Manual configuration by using the command line interface
Note:
If you need to manually configure the Web App Firewall feature, Citrix recommends that you use the NetScaler GUI procedure.
You can configure the Web App Firewall features from the NetScaler command interface. However, there are important exceptions. You cannot enable signatures from the command interface. There are around 1,000 default signatures in seven categories, and the task is too complex for the command interface. You can enable or disable features and configure parameters from the command line, but you cannot configure manual relaxations. While you can configure the adaptive learning feature and enable learning from the command line, you cannot review learned relaxations or learned rules and approve or skip them. The command line interface is intended for advanced users who are familiar with using the NetScaler appliance and Web App Firewall.
To manually configure the Web App Firewall by using the NetScaler command line, use a telnet or secure shell client of your choice to log on to the NetScaler command line.
To create a profile by using the command line interface
At the command prompt, type the following commands:
add appfw profile <name> [-defaults ( basic | advanced )]
set appfw profile <name> -type ( HTML | XML | HTML XML )
save ns config
Example
The following example adds a profile named pr-basic, with basic defaults, and assigns a profile type of HTML. This is the appropriate initial configuration for a profile to protect an HTML website.
add appfw profile pr-basic -defaults basic
set appfw profile pr-basic -type HTML
save ns config
To configure a profile by using the command line interface
At the command prompt, type the following commands:
set appfw profile <name> <arg1> [<arg2> ...]
where <arg1> represents a parameter and <arg2> represents either another parameter or the value to assign to the parameter represented by <arg1>. For descriptions of the parameters to use when configuring specific security checks, see Advanced Protections and its subtopics. For descriptions of the other parameters, see “Parameters for Creating a Profile.”
save ns config
Example
The following example shows how to configure an HTML profile created with basic defaults to begin protecting a simple HTML-based website. This example turns on logging and maintenance of statistics for most security checks, but enables blocking only for those checks that have low false positive rates and require no special configuration. It also turns on transformation of unsafe HTML and unsafe SQL, which prevents attacks but does not block requests to your websites. With logging and statistics enabled, you can later review the logs to determine whether to enable blocking for a specific security check.
set appfw profile pr-basic -startURLAction log stats
set appfw profile pr-basic -denyURLAction block log stats
set appfw profile pr-basic -cookieConsistencyAction log stats
set appfw profile pr-basic -crossSiteScriptingAction log stats
set appfw profile pr-basic -crossSiteScriptingTransformUnsafeHTML ON
set appfw profile pr-basic -fieldConsistencyAction log stats
set appfw profile pr-basic -SQLInjectionAction log stats
set appfw profile pr-basic -SQLInjectionTransformSpecialChars ON
set appfw profile pr-basic -SQLInjectionOnlyCheckFieldsWithSQLChars ON
set appfw profile pr-basic -SQLInjectionParseComments checkall
set appfw profile pr-basic -fieldFormatAction log stats
set appfw profile pr-basic -bufferOverflowAction block log stats
set appfw profile pr-basic -CSRFtagAction log stats
save ns config
To create and configure a policy
At the command prompt, type the following commands:
add appfw policy <name> <rule> <profile>
save ns config
Example
The following example adds a policy named pl-blog, with a rule that intercepts all traffic to or from the host blog.example.com, and associates that policy with the profile pr-blog.
add appfw policy pl-blog "HTTP.REQ.HOSTNAME.DOMAIN.EQ(\"blog.example.com\")" pr-blog
To bind a Web App Firewall policy
At the command prompt, type the following commands:
bind appfw global <policyName> <priority>
save ns config
Example
The following example binds the policy named pl-blog and assigns it a priority of 10.
bind appfw global pl-blog 10
save ns config
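The following lint is an added example, not Citrix code. It parses appfw commands of the form shown on this page and reports which security checks block, which only log, and whether a policy names a profile that was never created or was never bound. The SAMPLE text is constructed from this page's example commands; the function name audit and the report keys are assumptions of this example.

```python
import shlex
from collections import defaultdict

# Constructed sample built from this page's example commands (not a real ns.conf).
SAMPLE = r'''
add appfw profile pr-basic -defaults basic
set appfw profile pr-basic -type HTML
set appfw profile pr-basic -startURLAction log stats
set appfw profile pr-basic -denyURLAction block log stats
set appfw profile pr-basic -SQLInjectionAction log stats
set appfw profile pr-basic -SQLInjectionTransformSpecialChars ON
set appfw profile pr-basic -bufferOverflowAction block log stats
add appfw policy pl-blog "HTTP.REQ.HOSTNAME.DOMAIN.EQ(\"blog.example.com\")" pr-blog
bind appfw global pl-blog 10
'''

def audit(config_text):
    """Summarise appfw commands: blocking vs log-only checks, dangling policies."""
    profiles, policies, bound = set(), {}, set()
    actions = defaultdict(dict)              # profile -> {parameter: [value, ...]}
    for line in config_text.splitlines():
        tok = shlex.split(line)              # honours "..." and \" as in the policy rule
        if tok[:3] == ["add", "appfw", "profile"]:
            profiles.add(tok[3])
        elif tok[:3] == ["set", "appfw", "profile"]:
            param = None
            for arg in tok[4:]:
                if arg.startswith("-"):      # a new parameter begins
                    param = arg[1:]
                    actions[tok[3]][param] = []
                elif param:                  # a value of the current parameter
                    actions[tok[3]][param].append(arg)
        elif tok[:3] == ["add", "appfw", "policy"]:
            policies[tok[3]] = tok[5]        # add appfw policy <name> <rule> <profile>
        elif tok[:3] == ["bind", "appfw", "global"]:
            bound.add(tok[3])
    report = {"blocking": {}, "log_only": {}}
    for prof, params in actions.items():
        checks = {p: v for p, v in params.items() if p.endswith("Action")}
        report["blocking"][prof] = sorted(p for p, v in checks.items() if "block" in v)
        report["log_only"][prof] = sorted(p for p, v in checks.items() if "block" not in v)
    report["missing_profile"] = {pol: prof for pol, prof in policies.items()
                                 if prof not in profiles}
    report["unbound_policies"] = sorted(set(policies) - bound)
    return report

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```

In the sample, pl-blog points at pr-blog while only pr-basic was created, so it is reported under missing_profile.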
To configure session limit per PE
At the command prompt, type the following commands:
set appfw settings -sessionLimit <session limit>
Example
The following example configures the session limit per packet engine (PE).
> set appfw settings -sessionLimit 500000
Done
Default value: 100000. Maximum value: 500000 per PE.