Manage global lists to bypass WAF or deny requests

An application can receive requests from trusted and untrusted sources. You might want to bypass the NetScaler Web App Firewall for the requests from a trusted source. And, when the requests come from certain untrusted sources, you want to strictly block those requests.

In a NetScaler Web App Firewall profile, you can configure global lists to bypass Web App Firewall or deny requests. If the incoming requests match the global bypass list, they skip the Web App Firewall in NetScaler. If the incoming requests match the global deny list, NetScaler Web App Firewall blocks those requests and applies the defined action.

The bypass and deny lists support URL, IPv4, and IPv6 addresses. You can specify them using literals, PCRE, and expressions.

Configure the global bypass and deny list using the CLI

Before you begin, create a Web App Firewall profile and enable bypass and deny lists in the profile settings.

  1. Create a Web App Firewall profile.

    add appfw profile <profile-name>

    Example

    add appfw profile example-profile

    Note

    By default, the bypass list and the deny list are disabled. To view the profile settings, run the following command:

    sh appfw profile <profile-name>

  2. Run the following command to enable the bypass list and the deny list.

    set appfw profile <profile-name> -bypasslist on -denylist on

Bind the Web App Firewall profile with a global bypass list

Run the following command to bind the rules to a global bypass list:

bind appfw profile <profile-name> -bypasslist <String|PCRE|Expression|IP-address> -valuetype <literal|PCRE|expression> -ruleaction log -location <url|ipv4|ipv6|headervalue|headername>

  • Example-1:

     bind appfw profile example-profile -bypasslist http://www.example.com -valuetype literal -ruleaction log -location url

    This example uses a literal value. When the incoming request URL contains http://www.example.com, the request bypasses the WAF checks and logs an event in the NetScaler appliance.

  • Example-2:

     bind appfw profile example-profile -bypasslist http://www.example[n] -valuetype PCRE -ruleaction log -location url

    This example uses a PCRE value. When the incoming request URL contains http://www.example followed by the letter n, the request bypasses the WAF checks and logs an event in the NetScaler appliance.

  • Example-3:

     bind appfw profile example-profile -bypasslist http.req.url.contains("example") -valuetype expression -ruleaction log

    This example uses an expression. When the incoming request URL contains example anywhere in the URL, the request bypasses the WAF checks and logs an event in the NetScaler appliance.

    Important

    Do not enter the location value when you specify the expression value type.

  • Example-4:

     bind appfw profile example-profile -bypasslist 10.10.10.10 -valuetype literal -ruleaction log -location ipv4


    This example uses an IPv4 address. When the incoming request contains the IP address 10.10.10.10, the request bypasses the WAF checks and logs an event in the NetScaler appliance.

    Similarly, you can specify the IPv6 address. To do so, set the location value to ipv6 in this command.

  • Example-5:

     bind appfw profile example-profile -bypasslist cookie -valuetype literal -ruleaction log -location headervalue

    This example uses a header value. When the incoming request contains a header whose value is cookie, the request bypasses the Web App Firewall checks and logs an event in NetScaler.

  • Example-6:

     bind appfw profile example-profile -bypasslist token -valuetype literal -ruleaction log -location headername

    This example uses a header name. When the incoming request contains a header named token, the request bypasses the Web App Firewall checks and logs an event in NetScaler.

Bind the Web App Firewall profile with a global deny list

Run the following command to bind the rules to a global deny list:

bind appfw profile <profile-name> -denylist <String|PCRE|Expression|IP-address> -valuetype <literal|PCRE|expression> -ruleaction <log|none|REDIRECT|RESET> -location <url|ipv4|ipv6|headervalue|headername>

  • Example-1:

     bind appfw profile example-profile -denylist http://www.example.com -valuetype literal -ruleaction log -location url

    This example uses a literal value. When the incoming request URL contains http://www.example.com, the NetScaler Web App Firewall blocks the request and logs an event in the NetScaler appliance.

  • Example-2:

     bind appfw profile example-profile -denylist http://www.example[n] -valuetype PCRE -ruleaction none -location url

    This example uses a PCRE value. When the incoming request URL contains http://www.example followed by the letter n, the NetScaler Web App Firewall blocks the request.

    Note

    When you set -ruleaction to none, NetScaler Web App Firewall performs the default action. The default action for the bypass and deny lists is allow.

    For more information on rule action, see Overview of security checks.

  • Example-3:

     bind appfw profile example-profile -denylist http.req.url.contains("example") -valuetype expression -ruleaction REDIRECT

    This example uses an expression. When the incoming request URL contains example anywhere in the URL, the NetScaler Web App Firewall blocks and redirects the request.

  • Example-4:

     bind appfw profile example-profile -denylist 10.10.10.10 -valuetype literal -ruleaction RESET -location ipv4


    This example uses an IPv4 address. When the incoming request contains the IP address 10.10.10.10, the NetScaler Web App Firewall blocks the request and resets the connection.

    Similarly, you can specify the IPv6 address. To do so, set the location value to ipv6 in this command.

  • Example-5:

     bind appfw profile example-profile -denylist cookie -valuetype literal -ruleaction log -location headervalue

    This example uses a header value. When the incoming request contains a header whose value is cookie, NetScaler Web App Firewall blocks the request.

  • Example-6:

     bind appfw profile example-profile -denylist token -valuetype literal -ruleaction log -location headername

    This example uses a header name. When the incoming request contains a header named token, NetScaler Web App Firewall blocks the request.
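
The bypass and deny bindings above follow the same parameter constraints (value type, rule action, and the rule that -location must be omitted for expression values). The following added Python helper is not part of the NetScaler product or this documentation; it is an example that validates a batch of list rules against those constraints and renders the corresponding CLI commands, so malformed bindings are caught before they reach the appliance. Rule names and the GlobalListRule class are assumptions introduced here.

```python
import ipaddress
import re
from dataclasses import dataclass

# Parameter constraints taken from the bind syntax and examples above.
VALUE_TYPES = {"literal", "PCRE", "expression"}
LOCATIONS = {"url", "ipv4", "ipv6", "headervalue", "headername"}
RULE_ACTIONS = {"bypasslist": {"log"}, "denylist": {"log", "none", "REDIRECT", "RESET"}}

@dataclass(frozen=True)
class GlobalListRule:          # hypothetical helper type, not a NetScaler object
    kind: str                  # "bypasslist" or "denylist"
    value: str                 # literal, PCRE pattern, expression or IP address
    valuetype: str             # literal | PCRE | expression
    ruleaction: str
    location: str = ""         # empty means omitted (required for expression values)

def validate(rule: GlobalListRule) -> None:
    """Reject bindings the CLI would refuse or that contradict the notes above."""
    if rule.kind not in RULE_ACTIONS:
        raise ValueError(f"unknown list kind {rule.kind!r}")
    if rule.valuetype not in VALUE_TYPES:
        raise ValueError(f"unknown valuetype {rule.valuetype!r}")
    if rule.ruleaction not in RULE_ACTIONS[rule.kind]:
        raise ValueError(f"{rule.ruleaction!r} is not a valid -ruleaction for -{rule.kind}")
    if rule.valuetype == "expression":
        if rule.location:
            raise ValueError("do not set -location when -valuetype is expression")
        return
    if rule.location not in LOCATIONS:
        raise ValueError(f"-location must be one of {sorted(LOCATIONS)}")
    if rule.valuetype == "PCRE":
        re.compile(rule.value)  # Python's re only approximates PCRE syntax
    if rule.location == "ipv4":
        ipaddress.IPv4Address(rule.value)  # ValueError on a malformed address
    if rule.location == "ipv6":
        ipaddress.IPv6Address(rule.value)

def to_cli(profile: str, rule: GlobalListRule) -> str:
    # Render one validated rule as a bind command; the value is emitted as-is.
    validate(rule)
    parts = ["bind appfw profile", profile, f"-{rule.kind}", rule.value,
             "-valuetype", rule.valuetype, "-ruleaction", rule.ruleaction]
    if rule.location:
        parts += ["-location", rule.location]
    return " ".join(parts)

def render_batch(profile: str, rules) -> str:
    # Create the profile, enable both lists, then bind every rule in order.
    lines = [f"add appfw profile {profile}",
             f"set appfw profile {profile} -bypasslist on -denylist on"]
    return "\n".join(lines + [to_cli(profile, r) for r in rules])
```

The output of render_batch can be reviewed and then applied with the NetScaler CLI; a deny rule with -ruleaction none is accepted by the validator because the page documents it, but remember that it results in the default action (allow).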

Configure the global bypass and deny list using the GUI

Before you begin, create a Web App Firewall profile and enable bypass and deny lists in the profile settings.

  1. Navigate to Security > NetScaler Web App Firewall > Profiles.
  2. Select the profile for which you want to add the global bypass and deny lists.
  3. In the NetScaler Web App Firewall Profile page, click Profile Settings under Advanced Settings.
  4. In Common Settings, select the following options:

    • Enable Bypass List
    • Enable Deny List

    (Screenshot: Enable bypass and deny lists)

  5. Click OK and Done.

Add a global bypass list

Complete the following steps to add a global bypass list:

  1. Navigate to Security > NetScaler Web App Firewall > Profiles.
  2. Select the profile for which you want to add a global bypass list.
  3. In the NetScaler Web App Firewall Profile page, click Global Bypass/Deny list under Advanced Settings.
  4. In Global Bypass List, click Add.
  5. Specify the following in the Create AppFirewall Bypass List Binding page:

    • Bypass List Value Type: It supports literals, PCREs, and expressions.
    • Bypass List Value: Specify a value depending on the value type.
    • Bypass List Action: After the request bypasses the WAF checks, the defined action applies to the request. If the action is set to Log, it logs an event in the NetScaler appliance.
    • Bypass List Location: Set the location value. If you specify IPv4, the profile looks for the IPv4 address in the incoming request.
  6. Click Create.

Add a global deny list

Complete the following steps to add a global deny list:

  1. Navigate to Security > NetScaler Web App Firewall > Profiles.
  2. Select the profile for which you want to add a global deny list.
  3. In the NetScaler Web App Firewall Profile page, click Global Bypass/Deny list under Advanced Settings.
  4. In Global Deny List, click Add.
  5. Specify the following in the Create AppFirewall Deny List Binding page:

    • Deny List Value Type: It supports literals, PCREs, and expressions.
    • Deny List Value: Specify a value depending on the value type.
    • Deny List Action: After the NetScaler Web App Firewall blocks the request, the defined action applies to the request. If the action is set to Reset, the Web App Firewall resets the connection.
    • Log: It logs an event in the NetScaler appliance whenever the NetScaler Web App Firewall blocks the request.
    • Deny List Location: Set the location value. If you specify IPv4, the profile looks for the IPv4 address in the incoming request.
  6. Click Create.