CloudGuard WAF (from step 1) instead of pointing directly to your frontend application server (Origin Server).


This setup ensures that Imperva Incapsula continues to provide its protection layer while CloudGuard WAF learns the application traffic.

4. Transition to Prevent Mode and Final Switch

Once the CloudGuard WAF has completed its learning phase:

  • Switch the WAF to Prevent Mode.


  • Remove the exception rule from step 1 that allows access only from the Imperva Incapsula IP ranges.
  • Replace the CNAME value for the record shop.mywaf.net in your DNS provider with the value from step 1.


At this point, your application will be fully protected by CloudGuard WAF in Prevent Mode, and Imperva Incapsula will no longer act as an active intermediary.
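While the step 1 exception rule is still in place, you can audit the source addresses seen at CloudGuard WAF against the Imperva Incapsula ranges to confirm that only proxied traffic reached it during Learning Mode. The script below is an added example, not part of the original article or of either product. The CIDR list uses documentation-only ranges and the log line format is hypothetical, so substitute the current vendor ranges and your own log export.

```python
import ipaddress

# Constructed allowlist using documentation-only ranges; replace with the
# current Imperva Incapsula ranges from the vendor's published list.
ALLOWED_RANGES = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:100::/48"]

# Constructed log lines in a hypothetical "timestamp source_ip method path" format.
SAMPLE_LOG = """\
2025-05-23T09:10:01Z 192.0.2.17 GET /
2025-05-23T09:10:02Z 198.51.100.200 GET /login
2025-05-23T09:10:03Z 2001:db8:100::5 POST /cart
2025-05-23T09:10:04Z 203.0.113.9 GET /admin
2025-05-23T09:10:05Z not-an-ip GET /
"""

def load_networks(cidrs):
    """Parse CIDR strings into network objects, grouped by IP version."""
    nets = {4: [], 6: []}
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        nets[net.version].append(net)
    return nets

def audit_sources(log_text, cidrs):
    """Return (via_proxy_count, bypass_entries, unparsable_lines)."""
    nets = load_networks(cidrs)
    via_proxy, bypass, unparsable = 0, [], []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[1])
        except ValueError:
            unparsable.append(line)  # keep for manual review, do not guess
            continue
        # IPv4-mapped IPv6 (::ffff:a.b.c.d) must be compared as IPv4.
        if addr.version == 6 and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if any(addr in net for net in nets[addr.version]):
            via_proxy += 1
        else:
            bypass.append((fields[0], str(addr)))
    return via_proxy, bypass, unparsable

if __name__ == "__main__":
    ok, outside, bad = audit_sources(SAMPLE_LOG, ALLOWED_RANGES)
    print(f"via allowlisted ranges: {ok}")
    for ts, ip in outside:
        print(f"outside allowlist: {ts} {ip}")
    print(f"unparsable lines: {len(bad)}")
```

Any entry reported as outside the allowlist is either a request the exception rule dropped or a sign that the rule's range list is out of date, and is worth resolving before the rule is removed.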

Summary

Switching from Imperva Incapsula to CloudGuard WAF should be done gradually and strategically to avoid exposure and service interruptions. By layering the WAF in Learning Mode behind Imperva Incapsula and only making the final switch after sufficient learning, you ensure a secure, smooth transition.
