Web Protection - Security Settings

Define granular access control policies for your website.

In this topic:

Access the Security settings

  1. Log in to your my.incapsula.com account.
  2. On the sidebar, click Websites (default).
  3. Click a site name to access the site's dashboard.
  4. On the sidebar, click Settings.
  5. Click Security .

Set bot access control policy

Bot Access Control lets you define an access control policy for each client that accesses your website.

For more details on Incapsula's mitigation capabilities for automated threats, see Bot Mitigation.

Incapsula client classification

Incapsula’s unique classification technology can tell whether your website visitors are humans or bots. Our client database holds an extensive list of bot classifications and can identify the specific type of bot visiting your website.

Each bot is marked either as a Good Bot or a Bad Bot. Bad Bots are those bots that pose a threat to your website security. For example, a vulnerability scanner or a DDoS attack bot. Googlebot (and all other search engine bots) is marked as a good bot and not blocked by the Bad Bots rule.

For the list of the clients and client type categories that Incapsula addresses, see Client Classification.

Handling good bots

All good bots are allowed to access your website by default. You can customize the list of good bots from the Bot Access Control settings.

Note: Requests from good bots are also filtered by the WAF. This is because some legitimate services might be manipulated to send malicious requests to your website.

Good Bots List

The Good Bots List displays a list of the bots that do not pose a threat to your website. By default, each of these bots is marked with a checkmark, which means that they are not blocked by default.

To edit the Good Bots List:

  1. Click the Good Bots link on the right. The following displays:

  2. To block a bot that appears in this list, clear its checkbox and click Save.

Note: To add additional good bots to the list, such as your own API client or mobile app, contact Incapsula support.

Handling bad bots

All bad bots are denied access to your website by default. You can customize the list of good bots from the Bot Access Control settings. For example, you may want to whitelist a specific vulnerability scanner your organization subscribes to.

Bad Bots List

The following describes how to add additional bots to the Bad Bots List in order to instruct Incapsula to block them.

To add to the Bad Bots List:

  1. Click the Also block link on the right. The following displays:

  2. To add a bot to the list, start typing its name. A dropdown menu is then displayed enabling you to select from Incapsula’s predefined list of bad bots, as shown below:

    Only bad bots that are in Incapsula’s database can be added. If you would like to add an additional bot to this list, contact Incapsula support.

Handling unclassified bots

If a bot cannot be classified by Incapsula, it is considered a Suspected Bot. In many cases these bots are operated by legitimate service providers, and in some cases these are malicious bots.

You can configure Incapsula to filter out any suspected bot by requiring the client to complete a CAPTCHA test. This will filter out bad bots, reduce unnecessary load from unwanted crawlers and services, and ensure that only legitimate visitors can access your website.

Block specific sources (access control / ACL)

Block Countries Enables you to restrict traffic based on the geo-location of the visitor.
Block URLs Enables you to restrict traffic to specific resources / URLs.
Block IPs

Enables you to restrict traffic based on the source IP of the visitor.

The IP and related session are blocked for 10 minutes.

Define exceptions

To add an item to the Exceptions list for any of the security rules:

  1. Click Add exception, or Exceptions if there are already existing exceptions defined. The following displays:

  2. In the Add whitelist rule on field, select the type of item to be added to the whitelist, such as URL, Client app ID, IP, or Country.
  3. In the field to the right, fill in the value to be whitelisted.
  4. Click Add.
  5. You can repeat the steps above to add additional rules.
  6. Click Confirm.

Note: A whitelist rule will match only if all match criteria are satisfied. If you want to whitelist multiple and non-related scenarios, you can add multiple whitelist rules.

Whitelist specific IP sources

This option enables you to create a list of trusted IPs that are not inspected by Incapsula's WAF and Security settings entirely. If you would like to whitelist an IP for a specific rule, it is recommended that you do that from the rule whitelist settings (see above) rather than adding a global whitelist rule.

Read More