Binding Web App Firewall policies
After you have configured your Web App Firewall policies, you bind them to Global or to a bind point to put them into effect. After binding, any request or response that matches a Web App Firewall policy is transformed by the profile associated with that policy.
When you bind a policy, you assign a priority to it. The priority determines the order in which the policies you define are evaluated. You can set the priority to any positive integer. In the NetScaler OS, policy priorities work in reverse order - the higher the number, the lower the priority.
Because the Web App Firewall feature implements only the first policy that a request matches, not any additional policies that it might also match, policy priority is important for achieving the results that you intend. If you give your first policy a low priority (such as 1000), you configure the Web App Firewall to perform it only if other policies with a higher priority do not match a request. If you give your first policy a high priority (such as 1), you configure the Web App Firewall to perform it first, and skip any other policies that might also match. You can leave yourself plenty of room to add other policies in any order, without having to reassign priorities, by setting priorities with intervals of 50 or 100 between each policy when you bind your policies.
For more information about binding policies on the NetScaler appliance, see “Policies and Expressions.”
To bind a Web App Firewall policy by using the command line interface
At the command prompt, type the following commands:
bind appfw global <policyName> <priority>
bind appfw profile <profile_name> -crossSiteScripting data
Example
The following example binds the policy named pl-blog and assigns it a priority of 10.
bind appfw global pl-blog 10
save ns config
Configure log expressions
Log expressions can be bound to a Web App Firewall profile so that HTTP header information is logged when a violation occurs.
The log expression is bound to the Web App Firewall profile. When a violation occurs, the expression is evaluated and its result is sent to the logging framework.
The violation log record therefore includes the HTTP header information. You can specify a custom log expression, which helps in analysing and diagnosing the violations generated for the current flow (request/response).
Example configuration
bind appfw profile <profile> -logexpression <string> <expression>
add policy expression headers "\" HEADERS(100):\"+HTTP.REQ.FULL_HEADER"
add policy expression body_100 "\"BODY:\"+HTTP.REQ.BODY(100)"
bind appfw profile test -logExpression log_body body_100
bind appfw profile test -logExpression log_headers headers
bind appfw profile test -logExpression "\"URL:\"+HTTP.REQ.URL+\" IP:\"+CLIENT.IP.SRC"
Example logs
Dec 8 16:55:33 <local0.info> 10.87.222.145 CEF:0|Citrix|NetScaler|NS12.1|APPFW|APPFW_LOGEXPRESSION|6|src=10.217.222.128 spt=26409 method=POST request=http://10.217.222.44/test/credit.html msg= HEADERS(100):POST /test/credit.html HTTP/1.1^M User-Agent: curl/7.24.0 (amd64-portbld-freebsd8.4) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.3^M Host: 10.217.222.44^M Accept: /^M Content-Length: 33^M Content-Type: application/x-www-form-urlencoded^M ^M cn1=58 cn2=174 cs1=test cs2=PPE1 cs4=ALERT cs5=2017 act=not blocked
Dec 8 16:55:33 <local0.info> 10.87.222.145 CEF:0|Citrix|NetScaler|NS12.1|APPFW|APPFW_LOGEXPRESSION|6|src=10.217.222.128 spt=26409 method=POST request=http://10.217.222.44/test/credit.html msg=BODY:ata\=asdadasdasdasdddddddddddddddd cn1=59 cn2=174 cs1=test cs2=PPE1 cs4=ALERT cs5=2017 act=not blocked
Dec 8 16:55:33 <local0.info> 10.87.222.145 CEF:0|Citrix|NetScaler|NS12.1|APPFW|APPFW_LOGEXPRESSION|6|src=10.217.222.128 spt=26409 method=POST request=http://10.217.222.44/test/credit.html msg=URL:/test/credit.html IP:10.217.222.128 cn1=60 cn2=174 cs1=test cs2=PPE1 cs4=ALERT cs5=2017 act=not blocked
Other violation logs
Dec 8 16:55:33 <local0.info> 10.87.222.145 CEF:0|Citrix|NetScaler|NS12.1|APPFW|APPFW_STARTURL|6|src=10.217.222.128 spt=26409 method=POST request=http://10.217.222.44/test/credit.html msg=Disallow Illegal URL. cn1=61 cn2=174 cs1=test cs2=PPE1 cs4=ALERT cs5=2017 act=not blocked
Dec 8 16:55:33 <local0.info> 10.87.222.145 CEF:0|Citrix|NetScaler|NS12.1|APPFW|APPFW_SAFECOMMERCE|6|src=10.217.222.128 spt=26409 method=POST request=http://10.217.222.44/test/credit.html msg=Maximum number of potential credit card numbers seen cn1=62 cn2=174 cs1=test cs2=PPE1 cs4=ALERT cs5=2017 act=not blocked
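As an added example that is not part of the NetScaler documentation, the following Python parses CEF audit records of the shape shown above (syslog prefix, pipe-separated CEF header, key=value extension with `\=` escaping) and counts the violations a profile logged but did not block. The sample records are constructed to mirror the page's lines; `parse_cef` and `unblocked_violations` are my own helpers, not NetScaler tooling.

```python
import re
from collections import Counter

# Constructed sample records, modelled on the page's APPFW_LOGEXPRESSION and
# APPFW_STARTURL lines: syslog prefix, CEF header, then key=value extension.
SAMPLE_LOGS = [
    "Dec 8 16:55:33 <local0.info> 10.87.222.145 CEF:0|Citrix|NetScaler|NS12.1|APPFW|"
    "APPFW_LOGEXPRESSION|6|src=10.217.222.128 spt=26409 method=POST "
    "request=http://10.217.222.44/test/credit.html msg= HEADERS(100):POST "
    "/test/credit.html HTTP/1.1^M User-Agent: curl/7.24.0^M Host: 10.217.222.44^M "
    "^M cn1=58 cn2=174 cs1=test cs2=PPE1 cs4=ALERT cs5=2017 act=not blocked",
    "Dec 8 16:55:33 <local0.info> 10.87.222.145 CEF:0|Citrix|NetScaler|NS12.1|APPFW|"
    "APPFW_LOGEXPRESSION|6|src=10.217.222.128 spt=26409 method=POST "
    "request=http://10.217.222.44/test/credit.html msg=BODY:ata\\=asdad "
    "cn1=59 cn2=174 cs1=test cs2=PPE1 cs4=ALERT cs5=2017 act=not blocked",
    "Dec 8 16:55:33 <local0.info> 10.87.222.145 CEF:0|Citrix|NetScaler|NS12.1|APPFW|"
    "APPFW_STARTURL|6|src=10.217.222.128 spt=26409 method=POST "
    "request=http://10.217.222.44/test/credit.html msg=Disallow Illegal URL. "
    "cn1=61 cn2=174 cs1=test cs2=PPE1 cs4=ALERT cs5=2017 act=blocked",
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")


def parse_cef(line):
    """Return (header, extension) dicts for one CEF audit line."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    # Header fields are pipe-separated; a literal pipe inside one is escaped as '\|'.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    # Extension values may contain spaces (msg=...). A new key begins only where
    # whitespace is followed by an unescaped 'key='; '\=' inside a value is a literal '='.
    ext = {k: v.replace("\\=", "=").strip()
           for k, v in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", parts[7], re.S)}
    return header, ext


def unblocked_violations(lines):
    """Count violations per (signature name, client IP) whose action was
    'not blocked', i.e. the profile only logged and the request reached the server."""
    hits = Counter()
    for line in lines:
        header, ext = parse_cef(line)
        if ext.get("act") == "not blocked":
            hits[(header["name"], ext.get("src"))] += 1
    return hits
```

Run over a real audit log export, the counter tells you which signatures are still in log-only mode per client before you switch the profile to blocking.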
Note
Only audit log support is available. Support for logstream and visibility in Security Insight will be added in a future release.
If audit logs are generated, only 1024 bytes of data can be written per log message.
If log streaming is used, the limits depend on the maximum supported logstream/IPFIX message size. The maximum size supported by logstream is larger than 1024 bytes.
To bind a Web App Firewall policy by using the GUI
1. Do one of the following:
   - Navigate to Security > Web App Firewall, and in the details pane, click Web App Firewall policy manager.
   - Navigate to Security > Web App Firewall > Policies > Firewall Policies, and in the details pane, click Policy Manager.
2. In the Web App Firewall Policy Manager dialog, choose the bind point to which you want to bind the policy from the drop-down list. The choices are:
   - Override Global. Policies that are bound to this bind point process traffic from all interfaces on the NetScaler appliance, and are applied before any other policies.
   - VPN Virtual Server. Policies that are bound to a VPN virtual server are applied to the traffic that the VPN virtual server processes, or to a specific web app named in the policy expression. After selecting VPN Virtual Server, you must also select the specific VPN virtual server to which you want to bind this policy. By binding a security policy to the VPN virtual server, you can protect all the applications behind it.
   - LB Virtual Server. Policies that are bound to a load balancing virtual server are applied only to traffic that is processed by that load balancing virtual server, and are applied before any Default Global policies. After selecting LB Virtual Server, you must also select the specific load balancing virtual server to which you want to bind this policy.
   - CS Virtual Server. Policies that are bound to a content switching virtual server are applied only to traffic that is processed by that content switching virtual server, and are applied before any Default Global policies. After selecting CS Virtual Server, you must also select the specific content switching virtual server to which you want to bind this policy.
   - Default Global. Policies that are bound to this bind point process all traffic from all interfaces on the NetScaler appliance.
   - Policy Label. Policies that are bound to a policy label process traffic that the policy label routes to them. The policy label controls the order in which policies are applied to this traffic.
   - None. Do not bind the policy to any bind point.
3. Click Continue. A list of existing Web App Firewall policies appears.
4. Select the policy you want to bind by clicking it.
5. Make any additional adjustments to the binding.
   - To modify the policy priority, click the field to enable it, and then type a new priority. You can also select Regenerate Priorities to renumber the priorities evenly.
   - To modify the policy expression, double-click that field to open the Configure Web App Firewall Policy dialog box, where you can edit the policy expression.
   - To set the Goto Expression, double-click the field in the Goto Expression column to display the drop-down list, where you can choose an expression.
   - To set the Invoke option, double-click the field in the Invoke column to display the drop-down list, where you can choose an expression.
6. Repeat steps 3 through 6 to add any additional Web App Firewall policies you want to globally bind.
7. Click OK. A message appears in the status bar, stating that the policy has been successfully bound.