-
Getting Started with Citrix ADC
-
Deploy a Citrix ADC VPX instance
-
Optimize Citrix ADC VPX performance on VMware ESX, Linux KVM, and Citrix Hypervisors
-
Apply Citrix ADC VPX configurations at the first boot of the Citrix ADC appliance in cloud
-
Install a Citrix ADC VPX instance on Microsoft Hyper-V servers
-
Install a Citrix ADC VPX instance on Linux-KVM platform
-
Prerequisites for Installing Citrix ADC VPX Virtual Appliances on Linux-KVM Platform
-
Provisioning the Citrix ADC Virtual Appliance by using OpenStack
-
Provisioning the Citrix ADC Virtual Appliance by using the Virtual Machine Manager
-
Configuring Citrix ADC Virtual Appliances to Use SR-IOV Network Interface
-
Configuring Citrix ADC Virtual Appliances to use PCI Passthrough Network Interface
-
Provisioning the Citrix ADC Virtual Appliance by using the virsh Program
-
Provisioning the Citrix ADC Virtual Appliance with SR-IOV, on OpenStack
-
Configuring a Citrix ADC VPX Instance on KVM to Use OVS DPDK-Based Host Interfaces
-
-
Deploy a Citrix ADC VPX instance on AWS
-
Deploy a VPX high-availability pair with elastic IP addresses across different AWS zones
-
Deploy a VPX high-availability pair with private IP addresses across different AWS zones
-
Configure a Citrix ADC VPX instance to use SR-IOV network interface
-
Configure a Citrix ADC VPX instance to use Enhanced Networking with AWS ENA
-
Deploy a Citrix ADC VPX instance on Microsoft Azure
-
Network architecture for Citrix ADC VPX instances on Microsoft Azure
-
Configure multiple IP addresses for a Citrix ADC VPX standalone instance
-
Configure a high-availability setup with multiple IP addresses and NICs
-
Configure a high-availability setup with multiple IP addresses and NICs by using PowerShell commands
-
Configure a Citrix ADC VPX instance to use Azure accelerated networking
-
Configure HA-INC nodes by using the Citrix high availability template with Azure ILB
-
Configure a high-availability setup with Azure external and internal load balancers simultaneously
-
Configure address pools (IIP) for a Citrix Gateway appliance
-
Upgrade and downgrade a Citrix ADC appliance
-
Solutions for Telecom Service Providers
-
Load Balance Control-Plane Traffic that is based on Diameter, SIP, and SMPP Protocols
-
Provide Subscriber Load Distribution Using GSLB Across Core-Networks of a Telecom Service Provider
-
Authentication, authorization, and auditing application traffic
-
Basic components of authentication, authorization, and auditing configuration
-
On-premises Citrix Gateway as an identity provider to Citrix Cloud
-
Authentication, authorization, and auditing configuration for commonly used protocols
-
Troubleshoot authentication and authorization related issues
-
-
-
-
-
-
-
Persistence and persistent connections
-
Advanced load balancing settings
-
Gradually stepping up the load on a new service with virtual server–level slow start
-
Protect applications on protected servers against traffic surges
-
Retrieve location details from user IP address using geolocation database
-
Use source IP address of the client when connecting to the server
-
Use client source IP address for backend communication in a v4-v6 load balancing configuration
-
Set a limit on number of requests per connection to the server
-
Configure automatic state transition based on percentage health of bound services
-
-
Use case 2: Configure rule based persistence based on a name-value pair in a TCP byte stream
-
Use case 3: Configure load balancing in direct server return mode
-
Use case 6: Configure load balancing in DSR mode for IPv6 networks by using the TOS field
-
Use case 7: Configure load balancing in DSR mode by using IP Over IP
-
Use case 10: Load balancing of intrusion detection system servers
-
Use case 11: Isolating network traffic using listen policies
-
Use case 12: Configure Citrix Virtual Desktops for load balancing
-
Use case 13: Configure Citrix Virtual Apps for load balancing
-
Use case 14: ShareFile wizard for load balancing Citrix ShareFile
-
Use case 15: Configure layer 4 load balancing on the Citrix ADC appliance
-
-
-
IP Reputation
-
-
-
-
-
Authentication and authorization for System Users
-
-
Configuring a CloudBridge Connector Tunnel between two Datacenters
-
Configuring CloudBridge Connector between Datacenter and AWS Cloud
-
Configuring a CloudBridge Connector Tunnel Between a Datacenter and Azure Cloud
-
Configuring CloudBridge Connector Tunnel between Datacenter and SoftLayer Enterprise Cloud
-
Configuring a CloudBridge Connector Tunnel Between a Citrix ADC Appliance and Cisco IOS Device
-
CloudBridge Connector Tunnel Diagnostics and Troubleshooting
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
IP Reputation
IP reputation is a tool that identifies IP addresses that send unwanted requests. Using the IP reputation list you can reject requests that are coming from an IP address with a bad reputation. Optimize Web Application Firewall performance by filtering requests that you do not want to process. Reset, drop a request, or even configure a responder policy to take a specific responder action.
The following are some attacks that you can prevent by using IP Reputation:
- Virus Infected personal computers. (home PCs) are the single biggest source of Spam on the internet. IP Reputation can identify the IP address that is sending unwanted requests. IP reputation can be especially useful for blocking large scale DDoS, DoS, or anomalous SYN flood attacks from known infected sources.
- Centrally managed and automated botnet. Attackers have gained popularity for stealing passwords, because it doesn’t take long when hundreds of computers work together to crack your password. It is easy to launch botnet attacks to figure out passwords that use commonly used dictionary words.
- Compromised web-server. Attacks are not as common because awareness and server security have increased, so hackers and spammers look for easier targets. There are still web servers and online forms that hackers can compromise and use to send spam (such as viruses and porn). Such activity is easier to detect and quickly shut down, or block with a reputation list such as SpamRats.
- Windows Exploits. (such as Active IPs offering or distributing malware, shell code, rootkits, worms, or viruses).
- Known spammers and hackers.
- Mass e-mail marketing campaigns.
- Phishing Proxies (IP addresses hosting phishing sites, and other fraud such as ad click fraud or gaming fraud).
- Anonymous proxies (IPs providing proxy and anonymization services including The Onion Router aka TOR).
A Citrix ADC appliance uses Webroot as the service provider for a dynamically generated malicious IP database and the metadata for those IP addresses. Metadata might include geolocation details, threat category, threat count, and so on. The Webroot threat Intelligence engine receives real-time data from millions of sensors. It automatically and continuously captures, scans, analyses and scores the data, using advanced machine learning and behavioral analysis. Intelligence about a threat is continually updated.
The Citrix ADC appliance validates an incoming request for its bad reputation using the Webroot’s uses IP reputation database. The database has a huge collection of IP address classified based IP threat categories. Following are the IP threat categories and its description.
- Spam Sources. Spam Sources includes Tunneling Spam messages through proxy, anomalous SMTP activities, Forum Spam activities.
- Windows Exploits. The Windows Exploits category includes active IP Address offering or distributing malware, shell code, rootkits, worms, or viruses
- Web Attacks. The Web Attacks category includes cross site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force attack
- Botnets. The Botnet category includes Botnet C&C channels, and infected zombie machine controlled by Bot master
- Scanners. The Scanners category includes all reconnaissance such as probes, host scan, domain scan and password brute force attack
- Denial of Service. The Denial of Services category includes DOS, DDOS, anomalous sync flood, anomalous traffic detection
- Reputation. Deny access from IP addresses currently known to be infected with malware. This category also includes IPs with average low Webroot Reputation Index score. Enabling this category prevents access from sources identified to contact malware distribution points.
- Phishing. The Phishing category includes IP addresses hosting phishing sites, other kinds of fraud activities such as Ad Click Fraud or Gaming fraud
- Proxy. The Proxy category includes IP addresses providing proxy and def services.
- Mobile Threats. The Mobile Threats category includes IP addresses of malicious and unwanted mobile applications. This category leverages data from the Webroot mobile threat research team.
- Tor Proxy. The Tor Proxy category includes IP addresses acting as exit nodes for the Tor Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination.
When a threat is detected anywhere in the network, the IP address is flagged as malicious and all appliances connected to the network are immediately protected. The dynamic changes in the IP addresses are processed with high speed and accuracy by using advanced machine learning.
As stated in the data sheet from Webroot, the Webroot’s sensor network identifies many key IP threat types, including spam sources, Windows exploits, botnets, scanners, and others. (See the flow diagram on the data sheet.)
The Citrix ADC appliance uses an iprep
client process to get the database from Webroot. The iprep
client uses the HTTP GET method to get the absolute IP list from Webroot for the first time. Later, it checks delta changes once every 5 minutes.
Important:
Make sure that the Citrix ADC appliance has Internet access and DNS is configured before you use the IP Reputation feature.
To access the Webroot database, the Citrix ADC appliance must be able to connect to api.bcti.brightcloud.com on port 443. Each node in the HA or cluster deployment gets the database from Webroot and must be able to access this Fully Qualified Domain Name (FQDN).
Webroot hosts its reputation database in AWS currently. Therefore, Citrix ADC must be able to resolve AWS domains for downloading the reputation db. Also, the firewall must be open for AWS domains.
Note:
Each packet engine requires at least 4 GB to function properly when the IP Reputation feature is enabled.
Advanced policy Expressions. Configure the IP Reputation feature by using advanced policy expressions (default syntax expressions) in the policies bound to supported modules, such as Web Application Firewall and responder. The following are two examples showing expressions that can be used to detect whether the client IP address is malicious.
- CLIENT.IP.SRC.IPREP_IS_MALICIOUS: This expression evaluates to TRUE if the client is included in the malicious IP list.
- CLIENT.IP.SRC.IPREP_THREAT_CATEGORY (CATEGORY): This expression evaluates to TRUE if the client IP is malicious IP and is in the specified threat category.
Following are the possible values for the threat category:
SPAM_SOURCES, WINDOWS_EXPLOITS, WEB_ATTACKS, BOTNETS, SCANNERS, DOS, REPUTATION, PHISHING, PROXY, NETWORK, CLOUD_PROVIDERS, MOBILE_THREATS, TOR_PROXY.
Note:
The IP reputation feature checks both source and destination IP addresses. It detects malicious IPs in the header. If the PI Expression in a policy can identify the IP address, the IP reputation check determines whether it is malicious.
IPRep log message. The /var/log/iprep.log
file contains useful messages that capture information about communication with the Webroot database. The information can be about the credentials used during Webroot communication, failure to connect with Webroot, information included in an update (such as the number of IP addresses in the database).
Creating a blocklist or allowlist of IPs using a policy data set. You can maintain an allow list to allow access to specific IP addresses that are blocklisted in the Webroot database. You can also create a customized block list of IP addresses to supplement the Webroot reputation check. These lists can be created by using a policy data set. A data set is a specialized form of pattern set that is ideally suited for IPv4 address matching. To use data sets, first create the data set and bind IPv4 addresses to it. When configuring a policy for comparing a string in a packet, use an appropriate operator and pass the name of the pattern set or data set as an argument.
To create an allow list of addresses to treat as exceptions during IP reputation evaluation:
- Configure the policy so that the PI expression evaluates to False even if an address in the allow list is listed as malicious by Webroot (or any service provider).
Enabling or disabling IP reputation. IP reputation is a part of the general reputation feature, which is license based. When you enable or disable the reputation feature, it enables or disables IP Reputation.
General procedure. Deploying IP reputation involves the following tasks
- Verify that the license installed on the Citrix ADC appliance has IP reputation support. Premium and standalone application firewall licenses support the IP reputation feature.
- Enable the IP reputation and application firewall features.
- Add an application firewall profile.
- Add an application firewall policy using the PI expressions to identify the malicious IP addresses in the IP Reputation database.
- Bind the application firewall policy to an appropriate bind point.
- Verify that any request received from a malicious address gets logged in the
ns.log
file to show that the request was processed as specified in the profile.
Configure the IP reputation feature using the CLI
At the command prompt, type:
enable feature reputation
disable feature reputation
The following examples show how you can add an application firewall policy using the PI expression to identify malicious addresses. You can use the built-in profiles, or add a profile, or configure an existing profile to invoke the desired action when a request matches a policy match.
Examples 3 and 4 show how to create a policy dataset to generate a block list or an allow list of IP addresses.
Example 1:
The following command creates a policy that identifies malicious IP addresses and block the request if a match is triggered:
add appfw policy pol1 CLIENT.IP.SRC.IPREP_IS_MALICIOUS APPFW_BLOCK
Example 2:
The following command creates a policy that uses the reputation service to check the client IP address in the X-Forwarded-For
header and reset the connection if a match is triggered.
> add appfw policy pol1 "HTTP.REQ.HEADER(\"X-Forwarded-For\").TYPECAST_IP_ADDRESS_AT.IPREP_IS_MALICIOUS" APPFW_RESET**
Example 3:
The following example shows how to add a list to add exceptions that allow specified IP addresses:
> add policy dataset Allow_list1 ipv4
> bind policy dataset Allow_list1 10.217.25.17 -index 1
> bind policy dataset Allow_list1 10.217.25.18 -index 2
Example 4:
The following example shows how to add the customized list to flag specified IP addresses as malicious:
> add policy dataset Block_list1 ipv4
> bind policy dataset Block_list1 10.217.31.48 -index 1
> bind policy dataset Block_list1 10.217.25.19 -index 2
Example 5:
The following example shows a policy expression to block the client IP in the following conditions:
- It matches an IP address configured in the customized Block_list1 (example 4)
- It matches an IP address listed in the Webroot database unless relaxed by inclusion in the Allow_list1 (example 3).
> add appfw policy "Ip_Rep_Policy" "((CLIENT.IP.SRC.IPREP_IS_MALICIOUS || CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Block_list1\")) && ! (CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Allow_list1\")))" APPFW_BLOCK
<!--NeedCopy-->
Using Proxy server:
If the Citrix ADC appliance does not have direct access to the internet and is connected to a proxy, configure the IP Reputation client to send requests to the proxy.
At the command prompt, type:
set reputation settings –proxyServer <proxy server ip> -proxyPort <proxy server port>
Example:
> set reputation settings proxyServer 10.102.30.112 proxyPort 3128
> set reputation settings –proxyServer testproxy.citrite.net –proxyPort 3128
> unset reputation settings –proxyserver –proxyport
> sh reputation settings
Note:
The Proxy Server IP can be an IP address or a fully qualified domain name (FQDN).
Configure IP reputation by using the Citrix ADC GUI
- Navigate to the System > Settings. In the Modes and Features section, click the link to access the Configure Advanced Features pane and enable the Reputation checkbox.
- Click OK.
To configure a proxy server by using the Citrix ADC GUI
- On the configuration tab, navigate to Security > Reputation. Under Settings, click Change Reputation Settings to configure a proxy server. You can also enable or disable the reputation feature. Proxy Server can be an IP address or a fully qualified domain name (FQDN). Proxy port accepts values between [1–65535].
Create an allow list and a block list of client IP addresses using the GUI
- On the Configuration tab, navigate to AppExpert > Data Sets.
- Click Add.
- In the Create Data Set (or Configure Data set) pane, provide a meaningful name for the list of the IP addresses. The name must reflect the purpose of the list.
- Select Type as IPv4.
-
Click Insert to add an entry.
- In the Configure Policy dataset binding pane, add an IPv4 format IP address in the Value input box.
- Provide an index.
- Add a comment that explains the purpose of the list. This step is optional, but is recommended because a descriptive comment is helpful in managing the list.
Similarly, you can create a block list and add the IP addresses that are to be considered malicious.
Also see, Pattern sets and data sets for more details regarding using data sets and configuring default syntax policy expressions.
Configure an application firewall policy by using the Citrix ADC GUI
- On the Configuration tab, navigate to Security > Application Firewall > Policies > Firewall. Click Add to add a policy using the PI expression to use IP reputation.
You can also use the Expression editor to build your own policy expression. The list shows preconfigured options that are useful for configuring an expression using the threat categories.
Highlights
- Quickly and accurately stop bad traffic at the network’s edge from known malicious IP addresses posing different types of threats. You can block the request without parsing the body.
- Dynamically configure IP reputation functionality for multiple applications.
- Secure your network against data breach without a performance penalty, and consolidate protections onto a single service fabric using fast and easy deployments.
- You can do IP Reputation checks on source and destination IPs.
- You can also inspect the headers to detect malicious IPs.
- IP reputation check is supported in both forward proxy and reverse proxy deployments.
- The IP Reputation process connects with Webroot and updates the database every 5 minutes.
- Each node in the High Availability (HA) or Cluster deployment gets the database from Webroot.
- The IP reputation data is shared across all partitions in admin-partition deployments.
- You can use an AppExpert data set to create lists of IP addresses to add exceptions for IPs blocklisted in the Webroot database. You can also create your own customized block list to designate specific IPs as malicious.
- The iprep.db file is created in the
/var/nslog/iprep
folder. Once created, it is not deleted even if the feature is disabled. - When the reputation feature is enabled, the Citrix ADC Webroot database is downloaded. After that, it is updated every 5 minutes.
- The Webroot database version is 1.
- The minor version gets updated every day. The update version is incremented after every 5 minutes and is reset back to 1 when the minor version is incremented.
- PI expressions enable you to use IP reputation with other features, such as responder and rewrite.
- The IP addresses in the database are in decimal notation.
Debugging tips
- If you cannot see the reputation feature in the GUI, verify that you have the right license.
- Monitor the messages in
var/log/iprep.log
for debugging. -
Webroot connectivity: If you see the
ns iprep: Not able to connect/resolve WebRoot
message, make sure that the appliance has internet access and DNS is configured. -
Proxy server: If you see the
ns iprep: iprep_curl_download: 88 curl_easy_perform failed. Error code: 5 Err msg:couldnt resolve proxy name
message, make sure that the proxy server configuration is accurate. - IP Reputation feature not working: The IP Reputation process takes about five minutes to start after you enable the reputation feature. The IP reputation feature might not work for that duration.
- Database download: If the IP DB data download is failing after enabling the IP Reputation feature, the following error is seen in the logs.
iprep: iprep_curl_download:86 curl_easy_perform failed. Error code:7 Err msg:Couldn't connect to server
Solution: Allow the out-bound traffic to the following URLs or configure a proxy to resolve the issue.
localdb-ip-daily.brightcloud.com:443
localdb-ip-rtu.brightcloud.com:443
api.bcti.brightcloud.com:443
localdb-ipv6-daily.brightcloud.com:443
ipce-daily.brightcloud.com:443
ipce-rtu.brightcloud.com:443
<!--NeedCopy-->
Share
Share
This Preview product documentation is Cloud Software Group Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Cloud Software Group Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Cloud Software Group product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.