Manual configuration by using the NetScaler GUI

If you need to manually configure the Web App Firewall feature, Citrix recommends that you use the NetScaler GUI procedure.

To create and configure signatures object

Before you can configure the signatures, you must create a signatures object from the appropriate default signatures object template. Assign the copy a new name, and then configure the copy. You cannot configure or modify the default signatures objects directly. The following procedure provides basic instructions for configuring a signatures object. For more detailed instructions, see Manually Configuring the Signatures Feature.

  1. Navigate to Security > NetScaler Web App Firewall > Signatures.
  2. In the details pane, select the signatures object that you want to use as a template, and then click Add.

    Your choices are:

    • Default Signatures. Contains the signatures rules, the SQL injection rules, and the cross-site scripting rules.
    • XPath Injection. Contains all of the items in the Default Signatures, and in addition, contains the XPath injection rules.
  3. In the Add Signatures Object dialog box, type a name for your new signatures object, click OK, and then click Close. The name can begin with a letter, number, or the underscore symbol, and can consist of one to 31 characters drawn from letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), and underscore (_) symbols.
  4. Select the signatures object that you created, and then click Open.
  5. In the Modify Signatures Object dialog box, set the Display Filter Criteria options at the left to display the filter items that you want to configure.

    As you modify these options, the results that you specify are displayed in the Filtered Results window at the right. For more information about the categories of signatures, see Signatures.

  6. In the Filtered Results area, configure the settings for a signature by selecting and clearing the appropriate check boxes.
  7. When finished, click Close.

To create a Web App Firewall profile by using the GUI

Creating a Web App Firewall profile requires that you specify only a few configuration details.

  1. Navigate to Security > NetScaler Web App Firewall > Profiles.
  2. In the details pane, click Add.
  3. In the Create Web App Firewall Profile dialog box, type a name for your profile.

    The name can begin with a letter, number, or the underscore symbol, and can consist of one to 31 characters drawn from letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols.

  4. Choose the profile type from the drop-down list.
  5. Click Create, and then click Close.

To configure a Web App Firewall profile by using the GUI

  1. Navigate to Security > NetScaler Web App Firewall > Profiles.
  2. In the details pane, select the profile that you want to configure, and then click Edit.
  3. In the Configure Web App Firewall Profile dialog box, on the Security Checks tab, configure the security checks.
    • To enable or disable an action for a check, in the list, select or clear the check box for that action.
    • To configure other parameters for those checks that have them, in the list, click the blue chevron to the far right of that check. In the dialog box that appears, configure the parameters. These vary from check to check.

      You can also select a check and, at the bottom of the dialog box, click Open to display the Configure Relaxation dialog box or Configure Rule dialog box for that check. These dialog boxes also vary from check to check. Most of them include a Checks tab and a General tab. If the check supports relaxations or user-defined rules, the Checks tab includes an Add button, which opens yet another dialog box, in which you can specify a relaxation or rule for the check. (A relaxation is a rule for exempting specified traffic from the check.) If relaxations have already been configured, you can select one and click Open to modify it.

    • To review learned exceptions or rules for a check, select the check, and then click Learned Violations. In the Manage Learned Rules dialog box, select each learned exception or rule in turn.

      • To edit the exception or rule, and then add it to the list, click Edit & Deploy.
      • To accept the exception or rule without modification, click Deploy.
      • To remove the exception or rule from the list, click Skip.
    • To refresh the list of exceptions or rules to be reviewed, click Refresh.
    • To open the Learning Visualizer and use it to review learned rules, click Visualizer.
    • To review the log entries for connections that matched a check, select the check, and then click Logs. You can use this information to determine which checks are matching attacks so that you can enable blocking for those checks. You can also use this information to determine which checks are matching legitimate traffic, so that you can configure an appropriate exemption to allow those legitimate connections. For more information about the logs, see Logs, Statistics, and Reports.
    • To completely disable a check, in the list, clear all of the check boxes to the right of that check.
  4. On the Settings tab, configure the profile settings.
    • To associate the profile with the set of signatures that you previously created and configured, under Common Settings, choose that set of signatures in the Signatures drop-down list.

      Note:

      You might need to use the scroll bar on the right of the dialog box to scroll down to display the Common Settings section.

    • To configure an HTML or XML Error Object, select the object from the appropriate drop-down list.

      Note:

      You must first upload the error object that you want to use in the Import pane.

    • To configure the default XML Content Type, type the content type string directly into the Default Request and Default Response text boxes, or click Manage Allowed Content Types to manage the list of allowed content types.

  5. If you want to use the learning feature, click Learning, and configure the learning settings for the profile. For more information, see Configure and use the Learning feature.

  6. Click OK to save your changes and return to the Profiles pane.

Configuring a Web App Firewall rule or relaxation

You configure two different types of information in this dialog box, depending upon which security check you are configuring. In most cases, you configure an exception (or relaxation) to the security check. If you are configuring the Deny URL check or the Field Formats check, you configure an addition (or rule). The process for either of these is the same.

To configure a relaxation rule by using the NetScaler GUI

  1. Navigate to Security > NetScaler Web App Firewall > Profiles.
  2. In the Profiles pane, select the profile you want to configure, and then click Edit.
  3. In the Configure Web App Firewall Profile page, click Relaxation Rule in the Advanced Settings section. The Relaxation Rule section contains the complete list of Web App Firewall relaxation rules.
  4. Click a security rule that you want to configure, and then click Edit.
  5. The URL Relaxation Rules page contains a list of actions that you can configure for this rule and a list of existing relaxations or rules. The list might be empty if you have neither manually added any relaxations nor approved any relaxations that were recommended by the learning engine. Beneath the list is a row of buttons that allow you to add, modify, delete, enable, or disable the relaxations on the list.
  6. To add or modify a relaxation or a rule, do one of the following:

    • To add a new relaxation, click Add.
    • To modify an existing relaxation, select the relaxation that you want to modify, and then click Open.

    The Start URL Relaxation Rule page is displayed. Except for the title, these dialog boxes are identical.

  7. Fill in the dialog box as described below. The dialog boxes for each check are different. The list below covers all elements that might appear in any dialog box.

    • Enabled check box—Select to place this relaxation or rule in active use; clear to deactivate it.
    • Attachment Content Type—The Content-Type attribute of an XML attachment. In the text area, enter a regular expression that matches the Content-Type attribute of the XML attachments to allow.
    • Action URL—In the text area, enter a PCRE-format regular expression that defines the URL to which data entered into the web form is delivered.
    • Cookie—In the text area, enter a PCRE-format regular expression that defines the cookie.
    • Field Name—A web form field name element may be labeled Field Name, Form Field, or another similar name. In the text area, enter a PCRE-format regular expression that defines the name of the form field.
    • From Origin URL—In the text area, enter a PCRE-format regular expression that defines the URL that hosts the web form.
    • From Action URL—In the text area, enter a PCRE-format regular expression that defines the URL to which data entered into the web form is delivered.
    • Name—An XML element or attribute name. In the text area, enter a PCRE-format regular expression that defines the name of the element or attribute.
    • URL—A URL element may be labeled Action URL, Deny URL, Form Action URL, Form Origin URL, Start URL, or simply URL. In the text area, enter a PCRE-format regular expression that defines the URL.
    • Format—The format section contains multiple settings that include list boxes and text boxes. Any of the following can appear:

      • Type—Select a field type in the Type drop-down list. To add a new field type definition, click Manage.
      • Minimum Length—Type a positive integer that represents the minimum length in characters if you want to force users to fill in this field. Default: 0 (Allows field to be left blank.)
      • Maximum length—To limit the length of data in this field, type a positive integer that represents the maximum length in characters. Default: 65535
    • Location—Choose the element of the request that your relaxation applies to from the drop-down list. For HTML security checks, the choices are:

      • FORMFIELD—Form fields in web forms.
      • HEADER—Request headers.
      • COOKIE—Set-Cookie headers.

      For XML security checks, the choices are:

      • ELEMENT—XML element.
      • ATTRIBUTE—XML attribute.
    • Maximum Attachment Size—The maximum size in bytes allowed for an XML attachment.
    • Comments—In the text area, type a comment. Optional.

    Note: For any element that requires a regular expression, you can type the regular expression, use the Regex Tokens menu to insert regular expression elements and symbols directly into the text box, or click Regex Editor to open the Add Regular Expression dialog box, and use it to construct the expression.

  8. To remove a relaxation or rule, select it, and then click Delete.
  9. To enable a relaxation or rule, select it, and then click Enable.
  10. To disable a relaxation or rule, select it, and then click Disable.
  11. To configure the settings and relationships of all existing relaxations in an integrated interactive graphic display, click Visualizer, and use the display tools.

    Note:

    The Visualizer button does not appear on all check relaxation dialog boxes.

  12. To review learned rules for this check, click Learning and perform the steps in To configure and use the Learning feature.
  13. Click OK.

To configure the Learned Rules by using the NetScaler GUI

  1. Navigate to Security > NetScaler Web App Firewall > Profiles.
  2. In the Profiles pane, select the profile, and then click Edit.
  3. In the NetScaler Web App Firewall Profile page, click Learned Rules from Advanced Settings. In the Learned Rules section you can see a list of security checks that are available in the current profile and that support the learning feature.
  4. To configure the learning thresholds, select a security check, and click Settings.
  5. In the Dynamic Profiling and Learning Rules Settings page, configure the following settings. For more information, see Dynamic profile settings.

    • Minimum number threshold. Depending on which security check’s learning settings you are configuring, the minimum number threshold might refer to the minimum number of total user sessions that must be observed, the minimum number of requests that must be observed, or the minimum number of times a specific form field must be observed, before a learned relaxation is generated. Default: 1

    • Percentage of times threshold. Depending on which security check’s learning settings you are configuring, the percentage of times threshold might refer to the percentage of total observed user sessions that violated the security check, the percentage of requests, or the percentage of times a form field matched a particular field type, before a learned relaxation is generated. Default: 0

  6. To remove all learned data and reset the learning feature, so that it must start its observations again from the beginning, click the Remove All Learned Data action.

    Note:

    This button removes only learned recommendations that have not been reviewed and either approved or skipped. It does not remove learned relaxations that have been accepted and deployed.

  7. To restrict the learning engine to traffic from a specific set of IPs, click Trusted Learning Clients, and add the IP addresses that you want to use to the list.
    1. To add an IP address or IP address range to the Trusted Learning Clients list, click Add.
    2. In the AppFirewall Profile to Trusted Client Binding page, click Add.
    3. Select the Enabled check box to enable the feature.
    4. In the Trusted Learning Client box, type the IP address or an IP address range in CIDR format.
    5. In the Comments text area, type a comment that describes this IP address or range.
    6. Click Create and Close.
  8. To modify an existing IP address or range, click the IP address or range, and then click Edit. Except for the name, the dialog box that appears is identical to the Add Trusted Learning Clients dialog box.
  9. To disable or enable an IP address or range, but leave it on the list, click the IP address or range, and then click Disable or Enable, as appropriate.
  10. To remove an IP address or range completely, click the IP address or range, and then click Delete.

  11. Click Close to return to the NetScaler Web App Firewall Profile page.

To create a NetScaler Web App Firewall policy by using the NetScaler GUI

  1. Navigate to Security > NetScaler Web App Firewall > Policies.
  2. In the Policies page, click the NetScaler Web App Firewall Policy link.
  3. In the NetScaler Web App Firewall Policies page, click Add.
  4. In the Create NetScaler Web App Firewall Policy page, set the following parameters.

    1. Name. The name can begin with a letter, number, or the underscore symbol, and can consist of one to 128 characters drawn from letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols.
    2. Profile. Select the profile that you want to associate with this policy from the Profile drop-down list. You can create a profile to associate with your policy by clicking New, and you can modify an existing profile by clicking Modify.
    3. Expression. In the Expression text area, create a rule for your policy.
    4. Log Action. Add a log action or you can modify an existing log action.
    5. Comments. A brief description about the policy.
  5. Click Create or OK, and then click Close.

To create or configure a Web App Firewall rule (expression)

The policy rule, also called the expression, defines the web traffic that the Web App Firewall filters by using the profile associated with the policy. Like other NetScaler policy rules (or expressions), Web App Firewall rules use NetScaler expressions syntax. This syntax is powerful, flexible, and extensible. It is too complex to describe completely in this set of instructions. You can use the following procedure to create a simple firewall policy rule, or you can read it as an overview of the policy creation process.

  1. If you have not already done so, navigate to the appropriate location in the Web App Firewall wizard or the NetScaler GUI to create your policy rule:

    • If you are configuring a policy in the Web App Firewall wizard, in the navigation pane, click NetScaler Web App Firewall Wizard, then in the details pane click NetScaler Web App Firewall Wizard, and then navigate to the Specify Rule tab page.
    • In the Specify Rule page, choose the prefix for your expression from the drop-down list. Your choices are:

    • HTTP. The HTTP protocol. Choose this if you want to examine some aspect of the request that pertains to the HTTP protocol.
    • SYS. One or more protected websites. Choose this if you want to examine some aspect of the request that pertains to the recipient of the request.
    • CLIENT. The computer that sent the request. Choose this if you want to examine some aspect of the sender of the request.
    • SERVER. The computer to which the request was sent. Choose this if you want to examine some aspect of the recipient of the request.

    After you choose a prefix, the Web App Firewall displays a two-part prompt window that displays the possible next choices at the top, and a brief explanation of what the selected choice means at the bottom.

  2. Choose your next term.

    If you chose HTTP as your prefix, your only choice is REQ, which specifies the Request/Response pair. (The Web App Firewall operates on the request and response as a unit instead of on each separately.) If you chose another prefix, your choices are more varied. For help on a specific choice, click that choice once to display information about it in the lower prompt window.

    When you have decided which term you want, double-click it to insert it into the Expression window.

  3. Type a period after the term you just chose. You are then prompted to choose your next term, as described in the previous step. When a term requires that you type a value, fill in the appropriate value. For example, if you choose HTTP.REQ.HEADER(""), type the header name between the quotation marks.

  4. Continue choosing terms from the prompts and filling in any values that are needed, until your expression is finished.

    Following are some examples of expressions for specific purposes.

    • Specific web host. To match traffic from a particular web host:

HTTP.REQ.HEADER("Host").EQ("shopping.example.com")

For shopping.example.com, substitute the name of the web host that you want to match.

  • Specific web folder or directory. To match traffic from a particular folder or directory on a Web host:

HTTP.REQ.URL.STARTSWITH("https://www.example.com/folder")

For www.example.com, substitute the name of the web host. For folder, substitute the folder or path to the content that you want to match. For example, if your shopping cart is in a folder called /solutions/orders, you substitute that string for folder.

  • Specific type of content: GIF images. To match GIF format images:

HTTP.REQ.URL.ENDSWITH(".gif")

To match other format images, substitute another string in place of .gif.

  • Specific type of content: scripts. To match all CGI scripts located in the CGI-BIN directory:

HTTP.REQ.URL.STARTSWITH("https://www.example.com/CGI-BIN")

To match all JavaScripts with .js extensions:

HTTP.REQ.URL.ENDSWITH(".js")

For more information about creating policy expressions, see Policies and Expressions.

Note:

If you use the command line to configure a policy, remember to escape any double quotation marks within NetScaler expressions. For example, the following expression is correct if entered in the GUI:

HTTP.REQ.HEADER("Host").EQ("shopping.example.com")

If entered at the command line, however, you must type this instead:

HTTP.REQ.HEADER(\"Host\").EQ(\"shopping.example.com\")

![Policy expression configuration](/en-us/citrix-adc/media/waf-rule.png)
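As an added illustration (not from the original page or from NetScaler itself), the following Python models how the example expressions above select requests, and how the command-line form escapes the quotation marks. The sample requests are constructed, HTTP.REQ.URL is treated as the path-and-query request target, and backslash escaping of the double quotes is assumed for the command line.

```python
import re

# Constructed sample requests (not from the original page). HTTP.REQ.URL is
# modelled here as the request-target the client sent: the path and query.
SAMPLE_REQUESTS = [
    {"url": "/solutions/orders/cart", "headers": {"Host": "shopping.example.com"}},
    {"url": "/images/logo.gif", "headers": {"Host": "www.example.com"}},
    {"url": "/CGI-BIN/search.cgi?q=test", "headers": {"Host": "www.example.com"}},
    {"url": "/static/app.js", "headers": {"Host": "shopping.example.com"}},
]

# One term of a dotted expression in its GUI form: NAME or NAME("argument").
_TERM = re.compile(r'([A-Z_]+)(?:\("([^"]*)"\))?')


def parse_expression(expr):
    """Split an expression such as HTTP.REQ.HEADER("Host").EQ("x") into
    a list of (term, argument) pairs; argument is None for bare terms."""
    terms, pos = [], 0
    while True:
        m = _TERM.match(expr, pos)
        if not m:
            raise ValueError(f"cannot parse expression at offset {pos}: {expr[pos:]!r}")
        terms.append((m.group(1), m.group(2)))
        pos = m.end()
        if pos == len(expr):
            return terms
        if expr[pos] != ".":
            raise ValueError(f"expected '.' at offset {pos} in {expr!r}")
        pos += 1


def evaluate(expr, request):
    """Simplified model (assumption, not the NetScaler engine) of how the
    HTTP.REQ.URL and HTTP.REQ.HEADER forms on this page match one request."""
    terms = parse_expression(expr)
    if len(terms) != 4 or terms[0] != ("HTTP", None) or terms[1] != ("REQ", None):
        raise ValueError("only HTTP.REQ.<selector>.<operator> expressions are modelled")
    (selector, sel_arg), (op, operand) = terms[2], terms[3]
    if selector == "URL":
        subject = request["url"]
    elif selector == "HEADER" and sel_arg is not None:
        # Header names are case-insensitive, so look the header up that way.
        lowered = {k.lower(): v for k, v in request["headers"].items()}
        subject = lowered.get(sel_arg.lower(), "")
    else:
        raise ValueError(f"unsupported selector {selector}")
    if op == "EQ":
        return subject == operand
    if op == "STARTSWITH":
        return subject.startswith(operand)
    if op == "ENDSWITH":
        return subject.endswith(operand)
    raise ValueError(f"unsupported operator {op}")


def matching_urls(expr, requests=SAMPLE_REQUESTS):
    """Return the URLs of the sample requests that the expression selects."""
    return [r["url"] for r in requests if evaluate(expr, r)]


def to_cli_form(expr):
    """Escape the embedded double quotes so the GUI-form expression can be
    typed at the command line (backslash escaping assumed, as in the note)."""
    return expr.replace('"', '\\"')


if __name__ == "__main__":
    for e in ['HTTP.REQ.HEADER("Host").EQ("shopping.example.com")',
              'HTTP.REQ.URL.STARTSWITH("/solutions/orders")',
              'HTTP.REQ.URL.ENDSWITH(".gif")',
              'HTTP.REQ.URL.STARTSWITH("/CGI-BIN")',
              'HTTP.REQ.URL.ENDSWITH(".js")']:
        print(f"{e}\n  matches:  {matching_urls(e)}\n  CLI form: {to_cli_form(e)}")
```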

To add a firewall rule (expression) by using the Add Expression dialog box

The Add Expression dialog box (also referred to as the Expression Editor) helps users who are not familiar with the NetScaler expressions language to construct a policy that matches the traffic that they want to filter.

  1. If you have not already done so, navigate to the appropriate location in the Web App Firewall wizard or the NetScaler GUI:
    • If you are configuring a policy in the Web App Firewall wizard, in the navigation pane, click Web App Firewall, then in the details pane click Web App Firewall Wizard, and then navigate to the Specify Rule screen.
    • If you are configuring a policy manually, in the navigation pane, expand Web App Firewall, then Policies, and then Firewall. In the details pane, to create a policy, click Add. To modify an existing policy, select the policy, and then click Open.
  2. On the Specify Rule screen, in the Create Web App Firewall Profile dialog box, or in the Configure Web App Firewall Profile dialog box, click Add.
  3. In the Add Expression dialog box, in the Construct Expression area, in the first list box, choose one of the following prefixes:
    • HTTP. The HTTP protocol. Choose this if you want to examine some aspect of the request that pertains to the HTTP protocol. The default choice.
    • SYS. One or more protected websites. Choose this if you want to examine some aspect of the request that pertains to the recipient of the request.
    • CLIENT. The computer that sent the request. Choose this if you want to examine some aspect of the sender of the request.
    • SERVER. The computer to which the request was sent. Choose this if you want to examine some aspect of the recipient of the request.
  4. In the second list box, choose your next term. The available terms differ depending on the choice you made in the previous step, because the dialog box automatically adjusts the list to contain only those terms that are valid for the context. For example, if you selected HTTP in the previous list box, the only choice is REQ, for requests. Because the Web App Firewall treats requests and associated responses as a single unit and filters both, you do not need to specify responses separately. After you choose your second term, a third list box appears to the right of the second. The Help window displays a description of the second term, and the Preview Expression window displays your expression.
  5. In the third list box, choose the next term. A new list box appears to the right, and the Help window changes to display a description of the new term. The Preview Expression window updates to display the expression as you have specified it to that point.
  6. Continue choosing terms, and when prompted filling in arguments, until your expression is complete. If you make a mistake or want to change your expression after you have already selected a term, you can simply choose another term. The expression is modified, and any arguments or further terms that you added after the modified term are cleared.
  7. When you have finished constructing your expression, click OK to close the Add Expression dialog box. Your expression is inserted into the Expression text area.

To bind a Web App Firewall policy by using the NetScaler GUI

  1. Do one of the following:
    • Navigate to Security > Web App Firewall, and in the details pane, click application firewall policy manager.
    • Navigate to Security > NetScaler Web App Firewall > Policies > Firewall, and in the “NetScaler Web App Firewall Policies” pane, click Policy Manager.
  2. In the Application Firewall Policy Manager dialog, choose the bind point to which you want to bind the policy from the drop-down list. The choices are:
    • Override Global. Policies that are bound to this bind point process all traffic from all interfaces on the NetScaler appliance, and are applied before any other policies.
    • LB Virtual Server. Policies that are bound to a load balancing virtual server are applied only to traffic that is processed by that load balancing virtual server, and are applied before any Default Global policies. After selecting LB Virtual Server, you must also select the specific load balancing virtual server to which you want to bind this policy.
    • CS Virtual Server. Policies that are bound to a content switching virtual server are applied only to traffic that is processed by that content switching virtual server, and are applied before any Default Global policies. After selecting CS Virtual Server, you must also select the specific content switching virtual server to which you want to bind this policy.
    • Default Global. Policies that are bound to this bind point process all traffic from all interfaces on the NetScaler appliance.
    • Policy Label. Policies that are bound to a policy label process traffic that the policy label routes to them. The policy label controls the order in which policies are applied to this traffic.
    • None. Do not bind the policy to any bind point.
  3. Click Continue. A list of existing Web App Firewall policies appears.
  4. Select the policy you want to bind by clicking it.
  5. Make any additional adjustments to the binding.
    • To modify the policy priority, click the field to enable it, and then type a new priority. You can also select Regenerate Priorities to renumber the priorities evenly.
    • To modify the policy expression, double-click that field to open the Configure Web App Firewall Policy dialog box, where you can edit the policy expression.
    • To set the Goto Expression, double-click the field in the Goto Expression column to display the drop-down list, where you can choose an expression.
    • To set the Invoke option, double-click the field in the Invoke column to display the drop-down list, where you can choose an expression.
  6. Repeat steps 3 through 6 to add any additional Web App Firewall policies you want to globally bind.
  7. Click OK. A message appears in the status bar, stating that the policy has been successfully bound.