Manual configuration By using the command line interface
Note:
If you need to manually configure the Web App Firewall feature, Citrix recommends you to use the NetScaler GUI procedure.
You can configure the Web App Firewall features from the NetScaler command interface. However, there are important exceptions. You cannot enable signatures from the command interface. There are around 1,000 default signatures in seven categories and the task is too complex for the command interface. You can enable or disable features and configure parameters from the command line, but cannot configure manual relaxations. While you can configure the adaptive learning feature and enable learning from the command line, you cannot review learned relaxations or learned rules and approve or skip them. The command line interface is intended for advanced users who are familiar in using the NetScaler appliance and Web App Firewall.
To manually configure the Web App Firewall by using the NetScaler command line, use a telnet or secure shell client of your choice to log on to the NetScaler command line.
To create a profile by using the command line interface
At the command prompt, type the following commands:
add appfw profile <name> [-defaults ( basic | advanced )]
set appfw profile <name> -type ( HTML | XML | HTML XML )
save ns config
Example
The following example adds a profile named pr-basic, with basic defaults, and assigns a profile type of HTML. This is the appropriate initial configuration for a profile to protect an HTML website.
add appfw profile pr-basic -defaults basic
set appfw profile pr-basic -type HTML
save ns config
<!--NeedCopy-->
To configure a profile by using the command line interface
At the command prompt, type the following commands:
-
set appfw profile <name> <arg1> [<arg2> ...]
where<arg1>
represents a parameter and<arg2>
represents either another parameter or the value to assign to the parameter represented by<arg1>
. For descriptions of the parameters to use when configuring specific security checks, see Advanced Protections and its subtopics. For descriptions of the other parameters, see “Parameters for Creating a Profile.” save ns config
Example
The following example shows how to configure an HTML profile created with basic defaults to begin protecting a simple HTML-based website. This example turns on logging and maintenance of statistics for most security checks, but enables blocking only for those checks that have low false positive rates and require no special configuration. It also turns on transformation of unsafe HTML and unsafe SQL, which prevents attacks but does not block requests to your websites. With logging and statistics enabled, you can later review the logs to determine whether to enable blocking for a specific security check.
set appfw profile -startURLAction log stats
set appfw profile -denyURLAction block log stats
set appfw profile -cookieConsistencyAction log stats
set appfw profile -crossSiteScriptingAction log stats
set appfw profile -crossSiteScriptingTransformUnsafeHTML ON
set appfw profile -fieldConsistencyAction log stats
set appfw profile -SQLInjectionAction log stats
set appfw profile -SQLInjectionTransformSpecialChars ON
set appfw profile -SQLInjectionOnlyCheckFieldsWithSQLChars ON
set appfw profile -SQLInjectionParseComments checkall
set appfw profile -fieldFormatAction log stats
set appfw profile -bufferOverflowAction block log stats
set appfw profile -CSRFtagAction log stats
save ns config
<!--NeedCopy-->
To create and configure a policy
At the command prompt, type the following commands:
add appfw policy <name> <rule> <profile>
save ns config
Example
The following example adds a policy named pl-blog, with a rule that intercepts all traffic to or from the host blog.example.com, and associates that policy with the profile pr-blog.
add appfw policy pl-blog "HTTP.REQ.HOSTNAME.DOMAIN.EQ("blog.example.com")" pr-blog
<!--NeedCopy-->
To bind a Web App Firewall policy
At the command prompt, type the following commands:
bind appfw global <policyName> <priority>
save ns config
Example
The following example binds the policy named pl-blog and assigns it a priority of 10.
bind appfw global pl-blog 10
save ns config
<!--NeedCopy-->
To configure session limit per PE
At the command prompt, type the following commands:
set appfw settings <session limit>
Example
The following example configures the session limit per PE.
> set appfw settings -sessionLimit 500000`
Done
Default value:100000 Max value:500000 per PE
<!--NeedCopy-->