Configuring Web App Firewall profiles
To configure a user-defined Web App Firewall profile, first configure the security checks, which are called deep protections or advanced protections in the Web App Firewall wizard. Certain checks require configuration if you are to use them at all. Others have default configurations that are safe but limited in scope; your websites might need or benefit from a different configuration that takes advantage of more features of certain security checks.
After you have configured the security checks, you can also configure some other settings that control the behavior, not of a single security check, but the Web App Firewall feature. The default configuration is sufficient to protect most websites, but you must review them to make sure that they are right for your protected websites.
The profile name length and all import object name length can be set up to 127 characters.
For more information about the Web App Firewall security checks, see Advanced Protections.
To configure an Web App Firewall profile by using the command line
At the command prompt, type the following commands:
set appfw profile <name> <arg1> [<arg2> ...]
<arg1>= a parameter and any associated options.
<arg2>= a second parameter and any associated options.
- … = additional parameters and options.
For descriptions of the parameters to use when configuring specific security checks, see Advanced Protections.
save ns config
The following example shows how to enable blocking for the HTML SQL Injection and HTML Cross-Site Scripting checks in a profile named pr-basic. This command enables blocking for those actions while making no other changes to the profile.
set appfw profile pr-basic -crossSiteScriptingAction block -SQLInjectionAction block <!--NeedCopy-->
Bind relaxation rule to a Web App Firewall profile
When Web App Firewall detects a violation, the user has the ability to bypass the action applied through relaxation rules. Relaxation rule is an exception applied to the detected security violation. For example, the Start URL relaxation rules protect against forceful browsing. Known web server vulnerabilities that are exploited by hackers can be detected and blocked by enabling a set of default Deny URL rules. Commonly launched attacks, such as Buffer Overflow, SQL, or Cross-site scripting can also be easily detected.
To bind security exemption or relaxation rules by using the CLI
At the command prompt, type:
bind appfw profile <name> ((-startURL <expression> [-resourceId <string>]) | -denyURL <expression> | (-fieldConsistency <string> <formActionURL> [-isRegex ( REGEX | NOTREGEX )]) | (-cookieConsistency <string> [-isRegex ( REGEX | NOTREGEX )]) | (-SQLInjection <string> <formActionURL> [-isRegex ( REGEX | NOTREGEX )] [-location <location>] [-valueType <valueType> <valueExpression>.... <!--NeedCopy-->
To bind security exemption or relaxation rules by using the GUI
- Navigate to Security > Citrix Web App Firewall > Profiles.
- In the details pane, select a profile and click Edit.
- In the Citrix Web App Firewall Profile page, click Relaxation Rules from the Advanced Setting section.
- In the Relaxation Rules section, click StartURL and click Edit.
- In the Start URL Relaxation Rules page, click Add.
In the Start URL Relaxation Rule page, set the following parameters:
- Enabled. Select the checkbox to enable the relaxation rule
- Start URL. Enter the regular expression value
- Comments. Provide a short description about the relaxation rule.
- Click Create and Close.
To configure an Web App Firewall profile by using the GUI
- Navigate to Security > Citrix Web App Firewall > Profiles.
- In the details pane, select the profile that you want to configure, and then click Edit.
In the Configure Web App Firewall Profile dialog box, on the Security Checks tab, configure the security checks.
To enable or disable an action for a check, in the list, select or clear the check box for that action.
To configure other parameters for those checks that have them, in the list, click the blue chevron to the far right of that check. In the dialog box that appears, configure the parameters. These vary from check to check.
You can also select a check and, at the bottom of the dialog box, click Open to display the Configure Relaxation dialog box or Configure Rule dialog box for that check. These dialog boxes also vary from check to check. Most of them include a Checks tab and a General tab. If the check supports relaxations or user-defined rules, the Checks tab includes an Add button, which opens yet another dialog box, in which you can specify a relaxation or rule for the check. (A relaxation is a rule for exempting specified traffic from the check.) If relaxations have already been configured, you can select one and click Open to modify it.
To review learned exceptions or rules for a check, select the check, and then click Learned Violations. In the Manage Learned Rules dialog box, select each learned exception or rule in turn.
- To edit the exception or rule, and then add it to the list, click Edit & Deploy.
- To accept the exception or rule without modification, click Deploy.
- To remove the exception or rule from the list, click Skip.
To refresh the list of exceptions or rules to be reviewed, click Refresh.
open the Learning Visualizer and use it to review learned rules, click Visualizer.
review the log entries for connections that matched a check, select the check, and then click Logs. You can use this information to determine which checks are matching attacks, so that you can enable blocking for those checks. You can also use this information to determine which checks are matching legitimate traffic, so that you can configure an appropriate exemption to allow those legitimate connections. For more information about the logs, see Logs, Statistics, and Reports.
To completely disable a check, in the list, clear all of the check boxes to the right of that check.
- On the Settings tab, configure the profile settings.
To associate the profile with the set of signatures that you previously created and configured, under Common Settings, choose that set of signatures in the Signatures drop-down list.
You may must use the scroll bar on the right of the dialog box to scroll down to display the Common Settings section.
- To configure an HTML or XML Error Object, select the object from the appropriate drop-down list.
You must first upload the error object that you want to use in the Imports pane. For more information about importing error objects, see Imports.
- To configure the default XML Content Type, type the content type string directly into the Default Request and Default Response text boxes, or click Manage Allowed Content Types to manage the list of allowed content types. »More….
- If you want to use the learning feature, click Learning, and configure the learning settings for the profile, as described in Configuring and Using the Learning Feature.
- Click OK to save your changes and return to the Profiles pane.