NetScaler App Delivery and Security service

Add security protection

NetScaler App Delivery and Security service provides intent-based security protection for your web applications and APIs against OWASP Top-10 attacks and exploits. With NetScaler App Delivery and Security security protection, you define your desired business intent without having to understand the complexities of the OWASP Top-10, the network, the policies, and the other application security configuration that the traffic passes through. In addition to the web application firewall and bot management, the service also provides security insights that give real-time monitoring of traffic violations and vulnerabilities.

NetScaler App Delivery and Security service supports both the 2017 and the 2021 versions of the OWASP Top 10 security checks. You can enable one or both of the checks. OWASP Top 10 2017 is a subset of OWASP Top 10 2021, so if you enable OWASP Top 10 2021, the security checks belonging to 2017 are enabled by default. If you do not select any version, the default security checks are enabled.

The following table lists the security checks available under 2017 and 2021 versions.

OWASP Top 10 - 2017               | OWASP Top 10 - 2021
----------------------------------|----------------------------------
Allow and block list              | Allow and block list
Geo blocking                      | Geo blocking
IP reputation                     | IP reputation
SQL injection                     | SQL injection
Buffer overflow                   | Buffer overflow
Cookie consistency                | Cookie consistency
Cross-site scripting              | Cross-site scripting
Command injection                 | Command injection
Cross-Site Request Forgery (CSRF) | Cross-Site Request Forgery (CSRF)
Field format                      | Field format
Field consistency                 | Field consistency
Signatures                        | Signatures
Data leak prevention              | Data leak prevention
-                                 | Rate limit
-                                 | HTTP Security Headers
-                                 | Bot signatures
-                                 | Bot trap
-                                 | Device fingerprint

Enabling the 2017 or 2021 version automatically enables the security checks in the version. Use the Security Protections tab to add any exceptions, or to change the configuration.

Benefits

  1. Automatically maps your business intent to security policies.
  2. Translates high-level security requests into the relevant configuration changes.
  3. Simplifies deployment and management of application security.
  4. Provides insights and visibility into security events and automates remediation actions.
  5. Provides continuous protection through automatic updates of the WAF and bot signatures and the IP reputation feed.

Prerequisites

Complete the following prerequisites before you add security protection to your application. By default, security protection is disabled.

  1. Sign up for Citrix Cloud.
  2. Request the NetScaler App Delivery and Security service – NetScaler managed entitlement.
  3. Set up the application environment.

For more information, see the Get started with NetScaler App Delivery and Security service topic.

How NetScaler App Delivery and Security service – NetScaler managed security protection works

The NetScaler App Delivery and Security service – NetScaler managed security protection has a collection of security checks that protect your application from malicious attacks, software vulnerabilities, SQL database vulnerabilities, errors in the code design, and failures to secure websites that host or can access sensitive information. You can enable and configure security checks to protect your application from various security attacks.

Security check

A security check inspects requests for malicious or unknown attacks on your web applications. Security checks use heuristics, positive security, and other detection techniques to identify attacks. You configure a security check by first enabling it and then configuring it to block requests, log request details, add exceptions, or define rules to examine traffic.

The NetScaler App Delivery and Security security checks are classified into the following categories:

  • Basic security check. Web security protection applicable to any content type.
  • HTML security check. Web security protection applicable only to HTML-based websites and to HTML portions of Web 2.0 sites that contain both HTML and XML content.
  • JSON security check. Web security protection applicable only to JSON-based websites and to JSON content type in Web 2.0 sites.

Signatures

Signatures are configurable rules that simplify the task of protecting your websites from attacks. A signature represents a pattern that is a component of a known attack on an operating system, web server, website, or other resource.

The NetScaler App Delivery and Security Security Protection has a built-in default signature object consisting of more than 1,300 signature rules. The NetScaler App Delivery and Security Security Protection and Bot signatures can be customized by adding new rules. A signature rule can have multiple patterns, and it flags a violation only when all of the patterns match, which reduces false positives.

Actions

All security checks have a set of configurable actions which control how NetScaler App Delivery and Security Security Protection can handle a request or response.

Block action

The block action prevents requests that target vulnerabilities from reaching your application. By default, security checks have the block action disabled. You must enable it if you want to block a request that contains a malicious attack. If the block action is not enabled, the NetScaler App Delivery and Security service only logs the request data.

Log action

The log action collects the details of requests that contain a malicious attack. The log details can be further investigated for monitoring and analytics purposes. When you enable a security check, the log-only action is enabled automatically for that feature.

Exception (rule)

For a security check, an exception is a rule written to allow access to specific data while the rest is still blocked. Exceptions are applicable only to a few security checks, such as SQL injection, cross-site scripting, Cross-Site Request Forgery (CSRF), Field Consistency, and Cookie Consistency. These rules bypass security validation for false-positive scenarios.

You can configure an exception to bypass security checks for legitimate requests. A security check is performed on the incoming traffic payload, and malicious patterns are identified even if they are spread across multiple lines. When examining the traffic, you can apply exceptions to bypass the security check for the following criteria:

  • Incoming traffic that the SQL injection check flags as malicious.
  • Incoming traffic that the cross-site scripting check flags as an attack on your web applications.
  • Incoming traffic that the cookie consistency check flags as an attempt to gain access to a legitimate session of the target user.
  • Incoming traffic that the field consistency check flags as unauthorized web form data.
  • Incoming traffic that the CSRF check flags as inducing a user to perform actions they did not intend to perform.

The ADS security protection not only enables you to create an exception but also manages exceptions for the security check through the ADS GUI or API.

Example use case 1: Exception for Cross-Site Scripting protection:

Consider a form field dpasswd in the URL https://adcsvc.example.com/login.php that is not vulnerable to cross-site scripting. The corresponding field can be exempted from the cross-site scripting protection. To configure this exception, add a rule in which the URL pattern is defined as https://adcsvc.example.com/login.php(regex), the field type is Form Field, and the form field name is “^dpasswd$(regex)”.

Sample payload                                                                                     | URL                                     | Field type | Form field
---------------------------------------------------------------------------------------------------|-----------------------------------------|------------|-----------
https://adcsvc.example.com/login.php?uname=test&dpasswd=foo<script>alert(document.cookie)</script> | https://adcsvc\.example\.com/login\.php | Form Field | ^dpasswd$

Example use case 2: Exception for cookie consistency validation:

False positives occur when a cookie mismatch is incorrectly flagged as a vulnerability by a scanning tool. To handle such scenarios, you can add an exception for the cookie header so that the cookie is exempted from cookie validation. Consider a client sending a login request to the server. On successful login, the server response includes a Set-Cookie header that contains the JSESSIONID and its value.

Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly

The client sends the cookie ID in its subsequent request to the server. To handle a false positive or legitimate request, you can add an exception to bypass cookie validation for JSESSIONID for any request coming from the client.
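Added example (not code from the NetScaler documentation or product) that models how the two exceptions above select what is bypassed, assuming patterns are matched as unanchored regular expressions and field types named "Form Field" and "Cookie"; it shows why the ^ and $ anchors on the field name and the escaped dots in the URL pattern matter:

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple
from urllib.parse import parse_qsl, urlsplit, urlunsplit


@dataclass(frozen=True)
class ExceptionRule:
    """One exception as entered in the GUI. All three patterns are regexes."""
    url_pattern: str     # e.g. r"https://adcsvc\.example\.com/login\.php" or r".*"
    field_type: str      # "Form Field" or "Cookie" (names assumed by this model)
    field_name: str      # e.g. r"^dpasswd$"
    enabled: bool = True  # the Status switch


def rule_applies(rule: ExceptionRule, url: str, field_type: str, field_name: str) -> bool:
    """Does this exception exempt `field_name` of type `field_type` on `url`?

    Assumption of this model: patterns are matched with re.search, that is,
    unanchored unless the pattern itself carries ^ and $. That is the only
    reading under which the page's "^dpasswd$" anchors make a difference.
    """
    if not rule.enabled or rule.field_type != field_type:
        return False
    return (re.search(rule.url_pattern, url) is not None
            and re.search(rule.field_name, field_name) is not None)


def exempt_fields(rules: Iterable[ExceptionRule], url: str, field_type: str,
                  names: Iterable[str]) -> Set[str]:
    """Names in `names` that at least one enabled exception bypasses."""
    rules = list(rules)
    return {n for n in names if any(rule_applies(r, url, field_type, n) for r in rules)}


def classify_form_fields(rules: Iterable[ExceptionRule],
                         request_url: str) -> Tuple[List[str], List[str]]:
    """Split a request URL into the page URL (what the URL pattern is compared
    against) and its query parameters; return (inspected, exempt) field names.
    Exempt fields skip the cross-site scripting check, the rest are inspected."""
    parts = urlsplit(request_url)
    page_url = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    exempt = exempt_fields(rules, page_url, "Form Field", names)
    return [n for n in names if n not in exempt], sorted(exempt)


# Constructed sample rules and requests, not taken from a real deployment.
LOGIN_URL = r"https://adcsvc\.example\.com/login\.php"
PAGE_RULE = [ExceptionRule(LOGIN_URL, "Form Field", r"^dpasswd$")]        # use case 1 as written
TIGHT_RULE = [ExceptionRule(LOGIN_URL + "$", "Form Field", r"^dpasswd$")]  # URL anchored too
LOOSE_RULE = [ExceptionRule(LOGIN_URL, "Form Field", r"dpasswd")]          # no anchors on the name
COOKIE_RULE = [ExceptionRule(r".*", "Cookie", r"^JSESSIONID$")]           # use case 2, any URL

if __name__ == "__main__":
    req = "https://adcsvc.example.com/login.php?uname=test&dpasswd=secret&dpasswd_confirm=secret"
    print(classify_form_fields(PAGE_RULE, req))   # (['uname', 'dpasswd_confirm'], ['dpasswd'])
    print(classify_form_fields(LOOSE_RULE, req))  # (['uname'], ['dpasswd', 'dpasswd_confirm'])
```

The unanchored field name also exempts dpasswd_confirm, and without a trailing $ the URL pattern matches any path that merely starts with login.php, which is more than use case 1 intends.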

Conditions

Conditions are characteristics that you want to examine in an incoming request. Following are some conditions on which NetScaler App Delivery and Security service – NetScaler managed evaluates the traffic.

  1. Malicious scripts embedded in a request.
  2. IP addresses or address ranges that requests originate from.
  3. Country or geographical location that requests originate from.
  4. Length of a specified portion of the request, such as the query string.

Get started with NetScaler App Delivery and Security service security checks

The NetScaler App Delivery and Security service security protection features are classified into three categories, General, WAF, and Bot.

General

  • Allow and block list—Inspects the incoming traffic against rules defined to allow or block a client’s access to web application resources, based on parameters such as IP address, subnet, or HTTP request headers.
  • Geo blocking—Restricts unauthorized access based on the user’s geographical location.
  • IP reputation—Blocks traffic coming from an IP address with a bad reputation score.
  • Rate Limit—Limits the amount of network traffic. For example, if the feature limits the number of incoming requests to 100, then requests beyond that number are blocked. Rate limiting controls traffic flow based on client IP address, client subnet, URL or URL pattern, and HTTP headers.

WAF

  • SQL injection—Examines HTTP or HTTPS requests and blocks HTML-based and JSON-based SQL attacks that can affect your web applications.
  • Buffer overflow—Examines whether incoming traffic can cause a buffer overflow on the web server. If the service detects a URL, a cookie, or a header longer than the specified maximum length in a request, it blocks the JSON-based or HTML-based request to prevent a buffer overflow attack.
  • Cookie Consistency—Examines the cookie sent by the browser and blocks the request if the cookie does not match the cookie set by the web application. To resolve a false positive and bypass the security check, you can add an exception.
  • Cross-site scripting—Examines whether an attacker has inserted malicious code into an incoming request, which can have serious consequences such as compromising website security or user authentication. To resolve a false positive and bypass the security check, you can add an exception.
  • Command Injection—Examines whether an incoming request contains injected commands. To resolve a false positive and bypass the security check, you can add an exception.
  • CSRF—Inspects HTTP or HTTPS requests and blocks HTML-based or JSON-based CSRF attacks that can affect your web applications.
  • Field Format—Examines both the length and the type of web form data to ensure that it is appropriate for the field. If inappropriate web form data is found in a user request, you can configure the NetScaler App Delivery and Security service to block the request.
  • Field Consistency—Examines web forms returned by users to your application and verifies that the web forms were not modified inappropriately by the client. The security check applies only to HTML requests that contain a web form, with or without data.
  • WAF Signatures—A list of signature rules, grouped into categories, protects your web application against security attacks. The NetScaler security protection examines the traffic and blocks the request if it matches a signature pattern. By default, all signatures are enabled.
  • HTTP Security Headers—HTTP response headers that prevent security attacks on the web application by controlling browser behavior during application access.
  • Data Leak Prevention—Identifies whether responses coming from the web server contain user-specific sensitive information. When a match is found, the NetScaler App Delivery and Security service takes the configured action to avoid leakage of such information.

Bot

  • Bot Signatures—A list of bot signature rules, grouped into categories, protects your web application against security attacks. The NetScaler security protection examines the traffic and blocks the request if it matches a signature pattern. By default, all bot signatures are enabled.
  • Bot Trap—Detects and blocks automated bots by inserting a random trap URL in the server response.
  • Device Fingerprint—Detects the incoming traffic as a bot by inserting a JavaScript script in the HTML response to the client.
  • Bot TPS—Detects the incoming traffic as a bot based on the number of transactions.

Before you enable a security check, you must create a security protection profile or use an existing security profile.

Add a security protection profile

If you already have a security protection profile, you can select and add the profile for your application, otherwise you can create a profile.

Complete the following steps to add a security protection by using the GUI:

  1. Navigate to Applications > New Application > Security Protection.
  2. Click Select.

    Add NetScaler App Delivery and Security security protection profile

  3. In the Add Security Protection slide, select a security protection profile and click Add.
  4. The profile is added to the security protection summary table.
  5. Select and bind the profile to a service.

    Bind NetScaler App Delivery and Security security protection to a service

Note:

You can add only one security profile to an application service.

The security protection profile is now added to the application, which is then ready to be deployed in the cloud. If you do not see an existing profile in the list, you can create one.

Create a security protection profile

As a first-time user, you can create a profile for your application. Complete the following steps by using the GUI.

  1. Navigate to Applications > New Application > Security Protection.
  2. Click Create. On the General tab, type a Name.

    Create a security protection profile

  3. Select 2017 or 2021 OWASP Top 10 security protection. Based on the version selected, a predefined set of security checks are enabled.

    Create a security protection profile

  4. Click Create.

    You can view the newly created security protection profile.

  5. Select and bind the profile to a service.

Note:

You can add only one security profile to an application.

Security protection profile summary list

The profile is added to your application.

Edit a security protection profile

If you already have a security protection profile and you prefer to update its details, you can use the edit functionality.

Complete the following steps to update a security protection profile by using the GUI:

  1. Navigate to Applications > Security Protection.
  2. Click Select.
  3. In the Add Security Protection slide, select a security protection profile and click the pencil icon to update.
  4. In the Update Security Protection page, modify details and click Update. The Add Security Protection page displays the updated profile.
  5. Select the profile and click Add. The profile is added to the security protection summary table.
  6. Select and bind the profile to a service.

    Update a security protection profile

Allow and block list

The Allow and block list functionality enables you to create a security rule to allow or block requests based on user parameters such as IP address, subnet address, or HTTP header.

Allow list. A rule that allows user requests to access internal resources if all conditions configured for the rule match the request.

Block list. A rule that blocks user requests to internal resources if all conditions configured for the rule match the request.

Update a security protection profile

Enable allow and block list protection

Before you create a security rule, as a first step, you must enable the security check toggle. If you disable the toggle, the NetScaler App Delivery and Security service – NetScaler managed does not inspect the traffic.

Enable allow and block list protection

Create a rule

As a first-time user, if you do not see a security rule for allow or block list, you can create one. Complete the following steps to create a rule by using the GUI.

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click Allow and Block list.
  4. Select Enable Allow and Block list protection and click Add Rule.
  5. In the Allow and Block list section, set the following parameters:
    1. Rule name. Name of the rule for an allow list or a block list.
    2. If the following conditions are met. The conditions to define based on user parameters such as IP address, subnet address, or HTTP header. You can add multiple conditions for a rule using either AND Condition or OR Condition. A combination of AND Condition and OR Condition is not supported. The NetScaler App Delivery and Security service – NetScaler managed security evaluates traffic based on the conditions that you define.
      1. HTTP Request Method. Request method for create, read, update, or delete operations.
        1. Operator. Logical condition to evaluate the HTTP request method.
        2. Value. HTTP request method operation.
      2. HTTP Request Header. Header used in an HTTP request to provide information about the request.
        1. Operator. Logical condition to evaluate the value of specific headers.
        2. Name. Name of the HTTP request header field.
        3. Value. Request header field value.
      3. HTTP Request host name. HTTP host header that has the host name of the client request.
        1. Operator. Logical condition to evaluate the request host name.
        2. Value. Host name value.
      4. HTTP Request URL. HTTP request made by a client to a named host located on the back-end server.
        1. Operator. Logical condition to evaluate the request URL.
        2. Path. Request URL path.
      5. IP Allow and Block list.
        1. Operator. Logical condition to evaluate the IP address of the client request.
        2. Value. IP address or subnet address.
    3. Then do the following Action. Action to apply based on evaluation. Action types are as follows:
      1. Allow. Allow user request to access internal resources.
      2. Drop. Drop user request without sending a response.
      3. Reset. Reset client connection by closing it.
    4. Click Add Rule.

    Create allow or block list rule

You can view the newly created rule on the Allow and Block list page.

Allow or block list summary view

Click the pencil icon to modify rule details.

Edit an allow or block rule

Complete the following steps to update a rule by using the GUI:

  1. Navigate to Applications > Security Protection.
  2. Click the pencil icon under the Actions column corresponding to the security protection that you want to edit.
  3. Navigate to the Security Protections tab and click Allow and Block list.
  4. In the Allow and Block list page, click the pencil icon in the Actions column corresponding to the required rule.
  5. Edit the rule as required and click Update Rule.

Geo blocking

The geo blocking security check enables you to allow or block requests based on the geographical location from which the request originates. The filter works on a geo match condition that has a list of countries in an allow list and a block list. If a request matches a geo match condition, the request is either allowed or blocked based on the location it originates from.

Enable geo blocking protection

Before you configure geo blocking, you must enable the security check. When disabled, the NetScaler App Delivery and Security service – NetScaler managed does not allow or block requests based on the client’s geo location.

Classify geo locations

Complete the following steps to classify geo locations under an allowed or blocked country list:

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click Geo Blocking.
  4. Select Enable Geo Blocking.
  5. In the Geo Blocking section, classify countries under Allowed Countries or Blocked Countries list.

    Geo blocking

IP reputation

IP reputation security check blocks unwanted requests coming from an IP address that has a bad reputation score. The security check enables you to classify IP address threat categories as an allowed list and blocked list. If a request matches a condition, the request is either allowed or blocked based on its IP address and its threat category. Some of the key threat categories are spam sources, Windows exploits, botnets, scanners, and so forth.

Enable IP reputation protection

Enable the IP reputation security check to examine traffic for the IP reputation. When disabled, the NetScaler App Delivery and Security service – NetScaler managed does not inspect the traffic for its IP address and threat category.

Classify IP address threat category

Complete the following steps to classify the threat categories as an allowed list or a block list:

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click IP Reputation.
  4. Select Enable IP Reputation.
  5. In the IP Reputation section, classify the threat categories under allowed list and blocked list.

    Classify IP address threat category

Rate limit

The rate limit security check limits network traffic and protects your application from security vulnerabilities and bot attacks. The filter limits traffic by restricting the number of user requests that an application can receive within a time frame.

The filter uses rate limit conditions that measure the number of requests received within a time frame. If there are too many requests within a time frame, the check blocks requests that exceed the threshold limit. By doing this, the NetScaler App Delivery and Security service – NetScaler managed protects your application from excess traffic.

You can either select a single condition using the Limit Requests option or select multiple conditions using the Add Conditions option.

Example use case: Rate limiting requests per URL for a ticket booking website

Consider a ticket booking website www.adcsvc.example.com that receives huge traffic every 2 minutes. To limit traffic to the website, you can limit the number of requests per URL to 200 for 120 seconds. If more than 200 requests per URL are received within 120 seconds, the rate limit security check validation fails, and the check blocks the excess requests per URL.

Enable rate limit protection

Before you configure the rate limit policy, you must enable the security check. When disabled, the NetScaler App Delivery and Security service does not rate limit traffic to your application.

Configure rate limit policy

Complete the following steps to configure the rate limit policy for enhanced application security.

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click Rate Limit.
  4. Select Enable Rate Limit.
  5. In the Rate Limit section, click New Policy.
  6. In the Configure Rate Limit Policy page, set the following parameters:

    1. Policy Name. Name of the rate limit policy.
    2. Limit Requests. Logical condition to rate limit traffic.

      Server

      • For overall app. Logical condition to rate limit traffic on the server-side.
      • Per URL. Logical condition to rate-limit traffic if it matches the pre-defined URL on the server-side.
      • Per URL matching the pattern. Logical condition to rate-limit traffic only if the incoming request URL exactly matches the pre-defined URL on the server-side.
      • Matching the URL pattern. Logical condition to rate-limit traffic only if the incoming request URL matches the URL syntax pattern on the server-side.

      Client

      • Per client IP. Logical condition to rate limit traffic based on client IP address.
      • Per client matching the following client pattern. Logical condition to rate-limit traffic if the response URL matches the predefined URL on the client side.
      • Matching the client pattern. Logical condition to rate-limit traffic if the response URL matches the predefined client or subnet address.
      • Per client identified by a specified HTTP header. Logical condition to rate-limit traffic per client identified by a specific HTTP header.
      • Per client identified by values in an HTTP header. Logical condition to rate-limit traffic per client identified by a specific HTTP header value.
      • Per client identified by a cookie. Logical condition to rate-limit traffic per client identified by a cookie.
      • Per client identified by a user agent. Logical condition to rate-limit traffic per client identified by a user agent.

      Server and Client

      • Per client matching the specific URL. Logical condition to rate-limit traffic per client matching exactly the URL.

      Configure rate limit policy without any condition

    3. Add Conditions. (Optional) A list of logical conditions to rate limit traffic.

      Condition               | Description                                                                                   | Operators                                                                                      | Values
      ------------------------|-----------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|----------------------------------------------------------
      HTTP Request URL        | Identifies an element in the URL portion of an HTTP request.                                  | Contains, Equals, Startswith, Endswith, Not contains, Not equals, Not startswith, Not endswith | URL Path
      HTTP Request URL Query  | Identifies an element in the URL query of an HTTP request.                                    | Contains, Equals, Startswith, Endswith, Not contains, Not equals, Not startswith, Not endswith | Query Name, Query Value
      HTTP Request URL Suffix | Identifies an element in the URL suffix of an HTTP request.                                   | Contains, Equals, Startswith, Endswith, Not contains, Not equals, Not startswith, Not endswith | URL Suffix Value
      HTTP Request Method     | Identifies the HTTP request by the method used in it.                                         | Equals, Not equals                                                                             | GET, PUT, POST, DELETE
      Client IP Address       | Identifies the client IP address in a TCP/IP packet.                                          | Between, Equals, Insubnet, Not between, Not equals, Not insubnet                               | IP Addresses, Subnet IP Addresses, Range Start, Range End
      HTTP Request Header     | Determines whether the HTTP request contains a specific header.                               | Contains, Exists, Not contains, Not exists                                                     | Header Names, Header Value
      HTTP Request Hostname   | Determines whether the HTTP request contains a specific host name.                            | Contains, Equals, Startswith, Endswith, Not contains, Not equals, Not startswith, Not endswith | Hostname Values
      HTTP Request Cookie     | Identifies the HTTP request by its cookie, using the contents of the HTTP Cookie header.      | Contains, Not contains                                                                         | Cookie Name, Cookie Value

      Note:

      When the Add Conditions option is selected, the preceding list of conditions is displayed and the Limit Requests drop-down menu lists only the three basic options: For overall app, Per URL, and Per client IP.

      Configure rate limit policy with single condition

    4. Set maximum requests to be allowed within a given time frame.
    5. Set the time frame in seconds.
    6. Set the Limit type:

      Bursty: Use this limit type if your application traffic is sporadic. It is helpful if the load peaks anytime within the set time frame.

      Smooth: Use this limit type if your application traffic is consistent. It evenly spreads the load across each time slice of the set time frame.

      For example, the set maximum requests are 100 and the time frame is 10 seconds. If your application receives 80 requests in the first second, these limit types behave differently.

      The bursty limit type allows the requests to pass through because the load is below the set threshold. However, the smooth limit type evenly spreads the load across the set time frame. In this scenario, it can only allow 10 requests per second. So, it applies the configured action for the excess load.

    7. Configure any of the following actions for subsequent requests that exceed the limit.

      • Drop - Connections are silently dropped.
      • Reset - The connection with the client is reset.
      • Respond with 429 - Returns the status code 429 (Too Many Requests) to the client, indicating that too many requests were sent to the application.
    8. Status. Enable or disable rate limit policy configuration.
  7. Click Add Policy.
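Added example, not the service's own implementation: a small model of a rate limit policy that reproduces the Bursty and Smooth behaviour described in step 6 (it assumes Bursty counts over the whole time frame and Smooth splits the maximum evenly over 1-second slices), counting per URL as in the ticket-booking use case:

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class RateLimitPolicy:
    max_requests: int                  # maximum requests allowed within the time frame
    time_frame: int                    # time frame in seconds
    limit_type: str                    # "Bursty" or "Smooth"
    action: str = "Respond with 429"   # or "Drop" / "Reset", applied to excess requests


class RateLimiter:
    """Counts requests per key (URL, client IP, ...) and per time bucket.

    Model assumptions (the page describes the behaviour, not the mechanics):
      Bursty: one counter per whole time frame; anything up to max_requests
              passes no matter when in the frame it arrives.
      Smooth: the frame is cut into 1-second slices and each slice gets
              max_requests // time_frame of the budget.
    """

    def __init__(self, policy: RateLimitPolicy) -> None:
        self.policy = policy
        self.counts: Dict[Tuple[str, int], int] = defaultdict(int)

    def _bucket(self, ts: float) -> int:
        if self.policy.limit_type == "Bursty":
            return int(ts // self.policy.time_frame)   # whole time frame
        return int(ts)                                 # 1-second slice

    def _quota(self) -> int:
        if self.policy.limit_type == "Bursty":
            return self.policy.max_requests
        # Integer split; if max_requests < time_frame the per-slice share would
        # be 0, so this model keeps at least one request per slice.
        return max(1, self.policy.max_requests // self.policy.time_frame)

    def check(self, key: str, ts: float) -> str:
        """Return "allow" or the policy's action for one request on `key` at `ts`."""
        bucket = (key, self._bucket(ts))
        if self.counts[bucket] >= self._quota():
            return self.policy.action
        self.counts[bucket] += 1
        return "allow"


def simulate(policy: RateLimitPolicy,
             requests: Iterable[Tuple[float, str]]) -> Dict[str, int]:
    """Run (timestamp, key) requests through one policy and tally the outcomes."""
    limiter = RateLimiter(policy)
    tally: Dict[str, int] = defaultdict(int)
    for ts, key in requests:
        tally[limiter.check(key, ts)] += 1
    return dict(tally)


# Constructed traffic: the page's scenario, 80 requests for one URL in the first
# second of a 10-second frame, then 30 more for the same URL during second 5.
FIRST_SECOND = [(i / 100, "/book") for i in range(80)]
FOLLOW_UP = [(5 + i / 100, "/book") for i in range(30)]

if __name__ == "__main__":
    for limit_type in ("Bursty", "Smooth"):
        policy = RateLimitPolicy(max_requests=100, time_frame=10, limit_type=limit_type)
        print(limit_type, simulate(policy, FIRST_SECOND + FOLLOW_UP))
```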

You can view the policy in the Rate Limit section.

Rate limit summary view

Logging settings

Logging settings collect more information about the payload than is collected in a regular log. They can collect verbose logs such as the log pattern, the pattern payload, and HTTP header details.

The payload information gives you more context while troubleshooting issues. For example, if a violation is detected, you can look at the request that triggered the violation.

To set logging settings, complete the following steps:

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click Logging Settings.
  4. Select the verbose log type.
  5. Click Create.

The following table lists the verbose log types supported for WAF and Bot traffic:

Verbose Log Type           | WAF Traffic                                                                          | Bot Traffic
---------------------------|--------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------
Pattern                    | Logs only the violation pattern                                                      | -
Pattern Payload            | Logs the violation pattern and 150 bytes of extra payload                            | -
Pattern Payload and Header | Logs the violation pattern, 150 bytes of extra payload, and HTTP header information  | Logs full HTTP header information such as domain address, URL, user-agent header, cookie header

Verbose Logging Settings

View verbose logs

Complete the following steps to see verbose logs:

  1. Navigate to Analytics > Security.
  2. Select the WAF or Bot tab, depending on the traffic type for which you want to see verbose logs.
  3. Click the required application and click the link under the Request URL column.

SQL injection

The SQL injection filter examines the incoming request for SQL Injection attacks. If an SQL attack is detected in the payloads, the security check blocks the request. Use the SQL protection check to secure your web application and prevent SQL injection attacks.

Enable SQL injection protection

Before you configure the SQL injection exception, you must first enable security protection for HTML or JSON content type requests. When disabled, the NetScaler App Delivery and Security service does not inspect the traffic for SQL injection attacks. Also, you must toggle the Block action to block requests that contain malicious SQL attacks. When the block action is not selected, NetScaler App Delivery and Security service only logs the data.

Intent based auto blocking

The Block clients with 20 violations within 30 minutes option allows you to define the intent of auto blocking malicious clients that are attempting SQL injection attacks.

If the number of requests violating the security check received from a client increases to 20 or more in a 30-minute duration, the client is considered malicious. Select Block clients with 20 violations within 30 minutes to block such clients for a 30-minute duration.
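Added example, not the product's code: a model of the auto-blocking intent described above, assuming a sliding 30-minute window, a block that starts at the 20th violation and lasts 30 minutes, and that a blocked client's requests are rejected before inspection; it replays a constructed list of violation events:

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Tuple

THRESHOLD = 20        # violations ...
WINDOW = 30 * 60      # ... within this many seconds ...
BLOCK_FOR = 30 * 60   # ... block the client for this many seconds


class AutoBlocker:
    """Tracks security-check violations per client and auto-blocks offenders.

    Model assumptions (the page gives the numbers, not the mechanics):
      - the 30-minute window slides over the client's recent violations;
      - the block starts at the 20th violation and lasts 30 minutes;
      - a blocked client's requests are rejected before inspection, so they
        add no further violations and do not extend the block.
    """

    def __init__(self, threshold: int = THRESHOLD, window: int = WINDOW,
                 block_for: int = BLOCK_FOR) -> None:
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.violations: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}

    def is_blocked(self, client: str, ts: float) -> bool:
        return ts < self.blocked_until.get(client, float("-inf"))

    def handle(self, client: str, ts: float, violation: bool) -> str:
        """Outcome for one request: "blocked", "violation" (logged) or "clean"."""
        if self.is_blocked(client, ts):
            return "blocked"
        if not violation:
            return "clean"
        recent = self.violations[client]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:   # forget old violations
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked_until[client] = ts + self.block_for
            recent.clear()
            return "blocked"
        return "violation"


def replay(events: Iterable[Tuple[float, str, bool]]) -> Dict[str, Dict[str, int]]:
    """Replay (timestamp, client, is_violation) events in time order and
    return per-client outcome counts."""
    blocker = AutoBlocker()
    tally: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ts, client, violation in events:
        tally[client][blocker.handle(client, ts, violation)] += 1
    return {client: dict(counts) for client, counts in tally.items()}


# Constructed events (documentation-range addresses, not real clients).
FAST = "198.51.100.7"   # 20 violations in under 10 minutes, then two clean requests
SLOW = "203.0.113.9"    # 10 violations, a 31-minute pause, then 10 more
EVENTS = sorted(
    [(30.0 * i, FAST, True) for i in range(20)]          # t = 0 .. 570 s
    + [(1000.0, FAST, False), (2371.0, FAST, False)]     # during and after the block
    + [(10.0 * i, SLOW, True) for i in range(10)]        # t = 0 .. 90 s
    + [(1900.0 + 10.0 * i, SLOW, True) for i in range(10)]
)

if __name__ == "__main__":
    print(replay(EVENTS))
```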

Enable SQL injection protection

Create an SQL injection exception

An SQL injection attack can occur in several parts of a request. The variants of an SQL injection attack are:

  • Form fields. A basic SQL injection attack can be through a login page where the user provides input. The web application accepts inputs through the page, which pass the user input to the database for processing. If the web application accepts inputs without sanitizing them, an attacker can inject SQL statements through the form fields that can delete, copy, or modify contents in the database.

  • Header. Server variables such as HTTP headers can also be vulnerable to SQL injection. If a web application accepts input from HTTP headers, forged headers containing arbitrary SQL can inject code into the database.

  • Cookie. Cookies are another vector for SQL injection. Web applications often read cookies and use the data in database operations. A malicious user, or malware deployed on a user’s device, can modify cookies to inject SQL into the back-end database in an unexpected way.

To avoid false positives, you can add an SQL injection exception that bypasses the check for specific form field, header, or cookie values. Scope each exception as narrowly as possible: an exception with a URL pattern of '.*' and a broad field name pattern removes SQL injection protection for that field on every URL.

Complete the following steps to add an exception.

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click SQL Injection.
  4. Select the required content type.
  5. Click New exception and set the following parameters to add an exception for SQL injection protection:

    1. URL Pattern. The URL for which the exception is required. It can be a regular expression. To match any URL, enter '.*'.
    2. Field type. The field type for which the exception is required.
    3. Form field names. The form field in which the exception is required. It can be a regular expression.
    4. Status. Enable or disable the SQL injection exception.
  6. Click Add Exception.

    Create an SQL injection exception

    You can view the exception in the SQL Injection section.

    SQL injection summary review

Edit an SQL injection exception

Complete the following steps to update an SQL injection exception:

  1. Navigate to Applications > Security Protection.
  2. Click the pencil icon under the Actions column corresponding to the security protection that you want to edit.
  3. Navigate to the Security Protections tab and click SQL Injection.
  4. In the SQL Injection page, click the pencil icon in the Actions column corresponding to the required exception.
  5. Edit details and click Update Exception.
  6. You can view the updated exception in the SQL Injection summary section.

Buffer overflow

The buffer overflow security check detects when your application receives more input than it expects, which can cause a buffer overflow on the application server. For example, if the origin server is built to handle a URL of at most 500 characters but an incoming URL is 700 characters long, the buffer overflow security check fails and the request is blocked. To prevent buffer overflows, the NetScaler App Delivery and Security service – NetScaler managed security check lets you set the maximum length for request parameters such as the URL, cookie, or header value. If the input value for any of these parameters is longer than the configured length, the check blocks the request because it can cause an overflow.

Enable buffer overflow protection

Before you configure the buffer overflow limits, you must enable the security check. When disabled, the NetScaler App Delivery and Security service – NetScaler managed does not inspect the traffic for buffer overflows. Also, you must enable the Block toggle to block requests that can cause a buffer overflow. When the Block toggle is not selected, the NetScaler App Delivery and Security service – NetScaler managed only logs the data.

Configure buffer overflow limit

You can prevent the buffer overflow vulnerability by configuring the maximum length for parameters such as URL, cookie, or header length.

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click Buffer Overflow.
  4. Select the required content types.
  5. In the Buffer Overflow section, set the following parameters:

    1. Maximum Container Depth. Enter the maximum allowed nesting depth for a JSON element. Requests with container depth greater than the configured value are blocked. Default: 5, minimum: 0, maximum: 127.
    2. Maximum Document Length. Enter the maximum allowed length of a JSON request body. Requests with document size greater than the configured value are blocked. Default: 20000000, minimum: 0, maximum: 2147483647.
    3. Maximum Object Key Count. Enter the maximum allowed object key count in a JSON request. Requests with object key count greater than the configured value are blocked. Default: 10000, minimum: 0, maximum: 2147483647.
    4. Maximum Object Key Length. Enter the maximum allowed length for an object key in a JSON request. Requests with object keys longer than the configured value are blocked. Default: 128, minimum: 0, maximum: 2147483647.
    5. Maximum Array Length. Enter the maximum allowed number of elements in an array in a JSON request. Requests with array length greater than the configured value are blocked. Default: 10000, minimum: 0, maximum: 2147483647.
    6. Maximum String Length. Enter the maximum allowed length for a string in a JSON request. Requests with a JSON string longer than the configured value are blocked. Default: 1000000, minimum: 0, maximum: 2147483647.

    Configure buffer overflow limit
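The six JSON limits above are easiest to understand by applying them to a body. The following checker is an added example written for this page, not NetScaler code; it assumes that nesting depth is counted with the top-level container at depth 1, that the object key count is enforced per object, and that the document length is measured in bytes before parsing. The sample bodies in the usage are constructed.

```python
"""Check a JSON request body against the six buffer overflow limits.
Added example, not NetScaler code; depth counting (top-level container =
depth 1) and per-object key counting are assumptions."""
import json

DEFAULT_LIMITS = {
    "max_container_depth": 5,
    "max_document_length": 20_000_000,
    "max_object_key_count": 10_000,
    "max_object_key_length": 128,
    "max_array_length": 10_000,
    "max_string_length": 1_000_000,
}


def check_json_limits(body, limits=None):
    """Return the sorted list of limit names the body violates (empty = pass)."""
    limits = {**DEFAULT_LIMITS, **(limits or {})}
    if len(body) > limits["max_document_length"]:
        return ["max_document_length"]      # refuse before parsing an oversized body
    try:
        doc = json.loads(body)
    except (ValueError, RecursionError):
        return ["invalid_json"]

    violations = set()

    def walk(node, depth):
        if isinstance(node, dict):
            if depth > limits["max_container_depth"]:
                violations.add("max_container_depth")
            if len(node) > limits["max_object_key_count"]:
                violations.add("max_object_key_count")
            for key, value in node.items():
                if len(key) > limits["max_object_key_length"]:
                    violations.add("max_object_key_length")
                walk(value, depth + 1)
        elif isinstance(node, list):
            if depth > limits["max_container_depth"]:
                violations.add("max_container_depth")
            if len(node) > limits["max_array_length"]:
                violations.add("max_array_length")
            for item in node:
                walk(item, depth + 1)
        elif isinstance(node, str):
            if len(node) > limits["max_string_length"]:
                violations.add("max_string_length")

    walk(doc, 1)
    return sorted(violations)


if __name__ == "__main__":
    # Constructed sample bodies: one that passes, one nested six levels deep.
    print(check_json_limits(b'{"user": "alice", "tags": ["a", "b"]}'))
    print(check_json_limits(b'[[[[[[1]]]]]]'))
```

The document length is checked before parsing on purpose: parsing a multi-megabyte body only to reject it afterwards is itself a resource-exhaustion vector, which is the class of problem this check exists to prevent.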

Cookie consistency

The cookie consistency check examines whether the cookies a client returns match the cookies that the website set. If a modified value is found, the cookie is stripped from the request before the request is forwarded to the application server.

Before configuring the cookie consistency security check, you must first enable the feature. When disabled, NetScaler App Delivery and Security does not inspect the traffic for cookie tampering. Also, you must toggle the Block action to block requests that contain tampered cookies. If the block action is not selected, NetScaler App Delivery and Security only logs the data.

Enable cookie consistency
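The behaviour described above, as an added example that is not NetScaler code: the filter remembers what the protected site set for each client, strips any cookie whose value the client changed, and either blocks or only logs according to the Block toggle. Keying the table on a client identifier, the handling of exception names, and the choice to pass through cookies the server never set are assumptions of this example; the cookies in the usage are constructed.

```python
"""Simplified cookie consistency filter. Added example, not NetScaler code;
keying on a client id and the exception handling are assumptions."""
from http.cookies import SimpleCookie


class CookieConsistency:
    def __init__(self, block=False, exceptions=()):
        self.block = block                     # the Block toggle
        self.exceptions = set(exceptions)      # cookie names excused from the check
        self._known = {}                       # client_id -> {cookie name: value}

    def observe_response(self, client_id, set_cookie_headers):
        """Record every cookie the protected site sets for this client."""
        known = self._known.setdefault(client_id, {})
        for header in set_cookie_headers:
            jar = SimpleCookie()
            jar.load(header)                   # parses name=value plus attributes
            for name, morsel in jar.items():
                known[name] = morsel.value

    def filter_request(self, client_id, cookie_header):
        """Return (action, cleaned Cookie header, tampered cookie names)."""
        known = self._known.get(client_id, {})
        jar = SimpleCookie()
        jar.load(cookie_header)
        kept, tampered = [], []
        for name, morsel in jar.items():
            untouched = name not in known or known[name] == morsel.value
            if untouched or name in self.exceptions:
                kept.append(f"{name}={morsel.value}")
            else:
                tampered.append(name)
        if tampered and self.block:
            return "block", "", tampered
        # Block off: the violation is logged and the request is forwarded
        # with the tampered cookies stripped.
        return ("strip" if tampered else "allow"), "; ".join(kept), tampered


if __name__ == "__main__":
    cc = CookieConsistency()
    cc.observe_response("c1", ["role=user; Path=/; HttpOnly", "sid=abc123; Secure"])
    # Constructed request in which the client promoted itself to admin.
    print(cc.filter_request("c1", "role=admin; sid=abc123; prefs=dark"))
```

An exception for a cookie name turns the check off for that cookie entirely, so reserve exceptions for cookies that client-side JavaScript legitimately rewrites, never for session or role cookies.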

You can create an exception to prevent blocking legitimate requests or resolve false positives and bypass the security check. Complete the following steps to add an exception.

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click Cookie Consistency.
  4. Select Enable Cookie Consistency Protection.
  5. Click New Exception and set the following parameters to add an exception for cookie consistency:

    1. Cookie Name. Name of the cookie set by the server.
    2. Status. Enable or disable cookie consistency exception.
  6. Click Add Exception.

Configure cookie consistency exception

You can view the exception in the cookie consistency summary section.

Edit a cookie consistency exception

Complete the following steps to update a cookie consistency exception:

  1. Navigate to Applications > Security Protection.
  2. Click the pencil icon under the Actions column corresponding to the security protection that you want to edit.
  3. Navigate to the Security Protections tab and click Cookie Consistency.
  4. In the Cookie Consistency page, click the pencil icon in the Actions column corresponding to the required exception.
  5. Edit details and click Update Exception.
  6. You can view the updated exception in the Cookie Consistency section.

Cross-site Scripting

In a Cross-Site Scripting (XSS) attack, an attacker inserts malicious script into an incoming request, which can have serious consequences, such as compromising website security or user authentication. Use the cross-site scripting feature to secure your web application and prevent cross-site scripting attacks.

Enable Cross-site Scripting protection

Before you configure the Cross-site Scripting exception, you must first enable the security check for HTML or JSON content type requests. When disabled, the NetScaler App Delivery and Security service does not inspect the traffic. Also, you must enable the Block toggle to block requests that contain malicious Cross-site scripting attacks. When the block is not selected, NetScaler App Delivery and Security service only logs the data.

Intent based auto blocking

The Block clients with 20 violations within 30 minutes option allows you to define the intent of auto blocking malicious clients that are attempting cross-site scripting attacks.

If the number of requests violating the security check received from a client increases to 20 or more in a 30-minute duration, the client is considered malicious. Select Block clients with 20 violations within 30 minutes to block such clients for a 30-minute duration.

Enable cross-site scripting protection

Create a cross-site scripting exception

You can add a Cross-site Scripting exception for form field, header, and cookie values to prevent blocking legitimate requests or resolve false positives, and bypass the security check. Complete the following steps to add an exception.

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click Cross-site Scripting.
  4. Select the required content types.
  5. Click New Exception and set the following parameters to add the cross-site scripting exception:

    1. URL Pattern. The URL for which the exception is required. It can be a regular expression. To match any URL, enter '.*'.
    2. Field type. The field type for which the exception is required.
    3. Form field names. The form field in which the exception is required. It can be a regular expression.
    4. Status. Enable or disable the cross-site scripting exception.
  6. Click Add Exception.

    Configure cross-site scripting exception

You can view the exception on the cross-site scripting summary section.

Cross-site scripting summary view

Edit a cross-site scripting exception

Complete the following steps to update a Cross-site scripting exception:

  1. Navigate to Applications > Security Protection.
  2. Click the pencil icon under the Actions column corresponding to the security protection that you want to edit.
  3. Navigate to the Security Protections tab and click Cross-site Scripting.
  4. In the Cross-site Scripting page, click the pencil icon in the Actions column corresponding to the required exception.
  5. In the Configure Cross-site Scripting Exception page, edit details and click Update Exception.
  6. You can view the updated exception in the Cross-site Scripting page.

Command injection 

The command injection security check examines if an incoming request has unauthorized commands that can break the system security or modify the system. If the request has malicious commands, the NetScaler App Delivery and Security service blocks the request.

Enable command injection 

Before configuring the command injection security check, enable the feature for HTML and JSON content type requests. When disabled, the NetScaler App Delivery and Security service does not inspect the traffic for command injection attacks. Also, you must toggle the Block action to block requests that contain unauthorized command attacks. If the block action is not selected, the NetScaler App Delivery and Security service only logs the data.

Intent based auto blocking

The Block clients with 20 violations within 30 minutes option allows you to define the intent of auto blocking malicious clients that are attempting command injection attacks.

If the number of requests violating the security check received from a client increases to 20 or more in a 30-minute duration, the client is considered malicious. Select Block clients with 20 violations within 30 minutes to block such clients for a 30-minute duration.
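The intent-based auto blocking option is described identically for SQL injection, cross-site scripting, and command injection, so one added example covers all three. The code below is written for this page and is not NetScaler code; it assumes a sliding window (a violation older than 30 minutes no longer counts), that the twentieth violation in the window triggers the block, and that the block lasts 30 minutes from that moment. The client addresses and timestamps in the usage are constructed.

```python
"""Sliding-window auto blocking modelled on "Block clients with 20 violations
within 30 minutes". Added example, not NetScaler code; the window semantics
and class design are assumptions."""
from collections import deque

VIOLATION_THRESHOLD = 20      # violations that mark a client as malicious
WINDOW_SECONDS = 30 * 60      # counting window
BLOCK_SECONDS = 30 * 60       # how long a malicious client stays blocked


class AutoBlocker:
    def __init__(self, threshold=VIOLATION_THRESHOLD,
                 window=WINDOW_SECONDS, block_for=BLOCK_SECONDS):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self._violations = {}     # client -> deque of violation timestamps
        self._blocked_until = {}  # client -> epoch second when the block expires

    def is_blocked(self, client, now):
        """True while the client is inside its block period."""
        until = self._blocked_until.get(client)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[client]   # block expired
            return False
        return True

    def record_violation(self, client, now):
        """Count one violation; return True if this one triggers a block."""
        q = self._violations.setdefault(client, deque())
        q.append(now)
        # Forget violations older than the window so the count slides.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self._blocked_until[client] = now + self.block_for
            q.clear()                         # fresh count after the block
            return True
        return False


def handle_request(blocker, client, violates, now, block_action=True):
    """Decide the fate of a request the security check has already classified
    (violates=True/False). Returns 'blocked', 'logged' or 'allowed'."""
    if blocker.is_blocked(client, now):
        return "blocked"                      # an active auto-block wins
    if not violates:
        return "allowed"
    blocker.record_violation(client, now)
    # With the Block toggle off, individual violations are only logged.
    return "blocked" if block_action else "logged"


if __name__ == "__main__":
    b = AutoBlocker()
    for t in range(20):                       # constructed burst from one client
        handle_request(b, "10.0.0.1", True, 1000 + t)
    print(b.is_blocked("10.0.0.1", 1020))     # True: 20 violations in 20 seconds
```

Note that the auto-block counter keeps running even when the Block toggle is off, so a client that generates 20 logged violations is still shut out; if you are running in log-only mode to tune exceptions, expect legitimate but noisy clients to hit this limit.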

Enable command injection 

Create a command injection exception 

You can add an exception for legitimate requests or resolve false positives, and bypass command injection check. Complete the following steps to add an exception.

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click Command Injection.
  4. Select the required content types.
  5. Click New Exception and set the following parameters to add a command injection exception:

    1. Exception type. Select a content type to add an exception for the command injection check.
    2. URL Pattern. The URL for which the exception is required. The URL pattern applies only to the JSON content type. It can be a regular expression. To match any URL, enter '.*'.
    3. Field Type. Vulnerable field that can be excluded from security check input validation.
      1. Form Field. If the vulnerable field type is selected as form field, then enter the field name.
      2. Header. If the vulnerable field type is selected as header, then enter the header name.
      3. Cookie. If the vulnerable field type is selected as cookie, then enter the cookie name.
    4. Status. Toggle command injection exception status. 
  6. Click Add Exception.

Configure command injection 

You can view the exception in the command injection summary section.

View command injection summary table 

Edit a command injection exception 

Complete the following steps to update a command injection exception:  

  1. Navigate to Applications > Security Protection.
  2. Click the pencil icon under the Actions column corresponding to the security protection that you want to edit.
  3. Navigate to the Security Protections tab and click Command Injection.
  4. In the Command Injection page, click the pencil icon in the Actions column corresponding to the required exception.
  5. Edit details, and click Update Exception.
  6. You can view the updated exception on the Command Injection page.

Cross Site Request Forgery (CSRF)

The Cross Site Request Forgery (CSRF) security check tags each web form sent by a protected website to users with a unique and unpredictable Form ID. When there is an incoming request from the user, the security filter examines the web form to ensure that the supplied Form ID is correct. The security check is applicable only to HTML requests that contain a web form, with or without data.
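The form tagging described above, as an added example that is not NetScaler code: every opening form tag in a response receives a hidden field carrying an unpredictable id, and a submission is accepted only if it carries an id minted for the same session and the same action URL. The hidden field name form_id, the HMAC-over-nonce construction, and the per-deployment secret are assumptions of this example; the HTML in the usage is constructed.

```python
"""Form tagging and form id verification. Added example, not NetScaler code;
the field name, HMAC construction and session binding are assumptions."""
import hashlib
import hmac
import re
import secrets

FIELD_NAME = "form_id"                       # hypothetical hidden-field name
FORM_RE = re.compile(r"<form\b[^>]*>", re.I)
ACTION_RE = re.compile(r'action="([^"]*)"', re.I)


def make_form_id(secret, session_id, action_url):
    """nonce.mac: the nonce makes the id unique, the MAC makes it unforgeable."""
    nonce = secrets.token_hex(8)
    msg = f"{nonce}|{session_id}|{action_url}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_form_id(secret, session_id, action_url, form_id):
    """True only if form_id was minted for this session and this action URL."""
    nonce, sep, mac = form_id.partition(".")
    if not sep:
        return False
    msg = f"{nonce}|{session_id}|{action_url}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def tag_forms(secret, session_id, html):
    """Insert the hidden field right after every opening <form> tag."""
    def add_field(match):
        tag = match.group(0)
        action = ACTION_RE.search(tag)
        action_url = action.group(1) if action else ""
        fid = make_form_id(secret, session_id, action_url)
        return f'{tag}<input type="hidden" name="{FIELD_NAME}" value="{fid}">'
    return FORM_RE.sub(add_field, html)


def extract_form_ids(html):
    """Pull the inserted ids back out of tagged HTML (used by the usage below)."""
    return re.findall(rf'name="{FIELD_NAME}" value="([^"]+)"', html)


if __name__ == "__main__":
    secret = secrets.token_bytes(32)         # per-deployment secret (assumed)
    page = '<form action="/transfer" method="post"><input name="amt"></form>'
    tagged = tag_forms(secret, "sess-1", page)
    fid = extract_form_ids(tagged)[0]
    print(verify_form_id(secret, "sess-1", "/transfer", fid))   # True
    print(verify_form_id(secret, "sess-2", "/transfer", fid))   # False
```

Binding the id to the session is what defeats a forged cross-site submission: the attacker can fetch a tagged form in their own session, but the id they obtain does not verify for the victim's session.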

Enable CSRF

Before configuring the CSRF security check, you must first enable the feature. When disabled, NetScaler App Delivery and Security does not inspect the traffic for CSRF attacks. Also, you must toggle the Block action to block requests that contain malicious CSRF attacks. If the block action is not selected, NetScaler App Delivery and Security only logs the data.

Create a CSRF exception

You can create a CSRF exception to prevent blocking legitimate requests or resolve false positives and bypass the security check. Complete the following steps to add an exception.

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click CSRF.
  4. Select the required content types.
  5. Click New Exception and set the following parameters to add an exception for CSRF:

    1. URL Pattern. The URL for which the exception is required. It can be a regular expression. To match any URL, enter '.*'.
    2. Status. Enable or disable the CSRF exception.
  6. Click Add Exception.

CSRF exception

You can view the exception in the CSRF summary section.

CSRF summary section

Edit a CSRF exception

Complete the following steps to update a CSRF exception:

  1. Navigate to Applications > Security Protection.
  2. Click the pencil icon under the Actions column corresponding to the security protection that you want to edit.
  3. Navigate to the Security Protections tab and click CSRF.
  4. In the CSRF page, click the pencil icon in the Actions column corresponding to the required exception.
  5. Edit details and click Update Exception.
  6. You can view the updated exception on the CSRF section.

Field format protection

With the field format protection feature of the NetScaler App Delivery and Security service, you can examine both the length and type of web form data to ensure that it is appropriate for the field. If inappropriate web form data is found in a user request, you can configure the NetScaler App Delivery and Security service to block the request.

The NetScaler App Delivery and Security service supports examining the different field formats such as numeric, alphabetic, and alphanumeric. For example, if a particular field expects the user to enter a phone number, the field format protection feature examines the user-submitted input to ensure that the data matches the format of a phone number. If a field expects the first name, this feature ensures that the data in that field is of a type and length appropriate for a first name. It does the same thing for each form field that you configure it to protect.

Enable field format protection

Before configuring the field format protection feature, you must first enable the feature. When disabled, the NetScaler App Delivery and Security service does not inspect the field formats of web form data. You must enable the Block Requests toggle to block the requests that violate the field formats. If the block action is disabled, the NetScaler App Delivery and Security service only logs the malicious data.

In addition to enabling the feature, you can add one or more enforcement rules to configure field format protection for an individual field of a specific form.

Enable field format protection

Add a field format enforcement

Complete the following steps to add field format protection for a specific field:

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click Field Format.
  4. Select Enable Field Format Protection.

  5. Click New Enforcement and set the following parameters:

    1. URL Pattern: The client URL for which field format protection is applied.
    2. Field name: The name of the field that is validated for the data entered.
    3. Field Format: The type of data that is allowed for the field. The following types of data are supported:
      1. Integer
      2. Alphabets
      3. Alphanumeric
      4. No HTML
      5. Any
      6. SSN
      7. Credit card
      8. Custom Format
    4. Minimum Length: The minimum length of data allowed in the field.
    5. Maximum Length: The maximum length of data allowed in the field.
    6. Status: Select the check box to enable the enforcement.
  6. Click Add Enforcement.

    Add a field format protection
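The enforcement rules above, carried through as an added example that is not NetScaler code. Each rule pairs a URL pattern and field name with one of the listed formats and a length range; the regex chosen for each format (for instance that SSN accepts optional hyphens and Integer accepts a leading minus), the Luhn check used for Credit card, and the rule that a field with no matching enforcement passes are assumptions of this example. The rules and field values in the usage are constructed.

```python
"""Field format enforcement for web form fields. Added example, not NetScaler
code; the per-format regexes and the Luhn check for cards are assumptions."""
import re
from dataclasses import dataclass

FORMATS = {
    "Integer": r"^-?\d+$",
    "Alphabets": r"^[A-Za-z]+$",
    "Alphanumeric": r"^[A-Za-z0-9]+$",
    "No HTML": r"^[^<>]*$",
    "Any": r"^[\s\S]*$",
    "SSN": r"^\d{3}-?\d{2}-?\d{4}$",
}


def luhn_valid(digits):
    """Luhn check-digit test used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def matches_format(fmt, value, custom_regex=""):
    if fmt == "Credit card":
        digits = re.sub(r"[ -]", "", value)
        return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)
    if fmt == "Custom Format":
        return bool(custom_regex) and re.fullmatch(custom_regex, value) is not None
    return re.match(FORMATS[fmt], value) is not None


@dataclass
class Enforcement:
    url_pattern: str        # regular expression over the request URL
    field_name: str
    field_format: str       # one of the formats listed above
    min_length: int
    max_length: int
    enabled: bool = True
    custom_regex: str = ""  # only used with "Custom Format"


def validate_field(enforcements, url, field_name, value):
    """Return (allowed, reason). The first enabled rule matching the URL and
    field decides; a field with no matching rule is not checked."""
    for e in enforcements:
        if not e.enabled or e.field_name != field_name:
            continue
        if not re.fullmatch(e.url_pattern, url):
            continue
        if not e.min_length <= len(value) <= e.max_length:
            return False, f"{field_name}: length {len(value)} outside {e.min_length}-{e.max_length}"
        if not matches_format(e.field_format, value, e.custom_regex):
            return False, f"{field_name}: not a valid {e.field_format}"
        return True, "ok"
    return True, "no enforcement"


if __name__ == "__main__":
    rules = [Enforcement(r"/signup", "phone", "Integer", 10, 10),
             Enforcement(r"/checkout.*", "card", "Credit card", 13, 19)]
    print(validate_field(rules, "/signup", "phone", "5551234567"))        # ok
    print(validate_field(rules, "/checkout/pay", "card", "4111111111111112"))  # Luhn fails
```

The length check runs before the format check so that an oversized value is rejected without ever being handed to a regular expression, which keeps pathological inputs cheap to refuse.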

Edit a field format enforcement

Complete the following steps to modify a field format enforcement:

  1. Navigate to Applications > Security Protection.
  2. Click the pencil icon under the Actions column corresponding to the security protection that you want to edit.
  3. Navigate to the Security Protections tab and click Field Format.
  4. In the Field Format page, click the pencil icon in the Actions column corresponding to the required enforcement.
  5. Edit the values (or enforcement) and click Update Enforcement.

Edit a field format protection

Field consistency

The field consistency security check examines web forms returned by a user to a website and verifies if the web forms were modified inappropriately by the client. The security check applies only to HTML requests that contain web forms, with or without data.

Enable field consistency

Before configuring field consistency security check, you must first enable the feature. When disabled, NetScaler App Delivery and Security does not inspect the traffic for form field attacks. Also, you must toggle the Block action to block requests that contain malicious attacks. If the block action is not selected, NetScaler App Delivery and Security only logs the data.

Enable Field consistency

Create field consistency exception

You can create a field consistency exception to prevent blocking legitimate requests or resolve false positives and bypass the security check. Complete the following steps to add an exception.

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click Field Consistency.
  4. Select the required content types.
  5. Click New Exception and set the following parameters to add an exception for field consistency:

    1. URL Pattern. The URL for which the exception is required. It can be a regular expression. To match any URL, enter '.*'.
    2. Status. Enable or disable the field consistency exception.
  6. Click Add Exception.

Field consistency exception

You can view the exception in the Field Consistency section.

Field consistency summary page

Edit field consistency exception

Complete the following steps to update a field consistency exception:

  1. Navigate to Applications > Security Protection.
  2. Click the pencil icon under the Actions column corresponding to the security protection that you want to edit.
  3. Navigate to the Security Protections tab and click Field Consistency.
  4. In the Field Consistency page, click the pencil icon in the Actions column corresponding to the required exception.
  5. In the Configure Field Consistency Exception page, edit details, and click Update Exception.

WAF Signatures

A signature represents a pattern that is a component of a known attack on an operating system, web server, website, XML-based web service, or any other resource. A set of configurable rules offers an easy-to-use security service, applying the power of pattern matching to detect attacks and protect your application against common vulnerabilities and exposures.

Enable WAF signature protection

Before you customize a signature rule, you must enable the security check. When disabled, the NetScaler App Delivery and Security service – NetScaler managed does not inspect the traffic for common vulnerability attacks. Also, enable the Block toggle to block requests with a common vulnerability attack. When the block toggle is not selected, the NetScaler App Delivery and Security service – NetScaler managed only logs data for the selected signature rule.

Manage WAF signatures

The Signature section displays a preconfigured list of signatures; new rules are added and existing rules updated periodically. You might want to customize a signature or a list of signatures under a category. To filter signatures, select a category and use the search functionality to narrow down the list.

Categories. Signatures are classified under various categories. You can select a category to view the list of signatures classified under it. For example, selecting web-cgi reduces the table to display signatures that reference web-cgi attack type.

Search. The search functionality lets you locate a signature within the category that you have selected. For example, after selecting web-cgi as the signature category, you can use the signature attributes to filter the signatures that reference this category. The following signature attributes and their search operators are available to filter your search:

  • ID. Unique identifier for a signature. Use the search operator to filter rules by signature ID.
  • Log string. Log message for a signature. Use the search operator to filter rules by log string value.
  • Year. The year when the rule was added. Use the search operator to filter rules by year.
  • Reference. External references for a signature. Use the search operator to filter rules by reference.
  • Block. Block toggle that blocks matching traffic. Use the search operator to filter rules by block toggle status.
  • Log. Log toggle that only logs matching traffic. Use the search operator to filter rules by log toggle status.

Customize a WAF signature

Complete the following steps to customize a signature:

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click Signatures.
  4. Select Enable Signatures.
  5. In the Signature section, select signatures and set the following parameters:

    1. Log. Enable log toggle to only log signature violation.
    2. Block. Enable block toggle to block traffic.

    Customize a WAF signature

HTTP security headers

HTTP response headers help prevent attacks on your web application by controlling how the browser behaves while it accesses the application. In addition to the default headers, the security check lets you add a security header, or delete a header such as Server: Apache/2.4.1 (UNIX) from HTTP responses so that the origin server's software and version are not disclosed.

Enable HTTP security header protection

Before you configure the HTTP headers, you must enable the security check. When disabled, the NetScaler App Delivery and Security service – NetScaler managed does not inspect the traffic for HTTP security headers.

Configure default HTTP security header

Complete the following steps to insert a default HTTP header:

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click HTTP Security Headers.
  4. Select Enable HTTP Security Headers.
  5. In the HTTP Security Headers section, set the following recommended default headers:

    1. X-Frame-Options. Tells the browser whether the page may be rendered inside a <frame>, <iframe>, <embed>, or <object>. The header protects the website from clickjacking attacks. There are two directives: DENY and SAMEORIGIN. With DENY, every attempt to load the page in a frame fails, whether the framing page is on the same site or on another site. With SAMEORIGIN, the page loads in a frame only when the framing page is on the same website, and fails for other websites.

      1. Value. Select the directive, DENY or SAMEORIGIN.
      2. Status. Select the toggle to insert the header when examining the traffic.
      3. Actions. Click the pencil icon to edit a directive.
    2. Content-Security-Policy. Lets administrators mitigate cross-site scripting and clickjacking attacks by controlling the sources from which the browser may load JavaScript, images, CSS, and other resources. For example, Content-Security-Policy: script-src 'self' js.example.com allows JavaScript to be loaded only from the page's own origin and from js.example.com, and from nowhere else.

      1. Value. Set the source directive value.
      2. Status. Select the toggle to insert the header when examining the traffic
      3. Actions. Click the pencil icon to edit.
    3. X-Content-Type-Options. Tells the browser to use only the MIME type advertised by the origin web server in the Content-Type header, rather than guessing the type from the content. This header (value nosniff) protects the website against MIME sniffing attacks.
    4. Referrer-Policy. Tells the browser how much referrer information to include with requests. The two directives offered for the Referrer-Policy header are no-referrer and no-referrer-when-downgrade (default).

      1. no-referrer. The Referer header is omitted, and no referrer information is sent with requests.
      2. no-referrer-when-downgrade (default). The origin, path, and query string of the URL are sent as the referrer when the protocol security level stays the same (HTTP -> HTTP, HTTPS -> HTTPS) or improves (HTTP -> HTTPS), but nothing is sent to less secure destinations (HTTPS -> HTTP). With the origin directive, only the origin of the document is sent as the referrer.

        1. Value. Directives type for referrer-policy security header.
        2. Status. Select the toggle to insert the header when examining the traffic
        3. Actions. Click the pencil icon to select a directive.

Configure HTTP Security header

Add an HTTP security header

The NetScaler App Delivery and Security service – NetScaler managed security protection lets you add an extra HTTP security header for enhanced protection. Complete the following steps to add a new HTTP header:

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click HTTP Security Headers.
  4. In the HTTP Security Headers section, click Insert Header and set the following parameters:

    1. Header Name. Name of the HTTP security header.
    2. Value. Directive for the security header.
    3. Status. Select the toggle to insert the header when examining the traffic.
  5. Click Add Header.

    Add an HTTP security header

You can view the header in the Inserted Headers section.

View HTTP security header summary view

Delete an HTTP server header

The NetScaler App Delivery and Security service – NetScaler managed security protection lets you delete a server header from the HTTP response. Complete the following steps to delete a header:

  1. Navigate to Applications > Security Protection > Create > HTTP Security Headers.
  2. In the HTTP Security Headers section, click Delete Headers.
  3. In the Delete Headers page, set the following parameters.

    1. Header Name. Name of the server header to be removed in the HTTP response.
  4. Click Delete Header.

    Delete the HTTP server header

You can view the header in the Delete Headers section.

Delete header summary view
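The three operations in this section (insert the recommended default headers, add an extra header, delete a server header) amount to one transformation of the origin's response headers. The following is an added example written for this page, not NetScaler code. It assumes that an inserted header replaces any same-named header from the origin, so that a weaker origin value cannot survive; the CSP value and the extra Strict-Transport-Security header are illustrative choices, and the origin headers in the usage are constructed.

```python
"""Harden an origin's response headers: insert defaults, add extras, delete
a server header. Added example, not NetScaler code; replacing same-named
origin headers is an assumption of this example."""

DEFAULT_SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' js.example.com",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
}


def harden_response(headers, insert=None, extra=None, delete=("Server",)):
    """headers: list of (name, value) pairs as sent by the origin.
    Returns a new list with `delete` removed and `insert` plus `extra` added.
    Inserted headers replace any same-named origin header, so an origin that
    sends X-Frame-Options: ALLOWALL still ends up with DENY."""
    to_insert = dict(DEFAULT_SECURITY_HEADERS if insert is None else insert)
    if extra:
        to_insert.update(extra)
    # Header names are case-insensitive, so compare lowercased.
    dropped = {n.lower() for n in delete} | {n.lower() for n in to_insert}
    hardened = [(n, v) for n, v in headers if n.lower() not in dropped]
    hardened.extend(to_insert.items())
    return hardened


def header_value(headers, name):
    """Case-insensitive lookup; None when the header is absent."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


if __name__ == "__main__":
    # Constructed origin response: leaks the server version and allows framing.
    origin = [("Content-Type", "text/html"),
              ("Server", "Apache/2.4.1 (UNIX)"),
              ("x-frame-options", "ALLOWALL")]
    hsts = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    for name, value in harden_response(origin, extra=hsts):
        print(f"{name}: {value}")
```

Deleting the Server header removes a cheap fingerprint, but it does not hide the platform from an attacker who probes behaviour; treat it as hygiene rather than as a control.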

Data leak prevention

Your websites might have access to database servers that store user-specific sensitive information such as credit card numbers and Social Security Numbers. The leakage of such information might pose a security risk. The Data Leak Prevention feature of the NetScaler App Delivery and Security service helps to avoid the leak of such sensitive information.

With this feature, the NetScaler App Delivery and Security service identifies if the responses coming from the webserver contain any user-specific sensitive information. When a match is found, the NetScaler App Delivery and Security service takes configured action to avoid leakage of such information.

The data leak prevention feature allows you to create safe objects that define the rules to prevent attacks. These safe objects contain regular expressions to match the sensitive information in the responses and the action to perform when there is a match.

If the responses from the webservers match the regular expression defined in the safe object, you can configure the NetScaler App Delivery and Security service to perform one of the following actions:

  • Block: Block the response.
  • Mask: Mask the sensitive information with an X in the responses before processing it further.
  • None: Take no action. The NetScaler App Delivery and Security service processes the responses as is without any changes.

The safe objects for credit card and Social Security Number (SSN) are created by default. You can enable or disable these default safe objects and change the action associated with them. You cannot change the name or regular expression of these default safe objects.

You can configure actions at the global level. Configuring the global level action changes the action associated with all the individual safe objects. For example, if you configure the global action as block, the action associated with all the safe objects gets changed to block. You can also change the action specific to individual safe objects.

Enable data leak prevention

Before you configure data leak prevention, you must first select Enable Data Leak Prevention. By default, the credit card and SSN safe objects are created, disabled, and their action is set to Block. If necessary, you can edit the status or the action of the default safe objects. You can also create new safe objects by clicking Add Safe Object Rule.

Note:

If the data leak prevention feature is disabled, the default safe objects for credit card and Social Security Number (SSN) are not effective even if their status is enabled.

Enable data leak prevention

Add a safe object

Complete the following steps to create a safe object:

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click Data Leak Prevention.
  4. Select Enable Data Leak Prevention and click Add Safe Object Rule.

  5. On the Configure Safe Object Rule page, configure the following parameters:

    • Safe Object Name: Name for the safe object.

    • Safe Object Action: The action to perform when the server response matches the configured regular expression. You can choose Block, Mask, or None.

    • Maximum Match Length: The numerical value representing the maximum length of the string that you want to match.

    • Regular expression: A Perl compatible regular expression that is used for matching the response from the server.

    • Comments: Any remarks about the safe object.

  6. Select Status to enable the safe object rule.

  7. Click Add.


You can view the newly added safe object on the Data Leak Prevention page.


Edit the safe object

Complete the following steps to edit a safe object:

  1. Navigate to Applications > Security Protection.
  2. Click the pencil icon under the Actions column corresponding to the security protection that you want to edit.
  3. Navigate to the Security Protections tab and click Data Leak Prevention.

  4. Click the edit icon under the Actions column corresponding to the safe object that you want to edit.

  5. Perform the required changes and click Update.

You can also delete the safe object by clicking the trash icon under the Actions column corresponding to the desired safe object.


Configure global actions for safe objects

Using the Global Actions option, you can change the safe object action for all the existing safe objects at once.

  1. Navigate to Applications > Security Protection.
  2. Click the pencil icon under the Actions column corresponding to the security protection that you want to edit.
  3. Navigate to the Security Protections tab and click Data Leak Prevention.

  4. Select Enable Data Leak Prevention.

  5. Choose an action from the Global Actions drop-down list.


  6. Click Yes, Proceed.

Bot signatures

The bot signature security check protects your web application against bot attacks. Bot signatures help in identifying good and bad bots based on request parameters such as user-agent in the incoming request.

Enable bot signature protection

Before you customize a bot signature rule, you must enable the security check. When it is disabled, the NetScaler App Delivery and Security service – NetScaler managed does not inspect the traffic for bot attacks. Also, enable the Block toggle to block requests identified as a bot attack. When the Block toggle is not selected, the NetScaler App Delivery and Security service – NetScaler managed only logs data for the selected bot rule.

Manage bot signatures

The list of bot signatures is large, and new rules are added and stale ones removed periodically. You might want to search for a specific bot signature or for the list of signatures under a category. To make filtering easier, the bot signature page provides an enhanced search capability. The search function enables you to find bot rules and customize their properties based on one or more bot signature attributes.

Categories. Bot signatures are classified under different categories. You can select a category to view the list of bot signatures classified under it. For example, selecting “Crawler” reduces the table to bot rules that reference Crawler, and it is an easy way to locate Crawler type bot attacks.

Search. The search functionality enables you to locate a bot signature within the selected category. For example, after selecting “Crawler” as the bot signature category, you can use the bot signature attributes and their search operators to filter the signatures that reference the selected category. The bot signature attributes and their search operators are as follows.

  • Id. Sort bot signatures based on bot rule ID.
  • Name. Sort bot signatures based on rule name.
  • Developer. Sort bot signatures based on the host company publisher.
  • Type. Sort bot signatures based on signature type.
  • Action. Sort bot signatures based on bot action.
  • Log. Sort bot signatures that have logging enabled.
  • Block. Sort bot signatures that have blocking enabled.

Customize a bot signature

Complete the following steps to customize a bot signature:

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click Bot Signatures.
  4. In the Signature section, select signatures and set the following parameters:

    1. Log. Enable or disable the Log toggle to log the data only.
    2. Block. Enable or disable the Block toggle to block the traffic.
    3. Action. The action to apply on bot evaluation. The action types are as follows:

      1. Drop. Drop user request without sending a response.
      2. Reset. Reset client connection by closing it.


  5. After customizing the bot signature rule, click Create.

In the Deliver an Application page, bind the security profile to a service, and click Deploy.

Bot trap

The bot trap is an effective technique to block attacks from bots. This technique detects and blocks automated bots by inserting a random trap URL in the server response. The trap URL is an alpha-numeric URL auto-generated by the NetScaler App Delivery and Security service and is invisible to human users. However, if the client is an automated bot and if the trap URL is accessed, the NetScaler App Delivery and Security service can block the request from the client.

Enable bot trap

Before you configure the bot trap, you must first enable the feature. When it is disabled, the NetScaler App Delivery and Security service does not insert the trap URL in the server response. Enable the Block Requests toggle to block requests from an automated bot. If the block action is not selected, the NetScaler App Delivery and Security service only logs the data.


Configure bot trap enforcement

To prevent bot attacks with specific webpages, add the application URLs for which the bot trap URL must be inserted.

  1. Navigate to Applications > Security Protection.
  2. Click Create. On the General tab, type a Name.
  3. Navigate to the Security Protections tab and click Bot Trap.

  4. Select Enabled and Block Requests.

  5. Click Add Enforcement and enter the URL for which the bot trap URL is inserted in the server response. The URL can be a regular expression.

  6. Select the Status check box to enable the enforcement.

  7. Click Add Enforcement.
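The following Python model, added here and not part of the product, shows the trap mechanism described above together with the enforcement steps: an auto-generated alphanumeric trap path, its insertion into responses for enabled enforcement URLs, and the block or log decision when a client requests it. The hidden-link markup, the class and method names, and the use of `secrets` for the random path are assumptions for this example.

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class BotTrap:
    enabled: bool = True               # the Enabled toggle
    block_requests: bool = True        # Block Requests: off means log only
    # enforcements: (application URL regex, Status) pairs; only enabled ones get the trap link
    enforcements: List[Tuple[str, bool]] = field(default_factory=list)
    # auto-generated alphanumeric trap path, fresh per instance (constructed here with secrets)
    trap_path: str = field(default_factory=lambda: "/" + secrets.token_hex(8))
    flagged_clients: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def _enforced(self, path: str) -> bool:
        """True when an enabled enforcement regex fully matches the application URL."""
        return any(on and re.fullmatch(pattern, path) for pattern, on in self.enforcements)

    def handle_response(self, path: str, html: str) -> str:
        """Insert the invisible trap link into responses for enforced application URLs."""
        if not self.enabled or not self._enforced(path):
            return html
        # Not rendered for a human user; a bot that follows every href in the raw HTML fetches it.
        link = f'<a href="{self.trap_path}" style="display:none" aria-hidden="true"></a>'
        return html.replace("</body>", link + "</body>", 1)

    def handle_request(self, client_ip: str, path: str) -> str:
        """Return 'allow', or 'block' / 'log' when the client requests the trap URL."""
        if not self.enabled or path != self.trap_path:
            return "allow"
        self.flagged_clients.add(client_ip)
        self.log.append(f"bot_trap client={client_ip} path={path}")
        return "block" if self.block_requests else "log"
```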


Edit bot trap enforcement

Complete the following steps to update a bot trap enforcement:

  1. Navigate to Applications > Security Protection.
  2. Click the pencil icon under the Actions column corresponding to the security protection that you want to edit.
  3. Navigate to the Security Protections tab and click Bot Trap.
  4. In the Bot Trap page, click the pencil icon in the Actions column corresponding to the required rule.

  5. Click the pencil icon under the Actions column corresponding to the security protection that you want to edit.

  6. Select Bot Trap on the left navigation menu.

  7. Click the pencil icon under the Actions column corresponding to the enforcement that you want to edit.

  8. Edit the values (or enforcement) and click Update Enforcement.


Device fingerprint

The device fingerprint technique detects whether the incoming traffic is a bot by inserting a JavaScript script in the HTML response to the client. When the browser invokes the script, it collects browser and client attributes and sends a request to the NetScaler App Delivery and Security service. The attributes are examined to determine whether the traffic is a bot or a human.

Enable device fingerprint

Select Enable Device Fingerprint to enable the device fingerprint technique for incoming traffic. Select Block Requests to block the requests that are detected as requests coming from a bot. If the block action is disabled, the NetScaler App Delivery and Security service only logs the requests that are coming from a bot.

Bot TPS

Enable bot TPS (Transactions Per Second) for your application. It helps you detect the incoming traffic as a bot based on one of the following parameters:

  • Number of transactions per second
  • Surge in transactions (%) for the last 30 minutes

You can drop or reset the connection if the incoming requests are from a bot.

Add a policy for bot TPS

  1. Navigate to Applications > Security Protection.
  2. Click the pencil icon under the Actions column corresponding to the security protection that you want to edit.
  3. Navigate to the Security Protections tab and click Bot TPS.
  4. Select Enable Bot TPS.
  5. Click Add Policy and specify the following fields:
    1. Input Type - Defines the source type used to calculate the transactions per second.
    2. Maximum Transactions (per second) - The maximum number of transactions you want to allow within one second for the selected input type.
    3. Maximum TPS increase percentage - Surge in transactions (%) for the last 30 minutes.
    4. Action - Set an action for the incoming bot traffic.


  6. Click Add Policy.

In this example policy, the incoming traffic is detected as a bot if either of the following conditions is met at any time:

  • More than 100 transactions per second from the same client IP address.
  • A 15 percent surge in transactions over the last 30 minutes.
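An added Python model of this example policy, not product code: a per-client sliding count implements the transactions-per-second rule, and the surge rule compares the last 30 minutes with the 30 minutes before it. Treating the previous 30-minute window as the surge baseline, the client IP as the Input Type, and the class and method names are assumptions for this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict


@dataclass
class BotTpsPolicy:
    max_tps: int = 100                  # Maximum Transactions (per second) per client IP (Input Type)
    max_tps_increase_pct: float = 15.0  # Maximum TPS increase percentage over the last 30 minutes
    action: str = "drop"                # Action: "drop" or "reset"
    window_s: int = 1800                # the 30-minute surge window
    # per-client transaction timestamps, kept for the last two windows (assumed bookkeeping)
    _recent: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def record(self, client_ip: str, ts: float) -> str:
        """Record one transaction at Unix time ts; return 'allow' or the policy action."""
        q = self._recent[client_ip]
        q.append(ts)
        # keep only the last two 30-minute windows so the surge rule can compare them
        while q and q[0] < ts - 2 * self.window_s:
            q.popleft()
        # rule 1: transactions in the last second (sliding window, includes this one)
        tps = sum(1 for t in q if t > ts - 1.0)
        if tps > self.max_tps:
            return self.action
        # rule 2: surge, current 30 minutes versus the previous 30 minutes (assumed baseline)
        current = sum(1 for t in q if t > ts - self.window_s)
        previous = len(q) - current
        if previous > 0 and (current - previous) / previous * 100.0 > self.max_tps_increase_pct:
            return self.action
        return "allow"
```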