ADC

Manage global lists to bypass WAF or deny requests

An application can receive requests from trusted and untrusted sources. You might want to bypass the NetScaler Web App Firewall for the requests from a trusted source. And, when the requests come from certain untrusted sources, you want to strictly block those requests.

In a NetScaler Web App Firewall profile, you can configure global lists to bypass Web App Firewall or deny requests. If the incoming requests match the global bypass list, they skip the Web App Firewall in NetScaler. If the incoming requests match the global deny list, NetScaler Web App Firewall blocks those requests and applies the defined action.

The bypass and deny lists support URL, IPv4, and IPv6 addresses. You can specify them using literals, PCRE, and expressions.

Configure the global bypass and deny list using the CLI

Before you begin, create a Web App Firewall profile and enable bypass and deny lists in the profile settings.

  1. Create a Web App Firewall profile.

    add appfw profile <profile-name>
    <!--NeedCopy-->
    

    Example

    add appfw profile example-profile
    <!--NeedCopy-->
    

    Note

    By default, bypass list and deny list are disabled. To view profile settings, run the following command:

    sh appfw profile <profile-name>

  2. Run the following command to enable bypass list and deny list.

    set appfw profile <profile-name> -bypasslist on -denylist on
    <!--NeedCopy-->
    

Bind the Web App Firewall profile with a global bypass list

Run the following command to bind the rules to a global bypass list:

bind appfw profile <profile-name> -bypasslist <String|PCRE|Expression|IP-address> -valuetype <literal|PCRE|expression> -ruleaction log -location <url|ipv4|ipv6>
<!--NeedCopy-->
  • Example-1:

     bind appfw profile example-profile -bypasslist http://www.example.com -valuetype literal -ruleaction log -location url
     <!--NeedCopy-->
    

    This example uses a literal value. When the incoming request URL contains http://www.example.com, the request bypasses the WAF checks and logs an event in the NetScaler appliance.

  • Example-2:

     bind appfw profile example-profile -bypasslist http://www.example[n] -valuetype PCRE -ruleaction log -location url
     <!--NeedCopy-->
    

    This example uses a PCRE value. When the incoming request URL contains http://www.example and followed by the letter n, the request bypasses the WAF checks and logs an event in the NetScaler appliance.

  • Example-3:

     bind appfw profile example-profile -bypasslist http.req.url.contains("example") -valuetype expression -ruleaction log
     <!--NeedCopy-->
    

    This example uses an expression. When the incoming request URL contains example anywhere in the URL, the request bypasses the WAF checks and logs an event in the NetScaler appliance.

    Important

    Do not enter the location value when you specify the expression value type.

  • Example-4:

     bind appfw profile example-profile -bypasslist 10.10.10.10 -valuetype expression -ruleaction log -location ipv4
     <!--NeedCopy-->
    

    This example uses an IPv4 address. When the incoming request URL contains an IP address 10.10.10.10, the request bypasses the WAF checks and logs an event in the NetScaler appliance.

    Similarly, you can specify the IPv6 address. To do so, set the location value to ipv6 in this command.

  • Example-5:

     bind appfw profile example-profile -bypasslist cookie -valuetype literal -ruleaction log -location headervalue
     <!--NeedCopy-->
    

    This example uses a header value. When the incoming request contains an header value as cookie, the request bypasses the Web App Firewall checks and logs an event in NetScaler.

  • Example-6:

     bind appfw profile example-profile -bypasslist token -valuetype literal -ruleaction log -location headername
     <!--NeedCopy-->
    

    This example uses a header name. When the incoming request URL contains an header name as token, the request bypasses the Web App Firewall checks and logs an event in NetScaler.

Bind the Web App Firewall profile with a global deny list

Run the following command to bind the rules to a global deny list:

bind appfw profile <profile-name> -bypasslist <String|PCRE|Expression|IP-address> -valuetype <literal|PCRE|expression> -ruleaction <log|none|REDIRECT|RESET> -location <url|ipv4|ipv6>
<!--NeedCopy-->
  • Example-1:

     bind appfw profile example-profile -denylist http://www.example.com -valuetype literal -ruleaction log -location url
     <!--NeedCopy-->
    

    This example uses a literal value. When the incoming request URL contains http://www.example.com, the NetScaler Web App Firewall blocks the request and logs an event in the NetScaler appliance.

  • Example-2:

     bind appfw profile example-profile -denylist http://www.example[n] -valuetype PCRE -ruleaction none -location url
     <!--NeedCopy-->
    

    This example uses a PCRE value. When the incoming request URL contains http://www.example and followed by the letter n, the NetScaler Web App Firewall blocks the request.

    Important

    When you specify the -ruleaction as none, the NetScaler Web App Firewall performs the default action.

  • Example-3:

     bind appfw profile example-profile -denylist http.req.url.contains("example") -valuetype expression -ruleaction REDIRECT
     <!--NeedCopy-->
    

    This example uses an expression. When the incoming request URL contains example anywhere in the URL, the NetScaler Web App Firewall blocks and redirects the request.

  • Example-4:

     bind appfw profile example-profile -denylist 10.10.10.10 -valuetype expression -ruleaction RESET -location ipv4
     <!--NeedCopy-->
    

    This example uses an IPv4 address. When the incoming request URL contains an IP address 10.10.10.10, the NetScaler Web App Firewall blocks the request and resets the connection.

    Similarly, you can specify the IPv6 address. To do so, set the location value to ipv6 in this command.

  • Example-5:

     bind appfw profile example-profile -denylist cookie -valuetype literal -ruleaction log -location headervalue
     <!--NeedCopy-->
    

    This example uses a header value. When the incoming request contains an header value as cookie, NetScaler Web App Firewall blocks request.

  • Example-6:

     bind appfw profile example-profile -denylist token -valuetype literal -ruleaction log -location headername
     <!--NeedCopy-->
    

    This example uses a header name. When the incoming request contains an header name as token, NetScaler Web App Firewall blocks request.

Configure the global bypass and deny list using the GUI

Before you begin, create a Web App Firewall profile and enable bypass and deny lists in the profile settings.

  1. Navigate to Security > NetScaler Web App Firewall > Profiles.
  2. Select the profile for which you want to add the global bypass and deny lists.
  3. In the NetScaler Web App Firewall Profile page, click Profile Settings under Advanced Settings.
  4. In Common Settings, select the following options:

    • Enable Bypass List
    • Enable Deny List

    Enable bypass and deny lists

  5. Click OK and Done.

Add a global bypass list

Complete the following steps to add a global bypass list:

  1. Navigate to Security > NetScaler Web App Firewall > Profiles.
  2. Select the profile for which you want to add a global bypass list.
  3. In the NetScaler Web App Firewall Profile page, click Global Bypass/Deny list under Advanced Settings.
  4. In Global Bypass List, click Add.
  5. Specify the following in the Create AppFirewall Bypass List Binding page:

    • Bypass List Value Type: It supports literals, PCREs, and expressions.
    • Bypass List Value: Specify a value depending on the value type.
    • Bypass List Action: After the request bypasses the WAF checks, the defined action applies for the request. If the action is set to Log, it logs an event in the NetScaler appliance.
    • Bypass List Location: Set the location value. If you specify IPv4, the profile looks for the IPv4 address in the incoming request.
  6. Click Create.

Add a global deny list

Complete the following steps to add a global deny list:

  1. Navigate to Security > NetScaler Web App Firewall > Profiles.
  2. Select the profile for which you want to add a global deny list.
  3. In the NetScaler Web App Firewall Profile page, click Global Bypass/Deny list under Advanced Settings.
  4. In Global Deny List, click Add.
  5. Specify the following in the Create AppFirewall Deny List Binding page:

    • Deny List Value Type: It supports literals, PCREs, and expressions.
    • Deny List Value: Specify a value depending on the value type.
    • Deny List Action: After the NetScaler Web App Firewall blocks the request, the defined action applies for the request. If the action is set to Reset, the Web App Firewall resets the connection.
    • Log: It logs an event in the NetScaler appliance whenever the NetScaler Web App Firewall blocks the request.
    • Deny List Location: Set the location value. If you specify IPv4, the profile looks for the IPv4 address in the incoming request.
  6. Click Create.
Manage global lists to bypass WAF or deny requests