Whitelisting Incapsula IP addresses & setting IP restriction rules

With Incapsula deployed at the edge of your network as a reverse proxy for all incoming traffic, your origin server should accept web traffic only from Incapsula's network: any request arriving from another source has, by definition, bypassed the WAF.
 
Whitelist Incapsula IPs 
 
Please make sure that:
·         Incapsula IPs are whitelisted both in your web server's own firewall and in any firewall deployed in front of it.
·         Server modules that enforce per-IP rate limiting exempt the Incapsula IPs: every visitor now arrives from one of these addresses, so a per-source limit would throttle Incapsula itself and, through it, all of your legitimate traffic.
 
Restrict access to non-Incapsula IPs
 
We recommend setting IP restriction rules to block all traffic from non-Incapsula IP addresses. Setting such restrictions (e.g. in your network firewall or with iptables) blocks requests that try to circumvent the Incapsula WAF by connecting to your origin server directly, which an attacker can do as soon as the origin's real address is known.
Here is a list of IP address ranges that are used by Incapsula:

199.83.128.0/21
198.143.32.0/19
149.126.72.0/21
103.28.248.0/22
45.64.64.0/22
185.11.124.0/22
192.230.64.0/18
107.154.0.0/16
45.60.0.0/16
45.223.0.0/16

2a02:e980::/29

We have converted the above values to simple first-to-last address ranges for your convenience (each range covers the whole block, including its first and last address):

199.83.128.0 - 199.83.135.255
198.143.32.0 - 198.143.63.255
149.126.72.0 - 149.126.79.255
103.28.248.0 - 103.28.251.255
45.64.64.0 - 45.64.67.255
185.11.124.0 - 185.11.127.255
192.230.64.0 - 192.230.127.255
107.154.0.0 - 107.154.255.255
45.60.0.0 - 45.60.255.255
45.223.0.0 - 45.223.255.255

2a02:e980:: - 2a02:e987:ffff:ffff:ffff:ffff:ffff:ffff

 

This list may change from time to time. We recommend that you subscribe to this item to receive notifications on any future updates.

Important Notes:

- If you create such IP restrictions, make sure to remove them again if you disable Incapsula on your site or revert your DNS to its original settings; otherwise visitors, who then reach your server directly, will be blocked.

- Please pay attention to the /21 and /22 networks, which span several /24 blocks: for example, the proper range for 149.126.72.0/21 is 149.126.72.0 - 149.126.79.255 (eight consecutive /24s), not just 149.126.72.0 - 149.126.72.255.

 

These ranges can be retrieved via the API at the following URL:

https://my.incapsula.com/api/integration/v1/ips with the parameter resp_format

This parameter determines the format of the output, one of: json | apache | nginx | iptables | text

(for example: curl -s --data "resp_format=apache" https://my.incapsula.com/api/integration/v1/ips)

Do not add curl's -k (skip certificate verification) to this call: the response becomes your origin's allow-list, so anyone who can impersonate the endpoint can put their own addresses into it.

 

If you do not have access to a network firewall, the same restriction can be applied on the web server itself. Solutions for:

Apache (.htaccess):

order deny,allow
deny from all
allow from 199.83.128.0/21
allow from 198.143.32.0/19
allow from 149.126.72.0/21
allow from 103.28.248.0/22
allow from 185.11.124.0/22
allow from 45.64.64.0/22
allow from 192.230.64.0/18
allow from 107.154.0.0/16
allow from 45.60.0.0/16
allow from 45.223.0.0/16
allow from 2a02:e980::/29

This is the Apache 2.2 access-control syntax; Apache 2.4 accepts it only through mod_access_compat and otherwise expects the equivalent "Require ip ..." directives of mod_authz_core. Either form is honoured in .htaccess only where AllowOverride permits it.

http://support.incapsula.com/entries/20716913-setting-up-htaccess-restrictions

 

Nginx:

Nginx includes a simple module, ngx_http_access_module, that allows or denies access by client IP address. Note that if you also use ngx_http_realip_module to recover the visitor's address from the header Incapsula forwards, that module replaces the client address these allow/deny rules are checked against, so the rules would then see visitor addresses rather than Incapsula's.

location / {
    # allow Incapsula
    allow 199.83.128.0/21;
    allow 198.143.32.0/19;
    allow 149.126.72.0/21;
    allow 103.28.248.0/22;
    allow 185.11.124.0/22;
    allow 45.64.64.0/22;
    allow 192.230.64.0/18;
    allow 107.154.0.0/16;
    allow 45.60.0.0/16;
    allow 45.223.0.0/16;
    allow 2a02:e980::/29;

    # drop rest of the world
    deny all;
}


iptables:

#Incapsula proxies access restriction
#iptables handles IPv4 only; the IPv6 range must go through ip6tables
#These rules are appended: an earlier rule that already accepts port 80/443
#takes precedence, so check with "iptables -L INPUT -n --line-numbers"
#Allow HTTP (port 80) from Incapsula
iptables -A INPUT -s 199.83.128.0/21 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 198.143.32.0/19 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 149.126.72.0/21 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 103.28.248.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 185.11.124.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 45.64.64.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 192.230.64.0/18 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 107.154.0.0/16 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 45.60.0.0/16 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 45.223.0.0/16 -p tcp --dport http -j ACCEPT
ip6tables -A INPUT -s 2a02:e980::/29 -p tcp --dport http -j ACCEPT

#Block HTTP from other sources (both address families)
iptables -A INPUT -p tcp --dport http -j DROP
ip6tables -A INPUT -p tcp --dport http -j DROP

#Allow HTTPS (port 443) from Incapsula
iptables -A INPUT -s 199.83.128.0/21 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 198.143.32.0/19 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 149.126.72.0/21 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 103.28.248.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 185.11.124.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 45.64.64.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 192.230.64.0/18 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 107.154.0.0/16 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 45.60.0.0/16 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 45.223.0.0/16 -p tcp --dport https -j ACCEPT
ip6tables -A INPUT -s 2a02:e980::/29 -p tcp --dport https -j ACCEPT

#Block HTTPS from other sources (both address families)
iptables -A INPUT -p tcp --dport https -j DROP
ip6tables -A INPUT -p tcp --dport https -j DROP
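The API call above and the Apache, Nginx and iptables fragments all consume the same list, and the comment thread below shows what goes wrong when it is maintained by hand: ranges mistyped, an IPv6 prefix handed to IPv4-only iptables, the API switching between CIDR and first-last notation, and changes noticed only after a wave of 403s. The script below is an added example written for this article, not Incapsula's own tooling. It assumes the API's text format returns one entry per line, either a CIDR or a "first - last" range (a reading of the thread, not a documented contract); the sample list embedded in it is constructed and deliberately shorter than the article's, and the function names and the --live flag are this example's own. It parses and validates the list, prints each CIDR with the first-to-last range it covers (the conversion the article does by hand above), emits iptables and ip6tables rules with the address families kept apart, emits the Nginx block, and reports whether a newly fetched list actually differs from a saved one.

```python
#!/usr/bin/env python3
"""Turn the Incapsula range list into origin allow-list rules.

Added example for this article, not Incapsula's own tooling. Assumed (not
documented here): the API's 'text' format is one entry per line, each an
IPv4/IPv6 CIDR or a 'first - last' range (the comment thread reports both
shapes), so both are accepted. Function names, the rule layout and the
--live flag are this example's own choices.
"""
import ipaddress
import sys
import urllib.parse
import urllib.request

API_URL = "https://my.incapsula.com/api/integration/v1/ips"

# Constructed sample in the assumed shape; not a live response, and it
# carries only some of the ranges the article lists.
SAMPLE_TEXT = """\
# comment lines are ignored
199.83.128.0/21
198.143.32.0/19
149.126.72.0/21
45.64.64.0/22
2a02:e980::/29
"""


def parse_ranges(text):
    """Return (ipv4_networks, ipv6_networks), each sorted.

    A line must be a strict CIDR (host bits zero, so a typo such as
    199.83.128.1/21 is rejected) or a first-last range.  Anything else, or
    an empty result, raises: a garbled list must never be applied.
    """
    v4, v6 = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "-" in line:
            first, last = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            nets = list(ipaddress.summarize_address_range(first, last))
        else:
            nets = [ipaddress.ip_network(line, strict=True)]
        for net in nets:
            (v4 if net.version == 4 else v6).add(net)
    if not v4:
        raise ValueError("no IPv4 ranges parsed; refusing to emit rules")
    return sorted(v4), sorted(v6)


def cidr_to_range(net):
    """First and last address a CIDR covers, both inclusive
    (149.126.72.0/21 -> '149.126.72.0 - 149.126.79.255')."""
    return f"{net[0]} - {net[-1]}"


def iptables_rules(v4, v6, ports=(80, 443)):
    """iptables is IPv4-only: IPv6 sources go to ip6tables, and each family
    needs its own closing DROP or that family stays wide open."""
    lines = []
    for tool, nets in (("iptables", v4), ("ip6tables", v6)):
        for port in ports:
            for net in nets:
                lines.append(f"{tool} -A INPUT -s {net} -p tcp --dport {port} -j ACCEPT")
            lines.append(f"{tool} -A INPUT -p tcp --dport {port} -j DROP")
    return lines


def nginx_rules(v4, v6):
    """ngx_http_access_module block; one list serves both address families."""
    lines = ["location / {", "    # allow Incapsula"]
    lines += [f"    allow {net};" for net in v4 + v6]
    return lines + ["    # drop rest of the world", "    deny all;", "}"]


def changed(new_text, old_text):
    """True when the set of networks differs.  Reordering is not a change; a
    range like 199.83.128.1 - 199.83.135.254 that drops .0 and .255 is one,
    because it would narrow what the firewall accepts."""
    return parse_ranges(new_text) != parse_ranges(old_text)


def fetch_text(url=API_URL):
    """POST resp_format=text with certificate verification left on.  Do not
    port curl -k here: whoever can spoof this endpoint owns the allow-list."""
    data = urllib.parse.urlencode({"resp_format": "text"}).encode()
    with urllib.request.urlopen(url, data=data, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    text = fetch_text() if "--live" in sys.argv else SAMPLE_TEXT
    v4, v6 = parse_ranges(text)
    for net in v4 + v6:
        print(f"{str(net):<22} {cidr_to_range(net)}")
    print("\n".join(iptables_rules(v4, v6) + nginx_rules(v4, v6)))
```

Run it with no arguments to see the rules generated from the embedded sample; with --live it POSTs to the API with certificate verification on. In a cron job, keep the previous response on disk, call changed() against it, and reload the firewall only when it returns True; a parse failure should alert rather than silently keep stale rules or install an empty allow-list.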

 

 

 

Comments

  • Trident

    Please send me a complete list of all IPs being used by Imperva (Incapsula) to send traffic to the protected sites. Please post the IP addresses on this forum, or say where in the Admin site we can find the list.

  • techforumnetbuzz

    Please update this one also: 156.54.73.1. I was getting 403 errors; after checking the error logs I found this IP to be blocked.

    In the error logs the User-Agent for 156.54.73.1 shows it is the Incapsula uptime monitor, so please confirm whether this belongs to Incapsula or not.

  • techforumnetbuzz

    Staff, please provide me the 156.54.73.1 range IPs.

  • joomdrew

    Sites are forbidden (403). I have the following in the .htaccess, which has been fine until this morning...

    199.83.128.0/21
    198.143.32.0/19
    149.126.72.0/21
    103.28.248.0/22
    185.11.124.0/22

  • uri

    Hi,

    we have added another range: 192.230.64.0/18

    so the list is:
    199.83.128.0/21
    198.143.32.0/19
    149.126.72.0/21
    103.28.248.0/22
    185.11.124.0/22
    192.230.64.0/18

  • jose.saraiva

    Would be nice to have this IP list available through a simple machine friendly url that could be called to update the list automatically...

  • uri

    Please note that we added 45.64.64.0/22 to the list

  • marcusadolfsson

    Thanks, can you please ensure you add the new IP range here at least 48 hrs before it is used in production?

  • Ace

    I agree with @marcusadolfsson. If you make these changes on your side prior to informing us, it blocks users from accessing our sites. We definitely need to know about this enough in advance to schedule a maintenance update to our web servers. If that is possible going forward, it would be much appreciated! Thx.

  • hlynam

    I was surprised that no leadtime was given for these critical firewall changes. It would be better to give at least 7 days notice to allow for testing etc.

  • jmottle

    Agree. There should be a lot more notice. These also should be emailed to customers, not just added to the comments of a support thread! When it comes to a site not being available, this should be treated a bit less trivially! Some of us earn ALL of our money by having 100% uptime and being available.

  • uri

    All,
    Even after we add this to the list, it does not mean that we use it in a way that will impact your business. These addresses are published here in advance and are currently not being used to access your servers.

    We will soon publish a way to get these ranges via our API so you can automate this process.

  • stoja

    Agree. Appreciate the API but would appreciate a simple email alert to customers when this occurs so we can prepare for any updates.

  • Rotem

    Follow

  • RippleWise

    What is the point of having an API if you change it without any notice? Your API always returned IPs as "199.83.128.0/21", then a few weeks ago you changed it to "199.83.128.1-199.83.135.254". We made adjustments to our software and now it's back to the previous version and no notice again. Changes like this result in downtime for our website!

  • uri

    All,

    I apologize for the unexpected change in the API. This was a result of some changes which were not tested correctly for backward compatibility. We have already updated our automated tests to ensure such cases will not occur again.
    Please note that the actual list was not changed. We understand the importance of this list and make sure that new ranges will be used only a couple of months after they are first published to this list.

  • zzzzzzz

    Uri - Why doesn't the API support a simple GET method? This would allow us to monitor its changes much more easily.

    Now we'll have to continue monitoring this thread, which isn't quite productive...

  • bj

    See the script at http://pastebin.com/EGdBG5ae
    Call it like every hour from cron and it will notify you when the addresses change.

  • Bill

    Follow

  • Lee

    BJ, can you repost the script? It got removed by pastebin.

  • bj

    Sure. I pasted it to a non-expiring pastebin, now.
    http://paste.debian.net/hidden/55a94a30/

  • Todd Thornhill

    Great article. Is there some way you can link this to an external file of IP ranges or something instead of adding new IPs within the comments? Would be a lot easier to manage.

  • bj

    Well, the list of IP addresses is downloaded to the temporary file ${TMPFILE}, each line containing a single IP address. Basically you can do anything with this information then, e.g. feed it to another script that updates your firewall configuration, export it to another file format, etc.

  • Mat

    When I deleted Incapsula, it's still controlling my website even though I restored DNS files.

    Even FTP is down for me. When I track my domain I can see that the Incapsula IP number is
    still activated. How can I fix this?

  • Yael

    The range 107.154.126.0/24 was added to the Incapsula IP ranges.

  • Yaniv

    Please note that the range  107.154.126.0/24 was updated to 107.154.0.0/16


  • Andrew Aitken-Fincham

    Can I just reinforce some previous comments here - 3 hours notice is NOT ENOUGH. We were in the fortunate position that I am working in the UK for a branch of a New Zealand-based company. Therefore, I could update our whitelists - but had I not, this would have changed in the middle of the night, and potentially caused some widespread problems.

    I know we can do some sort of automation, but even then, three hours is not necessarily enough time for all of our crons to run to apply the patch.

    Surely you know about these things, say, 24 hours in advance? At the very least??

  • drizs

    I agree with Andrew. Can we either get more notice or work on some sort of automation? Considering that we need to engage third parties, it can be problematic for clients.

  • Eric

    If it helps someone, I can explain how we handle it and what feature request we made to Incapsula. We mostly need these IP ranges to update security groups and WAF rules in AWS, so we have:
    1. an email registered to updates on this page
    2. The email notification is received by AWS SES, which populates an AWS SNS topic
    3. Multiple AWS accounts in multiple regions have Lambda functions with triggers registered on these SNS notifications
    4. When triggered they call the Incapsula api and update security groups that have specific tag and also specific WAF rules

    So less than 5 minutes after a page update dozens of environments have been updated

    Shortcomings:
    a) we get notifications even on page comments. Nothing is updated since there is no change but the code is triggered nonetheless
    b) we need to use a custom Incapsula user.

    Features requested:
    1) we should be able to configure the notification email for these updates as part of the account settings. That email doesn't need to be a user with a login
    2) it would be smart to also support REST calls for notifications

    ps: it would be even nicer if Incapsula provided an SNS topic for this. Google Cloud and Azure most probably have similar features that can also be supported. They could also supply sample code for automation in most popular cloud environments. That would be a very nice move indeed and it is a very small project

    and I agree 3 hours is way too short. With automation it doesn't bother me but without it I would yell

  • Eugene

    Please note that the ranges 45.60.0.0/16 & 45.223.0.0/16 will be added to Incapsula network on May 1st, 2017.
