Home > FAQ 

Imperva Incapsula FAQ

We are committed to providing the best online experience for all our customers.


Through a simple change to your website DNS records (and with no hardware or software required), your website traffic will be seamlessly routed through Incapsula’s globally distributed network of high powered servers. Incoming traffic is intelligently profiled in real-time, blocking the latest web threats (e.g., SQL injection attacks, scrapers, malicious bots, comment spammers) and thwarting triple-digit gigabit DDoS attacks. Meanwhile outgoing traffic is accelerated and optimized with Incapsula’s global CDN, for faster load times, keeping welcome visitors speeding through.

Incapsula’s experts understand the world of enterprise web applications and work closely with IT teams to address their specific integration and customization requirements. Backed by an enterprise-grade uptime SLA and premium support, Incapsula’s end-to-end Application Delivery service maximizes the security and performance of websites and web applications. At the same time, it enables enterprises to simplify IT operations and reduce costs by consolidating multiple appliances and services into a single cloud-based solution.

Here are some of the ways enterprises benefit from Incapsula’s cloud-based Application Delivery service:

  • Security expertise – Based on our unmatched web application security experience, Incapsula provides award-winning DDoS Protection and WAF functionality, with custom security rules, to leading enterprises around the world. Our company was spun out of and subsequently acquired by Imperva (NYSE:IMPV), a world-leading provider of data security solutions.
  • Premium 24×7 Support – Our experienced NOC engineers and security experts are available round-the-clock to give you the support you need, when you need it.
  • Real-time visibility and control – Incapsula’s real-time dashboards provide accurate visibility into Layer 7 traffic. This allows enterprises to monitor Layer 7 DDoS attacks in real time, analyze the malicious traffic flow and adjust security measures, while also benefiting from live and accurate feedback on every action taken.
  • Fast and easy onboarding – Incapsula’s service can be rolled out without the need for any additional hardware or software. This enables effortless and near-instant deployment, while also allowing our clients to maintain their existing hosting and application infrastructures.
  • API for Provisioning, Management & Events – Our easy-to-use API streamlines integration with your customer provisioning and account management systems. Export security events to your log management and SIEM systems and create customized reports for your target audience.

No. Incapsula leverages a distributed network of data centers (Points of Presence or POPs) that ensures that every user and website are serviced by the closest POP. This is the same principal technology that is used by most large websites to accelerate content delivery through a Content Delivery Network (CDN). In fact, Incapsula will make your site run faster and consume less computing and bandwidth resources by caching site data and applying other acceleration techniques. The website performance enhancing characteristics of the CDN more than offset the extra hop introduced by routing traffic through our network. The net result is lower latency and faster loading webpages.

Yes. From your Incapsula dashboard you can disable and enable Incapsula anytime you want. When Incapsula is disabled, visitors will not pass through Incapsula and will reach your website directly.

Fact is, your website probably has already been attacked. You just didn’t know it because common analytics tools (like Google Analytics) don’t pick up such attacks. Moreover, while these attacks may have failed in the past, without an effective solution in place, there is nothing to keep hackers from trying again – and succeeding.

Web Application Firewall and PCI Compliance

According to OWASP (Open Web Application Security Project), a web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many types of web attacks can be identified and blocked.

Incapsula’s WAF secures your application from any type of application layer hacking attempt, such as SQL injection, cross site scripting, illegal resource access, and other OWASP Top 10 threats. Advanced client classification technology detects and blocks malicious bots that are often used for application DDoS attacks, scraping and vulnerability scanning. Learn more about Incapsula’s WAF.

Yes. Incapsula’s service is certified by the PCI Security Standards Council. It delivers cost-effective compliance with PCI DSS requirement 6.6 without the need for any changes to your application. A periodic PCI compliance report audits security rules configuration changes and reports on your compliance with PCI 6.6 requirements.

Yes. The WAF has an “Application Awareness” capability which automatically detects the application stack of the website and applies pre-defined templates both to apply specific mitigation rules and to apply exceptions that will eliminate the need for fine tuning. For example, the WAF automatically detects WordPress sites and applies security rules, such as a mitigation rule for the TimThumb WordPress plugin vulnerability.

Incapsula enables the implementation of integrated two-factor authentication for any website or application without integration, coding or software changes. It can be deployed on-the-fly, requires no coding or database management and can be used to protect any type of web resource: login pages, secure corporate web applications and other online resources. Incapsula enables two-factor authentication using either email, SMS or Google Authenticator, and allows organizations to manage and control multiple logins across several websites in a centralized manner.

Reflecting our expertise in application security, Incapsula’s WAF supports several advanced security features that provide additional protective measures. These include:

  • A custom rule engine for easy creation of security rules that apply your organization’s security policies.
  • Backdoor shell detection to identify and block attempts to install or operate a pre-existing backdoor on your site.
  • Advanced bot protection that distinguishes between “good” (e.g., search engine crawlers) and “bad” bots

DDOS Protection

A botnet is a network of Internet-connected computers (“zombies”) that can be commanded as a single group entity by a command and control system. Botnets receive instructions from command and control systems to launch DDoS attacks

DDoS stands for “Distributed Denial of Service.” A DDoS attack is a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet. Unlike a Denial of Service (DoS) attack, in which one computer and one internet connection is used to flood a targeted resource with packets, a DDoS attack uses many computers and many Internet connections.

Incapsula will protect your website against all types of DDoS attacks, including volumetric network (Layer 3-4) DDoS attacks and Application (Layer 7) DDoS attacks. Incapsula’s’ Anti-DDoS solution combines smart signature and behavior identification algorithms with a global network of high-powered servers. This multi-layer solution provides protection against all types of DDoS attacks, either by filtering or by absorption.

Yes. Incapsula’s 700+ Gbps network of scrubbing centers is built to mitigate the largest network DDoS attacks, such as SYN flood and DNS amplifications, many of which exceed 100 Gbps. Incapsula’s global network of scrubbing centers scales, on demand, to counter massive volumetric DDoS attacks. This ensures that mitigation is applied outside your own network, allowing only filtered traffic to reach your hosts.

Yes. Using a combination of behavior and reputation analysis, crowdsourcing, rate-based heuristics and a series of progressive challenges, Incapsula’s traffic inspection technology differentiates legitimate website visitors from malicious bots. This capability is critical with respect to application layer (Layer 7) attacks, where the DDoS requests look like legitimate visitors. Real-time threat monitoring enables true real-time detection of application attacks, while an easy-to-use rule engine (IncapRules) enables quick creation and instant propagation of custom security rules to block these attacks. Incapsula DDoS Protection is supported by a 24×365 Security Operations Center (SOC) manned by security experts.

Yes. As long as your traffic is being sent through our network, the system will proactively notify you if you come under a DDoS attack.

Unlike most DDoS protection service providers, who integrate third-party solutions over which they don’t have any control and are infrequently updated, Incapsula DDoS Protection solution was built from the ground up using proprietary, self-developed technologies. This includes dedicated hardware (i.e., scrubbing servers) with the highest levels of scalability and resiliency, as required to handle the largest network DDoS attacks.

Based on Incapsula’s security expertise and using proprietary technology developed specifically for this purpose, these servers perform robust deep packet inspection (DPI) identify and block malicious packets based on the most granular of details. This new technology lets us inspect all attributes of each incoming packet, while serving hundreds of gigabits of traffic at an inline rate.

By using our own best-in-class technologies, we have the flexibility to evolve our DDoS protection at DevOps speed, enabling us to provide customers with the best protection against massive volumetric attacks, as well as highly sophisticated application layer (Layer 7) attacks.

Yes. Incapsula collects and displays traffic data in real-time, enabling immediate detection and response to DDoS attacks. Being able to respond in seconds rather than minutes is critical for effective mitigation. Incapsula’s true real-time monitoring capabilities give you live visibility into incoming traffic streams, with detailed information about suspicious visitors and abnormal behavior. In addition, once an attack is detected, the “IncapRules” custom rules engine lets you create and propagate security rules within seconds for reacting to advanced DDoS vectors or customer-specific requirements. Rule propagation can take up to one hour using other so-called “real-time” DDoS Protection services.

Yes. Incapsula offers Instant Protection services for organizations currently under a DDoS attack. This includes a free trial. Call us at +1 (866) 250-7659 for assistance.

Incapsula Anti-DDoS solution relies on smart visitor identification algorithms and a high-capacity global network. This combination of ‘brains and brawn’ – advanced software and powerful hardware – provides organizations with a complete Anti-DDoS solution that can mitigate any type of DDoS attack. Still we know that DDoS prevention in itself is not enough. We fully understand the need for a seamless DDoS solution and this is why our DDoS mitigation technique is also designed around the ideas of precision and transparency. To our clients this means: less than 0.01% “false-positives”, no delay screens or CAPTCHAs for their users and no manual activation. With its delicate and decisive efficiency, Incapsula will not only protect your sites and your servers, but also your business and reputation.

Incapsula has a very high success rate for blocking DDoS attacks. 99% of all DDoS attacks are automatically blocked by our system. The other 1 percent can be manually mitigated by our 24×7 SOC team within minutes following analysis.

Incapsula does not typically generate false positives. The technology behind our DDoS protection also involves a user identification and classification system which is able to accurately determine whether users are human or automated and whether their purpose is legitimate or malicious. This classification technology helps ensure that legitimate traffic or legitimate web requests are not blocked even while undergoing massive DDoS attacks.

We offer full 24×7 support either via phone, email or online chat. For enterprise plan customers, Incapsula offers managed DDoS protection services supported by a dedicated team of experienced SOC (Security Operations Center) engineers. Their responsibilities include proactive response and event management, continuous real-time monitoring, adept policy tuning, summary attack reports and 24×7 support.

Yes. Incapsula DNS Protection safeguards DNS servers from DDoS attacks, preventing these servers from becoming a single point of failure. Deployed as an always-on service, DNS Protection automatically identifies and blocks attacks seeking to target DNS servers, while also accelerating DNS responses. The service complements Incapsula’s other DDoS Protection services, which help safeguard web applications and network infrastructures from Application and Network Layer DDoS attacks.

Yes. Our Infrastructure Protection service is specifically designed to protect all elements of your critical infrastructure (e.g., Web, email, FTP) across entire subnet ranges. Leveraging BGP routing, this on-demand service provides blanket DDoS protection for all types of services (UDP/TCP, SMTP, FTP, SSH, VoIP, etc.). BGP routing also protects against “origin attacks”, whereby an attacker might otherwise be able to launch a DDoS attack directly to a web server IP address without the use of DNS resolution.

This service works in the following manner: in the event of an attack, traffic is re-routed through Incapsula’s scrubbing centers using BGP announcements. From this point on, Incapsula acts as the “ISP” and advertises all protected IP range announcements. All incoming network traffic is inspected and filtered, and only legitimate traffic is securely forwarded to the enterprise network via GRE tunneling.

CDN and Optimization

Yes. Based on its global CDN, Incapsula offers a complete solution for cross-datacenter load balancing, with full support for data center failover (disaster recovery) scenarios as well as Global Server Load Balancing. Incapsula’s unique Layer 7 approach to cross-datacenter load balancing substantially improves upon the routing capabilities of DNS-based solutions, enabling organizations to replace their DNS routers and on-premises appliances with a single integrated solution.

Yes. Incapsula’s Layer 7 Load Balancing provides a highly efficient solution for global failover and in-datacenter failover. In DR scenarios, as soon as Incapsula detects that the primary site has gone down, it automatically kick-starts the standby data center. Incapsula’s real-time health monitoring enables immediate detection of outages to ensure high availability even in the case of a catastrophic failure.

Yes. Incapsula’s Global Server Load Balancing can be configured to support geo-targeting. This method is used to route traffic to specific data centers, based on the visitor’s geo-location, with an option to redirect to another data center in case of failover. In this way, organizations can setup dedicated regional data centers to selectively provide content (e.g., ads) to visitors from specific locations, or to comply with internal policies or regional regulations.

Users can choose between several load distribution methods – from randomized Round Robin-like distribution to advanced options based on networking factors like server load and connection times. For in-datacenter load balancing, Incapsula supports methods such as:

  • Least Pending Requests – Next request is routed to the origin server with the smallest number of pending HTTP requests.
  • Least Open Connections – Next request is routed to the origin server with the smallest number of open TCP connections.
  • Source IP Hash – Hashing function persistently maps the visitor’s IP address to one of the origin servers.

For global server load balancing (GSLB), Incapsula’s algorithm supports methods such as:

  • Best Connection Time – Choosing the most effective route, based on periodic sampling of servers’ response times.
  • Geo-Targeting – Routing traffic to specific data centers, based on the visitor’s geo-location, with an option to redirect to another data center in case of failover.

Real-time health and performance checks of server activity are used to detect outages and eliminate downtime. Incapsula leverages its global multi-datacenter infrastructure for accurate health monitoring, based on redundant readings from multiple geo-locations. Furthermore, Incapsula users can take advantage of the flow of incoming health checks to customize their monitoring policies, choose preferred methods of notification and configure system behavior in failover scenarios. Incapsula’s Real-time view enhances monitoring capabilities by giving you a live view of the incoming traffic, as it’s being balanced between the different servers. This gives operators further control over traffic distribution, enabling on-the-fly, data-driven decision making.

Yes. Incapsula’s solution supports various load balancing methods. By default, all of these methods are also session-persistent, meaning the same HTTP session will always return to the same preferred server (if it is responsive). This is true for both local and global load balancing scenarios.

Incapsula offers a true Layer 7 GSLB solution that significantly improves upon current DNS-based alternatives. DNS was never really intended for load distribution or failover tasks – it is prone to TTL-related delays and uneven performance, and typically requires multiple in-datacenter appliances. Incapsula, on the other hand, implements routing changes using its own global network of reverse proxies. This ensures instantaneous routing independent of DNS/ISP cache issues, better distribution mechanics and optimized resource utilization through full Layer 7 visibility, while reducing costs based on a 100% cloud-based infrastructure.

Yes. Incapsula can be used to load balance the traffic however, it is required that Incapsula is “behind” or “parallel” to Akamai’s CDN.

Real-time health and performance checks of server activity are used to detect outages and eliminate downtime. In this way, Incapsula’s service ensures that traffic is always routed to a viable web server.

Passive monitoring is used to evaluate server responses to the actual traffic that is forwarded to them. The determination that a server is down is based on an extensive set of user-configurable parameters, which can be fine-tuned to the specific needs/policies of each organization. These include, for example, what is considered an error, the amount of errors in a given time period that constitute a “failure”, etc.

Once a server has been flagged as “down”, Incapsula performs active verification checks to determine whether the server has resumed operation. Active verification is based on sending a dedicated HTTP request to a predefined URL and checking whether the expected response is received. If so, the load balancer will renew the flow of traffic to it.

Users can receive email alerts to notify them of virtually any possible failover scenario. Incapsula’s management console allows users to fine-tune the sensitivity of the precise scenarios that will trigger an alert. For example:

  • Specific server is down
  • Data center is down
  • Flexible parameters such as number of proxies re-routing traffic, etc.

DNS Changes

Your DNS records direct your visitors to your web server IP. To start routing traffic through Incapsula and to take advantage of our security and acceleration services, your DNS records should instruct visitors to send requests to the Incapsula servers. By making two simple DNS changes, your traffic will first be filtered by Incapsula and then forwarded to your web server. There will be no downtime during the transition.

When you add your site to Incapsula you get a CNAME for your subdomains (www.example.com, blog.example.com) and an IP address for your top level domain (example.com). You will be instructed to replace your exiting DNS entries for those domains with the entries you received from Incapsula. In order to make these changes, all you need to do is log into your DNS management console. If you are using one of the popular DNS management services (GoDaddy, 1&1 Hosting, etc.), we have prepared step by step instructions on how to make the necessary changes.

No. With Incapsula your hosting will remain the same. The only thing you are changing is the A record and a CNAME in your DNS records.


Yes. Incapsula automatically identifies when websites that support SSL traffic (HTTPS) are added to the service. In such a case, Incapsula will lead you through a simple process of supporting SSL. In order to enable Incapsula to support SSL traffic for your website, we will need to generate a certificate for your domain that will be hosted on our servers. In this process you are requested to approve the creation of such a certificate by our certificate provider.

The process of adding SSL support involves three simple steps:

  1. Within 24 hours of adding the website you will receive an e-mail from GlobalSign, our SSL certificate provider, requesting approval to generate an SSL certificate for your domain. To approve this request simply reply with “yes” in the message body.
  2. After your approval Incapsula will provision the service to support SSL on your domain. This process can take up to 24 hours.
  3. Once the process is completed, you will be notified through an e-mail and you will be able to proceed to the final step of adding your website to the Incapsula service

You can also choose to add your website to Incapsula without SSL support. In this event, any user that browses your site using SSL may receive a warning from his browser.

In order to support SSL traffic, Incapsula needs to host an SSL certificate for your site on each one of our proxies. Incapsula has partnered with one of the leading certificate providers, GlobalSign, and implemented a simple and automated process for generating certificates. Currently, Incapsula offers this service at no additional charge for plans that support SSL traffic (Personal, Business and Enterprise). If you are using this service, your visitors will see the certificate we generated for your website. Our Enterprise plans also include an option to host your existing certificate on Incapsula (for example your EV certificate.

Incapsula Setup

Once you choose your plan from our Pricing & Signup page, you’ll arrive at the sign up page, where you will submit your details and open an account. Once you open an account, you will be asked to submit the domain URL of the website you want to add to Incapsula’s service. We will then scan your DNS records and provide you with instructions to change your DNS records. Once you complete the DNS records change, traffic to your website will gradually be routed through Incapsula’s network of servers. Within 48 hours, all of your traffic will route through Incapsula’s network of servers.

Absolutely not. We make sure you won’t lose even a single visit.

Plans & Pricing

Sure. You can either sign up for Incapsula’s Free plan, or start a 14-day free trial with one of Incapsula’s paid plans.

If you have a low traffic personal website, you can sign up for Incapsula’s Free plan.. To get all optimization features and our enterprise-grade Web Application Firewall plus live stats, or if your website has SSL – you should you sign up for the Pro plan. For limited DDoS Protection or if your website has custom SSL – the Business plan would be best. And for unlimited bandwidth, premium support and DDoS protection, or multiple websites – contact us to get a quote for the Enterprise plan.

No. If you are a paying customer, once you remove your website from Incapsula’s service or switch to the Free plan, we will stop the next charge to your credit card.