This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Help

Who rated this post

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Shay_Levin
Admin
Admin
‎2025-05-23 02:16 AM

Guide for Switching from Imperva Incapsula to CloudGuard WAF as a Service

In this article, we will explain how to easily switch from Imperva Incapsula to CloudGuard WAF as a Service without compromising security during the transition process.

Understanding the Transition Challenge

Suppose you have a web application that is currently protected by Imperva Incapsula. You want to migrate to using CloudGuard WAF as a Service for your web application firewall protection. However, CloudGuard WAF requires an initial Learning Mode period to understand your application's typical traffic patterns before it can reliably block malicious activity in Prevent Mode.

The challenge is clear: how can you transition to CloudGuard WAF without exposing your application to potential threats during the learning phase?

The answer lies in keeping Imperva Incapsula as the active protection layer while CloudGuard WAF operates in the background in Learning Mode. Once the learning phase is complete, you can safely switch CloudGuard WAF to Prevent Mode and phase out Imperva Incapsula.

Step-by-Step Migration Plan

1. Configure CloudGuard WAF in Learning Mode

Start by configuring a new asset in CloudGuard WAF to protect your web application in Learning mode.

If you are not familiar with setting up CloudGuard WAF as a Service for protecting your web application, follow this guide: WAF as a Service Tutorial | Complete Walkthrough & Deployment.

Shay_Levin_0-1747991399846.png

 

Shay_Levin_1-1747991447971.png

 

Create an exception rule that will drop traffic to the CloudGuard WAF that is not coming from Imperva Incapsula ip ranges , for the most update list check this page

Shay_Levin_2-1747991474202.png

 

2. Maintain Imperva Incapsula as a Security Layer

While CloudGuard WAF is in Learning Mode, continue using Imperva Incapsula to protect your application. Do not remove or modify the existing Imperva Incapsula DNS CNAME record at this stage.

 

3. Configure DNS Routing via CNAME

To maintain full protection during the transition:

  • Keep Imperva Incapsula as your primary entry point for your application.

Update the Origin Server configuration in Imperva Incapsula to point to the CNAME record of the CloudGuard WAF (from step 1)  instead of pointing directly to your frontend application server (Origin Server).

Shay_Levin_3-1747991505778.png

 

This setup ensures that Imperva Incapsula continues to provide its protection layer while CloudGuard WAF learns the application traffic.

4. Transition to Prevent Mode and Final Switch

Once the CloudGuard WAF has completed its learning phase:

  • Switch the WAF to Prevent Mode.

Shay_Levin_4-1747991527774.png

 

  • Remove the exception rule from step 1 that allow access only from Imperva Incapsula ip ranges. 
  • Replace the CNAME value for the record shop.mywaf.net in your DNS provider to the value from step 1.

Shay_Levin_5-1747991573122.png

 

At this point, your application will be fully protected by CloudGuard WAF in Prevent Mode, and Imperva Incapsula will no longer act as an active intermediary.

Summary

Switching from Imperva Incapsula to CloudGuard WAF should be done gradually and strategically to avoid exposure and service interruptions. By layering the WAF in Learning Mode behind Imperva Incapsula and only making the final switch after sufficient learning, you ensure a secure, smooth transition.

(1)
Who rated this post